Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Carl Brock Sides wrote:

 My immediate guess, upon seeing anything running on 31337, is that
 you've been "0wn3d", as the script kiddies put it, and maybe lsof has
 been trojaned not to list the attacker's processes.
 
 You are running lsof as root, right? It won't show you everything as an
 ordinary user.
 
 You don't say what version of Debian you're running. If you're running
 potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
 
 be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof
 
 If that's not it, it's a trojan. I'd guess that other useful tools for
 finding out what's going on, e.g. ls and ps and fuser, have been
 trojaned as well. (Although you might want to try "fuser 31337/tcp",
 maybe the attacker forgot about it.)
 
 Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
 interested in further investigation.

This may not be enough: recent rootkits install trojan libraries or even a
trojan kernel module, and intercept system calls directly, with no need to
tamper with tools. Therefore they are both more difficult to detect and
more difficult to clean. To be safe you need to boot from a safe kernel
and/or run statically linked utilities. A clean rescue cdrom is the safest
bet.

Bye
Giacomo

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]

OSSERVATORIO ASTRONOMICO
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 216 Fax : +39 070 71180 222

"When the storms are raging around you, stay right where you are"
 (Freddie Mercury)


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Running lsof as root or various versions of netstat showed that portsentry owns
 these ports :-)

Glad to hear it was a false alarm. Sorry to have alarmed you.

Bye
Giacomo





Where to get updates

2001-02-08 Thread Desai, Jason

Hello.

Can someone tell me the difference between packages in the
dists/potato-proposed-updates and packages on the security.debian.org site?
I had been using the proposed-updates in my sources.list file for a while,
but I have not found the updated bind package there.  But I did find it on
the security.debian.org site.

Thanks for any help.

Jase









Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar

On Thursday 08 February 2001 03:19, Bradley M Alexander wrote:
 On Wed, Feb 07, 2001 at 05:12:48PM -0500, Matthias G. Imhof wrote:
  Running lsof as root or various versions of netstat showed that
  portsentry owns these ports :-)

 This is quite true. I remember now that I had the same issue come up when I
 set up portsentry. If you run it in -tcp and/or -udp mode, it will appear
 that these ports are listening. However if you switch to advanced mode
 (-atcp and/or -audp), these ports will not respond.

But in advanced mode it doesn't show all the listening ports?
What ports did it show? And did it block the IP address?






sources.list

2001-02-08 Thread Gary Glueckert

I have recently been to www.debian.org looking for the latest sites to
add to my sources.list file. I could not find them, even though I know that I
have seen them there before. Could anyone give me a hand and let me know
what entries to include there? I am currently using:

#STABLE
deb http://http.us.debian.org/debian potato main contrib non-free
deb http://non-us.debian.org/debian-non-US potato/non-US main contrib non-free
deb http://security.debian.org/debian-security potato/updates main contrib non-free

#STABLE SOURCE
# Uncomment if you want the apt-get source function to work
#deb-src http://http.us.debian.org/debian stable main contrib non-free
#deb-src http://non-us.debian.org/debian-non-US stable non-US

#HELIX CODE
deb http://spidermonkey.helixcode.com/distributions/debian unstable main
#added in by me for alsa

# WOODY
#deb http://llug.sep.bnl.gov/debian woody main contrib non-free

Any suggestions to improving the above list would be appreciated.

Gary

*  Cisco Certified Academy Instructor  *
*  Empowering the Internet Generation  *
*Are you ready?*
*  mailto:[EMAIL PROTECTED]*
*   http://www.cisco.com/edu   *







Apt-get package verification

2001-02-08 Thread schwack

Anybody know if apt will do any sort of verification of checksums or
anything to validate that the package is from Debian? I'm using apt to
automate priority security updates on several of my customers' firewalls,
and I'm curious: if somebody poisons some routes and/or DNS caches, we could
have serious trouble.

Thanks for your comments (new to debian)

Schwack
clint sand







Re: Apt-get package verification

2001-02-08 Thread Christian Hammers

 Currently it won't.  :-\  You would have to get the packages yourself
 and check the md5sums.

Which were of course altered by the cracker. Bad idea.

bye,

 -christian-

-- 
Christian Hammers      WESTEND GmbH - Aachen und Dueren      Tel 0241/701333-0
[EMAIL PROTECTED]      Internet & Security for Professionals    Fax 0241/911879
         WESTEND ist CISCO Systems Partner - Premium Certified






Re: sources.list

2001-02-08 Thread Matthew Sherborne

I ran apt-setup and it automatically added my local mirrors. I'm not sure if
it wipes your previous sources.list though...

GBY







Re: who owns the ports?

2001-02-08 Thread Wade Richards

All this discussion about the possibility of "script kiddies" installing
root kits, and overwriting various important system files, makes me think
of a useful potential feature.  And since this is Debian, I figure there's
a good chance that this useful feature already exists, and I just don't
know about it.

I've got a rescue CD with most of the packages on it, and most(*) of
those packages include MD5 sums for all the files.

There should be a way to, after booting up on my rescue CD, check all
my files against the MD5 checksums on the CD (ignoring the conffiles,
of course).

Better yet, for the packages that are not on my CD, it could get the
MD5s from the FTP archive.

Does anyone know of such a feature already in the rescue disks?

Thanks,

--- Wade

(*)On a slightly off-topic topic, why is it that only most of the packages
contain MD5 checksums?  Is the package maintainer required to do this,
or can it be done auto-magically when a package is uploaded?






Re: who owns the ports?

2001-02-08 Thread John Mullee

#! /bin/sh
# adaptable for udp also (netstat -u, fuser PORT/udp)
# Field 4 of "netstat -na -t" is the local address; the port is whatever
# follows its last colon (this also copes with tcp6 addresses such as :::22).
TCPPRTS=`netstat -na -t | awk '/^tcp/ { sub(/.*:/, "", $4); print $4 }' | sort -nu`
echo "Active tcp ports:" $TCPPRTS

for PRT in ${TCPPRTS} ; do
echo  port number $PRT : `grep "[^0123456789]${PRT}\/tcp" /etc/services`
# fuser prints "PORT/tcp:" on stderr and the owning PID(s) on stdout
TPID=`fuser ${PRT}/tcp 2>/dev/null | cut -d ':' -f 2`
# nothing reported: either no process owns the port any more, or fuser itself is not to be trusted
[ -n "$TPID" ] || { echo "  (no owning process reported)"; continue; }
for P in $TPID ; do
ps wax | awk '{print $1" "$5 }' | grep "^${P} "
done
done






Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Matthias G. Imhof wrote:

 Performing strobe or nmap on my system, I get, e.g., the following list:

(omitted)

It is very likely that your host has been compromised and a rootkit
installed. Do not trust any of the utilities on that host. Instead, boot
off a (trusted) rescue cd with a clean system on it, and check with it. 
Be careful how you take down that computer: I have seen crackers install
background processes that monitor e.g. the connectivity of the computer
and do an rm -rf / command if they suspect they have been caught. As
crazy as it sounds, if your computer has indeed been compromised the
safest thing may indeed be to simply cut the power off. Whatever you do,
be careful.

Bye
Giacomo




Re: who owns the ports?

2001-02-08 Thread Giacomo Mulas

On Wed, 7 Feb 2001, Aaron Dewell wrote:

 Well, finger is probably running through inetd...  Either that or you
 are running that scanner detector package that binds to every port 
 known in the universe.

He said he checked inetd.conf, and lsof should report whatever is bound to
any port. It smells fishy...

Bye
Giacomo




Re: Where to get updates

2001-02-08 Thread Robert Lazzurs

On Thu, 8 Feb 2001, Desai, Jason wrote:

 Hello.
 
 Can someone tell me the difference between packages in the
 dists/potato-proposed-updates and packages on the security.debian.org site?
 I had been using the proposed-updates in my sources.list file for a while,
 but I have not found the updated bind package there.  But I did find it on
 the security.debian.org site.
 
 Thanks for any help.
 
 Jase

The proposed updates are bug updates to packages that are going to be put
into the next release of potato.  However, security.debian.org is for
priority security updates; if you are using potato, you should have
that in your sources file as well.

Take care - Rab

--
Robert Lazzurs  |  All that is etched in stone is 
The Lazzurs Administration  |  truly only scribbled in sand
+44 7092 157408 |  -ARL
[EMAIL PROTECTED]   |  EB chat client http://www.everybuddy.com
AIM:lazzurs ICQ:66324927|  ER-Web http://www.elite.uk.com/er
Yahoo:arl666_uk MSN:arl666  |  Join EFF http://www.eff.org




Re: Apt-get package verification

2001-02-08 Thread Henrique M Holschuh

On Thu, 08 Feb 2001, Christian Hammers wrote:
  Currently it won't.  :-\  You would have to get the packages yourself
  and check the md5sums.
 Which were of course altered by the cracker. Bad idea.

Just subscribe to debian-devel-changes or debian-changes @lists.debian.org,
the .changes files are sent there; they are signed by the uploader's gpg
key, and contain all the md5sums.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh


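
Henrique's suggestion in practice, as an added example that is not code from the thread or from any Debian tool: after `gpg --verify` has accepted the uploader's signature on a .changes file, its Files: stanza lists each file as "md5sum size section priority filename", which the script below turns into `md5sum -c` input and checks against a directory of downloaded packages. The .changes text and package files used in the stand-alone run are constructed here, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from any Debian tool).  A .changes file
# is signed by the uploader and its Files: stanza lists, one per line,
#   <md5sum> <size> <section> <priority> <filename>
# Check the signature first (gpg --verify foo.changes); the functions below only
# do the checksum step that follows a good signature.

# Convert the Files: stanza into "md5sum  filename" lines for md5sum -c.
changes_to_md5sums() {
    awk '
        /^Files:/        { infiles = 1; next }
        infiles && /^ /  { print $1 "  " $5; next }
        infiles          { infiles = 0 }      # stanza ends at the first unindented line
    ' "$1"
}

# check_changes FILE.changes DIR: exit 0 only if every listed file is present
# in DIR and matches its recorded md5sum.
check_changes() {
    changes_to_md5sums "$1" | (cd "$2" && md5sum -c -)
}

# Constructed fixture: a .changes-style stanza for two package files, one of
# which is replaced afterwards to stand in for a poisoned mirror or DNS cache.
make_changes_fixture() {
    mc_dir=$(mktemp -d)
    printf 'good ssh\n'     > "$mc_dir/ssh_1.2.3-9.2_i386.deb"
    printf 'good askpass\n' > "$mc_dir/ssh-askpass-gnome_1.2.3-9.2_i386.deb"
    {
        printf 'Format: 1.7\nSource: openssh\nVersion: 1.2.3-9.2\nFiles: \n'
        printf ' %s 9 net standard ssh_1.2.3-9.2_i386.deb\n' \
            "$(printf 'good ssh\n' | md5sum | cut -d' ' -f1)"
        printf ' %s 13 net standard ssh-askpass-gnome_1.2.3-9.2_i386.deb\n' \
            "$(printf 'good askpass\n' | md5sum | cut -d' ' -f1)"
        printf '\n-----BEGIN PGP SIGNATURE-----\n(omitted in this constructed sample)\n'
    } > "$mc_dir/openssh_1.2.3-9.2_i386.changes"
    printf 'evil askpass\n' > "$mc_dir/ssh-askpass-gnome_1.2.3-9.2_i386.deb"
    echo "$mc_dir"
}

# Stand-alone run against the constructed directory; md5sum -c prints one
# OK/FAILED line per file and exits non-zero on any mismatch.
demo=$(make_changes_fixture)
check_changes "$demo/openssh_1.2.3-9.2_i386.changes" "$demo" \
    || echo "=> do not install: a file does not match the signed .changes"
rm -rf "$demo"
```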



Re: who owns the ports?

2001-02-08 Thread Rolf Kutz

Wade Richards ([EMAIL PROTECTED]) wrote:

 I've got a rescue CD with most of the packages on it, and most(*) of
 those packages include MD5 sums for all the files.
 
 There should be a way to, after booting up on my rescue CD, check all
 my files against the MD5 checksums on the CD (ignoring the conffiles,
 of course).

Tripwire

 Better yet, for the packages that are not on my CD, it could get the
 MD5s from the FTP archive.
 
 Does anyone know of such a feature already in the rescue disks?

No, but you can do it with tripwire.

cu,
Rolf



Re: who owns the ports?

2001-02-08 Thread Philipe Gaspar

On Thursday 08 February 2001 21:21, Rolf Kutz wrote:
 Wade Richards ([EMAIL PROTECTED]) wrote:
  I've got a rescue CD with most of the packages on it, and most(*) of
  those packages include MD5 sums for all the files.
 
  There should be a way to, after booting up on my rescue CD, check all
  my files against the MD5 checksums on the CD (ignoring the conffiles,
  of course).

 Tripwire

Try the package debsums; it is a tool to handle md5sums for installed packages.

  Better yet, for the packages that are not on my CD, it could get the
  MD5s from the FTP archive.
 
  Does anyone know of such a feature already in the rescue disks?

 No, but you can do it with tripwire.

 cu,
   Rolf
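
What Wade asks for, and what Philipe's debsums automates, is a comparison of every installed file against the md5sums dpkg recorded for its package (the same check Carl does by hand for /usr/sbin/lsof earlier in the thread). The script below is an added example, not code from the thread or from debsums: run from a clean rescue boot, it takes the path where the suspect root is mounted, skips conffiles, and reports files that are missing or altered. It assumes the standard dpkg layout (var/lib/dpkg/info/<pkg>.md5sums and <pkg>.conffiles under that root) and, for the stand-alone run, builds a small constructed tree in which /bin/ls has been replaced.

```shell
#!/bin/sh
# Added example (not from the thread or from debsums): after booting from clean
# rescue media, mount the suspect root read-only (say at /mnt) and run
#   verify_root /mnt
# Every file listed in /mnt/var/lib/dpkg/info/<pkg>.md5sums is hashed with the
# rescue system's own md5sum and compared with what dpkg recorded at install
# time.  Conffiles (<pkg>.conffiles) are skipped; they are meant to differ.
# Paths containing spaces are not handled, matching the md5sums format itself.
verify_root() {
    vr_root=$1
    vr_info="$vr_root/var/lib/dpkg/info"
    vr_bad=0
    for vr_sums in "$vr_info"/*.md5sums; do
        [ -f "$vr_sums" ] || continue
        vr_pkg=$(basename "$vr_sums" .md5sums)
        vr_conf="$vr_info/$vr_pkg.conffiles"
        # md5sums lines look like: <32 hex>  usr/sbin/lsof   (path relative to /)
        while read -r vr_sum vr_path; do
            [ -n "$vr_path" ] || continue
            if [ -f "$vr_conf" ] && grep -qxF "/$vr_path" "$vr_conf"; then
                continue                      # conffile: expected to be edited
            fi
            vr_file="$vr_root/$vr_path"
            if [ ! -f "$vr_file" ]; then
                echo "MISSING  $vr_pkg /$vr_path"
                vr_bad=$((vr_bad + 1))
            elif [ "$(md5sum < "$vr_file" | cut -d' ' -f1)" != "$vr_sum" ]; then
                echo "MISMATCH $vr_pkg /$vr_path"
                vr_bad=$((vr_bad + 1))
            fi
        done < "$vr_sums"
    done
    [ "$vr_bad" -eq 0 ]      # exit status 0 only if nothing was missing or altered
}

# Constructed fixture so the script runs offline: a tiny dpkg tree with two
# packages, a clean lsof, an edited conffile, and a replaced /bin/ls.
make_fixture() {
    mf_root=$(mktemp -d)
    mkdir -p "$mf_root/var/lib/dpkg/info" "$mf_root/usr/sbin" "$mf_root/bin" "$mf_root/etc"
    printf 'real lsof\n' > "$mf_root/usr/sbin/lsof"
    printf 'real ls\n'   > "$mf_root/bin/ls"
    printf 'edited\n'    > "$mf_root/etc/lsof.conf"
    {
        printf '%s  usr/sbin/lsof\n' "$(printf 'real lsof\n' | md5sum | cut -d' ' -f1)"
        printf '%s  etc/lsof.conf\n' "$(printf 'shipped\n' | md5sum | cut -d' ' -f1)"
    } > "$mf_root/var/lib/dpkg/info/lsof-2.2.md5sums"
    printf '/etc/lsof.conf\n' > "$mf_root/var/lib/dpkg/info/lsof-2.2.conffiles"
    printf '%s  bin/ls\n' "$(printf 'real ls\n' | md5sum | cut -d' ' -f1)" \
        > "$mf_root/var/lib/dpkg/info/fileutils.md5sums"
    printf 'trojan\n' > "$mf_root/bin/ls"     # the "rootkit" replaces ls afterwards
    echo "$mf_root"
}

# Stand-alone run on the constructed tree (real use: verify_root /mnt).
demo_root=$(make_fixture)
verify_root "$demo_root" || echo "=> the suspect root is not clean"   # MISMATCH fileutils /bin/ls
rm -rf "$demo_root"
```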



[joey@finlandia.infodrom.north.de: [SECURITY] [DSA 027-1] New OpenSSH packages released]

2001-02-08 Thread andy

a note to sparc users (and others): the versions of ssh and ssh-askpass-gnome
referenced below and to be found at
http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb

have earlier version numbers than the packages uploaded on Jan 28 (e.g.,
ssh_1.2.3-9.3_sparc.deb), which fixed the lack of pam support
(http://www.debian.org/security/2001/dsa-025 - was there a reason why only
some users noticed that problem?).

the version numbering seems to have gotten a touch off...  looks like the pam
support remains present.

andy

- Forwarded message from Martin Schulze [EMAIL PROTECTED] -

 Date: Fri, 9 Feb 2001 00:08:58 +0100
 From: Martin Schulze [EMAIL PROTECTED]
 To: Debian Security Announcements debian-security-announce@lists.debian.org
 Subject: [SECURITY] [DSA 027-1] New OpenSSH packages released
 Reply-To: [EMAIL PROTECTED]
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 - 
 Debian Security Advisory DSA-027-1   [EMAIL PROTECTED]
 http://www.debian.org/security/   Martin Schulze
 February 8, 2001
 - 
 
 Package: openssh
 Vulnerability  : remote memory overwrite, key exchange problem
 Type   : remote exploit
 Debian-specific: no
 
 This upload fixes:
 
  1. Prior versions of OpenSSH are vulnerable to a remote arbitrary
 memory overwrite attack which may eventually lead into a root
 exploit.  No exploit program is known yet but expected to come up
 soon.
 
  2. CORE-SDI has described a problem with regards to RSA key exchange
 and a Bleichenbacher attack to gather the session key from an ssh
 session.
 
 We recommend you upgrade your openssh package immediately.
 
 wget url
   will fetch the file for you
 dpkg -i file.deb
 will install the referenced file.
 
 You may use an automated update by adding the resources from the
 footer to the proper configuration.
 
 
 Debian GNU/Linux 2.2 alias potato
 - 
 
   Potato was released for the alpha, arm, i386, m68k, powerpc and sparc
   architectures.
 
 
   Source archives:
 
 
 http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.diff.gz
   MD5 checksum: b823b3a94de32533cb35c23a9b956c5c
 
 http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3-9.2.dsc
   MD5 checksum: bae514efd776c6007944677e767c60a0
 
 http://security.debian.org/dists/stable/updates/main/source/openssh_1.2.3.orig.tar.gz
   MD5 checksum: 6aad0cc9ceca55f138ed1ba4cf660349
 
   Intel ia32 architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-i386/ssh-askpass-gnome_1.2.3-9.2_i386.deb
   MD5 checksum: 0283cfa29a7ac7e7857a6e86202d
 
 http://security.debian.org/dists/stable/updates/main/binary-i386/ssh_1.2.3-9.2_i386.deb
   MD5 checksum: e093ef0bc4201860c66edc859f064e71
 
   Motorola 680x0 architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh-askpass-gnome_1.2.3-9.2_m68k.deb
   MD5 checksum: a7f52d223f5755dacc09c20bbaf10d3e
 
 http://security.debian.org/dists/stable/updates/main/binary-m68k/ssh_1.2.3-9.2_m68k.deb
   MD5 checksum: 50cbe82d6f733357350cbedebc6b58a6
 
   Sun Sparc architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh_1.2.3-9.2_sparc.deb
   MD5 checksum: c2b2aefe74ba8852f0ac0bb2a3145892
 
 http://security.debian.org/dists/stable/updates/main/binary-sparc/ssh-askpass-gnome_1.2.3-9.2_sparc.deb
   MD5 checksum: d0de50b38fd8b517aa2b62fd15d5fcd4
 
   Alpha architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh-askpass-gnome_1.2.3-9.2_alpha.deb
   MD5 checksum: 5be857c6395f02bb9b454bfb13621b06
 
 http://security.debian.org/dists/stable/updates/main/binary-alpha/ssh_1.2.3-9.2_alpha.deb
   MD5 checksum: e55ef711299a60f5ee5df935a5db4931
 
   PowerPC architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh-askpass-gnome_1.2.3-9.2_powerpc.deb
   MD5 checksum: 343c30fec20cf21f7075d86eed9f66f5
 
 http://security.debian.org/dists/stable/updates/main/binary-powerpc/ssh_1.2.3-9.2_powerpc.deb
   MD5 checksum: 12d7876a78d4eb9485b1aec8da28d3f9
 
   ARM architecture:
 
 
 http://security.debian.org/dists/stable/updates/main/binary-arm/ssh-askpass-gnome_1.2.3-9.2_arm.deb
   MD5 checksum: fc55f1ec0dfba1175f7060235a6d6d09
 
 http://security.debian.org/dists/stable/updates/main/binary-arm/ssh_1.2.3-9.2_arm.deb
   MD5 checksum: 3e01291dedf24d01e5645734ec2c4cfb
 
   Architecture independent: