[SECURITY] [DSA-358-2] New kernel packages fix potential oops
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 358-2                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Matt Zimmerman
August 5th, 2003                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : linux-kernel-i386, linux-kernel-alpha

This advisory provides a correction to the previous kernel updates, which
contained an error introduced in kernel-source-2.4.18 version 2.4.18-7.
This error could result in a kernel oops under certain circumstances.

For the stable distribution (woody) on the i386 architecture, this problem
has been fixed in kernel-source-2.4.18 version 2.4.18-12 and
kernel-image-2.4.18-1-i386 version 2.4.18-10.

For the stable distribution (woody) on the alpha architecture, this problem
has been fixed in kernel-source-2.4.18 version 2.4.18-12 and
kernel-image-2.4.18-1-alpha version 2.4.18-9.

For the unstable distribution (sid) this problem has been fixed in
kernel-source-2.4.20 version 2.4.20-7.

We recommend that you update your kernel packages.

If you are using the kernel installed by the installation system when the
"bf24" option is selected (for a 2.4.x kernel), you should install the
kernel-image-2.4.18-bf2.4 package. If you installed a different
kernel-image package after installation, you should install the
corresponding 2.4.18-1 kernel. You may use the table below as a guide.

  If "uname -r" shows:    Install this package:
  ------------------------------------------------------
  2.4.18-bf2.4            kernel-image-2.4.18-bf2.4
  2.4.18-386              kernel-image-2.4.18-1-386
  2.4.18-586tsc           kernel-image-2.4.18-1-586tsc
  2.4.18-686              kernel-image-2.4.18-1-686
  2.4.18-686-smp          kernel-image-2.4.18-1-686-smp
  2.4.18-k6               kernel-image-2.4.18-1-k6
  2.4.18-k7               kernel-image-2.4.18-1-k7

NOTE: this kernel is binary compatible with the previous kernel security
update, but not binary compatible with the corresponding kernel included
in Debian 3.0r1. If you have not already applied the previous security
update (kernel-image-2.4.18-bf2.4 version 2.4.18-5woody1 or any of the
2.4.18-1-* kernels), then any custom modules will need to be rebuilt in
order to work with the new kernel. New PCMCIA modules are provided for
all of the above kernels.

NOTE: A system reboot will be required immediately after the upgrade in
order to replace the running kernel. Remember to read carefully and follow
the instructions given during the kernel upgrade process.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:
[SECURITY] [DSA-366-1] New eroaster packages fix insecure temporary file creation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 366-1                     [EMAIL PROTECTED]
http://www.debian.org/security/                           Matt Zimmerman
August 5th, 2003                        http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : eroaster
Vulnerability  : insecure temporary file
Problem-Type   : local
Debian-specific: no
CVE Id         : CAN-2003-0656

eroaster, a frontend for burning CD-R media using cdrecord, does not take
appropriate security precautions when creating a temporary file for use
as a lockfile. This bug could potentially be exploited to overwrite
arbitrary files with the privileges of the user running eroaster.

For the stable distribution (woody) this problem has been fixed in
version 2.1.0.0.3-2woody1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.0-0.5-1.

We recommend that you update your eroaster package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
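The bug class behind DSA-366-1, as an added example that is not eroaster's code: a lockfile created at a predictable path with plain O_CREAT|O_TRUNC follows a symlink planted there, while O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it) refuses to touch anything pre-existing. The scenario runs in a private temp directory and the function names are this example's own.

```python
import os
import tempfile

# Constructed demonstration of the bug class in DSA-366-1, not eroaster's code.
# Names (weak_lockfile, safe_lockfile, demo) are this example's own.

def weak_lockfile(path):
    """Fragile pattern: predictable path, opened with O_CREAT|O_TRUNC.
    If a symlink already sits at `path`, open() follows it and truncates
    whatever it points at, with the caller's privileges."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)

def safe_lockfile(path):
    """Hardened pattern: O_EXCL makes creation atomic and fails with EEXIST
    if anything (even a dangling symlink) is already at `path`; O_NOFOLLOW
    additionally refuses a symlink as the final component. No pre-existing
    file is ever opened or truncated."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)

def demo():
    """Constructed scenario: a symlink is planted where the lockfile is
    expected, pointing at a file the user owns. Returns what each pattern
    did to that file."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "important.txt")
    lock = os.path.join(workdir, "app.lock")
    with open(victim, "w") as f:
        f.write("do not lose me\n")
    os.symlink(victim, lock)

    os.close(weak_lockfile(lock))
    weak_size = os.path.getsize(victim)    # 0: truncated through the link

    with open(victim, "w") as f:           # restore the file, then retry
        f.write("do not lose me\n")
    try:
        os.close(safe_lockfile(lock))
        safe_refused = False
    except OSError:                        # EEXIST / ELOOP: creation refused
        safe_refused = True
    safe_size = os.path.getsize(victim)    # 15: untouched

    return {"weak_size": weak_size, "safe_refused": safe_refused,
            "safe_size": safe_size}

if __name__ == "__main__":
    print(demo())
```

On Linux 3.6 and later, fs.protected_symlinks blocks link-following in sticky world-writable directories such as /tmp, but not in other shared directories, so the O_EXCL pattern remains the correct fix.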
pf support
Is anyone planning on porting OpenBSD's pf to Debian?

- -
Perry Research, Inc.
5450 Bruce B. Downs Blvd #313
Wesley Chapel, FL 33543
p: 813-864-7659
f: 813-862-2015
http://www.PerryResearch.com/phorum
Re: Debian Stable server hacked
----- Original Message -----
From: Thijs Welman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 5:56 PM
Subject: Re: Debian Stable server hacked

> Thanx for the replies so far.
[...]
> Thought of that myself. Checked the apache logfiles and went through the
> scripts... I don't have any 'candidates' besides Horde-2.1/Imp-3.1 and
> squirrelmail-1.4.0. But then there's still the www-data -> root
> question...

It is possible to write harmful PHP code which executes code on your server,
and use that to trigger a local root exploit. I've seen one of those attempts
on one of my webservers, which tried to trigger a kernel exploit. Luckily we
upgraded that kernel some days before the attempt.

Regards,
Teun
Debian Stable server hacked
Hi,

Last Sunday, August 3rd 2003, one of my servers was hacked, which I, by
coincidence, was able to catch 'in progress'. My loganalyzer showed four
"Did not receive identification string from w.x.y.z" log entries from sshd.
This happens all the time and I certainly don't check all of them out, but
I happened to do so this time. I noticed suspicious network connections
with netstat [1]. Shortly thereafter I noticed I had two init processes and
multiple syslogd processes. I killed the syslogd processes immediately, as
the network traffic appeared to be IRC traffic. Then I practically sealed
the machine from outside with my firewall, allowing me to do some further
research. I found the following:

- The extra init process was somehow spawned, but the original binary
  seems to have been deleted [2].
- All base system programs were ok, including init and syslogd. Md5s
  matched.
- In / there was rpm-4.0.4.i386.tar.gz. I found that the content was
  installed. It matches the archive on ftp.rpm.org (md5).
- I didn't find any other out-of-the-ordinary files.
- chkrootkit didn't find anything but the extra init process running.

I'm puzzled about how they managed to get those processes running (as
root). There are no local accounts, other than some accounts for the
sysadmins. Does anyone have any idea how they might have done this? Anyone
seen similar hacks recently? I'd sure like to solve this problem, but at
this moment I wouldn't know how, so suggestions are more than welcome.
Unfortunately I don't have the resources to get an IDS system up and
running...

regards and tia,

Thijs Welman
Delft University of Technology
the Netherlands

- -
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)

All packages are unmodified releases from Debian stable and, yes, I do
update packages from security.debian.org as soon as there are any
updates. :)

[1] netstat -anp at that time:

  tcp        0      0 MYIP:36789 IP#1:21    ESTABLISHED 12642/wget
  tcp    14480        MYIP:36790 IP#1:20    ESTABLISHED 12642/wget
  tcp        0      0 MYIP:44367 IP#2:60666 ESTABLISHED 10051/syslogd
  tcp        0      0 MYIP:33397 IP#2:60666 ESTABLISHED 10051/syslogd
  tcp        0     80 MYIP:53731 IP#3:59780 ESTABLISHED 10764/init

Note: I found out 'init' and 'syslogd' were 'extra' processes. My normal
init and syslogd were running normally (seemed untouched).

[2] lsof output:

  init  1 root  cwd  DIR  3,3    4096      2 /
  init  1 root  rtd  DIR  3,3    4096      2 /
  init  1 root  txt  REG  3,3   27844 312195 /sbin/init
  init  1 root  mem  REG  3,3   90210 179291 /lib/ld-2.2.5.so
  init  1 root  mem  REG  3,3 1153784 179294 /lib/libc-2.2.5.so
  init  1 root  10u FIFO  3,3          49116 /dev/initctl
  init  9 root  cwd  DIR  3,3    4096      2 /
  init  9 root  rtd  DIR  3,3    4096      2 /
  init  9 root  txt  REG  3,3   29304 312205 /sbin/init (deleted)
  init  9 root   0u  CHR  1,3          49079 /dev/null
  init  9 root   1u  CHR  1,3          49079 /dev/null
  init  9 root   2u  CHR  1,3          49079 /dev/null
  init  9 root   3u  CHR  1,2          49078 /dev/kmem
  init  9 root   4u sock  0,0             19 can't identify protocol
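As an added triage example (not part of the thread), the checks the poster did by eye over his netstat and lsof output, written as functions a responder could run over saved output: an executable unlinked while still running, a second "init" that is not PID 1, a process holding /dev/kmem open, and ESTABLISHED TCP sockets owned by daemons that should never have any. The sample lines are constructed from the post with whitespace restored, and the list of daemons that are never expected to hold a TCP connection is an assumption for this host.

```python
# Constructed sample output modelled on the lines quoted in the post
# (whitespace restored); function names are this example's own.
NETSTAT = """\
tcp        0      0 MYIP:36789  IP#1:21     ESTABLISHED 12642/wget
tcp        0  14480 MYIP:36790  IP#1:20     ESTABLISHED 12642/wget
tcp        0      0 MYIP:44367  IP#2:60666  ESTABLISHED 10051/syslogd
tcp        0      0 MYIP:33397  IP#2:60666  ESTABLISHED 10051/syslogd
tcp        0     80 MYIP:53731  IP#3:59780  ESTABLISHED 10764/init
"""

LSOF = """\
init 1 root cwd DIR 3,3 4096 2 /
init 1 root txt REG 3,3 27844 312195 /sbin/init
init 9 root cwd DIR 3,3 4096 2 /
init 9 root txt REG 3,3 29304 312205 /sbin/init (deleted)
init 9 root 3u CHR 1,2 49078 /dev/kmem
init 9 root 4u sock 0,0 19 can't identify protocol
"""

# Assumption for this host: these daemons never own an ESTABLISHED TCP socket,
# so any such socket attributed to them is worth a look.
NO_TCP_EXPECTED = {"init", "syslogd"}

def suspicious_connections(netstat_text):
    """(pid, name, remote) for ESTABLISHED TCP sockets held by processes
    in NO_TCP_EXPECTED. Expects `netstat -anp` style columns."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue
        pid, _, name = f[6].partition("/")   # e.g. "10051/syslogd"
        if name in NO_TCP_EXPECTED:
            hits.append((int(pid), name, f[4]))
    return hits

def suspicious_processes(lsof_text):
    """Map pid -> reasons. Flags an executable unlinked while running
    (lsof appends "(deleted)"), an 'init' that is not PID 1, and any
    process with /dev/kmem open, which a normal init never has."""
    findings = {}
    for line in lsof_text.splitlines():
        f = line.split()
        if len(f) < 5:
            continue
        cmd, pid, fd = f[0], int(f[1]), f[3]
        reasons = findings.setdefault(pid, set())
        if fd == "txt" and line.rstrip().endswith("(deleted)"):
            reasons.add("binary deleted on disk")
        if cmd == "init" and pid != 1:
            reasons.add("extra init process")
        if f[-1] == "/dev/kmem":
            reasons.add("/dev/kmem open")
    return {pid: sorted(r) for pid, r in findings.items() if r}
```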
Re: [d-security] Debian Stable server hacked
Hello

On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote:
> I'm puzzled about how they managed to get those processes running (as
> root). There are no local accounts, other than some accounts for the
> sysadmins. Does anyone have any idea how they might have done this?

Most times, servers are not cracked by somebody logging in and getting root
permissions somehow but by somebody who convinces a running network daemon
like a web, database or mail server via means of buffer overflows etc. to
execute arbitrary code instructions. This code will then e.g. write a shell
script and execute it or spawn a shell. You will never see an attacker in
your last log :-)

Try nmap to see which services are reachable from the network.

bye,

-christian-
Re: Debian Stable server hacked
A few thoughts on potential problems:

Thijs Welman wrote:
> Unfortunately I don't have the resources to get an IDS system up and
> running...

A bare-bones IDS isn't all that extreme to build, especially if you are
only interested in a single network. Debian stable + snort source package
from unstable might be your best bet...

> regards and tia,
>
> Thijs Welman
> Delft University of Technology
> the Netherlands
>
> - -
> [0] My server is running Debian stable with:
> - linux-2.4.21-ac4 custom compiled kernel without LKM-support
> - sshd
> - apache
> - apache-ssl
> - php4
> - smbd/nmbd (firewalled at the university network border)

NOTE: Ok, firewalled at the network border, but could poorly-secured
internal Windows machines have been used as a springboard for an attack?
The same goes for the below services: are you sure that all the machines
and people on the same side of the firewall are completely trustworthy?
This is a big hole if you're only firewalling at the border of your campus
network, and have a wide variety of machines out there...

> - postfix (not accessible from outside)
> - bind9 (not accessible from outside)
> - mysql (firewalled)
> - proftpd (firewalled)
> - snmpd (firewalled)
> - amanda-client from inetd (firewalled)
>
> All packages are unmodified releases from Debian stable and, yes, I do
> update packages from security.debian.org as soon as there are any
> updates. :)

Was anyone else logged in at the time? Perhaps one of your admins had a
weak or compromised password?

--Rich

_________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: [EMAIL PROTECTED]
_________________________________________
Re: Debian Stable server hacked
On Wed, 06 Aug 2003 16:01:39 +0200, Thijs Welman [EMAIL PROTECTED] wrote:
> My loganalyzer showed four "Did not receive identification string from
> w.x.y.z" log entries from sshd. This happens all the time and I
> certainly don't check all of them out, but I happened to do so this
> time.

That's probably people testing to see if port 22 is open.

> I'm puzzled about how they managed to get those processes running (as
> root). There are no local accounts, other than some accounts for the
> sysadmins. Does anyone have any idea how they might have done this?

Maybe they brute forced the root password? Do you have "PermitRootLogin
yes" in sshd_config? I'd set up ssh to do protocol 2 only, no root logins,
and no passwords / public keys only if possible.

You say that you have apache and php4 installed. Are you running any PHP
applications that may have been compromised? Although I'd expect those to
leave the attacker with access to www-data rather than root.

Alan.
Re: Debian Stable server hacked
Hello,

> Was anyone else logged in at the time? Perhaps one of your admins had a
> weak or compromised password?

Install johntheripper if you want to check for weak passwords :D a great
program!

Hobbs.

FOR ALL YOUR UNIX/LINUX QUESTIONS, visit: http://unixforum.co.uk

--
Richard Hobbs  [EMAIL PROTECTED]  http://mongeese.co.uk
http://unixforum.co.uk
Registered Linux User: 313906 (http://counter.li.org)
"There's only one way of life, and that's your own" - The Levellers

Send all your jokes to: [EMAIL PROTECTED] !!
To subscribe, email: [EMAIL PROTECTED]
Re: Debian Stable server hacked
Thanx for the replies so far.

Christian Hammers wrote:
> Try nmap to see which services are reachable from the network.

  Port       State       Service
  22/tcp     open        ssh
  80/tcp     open        http
  443/tcp    open        https

From within the campus network adds:

  Port       State       Service
  21/tcp     open        ftp
  139/tcp    open        netbios-ssn

Rich Puhek wrote:
> NOTE: Ok, firewalled at the network border, but could poorly-secured
> internal Windows machines have been used as a springboard for an attack?
> The same goes for the below services: are you sure that all the machines
> and people on the same side of the firewall are completely trustworthy?
> This is a big hole if you're only firewalling at the border of your
> campus network, and have a wide variety of machines out there...

It's likely that there are numerous compromised systems within the campus,
unfortunately. They could have used one of those, that's possible. That
means they must have exploited sshd, apache, apache-ssl, proftpd or samba.
bind9 is open to a local 172.20 network (student housing), so is also a
candidate... Can't rule it out, but I can't imagine I would be the only one
having problems... mysql is only open to three of my other servers. snmpd
is only open to my monitoring server.

> Was anyone else logged in at the time? Perhaps one of your admins had a
> weak or compromised password?

Nope. No one was logged in at that time. The few logins in the logfile are
accounted for.

Alan James wrote:
> Maybe they brute forced the root password? Do you have "PermitRootLogin
> yes" in sshd_config?

No, I didn't at that moment. But there's no sign of a successful root
login. Not in ps aux, not in netstat and no ssh traffic other than my own
session in tcpdump. I guess a brute-force would show up in the ssh
logfiles. Only thing there is four times "Did not receive identification
string".

> You say that you have apache and php4 installed. Are you running any PHP
> applications that may have been compromised? Although I'd expect those
> to leave the attacker with access to www-data rather than root.

Thought of that myself. Checked the apache logfiles and went through the
scripts... I don't have any 'candidates' besides Horde-2.1/Imp-3.1 and
squirrelmail-1.4.0. But then there's still the www-data -> root
question...

regards,

Thijs Welman