Vanishing /etc/modules ...

2004-01-26 Thread Jacques Normand
Hi,

I have been experiencing something weird lately. I am setting up a
couple of kerberos/ldap authentication servers with a woody
enhanced. By enhanced, I mean that I use several testing packages like
syslog-ng, slapd or openssl. I also use a custom 2.6.1 kernel.

Now the problem is that, since these servers are experimental, I often
reboot them but this time, no access at all on the network.. After a
short investigation (5 sec :-P), I realise that no network is available
because the nic module is not loaded, which is in turn due to the file
/etc/modules being erased.

Even if I am still testing this setup, the network was working untouched
for weeks, and I have not touched this file at all on any of these
computers. For the same reason, I have not made any md5sums of the
binaries as tampering-detection test.

This is most certainly a bug in a package I upgraded (related to the
fact that 2.6.0 kernels should not need this file but
/etc/modprobe.conf??? or at least that is what I read without being able
to actually use this ). But just in case, is there anyone experiencing
the same kind of issue?

Now, why do I post that on a security ML? I think that this kind of
thing has a serious security implication. If one upgrades a package and
then reboots 6 months later, he is fucked without knowing why. I am also
not sure at 100% that it is a package bug but maybe a vile tampering.

So has there been anyone experiencing that? And even if this server will
be reinstalled from scratch before reaching production, should I do
something now?

Thanks for your advice

jacques


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: LKM

2004-01-26 Thread Matthijs
On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> Hi,
>
> When I run tiger, I got the following error:
>
> NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit
> installation
> NEW: Warning: Possible LKM Trojan installed
>
> But I already listed my processes and found nothing...
>
> What can this be?

You know what an LKM is?

It's a Loadable Kernel Module and it can hide itself and processes and
files...

So please check your computer





Re: LKM

2004-01-26 Thread Greg Folkert
On Mon, 2004-01-26 at 10:06, Matthijs wrote:
> On Mon, 2004-01-26 at 11:40, Thiago Ribeiro wrote:
> > Hi,
> >
> > When I run tiger, I got the following error:
> >
> > NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit
> > installation
> > NEW: Warning: Possible LKM Trojan installed
> >
> > But I already listed my processes and found nothing...
> >
> > What can this be?
>
> You know what an LKM is?
>
> It's a Loadable Kernel Module and it can hide itself and processes and
> files...
>
> So please check your computer

Please make sure this isn't the faulty chkrootkit... that mis-reported an
LKM existing on your boxen.

First off, what version of tiger and chkrootkit are you using?

If chkrootkit is not the misguided version, use the latest versions of
both.
-- 
[EMAIL PROTECTED]
REMEMBER ED CURRY! http://www.iwethey.org/ed_curry




Re: LKM

2004-01-26 Thread Yannick Roehlly
Thiago Ribeiro [EMAIL PROTECTED] writes:

> Hi, When I run tiger, I got the following error: NEW: --WARN--
> [rootkit004f] Chkrootkit has detected a possible rootkit installation
> NEW: Warning: Possible LKM Trojan installed But I already listed my
> processes and found nothing...  What can this be?

Are you running nautilus?

Apparently, some of the nautilus processes are hidden (I don't know why)
and thus make chkrootkit complain about possible LKM infection.

Try a: $ chkrootkit -x lkm


Yannick
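
A plausible source of the hidden nautilus processes described above, as an added example that is not part of the original post and is not chkrootkit's code: on Linux, the tasks of a multi-threaded program can be opened at /proc/<tid> but are not returned when /proc is listed. The sketch assumes the checker compares those two views, and separates thread IDs of a listed process from IDs that no listed process accounts for; the sample data and function names are constructed for illustration.

```python
import os

def listed_pids(proc="/proc"):
    """IDs a directory listing of /proc shows: thread-group leaders only."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def probe(pid, proc="/proc"):
    """Open /proc/<pid>/status directly; return (Pid, Tgid), or None if absent."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            fields = dict(line.split(":", 1) for line in fh if ":" in line)
        return int(fields["Pid"]), int(fields["Tgid"])
    except (OSError, KeyError, ValueError):
        return None

def classify(listed, probes):
    """Explain every ID that answered a direct lookup but was not listed.
    probes maps id -> (pid, tgid). A 'thread' belongs to a listed process
    (benign, e.g. worker threads of a GUI program); anything else is 'suspect'.
    """
    findings = {}
    for pid, (_, tgid) in sorted(probes.items()):
        if pid not in listed:
            benign = tgid != pid and tgid in listed
            findings[pid] = "thread" if benign else "suspect"
    return findings

def scan(proc="/proc"):
    """Cross-check a live system; list before and after probing so that
    processes starting or exiting mid-scan are not reported as hidden."""
    with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
        pid_max = int(fh.read())
    before = listed_pids(proc)
    probes = {}
    for pid in range(1, pid_max):
        result = probe(pid, proc)
        if result is not None:
            probes[pid] = result
    return classify(before | listed_pids(proc), probes)

# Constructed sample: 2100 is a listed process with two unlisted threads;
# 3133 answers a direct lookup but appears nowhere in the listing.
SAMPLE_LISTED = {1, 870, 2100}
SAMPLE_PROBES = {1: (1, 1), 870: (870, 870), 2100: (2100, 2100),
                 2101: (2101, 2100), 2102: (2102, 2100), 3133: (3133, 3133)}

if __name__ == "__main__":
    for pid, verdict in scan().items():
        print(pid, verdict)
```

Only the `suspect` entries merit a closer look from trusted media; `thread` entries are the expected by-product of threaded programs.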





Re: Mail processing tool

2004-01-26 Thread Tomasz Rola

On Mon, 26 Jan 2004, Raffaele D'Elia wrote:

 
 
> -Original Message-
> From: Florent Rougon [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Date: Sun, 25 Jan 2004 23:00:36 +0100
> Subject: Re: Mail processing tool
>
[...]
> I agree again.
>
> Moreover I think fetchmail/procmail solution doesn't fit my needs. Stop.
> If someone has another idea...great. Otherwise...thanks.
>
> Radel

Have a look at mailagent. AFAIK it depends only on perl. Has ability to
execute commands as is expandable via perl snippets. I'm not sure how
usable it is, however, because I have only had short time with its manpage
and haven't really played with this thing (yet :-) ).

bye
T.

- --
** A C programmer asked whether computer had Buddha's nature.  **
** As the answer, master did rm -rif on the programmer's home**
** directory. And then the C programmer became enlightened...  **
** **
** Tomasz Rola  mailto:[EMAIL PROTECTED] **





Re: Mail processing tool

2004-01-26 Thread Tomasz Rola

On Mon, 26 Jan 2004, Raffaele D'Elia wrote:

> I agree again.
>
> Moreover I think fetchmail/procmail solution doesn't fit my needs. Stop.
> If someone has another idea...great. Otherwise...thanks.
>
> Radel

Forgot to tell - although fetchmail is great for bulk email retrieval, I'm
afraid it would be difficult/impossible to make it read single message
or select them via a number. Maybe you will have to create some custom
script in perl, using one of available modules, like libnet-perl package 
in Debian.

bye
T.

- --
** A C programmer asked whether computer had Buddha's nature.  **
** As the answer, master did rm -rif on the programmer's home**
** directory. And then the C programmer became enlightened...  **
** **
** Tomasz Rola  mailto:[EMAIL PROTECTED] **





Re: Mail processing tool

2004-01-26 Thread Jonas J Linde
And [EMAIL PROTECTED] spoke unto the world. And said:
> From: Florent Rougon [EMAIL PROTECTED]
> Jonas J Linde [EMAIL PROTECTED] wrote:
>
> > Procmail is a big tool, I need something different: small, reliable,
> > secure.
>
> > Big? The gzipped source tar ball is 227kB. If you want something that
> > processes mail in a fully customizable way I'm pretty sure you won't
> > find anything much smaller than that.
>
> Great! 227kb of source tar ball... Netfilter's code is, more or less,
> the same. I think you consider netfilter a small tool, don't you?

Eh, we're talking about combining this with gnupg which is 3.5MB in
source tar ball; so yes, I'd consider procmail a reasonably small tool
considering that full customization was one of the requirements.

> Well, the procmail source code is written in a very... bizarre style.
> In my book, it doesn't qualify as reliable.
>
> I agree.

Yeah, the code isn't all that beautiful but at least the author is using
the same style consistently. I've seen worse; a lot worse...

> And please, don't think you can start flaming right away because you
> have been using procmail for the past ten years or so and never had the
> slightest impression of it losing a mail. That is not the point. The
> point is that its source code is very unpleasant to me, so *I* wouldn't
> rely on it for anything serious. That has nothing to do with your
> experience of its use.
>
> I agree again.

Flaming? You asked a question, I gave a suggestion and there was a
disagreement about the size of the tools. Where is the flaming in that?

Or did you just agree to the latter part of that paragraph? In that case
I agree too.

> Moreover I think fetchmail/procmail solution doesn't fit my needs. Stop.

But of course. I'm not arguing that you should use these tools against
your judgement. I would be interested in hearing if you find any better
solution though. As was properly guessed I have been using the fetch- /
procmail combination for ten years or so; apparently without losing
mail; the tricky part is to avoid mail loops. ;)

> If someone has another idea...great.

Not me, sorry.

> Otherwise...thanks.

You're welcome. :)
-- 
Jonas J Linde [EMAIL PROTECTED]  http://www.init.se/~jonas/ +46-707-492496

GE/IT$ d-() s++: a C++()$ UBVL++()$ P++ L+++$ E++ W++(-) N+ o--
K+ !w(+) O M@ V PS+ PE++(-) Y+ PGP+++ t 5 X R-@ tv- b+++ DI D++ G++(-)
e+++ h--() r++ y UF+





Re: Release.gpg files gone?

2004-01-26 Thread Matt Zimmerman
On Tue, Jan 27, 2004 at 03:32:18AM +0100, [EMAIL PROTECTED] wrote:

> I wrote on 18.01.2004 [Re: Release.gpg files gone?]:
> > curiously, http://ftp-master.debian.org/ziyi_key_2004.asc contains key
> > 0x1DB114E0 whereas the key-servers seem to contain key 0x63EFD949
>
> Point 1:
> There seems to be an incorrect key for [EMAIL PROTECTED] on the key
> servers. Am I misinterpreting something? Is this not alarming? At the least:
> where do I find the authoritative information on what key is the correct one?
> I doubt many of us have met [EMAIL PROTECTED] personally, so how is the
> web of trust supposed to work, supposing no one signs that key?

You're going to need to be a bit more specific, because I do not know what
you are referring to.

mizar:[~] gpg --keyserver keyring.debian.org --recv-keys 0x63EFD949 
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

That may have been the previous key, which is now expired, but I don't have
a copy around to check.  At any rate, the correct key is 0x1DB114E0, and it
is signed by James Troup (one of [EMAIL PROTECTED]), as opposed to no one.

> [I want woody Release files signed with the new key]
>
> Is that too much to ask? Is it that complicated? Am I asking in the wrong
> place?

I don't know, I don't know, and Yes.  [EMAIL PROTECTED] handles the
signing process.  I believe the tool involved is ziyi:

http://cvs.debian.org/dak/ziyi?cvsroot=dak

-- 
 - mdz





Re: Mail processing tool

2004-01-26 Thread Raffaele D'Elia


-Original Message-
From: Florent Rougon [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Date: Sun, 25 Jan 2004 23:00:36 +0100
Subject: Re: Mail processing tool

> Jonas J Linde [EMAIL PROTECTED] wrote:
>
> > Procmail is a big tool, I need something different: small, reliable,
> > secure.
>
> > Big? The gzipped source tar ball is 227kB. If you want something that
> > processes mail in a fully customizable way I'm pretty sure you won't
> > find anything much smaller than that.

Great! 227kb of source tar ball... Netfilter's code is, more or less,
the same. I think you consider netfilter a small tool, don't you?

> Well, the procmail source code is written in a very... bizarre style.
> In my book, it doesn't qualify as reliable.

I agree.

> And please, don't think you can start flaming right away because you
> have been using procmail for the past ten years or so and never had the
> slightest impression of it losing a mail. That is not the point. The
> point is that its source code is very unpleasant to me, so *I* wouldn't
> rely on it for anything serious. That has nothing to do with your
> experience of its use.

I agree again.

Moreover I think fetchmail/procmail solution doesn't fit my needs. Stop. 
If someone has another idea...great. Otherwise...thanks.

Radel

**
This message is being sent from Starcom Italia Srl and may
contain information which is confidential or privileged.  If you are not
the intended recipient, please advise the sender immediately by reply
e-mail and delete this message and any attachments without retaining a
copy. Any unauthorized use of the content of this message is a breach of
your duty to respect the confidentiality of the correspondence between
other persons and can expose the responsible party to civil and/or
criminal penalties, and may constitute a more serious offense.
**




LKM

2004-01-26 Thread Thiago Ribeiro




Hi,

When I run tiger, I got the following error:

NEW: --WARN-- [rootkit004f] Chkrootkit has detected a possible rootkit installation
NEW: Warning: Possible LKM Trojan installed

But I already listed my processes and found nothing...

What can this be?




