Re: Call for testers (putting SSP in Debian)

2004-02-23 Thread Steve Kemp
On Mon, Feb 23, 2004 at 12:46:59AM +0100, Thomas Sjögren wrote:

 with gcc-3.3 (1:3.3.3ds4-0pre4) the maintainers updated the SSP patch.

  That's great news.

 It is not, however, applied by default.
 I submitted a bug report [1] about this, but the problem is that my
 experience with GCC w. SSP is only on the x86 arch. So if you have any
 experience with it on different archs, please read the bug reports (see
 the urls below) and send your info so that the Debian GCC maintainers have
 enough info to make a good decision about applying the patch.

  For what it's worth I've made a version of GCC with the SSP patches
 enabled available for Debian here:

http://people.debian.org/~skx/apt.html

  Description here:

http://shellcode.org/Cat/

  I'll try to get these updated with the new patch included in case
 people wish to try these out in a simple manner.  (i386 only, sadly).

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/





Tripwire (clone) which would you prefer?

2004-02-23 Thread Jan Lühr
Greetings,

well, I'm looking for an open source intrusion detection system. At first, tripwire 
captured my attention, but the last open source version seems to be three 
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and 
bsign - so which would you prefer and why?
Are there any other interesting projects worth looking at?

Keep smiling
yanosz


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Toni Heinonen
I have used AIDE (Advanced Intrusion Detection Environment) both in production use and 
when I've been an instructor on unix security courses I've made the students learn to 
use it, because it's really simple and easy to use. Even though it's quite simple, I 
don't see it lacking anything important in qualities.

TONI HEINONEN  
  
TELEWARE OY
Tel. +358 40 836 1815
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
[EMAIL PROTECTED] * www.teleware.fi



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Lupe Christoph
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:

 well, I'm looking for an open source intrusion detection system. At first, tripwire 
 captured my attention, but the last open source version seems to be three 
 years old - is it still in development or badly vulnerable?
 Then I searched for tripwire in the woody packages and found integrit and 
 bsign - so which would you prefer and why?
 Are there any other interesting projects worth looking at?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that,
I did a survey of integrity checkers. I didn't find bsign then, but
integrit. At that time 3.00.05 was most current. It did not offer a
variety of hashes, only SHA1. It offered no database integrity like
Tripwire does (and seemingly AIDE now, too). In general it was one of
the better tools, but not as flexible and versatile as AIDE and
Tripwire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |






RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Domonkos Czinke
Hello,

Actually I'm using Integrit with Coda. I store the binary and the database on a read-only 
coda mount (you can't mount it rw unless you know the coda password), and it's 
really fast and reliable. So my vote is Integrit; btw, you should check all of them and 
then make a decision for your needs.

Best regards,
Domonkos Czinke




Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
 I did a survey of integrity checkers. I didn't find bsign then, but
 I'd vote against bsign - it modifies original binaries, thus rendering
Debian md5sums useless. (It would be great if one could get packages with
bsign-signed binaries, signed by DDs or the release team.)
 I prefer integrit; it's very convenient - and convenience comes with a
price - in its default mode of operation it updates your md5sums, so you can
run it and get incremental notifications about what changes in your system.
That might not be what you want.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9


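The two properties discussed in Lupe's survey (more than one hash per file, and a database that cannot be silently edited) and the behaviour Dariush warns about (integrit rewriting its own checksum database on every run), shown together in a small Python checker. This is an added example, not code from Tripwire, AIDE or integrit; the key `example-key-kept-off-box`, the temporary tree and the files in it are constructed for the demo.

```python
"""Minimal host integrity checker in the Tripwire/AIDE/integrit mould.
Added example, not code from any of those projects.  Shows several hashes
per file, an HMAC-sealed baseline ("database integrity"), and integrit's
report-and-update behaviour as an explicit flag instead of the default."""
import hashlib
import hmac
import json
import os
import stat
import tempfile

HASHES = ("sha1", "sha256")   # more than one algorithm per file


def fingerprint(path):
    """Digests plus the metadata an intruder usually has to change."""
    digests = {name: hashlib.new(name) for name in HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    st = os.lstat(path)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid,
            **{n: d.hexdigest() for n, d in digests.items()}}


def snapshot(root):
    """Walk `root`; return {relative path: fingerprint} for regular files."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the link target is recorded under its own path
            entries[os.path.relpath(full, root)] = fingerprint(full)
    return entries


def seal(entries, key):
    """Serialise the baseline and append an HMAC over it.  A baseline that
    an intruder edits, or regenerates after trojaning files, fails unseal()
    unless they also hold the key (which belongs on read-only media, not
    on the monitored host)."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def unseal(blob, key):
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag.decode()):
        raise ValueError("database HMAC mismatch: do not trust this baseline")
    return json.loads(body)


def check(root, blob, key, update=False):
    """Compare the filesystem with the sealed baseline.  Returns
    (report, blob).  update=True rewrites the baseline to the current state
    (integrit's default incremental mode); update=False leaves it alone so
    a change keeps being reported until the operator re-seals."""
    old, new = unseal(blob, key), snapshot(root)
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": sorted(p for p in old.keys() & new.keys()
                                if old[p] != new[p])}
    return report, (seal(new, key) if update else blob)


def write_file(path, data, mode="wb"):
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Walk-through on a constructed temporary tree; returns the reports."""
    key = b"example-key-kept-off-box"          # constructed for the demo
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    write_file(os.path.join(root, "bin", "ls"), b"#!/bin/sh\nexec /bin/ls\n")
    write_file(os.path.join(root, "passwd"), b"root:x:0:0::/root:/bin/sh\n")
    db = seal(snapshot(root), key)

    # Intruder trojans ls and drops a new file.
    write_file(os.path.join(root, "bin", "ls"), b"echo owned\n", "ab")
    write_file(os.path.join(root, "bin", ".shell"), b"bindshell\n")
    first, db_updated = check(root, db, key, update=True)
    second, _ = check(root, db_updated, key)   # change absorbed: nothing reported
    try:                                        # intruder edits the database itself
        check(root, db.replace(b'"size"', b'"sIze"', 1), key)
        tampered = False
    except ValueError:
        tampered = True
    return {"first": first, "second": second, "tampered_detected": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The first check reports `bin/ls` as changed and `bin/.shell` as added; because it ran with `update=True` the second check is silent, which is exactly the incremental behaviour Dariush describes, convenient for noisy hosts and dangerous if nobody reads the first report. The HMAC only helps while the key stays off the monitored box, e.g. next to the binary and database on a read-only mount like the Coda setup mentioned above.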



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Richard Atterer
Also see this page for a useful comparison between AIDE and tripwire:

http://www.fbunet.de/aide.shtml

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Javier Fernández-Sanguino Peña
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote:
 Greetings,
 
 well, I'm looking for an open source intrusion detection system. At first, tripwire 
 captured my attention, but the last open source version seems to be three 
 years old - is it still in development or badly vulnerable?
 Then I searched for tripwire in the woody packages and found integrit and 
 bsign - so which would you prefer and why?
 Are there any other interesting projects worth looking at?

Besides aide (which is nice, and has already been mentioned) there is also
samhain (in unstable, should be easy to backport) which has some
interesting features.

Regards

Javi




Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

2004-02-23 Thread Xavier Poinsard
Hi all,

I suppose DSA-438 applies to the kernel 2.4.22 images from 
woody-proposed-updates, which have not been updated.
Is this planned, or is it safer not to use images from 
woody-proposed-updates?

Thanks.



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
 samhain (in unstable, should be easy to backport) which has some
 interesting features.
 And those interesting features should make you cautious before you deploy
samhain in a production environment. I find it rather intrusive.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9





Re: Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

2004-02-23 Thread Michael Stone
On Mon, Feb 23, 2004 at 12:01:02PM +0100, Xavier Poinsard wrote:
 I suppose DSA-438 applies to the kernel 2.4.22 images from 
 woody-proposed-updates, which have not been updated.
 Is this planned, or is it safer not to use images from 
 woody-proposed-updates?

The security team doesn't update proposed-updates. (p-u is a use-at-
your-own-risk section of the archive.) Talk to whoever put the package
together.
Mike Stone



Re: 2.2 Kernel Fix

2004-02-23 Thread Sven Hoexter
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote:
  2.2 series of kernels, since they're apparently vulnerable too?
  You can find the patch on bugtraq/isec/etc; attached is a peek at it.
Don't use this one! It produces kernel panics after a few hours on
my systems. I suggest using the one from the 2.2.25-ow2 patch.
You can find it at http://www.openwall.com/linux (mentioned that also in
another thread).

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]





chkrootkit - possible bad news

2004-02-23 Thread Greg
I am running Debian on a Dec Alpha PC164.

I decided to run chkrootkit and was surprised by the following line.

Checking `bindshell'... INFECTED (PORTS:  1524 31337)

I am not sure how to interpret this.  I have checked logs, as well as binary
checks, and everything seems fine.  Can someone help me interpret the logs?
I will attach them at the tail of the email in case they may be helpful.


I don't know what my next step would be.  If indeed I have been 'rooted'
then I should obviously format and rebuild the server.

Thanks in advance.

Greg MEATPLOW

#
 #chkrootkit

alpha:~# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not found
Checking `grep'... not infected
Checking `hdparm'... not found
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not infected
Checking `inetdconf'... not infected
Checking `identd'... not found
Checking `killall'... not found
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not infected
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `write'... not infected
Checking `aliens'...
/dev/st- /dev/sto
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while... nothing found
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS:  1524 31337)
Checking `lkm'... nothing detected
Checking `rexedcs'... not found
Checking `sniffer'...   eth0 is not promisc
Checking `wted'... nothing deleted
Checking `z2'...
nothing deleted





Re: chkrootkit - possible bad news

2004-02-23 Thread Ricardo Kustner
On Tuesday 24 February 2004 07:53, Greg wrote:
 I am running Debian on a Dec Alpha PC164.

 I decided to run chkrootkit and was surprised by the following line.

 Checking `bindshell'... INFECTED (PORTS:  1524 31337)

Try an nmap port scan from the outside to your IP address. If those ports are 
open but netstat doesn't show them as LISTENING, chances are your netstat is 
modified to hide the connections.
You may also want to run chkrootkit when booted into single user mode.

Regards,

Ricardo.




Re: chkrootkit - possible bad news

2004-02-23 Thread Sneferu
You might not be hacked after all.
Read this: http://www.webhostgear.com/25.html
Also some googling might help ;-)

http://www.google.ro/search?q=%27bindshell%27...+INFECTED+%28PORTS%3A++1524+31337&ie=UTF-8&oe=UTF-8&hl=ro&btnG=Caut%C4%83&meta=

Looks like there are a lot of false positives on it.

Still, you should do a tripwire (or any other file-checking) test if you 
have a previous record to match against. Nmap should give you a good idea 
about open ports. Logs?

Probably there are some other things you can do... but this is what crosses 
my mind now.

Regards,
S


Re: chkrootkit - possible bad news

2004-02-23 Thread Igor L. Balusov

Maybe you have installed fakebo?


Billy





Re: chkrootkit - possible bad news

2004-02-23 Thread Gytis
31337 - are you running portsentry on that machine?

Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).

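Ricardo's advice (compare an outside port scan with what netstat shows) and Gytis's list of the ports the bindshell test probes, turned into a check you can run on the box. This is an added example in Python, not chkrootkit's code. It reads the kernel's socket table from /proc/net/tcp directly, so a trojaned netstat binary cannot hide a listener from it, flags LISTEN sockets on the bindshell probe ports, maps each socket inode back to the owning pid (which is how you tell portsentry or fakebo from a real bind shell), and compares the result against a plain connect scan. The /proc/net/tcp sample is constructed; the port list is the one quoted from the chkrootkit FAQ above.

```python
"""Cross-check chkrootkit's `bindshell' verdict against the kernel's own
socket table.  Added example, not chkrootkit's code.  The port list is the
one from the chkrootkit FAQ quoted in the thread; SAMPLE_PROC_NET_TCP is a
constructed /proc/net/tcp with portsentry-style listeners on 1524 and 31337."""
import glob
import os
import socket

# Ports chkrootkit's bindshell test probes (from the FAQ quoted above).
BINDSHELL_PORTS = (114, 465, 511, 1008, 1524, 1999, 3879, 5665, 10008, 12321,
                   23132, 27374, 29364, 31336, 31337, 45454, 47017, 47889, 60001)

TCP_LISTEN = 0x0A  # socket state code in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return [(port, uid, inode)] for every LISTEN socket in a /proc/net/tcp
    dump: header line, then one line per socket with the local address as
    hex IP:hex port and the state as a hex byte.  (/proc/net/tcp6 has the
    same layout with longer addresses and parses the same way.)"""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue  # header or junk
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if int(state, 16) != TCP_LISTEN:
            continue
        port = int(local.rsplit(":", 1)[1], 16)
        listeners.append((port, int(uid), int(inode)))
    return listeners


def suspicious_listeners(tcp_text, ports=BINDSHELL_PORTS):
    """LISTEN sockets on the bindshell probe ports, as {port: (uid, inode)}."""
    return {p: (uid, ino) for p, uid, ino in parse_proc_net_tcp(tcp_text)
            if p in ports}


def owner_pid(inode):
    """Map a socket inode to the pid holding it by scanning /proc/*/fd
    (Linux only; needs root to see other users' processes).  None means no
    visible process owns the socket, which on a live box is the kernel-
    level hiding case, not a false positive."""
    target = "socket:[%d]" % inode
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                return int(fd.split("/")[2])
        except OSError:
            continue
    return None


def probe(host, ports, timeout=0.5):
    """Connect scan of `ports`, the way chkrootkit or nmap would see them."""
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:
            pass
        finally:
            s.close()
    return open_ports


def hidden_ports(probed, kernel_view):
    """Ports that accept connections but the kernel table does not list.
    Empty list plus a known pid for each port: false positive (portsentry,
    klaxon, fakebo).  Non-empty: something below userland is lying."""
    return sorted(set(probed) - set(kernel_view))


# Constructed sample: sshd on 22, portsentry-style listeners on 1524 and
# 31337, and one established ssh session (state 01, not LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5679 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C3A2 01 00000000:00000000 00:00000000 00000000     0        0 9999 1 00000000 100 0 0 10 0
"""

if __name__ == "__main__":
    kernel = suspicious_listeners(SAMPLE_PROC_NET_TCP)
    for port, (uid, inode) in sorted(kernel.items()):
        print("port %d: uid %d inode %d pid %s" % (port, uid, inode, owner_pid(inode)))
    # On a live host:
    #   kernel = suspicious_listeners(open("/proc/net/tcp").read())
    #   print(hidden_ports(probe("127.0.0.1", BINDSHELL_PORTS), kernel))
```

Read the result the way the thread suggests: a port that both the scan and /proc/net/tcp report, and whose inode resolves to a pid you recognise (portsentry, klaxon, fakebo), is the documented false positive. A port that accepts connections but is missing from the kernel table, or is present with no owning process, is being hidden below netstat, and at that point chkrootkit's `lkm` check and a reboot from trusted media (Ricardo's single-user suggestion) are the next steps, not a closer reading of the logs.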



Re: Call for testers (putting SSP in Debian)

2004-02-23 Thread Steve Kemp
On Mon, Feb 23, 2004 at 12:46:59AM +0100, Thomas Sj?gren wrote:

 with gcc-3.3 (1:3.3.3ds4-0pre4) the maintainers updated the SSP patch.

  That's great news.

 It is not however applied by default. 
 I submitted a bug report [1] about this, but the problem is that my
 experience with GCC w. SSP in only on the x86 arch. So if you got any
 experience with it on different archs please read the bug reports (see
 the urls below) and send your info so that the Debian GCC-maintainers has 
 enough info to make a good decision about applying the patch.

  For what it's worth I've made a version of GCC with the SSP patches
 enabled available for Debian here:

http://people.debian.org/~skx/apt.html

  Description here:

http://shellcode.org/Cat/

  I'll try to get these updated with the new patch included in case
 people wish to try these out in a simple manner.  (i386 only, sadly).

Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/



pgpHunalFeL80.pgp
Description: PGP signature


Tripwire (clone) which would you prefer?

2004-02-23 Thread Jan Lühr
Greetings,

well, I looking for an open source intrusion detection. At first, tripwire 
caputures my attention, but the last open source version seems to be three 
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and 
bsign - so which would you prefer and why?
Are there any interesting other projekt that worth looking for?

Keep smiling
yanosz



RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Toni Heinonen
I have used AIDE (Advanced Intrusion Detection Environment) both in production 
use and when I've been an instructor on unix security courses I've made the 
students learn to use it, because it's really simple and easy to use. Even 
though it's quite simple, I don't see it lacking anything important in 
qualities.

TONI HEINONEN   
 
TELEWARE OY
Tel. +358 40 836 1815
Itäkeskuksen Maamerkki
00930 Helsinki, Finland
[EMAIL PROTECTED] * www.teleware.fi


 -Original Message-
 From: Jan Lühr [mailto:[EMAIL PROTECTED]
 Sent: Monday, February 23, 2004 11:42 AM
 To: debian-security@lists.debian.org
 Subject: Tripwire (clone) which would you prefer?
 
 
 Greetings,
 
 well, I looking for an open source intrusion detection. At 
 first, tripwire 
 caputures my attention, but the last open source version 
 seems to be three 
 years old - is it still in development or badly vulnerable?
 Then I searched for tripwire in the woody packages and found 
 integrit and 
 bsign - so which would you prefer and why?
 Are there any interesting other projekt that worth looking for?
 
 Keep smiling
 yanosz
 
 
 -- 
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact 
 [EMAIL PROTECTED]
 
 


Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Lupe Christoph
On Monday, 2004-02-23 at 10:42:05 +0100, Jan Lühr wrote:

 well, I looking for an open source intrusion detection. At first, tripwire 
 caputures my attention, but the last open source version seems to be three 
 years old - is it still in development or badly vulnerable?
 Then I searched for tripwire in the woody packages and found integrit and 
 bsign - so which would you prefer and why?
 Are there any interesting other projekt that worth looking for?

Stable != bad, ask the Debian project :-P

I'm using a combination of Tripwire and AIDE. Before I decided on that,
I did a survey of intergity checkers. I didn't find bsign then, but
integrit. At that time 3.00.05 was most current. It did not offer a
variety of hashes, only SHA1. It offered no database integrity like
Tripwire does (and seemingly AIDE now, too). In general it was one of
the better tools, but not as flexible and versatile as AIDE and
Tripwire.

HTH,
Lupe Christoph
-- 
| [EMAIL PROTECTED]   |   http://www.lupe-christoph.de/ |
| Violence is the resort of the violent Lu Tze |
| Thief of Time, Terry Pratchett   |



Hey My girl Bought me the patch

2004-02-23 Thread Lionel Franklin
http://beboy66.info/p3/?id=lgherbs



Q9arrack



RE: Tripwire (clone) which would you prefer?

2004-02-23 Thread Domonkos Czinke
Hello,

Actually I'm using Integrit with Coda. I store the binary and the database on a 
read only coda mount (you can't mount it rw unless you know the coda password), 
and it's really fast and reliable. So my vote is Integrit, btw you should check 
all of them and then make a decision for your needs.

Best regards,
Domonkos Czinke

-Original Message-
From: Jan Lühr [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 23, 2004 10:42 AM
To: debian-security@lists.debian.org
Subject: Tripwire (clone) which would you prefer?


Greetings,

well, I'm looking for an open source intrusion detection. At first, tripwire 
captures my attention, but the last open source version seems to be three 
years old - is it still in development or badly vulnerable?
Then I searched for tripwire in the woody packages and found integrit and 
bsign - so which would you prefer and why?
Are there any interesting other projects that are worth looking for?

Keep smiling
yanosz





Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
 I did a survey of integrity checkers. I didn't find bsign then, but
 I'd vote against bsign - it modifies original binaries, thus rendering
debian md5 sums useless. ( It would be great if one could get packages with
bsign-signed binaries, signed by DDs or release team ).
 I prefer integrit, it's very convenient - and convenience comes with a
price - in default mode of operation it updates your md5sums, so you can
run it and get incremental notifies about what changes in your system.
That might not be what you want.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9
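
The two properties discussed in this thread, a baseline with more than one digest whose database is itself integrity-protected (Lupe's survey) and a report-only check as opposed to integrit's default of updating the stored checksums (Dariush's caveat), as a small added Python example; it is not code from Tripwire, AIDE, integrit or any poster. The sample tree and the HMAC key are constructed, and the key is assumed to be kept somewhere the checked host cannot write (read-only media, a remote mount), the same idea as Domonkos's read-only Coda mount.

```python
import hashlib, hmac, json, os, tempfile

HASHES = ("sha1", "sha256")   # more than one digest, as Tripwire and AIDE offer

def fingerprint(path):
    """Several digests for one file (whole-file read is fine for the small sample)."""
    with open(path, "rb") as fh: data = fh.read()
    return {n: hashlib.new(n, data).hexdigest() for n in HASHES}

def scan(root):
    """Relative path -> fingerprint for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out[os.path.relpath(full, root)] = fingerprint(full)
    return out

def save_db(entries, key):
    """Serialize the baseline and append an HMAC so later edits to the file are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, "sha256").hexdigest().encode()

def load_db(blob, key):
    """Refuse to use a baseline whose HMAC does not verify."""
    body, _, tag = blob.rpartition(b"\n")
    good = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(tag, good):
        raise ValueError("baseline database has been altered")
    return json.loads(body)

def compare(baseline, current):
    """Report-only mode: list added, removed and changed paths; the baseline is left untouched."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo():
    """Constructed sample tree: take a baseline, alter the tree, then check against it."""
    root, key = tempfile.mkdtemp(), b"constructed-key-keep-it-off-the-checked-host"
    for rel, data in {"bin/ls": b"ls-v1", "etc/passwd": b"root:x:0:0"}.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh: fh.write(data)
    db = save_db(scan(root), key)
    with open(os.path.join(root, "bin/ls"), "wb") as fh: fh.write(b"ls-modified")  # changed
    with open(os.path.join(root, "etc/shadow"), "wb") as fh: fh.write(b"new")      # added
    os.remove(os.path.join(root, "etc/passwd"))                                   # removed
    return compare(load_db(db, key), scan(root))
```

Re-running `save_db` after a check is the deliberate "accept these changes" step; nothing in the report path writes to the baseline.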



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Richard Atterer
Also see this page for a useful comparison between AIDE and tripwire:

http://www.fbunet.de/aide.shtml

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer |  GnuPG key:
  | \/¯|  http://atterer.net  |  0x888354F7
  ¯ '` ¯



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Javier Fernández-Sanguino Peña
On Mon, Feb 23, 2004 at 10:42:05AM +0100, Jan Lühr wrote:
 Greetings,
 
 well, I'm looking for an open source intrusion detection. At first, tripwire 
 captures my attention, but the last open source version seems to be three 
 years old - is it still in development or badly vulnerable?
 Then I searched for tripwire in the woody packages and found integrit and 
 bsign - so which would you prefer and why?
 Are there any interesting other projects that are worth looking for?

Besides aide (which is nice, and has already been mentioned) there is also
samhain (in unstable, should be easy to backport) which has some
interesting features.

Regards

Javi




Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

2004-02-23 Thread Xavier Poinsard

Hi all,

I suppose DSA-438 applies to the kernel 2.4.22 images from 
woody-proposed-updates, which have not been updated.
Is this planned, or is it safer not to use images from 
woody-proposed-updates?


Thanks.



Re: Tripwire (clone) which would you prefer?

2004-02-23 Thread Dariush Pietrzak
 samhain (in unstable, should be easy to backport) which has some
 interesting features.
 And those interesting features should make you cautious before you deploy
samhain in production environment. I find it rather intrusive.

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9



Re: Could DSA 438 apply to 2.4.22 images from woody-proposed-updates

2004-02-23 Thread Michael Stone

On Mon, Feb 23, 2004 at 12:01:02PM +0100, Xavier Poinsard wrote:
I suppose DSA-438 applies to the kernel 2.4.22 images from 
woody-proposed-updates, which have not been updated.
Is this planned, or is it safer not to use images from 
woody-proposed-updates?


The security team doesn't update proposed-updates. (p-u is a use at
your own risk section of the archive) Talk to whoever put the package
together.

Mike Stone



Re: 2.2 Kernel Fix

2004-02-23 Thread Sven Hoexter
On Fri, Feb 20, 2004 at 09:56:12AM +0100, Dariush Pietrzak wrote:
  2.2 series of kernels, since they're apparently vulnerable too?
  You can find the patch on bugtraq/isec/etc, attached is a peek at it
Don't use this one! This one produces kernel panics after a few hours on
my systems. I suggest to use the one from the 2.2.25-ow2 patch.
You can find it at http://www.openwall.com/linux (mentioned that also in
another thread).

Sven
-- 
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - No sleep]