[SECURITY] [DSA 291-1] New ircII packages fix DoS and arbitrary code execution

2003-04-22 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 291-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 22nd, 2003    http://www.debian.org/security/faq
- --

Package: ircii
Vulnerability  : buffer overflows
Problem-Type   : remote
Debian-specific: no

Timo Sirainen discovered several problems in ircII, a popular
client for Internet Relay Chat (IRC).  A malicious server could
craft special reply strings, triggering the client to write beyond
buffer boundaries.  This could lead to a denial of service if the
client only crashes, but may also lead to execution of arbitrary code
under the user id of the chatting user.

For the stable distribution (woody) these problems have been fixed in
version 20020322-1.1.

For the old stable distribution (potato) these problems have been
fixed in version 4.4M-1.1.

For the unstable distribution (sid) these problems have been fixed in
version 20030315-1.

We recommend that you upgrade your ircII package.


Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.





[SECURITY] [DSA 292-1] New mime-support packages fix temporary file race conditions

2003-04-22 Thread Martin Schulze
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
Debian Security Advisory DSA 292-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
April 22nd, 2003    http://www.debian.org/security/faq
- --

Package: mime-support
Vulnerability  : insecure temporary file creation
Problem-Type   : local
Debian-specific: no

Colin Phipps discovered several problems in mime-support, which contains
support programs for the MIME control files 'mime.types' and 'mailcap'.
When a temporary file is to be used it is created insecurely, allowing
an attacker to overwrite arbitrary files under the user id of the person
executing run-mailcap, most probably root.  Additionally the program did
not properly escape shell escape characters when executing a command.
This is unlikely to be exploitable, though.

For the stable distribution (woody) these problems have been fixed in
version 3.18-1.1.

For the old stable distribution (potato) these problems have been
fixed in version 3.9-1.1.

For the unstable distribution (sid) these problems have been
fixed in version 3.22-1.

We recommend that you upgrade your mime-support packages.


Upgrade Instructions
- 

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.




  These files will probably be moved into the stable distribution on
  its next revision.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+pVCuW5ql+IAeqTIRArfgAJ46rkMKgQTNtF88YdAGrViQGETFpQCgmzgK
tIEgFzbTjRteYZfexIniT4E=
=KD9g
-END PGP SIGNATURE-
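
The insecure temporary file pattern this advisory describes, next to the usual correction, as an added shell example (it is not code from mime-support or from the advisory). The function names, the `viewer.` file prefix and the scratch directory standing in for a shared temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (constructed): insecure vs. safe temporary file creation.
# Everything happens inside a private scratch directory that stands in for a
# shared directory such as /tmp.

# Insecure pattern: predictable name, plain redirection. If a symlink with
# that name already exists, the write goes through the link to its target.
write_tmp_insecure() {
    dir=$1; data=$2
    tmp="$dir/viewer.$$"              # PID-based name is guessable
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Safer pattern: mktemp chooses an unpredictable name and creates the file
# exclusively with mode 0600, so an existing link is never followed; if
# creation fails the caller gets an error instead of a clobbered file.
write_tmp_safe() {
    dir=$1; data=$2
    tmp=$(mktemp "$dir/viewer.XXXXXXXXXX") || return 1
    printf '%s\n' "$data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Constructed scenario: "important.conf" stands for any file the invoking
# user may write to; the symlink is what another local user would have
# placed in the shared directory beforehand.
demo() {
    scratch=$(mktemp -d) || return 1
    victim="$scratch/important.conf"
    printf 'original\n' > "$victim"
    ln -s "$victim" "$scratch/viewer.$$"

    write_tmp_insecure "$scratch" "attachment data" >/dev/null
    echo "after insecure write, victim contains: $(cat "$victim")"

    printf 'original\n' > "$victim"
    safe_path=$(write_tmp_safe "$scratch" "attachment data")
    echo "after safe write, victim contains:     $(cat "$victim")"
    echo "safe data went to:                     $safe_path"
    rm -rf "$scratch"
}
demo
```
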



Re: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread e-hoeffner

Ted Bukov [EMAIL PROTECTED]  22.04.2003, 14:17:56:


>  I got the last 2.4.20 kernel with apt-get install. I want to patch it
> with grsec, but I met many times the following message:
> Reversed (or previously applied) patch detected!  Assume -R? [n]
> When I answered yes to all questions, the kernel compilation had failed.
> I think grsec patch have conflicts with already patched debian kernel
> source, so is there any debian kernel sources with grsec applied? I don't
> want to use plain (vanilla) kernel, because of its ptrace vulnerability.
>  Thanks in advance.

I have the same problem as I can not apply the patch on the
2.4.20-sources. I've tried this some months ago (also on 2.4.20) for my
home workstation, the patch did apply. 

Now I've had a look at Trusted Linux. However, I am not quite sure,
because apt-get will update 127 packages, but just 180 packages are
installed. 

-- 
FiFo Ost GbR
Tal 44, D- 80331 München
Tel.: +49 89 21 03 18 88
Fax: +49 89 21 03 18 90



Re: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Raphael SurcouF
On Tue, 22 Apr 2003 15:17:56 +0300, Ted Bukov wrote:

> Hi folks,
>
>  I got the last 2.4.20 kernel with apt-get install. I want to patch it
> with grsec, but I met many times the following message:
> Reversed (or previously applied) patch detected!  Assume -R? [n]
> When I answered yes to all questions, the kernel compilation had failed.
> I think grsec patch have conflicts with already patched debian kernel
> source, so is there any debian kernel sources with grsec applied? I don't
> want to use plain (vanilla) kernel, because of its ptrace vulnerability.

I don't know what version of debian you have but in sid:

[EMAIL PROTECTED] 15:09:27 ~]# apt-cache search grsec
...
gradm - Administration program for the GrSecurity ACL system
kernel-patch-2.4-grsecurity - grsecurity kernel patch - 2.4.x security patch

You're better off using this kernel-patch if you want to have debian kernel
source.

Hope that helps...

-- 
Raphaël SurcouF
[EMAIL PROTECTED]




Re: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Marc-Christian Petersen
On Tuesday 22 April 2003 15:12, [EMAIL PROTECTED] wrote:

Hi,

> Ted Bukov [EMAIL PROTECTED]  22.04.2003, 14:17:56:
> >  I got the last 2.4.20 kernel with apt-get install. I want to patch it
> > with grsec, but I met many times the following message:
> > Reversed (or previously applied) patch detected!  Assume -R? [n]
> > When I answered yes to all questions, the kernel compilation had
> > failed. I think grsec patch have conflicts with already patched debian
> > kernel source, so is there any debian kernel sources with grsec applied?
> > I don't want to use plain (vanilla) kernel, because of its ptrace
> > vulnerability. Thanks in advance.
> I have the same problem as I can not apply the patch on the
> 2.4.20-sources. I've tried this some months ago (also on 2.4.20) for my
> home workstation, the patch did apply.
> Now I've had a look at Trusted Linux. However, I am not quite sure,
> because apt-get will update 127 packages, but just 180 packages are
> installed.
reading the changelog of _both_ might help :P

grsecurity has the ptrace-fix included.
debian's 2.4.20 kernel has the ptrace-fix included.

so, unpatch that kernel with the ptrace-fix and apply grsec and it'll work.

-- 
ciao, Marc
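
A way to find out, before touching the tree, whether a patch applies cleanly, is already applied, or only partly overlaps with what the source already carries (the situation discussed in this thread). This is an added example, not code from any poster or from grsecurity; the tree layout, file contents and patch names are constructed, and the options used are standard GNU patch options.

```shell
#!/bin/sh
# Added illustration: classify how a patch relates to a source tree without
# changing the tree. File names and contents are constructed.

# Prints: clean | already-applied | conflict
#   --dry-run  leaves the tree untouched
#   --force    stops patch(1) from asking "Assume -R?" and from switching
#              direction on its own
#   --fuzz=0   requires the context lines to match exactly
# A patch that overlaps only partly with changes already in the tree is
# reported as "conflict", because neither direction applies completely.
patch_state() {
    tree=$1; patchfile=$2; strip=${3:-1}
    if patch -d "$tree" -p"$strip" --dry-run --force --fuzz=0 \
            < "$patchfile" >/dev/null 2>&1; then
        echo clean
    elif patch -d "$tree" -p"$strip" --dry-run --force --fuzz=0 --reverse \
            < "$patchfile" >/dev/null 2>&1; then
        echo already-applied
    else
        echo conflict
    fi
}

# Constructed fixture: a two-file tree and two patches.
#   fix.patch      changes a.c only (stands in for a fix that the
#                  distribution source already includes)
#   feature.patch  contains the same a.c change plus a change to b.c
#                  (stands in for a larger patch set bundling that fix)
make_fixture() {
    root=$1
    mkdir -p "$root/tree/src"
    printf 'line one\nline two\nline three\n' > "$root/tree/src/a.c"
    printf 'alpha\nbeta\ngamma\n'             > "$root/tree/src/b.c"
    cat > "$root/fix.patch" <<'EOF'
--- a/src/a.c
+++ b/src/a.c
@@ -1,3 +1,4 @@
 line one
 line two
+added check
 line three
EOF
    cat "$root/fix.patch" - > "$root/feature.patch" <<'EOF'
--- a/src/b.c
+++ b/src/b.c
@@ -1,3 +1,4 @@
 alpha
+new feature
 beta
 gamma
EOF
}

demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work"
    echo "feature.patch on pristine tree: $(patch_state "$work/tree" "$work/feature.patch")"
    # Apply only the small fix for real, as a pre-patched source tree would have.
    patch -d "$work/tree" -p1 -s < "$work/fix.patch"
    echo "fix.patch on that tree:         $(patch_state "$work/tree" "$work/fix.patch")"
    echo "feature.patch on that tree:     $(patch_state "$work/tree" "$work/feature.patch")"
    rm -rf "$work"
}
command -v patch >/dev/null 2>&1 && demo
```

When the result is `conflict` because one bundled fix is already present, reversing only that fix first and re-running the check is the path Marc describes.
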



Re: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread John Keimel
On Tue, Apr 22, 2003 at 03:17:56PM +0300, Ted Bukov wrote:
> Hi folks,
>
>  I got the last 2.4.20 kernel with apt-get install. I want to patch it
> with grsec, but I met many times the following message:
> Reversed (or previously applied) patch detected!  Assume -R? [n]
> When I answered yes to all questions, the kernel compilation had failed.
> I think grsec patch have conflicts with already patched debian kernel
> source, so is there any debian kernel sources with grsec applied? I don't
> want to use plain (vanilla) kernel, because of its ptrace vulnerability.
>  Thanks in advance.

I know that I had some issues when I put together my kernel, but I got
them resolved. Turned out that my kernel, at the time, wasn't proved to
be supported by grsec, yet. 

Looking at the downloads section of grsecurity's website,
www.grsecurity.net and notice their latest version was published only
two days ago, grsecurity-1.9.9g-2.4.20.patch . 

I'd suggest that you might consider checking on the mailing list over
there, as I'm sure that any quirks of the patch would be well known
there. Their mailing list info is at
http://www.grsecurity.net/mailinglist.php and the archives of the list
are at http://wws.grsecurity.net/wws/arc/grsecurity . 

Personally, I'm happy with my current kernel and its current patch and
having recently experienced a spate of downtime due to a SCSI drive (I
tried EVERYTHING before I finally replaced the drive - to my detriment)
I'm not looking to make a reboot until I absolutely have to. So I've not
touched the kernel lately. However, looking at some of the new admin
features of grsecurity, I think I'll add it to my so-called development
box. 

HTH

j
-- 

==
+ It's simply not   | John Keimel+
+ RFC1149 compliant!| [EMAIL PROTECTED]+
+   | http://www.keimel.com  +
==




Network stress testing

2003-04-22 Thread Dale Amon
Would anyone have a recommendation for doing a stress
test of a network? I've got a big show coming up and
I'd like to set up reproducible test procedures so
I know how things respond under expected real life loads.

I'm sure I've run across discussions of such tools
but I can't remember any names.

In particular I'd like to be able to hit a web server
(and the local dns) with n requests/min to ensure
it works, or if not to identify the weak spots.

I'm doing googles in parallel with this query as
I'm rather under stress testing myself at the 
moment, with a fixed deadline...

-- 
--
   IN MY NAME:Dale Amon, CEO/MD
  No Mushroom clouds over Islandone Society
London and New York.  www.islandone.org
--



RE: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Hobbs, Richard
Hello,

I was under the impression that an apt-get dist-upgrade would upgrade me
to the latest everything...

I am running stable if that makes a difference. Is 2.4.20 in testing or
unstable at the moment, or is it just being blocked from my woody
installation?

Thanks,
Richard.


> -----Original Message-----
> From: Marcel Weber [mailto:[EMAIL PROTECTED]
> Sent: 22 April 2003 17:13
> To: Hobbs, Richard
> Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
> Subject: Re: grsec patch over debian 2.4.20 kernel
>
>
> Hobbs, Richard wrote:
> > Hello,
> >
> > Where is the 2.4.20 kernel in apt??
> >
> Hi
>
> You do not miss anything (or I would miss the same thing...).
> The 2.4.20
> kernel is part of sid and not woody. For a 2.4.20 kernel grab sid's
> kernel source or the plain vanilla kernel from kernel.org.
>
> Regards
>
> Marcel



--
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to: [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]




Re: Network stress testing

2003-04-22 Thread TiM

> Would anyone have a recommendation for doing a stress
> test of a network? I've got a big show coming up and
> I'd like to set up reproducible test procedures so
> I know how things respond under expected real life loads.

Which layer do you want to test?
Layer 2 (Ethernet etc)
Layer 3 (IP)
Layer 7 (Web)

> I'm sure I've run across discussions of such tools
> but I can't remember any names.
>
> In particular I'd like to be able to hit a web server
> (and the local dns) with n requests/min to ensure
> it works, or if not to identify the weak spots.

In that case, ab (apachebench) is a very handy tool.  If you have Apache
installed you should be able to find it.  Otherwise there are many other
webserver testing packages, have a search of freshmeat.net

> I'm doing googles in parallel with this query as
> I'm rather under stress testing myself at the
> moment, with a fixed deadline...

Goodluck,

Tim



Re: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Jonathan McDowell
On Tue, Apr 22, 2003 at 09:46:13AM -0400, John Keimel wrote:
> On Tue, Apr 22, 2003 at 03:17:56PM +0300, Ted Bukov wrote:
> > I got the last 2.4.20 kernel with apt-get install. I want to patch
> > it with grsec, but I met many times the following message: Reversed
> > (or previously applied) patch detected!  Assume -R? [n] When I
> > answered yes to all questions, the kernel compilation had failed.
> > I think grsec patch have conflicts with already patched debian kernel
> > source, so is there any debian kernel sources with grsec applied? I
> > don't want to use plain (vanilla) kernel, because of its ptrace
> > vulnerability.
> I know that I had some issues when I put together my kernel, but I got
> them resolved. Turned out that my kernel, at the time, wasn't proved
> to be supported by grsec, yet.
>
> Looking at the downloads section of grsecurity's website,
> www.grsecurity.net and notice their latest version was published only
> two days ago, grsecurity-1.9.9g-2.4.20.patch .

Bah. That's typical. Just after I upload a 1.9.9f
kernel-patch-2.4-grsecurity package they update the patch. I'll try to
get a g release uploaded in the next few days.

FWIW the kernel-patch-2.4-grsecurity 1.9.9f package is against Debian's
kernel-source-2.4.20 package, so doesn't include the ptrace fix as
that's in the kernel-source package. If you're seeing issues with this
combination (and I can't tell if this is the case or not from the
original post), then please do file a bug. The 1.9.9e release didn't
have this removed, so if you were using an old version of the package
try the latest one.

J. (kernel-patch-2.4-grsecurity maintainer)

-- 
 /\
 |  Allow me to introduce my selves.  |
 | http://www.blackcatnetworks.co.uk/ |
 \/




Re: Network stress testing

2003-04-22 Thread Gustavo Adolfo Silva Ribeiro Felisberto
On Tue, 22 Apr 2003 16:21:03 +0100
Dale Amon [EMAIL PROTECTED] wrote:

> Would anyone have a recommendation for doing a stress
> test of a network? I've got a big show coming up and
> I'd like to set up reproducible test procedures so
> I know how things respond under expected real life loads.

http://www.netperf.org/

There is a tool to stress test http servers, but I don't remember the name.




RE: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Mark L. Kahnt
On Tue, 2003-04-22 at 12:16, Hobbs, Richard wrote:
> Hello,
>
> I was under the impression that an apt-get dist-upgrade would upgrade me
> to the latest everything...
>
> I am running stable if that makes a difference. Is 2.4.20 in testing or
> unstable at the moment, or is it just being blocked from my woody
> installation?
>
> Thanks,
> Richard.
>
Apt will never upgrade a kernel unless you explicitly tell it to install
a new one. Kernels are too critical to just be replaced willy-nilly,
particularly without a backup around and available *just-in-case* -
unlike M$ that believes it isn't an update unless you are forced to risk
the system being totally buggered. That is why the kernel version number
is part of the package name.

 
> > -----Original Message-----
> > From: Marcel Weber [mailto:[EMAIL PROTECTED]
> > Sent: 22 April 2003 17:13
> > To: Hobbs, Richard
> > Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org
> > Subject: Re: grsec patch over debian 2.4.20 kernel
> >
> >
> > Hobbs, Richard wrote:
> > > Hello,
> > >
> > > Where is the 2.4.20 kernel in apt??
> > >
> > Hi
> >
> > You do not miss anything (or I would miss the same thing...).
> > The 2.4.20
> > kernel is part of sid and not woody. For a 2.4.20 kernel grab sid's
> > kernel source or the plain vanilla kernel from kernel.org.
> >
> > Regards
> >
> > Marcel
> >
>
>
> --
> Richard Hobbs
> [EMAIL PROTECTED]
> http://mongeese.co.uk | http://unixforum.co.uk
>
> There's only one way of life, and that's your own - The Levellers
>
> _
> Send all your jokes to: [EMAIL PROTECTED] !!
> To subscribe, email: [EMAIL PROTECTED]
-- 
Mark L. Kahnt, FLMI/M, ALHC, HIA, AIAA, ACS, MHP
ML Kahnt New Markets Consulting
Tel: (613) 531-8684 / (613) 539-0935
Email: [EMAIL PROTECTED]




Re: Network stress testing

2003-04-22 Thread xbud
Hi Dale,

Stress testing networks can be quite tedious depending on what type of 'real 
simulation' you have to abide by.
If you have a budget take a look at an appliance called 'Flame Thrower' I 
forget who the vendor is ATM, but it was complete in regards to stress 
testing IDS's.  We used it at my old company about 2 years ago, and I'm sure 
it has been enhanced since.

If you have no budget and are just looking for a cheap solution (free 
opensource tools) then 'wget' for ftp / web traffic and tcpdump + tcpreplay 
are your friends with -nl options (this breaks real network traffic 
of course).   I wrote several tools about 2 years ago ( I had just started 
coding then so excuse the poor code heh but they worked for me back then ;)  
SAT Tools on PacketStorm if you want to look at them.  

*Note - These are probably not feasible for dns stressing.

There are several other network appliances available for generating traffic at 
controlled speeds, but from my experience Flame thrower did quite well for  
IDS Stress testing as it has an API for integrating new attack simulations 
and has several modules already included in it.

-x
On Tuesday 22 April 2003 09:21, Dale Amon wrote:
> Would anyone have a recommendation for doing a stress
> test of a network? I've got a big show coming up and
> I'd like to set up reproducible test procedures so
> I know how things respond under expected real life loads.
>
> I'm sure I've run across discussions of such tools
> but I can't remember any names.
>
> In particular I'd like to be able to hit a web server
> (and the local dns) with n requests/min to ensure
> it works, or if not to identify the weak spots.
>
> I'm doing googles in parallel with this query as
> I'm rather under stress testing myself at the
> moment, with a fixed deadline...



Re: Network stress testing

2003-04-22 Thread Michal Melewski
On Tue, Apr 22, 2003 at 04:21:03PM +0100, Dale Amon wrote:
> Would anyone have a recommendation for doing a stress
> test of a network? I've got a big show coming up and
> I'd like to set up reproducible test procedures so
> I know how things respond under expected real life loads.
From what i heard Quake would be the best tool ;)

> In particular I'd like to be able to hit a web server
> (and the local dns) with n requests/min to ensure
> it works, or if not to identify the weak spots.
The very good tool for this task would be 'flood'. I don't remember the
homepage, but it's a part of Apache projects.

> I'm doing googles in parallel with this query as
> I'm rather under stress testing myself at the 
-- 
Michael carstein Melewski        |  Nobody said it wouldn't
[EMAIL PROTECTED]                |   hurt...
mobile: 502 545 913              |   -- Łukasz Wielebski on the progress
gpg: carstein.c.pl/carstein.txt  |   of work on the Prokartel project.



HELP, my Debian Server was hacked!

2003-04-22 Thread Christian Könning
Hello List,

I hope this is not off topic:

My private server has been hacked:
debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.

now my problem: the intruder used a rootkit, i think, cause he deleted
/var/log, symlinked /root/.bash_history  /dev/null, etc.
Is there any way to recover the evidences, e.g. the /var/log/ directory?
(ext2)

and there are three sh processes running as root? Ptrace exploit?
how can i dump this processes to file, to keep this evidence?


Thanks for help

--
Christian Koenning



RE: grsec patch over debian 2.4.20 kernel

2003-04-22 Thread Hobbs, Richard
Hello,

Thanks for the reply... So does this mean it will become available in
woody when it is deemed stable enough?

Any ideas when this might be?

Also I am right in saying this does fix the ptrace bug, right? I think
I'm right on this one.

Thanks,
Richard.


> -----Original Message-----
> From: Emmanuel Lacour [mailto:[EMAIL PROTECTED]
> Sent: 22 April 2003 18:11
> To: debian-security@lists.debian.org
> Subject: Re: grsec patch over debian 2.4.20 kernel
>
>
> On Tue, Apr 22, 2003 at 06:13:06PM +0200, Marcel Weber wrote:
> > Hobbs, Richard wrote:
> > > Hello,
> > >
> > > Where is the 2.4.20 kernel in apt??
> > >
> > Hi
> >
> > You do not miss anything (or I would miss the same thing...). The
> > 2.4.20
> > kernel is part of sid and not woody. For a 2.4.20 kernel grab sid's
> > kernel source or the plain vanilla kernel from kernel.org.
> >
> you've got a 2.4.20 for woody in the pool, you can get it
> via: deb http://http.us.debian.org/debian woody-proposed-updates main
>
> --
> Emmanuel Lacour  Easter-eggs
> 44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
> Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
> mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com
>
 
 
 

-- 
Richard Hobbs
[EMAIL PROTECTED]
http://mongeese.co.uk | http://unixforum.co.uk

There's only one way of life, and that's your own - The Levellers

_
Send all your jokes to: [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]




Re: Network stress testing

2003-04-22 Thread Wolfgang Kaufmann
* Thus spoke Gustavo Adolfo Silva Ribeiro Felisberto [EMAIL PROTECTED]:

Hello,

> There is a tool to stress test http servers, but I don't remember the name.

 - http://ltp.sourceforge.net/tooltable.php

Bye,
 Wolle
-- 
There are thieves who are not punished and yet steal what is most
 precious: time.
-- Napoleon Bonaparte



DSA-288 - a question

2003-04-22 Thread Marcin Owsiany
Hi!

DSA 288 [0] says:

]  You will have to decide whether you want the security update which is
]  not thread-safe and recompile all applications that apparently fail
   ^^
]  after the upgrade, [...]

Does that mean that installing 0.9.6c-2.woody.3 and then recompiling
e.g. stunnel against it will make it work fine even though openssl won't
be thread-safe?

If so, can anyone explain how recompiling an application can help?
(There are no differences in the library interface between
openssl-0.9.6c-2.woody.2 and openssl-0.9.6c-2.woody.3)

If not, then what does it refer to, and is there any way to make
threaded apps work with openssl 0.9.6c-2.woody.3?

regards

Marcin

[0] http://www.debian.org/security/2003/dsa-288
-- 
Marcin Owsiany [EMAIL PROTECTED] http://marcin.owsiany.pl/
GnuPG: 1024D/60F41216  FE67 DA2D 0ACA FC5E 3F75  D6F6 3A0D 8AA0 60F4 1216



Re: Network stress testing

2003-04-22 Thread Dale Amon
On Tue, Apr 22, 2003 at 11:31:25AM -0600, xbud wrote:
> Hi Dale,
>
> Stress testing networks can be quite tedious depending on what type of 'real
> simulation' you have to abide by.
> If you have a budget take a look at an appliance called 'Flame Thrower' I
> forget who the vendor is ATM, but it was complete in regards to stress
> testing IDS's.  We used it at my old company about 2 years ago, and I'm sure
> it has been enhanced since.

It looks marvelous. But at $80K for the box... however they will do
on site testing at $2500/day. Might be a bit much but the decision is
not mine, I just pass on the suggestions.

It does look like a hellishly powerful test capability though. 
http://www.antara.net/

> If you have no budget and are just looking for a cheap solution (free
> opensource tools) then 'wget' for ftp / web traffic and tcpdump + tcpreplay
> are your friends with -nl options (this breaks real network traffic
> of course).   I wrote several tools about 2 years ago ( I had just started
> coding then so excuse the poor code heh but they worked for me back then ;)
> SAT Tools on PacketStorm if you want to look at them.

I may well have to cobble something together like you and a few other
kind responders have suggested.

> *Note - These are probably not feasible for dns stressing.

And DNS is one of my worries. 1000 DNS queries in the first 1 minute
is a distinct possibility.
 



Re: Network stress testing

2003-04-22 Thread Javier Fernández-Sanguino Peña
On Tue, Apr 22, 2003 at 06:31:56PM +0100, Gustavo Adolfo Silva Ribeiro 
Felisberto wrote:
 
> http://www.netperf.org/
>
> There is a tool to stress test http servers, but I don't remember the name.

There are several, already mentioned, and also httperf (available as a 
Debian package)

Regards

Javi




ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Konstantin
hi,

can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
an address I can leech it from.

thx for help

Fallen_Angel




Re: HELP, my Debian Server was hacked!

2003-04-22 Thread Javier Fernández-Sanguino Peña
On Tue, Apr 22, 2003 at 09:00:11PM +0200, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.

Ouch. Was it up-to-date to security patches? 

> now my problem: the intruder used a rootkit, i think, cause he deleted
> /var/log, symlinked /root/.bash_history  /dev/null, etc.
> Is there any way to recover the evidences, e.g. the /var/log/ directory?
> (ext2)

Use e2undel (but you should mount read-only)

> and there are three sh processes running as root? Ptrace exploit?
> how can i dump this processes to file, to keep this evidence?


Go to /proc/# (with # being the process number of these) you will find all 
the information on running processes there (environment, commandline, 
filedescriptor, the executable...)

You probably need a crash course on forensics in UNIX (me too :-), maybe
this helps:
http://staff.washington.edu/dittrich/talks/blackhat/blackhat/forensics.html
and http://www.dpo.uab.edu/~kalyan/incidentchecklist.html

Plenty of reading also at http://www.sans.org/rr/incident/, if you are 
interested. But I believe you want to get over this as fast as possible, 
consider using 'tct' (The Coroner Toolkit, packaged for Debian) .

Hope that helps

Javi
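
The /proc advice above as a small collection script, added here as an example and not part of the original post. The function names, the output file names and the optional alternate proc root are assumptions; the sample process entry used by the demo is constructed.

```shell
#!/bin/sh
# Added illustration: save what /proc exposes about one running process.
# OUTDIR should be on removable or remote storage, not on the disk under
# investigation. PROCROOT defaults to /proc; it is a parameter only so the
# function can be exercised against a constructed directory.

snapshot_proc() {
    pid=$1; out=$2; procroot=${3:-/proc}
    src="$procroot/$pid"
    [ -d "$src" ] || { echo "no such process: $pid" >&2; return 1; }
    mkdir -p "$out" || return 1

    # status and maps are already text; cmdline and environ are
    # NUL-separated, so write one argument or variable per line.
    for f in status maps; do
        cat "$src/$f" > "$out/$f" || rm -f "$out/$f"
    done 2>/dev/null
    for f in cmdline environ; do
        tr '\0' '\n' < "$src/$f" > "$out/$f.txt" || rm -f "$out/$f.txt"
    done 2>/dev/null

    # Where the links point; a binary removed from disk shows "(deleted)".
    for l in exe cwd root; do
        readlink "$src/$l" > "$out/$l.target" 2>/dev/null ||
            echo unreadable > "$out/$l.target"
    done

    # The program image itself: on a live system, reading through the exe
    # link works even when the file has been unlinked.
    cat "$src/exe" > "$out/exe.bin" 2>/dev/null || rm -f "$out/exe.bin"

    # Open file descriptors and their targets (files, sockets, pipes).
    : > "$out/fd.list"
    for fd in "$src"/fd/*; do
        [ -L "$fd" ] || continue
        printf '%s -> %s\n' "${fd##*/}" "$(readlink "$fd")" >> "$out/fd.list"
    done

    # Hash manifest, so later copies can be checked against this snapshot.
    rm -f "$out/MANIFEST.sha256"
    ( cd "$out" && sums=$(sha256sum -- *) &&
      printf '%s\n' "$sums" > MANIFEST.sha256 ) || return 1
}

# Constructed stand-in for /proc/<pid>; every value here is made up.
make_fake_proc() {
    root=$1; pid=$2
    mkdir -p "$root/$pid/fd" "$root/bin"
    printf '%s\0' sh -i                          > "$root/$pid/cmdline"
    printf '%s\0' HOME=/root HISTFILE=/dev/null  > "$root/$pid/environ"
    printf 'Name:\tsh\nUid:\t0\t0\t0\t0\n'       > "$root/$pid/status"
    printf '08048000-080c0000 r-xp 00000000 03:01 1234 /bin/sh\n' \
                                                 > "$root/$pid/maps"
    printf 'constructed binary image\n'          > "$root/bin/sh"
    ln -s "$root/bin/sh"  "$root/$pid/exe"
    ln -s /tmp            "$root/$pid/cwd"
    ln -s /dev/null       "$root/$pid/fd/0"
    ln -s 'socket:[4711]' "$root/$pid/fd/3"
}

demo() {
    work=$(mktemp -d) || return 1
    make_fake_proc "$work/proc" 4242
    snapshot_proc 4242 "$work/evidence/4242" "$work/proc" &&
        cat "$work/evidence/4242/fd.list" "$work/evidence/4242/MANIFEST.sha256"
    rm -rf "$work"
}
demo
```

On a live system the call takes the real process id and an output directory on external media, run as root so that other users' /proc entries are readable.
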




Re: HELP, my Debian Server was hacked!

2003-04-22 Thread xbud
tar up your /proc/ directory 
to save a copy of your kcore - it should have useful information unless he 
managed to zero out all the memory that was being utilized during the break 
in.

turn the box off but make sure it don't delete crap, watch out for logic bombs 
or what not.

remove the disk and mount it on another box -o ro (read only) and do your 
analysis there.


On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> Hello List,
>
> I hope this is not off topic:
>
> My private server has been hacked:
> debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
>
> now my problem: the intruder used a rootkit, i think, cause he deleted
> /var/log, symlinked /root/.bash_history  /dev/null, etc.
> Is there any way to recover the evidences, e.g. the /var/log/ directory?
> (ext2)
>
> and there are three sh processes running as root? Ptrace exploit?
> how can i dump this processes to file, to keep this evidence?
>
>
> Thanks for help

-- 
--
Orlando Padilla
http://www.g0thead.com/xbud.asc
--



Re: HELP, my Debian Server was hacked!

2003-04-22 Thread David Ehle

While the earlier advice is probably the best advice, don't forget to run
chkrootkit.

I recently had the same thing happen to one of my machines. I've found  a
kit in /dev/proc/fuckit

The total nuking of /log makes this look like a very amateur job.  If they
were hot they would edit the appropriate logs and retouch the dates etc.
leaving less blatant signs.

I can't totally rule out a physical hack as it is an office machine, but
if it was network I really want to know what in sarge can be so blatantly
abused.  (nightly apt-get update  apt-get upgrade)

David.


On Tue, 22 Apr 2003, xbud wrote:

> tar up your /proc/ directory
> to save a copy of your kcore - it should have useful information unless he
> managed to zero out all the memory that was being utilized during the break
> in.
>
> turn the box off but make sure it don't delete crap, watch out for logic bombs
> or what not.
>
> remove the disk and mount it on another box -o ro (read only) and do your
> analysis there.
>
>
> On Tuesday 22 April 2003 13:00, Christian Könning wrote:
> > Hello List,
> >
> > I hope this is not off topic:
> >
> > My private server has been hacked:
> > debian woody 2.4.18bf2.4 kernel, apache-ssl, samba, squid.
> >
> > now my problem: the intruder used a rootkit, i think, cause he deleted
> > /var/log, symlinked /root/.bash_history  /dev/null, etc.
> > Is there any way to recover the evidences, e.g. the /var/log/ directory?
> > (ext2)
> >
> > and there are three sh processes running as root? Ptrace exploit?
> > how can i dump this processes to file, to keep this evidence?
> >
> >
> > Thanks for help
>
> --
> --
> Orlando Padilla
> http://www.g0thead.com/xbud.asc
> --







Re: ptrace patch for vanilla kernel 2.4.20

2003-04-22 Thread Alexander Schmehl
* Konstantin [EMAIL PROTECTED] [030422 23:03]:

> can anyone post the patch for the 2.4.20-kernel (from kernel.org) or give me
> an address I can leech it from.

http://www.ussg.iu.edu/hypermail/linux/kernel/0303.2/0226.html

http://sinuspl.net/ptrace/


cu
Alex

-- 
PGP key on demand, mailto:[EMAIL PROTECTED] with subject get pgp-key

