[OT] Re: unsubscribe - Procmail Rule
Can anyone enlighten me why my rule didn't catch this message?

:0
* ^X-Mailing-List:[EMAIL PROTECTED]
* ^Subject: .{0,2}sub.{1,5}ibe
/dev/null

I would appreciate it... Thanks.

On Fri, 25 Apr 2003 at 08:20:27AM +0300, Andres wrote:
> unsubscribe
>
> -
> Hot Mobiil - ringtones, logos and picture messages!
> http://portal.hot.ee
>
>

--
Phillip Hofmeister
Network Administrator/Systems Engineer
IP3 Inc.
http://www.ip3security.com
PGP/GPG Key: http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #4: Global warming
Apache http server 2.0
Hi all,

I experienced a very strange Apache response today in our production environment at work. A user in a discussion room made a posting containing the following characters:

,,''

This gave the result that several pages could no longer be displayed. I also tried this on the search engine http://www.google.com which gave the same result. No results, and not even the message "no results found..." could be displayed. If you keep on refreshing you will notice that the Google logo also disappears. On our servers, we didn't notice anything in the logs.

I have done a test with several browsers and I had the same result as described above every time:

Internet Explorer
Netscape (Windows)
Mozilla (Linux)
Opera (Linux)

Personally I'm not sure, but I'm getting the idea that this might be exploitable. For example, executing code/commands after using the characters mentioned above, followed by the code or the commands, in a search engine, discussion rooms, ...

Kind regards,
Kim De Smaele
Re: Snort exploit in wild.
On Fri, Apr 25, 2003 at 10:44:49PM +0100, Nick Boyce wrote:
> The general consensus of opinion (including the Debian packager) was
> that *nobody* should even consider using the V1.8.4 Snort package in
> Woody - it's much too old, and has a number of security issues.

It's not really that it has a number of security issues; it's more that no new rulesets are being developed for it, and thus it can't detect any attempts to exploit vulnerabilities more recent than its last ruleset. Obviously that defeats the purpose of using a rule-based traffic analyzer like snort.

> Most people's advice was to stop using the Debian package, and instead
> download & compile the latest source from www.snort.org, and keep
> tracking new releases from there - and get signature updates from
> there as well. This is what I do now.

Yes, that's generally the least disruptive to your Debian system. I've seen people run a hybrid woody/sid system just to get the new snort. If you build it yourself, you don't need to worry about upgrading to unstable and unsupported (by the sec team) software.

> Some people think Snort should actually be removed from the Debian
> package collection, because it will always drift seriously out of date
> over time, and because there's no easy way to incorporate up-to-date
> signatures (rules) into Debian.

It would be less of an issue if you could actually *get* new rules for the version of snort that's in woody. There wouldn't be anything to stop you from downloading the new rules (which are distributed independently of snort itself and updated regularly) and untarring them into the right place and having the right thing happen. Yes, snort should probably not be shipping with Debian. Sticking with an outdated version of snort is counterproductive and, at the very least, likely to give you a false sense of security regarding the traffic hitting your machines.

I wish people were more open to the idea of letting a wholly new version (say, an up to date 1.9) enter woody with its next revision, but that's not going to happen.

noah

--
___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
Re: Snort exploit in wild.
On Fri, 25 Apr 2003 10:19:59 +0100, David Ramsden wrote:
>Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
>exploit the vuln. found in v1.8 through to 1.9.1.
[...]
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.

David, you probably want to look at
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=173254
which I submitted after a previous discussion on this list (December 2002) about problems with the Debian stable Snort package being out of date.

The general consensus of opinion (including the Debian packager) was that *nobody* should even consider using the V1.8.4 Snort package in Woody - it's much too old, and has a number of security issues.

Most people's advice was to stop using the Debian package, and instead download & compile the latest source from www.snort.org, and keep tracking new releases from there - and get signature updates from there as well. This is what I do now.

Some people think Snort should actually be removed from the Debian package collection, because it will always drift seriously out of date over time, and because there's no easy way to incorporate up-to-date signatures (rules) into Debian.

Cheers,
Nick Boyce
Bristol, UK

--
Boycott Amazon till they relent on the 1-click software patent - http://www.gnu.org/philosophy/amazon.html
Re: Woody security updates
Woody CD updates AFAIK are only done when stable releases are done. See http://people.debian.org/~joey/stable.html for details.

There are nightly builds of CDs for Sarge and Sid, but I don't think I've seen any such thing for stable or oldstable that includes security updates. The nightly builds can be found through the debian-boot mailing list or perhaps the debian-installer (d-i) web site ( http://people.debian.org/~mbc/di.html ).

A further note: security updates for Potato are still being done (and will stop soon IIRC), but no further releases will be done. Again see http://people.debian.org/~joey/stable.html for details.

Drew Daniels
Information in DSAs on necessary restarts due to library-security-updates
Hi!

As I described in a mail to debian-devel [1], it seems that with library updates programs using the libraries are generally not restarted. Nevertheless, for programs/services to use the updated libraries a restart would be necessary.

Especially with security updates for such central libraries as the glibc (e.g. DSA-282), IMHO there should be a warning that programs and services are _not_ restarted automatically but _must_ be restarted manually in order to benefit from the security update. As long as the programs keep on running, they are still vulnerable.

A generic solution which can be used by all library packages to inform the user about this fact was proposed on debian-devel, but does not exist currently. I therefore suggest putting this kind of information in any Debian Security Advisory for library packages (or possibly others too which need similar actions to be taken by the user).

I'd be glad about any comments. :)

So long,
Max

PS: If this is not the right list, please let me know and point me to the correct place where I can suggest this DSA addon. Thanks

[1] http://lists.debian.org/debian-devel/2003/debian-devel-200304/msg01189.html

--
The first time any man's freedom is trodden on, we're all damaged.
http://homex.subnet.at/~max/
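The point Max raises (a process keeps the old, vulnerable library mapped until it is restarted) is something you can check for rather than only warn about: once dpkg has replaced the library file, the kernel marks the old, unlinked file in each process's /proc/<pid>/maps with "(deleted)". The following is an added example, not part of the mail thread and not Debian's own tooling (it does roughly what debian-goodies' checkrestart does, but is written here from scratch). The sample maps text is constructed, the list of ignored pseudo-paths is an assumption, and scan_processes needs root to see other users' processes.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps lines as they look after a library
# package has been upgraded underneath a running process: the old file was
# unlinked, so the kernel shows the mapping as "(deleted)".
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:01 123456     /usr/sbin/sshd
40000000-40013000 r-xp 00000000 03:01 234567     /lib/ld-2.3.1.so (deleted)
40013000-40014000 rw-p 00012000 03:01 234567     /lib/ld-2.3.1.so (deleted)
4001b000-40140000 r-xp 00000000 03:01 345678     /lib/libc-2.3.1.so (deleted)
40140000-40146000 rw-p 00125000 03:01 345678     /lib/libc-2.3.1.so (deleted)
40146000-4014a000 rw-p 00000000 00:00 0
40150000-40151000 rw-s 00000000 00:06 789        /dev/zero (deleted)
bfffe000-c0000000 rwxp fffff000 00:00 0
"""

# Pseudo-files that legitimately show up as "(deleted)" without meaning a
# stale library is in use (assumption: the usual checkrestart-style list).
IGNORED_PREFIXES = ("/dev/", "/SYSV", "/memfd:", "/tmp/", "/run/")

# address perms offset dev inode pathname [(deleted)]
MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(\S.*?)\s*\(deleted\)$")


def deleted_mappings(maps_text):
    """Return the sorted, de-duplicated list of deleted files still mapped
    by one process, ignoring anonymous and pseudo-file mappings."""
    found = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m is None:
            continue
        path = m.group(1)
        if path.startswith(IGNORED_PREFIXES):
            continue
        found.add(path)
    return sorted(found)


def scan_processes(proc="/proc"):
    """Walk /proc and report {pid: [stale mapped files]} for every process
    that still has a deleted file mapped. Entries we may not read (other
    users' processes when not root, processes that exited) are skipped."""
    report = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc, entry, "maps")) as fh:
                stale = deleted_mappings(fh.read())
        except OSError:
            continue
        if stale:
            report[int(entry)] = stale
    return report


if __name__ == "__main__":
    # On a freshly upgraded box this lists the services that must be
    # restarted before they actually use the patched library.
    for pid, files in sorted(scan_processes().items()):
        print(pid, ", ".join(files))
```

A process listed here is still executing the pre-update code, exactly the situation the suggested DSA note would warn about; restarting it (or rebooting, for ld.so/libc itself) is what makes the update take effect.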
Re: apt-check-sigs.pl
On Thu, Apr 24, 2003 at 06:46:11PM +0200, Adam ENDRODI wrote:
> Comments, corrections and enhancements are always welcome.

Please add a proper license in the file. GPL? http://www.gnu.org/licenses/gpl-howto.html

Regards
Javi
Re: Woody security updates
Matthias Faulstich <[EMAIL PROTECTED]> wrote:
> Does this jigdo - file load the latest security updates or are there any
> other places to download / create CD-Images?

AFAIK no. I think you'll have to apt-get update && apt-get upgrade immediately after the installation because CDs can never be as up to date as security.debian.org is.

Paul
Re: pptpd
On Fri, Apr 18, 2003 at 07:54:32PM -0400, Noah Meyerhans wrote:
> On Fri, Apr 18, 2003 at 11:09:14PM +0200, Martin Hermanowski wrote:
> > am I missing an update of pptpd? Today an exploit has been posted to
> > bugtraq.
>
> The update has not yet been released.

What is the problem with this security patch? AFAIK there is only one line that has to be changed. I am running the Debian Stable pptpd with this patch and it works (and the exploit says the patched version is not vulnerable, but the original one is).

Regards,
Martin
Team to patch vulnerabilities
Hi, There are a large number of security issues discussed in the BTS. http://qa.debian.org/bts-security.html lists almost all of them. I'm looking at them and trying to create patches for some and bring them to the attention of the appropriate parties. Any help would be appreciated. The security team has been releasing advisories like crazy and they seem very overworked. If non security team people can help patch known security issues, then Debian, and OpenSource software would be even more secure. There are other social benefits too... I've been looking at creating a security audit team, but it looks like far more help is needed to patch known problems. Drew Daniels
fakechroot
For those that missed it on Debian-devel, there's a patched version of fakeroot that does chroot too. You can read about it and better/worse alternatives in the thread at: http://lists.debian.org/debian-devel/2003/debian-devel-200304/msg00747.html Drew Daniels
Re: Secure remote syslogging?
On Thu, Apr 24, 2003 at 08:52:10PM +0200, Jose Luis Domingo Lopez wrote:
8< syslog-ng --> named pipe --> perl script --> ssh tunnel --> SQL DB
> destination d_logpipe { pipe("/tmp/pipe" owner("someone") template("\(
> '$HOST', '$ISODATE', '$FACILITY', +'$PRIORITY', '$MESSAGE' \)\n") ); };

you need syslog-ng >= 1.5.3 for the template to work, iirc. and if you go thus far, why not template("INSERT INTO logs VALUES ... \( ... \);\n"), and then simply mysql -h 127.0.0.1 -... -D logs < /tmp/pipe ?

what about forged messages containing queries themselves?

logger -p kern.err "'); DELETE *.* FROM logs;#" =]

you need to quote the input somehow. so here my suggestion (despite the fact that you hit plenty of stuff when googling on that matter): since the content of the other macros is well defined, and you use a perl script anyway, why not use template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n"), which can be split on the spaces into its parts, and let perl do the quoting?

and, btw, why not just use the syslog format as is? works with syslog (old generation), too. (ok, with -og, and the default format, to preserve facility/priority you'd need to set up one pipe for each class you want to distinguish...)

and, if you don't mind, please use DBI/DBD::mysql (or whatever DBD submodule you like).

old syslog.conf:

*.* |/some/fifo

-ng:

destination d_logpipe { pipe("/some/fifo"); };

... with $syslog_ng_template=0 below! or

destination d_logpipe { pipe("/some/fifo" template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n")); };

and set $syslog_ng_template=1 below.

use strict;
use DBI ();

my $syslog_ng_template=1;

my $driver="mysql";
my $sqlhost="127.0.0.1";   # possibly (ssh) tunnel to somewhere else
my $port=3306;
my $database="logs";
my $user="joseluis";
my $password="joseluis";

my ($sth,$dbh, $host,$time,$facility,$priority,$msg);

# RaiseError will raise an exception, i.e. die(), on errors.
# ->prepare("... ?,?,? ") and execute(arg1,arg2,...) will do the
# necessary quoting and interpolation for you, and even perform better.
sub try_connect() {
    # you may want to ping the db here
    # or eval { $dbh->disconnect } if $dbh;
    $dbh = DBI->connect("DBI:$driver:database=$database;host=$sqlhost;port=$port;",
                        $user, $password,
                        { RaiseError => 1, AutoCommit => 1 });
    if ($syslog_ng_template) {
        $sth = $dbh->prepare("INSERT INTO logs.testbox "
                            ."(host,time,facility,priority,message) "
                            ."VALUES (?,?,?,?,?)");
    } else {
        $sth = $dbh->prepare("INSERT INTO logs.testbox "
                            ."(host,time,message) "
                            ."VALUES (?,?,?)");
    }
}

# you might want to move this into the eval below
# (the fifo is the one named in the syslog/syslog-ng destination above)
open ( LOGPIPE, "< /tmp/pipe" ) or die "open LOGPIPE: $!\n";

while (1) {                       # forever
    eval {                        # catch db errors
        try_connect;
        while ( my $log = <LOGPIPE> ) {
            if ($syslog_ng_template) {
                # "$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE"
                ($host,$time,$facility,$priority,$msg) =
                    $log =~ /^(\S+) (\S+) (\S+) (\S+) (.*)$/;
                $sth->execute($host,$time,$facility,$priority,$msg);
            } else {
                # classic syslog format: "Mon DD HH:MM:SS host message"
                ($time,$host,$msg) = $log =~ /^(\S+ \S+ \S+) (\S+) (.*)$/;
                $sth->execute($host,$time,$msg);
            }
        }
    };
    warn($@) if $@;
}

> Hope it helps.

ditto :)

Lars
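To make the quoting point concrete, here is an added example; it is not Lars's or Jose's code and not part of syslog-ng or DBI. It is written in Python with an in-memory sqlite3 table standing in for the MySQL "logs" database: it splits the space-separated template line Lars proposes, shows that pasting the message text straight into the statement lets the forged logger line from the post change the SQL the database receives, and that a parameterised insert stores the same line as plain data. The sample lines, the table layout and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample input in the syslog-ng template format from the post:
#   template("$HOST $ISODATE $FACILITY $PRIORITY $MESSAGE\n")
# The second line is what the forged message from the post looks like after
#   logger -p kern.err "'); DELETE *.* FROM logs;#"
SAMPLE_LINES = [
    "testbox 2003-04-25T08:20:27+0300 auth info sshd[123]: Accepted publickey for max\n",
    "testbox 2003-04-25T08:21:02+0300 kern err '); DELETE *.* FROM logs;#\n",
]

# Same split Lars's perl regex does: four space-free fields, then the rest.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")


def parse_line(line):
    """Split one template line into (host, time, facility, priority, message)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError("unparseable syslog-ng line: %r" % line)
    return m.groups()


def open_db():
    """In-memory stand-in for the MySQL 'logs' database of the post."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (host TEXT, time TEXT, facility TEXT,"
               " priority TEXT, message TEXT)")
    return db


def build_unsafe_sql(fields):
    """The approach the post warns against: log text pasted into the SQL,
    as a template("INSERT INTO logs VALUES (...)") fed to the mysql
    client would do. The quote in the forged message ends the literal."""
    return "INSERT INTO logs VALUES ('%s', '%s', '%s', '%s', '%s');" % fields


def insert_unsafe(db, fields):
    """Run the interpolated statement. Returns True if the database saw the
    single INSERT that was intended, False if the log text changed the
    statement's structure (sqlite3 rejects the second statement that the
    forged message appends; the mysql client reading the pipe would run it)."""
    try:
        db.execute(build_unsafe_sql(fields))
        return True
    except Exception:
        return False


def insert_safe(db, fields):
    """Parameterised insert, the DBI prepare/execute pattern: values travel
    separately from the SQL text, so quotes and semicolons in the message
    are stored as data and never parsed as SQL."""
    db.execute("INSERT INTO logs VALUES (?, ?, ?, ?, ?)", fields)
    return True


def load(lines, inserter):
    """Parse and insert each line with the given inserter; returns the
    database and the number of rows it now holds."""
    db = open_db()
    for line in lines:
        inserter(db, parse_line(line))
    db.commit()
    return db, db.execute("SELECT COUNT(*) FROM logs").fetchone()[0]


def stored_messages(db):
    """Messages in time order, as they would be read back by a log viewer."""
    return [row[0] for row in db.execute("SELECT message FROM logs ORDER BY time")]


if __name__ == "__main__":
    db, n = load(SAMPLE_LINES, insert_safe)
    print(n, "rows stored:", stored_messages(db))
```

The unsafe path fails on the forged line and succeeds on the benign one, which is precisely the property an attacker who controls log content can exploit; the parameterised path treats both lines identically.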
Woody security updates
Hi all!

Regularly, security updates for Debian Woody are being announced and recommended for installation. The update packages, as I understand, are available from the network for installation with apt under

deb http://security.debian.org/ woody/updates main contrib non-free

But what about CD images for update? The jigdo file for the woody update CD
http://non-us.cdimage.debian.org/jigdo-area/3.0_r1/jigdo/i386/debian-update-3.0r1-i386.jigdo
shows the modification date 10-Jan-2003. Does this jigdo file load the latest security updates or are there any other places to download / create CD images?

Thanks a lot,
Matthias.
Re: SPAMMED ONCE AGIN !!! (Was: Re: Under 10 bucks, cell phone antenna boosters. qmnh coxehywqphhnsg)
Hello Rich,

At 10:42 2003-04-14 -0500 Rich Puhek wrote:
>Well, no. If you look carefully, you have managed to leak that address
>to the list before. On March 17, 2003, for instance (Message-Id:
><[EMAIL PROTECTED]>) you posted a
>reply to a question. Although you set your From address to be the
>"linux4michelle" address, you also ended up with the following line:
>
>X-Sender: [EMAIL PROTECTED] (Unverified)

Because I have no internet access at home, I can not use mutt to send the messages... I need to use a Windows client and then I transfer it on floppies to the Internet cafe and send it with a Windows program... So I can not rewrite anything...

>So, your MUA or MTA has leaked that address, without anyone needing to
>do a lookup on the Debian servers.

In some days I will get my new mobile telephone, which I will connect to my router at home... If it works, I can use mutt in the future. - uff! (But only for sending, because downloading 1 MByte of Debian lists each day is too expensive)

>That is a nice approach to handling the spam problem, but as you can
>see, one must be very careful to prevent leaking the subscribed to address.

have a nice Evening
Michelle

--
Registered Linux-User #280138 with the Linux Counter, http://counter.li.org.
Re: Snort exploit in wild.
- Forwarded message from Marcel Weber <[EMAIL PROTECTED]> -

From: Marcel Weber <[EMAIL PROTECTED]>
To: David Ramsden <[EMAIL PROTECTED]>
Cc: debian-security@lists.debian.org
Subject: Re: Snort exploit in wild.
X-Virus-Scanned: by AMaViS and OpenAntivirus ScannerDaemon
X-Spam-Status: No, hits=-4.4 required=5.0 tests=IN_REP_TO version=2.20
X-Spam-Level:

David Ramsden wrote:
>Hi,
>
>Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
>exploit the vuln. found in v1.8 through to 1.9.1.
>
>Packet Storm Security have this proof of concept on their site (local
>exploit at the moment).
>It uses a call-back technique to spawn a shell on the attacker's machine,
>via a connection from the compromised machine.
>I've not tried this on my Debian machines yet, so can't say if it works
>- You'd need the return address for Debian as only Slackware is supported
>in this proof of concept.
>
>What's the status of a patch from Debian Security? No DSA yet either.
>I know this has been brought up a few times already but now an exploit
>exists in the wild.
>
>As a workaround, I could disable snort (granted) but also, how can I use
>/etc/apt/preferences to update /just/ snort to a non-vuln. version from
>another branch (unstable/testing)? What line do I need in
>/etc/apt/sources.list? And how easy is it to downgrade to the stable
>version if something goes wrong or a patch is released from Debian?
>
>Thanks for all the help and regards,
>David.

Hi

Following the advice from heise.de [1] it should be enough to comment out the line:

preprocessor stream4_reassemble

in your /etc/snort/snort.conf

as the vulnerability is in this module. Of course you will lose some information. But safer is better ;-)

Regards

Marcel

[1] (http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

- End forwarded message -

--
 .''`.  David Ramsden <[EMAIL PROTECTED]>
: :' :  http://portal.hexstream.eu.org/
`. `'`  PGP key ID: 507B379B on wwwkeys.pgp.net
  `-    Debian - when you have better things to do than to fix a system.
Re: Snort exploit in wild.
On Fri, 2003-04-25 at 11:19, David Ramsden wrote:
> Noticed on vil.mcafee.com that a proof of concept exploit for Snort to
> exploit the vuln. found in v1.8 through to 1.9.1.

up to 2.0rc1 as reported by CERT

> What's the status of a patch from Debian Security? No DSA yet either.
> I know this has been brought up a few times already but now an exploit
> exists in the wild.

don't know if the debian package is affected, however it should

> As a workaround, I could disable snort (granted) but also, how can I use
> /etc/apt/preferences to update /just/ snort to a non-vuln. version from
> another branch (unstable/testing)? What line do I need in
> /etc/apt/sources.list? And how easy is it to downgrade to the stable
> version if something goes wrong or a patch is released from Debian?

don't do it... unstable/snort depends on a libc version not available in stable, and maybe there are some other unresolved dependencies... instead get the deb-src and try to recompile... i think it's not so linear, but it should work...

in the meantime (from the CERT advisory):

> Disable affected preprocessor modules
>
> Sites that are unable to immediately upgrade affected Snort sensors
> may prevent exploitation of this vulnerability by commenting out the
> affected preprocessor modules in the "snort.conf" configuration file.
>
> To prevent exploitation of VU#139129, comment out the following line:
>
> preprocessor stream4_reassemble
>
> To prevent exploitation of VU#916785, comment out the following line:
>
> preprocessor rpc_decode: 111 32771
>
> After commenting out the affected modules, send a SIGHUP signal to the
> affected Snort process to update the configuration. Note that
> disabling these modules may have adverse effects on a sensor's ability
> to correctly process RPC record fragments and TCP packet fragments. In
> particular, disabling the "stream4" preprocessor module will prevent
> the Snort sensor from detecting a variety of IDS evasion attacks.

Regards,
Gian Piero.

PS: about the pinning question, please read the apt-howto
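The CERT workaround quoted above is a two-line config edit plus a SIGHUP, but on a fleet of sensors it is worth doing mechanically and, more importantly, verifying afterwards. The following is an added example (not from the thread, from CERT, or from the Snort project): a Python helper that reports which of the two named preprocessors are still active in a snort.conf, comments out only those lines (leaving already-commented lines and the unrelated "stream4" line alone), and sends the HUP. The sample snort.conf excerpt is constructed; only the two preprocessor names come from the advisory, and the reload helper assumes Snort's PID is known.

```python
import os
import re
import signal

# Constructed snort.conf excerpt. The two affected lines are the ones the
# CERT advisory quoted in the thread tells you to comment out; the
# "stream4:" line is a different preprocessor with a similar name.
SAMPLE_CONF = """\
var HOME_NET any
preprocessor frag2
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble
#preprocessor http_decode: 80 unicode iis_alt_unicode
preprocessor rpc_decode: 111 32771
preprocessor bo
"""

# Preprocessors the advisory says to disable until a fixed package arrives.
AFFECTED = ("stream4_reassemble", "rpc_decode")

# An active preprocessor line: optional leading blanks, the keyword, the
# module name. A leading '#' makes the regex fail, so commented lines are
# ignored; the name stops at ':' so "stream4:" is not "stream4_reassemble".
PREPROC_LINE = re.compile(r"^\s*preprocessor\s+([A-Za-z0-9_]+)")


def _preprocessor_name(line):
    """Name of the preprocessor an active (uncommented) line loads, else None."""
    m = PREPROC_LINE.match(line)
    return m.group(1) if m else None


def enabled_affected(conf_text, affected=AFFECTED):
    """Which affected preprocessors are still active in this configuration.
    An empty list means the workaround is fully applied."""
    names = {_preprocessor_name(line) for line in conf_text.splitlines()}
    return sorted(n for n in names if n in affected)


def disable_preprocessors(conf_text, affected=AFFECTED):
    """Comment out every active line that loads an affected preprocessor.
    Returns the rewritten text and the list of lines that were changed,
    so a second run on the result changes nothing."""
    out, changed = [], []
    for line in conf_text.splitlines(keepends=True):
        if _preprocessor_name(line) in affected:
            out.append("#" + line)
            changed.append(line.rstrip("\n"))
        else:
            out.append(line)
    return "".join(out), changed


def apply_workaround(conf_path, snort_pid=None):
    """Rewrite the file in place and, if a PID is given, send the SIGHUP the
    advisory asks for so Snort re-reads its configuration. Returns the
    changed lines."""
    with open(conf_path) as fh:
        new_text, changed = disable_preprocessors(fh.read())
    if changed:
        with open(conf_path, "w") as fh:
            fh.write(new_text)
        if snort_pid is not None:
            os.kill(snort_pid, signal.SIGHUP)
    return changed


if __name__ == "__main__":
    # Dry run on the constructed sample; for a real sensor you would call
    # apply_workaround("/etc/snort/snort.conf", <pid from /var/run>).
    new_text, changed = disable_preprocessors(SAMPLE_CONF)
    print("changed:", changed)
    print("still enabled:", enabled_affected(new_text))
```

Running enabled_affected over each sensor's snort.conf after the change is the check that matters: a sensor that still lists either name has not had the workaround applied, HUP or not. As the advisory notes, stream4 reassembly is what lets Snort see across TCP segments, so the disabled state is a stopgap to be reverted once a fixed package is installed.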
Re: Snort exploit in wild.
On Fri, Apr 25, 2003 at 12:13:38PM +0200, Marcel Weber wrote:
> David Ramsden wrote:
> [snip]
>
> Following the advice from heise.de [1] it should be enough to comment
> out the line:
>
> preprocessor stream4_reassemble
>
> in your /etc/snort/snort.conf
>
> as the vulnerability is in this module. Of course you will lose some
> information. But safer is better ;-)
> [snip]
>
> [1]
> (http://www.heise.de/newsticker/result.xhtml?url=/newsticker/data/pab-16.04.03-000/default.shtml&words=Snort)

Thank you for the information. I had a quick look on the bug tracking system for Debian and found information for the RPC decoder exploit, so have commented that out. I'll now disable what's been suggested and wait for a DSA.

Thanks for the information on this Marcel.

Kind regards,
David.

--
 .''`.  David Ramsden <[EMAIL PROTECTED]>
: :' :  http://portal.hexstream.eu.org/
`. `'`  PGP key ID: 507B379B on wwwkeys.pgp.net
  `-    Debian - when you have better things to do than to fix a system.
Snort exploit in wild.
Hi,

Noticed on vil.mcafee.com that a proof of concept exploit for Snort to exploit the vuln. found in v1.8 through to 1.9.1.

Packet Storm Security have this proof of concept on their site (local exploit at the moment). It uses a call-back technique to spawn a shell on the attacker's machine, via a connection from the compromised machine. I've not tried this on my Debian machines yet, so can't say if it works - you'd need the return address for Debian as only Slackware is supported in this proof of concept.

What's the status of a patch from Debian Security? No DSA yet either. I know this has been brought up a few times already but now an exploit exists in the wild.

As a workaround, I could disable snort (granted) but also, how can I use /etc/apt/preferences to update /just/ snort to a non-vuln. version from another branch (unstable/testing)? What line do I need in /etc/apt/sources.list? And how easy is it to downgrade to the stable version if something goes wrong or a patch is released from Debian?

Thanks for all the help and regards,
David.

--
 .''`.  David Ramsden <[EMAIL PROTECTED]>
: :' :  http://portal.hexstream.eu.org/
`. `'`  PGP key ID: 507B379B on wwwkeys.pgp.net
  `-    Debian - when you have better things to do than to fix a system.
Re: Chkrootkit
Hi,

this is not exactly a reply to your question, just a general pointer: whatever you do, don't rely solely on chkrootkit.

One woody box I know of just recently got cracked, and had the viceroy rootkit installed. It was a very poorly done rootkit to boot (ls, ps, netstat etc. were all dynamically linked to libc.so.5, which didn't exist on the machine, /sbin, /bin and /usr/sbin had tons of ext2 attrs attached, /var/log was wiped and syslogd killed etc.). Turns out, the latest Debian chkrootkit (0.40?) didn't find a thing and declared the box as clean.

After seeing that I recommend tripwire over chkrootkit to anyone that asks, even if tripwire is higher in maintenance.

Regs,
Sven

--
Sven Riedel                   [EMAIL PROTECTED]
Osteroeder Str. 6 / App. 13   [EMAIL PROTECTED]
38678 Clausthal
"Python is merely Perl for those who prefer Pascal to C" (anon)
Re: Presentation
Seems like again somebody is willing to pay the "donation" to debian? List-admin ... go ahead :-)
unsubscribe
unsubscribe

-
Hot Mobiil - ringtones, logos and picture messages!
http://portal.hot.ee