Re: DoS in debian (potato) proftpd
On Wed, Mar 27, 2002 at 12:37:59AM +0100, martin f krafft wrote:

thus spoke Joe Dollard [EMAIL PROTECTED] [2002.03.25.2114 +0100]:

Hi,

The version of proftp that is in debian potato (1.2.0pre10 as reported by running 'proftpd -v ') is vulnerable to a glob DoS attack, as discovered on the 15th March 2001. You can verify this bug by logging in to a server running debian stable's proftpd and type ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*. This results with 100% of the CPU and memory resources being consumed (more info at http://proftpd.linux.co.uk/critbugs.html),

(please fix your line wraps!)

security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not contain this bug, at least not on i386 systems:

fishbowl:~ ncftp lapse.home.madduck.net
NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason ([EMAIL PROTECTED]).
Connecting to 192.168.14.3
ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
Logging in...
Anonymous access granted, restrictions apply.
Logged in to localhost.
ncftp / ls */../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*/../*
and on for another screen full
fishbowl:~ ssh lapse 'cat /etc/debian_version; uname -a'
2.2r5
Linux lapse 2.2.20 #1 Tue Feb 12 14:22:30 CET 2002 i486

If my understanding of this bug is right the new bug with the old problem is in mod_sql. So if you don't use it you should not be vulnerable cause no input data is passed through it. Another thing, the vulnerable mod_sql release was not shipped with the proftpd stable release.

Sven

--
Lamer! :)\nLocal admin with enormous rights[tm]
[Christian Schneider and Jens Himmelrath in alt.hacker.org-gcf]
http://www.linux-secure.de http://www.linuxboard.de
http://www.bluephod.net http://www.disconow.de

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
the MUST HAVE tool of the security industry...and it's FREE
if you work in the security industry, you cannot afford to ignore this e-mail... www.SourceSecurity.com is the only definitive and independent product finder to ensure you can find the best products to meet your security needs...as well as informing you of new technology, products and upgrades. it's FREE to use - so what have you to lose? even better than FREE - first time users will also be entered in our Caribbean holiday draw... just one click away - www.SourceSecurity.com
Visonic release NEXT Duo digital detector
...combining advanced infrared and microwave technologies in a single compact unit

To view more information, click on the product hyperlink below and this will link you directly to the www.SourceSecurity.com new product database.

Visonic add Duo to NEXT digital detector range
Powerful performance and reliability in a sleek and stylish unit

We apologise if this e-mail has reached you in error. If you no longer wish to receive our security new product alerts and reviews, please reply to this e-mail with REMOVE in the subject line, or send a blank e-mail to [EMAIL PROTECTED]
Re: Rootkit Detection
On Wed, 27 Mar 2002 09:11:58 JST [EMAIL PROTECTED] (NOKUBI Takatsugu) wrote:

[...]

I could make potato package easily from sid's source. It requires build-essential and debhelper to do it.

Ok guy, but apt pin is so easy =)

See:

- Add in your sources.list something like:

    deb http://http.us.debian.org/debian unstable main contrib non-free
    deb-src http://http.us.debian.org/debian unstable main contrib non-free

- /etc/apt/preferences example:

    Package: *
    Pin: release a=stable
    Pin-Priority: 500

    Package: chkrootkit
    Pin: release a=unstable
    Pin-Priority: 50

Instead of chkrootkit, try * for more packages at unstable tree.

It's better and more secure than a big sources.list, with unknown repositories...

bye,

--
Alternex S/A - www.alternex.com.br -- Rio de Janeiro/Brazil
gnupg id: 0x37155778 (fetch from keyserver: wwwkeys.eu.pgp.net)
Key fingerprint = 1908 52B9 4A16 6EC2 74D1 C03B EDFB 7005 3715 5778
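How apt resolves the pin priorities in the preferences example above, and in the "*" variant the message mentions, shown as an added example that is not part of the original message. It is a simplified model of the rules in apt_preferences(5); the archive contents and version tuples are constructed, and it assumes no APT::Default-Release is set.

```python
# Simplified model of apt candidate selection, following apt_preferences(5).
# Assumptions: no APT::Default-Release is set, and versions are constructed
# tuples standing in for real Debian version strings.
DEFAULT = 500     # uninstalled version with no matching pin
INSTALLED = 100   # floor for the version already on the system

# (package, archive, priority): the file as posted, and the "*" variant.
POSTED = [("*", "stable", 500), ("chkrootkit", "unstable", 50)]
WILDCARD = [("*", "stable", 500), ("*", "unstable", 50)]

# Constructed archive contents: package -> {archive: version}.
ARCHIVES = {
    "proftpd": {"stable": (1, 0), "unstable": (2, 0)},
    "chkrootkit": {"unstable": (1, 0)},  # only packaged in unstable
}


def pin_priority(prefs, package, archive):
    """A pin naming the package beats 'Package: *'; else the default."""
    for wanted in (package, "*"):
        for name, pinned_archive, priority in prefs:
            if name == wanted and pinned_archive == archive:
                return priority
    return DEFAULT


def candidate(prefs, package, installed=None):
    """Return (archive, version, priority) apt would pick, or None."""
    best = None
    for archive, version in ARCHIVES[package].items():
        priority = pin_priority(prefs, package, archive)
        if priority < 0:
            continue  # negative pin: never installed
        if installed is not None:
            if version == installed:
                priority = max(priority, INSTALLED)
            elif version < installed and priority <= 1000:
                continue  # a downgrade needs a pin above 1000
            elif priority < INSTALLED:
                continue  # below 100 never replaces an installed version
        if best is None or (priority, version) > (best[2], best[1]):
            best = (archive, version, priority)
    return best


if __name__ == "__main__":
    for label, prefs in (("posted", POSTED), ("wildcard", WILDCARD)):
        print(label, candidate(prefs, "chkrootkit"),
              candidate(prefs, "proftpd", installed=(1, 0)))
```

In this model the posted file leaves proftpd without a pin on unstable, so it falls back to priority 500 and the newer unstable version wins the tie with stable; with the "*" variant it stays on stable. chkrootkit is installable from unstable in both cases.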
Re: DoS in debian (potato) proftpd
On Wed, 27 Mar 2002 00:37:59 +0100 martin f krafft [EMAIL PROTECTED] wrote:

[...]

(please fix your line wraps!)

security.debian.org has proftpd_1.2.0pre10-2.0potato1 which does not contain this bug, at least not on i386 systems:

fishbowl:~ ncftp lapse.home.madduck.net
NcFTP 3.1.2 (Jan 28, 2002) by Mike Gleason ([EMAIL PROTECTED]).
Connecting to 192.168.14.3
ProFTPD 1.2.0pre10 Server (Debian) [lapse.home.madduck.net]
Logging in...

[...]

Adding...

proftpd (1.2.0pre10-2.0potato1) stable; urgency=high

  * Non-Maintainer upload.
  * Applied patch against string format buffer attack.
  * Removed extra User/Group pair from basic.conf, server now runs as
    user/group nobody by default.
  * Added build dependencies on zlib1g-dev, debhelper and libpam-dev.
  * In contrib/libcap/libcap.h: moved the capability.h include to just
    below sys/types.h to fix horrible build errors.

 -- Ivo Timmermans [EMAIL PROTECTED]  Sat, 24 Feb 2001 12:42:53 +0100

See: Applied patch against string format buffer attack.

done,

--
Alternex S/A - www.alternex.com.br -- Rio de Janeiro/Brazil
gnupg id: 0x37155778 (fetch from keyserver: wwwkeys.eu.pgp.net)
Key fingerprint = 1908 52B9 4A16 6EC2 74D1 C03B EDFB 7005 3715 5778
Re: Re: iptables filtering rules
On Mon, Mar 25, 2002 at 06:01:45AM -0300, Luiz Carlos Santos de Alencar wrote:

Andrew Tait wrote:

I've checked up one of those IPs; it's being used right now by a web server pretty much infected with I-Worm.Nimda.A! AVG identification. The standard page delivers a readme.eml file in a pop-up window; less than a minute to have an infected readme.exe being executed. I've heard about it, but never had seen until then. From a Linux box it is safe to access http 216.72.135.102 and verify that the host is infecting all the Window$ based visitors machines, using X/wav OE vulnerability, so far I know (*Attention* Do not try from a Win box; it's vulnerable).

By the way, what to do about it...

The polite thing to do is to inform the owner of the machine. If that is not possible, or you feel particularly bastardly, hack the freaken thing and wipe its drives. And/or contact their upstream provider to get their IP feed pulled.

--
Share and Enjoy.
Re: virtual hosting
Hello,

The only question I have in this setup is why would you need to chroot everything. In a typical hosting environment where users have FTP access to the server to upload web pages, you can just chroot the FTP daemon to the individual user's upload directory. As far as Apache, you could chroot the daemon to the directory where all your websites reside. But in that situation, I do believe you would need to copy all the binaries you would want to run (i.e. Perl, PHP, MySQL, etc.), but I could be wrong on that point.

Hope that helps a bit.

Regards,
jovan rivera [EMAIL PROTECTED]

On Tue, 26 Mar 2002 15:49:56 +0100 Michal Novotny [EMAIL PROTECTED] wrote:

Hello!

Is it possible to make virtual web hosting (apache) in chroot jail? There is a little problem with about 1500 domains/clients. How can I set it up (with perl/php/ssi/ssl/cgi/ftp/mysql etc.)? I think it has to be all in the chrooted directory, so will it be apache/perl/mysql/libs for each domain? or could it be symlinked? I do not imagine about 1500 chroots... But I think if it can work then it will be so secure, isn't it?

Regards
Michal Novotny