Re: chkrootkit and lkm

2003-11-25 Thread Marek Habersack
On Tue, Nov 25, 2003 at 06:42:21PM -0600, Adam Heath scribbled:
[snip]
> > are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> > in existence that show a PID of 0.
> > Am I right to assume that this is not the lkm kit, but rather some
> > weirdness in PID assignment?
> >
> > The same PID thing is happening on my testing/unstable laptop -
> > compromised as well or something else amiss in the distro, maybe related
> > to the server break ins?
> 
> Are you running 2.6, or the backported TLS patches on 2.4?
It seems it's not only there. I think it's also the -aa kernels which show
this behavior (that would include 2.4.23rcX).

marek




Re: chkrootkit and lkm

2003-11-25 Thread Johannes Graumann
Thanks to everybody who was taking the time to soothe the novice ... ;0)

Joh

On Tue, 25 Nov 2003 12:18:35 -0800
Johannes Graumann <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> This is a testing/unstable system.
> 
> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
> I did some reading and made sure the number is not changing (due to
> running 'chkrootkit' while new processes are started and /proc and
> 'ps' are not synchronized) - it remains 4.
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out, that there are 4 processes in
> /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weirdness in PID assignment?
> 
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe
> related to the server break ins?
> 
> Any comment is highly appreciated.
> 
> Joh
> 
> 
> -- 
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
> 
> 



Re: How efficient is mounting /usr ro?

2003-11-25 Thread Russell Coker
On Wed, 26 Nov 2003 07:45, Chema <[EMAIL PROTECTED]> wrote:
> RC> Why would you get better performance?  If you mount noatime then
> RC> there's no writes to a file system that is accessed in a read-only
> RC> fashion and there should not be any performance issue.
>
> Hum, ¿are you talking only about ext3?  'Cause I don't think the reading

I am talking about any file system.  When only reading from a file system 
there should not be any performance difference when comparing a RO mount vs a 
NOATIME mount.  If there is a difference then it's a bug in the file system.

> performance of ext2 and reiserfs/jfs/whatever will be the same just by
> freezing the access time.

Of course different file systems give different performance characteristics, I 
know this well, I wrote one of the two benchmarks used in the URL you cite.

> ext3 is just a
> somewhat dirty hack on ext2, and without journaling their performance would
> be probably the same.

My point is that for read-only operations ext2 and the original ext3 should 
give the same performance.

Incidentally if you want significantly better performance for such things then 
you want to run 2.6.0 or a Red Hat kernel so you get directory hashing on 
ext3.  It appears from a casual code inspection that 2.6.0-test10 does not 
support directory hashing for ext2.  So in 2.6.0-test10 ext3 should 
significantly outperform ext2 when there are large numbers of files in a 
directory.  I'll have to do some benchmarks on this.

> Now, how much difference does noatime really make?

The difference it makes is that reading from the disk will never cause disk 
writes.  If you access large numbers of files or if you have IO hardware that 
has a bottleneck of write bandwidth (EG a typical mail server) then NOATIME 
makes a significant difference.

> Also, access time is usually a piece of information I'd like to keep. 

In which case you need to mount RW and your entire argument is bogus.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



Re: Fwd: Cron apt-get update && apt-get -y upgrade

2003-11-25 Thread Marcel Weber
Linux wrote:
> OK, now I got really worried
> 
> Because I'm a bit lazy I've put the apt-get update & upgrade into the crontab 
> of one of my machines.
> 
> Now the question is: how do I know if those installed packages are hacked or 
> not? Some suggestions and help, please?

I think they are not. They are all part of the woody r2 release, that's 
already out on the mirrors. These are the newly changed packages:

console-data                  fixes support for Sun keyboards
debianutils                   prevents infinite CPU usage
gnupg                         security update from the author and
                              compatibility fix
intlfonts                     fixes licence problems
jigdo                         now supports current cdimage archives
liblocale-gettext-perl        fixes serious bug
libphp-adodb                  prevents potential data loss
libprinterconf, pconf-detect  did not work before
nano                          fixes annoying misfeature for
                              boot-floppies
procmail                      prevents potential data loss
procps                        fixes crash misfeature
python-pgsql                  prevents potential data loss
shorewall                     fixes unintended network outages
snmpkit                       package contained no binary components
spamassassin                  removes the shut-down
                              relays.osirusoft.com
util-linux                    patch for kernel 2.4.19 on MIPS
xnc                           prevents collapse of the menu system
zlib                          security fix (CAN-2003-0107)
Regards

Marcel


Re: chkrootkit and lkm

2003-11-25 Thread Adam Heath
On Tue, 25 Nov 2003, Johannes Graumann wrote:

> Hello,
>
> This is a testing/unstable system.
>
> I was just running 'chkrootkit' and came across this warning:
>
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> I did some reading and made sure the number is not changing (due to
> running 'chkrootkit' while new processes are started and /proc and 'ps'
> are not syncronized) - it remains 4.
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out, that there are 4 processes in
> /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weiredness in PID assignment?
>
> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?

Are you running 2.6, or the backported TLS patches on 2.4?



RE: chkrootkit and lkm

2003-11-25 Thread Michael Bordignon

> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed

I have the same problem.. I believe it's a bug in chkrootkit


Michael



Re: Debian servers "hacked"?

2003-11-25 Thread Michael Stone
On Sat, Nov 22, 2003 at 02:32:45AM -0500, George Georgalis wrote:
> I thought it was odd there were ~50 urgent security updates all in one
> evening.
Those weren't security updates, they were 3.0r2 (aka stable). Check
the debian-devel-announce archives. (When they come back on line.)
Mike Stone



Re: chkrootkit and lkm

2003-11-25 Thread Adam D. Barratt
On Tue, 2003-11-25 at 20:18, Johannes Graumann wrote:
[...]
> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
[...]
> I then went ahead and manually checked the output of 'ls -a /proc'
> against that of 'ps -A' and found out, that there are 4 processes in
> /proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
> are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
> in existence that show a PID of 0.
> Am I right to assume that this is not the lkm kit, but rather some
> weiredness in PID assignment?

Yes. Well, rather to do with how `ps' handles the processes in question.

> The same PID thing is happening on my testing/unstable laptop -
> compromised as well or something else amiss in the distro, maybe related
> to the server break ins?

It's nothing at all to do with the compromise, and everything to do with
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217525> (`ps shows
incorrect pid value') and
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278>
(`chkrootkit: doesn't work too well with kernel threads').

(FWIW, the bugs were filed 31 and 33 days ago, against procps and
chkrootkit respectively, and
<http://bugs.debian.org/{procps,chkrootkit}> is currently
operational, although lacking a record of activity since late last
week.)

Your machine is behaving no more strangely than thousands of other
sarge/sid boxes. :-)

Adam





Re: chkrootkit and lkm

2003-11-25 Thread Javier Fernández-Sanguino Peña
On Tue, Nov 25, 2003 at 12:18:35PM -0800, Johannes Graumann wrote:
> Hello,
> 
> This is a testing/unstable system.
> 
> I was just running 'chkrootkit' and came across this warning:
> 
> > Checking `lkm'... You have 4 process hidden for ps command
> > Warning: Possible LKM Trojan installed
> 
(...)
> 
> Any comment is highly appreciated.

This is a known bug in chkrootkit: it does not understand processes with pid 
'0' (kernel threads) which are not listed under /proc and emits this 
"alert".

As a matter of fact it was reported prior to the compromise. Please
check the following bugs for more information:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=217278

HTH

Javi


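The manual comparison the original poster describes (diffing `ls -a /proc` against `ps -A`), together with the explanation in the replies above, as an added example that is not code from any poster or from chkrootkit itself: it parses both listings and, for every /proc PID that ps does not report, checks whether ps instead lists a process of the same name with PID 0, which is the procps kernel-thread behaviour discussed in this thread. Only PIDs that ps does not show under any name are reported as worth a closer look. The `ps -A` column layout and the /proc/<pid>/stat format are real; the sample listings are constructed to mirror the poster's machine, with one extra PID (9999) added to show the other outcome.

```python
"""Compare the PIDs in /proc with what `ps -A` reports, as chkrootkit's
`lkm' test does, and separate the two explanations for a mismatch:
a PID that ps does not report under any name versus a kernel thread that
a buggy procps printed with PID 0 (bugs #217525 / #217278 in the thread).
"""
import os
import re
import subprocess
from typing import Dict, List, Tuple

# One row of `ps -A`: PID, TTY, TIME, then the command name.
PS_ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(.*?)\s*$")


def parse_ps_output(text: str) -> List[Tuple[int, str]]:
    """Turn `ps -A` output into (pid, command) pairs; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows


def parse_proc_stats(stat_lines) -> Dict[int, str]:
    """Map PID -> comm from /proc/<pid>/stat lines ("3 (ksoftirqd_CPU0) S ...").
    The comm sits between the first "(" and the last ")", because a command
    name may itself contain parentheses."""
    names = {}
    for line in stat_lines:
        pid = int(line.split(" ", 1)[0])
        names[pid] = line[line.index("(") + 1:line.rindex(")")]
    return names


def classify_missing(proc_names: Dict[int, str],
                     ps_rows: List[Tuple[int, str]]) -> Tuple[Dict[int, str], Dict[int, str]]:
    """Split the /proc PIDs absent from ps into two groups.

    explained: ps does list a process with that name, only with PID 0
               (the procps kernel-thread bug discussed in the thread).
    hidden:    ps shows nothing by that name at all; this is the case that
               deserves investigation before trusting the box.
    """
    ps_pids = {pid for pid, _ in ps_rows}
    zero_pid_names = {name for pid, name in ps_rows if pid == 0}
    hidden, explained = {}, {}
    for pid, name in sorted(proc_names.items()):
        if pid in ps_pids:
            continue
        if name in zero_pid_names:
            explained[pid] = name
        else:
            hidden[pid] = name
    return hidden, explained


def snapshot_live() -> Tuple[Dict[int, str], List[Tuple[int, str]]]:
    """Read the real /proc and run the real ps (Linux only; the sample below
    does not use this, so the module runs anywhere)."""
    stat_lines = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/stat") as fh:
                    stat_lines.append(fh.read().strip())
            except OSError:
                pass  # process exited between listdir() and open(); not a hidden PID
    ps_text = subprocess.run(["ps", "-A"], capture_output=True, text=True, check=True).stdout
    return parse_proc_stats(stat_lines), parse_ps_output(ps_text)


# Constructed sample input modelled on the poster's machine: four kernel
# threads shown by ps with PID 0, plus one PID (9999) that ps omits entirely.
PS_SAMPLE = """\
  PID TTY          TIME CMD
    1 ?        00:00:04 init
    0 ?        00:00:00 ksoftirqd_CPU0
    0 ?        00:00:00 kswapd
    0 ?        00:00:00 bdflush
    0 ?        00:00:00 kupdated
    7 ?        00:00:00 khubd
  412 ?        00:00:00 syslogd
"""
PROC_STAT_SAMPLE = [
    "1 (init) S 0 1 1 0 -1",
    "3 (ksoftirqd_CPU0) S 1 1 1 0 -1",
    "4 (kswapd) S 1 1 1 0 -1",
    "5 (bdflush) S 1 1 1 0 -1",
    "6 (kupdated) S 1 1 1 0 -1",
    "7 (khubd) S 1 1 1 0 -1",
    "412 (syslogd) S 1 412 412 0 -1",
    "9999 (daemon_x) S 1 9999 9999 0 -1",   # constructed: absent from ps altogether
]


def run_sample() -> Tuple[Dict[int, str], Dict[int, str]]:
    """Run the classification over the constructed sample; returns (hidden, explained)."""
    return classify_missing(parse_proc_stats(PROC_STAT_SAMPLE), parse_ps_output(PS_SAMPLE))


if __name__ == "__main__":
    hidden, explained = run_sample()
    print("accounted for by PID-0 kernel threads:", explained)
    print("not reported by ps under any name:   ", hidden)
```

On the sample, PIDs 3 to 6 are attributed to the four PID-0 kernel threads and only 9999 remains unexplained; run `snapshot_live()` instead of the sample to apply the same split to a real machine, bearing in mind that a process which exits between the two snapshots shows up as a transient mismatch, which is why the poster repeated the count.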



Re: Debian servers "hacked"?

2003-11-25 Thread Johann Koenig
On Saturday November 22 at 02:32am
George Georgalis <[EMAIL PROTECTED]> wrote:

> So, are these compromised updates or urgent patches? I'm guessing the
> former..

More likely part of 3.0r2. I've attached the message from
debian-announce.
-- 
-johann koenig
Now Playing: Red Hot Chili Peppers - The Greeting Song : Blood Sugar Sex
Magik
Today is Prickle-Prickle, the 37th day of The Aftermath in the YOLD 3169
My public pgp key: http://mental-graffiti.com/pgp/johannkoenig.pgp


Debian_GNU_Linux_3.0_updated_(r2)
Description: Binary data





Re: How efficient is mounting /usr ro?

2003-11-25 Thread Chema
On Tue, 25 Nov 2003 21:14:21 +1100
Russell Coker <[EMAIL PROTECTED]> wrote:

RC> On Tue, 25 Nov 2003 19:51, Chema <[EMAIL PROTECTED]>
RC> wrote:
RC> > Making /usr read-only is not for that kind of security.  It will
RC> > keep your data safe from corruption (soft one, anyway: a disk
RC> > crash will take anything with it ;-).  Besides, you can get a
RC> > better performance formatting it with ext2, since you'll not need
RC> > journaling.
RC> 
RC> Why would you get better performance?  If you mount noatime then
RC> there's no writes to a file system that is accessed in a read-only
RC> fashion and there should not be any performance issue.

Hum, ¿are you talking only about ext3?  'Cause I don't think the reading performance 
of ext2 and reiserfs/jfs/whatever will be the same just by freezing the access time.  
Any test will tell you that they are not in usual conditions, e.g. 
http://fsbench.netnation.com/.  ext3 is just a somewhat dirty hack on ext2, and 
without journaling their performance would probably be the same.

Now, how much difference does noatime really make?

Also, access time is usually a piece of information I'd like to keep.  Probably some 
programs (maybe popularity-contest) would also like to know what is being touched.





chkrootkit and lkm

2003-11-25 Thread Johannes Graumann
Hello,

This is a testing/unstable system.

I was just running 'chkrootkit' and came across this warning:

> Checking `lkm'... You have 4 process hidden for ps command
> Warning: Possible LKM Trojan installed

I did some reading and made sure the number is not changing (due to
running 'chkrootkit' while new processes are started and /proc and 'ps'
are not synchronized) - it remains 4.
I then went ahead and manually checked the output of 'ls -a /proc'
against that of 'ps -A' and found out, that there are 4 processes in
/proc  (3-6) which don't show up as PIDs in the 'ps -A' output. There
are however four processes (ksoftirqd_CPU0, kswapd, bdflush, kupdated)
in existence that show a PID of 0.
Am I right to assume that this is not the lkm kit, but rather some
weirdness in PID assignment?

The same PID thing is happening on my testing/unstable laptop -
compromised as well or something else amiss in the distro, maybe related
to the server break ins?

Any comment is highly appreciated.

Joh





Re: More hacked servers?

2003-11-25 Thread Marek Habersack
On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard scribbled:
> After the Linux kernel server got hacked a few weeks ago, and now this
> successful attack at Debian, my confidence is shaken.  I hope we'll see full
> disclosure about exactly what happened and what's being done to prevent it.
Shaken? Without even knowing what caused the breach? What if it was Apache?
Or php? (or anything else)? From your words I assume (perhaps wrongly) that
you a) blindly believe in Linux-based OS security and, b) don't take into
account the human factor of computing. As for a) above - all and every
software has bugs, no OS is 100% secure, some bugs might be exploited some
not - don't let yourself be misguided by the open source "preachers" who
sing gospels about OS software being unbreakable etc - it's not true, it's
dangerous, it's false. It applies to _all_ software out there. As for b) -
from my experience I know that 90% of security breaches result from a human
error. It is usually an administrator who forgot (or didn't know how) to
check or secure one (or more) piece of software. And, please note, it does
NOT mean the person responsible for the service is not qualified to do the
job - not at all, s/he is just a human, and humans make errors. The hard thing
after that is to admit to making the mistake or committing an error and,
even harder, to fix it. And that's what is happening now - several people
have been working hard on restoring the service and determining the facts to
know how it happened and, let me state that, I'm sure the same mistake
won't ever happen again (the mistake might lie somewhere beyond the debian
circle, we don't know that yet). So, give the people some time and after the
details are disclosed - learn from their experience and use it in your work.

best regards,

marek




Re: Debian servers "hacked"?

2003-11-25 Thread George Georgalis
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
>On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
>> On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
>> > http://luonnotar.infodrom.org/~joey/debian-announce.txt
>>
>> Read that a minute ago, but what happened?
>
>That's ATM unknown. It seems that nobody (except the bad boys) has access to 
>the boxes. But there are ppl on the way to catch local access. That's all I 
>heard.

I thought it was odd there were ~50 urgent security updates all in one
evening.

One of my computers managed to pull several deb updates before
security.debian.org was taken off line:

# ls -1 /var/cache/apt/archives/
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the
former...

// George


-- 
GEORGE GEORGALIS, System Admin/Architect   cell: 646-331-2027
Security Services, Web, Mail,              mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.           http://www.galis.org/george






Re: Fwd: Cron apt-get update && apt-get -y upgrade

2003-11-25 Thread Noah L. Meyerhans
On Sat, Nov 22, 2003 at 11:23:52AM +0100, Linux wrote:
> The following looks a lot worse to me...
> bsdutils, mount util-linux, console-data, procps, zlib1g, gnupg, 
> util-linux-locales
> 
> Suggestions + help how I should do that ?

See
http://slashdot.org/article.pl?sid=03/11/23/1730227&mode=thread&tid=185&tid=90

Also note that there is no reason to believe that the archive was
compromised in any way.

noah



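One concrete way to answer the question quoted above (whether the packages an unattended cron job pulled are the ones the archive published), as an added example that is not from any poster in this thread: compare each cached .deb's size and checksum against the Packages index apt downloaded. The stanza fields (Package, Version, Architecture, Size, MD5sum, optionally SHA256) and apt's cache naming, with the epoch's ':' written as %3a, are real; the package names are taken from George's cache listing earlier on this page, while the file contents and index entries are constructed for the demonstration. The verdict is only as strong as the index it trusts, so the index has to come from a source you have verified yourself, such as a signed Release file.

```python
"""Verify the .deb files in an apt cache against a Packages index.

A file whose size and checksum match the index entry is byte-for-byte what
the archive published; a mismatch means a corrupt download or a file changed
after the fact. The verdict is only as good as the index, which must come
from a source you have verified yourself.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Tuple


def parse_packages_index(text: str) -> Dict[str, Dict[str, str]]:
    """Parse blank-line separated "Key: value" stanzas and key each one by
    the file name apt uses in its cache: package_version_arch.deb, with the
    ':' of a version epoch written as %3a (as in the listing on this page)."""
    entries, stanza = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if all(k in stanza for k in ("Package", "Version", "Architecture")):
                name = "{}_{}_{}.deb".format(stanza["Package"],
                                             stanza["Version"].replace(":", "%3a"),
                                             stanza["Architecture"])
                entries[name] = stanza
            stanza = {}
        elif ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            stanza[key.strip()] = value.strip()
    return entries


def verify_cache(cache_dir: str, index: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Verdict per .deb: ok, size-mismatch, md5-mismatch, sha256-mismatch or
    not-in-index. Other entries (apt's `lock' file, `partial' dir) are skipped."""
    verdicts = {}
    for name in sorted(os.listdir(cache_dir)):
        if not name.endswith(".deb"):
            continue
        path = os.path.join(cache_dir, name)
        expected = index.get(name)
        if expected is None:
            verdicts[name] = "not-in-index"
        elif os.path.getsize(path) != int(expected["Size"]):
            verdicts[name] = "size-mismatch"      # cheap check before hashing
        else:
            with open(path, "rb") as fh:
                data = fh.read()
            if "MD5sum" in expected and hashlib.md5(data).hexdigest() != expected["MD5sum"]:
                verdicts[name] = "md5-mismatch"
            elif "SHA256" in expected and hashlib.sha256(data).hexdigest() != expected["SHA256"]:
                verdicts[name] = "sha256-mismatch"
            else:
                verdicts[name] = "ok"
    return verdicts


def build_sample_cache() -> Tuple[str, str]:
    """Constructed fixture: one intact package, one altered after the index
    was built (same size), one cut short, one stray file the index does not
    list, plus the lock file and partial/ directory apt keeps in its cache."""
    published = b"constructed bytes of the package as the archive published it\n"
    tampered = published.replace(b"published", b"tampered!")  # same length, other bytes
    truncated = published[:-8]
    cache = tempfile.mkdtemp(prefix="apt-cache-sample-")
    files = {
        "procps_1%3a2.0.7-8.woody1_i386.deb": published,
        "zlib1g_1%3a1.1.4-1.0woody0_i386.deb": tampered,
        "nano_1.0.6-3_i386.deb": truncated,
        "stray_0.1-1_all.deb": b"constructed file the index does not list\n",
    }
    for name, data in files.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)
    open(os.path.join(cache, "lock"), "wb").close()
    os.mkdir(os.path.join(cache, "partial"))
    # The index describes the published bytes for all three known packages.
    md5 = hashlib.md5(published).hexdigest()
    index_text = "\n".join(
        f"Package: {pkg}\nVersion: {ver}\nArchitecture: i386\n"
        f"Size: {len(published)}\nMD5sum: {md5}\n"
        for pkg, ver in [("procps", "1:2.0.7-8.woody1"),
                         ("zlib1g", "1:1.1.4-1.0woody0"),
                         ("nano", "1.0.6-3")])
    return cache, index_text


def verify_sample() -> Dict[str, str]:
    """Build the constructed cache, verify it, and clean up; returns the verdicts."""
    cache, index_text = build_sample_cache()
    try:
        return verify_cache(cache, parse_packages_index(index_text))
    finally:
        shutil.rmtree(cache)


if __name__ == "__main__":
    for name, verdict in verify_sample().items():
        print(f"{verdict:15} {name}")
```

The size check runs first because it is free and catches a truncated download without hashing; a same-size alteration is only caught by the checksum, which is why both checks are needed. To use it on a real machine, point `verify_cache` at /var/cache/apt/archives and feed it the Packages file apt keeps under /var/lib/apt/lists.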


Re: More hacked servers?

2003-11-25 Thread Marek Habersack
On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard scribbled:
> After the Linux kernel server got hacked a few weeks ago, and now this
> successful attack at Debian, my confidence is shaken.  I hope we'll see full
> disclosure about exactly what happened and what's being done to prevent it.
Shaken? Without even knowing what caused the breach? What if it was Apache?
Or php? (or anything else)? From your words I assume (perhaps wrongly) that
you a) blindly believe in Linux-based OS security and, b) don't take into
account the human factor of computing. As for a) above - all and every
software has bugs, no OS is 100% secure, some bugs might be exploited some
not - don't let yourself be misguided by the open source "preachers" who
sing gospels about OS software being unbreakable etc - it's not true, it's
dangerous, it's false. It applies to _all_ software out there. As for b) -
from my experience I know that 90% of security breaches result from human
error. It is usually an administrator who forgot (or didn't know how) to
check or secure one (or more) piece of software. And, please note, it does
NOT mean the person responsible for the service is not qualified to do the
job - not at all, s/he is just a human, and humans make errors. The hard thing
after that is to admit to making the mistake or committing an error and,
even harder, to fix it. And that's what is happening now - several people
have been working hard on restoring the service and determining the facts to
know how it happened and, let me state that, I'm sure the same mistake
won't ever happen again (the mistake might lie somewhere beyond the debian
circle, we don't know that yet). So, give the people some time and after the
details are disclosed - learn from their experience and use it in your work.

best regards,

marek


signature.asc
Description: Digital signature


Re: Debian servers "hacked"?

2003-11-25 Thread George Georgalis
On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
>On Friday 21 November 2003 13:18, Thomas Sjögren wrote:
>> On Fri, Nov 21, 2003 at 01:13:35PM +0100, Jan Wagner wrote:
>> > http://luonnotar.infodrom.org/~joey/debian-announce.txt
>>
>> Read that a minute ago, but what happended?
>
>That's ATM unknown. It seems that nobody (except the bad boys) has access to 
>the boxes. But there are ppl on the way to catch local access. That's all I 
>heard.

I thought it was odd there were ~50 urgent security updates all in one
evening.

One of my computers managed to pull several deb updates before
security.debian.org was taken offline:

# ls -1 /var/cache/apt/archives/
bsdutils_1%3a2.11n-7_i386.deb
console-data_1999.08.29-24.2_all.deb
debianutils_1.16.2woody1_i386.deb
lock
mount_2.11n-7_i386.deb
nano_1.0.6-3_i386.deb
partial
procmail_3.22-5_i386.deb
procps_1%3a2.0.7-8.woody1_i386.deb
util-linux_2.11n-7_i386.deb
zlib1g_1%3a1.1.4-1.0woody0_i386.deb

So, are these compromised updates or urgent patches? I'm guessing the
former...

// George


-- 
GEORGE GEORGALIS, System Admin/Architect      cell: 646-331-2027
Security Services, Web, Mail,                 mailto:[EMAIL PROTECTED]
Multimedia, DB, DNS and Metrics.              http://www.galis.org/george



Re: Debian servers "hacked"?

2003-11-25 Thread Ricardo Kustner
On Friday 21 November 2003 15:14, Thomas Sjögren wrote:
> On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
> > On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
> > > Anyone to shed some light over this
> > There has been an announcement on the Debian-announce-list a few
> > minutes ago which clarifies the situation.  I have asked Martin to
> > publish the the announcement in this list also.
> Yes, I know. The last 5 replies I've got were with the url to that
> announcement.
> What I'm interested in is how it could happen.

If you're patient for a little while, I'm sure that'll be announced. The most 
important thing right now is that everything is secured and fixed IMHO. 

Regards,

Ricardo.

-- 


Ricardo Kustner
IC&S Linux Professionals
Stadhouderslaan 57
3583 JD UTRECHT
T: 030-6355730 
F: 030-6355731 

PGP-key:
http://www.ic-s.nl/keys/ricardo.txt


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]




Re: Debian servers "hacked"?

2003-11-25 Thread Lukas Ruf
> Thomas Sjögren <[EMAIL PROTECTED]> [2003-11-21 16:43]:
>
> On Fri, Nov 21, 2003 at 02:17:52PM +0200, Johann Spies wrote:
> > On Fri, Nov 21, 2003 at 12:38:50PM +0100, Thomas Sjögren wrote:
> > > Anyone to shed some light over this?
> >
> > There has been an announcement on the Debian-announce-list a few
> > minutes ago which clarifies the situation.  I have asked Martin to
> > publish the the announcement in this list also.
> >
>
> Yes, I know. The last 5 replies I've got were with the url to that
> announcement.

I would be more than interested in seeing a digitally signed
email by one of the @debian persons that proves evidence.

wbr,
Lukas
- -- 
Lukas Ruf   | Wanna know anything about raw |
 | IP? ->  |
eMail Style Guide: |




Fwd: Cron apt-get update && apt-get -y upgrade

2003-11-25 Thread Linux
OK, now I got really worried.

Because I'm a bit lazy I've put the apt-get update & upgrade into the crontab 
of one of my machines.

Now the question is: how do I know if those installed packages are hacked or 
not? Some suggestions and help, please?

I've removed procmail+nano+xbase-clients+xlibmesa3

The following looks a lot worse to me...
bsdutils, mount util-linux, console-data, procps, zlib1g, gnupg, 
util-linux-locales

Suggestions + help on how I should do that?
--Robert

13 packages upgraded, 0 newly installed, 0 to remove and 15  not upgraded.
Need to get 8369kB of archives. After unpacking 168kB will be used.
Get:1 http://ftp.it.debian.org stable/main bsdutils 1:2.11n-7 [39.5kB]
Get:2 http://ftp.it.debian.org stable/main debianutils 1.16.2woody1 [32.9kB]
Get:3 http://ftp.it.debian.org stable/main mount 2.11n-7 [99.3kB]
Get:4 http://ftp.it.debian.org stable/main util-linux 2.11n-7 [330kB]
Get:5 http://ftp.it.debian.org stable/main console-data 1999.08.29-24.2 [869kB]
Get:6 http://ftp.it.debian.org stable/main nano 1.0.6-3 [184kB]
Get:7 http://ftp.it.debian.org stable/main procps 1:2.0.7-8.woody1 [145kB]
Get:8 http://ftp.it.debian.org stable/main zlib1g 1:1.1.4-1.0woody0 [44.1kB]
Get:9 http://ftp.it.debian.org stable/main gnupg 1.0.6-4 [966kB]
Get:10 http://ftp.it.debian.org stable/main procmail 3.22-5 [136kB]
Get:11 http://ftp.it.debian.org stable/main util-linux-locales 2.11n-7 [646kB]
Get:12 http://ftp.it.debian.org stable/main xlibmesa3 4.1.0-16woody1 [3422kB]
Get:13 http://ftp.it.debian.org stable/main xbase-clients


--  Forwarded Message  --

Subject: Cron <[EMAIL PROTECTED]>apt-get update && apt-get -y upgrade
Date: Friday 21 November 2003 03:17
From: CronDaemon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Get:1 http://ftp.debian.nl stable/non-US/main Packages [44.5kB]
Get:2 http://ftp.it.debian.org stable/main Packages [1774kB]
Get:3 http://ftp.debian.nl stable/non-US/main Release [102B]
Hit http://ftp.debian.nl stable/non-US/contrib Packages
Get:4 http://ftp.debian.nl stable/non-US/contrib Release [105B]
Hit http://ftp.debian.nl stable/non-US/non-free Packages
Get:5 http://ftp.debian.nl stable/non-US/non-free Release [106B]
Get:6 http://ftp.debian.nl stable/non-US/main Sources [18.7kB]
Get:7 http://ftp.debian.nl stable/non-US/main Release [104B]
Hit http://ftp.debian.nl stable/non-US/contrib Sources
Get:8 http://ftp.debian.nl stable/non-US/contrib Release [107B]
Hit http://ftp.debian.nl stable/non-US/non-free Sources
Get:9 http://ftp.debian.nl stable/non-US/non-free Release [108B]
Hit http://ftp.debian.nl testing/non-US/main Packages
Get:10 http://ftp.debian.nl testing/non-US/main Release [88B]
Hit http://ftp.debian.nl testing/non-US/contrib Packages
Get:11 http://ftp.debian.nl testing/non-US/contrib Release [91B]
Hit http://ftp.debian.nl testing/non-US/non-free Packages
Get:12 http://ftp.debian.nl testing/non-US/non-free Release [92B]
Hit http://ftp.debian.nl testing/non-US/main Sources
Get:13 http://ftp.debian.nl testing/non-US/main Release [90B]
Hit http://ftp.debian.nl testing/non-US/contrib Sources
Get:14 http://ftp.debian.nl testing/non-US/contrib Release [93B]
Hit http://ftp.debian.nl testing/non-US/non-free Sources
Get:15 http://ftp.debian.nl testing/non-US/non-free Release [94B]
Get:16 http://ftp.it.debian.org stable/main Release [95B]
Get:17 http://ftp.it.debian.org stable/contrib Packages [49.2kB]
Get:18 http://ftp.it.debian.org stable/contrib Release [98B]
Get:19 http://ftp.it.debian.org stable/non-free Packages [65.3kB]
Get:20 http://ftp.it.debian.org stable/non-free Release [99B]
Get:21 http://ftp.it.debian.org stable/main Sources [729kB]
Get:22 http://ftp.it.debian.org stable/main Release [97B]
Get:23 http://ftp.it.debian.org stable/contrib Sources [22.4kB]
Get:24 http://ftp.it.debian.org stable/contrib Release [100B]
Get:25 http://ftp.it.debian.org stable/non-free Sources [28.4kB]
Get:26 http://ftp.it.debian.org stable/non-free Release [101B]
Get:27 http://ftp.it.debian.org testing/main Packages [2600kB]
Get:28 http://ftp.it.debian.org testing/main Release [81B]
Hit http://ftp.it.debian.org testing/contrib Packages
Get:29 http://ftp.it.debian.org testing/contrib Release [84B]
Get:30 http://ftp.it.debian.org testing/non-free Packages [62.9kB]
Get:31 http://ftp.it.debian.org testing/non-free Release [85B]
Get:32 http://ftp.it.debian.org testing/main Sources [1036kB]
Get:33 http://ftp.it.debian.org testing/main Release [83B]
Hit http://ftp.it.debian.org testing/contrib Sources
Get:34 http://ftp.it.debian.org testing/contrib Release [86B]
Get:35 http://ftp.it.debian.org testing/non-free Sources [26.1kB]
Get:36 http://ftp.it.debian.org testing/non-free Release [87B]
Fetched 6460kB in 1m30s (71.0kB/s)
Reading Package Lists...
Building Dependency Tree...
Reading Package Lists...
Building Dependency Tree...
The following packages have been kept back
  courier-imap-ssl courier-mta-ssl courier-pop-ssl courier-ssl libc6
 libc6-dev libwraster2 locales lyn
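One concrete way to start answering the question in the message above ("how do I know if those installed packages are hacked or not?"): compare each .deb that apt left in /var/cache/apt/archives against the Size and MD5sum recorded for it in a Packages index. This is an added example, not code from the thread or from Debian's tools. It assumes the control-file layout of the Packages index (Key: value stanzas separated by blank lines) and apt's cache file naming of name_version_arch.deb with the epoch colon written as %3a, which is what the `ls /var/cache/apt/archives` listing posted earlier in this thread shows; the sample index, the placeholder .deb bodies and the deliberately unmatched procps checksum are all constructed.

```python
"""Check the .deb files apt downloaded against a Packages index.

Added example, not code from the thread or from Debian's tools. It assumes the
control-file format for the Packages index (Key: value stanzas separated by
blank lines) with Size and MD5sum fields, and apt's cache naming of
name_version_arch.deb with the epoch colon written as %3a, as in the cache
listing posted in the thread. The sample index and .deb bodies are constructed
placeholders. The check is only as trustworthy as the index it reads, so take
the Packages file from a mirror you trust rather than the one apt cached.
"""
import hashlib
import os


def parse_control(text):
    """Parse blank-line separated Key: value stanzas into a list of dicts."""
    stanzas, cur, key = [], {}, None
    for line in text.splitlines() + [""]:      # trailing "" flushes the last stanza
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, key = {}, None
        elif line[0] in " \t" and key:
            cur[key] += "\n" + line.strip()    # continuation of a multi-line field
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            cur[key] = value.strip()
    return stanzas


def cache_name(stanza):
    """File name apt gives the package in /var/cache/apt/archives (assumed from
    the thread's listing, e.g. bsdutils_1%3a2.11n-7_i386.deb)."""
    version = stanza["Version"].replace(":", "%3a")
    return f"{stanza['Package']}_{version}_{stanza['Architecture']}.deb"


def check_deb(stanza, data):
    """'ok' when size and MD5sum match the index entry, otherwise what differed."""
    if len(data) != int(stanza["Size"]):
        return f"size {len(data)} != {stanza['Size']}"
    digest = hashlib.md5(data).hexdigest()
    if digest != stanza["MD5sum"].lower():
        return f"md5 {digest} != {stanza['MD5sum']}"
    return "ok"


def verify_cache(packages_text, cached_files):
    """{file name: 'ok' | mismatch description | 'not in index'} for every cached
    .deb; cached_files maps file name -> file bytes."""
    by_name = {cache_name(s): s for s in parse_control(packages_text)}
    return {fname: check_deb(by_name[fname], data) if fname in by_name else "not in index"
            for fname, data in cached_files.items()}


def read_cache_dir(path="/var/cache/apt/archives"):
    """Load the .deb files of an apt cache directory as {file name: bytes}."""
    files = {}
    for name in os.listdir(path):
        if name.endswith(".deb"):
            with open(os.path.join(path, name), "rb") as fh:
                files[name] = fh.read()
    return files


# Constructed sample data: placeholder bytes, not real packages. The procps entry
# deliberately carries a checksum that cannot match, to show how a bad file is flagged.
_GOOD_DEB = b"placeholder body standing in for bsdutils_1%3a2.11n-7_i386.deb"
_BAD_DEB = b"placeholder body whose checksum does not match the index entry"
_NO_MATCH_MD5 = "0" * 32
SAMPLE_PACKAGES = f"""Package: bsdutils
Version: 1:2.11n-7
Architecture: i386
Filename: pool/main/u/util-linux/bsdutils_2.11n-7_i386.deb
Size: {len(_GOOD_DEB)}
MD5sum: {hashlib.md5(_GOOD_DEB).hexdigest()}

Package: procps
Version: 1:2.0.7-8.woody1
Architecture: i386
Filename: pool/main/p/procps/procps_2.0.7-8.woody1_i386.deb
Size: {len(_BAD_DEB)}
MD5sum: {_NO_MATCH_MD5}
"""
SAMPLE_CACHE = {
    "bsdutils_1%3a2.11n-7_i386.deb": _GOOD_DEB,
    "procps_1%3a2.0.7-8.woody1_i386.deb": _BAD_DEB,
    "nano_1.0.6-3_i386.deb": b"placeholder with no entry in the sample index",
}

if __name__ == "__main__":
    for fname, result in sorted(verify_cache(SAMPLE_PACKAGES, SAMPLE_CACHE).items()):
        print(f"{fname}: {result}")
```

On a real host, pass `read_cache_dir()` and the text of a freshly fetched Packages file to `verify_cache`. The index is the trust anchor here, which is why the thread's advice to check against trusted sources matters: a checksum copied from the same mirror that served a bad file proves nothing. For packages that have already been unpacked, the per-package md5sums lists under /var/lib/dpkg/info can be checked against the installed files in the same way; that is the comparison the debsums tool automates.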

Re: More hacked servers?

2003-11-25 Thread Marcel Weber

Jim Hubbard wrote:

> After the Linux kernel server got hacked a few weeks ago, and now this
> successful attack at Debian, my confidence is shaken.  I hope we'll see full
> disclosure about exactly what happened and what's being done to prevent it.

Well, wait for the findings of the debian security team. I think it is 
too early to be concerned.

By the way: From my time at IBM I know that they have a huge anti hacker 
/ cracker task force to defend IBM and its customers against attacks. 
It is some mixture between secret service and Battlestar Galactica. It 
is not surprising that open source projects with lots of internet 
services running are an interesting target. As these projects cannot 
afford such costly countermeasures they have of course a bigger risk of 
getting hacked, resp. compromised.

But perhaps somebody is willing to fund a dedicated debian system 
defense agency, that monitors and protects the debian systems on a 
24/365 basis ;-)


Regards

Marcel







Re: More hacked servers?

2003-11-25 Thread Dale Amon
On Tue, Nov 25, 2003 at 08:21:14AM -0600, John Goerzen wrote:
> On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:
> > After the Linux kernel server got hacked a few weeks ago, and now this
> > successful attack at Debian, my confidence is shaken.  I hope we'll see full
> 
> I'm curious: why would this serve to shake your confidence?

And to add to that... the linux kernel thing wasn't even
close. Someone got a phony update into a cvs server that
perhaps 4 people used. It never got close to a real 
release and given the checks in bitkeeper, not to
mention Linus... they'll have to get a lot more 
sophisticated for it to not be caught quickly.

I'll be interested in seeing the report on the debian events
*when* they've had a time to finish their forensics.

-- 
--
   Dale Amon   [EMAIL PROTECTED]   +44-7802-188325
   International linux systems consultancy
 Hardware & software system design, security
and networking, systems programming and Admin
  "Have Laptop, Will Travel"
--



Re: More hacked servers?

2003-11-25 Thread John Goerzen
On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:
> After the Linux kernel server got hacked a few weeks ago, and now this
> successful attack at Debian, my confidence is shaken.  I hope we'll see full

I'm curious: why would this serve to shake your confidence?

-- John



Re: Debian servers "hacked"?

2003-11-25 Thread Thomas Sjögren
On Fri, Nov 21, 2003 at 09:17:33AM -0500, Michael Stone wrote:
> Thank you for not starting wild unfounded rumors. If you don't have the
> facts it is unproductive to speculate wildly, especially in a pejorative
> fashion.

No starting rumours or speculating, just asking how the servers got
rooted. If I offended anyone, I apologise.

/Thomas
-- 
== [EMAIL PROTECTED] | [EMAIL PROTECTED]
== Encrypted e-mails preferred | GPG KeyID: 114AA85C
--


signature.asc
Description: Digital signature


Re: More hacked servers?

2003-11-25 Thread Michael Stone

On Sun, Nov 23, 2003 at 01:09:27AM -0500, Jim Hubbard wrote:

> After the Linux kernel server got hacked a few weeks ago, and now this
> successful attack at Debian, my confidence is shaken.  I hope we'll see full
> disclosure about exactly what happened and what's being done to prevent it.

We were up-front in reporting the problem, so why would you suggest we
would hide things later?

Mike Stone



More hacked servers?

2003-11-25 Thread Jim Hubbard
After the Linux kernel server got hacked a few weeks ago, and now this
successful attack at Debian, my confidence is shaken.  I hope we'll see full
disclosure about exactly what happened and what's being done to prevent it.

-Jim







Re: 3.0r2 or hacked packages?

2003-11-25 Thread Santiago Vila
On Sun, 23 Nov 2003, Lupe Christoph wrote:

> Last night my apt-get update ... picked up a number of unexpected
> packages:
>
> The following packages will be upgraded
>   bsdutils console-data debianutils mount nano procmail procps util-linux 
> util-linux-locales zlib1g zlib1g-dev
> 11 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
> Need to get 2743kB of archives. After unpacking 96.3kB will be used.
> Get:1 http://ftp.de.debian.org stable/main bsdutils 1:2.11n-7 [39.5kB]
> Get:2 http://ftp.de.debian.org stable/main debianutils 1.16.2woody1 [32.9kB]
> Get:3 http://ftp.de.debian.org stable/main mount 2.11n-7 [99.3kB]
> Get:4 http://ftp.de.debian.org stable/main util-linux 2.11n-7 [330kB]
> Get:5 http://ftp.de.debian.org stable/main console-data 1999.08.29-24.2 
> [869kB]
> Get:6 http://ftp.de.debian.org stable/main nano 1.0.6-3 [184kB]
> Get:7 http://ftp.de.debian.org stable/main procps 1:2.0.7-8.woody1 [145kB]
> Get:8 http://ftp.de.debian.org stable/main procmail 3.22-5 [136kB]
> Get:9 http://ftp.de.debian.org stable/main zlib1g-dev 1:1.1.4-1.0woody0 
> [218kB]
> Get:10 http://ftp.de.debian.org stable/main zlib1g 1:1.1.4-1.0woody0 [44.1kB]
> Get:11 http://ftp.de.debian.org stable/main util-linux-locales 2.11n-7 [646kB]
>
> The packages are not from stable/updates but from stable/main. I'm
> wondering if one of the people who cracked the servers managed to
> smuggle something "interesting" into the archives.
>
> Or is this just 3.0r2-to-be?
>
> I'm always worried when I see updates for stable without an
> announcement.
>
> Please enlighten me. ;-)

Debian 3.0r2 is made from security updates at security.debian.org
plus some important bugfixes from "proposed-updates" at ftp.debian.org.

There are no DSA announcements for the latter, but they are announced
in debian-changes.





3.0r2 or hacked packages?

2003-11-25 Thread Lupe Christoph
Hi!

Last night my apt-get update ... picked up a number of unexpected
packages:

The following packages will be upgraded
  bsdutils console-data debianutils mount nano procmail procps util-linux 
util-linux-locales zlib1g zlib1g-dev 
11 packages upgraded, 0 newly installed, 0 to remove and 0  not upgraded.
Need to get 2743kB of archives. After unpacking 96.3kB will be used.
Get:1 http://ftp.de.debian.org stable/main bsdutils 1:2.11n-7 [39.5kB]
Get:2 http://ftp.de.debian.org stable/main debianutils 1.16.2woody1 [32.9kB]
Get:3 http://ftp.de.debian.org stable/main mount 2.11n-7 [99.3kB]
Get:4 http://ftp.de.debian.org stable/main util-linux 2.11n-7 [330kB]
Get:5 http://ftp.de.debian.org stable/main console-data 1999.08.29-24.2 [869kB]
Get:6 http://ftp.de.debian.org stable/main nano 1.0.6-3 [184kB]
Get:7 http://ftp.de.debian.org stable/main procps 1:2.0.7-8.woody1 [145kB]
Get:8 http://ftp.de.debian.org stable/main procmail 3.22-5 [136kB]
Get:9 http://ftp.de.debian.org stable/main zlib1g-dev 1:1.1.4-1.0woody0 [218kB]
Get:10 http://ftp.de.debian.org stable/main zlib1g 1:1.1.4-1.0woody0 [44.1kB]
Get:11 http://ftp.de.debian.org stable/main util-linux-locales 2.11n-7 [646kB]

The packages are not from stable/updates but from stable/main. I'm
wondering if one of the people who cracked the servers managed to
smuggle something "interesting" into the archives.

Or is this just 3.0r2-to-be?

I'm always worried when I see updates for stable without an
announcement.

Please enlighten me. ;-)

Thanks!
Lupe Christoph

PS: I'd like to compare these packages to the installed versions. How
can I do that with the least amount of hassle?
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |
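For the PS above (comparing the offered packages with the installed versions), and for the same worry voiced earlier in the thread about the cron-driven upgrade, an added example that is not code from the thread or from Debian's tools: it parses the `Get:` lines apt printed, reads the installed versions from a `dpkg-query -W` listing, and classifies each offered version with a re-implementation of dpkg's version ordering (`dpkg --compare-versions` does the same comparison on the command line; the re-implementation is here so the script also runs where dpkg is absent). The `Get:` lines are copied from the logs in this thread, including one wrapped before its size as posted; the installed versions are constructed sample values.

```python
"""Compare the versions an apt-get run offers with what dpkg has installed.

Added example, not code from the thread or from Debian's tools. It parses the
"Get:N <mirror> <dist>/<component> <package> <version> [<size>]" lines of
apt-get output (the format of the logs quoted in the thread) and a
package<TAB>version listing as dpkg-query -W -f='${Package}\\t${Version}\\n'
prints it, then orders versions with a re-implementation of dpkg's comparison
rules (epoch, upstream, revision; '~' sorts first, digit runs numerically).
The Get: lines below are copied from the thread; the installed versions are
constructed sample values.
"""
import re

_GET_LINE = re.compile(r"^Get:\d+\s+\S+\s+\S+\s+(\S+)\s+(\d\S*)(?:\s+\[|$)")

def parse_apt_gets(log):
    """{package: version} from Get: lines. Index fetches (Packages, Release,
    Sources) carry no version and are skipped; a line wrapped before its
    [size], as in the posted log, is still accepted."""
    found = {}
    for line in log.splitlines():
        m = _GET_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def parse_installed(listing):
    """{package: version} from package<TAB>version lines."""
    pairs = (line.split("\t", 1) for line in listing.splitlines() if "\t" in line)
    return {pkg.strip(): ver.strip() for pkg, ver in pairs}

def _order(c):
    """dpkg's character weight: '~' before end-of-string, letters before others."""
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else (-1 if c == "~" else ord(c) + 256)

def _verrevcmp(a, b):
    """dpkg's fragment comparison: non-digit runs by _order, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def version_cmp(v1, v2):
    """Debian version order as -1, 0 or 1: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, rev = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (rev if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    c = (e1 > e2) - (e1 < e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return (c > 0) - (c < 0)

def classify(offered, installed):
    """{package: 'upgrade' | 'same' | 'downgrade' | 'not installed'}. A downgrade,
    or a package that is not installed at all, is what deserves a second look."""
    labels = {1: "upgrade", 0: "same", -1: "downgrade"}
    return {pkg: labels[version_cmp(ver, installed[pkg])] if pkg in installed
            else "not installed" for pkg, ver in offered.items()}

# Get: lines copied from the thread (one wrapped before its size, as posted).
SAMPLE_APT_LOG = """\
Get:1 http://ftp.de.debian.org stable/main bsdutils 1:2.11n-7 [39.5kB]
Get:2 http://ftp.it.debian.org stable/main Packages [1774kB]
Get:4 http://ftp.de.debian.org stable/main util-linux 2.11n-7 [330kB]
Get:5 http://ftp.de.debian.org stable/main console-data 1999.08.29-24.2
[869kB]
Get:6 http://ftp.de.debian.org stable/main nano 1.0.6-3 [184kB]
Get:7 http://ftp.de.debian.org stable/main procps 1:2.0.7-8.woody1 [145kB]
Get:10 http://ftp.de.debian.org stable/main zlib1g 1:1.1.4-1.0woody0 [44.1kB]
"""
# Constructed installed versions in dpkg-query -W form (package<TAB>version).
SAMPLE_INSTALLED = "bsdutils\t1:2.11n-6\nconsole-data\t1999.08.29-24.2\n" \
                   "nano\t1.0.7-1\nprocps\t1:2.0.7-8\nzlib1g\t1:1.1.4-1\n"
```

To use it on a real box, save the apt-get output and `dpkg-query -W -f='${Package}\t${Version}\n'` to two files and call `classify(parse_apt_gets(apt_text), parse_installed(dpkg_text))`. With the sample data, nano comes out as a downgrade and util-linux as not installed; those two verdicts, not the plain upgrades, are the ones to explain before trusting an unannounced set of stable updates.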




Re: Debian servers "hacked"?

2003-11-25 Thread Giacomo Mulas
On Tue, 25 Nov 2003, Dariush Pietrzak wrote:

>  Well since delayed woody release was released it surely means that
>  'they' know the answers. So I think this is a perfect time for
>  post-mortem.

It just means that they were able to check the released packages against
trusted sources, not that they have finished the post-mortem and restore for all
servers. Don't push them; you can trust that they will release all the
information once they are finished with it.

Bye
Giacomo

-- 
_

Giacomo Mulas <[EMAIL PROTECTED]>
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel. (OAC): +39 070 71180 248 Fax : +39 070 71180 222
Tel. (UNICA): +39 070 675 4916
_

"When the storms are raging around you, stay right where you are"
 (Freddie Mercury)
_



Re: Uhm, so, what happened...?

2003-11-25 Thread Alan James
On Tue, 25 Nov 2003 12:09:11 +0100, Kjetil Kjernsmo <[EMAIL PROTECTED]>
wrote:

>I bet there are a lot of users running around scared, not knowing what 
>to do really... Any advice for us?

Keep your eye on http://www.wiggy.net/debian/status/ 
Expect more details to appear there in a day or two.

Alan.





Re: Debian servers "hacked"?

2003-11-25 Thread Dariush Pietrzak
> information.  To suggest possible problems without knowing the scope and 
> without reading their write up is premature.  Better to ask questions 
> once they feel like they know the answers. :)
 Well since delayed woody release was released it surely means that
 'they' know the answers. So I think this is a perfect time for
 post-mortem.
 
> To speculate is to do a disservice.  Trust the debian security team; 
> they do their job well and you should know that security is never guaranteed.
 Well, latest events seem to suggest that debian still lacks paranoia.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9



Re: Debian servers "hacked"?

2003-11-25 Thread David A. Ulevitch

Thomas Sjögren wrote:

> On Fri, Nov 21, 2003 at 01:27:09PM +0100, Jan Wagner wrote:
> > That's ATM unknown. It seems that nobody (except the bad boys) has access to
> > the boxes. But there are ppl on the way to catch local access. That's all I
> > heard.
>
> Ok, so there's no manual auditing on services, processes, etc (on a daily
> basis) while the servers are running?

You know they will write a full post-mortem when they have all the 
information.  To suggest possible problems without knowing the scope and 
without reading their write-up is premature.  Better to ask questions 
once they feel like they know the answers. :)

To speculate is to do a disservice.  Trust the debian security team; 
they do their job well and you should know that security is never guaranteed.

-davidu

 David A. Ulevitch - Founder, EveryDNS.Net
 Washington University in St. Louis
 http://david.ulevitch.com -- http://everydns.net






Re: Uhm, so, what happened...?

2003-11-25 Thread Alan James
On Tue, 25 Nov 2003 12:09:11 +0100, Kjetil Kjernsmo <[EMAIL PROTECTED]>
wrote:

>I bet there are a lot of users running around scared, not knowing what 
>to do really... Any advices for us??

Keep your eye on http://www.wiggy.net/debian/status/ 
Expect more details to appear there in a day or two.

Alan.





Uhm, so, what happened...?

2003-11-25 Thread Kjetil Kjernsmo
Hi!

It seems that something is up now? Just got a bunch of posts on 
debian-user, and got myself subscribed here again...
The mailing list archives don't seem to be up, and therefore I can't 
check what you guys discussed before it all went offline. 

The announcement contained little information as to how the break-in was 
done, so my first thought was "ouch, then I'm probably vulnerable too, 
since I run the same software", so I ran off to iptable all open 
ports... 

Then I read on /. that it was a password compromise. Then I wouldn't be 
vulnerable, or always vulnerable, depending on how you see it... But I 
mean, /.! :-) 

I bet there are a lot of users running around scared, not knowing what 
to do really... Any advice for us?

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Debian servers "hacked"?

2003-11-25 Thread Dariush Pietrzak
> information.  To suggest possible problems without knowing the scope and 
> without reading their write up is premature.  Better to ask questions 
> once they feel like they know the answers. :)
 Well, since the delayed woody release was released, it surely means that
 'they' know the answers. So I think this is a perfect time for a
 post-mortem.

> To speculate is to do a disservice.  Trust the debian security team; 
> they do their job well and you should know that security is never guranteed.
 Well, latest events seem to suggest that debian still lacks paranoia.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9








Re: How efficient is mounting /usr ro?

2003-11-25 Thread Russell Coker
On Tue, 25 Nov 2003 19:51, Chema <[EMAIL PROTECTED]> wrote:
> Making /usr read-only is not for that kind of security.  It will keep your
> data safe from corruption (soft one, anyway: a disk crash will take
> anything with it ;-).  Besides, you can get a better performance formating
> it with ext2, since you'll not need journaling.

Why would you get better performance?  If you mount noatime then there are no 
writes to a file system that is accessed in a read-only fashion and there 
should not be any performance issue.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page






Re: How efficient is mounting /usr ro?

2003-11-25 Thread Chema
On Thu, 09 Oct 2003 10:34:12 +0200
Tarjei Huse <[EMAIL PROTECTED]> wrote:

TH> Hi,
TH> The Securing Debian manual suggest one should set the /usr partition
TH> to ro and use remount when you install new programs. 
TH> I was just wondering how much security one gains with this. Wouldn't
TH> most hackers go after the programs in the /bin and /sbin directories
TH> anyway?

Making /usr read-only is not for that kind of security.  It will keep your data 
safe from corruption (soft one, anyway: a disk crash will take anything with it 
;-).  Besides, you can get better performance formatting it with ext2, since 
you'll not need journaling.

Now, there are ways to mount r-o /bin and /sbin, *and* to disable remounting 
them rw (unless you reset the box and provide a pass; it's a kernel patch or 
something whose name I can't remember -- but I want to!!).  There is some 
blurb about it here:

http://article.gmane.org/gmane.linux.debian.user/114759

And surely in other threads.
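
A small POSIX shell helper, added here as an example and not code from this thread or from the Securing Debian manual, that ties together the two points raised above: Russell's observation that a read-only, noatime /usr never gets written to, and Tarjei's question about remounting /usr when installing new programs. It audits the mount options of /usr from /proc/mounts-style text (a constructed sample is embedded so it runs offline; with no argument it reads the real /proc/mounts) and wraps an install command so that /usr is remounted ro again even when the command fails. `ro`, `noatime` and `remount` are real mount(8) options; the `MOUNT_CMD` variable is this example's own dry-run hook, not a system feature.

```shell
#!/bin/sh
# Added example for the read-only /usr discussion; not code from this thread
# or from the Securing Debian manual. Audits the mount options of /usr from
# /proc/mounts-style text and wraps an install in a remount-rw/remount-ro pair.

# Constructed /proc/mounts sample (not captured from a real host): /usr is
# read-only with noatime, so nothing is ever written to it in normal use.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext2 ro,noatime 0 0
/dev/sda3 /var ext3 rw 0 0
/dev/sda4 /home ext3 rw,nodev,nosuid 0 0'

# mount_opts MOUNTPOINT [MOUNTS_TEXT]
# Print the option field for MOUNTPOINT; reads /proc/mounts if no text is given.
mount_opts() {
    printf '%s\n' "${2:-$(cat /proc/mounts)}" |
    while read -r dev mp fstype opts rest; do
        if [ "$mp" = "$1" ]; then
            printf '%s\n' "$opts"
            break
        fi
    done
}

# has_opt MOUNTPOINT OPT [MOUNTS_TEXT]
# Succeed if OPT is one of the comma-separated mount options of MOUNTPOINT.
has_opt() {
    opts=$(mount_opts "$1" "$3")
    case ",$opts," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_usr [MOUNTS_TEXT]
# Report whether /usr is mounted ro and noatime; status 0 only if both hold.
audit_usr() {
    status=0
    for opt in ro noatime; do
        if has_opt /usr "$opt" "$1"; then
            echo "/usr: $opt present"
        else
            echo "/usr: $opt MISSING"
            status=1
        fi
    done
    return $status
}

# with_usr_rw CMD [ARGS...]
# Remount /usr writable, run CMD (e.g. apt-get install ...), then remount it
# ro again even when CMD fails, so a failed upgrade cannot leave /usr writable.
# MOUNT_CMD is this example's own dry-run hook: set it to "echo" to see the calls.
with_usr_rw() {
    mnt=${MOUNT_CMD:-mount}
    $mnt -o remount,rw /usr || return 1
    "$@"
    rc=$?
    $mnt -o remount,ro /usr
    return $rc
}

# Stand-alone demonstration on the constructed sample with a dry-run remount.
audit_usr "$SAMPLE_MOUNTS"
MOUNT_CMD=echo with_usr_rw echo "(apt-get install ... would run here)"
```

On a real host the wrapper is used as `with_usr_rw apt-get install somepkg` with MOUNT_CMD unset; the point of capturing the command's exit status before the second remount is that the read-only state is restored on every path, including a failed install.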


