Re: iptables install

2001-07-20 Thread Jeff Coppock
Jim Breton, 2001-Jul-20 20:01 +:
> On Fri, Jul 20, 2001 at 12:37:49PM -0700, Jeff Coppock wrote:
> >Do I need to dist-upgrade to woody to use iptables?
> 
> Nope.
> 
> http://netfilter.samba.org
> 
> Compiles very easily from source.  HTH.
> 
   
   I was able to compile a good 2.4.6 kernel and then compiled
   iptables from source.
   
   I have all the netfilter stuff as modules, but I can't load
   any of them.  
   
   # modprobe ip_tables
   modprobe: Can't locate module ip_tables
   
   But, it's definitely there.  I can't figure out how to fix
   this.  Any help is very much appreciated.
   
   thanks,
   jc

-- 

Jeff Coppock          Nortel Networks
Systems Engineer      http://nortelnetworks.com
Major Accts.          Santa Clara, CA



Re: red worm amusement

2001-07-20 Thread Jon Nelson
> Wichert Akkerman was said to been seen saying:
...
> > we glad we all run Linux? :)
...
>   Scratch another win for Linux...

What you mean to say is:  "Aren't we all glad we don't run IIS" because
1) this has nothing to do with Linux.  Last I heard, *BSD, Solaris, etc.
weren't vulnerable to this.

2) Apache, Boa, thttpd, and others each deal with this differently.
   What way is the *correct* way?


-- 
Pound for pound, the amoeba is the most vicious animal on earth.

Jon Nelson
[EMAIL PROTECTED]




Re: iptables install

2001-07-20 Thread Jim Breton

On Fri, Jul 20, 2001 at 09:31:07PM -0700, Jeff Coppock wrote:
># modprobe ip_tables
>modprobe: Can't locate module ip_tables
>
>But, it's definitely there.  I can't figure out how to fix
>this.  Any help is very much appreciated.

Your version of modutils's 'modprobe' doesn't look in the correct
directories for modules (which are different in 2.4.x).

You can either upgrade some of your packages (including modutils) in the
manner suggested by others here (using Bunk's debs), or you can just use
'insmod' which will still work but you will have to specify the path to
each module.


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
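As an added example (not code from Jim or anyone else in the thread), here is what the insmod-by-path fallback looks like as a small POSIX shell script. It assumes the 2.4 module layout, /lib/modules/<release>/kernel/... with <name>.o files, and a load order written by hand, since insmod resolves no dependencies on its own (ip_tables has to be in before iptable_filter). The demonstration at the bottom runs against a constructed module tree with INSMOD=echo, so it can be tried without a 2.4 kernel or root.

```shell
#!/bin/sh
# Added example, not code from the thread: load 2.4 netfilter modules by path, which
# is the insmod fallback Jim describes when an old modutils modprobe cannot find them.
# Assumed (not stated on the page): modules sit under /lib/modules/<release>/kernel/
# as <name>.o files, and the load order is given by hand, because insmod resolves
# no dependencies (ip_tables must already be loaded before iptable_filter).

MODULES_ROOT="${MODULES_ROOT:-/lib/modules/$(uname -r)}"
INSMOD="${INSMOD:-insmod}"   # set INSMOD=echo to only print what would be loaded

# Print the path of the first <name>.o below the modules root, or nothing if absent.
find_module() {
  find "$1" -type f -name "$2.o" 2>/dev/null | head -n 1
}

# insmod each named module in the order given. Returns 1 (and stops) at the first
# module that is missing below the root or that insmod refuses to load.
load_modules() {
  root="$1"
  shift
  for name in "$@"; do
    path=$(find_module "$root" "$name")
    if [ -z "$path" ]; then
      echo "module $name not found below $root" >&2
      return 1
    fi
    "$INSMOD" "$path" || return 1
  done
}

# Demonstration on a constructed module tree, so this runs without a 2.4 kernel.
# For real use (as root): load_modules "$MODULES_ROOT" ip_tables iptable_filter
demo_root=$(mktemp -d)
mkdir -p "$demo_root/kernel/net/ipv4/netfilter"
: > "$demo_root/kernel/net/ipv4/netfilter/ip_tables.o"
: > "$demo_root/kernel/net/ipv4/netfilter/iptable_filter.o"
INSMOD=echo
load_modules "$demo_root" ip_tables iptable_filter
load_modules "$demo_root" ip_nat || echo "(expected: ip_nat is not in the demo tree)"
```

The point of the explicit order is the one modprobe normally hides: insmod only loads the single file you hand it, so a dependency that is not already resolident fails with an unresolved-symbols error rather than being pulled in for you.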











Re: red worm amusement

2001-07-20 Thread Tim Uckun




> Really? As if linux has not had its worms?
>
> I think blaming Windows here is a tad bit short sighted. What we
> hopefully can be glad for is that most of the people on this list
> (hopefully) are good at upgrading their systems.


Well yes and no.

First of all MS has to take some of the blame for advertising NT as an easy 
to use and administer system that does not need a competent sysadmin to set 
up and run. They hammer this point repeatedly whenever the subject of Linux 
vs. Windows comes up. You really cannot blame people for not hiring 
"expensive unix sysadmins" and letting some semi-competent windows user run 
the NT network.

Secondly MS has to take the blame for creating an operating system that 
needs to be brought offline for even the most routine patch. People put off 
patching their windows systems because it means coming in at midnight after 
everybody else has gone home.

Finally, it's very very important to remember that Windows is a PRODUCT not 
a PROJECT. NT costs a lot of money no matter how you slice it. You expect 
that something you paid for and which is supposedly guaranteed and backed 
by the largest and the richest company on the planet should actually be 
better than the PROJECT run by volunteers. In other words I would expect 
linux to be much worse than windows; alas, it's the other way around.



--
 Tim Uckun
  Mobile Intelligence Unit.
--
   "There are some who call me TIM?"
--



Re: red worm amusement

2001-07-20 Thread Andy Bastien

In the depths of that dark day Sat Jul 21, the words of Wichert Akkerman were 
the beacon:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)
> 

I've got nothing in my web logs, but I've gotten a whole lot of these
over the past couple of days:

Jul 19 12:00:47 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=64.152.168.173 DST=123.456.789.012 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=47979 DF PROTO=TCP SPT=1707 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0

Along with the normal crop of connection attempts to ports 111 and
27374.  That's life on Roadrunner.



Re: red worm amusement - redirect

2001-07-20 Thread Yotam Rubin

On Fri, Jul 20, 2001 at 09:33:21PM -0400, Noah L. Meyerhans wrote:
> On Fri, Jul 20, 2001 at 06:24:54PM -0700, Alvin Oga wrote:
> > if ya wrote a script... was thinking..wouldnt it be funny
> > to redirect that incoming attack with the cgi script to 
> > redirect it back to the incoming machine ???
> 
> It wouldn't get you anything exciting.  The source machine has already
> been cracked, and chances are it will get hit again by the worm anyway.
> From what I've read about the "random" IP address generator used by the
> worm, the same sets of hosts get hit again and again. 

The intense increase in probes can be attributed to a new worm variant, 
which supposedly has the correct random seed generation code. I think you 
can safely assume that the probes we're seeing now are coming from the 
new worm variant.  I guess one could devise a script which cleans the
probing host from the worm and creates the file c:\noworm (or something 
similar), but it's probably too late anyway. 

-- Yotam Rubin

> 
> noah
> 
> -- 
>  ___
> | Web: http://web.morgul.net/~frodo/
> | PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: red worm amusement

2001-07-20 Thread Romanenko M.A.
I got such attempts from 21 distinct addresses against my server in Russia
from July 19 through July 20. I was able to resolve some of the addresses into
hostnames.

These are forged addresses, aren't they, and we cannot blame these hosts for the
attacks?

Mikhail.

- Original Message -
From: Yotam Rubin <[EMAIL PROTECTED]>
To: 
Sent: Saturday, July 21, 2001 7:06 AM
Subject: Re: red worm amusement


> On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> >
> > For amusement I checked the web logs for a few debian machines to see
> > if they had some red worm attempts. Seems we've been probed a fair
> > bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> > on www.debian.org. Almost all attempts were made on July 19. Aren't
> > we glad we all run Linux? :)
>
> That's pretty low, actually. I got attempts from 22 distinct addresses against
> one server located in Israel and 36 distinct attempts against a server located
> somewhere in the US. I think I'll add this to my advocacy toolkit now.
>
>   -- Yotam Rubin
>
> >
> >
> > Wichert.
> >
> > --
> >   _
> >  /   Nothing is fool-proof to a sufficiently talented fool \
> > | [EMAIL PROTECTED]   http://www.liacs.nl/~wichert/ |
> > | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
> >
> >



Re: red worm amusement - redirect

2001-07-20 Thread Noah L. Meyerhans
On Fri, Jul 20, 2001 at 06:24:54PM -0700, Alvin Oga wrote:
> if ya wrote a script... was thinking..wouldnt it be funny
> to redirect that incoming attack with the cgi script to 
> redirect it back to the incoming machine ???

It wouldn't get you anything exciting.  The source machine has already
been cracked, and chances are it will get hit again by the worm anyway.
From what I've read about the "random" IP address generator used by the
worm, the same sets of hosts get hit again and again.  Everybody that's
reported seeing the worm has reported many attempts at the exploit from
many different hosts.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: red worm amusement

2001-07-20 Thread Jeremy T. Bouse
Wichert Akkerman was said to been seen saying:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)
> 
My one web server has over 40 logged attempts all from unique
host addresses/IP addresses... Makes me laugh at the stupid IIS exploits
that so many execs order unwilling admins to install :)

Scratch another win for Linux...

Respectfully,
Jeremy T. Bouse

-- 
,-,
|Jeremy T. Bouse, CCNA - UnderGrid Network Services, LLC -  www.UnderGrid.net |
|Public PGP/GPG fingerprint and location in headers of message|
| If received unsigned (without requesting as such) DO NOT trust it!  |
| [EMAIL PROTECTED]   -   NIC Whois: JB5713   -   [EMAIL PROTECTED]  |
`-'




Re: red worm amusement - redirect

2001-07-20 Thread Alvin Oga


hi ya Alson..

if ya wrote a script... was thinking..wouldnt it be funny
to redirect that incoming attack with the cgi script to 
redirect it back to the incoming machine ???

c ya
alvin

On Sat, 21 Jul 2001, Alson van der Meulen wrote:

> On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> > 
> > For amusement I checked the web logs for a few debian machines to see
> > if they had some red worm attempts. Seems we've been probed a fair
> > bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> > on www.debian.org. Almost all attempts were made on July 19. Aren't
> > we glad we all run Linux? :)
> 
> I first saw it while tailing my access.log at home, grepping
> access.log's of other servers showed indeed around 20 hits per server.
> 
> Made some funny cgi script called /default.ida for fun :), apache
> didn't appear to like the HTTP request though, but thttpd passed it
> nicely to the cgi script. I even set up a temporary thttpd on a box
> just for fun of logging, wondered what would happen if I would adjust
> the router config at school to forward port 80 to an win2k server
> running IIS (prolly wouldn't have worked with Dutch localized IIS :( )
> 
> Linux people having fun with win2k-exploits ;)



Re: red worm amusement

2001-07-20 Thread Yotam Rubin
On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

That's pretty low, actually. I got attempts from 22 distinct addresses against
one server located in Israel and 36 distinct attempts against a server located
somewhere in the US. I think I'll add this to my advocacy toolkit now.

  -- Yotam Rubin

> 
> 
> Wichert.
> 
> -- 
>   _
>  /   Nothing is fool-proof to a sufficiently talented fool \
> | [EMAIL PROTECTED]   http://www.liacs.nl/~wichert/ |
> | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |
> 
> 



Re: red worm amusement

2001-07-20 Thread Sigurd Urdahl
Wichert Akkerman <[EMAIL PROTECTED]> writes:

> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

Really? As if linux has not had its worms? 

I think blaming Windows here is a tad bit short sighted. What we
hopefully can be glad for is that most of the people on this list
(hopefully) are good at upgrading their systems.

Code Red's success should as far as I can see mostly be attributed to
stupid admins, and unfortunately we also have stupid admins running
Linux.

But of course, we're all glad we are running Linux:) But maybe not
because of that (quite well written) piece of malware...

(is it fair to say that we have the better system, and that they have
the better worms? :)

-sig

-- 
Sigurd Urdahl   [EMAIL PROTECTED]
Systemkonsulent | Systems consultant
Linpro A/S   www.linpro.no



Re: red worm amusement

2001-07-20 Thread Ethan Benson
On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

otoh i get nearly a dozen ftp and dns connection attempts a week at a
minimum, no doubt looking for vulnerable versions of bind and
wu-ftpd.  also a dozen portmap connection attempts per day, no doubt
looking for vulnerable rpc.statd.

incompetent `morons with root password' (i won't call them sysadmins)
who won't install security updates are really the worst problem.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: red worm amusement

2001-07-20 Thread Mike Fedyk
On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

So that's what I get on my Birthday?  I wonder what I'll get next
year... ;)

Mike



Re: red worm amusement

2001-07-20 Thread Alson van der Meulen
On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

I first saw it while tailing my access.log at home, grepping
access.logs of other servers showed indeed around 20 hits per server.

Made some funny cgi script called /default.ida for fun :), apache
didn't appear to like the HTTP request though, but thttpd passed it
nicely to the cgi script. I even set up a temporary thttpd on a box
just for fun of logging, wondered what would happen if I would adjust
the router config at school to forward port 80 to a win2k server
running IIS (prolly wouldn't have worked with Dutch localized IIS :( )

Linux people having fun with win2k-exploits ;)
-- 
,---.
> Name:   Alson van der Meulen  <
> Personal:[EMAIL PROTECTED]<
> School:   [EMAIL PROTECTED]<
`---'
What's this switch for anyways...?
-
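As an added example, not code from any of the posters, here is a small POSIX shell script that does the counting this thread does by hand. It parses netfilter kernel log lines of the form Andy quotes (the `IN=eth1 ... SRC=... DPT=80 ... SYN` records) and counts distinct sources sending bare SYNs to a given port, and it counts distinct clients requesting /default.ida in an Apache-style access log, which is what Alson and Wichert grepped for. The sample log lines are constructed (RFC 5737 documentation addresses, a placeholder query string in place of the worm's request), and the layout it assumes is the standard netfilter LOG target output and the common/combined access log format.

```shell
#!/bin/sh
# Added example, not code from the thread: count distinct probing hosts in the two
# kinds of evidence quoted on the list, netfilter kernel log lines and access logs
# grepped for /default.ida. Sample lines are constructed; addresses are RFC 5737
# documentation ranges and the query string is a placeholder, not the worm's payload.

# Print the SRC address of every TCP packet with SYN set and ACK clear (a fresh
# connection attempt) to destination port $2 in kernel log file $1, one per line.
# The netfilter LOG format is key=value tokens plus bare flag words (DF, SYN, ACK).
syn_sources() {
  awk -v port="$2" '
    /PROTO=TCP/ {
      src = ""; dpt = ""; syn = 0; ack = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)      src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i == "SYN")  syn = 1
        else if ($i == "ACK")  ack = 1
      }
      if (syn && !ack && dpt == port && src != "") print src
    }' "$1"
}

# Number of distinct sources behind those attempts (the figure the thread compares).
count_syn_sources() { syn_sources "$1" "$2" | sort -u | awk 'END { print NR }'; }

# Attempts per source, busiest first; a host retrying every few minutes stands out.
top_syn_sources() { syn_sources "$1" "$2" | sort | uniq -c | sort -rn; }

# Print the client host of every request for /default.ida in a common- or
# combined-format access log ($7 is the request path), whatever status was returned.
ida_clients() {
  awk 'index($7, "/default.ida") == 1 { print $1 }' "$1"
}
count_ida_clients() { ida_clients "$1" | sort -u | awk 'END { print NR }'; }

# Constructed sample data so the script runs offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/kern.log" <<'EOF'
Jul 19 12:00:47 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=47979 DF PROTO=TCP SPT=1707 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 19 12:03:12 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=47990 DF PROTO=TCP SPT=1712 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 19 12:05:40 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2201 DF PROTO=TCP SPT=3344 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 19 12:06:01 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=203.0.113.9 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9012 DF PROTO=TCP SPT=4021 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 19 12:07:22 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=15 DF PROTO=TCP SPT=80 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Jul 19 12:08:00 router kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=70 TOS=0x00 PREC=0x00 TTL=58 ID=41 DF PROTO=UDP SPT=1234 DPT=80 LEN=50
EOF
cat > "$sample_dir/access.log" <<'EOF'
192.0.2.10 - - [19/Jul/2001:12:00:48 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 400 325
203.0.113.7 - - [19/Jul/2001:12:05:41 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 404 280
192.0.2.10 - - [19/Jul/2001:13:10:02 -0400] "GET /default.ida?PLACEHOLDER HTTP/1.0" 400 325
198.51.100.20 - - [19/Jul/2001:13:11:30 -0400] "GET /index.html HTTP/1.1" 200 1043
EOF

echo "distinct sources SYN-probing port 80:  $(count_syn_sources "$sample_dir/kern.log" 80)"
echo "distinct sources SYN-probing port 111: $(count_syn_sources "$sample_dir/kern.log" 111)"
echo "distinct clients requesting /default.ida: $(count_ida_clients "$sample_dir/access.log")"
top_syn_sources "$sample_dir/kern.log" 80
```

Counting distinct sources rather than raw hits is what makes the numbers in this thread comparable: the same host repeating every few minutes, which Noah's remark about the worm revisiting the same sets of hosts predicts, inflates a hit count but not a source count, and `top_syn_sources` shows that repetition directly. The port argument makes the same function serve for the 111 and 27374 probes Andy mentions.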



red worm amusement

2001-07-20 Thread Wichert Akkerman

For amusement I checked the web logs for a few debian machines to see
if they had some red worm attempts. Seems we've been probed a fair
bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
on www.debian.org. Almost all attempts were made on July 19. Aren't
we glad we all run Linux? :)


Wichert.

-- 
  _
 /   Nothing is fool-proof to a sufficiently talented fool \
| [EMAIL PROTECTED]   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



RE: iptables install

2001-07-20 Thread Pat Moffitt
I am using the packages from Adrian Bunk, they work great.

Add the following to /etc/apt/sources.list:

deb http://people.debian.org/~bunk/debian potato main
deb-src http://people.debian.org/~bunk/debian potato main

With this you can then use apt, capt or dselect.  (The tools that make me so
fond of debian.)

I hope this helps.

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.


> -Original Message-
> From: Vineet Kumar [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 20, 2001 1:05 PM
> To: debian security list
> Subject: Re: iptables install
>
>
> * Jeff Coppock ([EMAIL PROTECTED]) [010720 12:54]:
> >Dilemna:
> >I want to run iptables, but I'm running stable.  I have a
> >clean, bootable 2.4.6 kernel (took awhile, but I got it), and
> >then realized that the iptable package in not in stable, but
> >is in testing and unstable.  I looked for deb-src, but
> >couldn't find any.  I figured I could compile it on my stable
> >machine.
> >
> >Do I need to dist-upgrade to woody to use iptables?
> >
>
> No. Adrian Bunk has created great resources for running kernel 2.4.x
> on potato. I haven't used it myself, but reports are that it works
> great. Please see the website he has set up at
>
> http://www.fs.tum.de/~bunk/kernel-24.html
>
> He also has deb repositories with all the upgraded/new packages you'll
> need to run a 2.4 kernel with potato.
>
> Good luck.
>
> Vineet
>



Re: red worm amusement

2001-07-20 Thread Sigurd Urdahl

Wichert Akkerman <[EMAIL PROTECTED]> writes:

> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

Really? As if linux has not had it's worms? 

I think blaming Windows here is a tad bit short sighted. What we
hopefully can be glad for is that most of the people on this list
(hopefully) is good at upgrading their systems.

Code Red's success should as far as I can see mostly be contributed to
stupid admins, and unfortunatly we also have stupid admins running
Linux.

But of course, we're all glad we are running Linux:) But maybe not
because of that (quite well written) piece of malware...

(is it fair to say that we have the better system, and that they have
the better worms? :)

-sig

-- 
Sigurd Urdahl   [EMAIL PROTECTED]
Systemkonsulent | Systems consultant
Linpro A/S   www.linpro.no


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: red worm amusement

2001-07-20 Thread Ethan Benson

On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

otoh i get nearly a dozen ftp and dns connection attempts a week at a
minimum, no doubt looking for vulnerable versions of bind and
wu-ftpd.  also a dozen portmap connection attempts per day, no doubt
looking for vulnerable rpc.statd.

incompetant `morons with root password' (i won't call them sysadmins)
who won't install security updates are really the worse problem.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

 PGP signature


Re: red worm amusement

2001-07-20 Thread Mike Fedyk

On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

So that's what I get on my Birthday?  I wonder what I'll get next
year... ;)

Mike


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: red worm amusement

2001-07-20 Thread Alson van der Meulen

On Sat, Jul 21, 2001 at 02:10:42AM +0200, Wichert Akkerman wrote:
> 
> For amusement I checked the web logs for a few debian machines to see
> if they had some red worm attempts. Seems we've been probed a fair
> bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
> on www.debian.org. Almost all attempts were made on July 19. Aren't
> we glad we all run Linux? :)

I first saw it while tailing my access.log at home, grepping the
access.logs of other servers showed indeed around 20 hits per server.

Made some funny cgi script called /default.ida for fun :), apache
didn't appear to like the HTTP request though, but thttpd passed it
nicely to the cgi script. I even set up a temporary thttpd on a box
just for the fun of logging, wondered what would happen if I would adjust
the router config at school to forward port 80 to a win2k server
running IIS (prolly wouldn't have worked with Dutch localized IIS :( )

Linux people having fun with win2k-exploits ;)
-- 
,---.
> Name:   Alson van der Meulen  <
> Personal:[EMAIL PROTECTED]<
> School:   [EMAIL PROTECTED]<
`---'
What's this switch for anyways...?
-






red worm amusement

2001-07-20 Thread Wichert Akkerman


For amusement I checked the web logs for a few debian machines to see
if they had some red worm attempts. Seems we've been probed a fair
bit: 16 times on www.spi-inc.org, 22 on non-us.debian.org and 18
on www.debian.org. Almost all attempts were made on July 19. Aren't
we glad we all run Linux? :)


Wichert.

-- 
  _
 /   Nothing is fool-proof to a sufficiently talented fool \
| [EMAIL PROTECTED]   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |






Re: iptables install

2001-07-20 Thread Tim Haynes
Jeff Coppock <[EMAIL PROTECTED]> writes:

>I want to run iptables, but I'm running stable. I have a clean,
>bootable 2.4.6 kernel (took awhile, but I got it), and then realized
>that the iptable package is not in stable, but is in testing and
>unstable. I looked for deb-src, but couldn't find any. I figured I
>could compile it on my stable machine.
> 
>Do I need to dist-upgrade to woody to use iptables?

Not a whole dist-upgrade, no, but you might be best off putting a deb-src
entry for testing in sources.list, `apt-get update'-ing, and then doing an
apt-get source iptables
cd iptables-*
dpkg-buildpackage -rfakeroot
sudo dpkg -i ../iptables*deb

and you'll be away in one. Probably. :8)

~Tim
-- 
9:38pm  up 7 days, 21:13,  5 users,  load average: 0.17, 0.16, 0.13
[EMAIL PROTECTED] |You take your message to the waters,
http://piglet.is.dreaming.org |And you watch the ripples flow



Re: iptables install

2001-07-20 Thread Matthias Richter
Jeff Coppock wrote on Fri Jul 20, 2001 at 12:37:49PM:
> 
>Dilemma:
>I want to run iptables, but I'm running stable.  I have a
>clean, bootable 2.4.6 kernel (took awhile, but I got it), and
>then realized that the iptable package is not in stable, but
>is in testing and unstable.  I looked for deb-src, but
>couldn't find any.  I figured I could compile it on my stable
>machine.
> 
>Do I need to dist-upgrade to woody to use iptables?

No, you don't have to: http://www.fs.tum.de/~bunk/kernel-24.html tells
you how to upgrade stable to kernel 2.4.x --- including iptables. Works
fine here.

Matth¡as
-- 
Matthias Richter --+- stud. soz. & inf. -+-- http://www.uni-leipzig.de
-->GPG Public Key: http://www.matthias-richter.de/gpg.ascii<--

· Projekt Deutscher Wortschatz: http://wortschatz.uni-leipzig.de>




Re: iptables install

2001-07-20 Thread Robert Mognet
Hello,

On Fri, Jul 20, 2001 at 12:37:27PM -0700, Jeff Coppock wrote:
>Dilemma:
>I want to run iptables, but I'm running stable.  I have a
>clean, bootable 2.4.6 kernel (took awhile, but I got it), and
>then realized that the iptable package is not in stable, but
>is in testing and unstable. 

http://netfilter.filewatcher.org

Have been using iptables on potato with no problems.  
Downloaded source and compiled.

Check that you've included iptables support in your kernel, or have
compiled the correct modules.

Regards,
Robert



Re: iptables install

2001-07-20 Thread Vineet Kumar
* Jeff Coppock ([EMAIL PROTECTED]) [010720 12:54]:
>Dilemma:
>I want to run iptables, but I'm running stable.  I have a
>clean, bootable 2.4.6 kernel (took awhile, but I got it), and
>then realized that the iptable package is not in stable, but
>is in testing and unstable.  I looked for deb-src, but
>couldn't find any.  I figured I could compile it on my stable
>machine.
> 
>Do I need to dist-upgrade to woody to use iptables?
>

No. Adrian Bunk has created great resources for running kernel 2.4.x
on potato. I haven't used it myself, but reports are that it works
great. Please see the website he has set up at

http://www.fs.tum.de/~bunk/kernel-24.html

He also has deb repositories with all the upgraded/new packages you'll
need to run a 2.4 kernel with potato.

Good luck.

Vineet




Re: iptables install

2001-07-20 Thread Jim Breton
On Fri, Jul 20, 2001 at 12:37:49PM -0700, Jeff Coppock wrote:
>Do I need to dist-upgrade to woody to use iptables?

Nope.

http://netfilter.samba.org

Compiles very easily from source.  HTH.



RE: iptables install

2001-07-20 Thread Magus Ba'al
Someone spammed this out a while back. I just used this a few days ago,
and it worked just fine:

http://www.debian.org/News/2001/20010415


HTH,



Steven Beverly
IS Technician - PHX
IS Operations
EarthLink, Inc.
Cell: 602.723.4485
Pager: [EMAIL PROTECTED]


"I am the Illustrious Postmaster and Grand Poobah of Electronic
Transmissions" -Mary Jo Pehl, MST3K

"He who fights with monsters should look to it that he himself does not
become a monster...when you gaze long into the abyss the abyss also
gazes
into you." -Friedrich Nietzsche



-Original Message-
From: Jeff Coppock [mailto:[EMAIL PROTECTED] 
Sent: Friday, July 20, 2001 12:38 PM
To: debian security list
Subject: iptables install


   Dilemma:
   I want to run iptables, but I'm running stable.  I have a
   clean, bootable 2.4.6 kernel (took awhile, but I got it), and
   then realized that the iptable package is not in stable, but
   is in testing and unstable.  I looked for deb-src, but
   couldn't find any.  I figured I could compile it on my stable
   machine.

   Do I need to dist-upgrade to woody to use iptables?
   
   seeking help,
   jc   
   

-- 

Jeff CoppockNortel Networks
Systems Engineerhttp://nortelnetworks.com
Major Accts.Santa Clara, CA






RE: iptables install

2001-07-20 Thread Pat Moffitt

I am using the packages from Adrian Bunk; they work great.

Add the following to /etc/apt/sources.list:

deb http://people.debian.org/~bunk/debian potato main
deb-src http://people.debian.org/~bunk/debian potato main

With this you can then use apt, capt or dselect.  (The tools that make me so
fond of debian.)

I hope this helps.

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.


> -Original Message-
> From: Vineet Kumar [mailto:[EMAIL PROTECTED]]
> Sent: Friday, July 20, 2001 1:05 PM
> To: debian security list
> Subject: Re: iptables install
>
>
> * Jeff Coppock ([EMAIL PROTECTED]) [010720 12:54]:
> >Dilemma:
> >I want to run iptables, but I'm running stable.  I have a
> >clean, bootable 2.4.6 kernel (took awhile, but I got it), and
> >then realized that the iptable package is not in stable, but
> >is in testing and unstable.  I looked for deb-src, but
> >couldn't find any.  I figured I could compile it on my stable
> >machine.
> >
> >Do I need to dist-upgrade to woody to use iptables?
> >
>
> No. Adrian Bunk has created great resources for running kernel 2.4.x
> on potato. I haven't used it myself, but reports are that it works
> great. Please see the website he has set up at
>
> http://www.fs.tum.de/~bunk/kernel-24.html
>
> He also has deb repositories with all the upgraded/new packages you'll
> need to run a 2.4 kernel with potato.
>
> Good luck.
>
> Vineet
>






iptables install

2001-07-20 Thread Jeff Coppock
   Dilemma:
   I want to run iptables, but I'm running stable.  I have a
   clean, bootable 2.4.6 kernel (took awhile, but I got it), and
   then realized that the iptable package is not in stable, but
   is in testing and unstable.  I looked for deb-src, but
   couldn't find any.  I figured I could compile it on my stable
   machine.

   Do I need to dist-upgrade to woody to use iptables?
   
   seeking help,
   jc   
   

-- 

Jeff CoppockNortel Networks
Systems Engineerhttp://nortelnetworks.com
Major Accts.Santa Clara, CA



Re: read-write to stdin-stdout or to a file?

2001-07-20 Thread Pedro Zorzenon Neto
On Fri, Jul 20, 2001 at 12:42:13PM +0100, David Wright wrote:
> Do you mean this package?
> 
> "Programmer for Atmel AVR microcontrollers that uses PC parallel port

Yes.

> If so, I'm not sure why you think it needs to be setuid. Just
> chgrp somegroup /dev/lp0 (or whichever port) and put yourself
> (and any others) into somegroup.

I tried /dev/lp* and couldn't make the program work with it.

This program uses specific hardware connected to the printer port. It has to 
read some bits of the port and write other bits in patterns which have to change 
within some microseconds.

That is why it uses low-level ioperm, inb, outb to I/O port 0x378 (or another port, at 
user option[1]) and runs setuid root.

I think (not sure about all architectures) that because of this, it will run 
only on i386 machines. If I used /dev/lp* it would run on all machines. If 
someone knows how to use the lp device for this specific purpose, please write me.

  Thanks,
  Pedro

[1] root must edit a config file to say which ports the user can choose.



Re: read-write to stdin-stdout or to a file?

2001-07-20 Thread Colin Phipps
On Fri, Jul 20, 2001 at 08:28:54AM -0300, Pedro Zorzenon Neto wrote:
>I could use some options like this:
> 
>   $ avrprog -i input.data -o output.data
> 
>But I chose to use stdin/stdout instead.
> 
>   $ avrprog < input.data > output.data
> 
>Then I don't need to check if the user has permission to read/write that 
> file, don't need to check for symlink... because the shell will do this for 
> me.

To be accurate, the kernel does it for you. The unprivileged shell does the open
calls and the kernel validates them.

>Is this right? Did I make the right option when I decided to use
>stdin/stdout.

It should be safe.

On Fri, Jul 20, 2001 at 04:42:16AM -0700, Vladislav wrote:
> I think, the better way is to use freopen() function
> to reassign stdin, stdout and stderr.
> This is a more secure and shell-independent decision...

No, that would defeat the entire point of using stdin/stdout, which was to avoid
the privileged process having to open anything.

-- 
Colin Phipps PGP 0x689E463E http://www.netcraft.com/



Re: read-write to stdin-stdout or to a file?

2001-07-20 Thread David Wright
Quoting Pedro Zorzenon Neto ([EMAIL PROTECTED]):

>I wrote a program that needs to run setuid root due to direct hardware 
> access (Package: avrprog).

Do you mean this package?

"Programmer for Atmel AVR microcontrollers that uses PC parallel port
 to program the device in serial mode. The device can be programmed
 "in-system". It comes with a schematic of the hardware required.
 The hardware was designed to be efficient and inexpensive."

If so, I'm not sure why you think it needs to be setuid. Just
chgrp somegroup /dev/lp0 (or whichever port) and put yourself
(and any others) into somegroup.

Cheers,

-- 
Email:  [EMAIL PROTECTED]   Tel: +44 1908 653 739  Fax: +44 1908 655 151
Snail:  David Wright, Earth Science Dept., Milton Keynes, England, MK7 6AA
Disclaimer:   These addresses are only for reaching me, and do not signify
official stationery. Views expressed here are either my own or plagiarised.



Re: read-write to stdin-stdout or to a file?

2001-07-20 Thread Vladislav
Hola!

--- Pedro Zorzenon Neto <[EMAIL PROTECTED]> wrote:

>This program needs to read data from a file and
> also write to other file.
> 
>I could use some options like this:
> 
>   $ avrprog -i input.data -o output.data
> 
>But I chose to use stdin/stdout instead.
> 
>   $ avrprog < input.data > output.data
> 
>Then I don't need to check if the user has
> permission to read/write that file, don't need to
> check for symlink... because the shell will do this
> for me.
>
>Is this right? Did I make the right option when I
> decided to use stdin/stdout.

I think the better way is to use the freopen() function
to reassign stdin, stdout and stderr.
This is a more secure and shell-independent decision...


=
Regards, Vladislav. ---> http://cybervlad.port5.com




read-write to stdin-stdout or to a file?

2001-07-20 Thread Pedro Zorzenon Neto
Hi list,

   I wrote a program that needs to run setuid root due to direct hardware 
access (Package: avrprog).

   This program needs to read data from a file and also write to another file.

   I could use some options like this:

  $ avrprog -i input.data -o output.data

   But I chose to use stdin/stdout instead.

  $ avrprog < input.data > output.data

   Then I don't need to check if the user has permission to read/write that 
file, don't need to check for symlink... because the shell will do this for me.
   
   Is this right? Did I make the right choice when I decided to use 
stdin/stdout?

   Thanks in advance,
   Pedro

Note: user messages and error messages go to stderr.



RE: CGI Buffer Overflow?

2001-07-20 Thread Johan Segernas

It's a worm called Code Red, spreading through IIS servers. Nothing
you have to worry about if you're only running Apache.
We don't, so we should have worried yesterday. =)


There is info on cert.org, eeye.com and probably /. and
so on..


I've seen 100 of these on one server, around 70
on another. Plus the IIS we got infected (not
my area =)).



> -Original Message-
> From: Brian Rectanus [mailto:[EMAIL PROTECTED]]
> Sent: den 19 juli 2001 23:17
> To: debian-security@lists.debian.org
> Subject: CGI Buffer Overflow?
> 
> 
> Anyone seen this before?  I have looked around for similar 
> attacks, but
> cannot find any info.  I assume that is a unicode string 
> padded out with
> Ns.  How would I go about finding out what is in the string?
> 
> 
> xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
> /default.ida?N
> NN
> NN
> NN
> NN
> NN
> N%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd
> 3%u7801%u9
> 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
> b%u53ff%u0
> 078%u%u00=a  HTTP/1.0" 400 328
> 
> 
> --Brian
> 
> 
> 
###

This message has been scanned by F-Secure Anti-Virus for Microsoft Exchange.
For more information, connect to http://www.F-Secure.com/
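The defender's side of the log lines in this thread, as an added example that is not code from anyone on the list: it pulls the client address and request path out of Apache access-log records, matches the /default.ida? signature Brian quoted (a filler run followed by %u escapes), and classifies the source against exactly the three RFC 1918 blocks Bob Bernstein lists further down the thread, since a probe from such an address means the scanning host is on the same NAT'ed network as the server. The sample records are constructed with RFC 5737 documentation addresses and are not taken from any Debian host; the filler letter X for a later variant is my addition, not something the thread states.

```c
/* Pick Code Red style probes out of Apache access-log lines. Added example,
   not code from anyone on the list; the sample records are constructed. */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample log: RFC 5737 documentation addresses plus one RFC 1918
   address. The request shape follows the line quoted by Brian Rectanus. */
static const char *const SAMPLE_LOG[] = {
    "203.0.113.7 - - [19/Jul/2001:14:28:23 -0400] \"GET /default.ida?NNNNNNNNNNNN%u9090%u6858%ucbd3%u7801=a HTTP/1.0\" 400 328",
    "198.51.100.9 - - [19/Jul/2001:15:01:02 -0400] \"GET /index.html HTTP/1.0\" 200 1043",
    "203.0.113.7 - - [19/Jul/2001:16:45:10 -0400] \"GET /default.ida?NNNNNN%u9090%u6858=a HTTP/1.0\" 404 201",
    "10.0.0.5 - - [20/Jul/2001:02:10:42 +0200] \"GET /default.ida?NNN%u9090=a HTTP/1.0\" 400 328",
    "192.0.2.44 - - [20/Jul/2001:03:00:00 +0200] \"POST /cgi-bin/form.cgi HTTP/1.1\" 200 12",
    "garbage that is not a log record",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* First blank-separated field: the client address. 1 on success. */
int extract_client(const char *line, char *out, size_t outlen)
{
    size_t n = strcspn(line, " ");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, line, n);
    out[n] = '\0';
    return 1;
}

/* Request path: the token after the method inside the quoted request. */
int extract_path(const char *line, char *out, size_t outlen)
{
    const char *quote = strchr(line, '"');
    if (!quote)
        return 0;
    const char *sp = strchr(quote + 1, ' ');
    if (!sp)
        return 0;
    const char *start = sp + 1;
    size_t n = strcspn(start, " \"");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, start, n);
    out[n] = '\0';
    return 1;
}

/* Signature: /default.ida? then the filler run (N as in the thread, X in a
   later variant) then at least one %uXXXX escape. */
int is_default_ida_probe(const char *path)
{
    static const char prefix[] = "/default.ida?";
    if (strncmp(path, prefix, sizeof prefix - 1) != 0)
        return 0;
    const char *p = path + sizeof prefix - 1;
    size_t run = strspn(p, "NX");
    if (run == 0)
        return 0;
    p += run;
    if (p[0] != '%' || p[1] != 'u')
        return 0;
    for (int i = 2; i < 6; i++)
        if (!isxdigit((unsigned char)p[i]))
            return 0;
    return 1;
}

/* Exactly the three RFC 1918 blocks listed in the thread. */
int is_rfc1918(const char *ip)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return 0;
    uint32_t h = ntohl(a.s_addr);
    return (h & 0xff000000u) == 0x0a000000u ||   /* 10.0.0.0/8 */
           (h & 0xfff00000u) == 0xac100000u ||   /* 172.16.0.0/12 */
           (h & 0xffff0000u) == 0xc0a80000u;     /* 192.168.0.0/16 */
}

struct probe_stats { int probes; int private_probes; int unparsed; };

/* Scan n lines: count probes, probes from RFC 1918 sources, unparsable lines. */
struct probe_stats scan_log(const char *const *lines, size_t n)
{
    struct probe_stats s = {0, 0, 0};
    char client[64], path[2048];
    for (size_t i = 0; i < n; i++) {
        if (!extract_client(lines[i], client, sizeof client) ||
            !extract_path(lines[i], path, sizeof path)) {
            s.unparsed++;
            continue;
        }
        if (!is_default_ida_probe(path))
            continue;
        s.probes++;
        if (is_rfc1918(client))
            s.private_probes++;
    }
    return s;
}

int main(void)
{
    struct probe_stats s = scan_log(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d probe(s), %d from RFC 1918 sources, %d unparsed line(s)\n",
           s.probes, s.private_probes, s.unparsed);
    return 0;
}
```

The 400 and 404 statuses in the sample are the point Alson made: Apache rejects or misses the request, so the hit is harmless to the server and only the source address is of interest.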





Re: CGI Buffer Overflow?

2001-07-20 Thread Tamas TEVESZ
On Thu, 19 Jul 2001, Brian Rectanus wrote:

 > xxx.xxx.xxx.xxx - - [19/Jul/2001:14:28:23 -0400] "GET
 > /default.ida?NNN

http://www.eeye.com/html/Research/Advisories/AL20010717.html

-- 
[-]
"you're wasting my time, chatterbox."



Re: non-US security fixes URL

2001-07-20 Thread Warren Turkal
Try
http://security.debian.org/dists/potato/updates/main/*
http://security.debian.org/dists/potato/updates/contrib/*
http://security.debian.org/dists/potato/updates/non-free/*

On Friday 20 July 2001 03:33, Jason Thomas wrote:
> On Fri, Jul 20, 2001 at 09:39:55AM +0300, Juha Jäykkä wrote:
> > > deb http://security.debian.org potato/updates main contrib
> > > non-free
>
> Does this actually work? From what I can tell it ends up being
> http://security.debian.org/potato/updates/main/*
> http://security.debian.org/potato/updates/contrib/*
> http://security.debian.org/potato/updates/non-free/*
>
> I am unable to look at any of them, leaving off the '*' of course.
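What apt actually requests for a sources.list line, as an added example that is not apt's own code; it follows the layout described in sources.list(5). It shows why the /potato/updates/ URLs Jason built by hand give nothing while Warren's /dists/potato/updates/ ones exist: apt puts dists/ between the URI and the suite and then adds the component and a binary-ARCH (or source) directory. The same rule applies to Pat Moffitt's deb and deb-src lines for Adrian Bunk's repository earlier in the thread. The architecture string, the buffer sizes and the treatment of a suite ending in '/' as a flat repository are assumptions of this example.

```c
/* Where apt looks for the index named by a sources.list line. Added example,
   not apt's code; follows the sources.list(5) layout
   URI/dists/DIST/COMP/binary-ARCH/Packages (deb) or .../COMP/source/Sources
   (deb-src). A DIST ending in '/' is a flat repository: URI/DIST/Packages. */
#include <stdio.h>
#include <string.h>

/* Copy the next blank-separated token of s (from *pos) into out; 0 if none. */
static int next_token(const char *s, size_t *pos, char *out, size_t outlen)
{
    *pos += strspn(s + *pos, " \t");
    size_t n = strcspn(s + *pos, " \t");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, s + *pos, n);
    out[n] = '\0';
    *pos += n;
    return 1;
}

/* Write the index URL for component number comp_index of the line into out.
   Returns 1 if written, 0 if there is no component at that index,
   -1 if the line is malformed or out is too small. */
int apt_index_url(const char *line, int comp_index, const char *arch,
                  char *out, size_t outlen)
{
    char type[16], uri[256], dist[128], comp[64];
    size_t pos = 0;
    if (!next_token(line, &pos, type, sizeof type) ||
        !next_token(line, &pos, uri, sizeof uri) ||
        !next_token(line, &pos, dist, sizeof dist))
        return -1;
    int src;
    if (strcmp(type, "deb") == 0)
        src = 0;
    else if (strcmp(type, "deb-src") == 0)
        src = 1;
    else
        return -1;
    size_t ul = strlen(uri);
    while (ul > 0 && uri[ul - 1] == '/')   /* tolerate a trailing slash on the URI */
        uri[--ul] = '\0';
    const char *index = src ? "Sources" : "Packages";
    int n;
    if (dist[strlen(dist) - 1] == '/') {
        /* flat repository: no dists/, and listing components is an error */
        if (next_token(line, &pos, comp, sizeof comp))
            return -1;
        if (comp_index != 0)
            return 0;
        n = snprintf(out, outlen, "%s/%s%s", uri, dist, index);
    } else {
        for (int i = 0; i <= comp_index; i++)
            if (!next_token(line, &pos, comp, sizeof comp))
                return i == 0 ? -1 : 0;   /* at least one component is required */
        n = src ? snprintf(out, outlen, "%s/dists/%s/%s/source/%s", uri, dist, comp, index)
                : snprintf(out, outlen, "%s/dists/%s/%s/binary-%s/%s", uri, dist, comp, arch, index);
    }
    return (n > 0 && (size_t)n < outlen) ? 1 : -1;
}

int main(void)
{
    /* the line from the thread, expanded component by component */
    const char *line = "deb http://security.debian.org potato/updates main contrib non-free";
    char url[512];
    for (int i = 0; apt_index_url(line, i, "i386", url, sizeof url) == 1; i++)
        puts(url);
    return 0;
}
```

Compiled and run, it prints the three /dists/potato/updates/.../binary-i386/Packages URLs, one per component, which is the directory tree Warren pointed at.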



Re: non-US security fixes URL

2001-07-20 Thread Jason Thomas
On Fri, Jul 20, 2001 at 09:39:55AM +0300, Juha Jäykkä wrote:
> > deb http://security.debian.org potato/updates main contrib non-free

Does this actually work? From what I can tell it ends up being 
http://security.debian.org/potato/updates/main/*
http://security.debian.org/potato/updates/contrib/*
http://security.debian.org/potato/updates/non-free/*

I am unable to look at any of them, leaving off the '*' of course.

-- 
Jason Thomas   Phone:  +61 2 6257 7111
System Administrator  -  UID 0 Fax:+61 2 6257 7311
tSA Consulting Group Pty. Ltd. Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602 http://www.topic.com.au/




Apologies - previous was accidental post.

2001-07-20 Thread Alan McNatty
Improvements always welcome ;-) 



Unidentified subject!

2001-07-20 Thread Alan McNatty

-- 

Alan McNatty 
Catalyst IT Ltd
Level 22 - 105 The Terrace, 
Wellington

phone: 4 4992267 x705
mob: 21 2661571
email: [EMAIL PROTECTED] 


test.pl
Description: Perl program


Re: non-US security fixes URL

2001-07-20 Thread Juha Jäykkä
> deb http://security.debian.org/debian-security potato/updates main contrib non-free
> deb http://security.debian.org/debian-non-US potato/non-US main contrib non-free
> deb http://security.debian.org potato/updates main contrib non-free

  Someone administering the www.debian.org security pages might want to
add that non-US security fix URL to the pages. Currently it is not
mentioned there.

-- 
 ---
| Juha Jäykkä, [EMAIL PROTECTED]|
| home: http://www.utu.fi/~juolja/  |
 ---



Re: It's speading nicely.

2001-07-20 Thread Bob Bernstein
On Thu, Jul 19, 2001 at 08:43:43PM -0500, xbud wrote:

> 'Nicely' probably isn't a preferred word but you all know what I mean.
> 
> Here are some numbers. 

Is this thing known to point itself at the private IP blocks, i.e.

# 10.0.0.0  10.255.255.255
# 172.16.0.0172.31.255.255
# 192.168.0.0   192.168.255.255

I'm wondering about those cable internet companies that use huge NAT'ed nets
for their customers. Not that those customers would be running IIS, but just
curious.

-- 
Bob Bernstein
at
Esmond, R.I., USA


