Re: New IIS worm
* Johann Schwarzmeier ([EMAIL PROTECTED]) [010921 14:25]:
> Hello,
>
> Hint: see what I've done:
>
> /etc/apache/srm.conf:
> Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
> Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
>
> The CGI:
>
> echo "You come from : ${REMOTE_ADDR}"
>
> sudo ipchains -I wan-in -j DENY -l -s ${REMOTE_ADDR}
> sudo ipchains -I wan-out -j DENY -l -s ${REMOTE_ADDR}
>
>
> keep in mind: sudo !
> /etc/sudoers
> .
> Cmnd_Alias FIREWALL=/sbin/ipchains
> .
> www-data ALL=NOPASSWD: WWW,FIREWALL

careful with that... someone who breaks your apache will have permission
to do, say:

sudo ipchains -P input ACCEPT
sudo ipchains -F input

> it works fine. The cracker comes only one time. :-)

On the whole, I'm sure it does, and the risk is acceptably slim. One way
to reduce the risk further would be to specify the specific arguments to
ipchains, or make a wrapper script something like this:

#!/bin/sh
# /usr/local/sbin/nimdablocker.sh: give me $1, and I block him.
ipchains -I wan-in -j DENY -l -s "$1"
ipchains -I wan-out -j DENY -l -s "$1"
#EOF

and allow that via sudo instead.

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
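The wrapper Vineet suggests narrows what www-data can run through sudo, but a wrapper that passes "$1" straight to ipchains still lets whoever controls the argument hand ipchains an option instead of an address. The script below is an added example, not Vineet's or Johann's code: it keeps the wan-in/wan-out chains from the thread, checks that the argument is a plain dotted-quad IPv4 address before touching ipchains, and refuses anything else. The IPCHAINS variable (to point the script at a stand-in binary for a dry run) and the sudoers line in the comment are this example's own assumptions.

```shell
#!/bin/sh
# /usr/local/sbin/nimdablocker.sh (example, not the list poster's script):
# block one source address via ipchains, but only after checking that the
# argument is four decimal octets. A caller allowed to run this via sudo
# therefore cannot smuggle in options such as "-P input ACCEPT".
#
# /etc/sudoers would then grant only this script, not ipchains itself:
#   www-data ALL=NOPASSWD: /usr/local/sbin/nimdablocker.sh

IPCHAINS=${IPCHAINS:-/sbin/ipchains}   # override for dry runs (assumption, not an ipchains feature)

# is_ipv4 ADDR: return 0 if ADDR is a.b.c.d with each octet in 0-255, else 1.
is_ipv4() {
    addr=$1
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
        *.*.*.*.*)            return 1 ;;   # more than three dots
        *.*.*.*)              ;;            # exactly three dots
        *)                    return 1 ;;   # fewer than three dots (or empty)
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr                            # split into the four octets
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_host ADDR: validate, then insert DENY rules on both chains.
# Returns 2 (and does nothing) when ADDR is not an IPv4 address.
block_host() {
    if ! is_ipv4 "$1"; then
        echo "refusing to block '$1': not an IPv4 address" >&2
        return 2
    fi
    "$IPCHAINS" -I wan-in  -j DENY -l -s "$1" &&
    "$IPCHAINS" -I wan-out -j DENY -l -s "$1"
}

# Only act when invoked with an argument, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    block_host "$1"
fi
```

Because the CGI passes REMOTE_ADDR, which Apache fills from the TCP peer address, the check normally just passes; it exists for the case Vineet describes, where the process calling sudo is no longer the CGI you wrote.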
Re: setuid changes
apt-get install sxid

On Fri, Sep 21, 2001 at 10:22:29AM -0700, Micah Anderson wrote:
> I was thinking it would be nice to see what sort of new setuid
> programs show up on my box each day... then I noticed that these are
> already being logged in /var/log/setuid.today and
> /var/log/setuid.yesterday. What makes these? It appears they come from
> /etc/cron.daily/standard which runs /usr/sbin/checksecurity.
>
> But, what is the point of logging these each day into
> /var/log/setuid.changes if nobody sees them? Why doesn't this list get
> emailed to root? Am I missing something?
>
> Micah

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
Re: New IIS worm
Hello,

Hint: see what I've done:

/etc/apache/srm.conf:
Alias /c/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi
Alias /d/winnt/system32/cmd.exe /usr/lib/cgi-bin/block.cgi

The CGI:

#!/bin/sh
# Apache expects a header line and a blank line before the body.
echo "Content-type: text/plain"
echo
echo "You come from : ${REMOTE_ADDR}"

sudo ipchains -I wan-in -j DENY -l -s "${REMOTE_ADDR}"
sudo ipchains -I wan-out -j DENY -l -s "${REMOTE_ADDR}"

keep in mind: sudo !
/etc/sudoers
.
Cmnd_Alias FIREWALL=/sbin/ipchains
.
www-data ALL=NOPASSWD: WWW,FIREWALL

it works fine. The cracker comes only one time. :-)

On Thursday 20 September 2001 03:48, R Allen Blowers wrote:
> You could use the hosts.deny file for this also, no?
>
> Best Regards, Allen
>
> > -----Original Message-----
> > From: Emmanuel Valliet [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, September 18, 2001 8:09 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: New IIS worm
> >
> > (2001-09-18) Emmanuel Valliet sed :
> > | I know we don't care on linux, but I have really a lot of hits from
> > | machines querying for the ..%%35c../winnt/system32/cmd.exe and Cie.
> > | And it starts to make a lot of apache children, and the global charge
> > | grows consequently.
> > | Is there a way to protect from that ?
> > | Using an apache configuration trick ?
> > | Or blacklisting and using some firewall rules behind ?
> > | If anyone knows how to do, or has already done the script that kicks
> > | these infected servers, it could interest me...
> >
> > Hum, doing a script that parses the logs and catches the bad servers was
> > easy. But I didn't realize that the infection could be that big and
> > quick.
> >
> > Euh can ipchains or iptables support some more 1500 denying rules
> > ? I don't think so...
> >
> > Anyway, it doesn't matter, my apache servers seem to survive the
> > "flood", I'm just happy to have big CPU and lot of mem.
> >
> > Just the script, if you want to count the worm hits on your box:
> > (really not a piece of art)
> >
> > #!/usr/bin/perl
> > use strict;
> >
> > # One line per worm victim: the first request from each client address
> > # that asks for cmd.exe under /scripts/ is reported, later ones are skipped.
> > my %bannlist;
> >
> > while (<>) {
> >     next if not /^(.*) - -.*GET \/scripts\/.*winnt.*\/cmd.exe.*$/;
> >     my $host = $1;
> >     next if $bannlist{$host};
> >     $bannlist{$host} = 1;
> >     # system("/sbin/ipchains -A input -p tcp -s $host -d 10.0.2.138 www -j DENY");
> >     print "Worm victim: $host\n";
> > }
> >
> > --
> > VALLIET Emmanuel ! http://www.webmotion.com
> > Webmotion Inc. ! mailto:[EMAIL PROTECTED]
> > Oxymoron: Stuck in traffic.
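Emmanuel's Perl script only matches probes under /scripts/, while Johann's Alias lines catch the /c/ and /d/ forms. The shell script below is an added example, not Emmanuel's script or anything from the list, that does the counting he describes but matches any request path that reaches winnt/system32/cmd.exe, whatever prefix or URL encoding the worm used, so it goes a little beyond the specific regex in the thread. The log lines it runs on are constructed for the example (RFC 5737 documentation addresses), not taken from a real server.

```shell
#!/bin/sh
# Count worm probes per source host in an Apache common/combined log.
# Added example, not Emmanuel Valliet's Perl script from the thread.

# worm_hits [LOGFILE...]: print "COUNT HOST" for every host that asked for
# winnt/system32/cmd.exe, most active host first. Reads stdin when no file
# is given. The request is lower-cased and %2f is decoded first, so the
# /scripts/..%255c.., /c/, /d/, /msadc/ and %c1%1c variants all match.
worm_hits() {
    awk '
        {
            line = tolower($0)
            gsub(/%2f/, "/", line)
            if (line ~ /"(get|head|post) [^"]*winnt\/system32\/cmd\.exe/)
                hits[$1]++          # $1 is the client address in common log format
        }
        END { for (h in hits) printf "%d %s\n", hits[h], h }
    ' "$@" | sort -rn
}

# Constructed sample log (not from any real server): three probes from one
# host, two from another, one ordinary request that must not be counted.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [18/Sep/2001:20:01:02 +0200] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208
192.0.2.10 - - [18/Sep/2001:20:01:03 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208
192.0.2.10 - - [18/Sep/2001:20:01:03 +0200] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208
198.51.100.7 - - [18/Sep/2001:20:05:41 +0200] "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 208
198.51.100.7 - - [18/Sep/2001:20:05:42 +0200] "GET /_vti_bin/..%c1%1c../winnt%2fsystem32%2fcmd.exe?/c+dir HTTP/1.0" 404 208
203.0.113.5 - - [18/Sep/2001:20:07:00 +0200] "GET /index.html HTTP/1.0" 200 1532
EOF
}

# With a log file as argument, count real hits; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    worm_hits "$@"
else
    sample_log | worm_hits
fi
```

Run as "sh worm_hits.sh /var/log/apache/access.log" to get the per-host counts; the output of the sample is "3 192.0.2.10" followed by "2 198.51.100.7". Counting first and blocking afterwards, rather than inserting a rule on every hit, keeps the number of ipchains rules bounded by the number of distinct hosts, which is the concern Emmanuel raises about 1500 rules.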
Re: setuid changes
* Micah Anderson ([EMAIL PROTECTED]) [010921 10:23]:
> I was thinking it would be nice to see what sort of new setuid
> programs show up on my box each day... then I noticed that these are
> already being logged in /var/log/setuid.today and
> /var/log/setuid.yesterday. What makes these? It appears they come from
> /etc/cron.daily/standard which runs /usr/sbin/checksecurity.
>
> But, what is the point of logging these each day into
> /var/log/setuid.changes if nobody sees them? Why doesn't this list get
> emailed to root? Am I missing something?

Well, maybe root should go see them?

I don't mean to be snotty about it, but surely you concede that there is
a point to logging and not emailing something; surely you have other logs
on your system which are not emailed to root? As root, it's best to be
vigilant and actively inspect your system rather than just wait for
alerts to come to you.

That's not to say that alerts aren't helpful, and that it probably would
be nice to send these to root. You should be able to get that effect by
simply adding it to the cron job. You'd just need to add a line that says
"cat /var/log/setuid.changes", as stdout from the cron job gets mailed to
its owner (root).

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
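Vineet's suggestion relies on cron mailing whatever the daily job writes to stdout. The script below, an added example that is not part of checksecurity or of anyone's post in this thread, takes the idea one step further: it compares yesterday's and today's setuid lists and produces output only when the set of files changed, so root gets mail on the days that matter and silence otherwise. It treats each line of the list files as an opaque record, so it does not depend on the exact listing format checksecurity writes, only on both days using the same format. The file paths /var/log/setuid.yesterday and /var/log/setuid.today are the ones Micah names; the demo lists are constructed.

```shell
#!/bin/sh
# Mail root only when the setuid/setgid list changed since yesterday.
# Added example for /etc/cron.daily, not part of checksecurity.

# setuid_diff YESTERDAY TODAY: print "+ record" for entries that appeared
# and "- record" for entries that vanished. Returns 0 when the two lists
# hold the same records (order does not matter), 1 when they differ.
setuid_diff() {
    tmp_y=$(mktemp)
    tmp_t=$(mktemp)
    sort "$1" > "$tmp_y"
    sort "$2" > "$tmp_t"
    changes=$(
        comm -13 "$tmp_y" "$tmp_t" | sed 's/^/+ /'   # only in today
        comm -23 "$tmp_y" "$tmp_t" | sed 's/^/- /'   # only in yesterday
    )
    rm -f "$tmp_y" "$tmp_t"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# report_if_changed YESTERDAY TODAY: what the cron job runs. Anything
# printed here ends up in cron's mail to root; nothing is printed when
# nothing changed.
report_if_changed() {
    if ! out=$(setuid_diff "$1" "$2"); then
        echo "setuid/setgid changes since yesterday on $(uname -n):"
        printf '%s\n' "$out"
    fi
}

# demo: constructed lists (not from a real system) where one setuid file
# disappeared and one appeared in a place it has no business being.
demo() {
    y=$(mktemp)
    t=$(mktemp)
    printf '%s\n' /usr/bin/passwd /usr/bin/su /usr/bin/oldtool > "$y"
    printf '%s\n' /usr/bin/passwd /usr/bin/su /tmp/.hidden/sh > "$t"
    report_if_changed "$y" "$t"
    rm -f "$y" "$t"
}

# Installed as a cron job, replace the demo call with:
#   report_if_changed /var/log/setuid.yesterday /var/log/setuid.today
if [ "$#" -eq 0 ]; then
    demo
else
    report_if_changed "$1" "$2"
fi
```

The demo prints a header line followed by "+ /tmp/.hidden/sh" and "- /usr/bin/oldtool". A cron job written this way still leaves the full lists in /var/log for the kind of active inspection Vineet recommends; the mail is just the nudge to go and look.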
setuid changes
I was thinking it would be nice to see what sort of new setuid programs
show up on my box each day... then I noticed that these are already being
logged in /var/log/setuid.today and /var/log/setuid.yesterday. What makes
these? It appears they come from /etc/cron.daily/standard which runs
/usr/sbin/checksecurity.

But, what is the point of logging these each day into
/var/log/setuid.changes if nobody sees them? Why doesn't this list get
emailed to root? Am I missing something?

Micah
LOST EMAIL
hi everyone!

I have lost the mailbox [EMAIL PROTECTED]. Be suspicious of any message
that reaches you from that address.

If you do receive a message from that address, please be so kind as to
let me know: you would be doing me a big favour.

If you don't know me, I apologise for the bother: I also lost the address
book I kept on the yahoo site and found myself forced to write a little C
program to search for email addresses among my old messages.

If instead you do know me, could you please REPLY to the address I sent
this message from, stating who you are and your email address(es) in the
body of the message? If possible, don't change the subject. At that point
I will send you my new addresses: this is not my new mailbox and it will
be shut down in a couple of weeks.

bye and many thanks,

sandr8)