Re: Pat on the back
On Wednesday 17 September 2003 18:18, Robert Brockway wrote:
> Hi. I just wanted to say thanks to the security team for the rapid
> deployment of the fixed versions of OpenSSH (twice).
>
> Often people are quick to post negative emails and not so quick to post
> positive emails, so I just wanted to say that many of us really do
> appreciate the work the security team does. Knowing that fixed versions
> will be in the security archive quickly helps to keep my blood pressure
> down :)
>
> Cheers,
> Rob

Same here. I give a few applauds too. Keep the updates flowing in!

Antti

--
My PGP public key: http://tola.org/pgp.txt
A PHP exploit with Potato?
Hello,

Is there a PHP exploit in Potato? I really don't know; the message below from the DShield mailing list claims so:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>
> I finally got my hands on an exploit that will provide a
> remote shell (not root) for php < 4.0.6. It claims to exploit
> the following setups:
>
> (1) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.3
> (2) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
> (3) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
> (4) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
> (5) Debian 2.2r3 / Apache 1.3.9 / PHP 4.0.3p1
> (7) Debian 2.2r3 / Apache 1.3.20 / PHP 4.0.5
> (8) RedHat 7.1 / apache-1.3.19-5 from RPM / PHP/4.X
> (9) Mandrake 8.0 / apache-1.3.19-3mdk from RPM / PHP/4.X
>
> I had some success running it against RH 7.1. It causes
> apache to segfault in RH 7.2 (good indication that there
> may be a possible exploit).
>
> Advice:
> - - upgrade php
>
> The exploit needs to be able to 'POST' to a php url to work.
>
> It is a bit hard to pick it out in the apache log. Here
> is what you may see:
>
> Access Log:
>
> (the 'HEAD' is optional, but by default the exploit will
> check first if the server is in its list of possible targets)
> [26/Feb/2002:17:56:25 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"
>
> On RH 7.2 I see this...
>
> 1.2.3.4 - - [26/Feb/2002:17:48:35 -0500] "POST /phpinfo.php HTTP/1.1" 200 12083 "http://targetname/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
>
>
> On RH 7.1, you will not see the POST. But you may see things
> like this in your error log:
>
> [Tue Feb 26 17:56:31 2002] [error] [client 1.2.3.4] Invalid method in request ls /tmp
>
> (in this case, I did attempt to execute 'ls /tmp' )
>
>
>
> - --
> - ---
> [EMAIL PROTECTED] Join http://www.DShield.org
> Distributed Intrusion Detection System
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8fB/5wWQP+4im9DYRApkTAKCyncIqDy4lr84ARy962tGxTabtDwCaA8xG
> Jq4SH6kYUYR53ZEJHwOna+4=
> =kbGQ
> -END PGP SIGNATURE-
>
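The log traces described in the quoted message (a bare `HEAD /` with empty referer and user agent, a `POST` to a PHP URL, and an "Invalid method in request" error) can be correlated per client. This is an added example, not part of the original thread; the sample log lines are constructed from the formats quoted above, and the five-minute window and function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data, modelled on the log formats quoted in the message.
ACCESS_LOG = """\
1.2.3.4 - - [26/Feb/2002:17:56:25 -0500] "HEAD / HTTP/1.1" 200 0 "-" "-"
1.2.3.4 - - [26/Feb/2002:17:56:29 -0500] "POST /phpinfo.php HTTP/1.1" 200 12083 "http://targetname/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)"
5.6.7.8 - - [26/Feb/2002:18:01:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/4.0"
5.6.7.8 - - [26/Feb/2002:18:01:09 -0500] "POST /form.php HTTP/1.1" 200 734 "http://targetname/form.php" "Mozilla/4.0"
"""
ERROR_LOG = """\
[Tue Feb 26 17:56:31 2002] [error] [client 1.2.3.4] Invalid method in request ls /tmp
[Tue Feb 26 18:02:00 2002] [error] [client 5.6.7.8] File does not exist: /var/www/favicon.ico
"""

ACCESS_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\] ]+) [^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+ "([^"]*)" "([^"]*)"')
ERROR_RE = re.compile(
    r'\[([^\]]+)\] \[error\] \[client ([^\]]+)\] Invalid method in request (.*)')
WINDOW = timedelta(minutes=5)  # assumed correlation window


def collect(access_text, error_text):
    """Return {client: [(time, signal), ...]} for the three signals."""
    events = {}
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, stamp, method, path, referer, agent = m.groups()
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S")  # server local time
        if method == "HEAD" and path == "/" and referer == agent == "-":
            events.setdefault(client, []).append((when, "probe"))
        elif method == "POST" and path.split("?")[0].endswith(".php"):
            events.setdefault(client, []).append((when, "post_php"))
    for line in error_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            events.setdefault(m.group(2), []).append((when, "invalid_method"))
    return events


def flag_clients(access_text, error_text):
    """Return {client: [reasons]} for clients matching the described pattern."""
    findings = {}
    for client, evs in collect(access_text, error_text).items():
        probes = [t for t, s in evs if s == "probe"]
        posts = [t for t, s in evs if s == "post_php"]
        reasons = []
        # A bare HEAD / followed shortly by a POST to a PHP URL.
        if any(timedelta(0) <= post - probe <= WINDOW
               for probe in probes for post in posts):
            reasons.append("probe_then_post")
        # Apache rejected the request line as a non-HTTP method.
        if any(s == "invalid_method" for _, s in evs):
            reasons.append("invalid_method")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in flag_clients(ACCESS_LOG, ERROR_LOG).items():
        print(client, ", ".join(reasons))
```

A POST to a PHP URL on its own is ordinary traffic, so the second sample client is not flagged.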
Whose problems?
Something a bit odd happened today with my humble but small server. I'm not sure what, but I hope somebody can help, because I hope it doesn't happen again.

My connection is basically an ADSL connection. I have a private address in the local ISP network, to which I connect with a Nokia M1122 ADSL router. I have a fixed IP, but there is NAT before the big bad internet. I have Debian potato 2.2.19 with ipchains as a firewall. I've enabled ICMP traceroute and the other ICMPs that are required, but not ECHO.

I wasn't doing anything special, but I suddenly noticed that a lot of pings were coming at my server as the firewall logs arrived. That wouldn't matter otherwise, but I also noticed that the connection to the internet was not working properly. DNS queries to my ISP didn't work. Nslookup, for example, didn't work because no DNS server could be found. Looking at Ethereal, I could see that traffic was coming to the server.

This state of affairs lasted maybe 30-50 minutes or maybe more. I wasn't counting the time; I was wondering whether I was under attack. After a time, things returned to normal. I'm not sure why. I did add some specific rules to the firewall concerning the domain where the pings came from, but as I was already denying them, I'm not sure it helped. More pings came later too, but nothing happened because of them.

When I contacted the origin of these pings, I was referred here: http://www.internap.com/measurements/readme.html

Now, what did happen? Unfortunately I didn't know back then how to look at my router's status, so I don't have logs about it. As far as I can tell, traffic came to my server, but I was unable to send. Besides those pings, I can't figure out anything exceptional that would have happened. Certainly I didn't do anything out of the ordinary.

Was the fault in the router, Debian, or a somehow misconfigured firewall? I'd add that I rarely have any kind of problems with connectivity to the internet.

Antti

Antti
My PGP public key: http://linux.tola.org/~chicken/antti_pgp.txt
-- Sex, rags and rock'n roll! --
Re: HARASS ME MORE(READ THISS!!!!!)
At 08:58 1.9.2001, you wrote:
>I sent my server several complaints about all this harassment. I have 227
>messages on my in box right now from solicitors like you who I never even
>subscribed to. If I click on receive messages right now I bet I get 80 more.
>Do you think that's fair? Do you blame me for being mad?

Well, I don't know whether you are serious or not (I suspect not). But in case you are, you're on an EMAIL LIST called 'debian-security'. It IS NOT spam. Just look at this; you'll find your messages here with the others, in the list's archive:

http://lists.debian.org/debian-security/2001/debian-security-200108/threads.html

But if you're just playing with us, I recommend getting something constructive to do. By the adjectives and verbs you've been giving so far, I'd advise looking for a job in the porn business.

Antti

Antti
My PGP public key: http://linux.tola.org/~chicken/antti_pgp.txt
-- Sex, rags and rock'n roll! --
Re: Sendmail DOS
At 13:16 22.2.2001, Berend De Schouwer wrote:
>event a DoS, from
>their description, if they are implemented correctly. At least,
>they'll offer as much protection as inetd can. I've used them
>before when a mail script went crazy and caused too many
>connections.
>
>Anyway, Debian Potato ships with Exim, not sendmail.
>

So?

Antti
PGP and GnuPG
How compatible are PGP Freeware International and keys made with GnuPG?

I have some problems importing keys made with GnuPG into Windows PGP Freeware 6.53++ International. A lot of public keys do get imported, but many get a bad parameter error, and I have two sets of keys that I can't import at all. Still, those keys are valid and functional.

Antti
Re: ISPs offering ssl-encrypted e-mail?
At 21:02 6.2.2001, Steve Robbins wrote:
>What you say is true of today, but of course cars have had a much
>longer history than computers. I've often wondered how the state of
>computer technology of today compares with the state of automobile
>technology of, say, the 1920s. (I don't know myself, and I'd welcome
>any recommendation of a book that explores this) I suspect that the
>early car driver also had to be a mechanic. ;-)
>
>People's expectation of quality in their automobile has certainly
>increased, but I do wonder what drives this, if you'll pardon the pun.
>Didn't high profile lobbyists (Ralph Nader?) pushing governments to
>enact safety standards have a lot to do with this?
>
>-Steve
>
>[OK, yes I know this is way off topic.]
>

This is also off topic, but while safety has probably risen, reliability overall hasn't with cars. New cars have a lot more technology that doesn't work like it should.

Antti
logcheck
I just noticed that my logcheck makes double entries (the same entry is inserted twice). First comes one hour of entries, then it is inserted again.

What could cause this?

Antti
Re: logcheck
At 17:06 6.2.2001, you wrote:
>Antti Tolamo wrote:
>d where)
> >
> > I don't have logcheck.logfile at all???
>
>neither do I. I have the list of logfiles in /usr/sbin/logcheck.sh
>maybe check there for the file names.
>
> >
> > What files there should be anyway? I have
> > no real way of knowing what should come with it.
>
>
>the important files are
>
>
>/etc/logcheck/logcheck.logfiles
>/etc/logcheck/logcheck.ignore.paranoid
>/etc/logcheck/logcheck.ignore.server
>/etc/logcheck/logcheck.ignore.workstation

I'm missing those above. Are they essential anyway? Logcheck 1.1.1-4.

Antti
Re: logcheck
At 16:23 6.2.2001, Robert Ramiega wrote:
>On Tue, Feb 06, 2001 at 04:03:13PM +0200, Antti Tolamo wrote:
> >
> >
> > I just noticed that my logcheck does double entries(same
> > entry is inserted twice). First comes one hour of entries,
> > then it is inserted again.
> >
> > What could cause this?
> Bad configuration ;o)
> On a serious side... Logcheck scans several logfiles some information is
> stored in more than one logfile (f.ex auth.log and syslog). Have a look at
> /etc/logcheck/logcheck.logfiles and/or
> /etc/syslog.conf
> (the first one will show You which logfiles are being scanned, the second
> one will let You configure syslogd and what gets logged where)

I don't have logcheck.logfile at all???

What files should there be anyway? I have no real way of knowing what should come with it.

I did install the logcheck Debian package from the Debian mirror in Finland.

Antti
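The cause suggested in the quoted reply (the same message being written to more than one scanned logfile) can be checked by comparing syslog.conf selectors against the list of scanned files. This is an added example, not part of the original thread and not logcheck's own code; both syslog.conf fragments and the scanned-file list are constructed, and only the `*`, `none`, `=level` and plain-level selector forms are handled.

```python
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

# Constructed syslog.conf fragments and scanned-file list (not from the thread).
CONF_EVERYTHING = """\
auth,authpriv.*          /var/log/auth.log
*.*                      -/var/log/syslog
daemon.*                 -/var/log/daemon.log
"""
CONF_EXCLUDED = """\
auth,authpriv.*          /var/log/auth.log
*.*;auth,authpriv.none   -/var/log/syslog
daemon.*                 -/var/log/daemon.log
"""
SCANNED = ["/var/log/syslog", "/var/log/auth.log"]


def parse_rules(conf_text):
    """Return {logfile: set of (facility, level)} for rules that write to files."""
    routes = {}
    for raw in conf_text.replace("\\\n", "").splitlines():
        parts = raw.split("#", 1)[0].strip().rsplit(None, 1)
        if len(parts) != 2:
            continue
        selectors, action = parts
        path = action.lstrip("-")          # a leading '-' only disables syncing
        if not path.startswith("/"):
            continue                        # skip pipes, remote hosts, users
        matched = set()
        for sel in filter(None, (s.strip() for s in selectors.split(";"))):
            facs, prio = sel.rsplit(".", 1)
            names = FACILITIES if "*" in facs.split(",") else facs.split(",")
            if prio in ("*", "none"):
                levels = LEVELS
            elif prio.startswith("="):
                levels = [prio[1:]]         # exactly this level
            else:
                levels = LEVELS[LEVELS.index(prio):]   # this level and above
            pairs = {(f, lvl) for f in names for lvl in levels}
            # Later selectors on a line override earlier ones; 'none' subtracts.
            matched = matched - pairs if prio == "none" else matched | pairs
        routes.setdefault(path, set()).update(matched)
    return routes


def duplicated(conf_text, scanned):
    """Return {(file, file, ...): [facilities]} logged to several scanned files."""
    routes = parse_rules(conf_text)
    seen = {}
    for path in scanned:
        for pair in routes.get(path, ()):
            seen.setdefault(pair, []).append(path)
    overlap = {}
    for (facility, _level), paths in seen.items():
        if len(paths) > 1:
            overlap.setdefault(tuple(paths), set()).add(facility)
    return {files: sorted(facs) for files, facs in overlap.items()}


if __name__ == "__main__":
    print(duplicated(CONF_EVERYTHING, SCANNED))
    print(duplicated(CONF_EXCLUDED, SCANNED))
```

With the first fragment, auth and authpriv messages land in both scanned files and would be reported twice; the `auth,authpriv.none` exclusion in the second fragment removes the overlap.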
Re: ISPs offering ssl-encrypted e-mail?
At 20:03 2.2.2001, A. L. Meyers wrote:
>-BEGIN PGP SIGNED MESSAGE-
>
>Dear fellow Debianites,
>
>People talk a lot about security on the net but my efforts to find an ISP
>offering e. g. ssl-encrypted e-mail services have been met by dismal
>responses to date, even in the country with the thickest computer population
>(ratio computers / humans) in the world: Switzerland.
>
>Even with "big, professional" ISPs, it was rare among "technical" staff to
>find someone who even understood the question. One comment was: "Even if
>it's encrypted to here, how should we do the rest of the route?"
>
>Since more than 95 % of the users I know do not use pgp or gpg, will e-mail
>privacy on the web remain wishful thinking?
>
>Any suggestions?
>
>Best regards,
>
>Lucien

No. Even PGP is a bit dubious. I tried to use it with my Windows 2000, but the one person's GnuPG public keys I might have actually needed didn't import to my Freeware PGP at all. With other GnuPG keys I also had problems, with errors reported when importing them. I also tested with Windows 98, and it was the same there. Non-GnuPG keys seem to import without a fuss.

Antti