Re: More hacked servers?

2003-11-28 Thread Eric LeBlanc




On Fri, 28 Nov 2003, Marcel Hicking wrote:

 I'd definitely prefer to have them working on getting things
 up and running again and do the forensics. They should waste a
 minute too much on reports that might prove wrong finally anyway.

Minute? Every minute is crucial... So hmm.. They don't eat, talk with
their family, clean, sleep, etc. since 21 November? :-)

 This would confuse everyone more than it would help.
 And, honestly, doesn't your experience show that wild guesses
 about how long complex things might take nearly always prove
 wrong?

Confuse? Come on... we are more intelligent than that.  At least, their
servers have been compromised, and it's a concern of all of us, because we
use THEIR packages.  I WANT to know what they are actually doing, and maybe
not you, but I'm sure the majority in this ML want to know...

Let me be clear: I don't want details about observations, but WHAT they are
actually doing.

Same as in a company, the manager sometimes wants to know what you are doing
in a critical situation.  I don't want a report with 100 pages, but 2-3 lines
are sufficient. These servers have been compromised since ~20 November, and we
don't have a word about this, not one.


 Why would I want to know who's typing what right now? I'd be
 interested in an all-in-one final report, that's for sure, but
 I'll be happy with this. And in case any urgent security problem
 pops up during investigation I'm pretty sure we'll be
 informed right away. The secteam has done an amazing job in the
 past and I trust them to continue as responsibly as before.

I agree with you.



 Cheers, Marcel


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: More hacked servers?

2003-11-27 Thread Eric LeBlanc




On Thu, 27 Nov 2003, Dan Jacobson wrote:

  So, give the people some time and after the details are disclosed -
  learn from their experience and use it in your work.

 Let's examine natural disasters, e.g. a typhoon.  The pros agree that
 the public must be able to get to timely reports issued from the
 disaster control center, via e.g. local radio stations.

 Here in the debian world, there was one announcement posted on the
 21st, then blackness.  One assumes those in charge have been replaced
 by zombies and the typhoon is headed our way.


I agree.

At least, they could keep us informed about their actions... for example:

21 sep: hacked, we moved all domains to blah, bluh, blih.
22 sep: investigation started, by X, X.  We think it will take X
hours/days/months/years
24 sep: We are still investigating, please be patient, we think we will
finish that in two hours/days/months/years.
...

and so on, it's not so hard, and it takes 2 minutes or less.

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==




Re: Debian Stable server hacked

2003-08-14 Thread Eric LeBlanc

On Thu, 7 Aug 2003, Thijs Welman wrote:


 Thanks. I forgot to mention that I am subscribed to
 debian-security-announce as well (of course ;)). As far as the kernel
 updates are concerned: I use my own kernel. At this moment that's 2.4.21
 with Alan Cox' patches (ac4). Could be there's an exploit in that
 kernel version. Maybe I should consider going back to a
 Debian-packaged kernel...

 Anyone any comment on or experience with debian vs custom kernels?

 -- Thijs


For 7 years I have always used custom kernels, and I have never had problems
(neither bugs nor exploits).

It runs very well and smoothly :)

E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==







Re: chkrootkit and LKM

2003-05-26 Thread Eric LeBlanc


The program compares the process list in /proc with the output of the command
'ps'. So, when chkrootkit lists /proc and then gets the output from ps, the
time between the two operations is long enough for other processes to be
created (or to die/be killed)...

that's why this check is not VERY reliable.


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

On Mon, 26 May 2003, IC0N wrote:

 Hello

 as Jacques Lavignotte [EMAIL PROTECTED] and Jens Schuessler
 [EMAIL PROTECTED] posted in their mails on the 7th of March 2003, I have
 exactly the same alert message using chkrootkit:

 Checking `lkm'... You have 1 process hidden for readdir command
 You have 1 process hidden for ps command
 Warning: Possible LKM Trojan installed

 Sometimes I get 2 or 3 processes, sometimes NONE

 is there a plausible reason why there could be a hidden process?
 hidden even from root? even if no LKM is installed? I did not find
 any possible reason. I only know that I can also reproduce the
 alert by installing Debian on a brand new hard disk. I used Debian
 woody 3.0 with the kernel 2.2 CD image of the 11th of December 2002.

 greetings icon


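The race Eric describes can be measured rather than guessed at. The following is an added example, not chkrootkit's code: it lists /proc before and after ps runs and only reports a PID that ps omitted while both /proc snapshots contained it, which discards the processes that happened to start or exit during the comparison. The PID sets in the assertions are constructed.

```python
import os
import subprocess


def pids_from_proc():
    """PIDs visible as numeric directories under /proc (Linux)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_ps():
    """PIDs that ps(1) reports."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def transient_pids(proc_before, proc_after):
    """PIDs that appeared or vanished between the two /proc snapshots: the race itself."""
    return sorted(proc_before ^ proc_after)


def hidden_pids(proc_before, ps_view, proc_after):
    """PIDs present in both /proc snapshots yet missing from ps.

    A process that shows up in only one of the two /proc listings was being
    forked or reaped while ps ran; it is discarded instead of reported, which
    is exactly the case chkrootkit's single comparison turns into a warning.
    """
    stable = proc_before & proc_after
    return sorted(stable - ps_view)


def check_live():
    """Snapshot /proc, run ps, snapshot /proc again; return (hidden, transient)."""
    before = pids_from_proc()
    ps_view = pids_from_ps()
    after = pids_from_proc()
    return hidden_pids(before, ps_view, after), transient_pids(before, after)


if __name__ == "__main__":
    hidden, transient = check_live()
    print("came or went while ps ran (ignored):", transient or "none")
    print("in /proc both times but not in ps:", hidden or "none")
```

On a quiet box `transient` is typically a short list of cron or shell children and `hidden` is empty. A module that also hides the process from readdir on /proc (the other half of chkrootkit's warning) defeats this test too, since both snapshots come through the same kernel; chkrootkit's chkproc additionally probes PIDs one at a time with other system calls, which catches a module that hides only from readdir but not one that hooks those calls as well. The only comparison that does not depend on the running kernel is one made after booting from a medium you trust.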




Re: Have I been hacked?

2003-05-07 Thread Eric LeBlanc

Check if your program has rotated the logs...

cd /var/log

ls -l wtmp*

and check in /etc/cron* or do a crontab -l (as user root)


E.
--
Eric LeBlanc
[EMAIL PROTECTED]
--
UNIX is user friendly.
It's just selective about who its friends are.
==

On Wed, 7 May 2003, Ian Goodall wrote:

 I am running a debian woody server and when I checked the last users
 yesterday I saw a large number of logins in the list. On running the command
 today I get the following:

 dev1:/home/ian# last
 ian  pts/0172.16.3.195 Wed May  7 14:49   still logged in
 team1pts/0blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)

 I have run chkrootkit but nothing was found.

 I have never had this before. Am I being paranoid or is someone trying to
 cover up their tracks?

 Thanks

 ijg0



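As an added example that is not part of the original thread, here is a way to look at wtmp itself rather than through last(1), which a log cleaner may have been run against: the raw file is parsed record by record, rendered like last, and scanned for the traces an in-place edit leaves behind. The sample wtmp is constructed from the two logins quoted above plus three doctored records; the struct layout is glibc's on Linux (384 bytes per entry, little-endian on x86).

```python
import struct
from datetime import datetime, timezone

# glibc "struct utmp" as written by login(1)/init on Linux: 384 bytes,
# fixed-width fields, 32-bit timestamps.  ut_type values used below:
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)          # 384
EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_wtmp(data):
    """Split a wtmp byte string into records, oldest first as on disk."""
    if len(data) % UTMP_SIZE:
        raise ValueError("length %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        records.append({"type": ut_type, "pid": pid, "line": _cstr(line),
                        "user": _cstr(user), "host": _cstr(host), "time": tv_sec})
    return records


def suspicious(records):
    """Flag what log cleaners leave behind; returns [(index, reason), ...]."""
    findings, newest = [], 0
    for i, r in enumerate(records):
        if r["type"] == EMPTY and r["time"] == 0:
            findings.append((i, "all-zero record (entry wiped in place)"))
        if r["type"] == USER_PROCESS and not r["user"]:
            findings.append((i, "login record with blank user"))
        if r["time"] and r["time"] < newest:
            findings.append((i, "timestamp earlier than the record before it"))
        newest = max(newest, r["time"])
    return findings


def last_like(records):
    """Render login records the way last(1) does, newest first."""
    rows = []
    for r in reversed(records):
        if r["type"] == USER_PROCESS:
            when = datetime.fromtimestamp(r["time"], timezone.utc).strftime("%a %b %d %H:%M")
            rows.append("%-8s %-12s %-16s %s" % (r["user"], r["line"], r["host"], when))
    return rows


def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct the sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


# Constructed sample, not the poster's real file: one genuine login/logout
# pair, then a wiped entry, a login with its user zeroed, and a back-dated login.
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 1201, "pts/0", "team1", "blue99.ex.ac.uk", 1052313660),
    make_record(DEAD_PROCESS, 1201, "pts/0", "", "", 1052315820),   # logout: blank user is normal here
    bytes(UTMP_SIZE),
    make_record(USER_PROCESS, 1300, "pts/1", "", "", 1052318000),
    make_record(USER_PROCESS, 1350, "pts/2", "ian", "172.16.3.195", 1052300000),
])


def read_wtmp(path="/var/log/wtmp"):
    with open(path, "rb") as f:
        return parse_wtmp(f.read())


if __name__ == "__main__":
    recs = parse_wtmp(SAMPLE_WTMP)
    print("\n".join(last_like(recs)))
    for idx, why in suspicious(recs):
        print("record %d: %s" % (idx, why))
```

`read_wtmp()` reads the live file. A normal rotation leaves a wtmp.1 beside a short, clean wtmp; an emptied file with no rotated copy next to it, or findings like the ones above, point to a cleaner rather than to logrotate. Compare with /var/log/auth.log and, if you have one, the remote syslog copy, which a cleaner running on the box cannot edit.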




Re: syn flood attacked?

2002-05-17 Thread Eric LeBlanc



On Fri, 17 May 2002, Michal Melewski wrote:

  May 17 23:03:11 ms2 kernel: possible SYN flooding on port 25. Sending cookies.

  Am I being syn flood attacked? How can I get rid of this?
 Hello
 In this case you are probably the target of a SYN flood attack.
 What you have to do is to compile your kernel with the option
 protect_against_synflood (or something like this, but for sure in the network
 submenu). Make sure to read the help for this option because compiling it into
 the kernel isn't enough... (you have to issue a command
 echo 1 > /don't/remember/where ;) )

It is activated... it's called cookies, as shown above.  For more
information, read this documentation:

http://cr.yp.to/syncookies.html

Eric


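The kernel line quoted above is logged when the SYN queue for port 25 overflows and the kernel falls back to syncookies (the net.ipv4.tcp_syncookies sysctl, which, as Eric says, is evidently already on). What a cookie is, and why the server can afford to keep no state for half-open connections, is easiest to see in code. The following is an added example written after the scheme described on the cr.yp.to page, not the kernel's implementation, which differs in detail: the server's initial sequence number packs a time counter, an MSS index and a keyed 24-bit hash of the connection 4-tuple, and is checked when the client's ACK comes back. The key, MSS table, addresses and clock values are assumptions.

```python
import hashlib
import hmac
import struct

# Cookie layout (32 bits): 5 bits of a 64-second time counter, 3 bits indexing
# the MSS table, 24 bits of keyed hash.  Table and secret are assumptions.
MSS_TABLE = [536, 1300, 1440, 1460]
COUNTER_PERIOD = 64
SECRET = b"per-boot random key goes here"


def _counter(now):
    return int(now) // COUNTER_PERIOD


def _mac24(secret, saddr, sport, daddr, dport, t):
    """24-bit keyed hash over the 4-tuple and the counter value."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, t & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def encode_mss(client_mss):
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(secret, saddr, sport, daddr, dport, client_mss, now):
    """Sequence number to put in the SYN-ACK; nothing is stored server side."""
    t = _counter(now)
    return ((t & 0x1F) << 27) | (encode_mss(client_mss) << 24) \
        | _mac24(secret, saddr, sport, daddr, dport, t)


def check_cookie(secret, saddr, sport, daddr, dport, ack, now):
    """Validate the client's ACK (ack == cookie + 1).  Returns the MSS to use,
    or None if the cookie is forged, for another 4-tuple, or older than one
    counter step."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t_now = _counter(now)
    t_low, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    for t in (t_now, t_now - 1):
        if (t & 0x1F) != t_low:
            continue
        if _mac24(secret, saddr, sport, daddr, dport, t) == (cookie & 0xFFFFFF):
            return MSS_TABLE[mss_idx]
    return None


def demo_exchange():
    """SYN -> SYN-ACK(seq=cookie) -> ACK(ack=cookie+1), five seconds later."""
    client, server = b"\xc0\xa8\x01\x0a", b"\xc0\xa8\x01\x01"   # 192.168.1.10 -> 192.168.1.1 (constructed)
    now = 1_000_000_000                                          # constructed clock value
    syn_ack_seq = make_cookie(SECRET, client, 40001, server, 25, 1460, now)
    ack = (syn_ack_seq + 1) & 0xFFFFFFFF
    return check_cookie(SECRET, client, 40001, server, 25, ack, now + 5)


if __name__ == "__main__":
    print("negotiated MSS:", demo_exchange())
```

Because the cookie is verified instead of stored, a flood of SYNs costs the server only the SYN-ACKs it sends, which is why the kernel can keep accepting mail while under attack. The price in the classic scheme is that TCP options not encoded in the cookie (window scaling, SACK) are lost for connections set up this way, which is why cookies are used only once the queue is full rather than all the time.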




RE: what is means ? + rootkits..

2002-04-22 Thread Eric LeBlanc



On Fri, 19 Apr 2002, Jan Johansson wrote:

 
 Then they don't know what they are saying, I would say that Tripwire / AIDE / such
 will be 100% efficient in detecting kits _PROVIDING_ that your database is current,
 and is stored in a tamper-proof location... and of course you actually use and update
 the IDS database.
 


In security, never say 100%, never. Nothing is good enough to fully trust.
Everything is good for being paranoid, as AIDE says.

And read the paper (do a search for the relevant "The future is here"):

http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq



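Jan's proviso (a current database kept where an intruder cannot rewrite it) is the whole game, and Eric's "never 100%" is about what such a database cannot tell you. As an added example that is neither Tripwire nor AIDE code, here is a minimal checker of the same kind: file hashes and inode attributes are recorded, the database is bound with an HMAC under a key assumed to live on offline media, and a self-test in a temporary directory walks through a trojaned ls, a removed netstat, a new sshd, and finally an attacker editing the database itself to hide the first change.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def fingerprint(path):
    """Content hash plus the inode attributes a replacement must also forge."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Fingerprint every file below root, keyed by path relative to root."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = fingerprint(full)
    return entries


def _mac(entries, key):
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def save_baseline(entries, path, key):
    """Write the database with an HMAC so that edits to it are caught on load."""
    with open(path, "w") as f:
        json.dump({"entries": entries, "mac": _mac(entries, key)}, f)


def load_baseline(path, key):
    with open(path) as f:
        doc = json.load(f)
    if not hmac.compare_digest(doc["mac"], _mac(doc["entries"], key)):
        raise ValueError("baseline MAC mismatch: database altered or wrong key")
    return doc["entries"]


def compare(baseline, root):
    """Return (changed, added, removed) relative paths."""
    now = build_baseline(root)
    changed = sorted(p for p in baseline if p in now and now[p] != baseline[p])
    added = sorted(set(now) - set(baseline))
    removed = sorted(set(baseline) - set(now))
    return changed, added, removed


def selftest():
    """Constructed scenario in a temp dir; returns what each check reported."""
    key = b"key-kept-on-offline-media"      # assumption: never stored on the host
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "bin")
        os.mkdir(root)
        for name in ("ls", "ps", "netstat"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        db = os.path.join(tmp, "baseline.json")   # in real use: read-only media
        save_baseline(build_baseline(root), db, key)

        with open(os.path.join(root, "ls"), "wb") as f:   # same owner and mode, new bytes
            f.write(b"#!/bin/sh\necho trojaned ls\n")
        os.remove(os.path.join(root, "netstat"))
        with open(os.path.join(root, "sshd"), "wb") as f:
            f.write(b"backdoor\n")
        changed, added, removed = compare(load_baseline(db, key), root)

        with open(db) as f:                               # attacker "fixes" the database
            doc = json.load(f)
        doc["entries"]["ls"] = fingerprint(os.path.join(root, "ls"))
        with open(db, "w") as f:
            json.dump(doc, f)
        try:
            load_baseline(db, key)
            db_tamper_detected = False
        except ValueError:
            db_tamper_detected = True
    return {"changed": changed, "added": added, "removed": removed,
            "db_tamper_detected": db_tamper_detected}


if __name__ == "__main__":
    print(selftest())
```

What the MAC cannot cover is the kernel answering read() and lstat(): a loaded module can hand back the original bytes for a replaced binary, so the comparison is only as honest as the kernel it runs under. Running the check from a boot medium you trust, with database and key on read-only media, takes that out of the picture; that residual dependence is the reason behind Eric's "never 100%".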




Re: A question about some network services

2002-04-02 Thread Eric LeBlanc


On Tue, 2 Apr 2002, Anne Carasik wrote:

 On Tue, Apr 02, 2002 at 07:45:21PM +0200, eim wrote:
  A question about some network services
  ==
  
  Hallo Debian folks,
  
  By default, on my debian boxes, I disable these network
  services which are enabled automatically during a fresh
  Debian stable aka potato installation:
  
  * daytime
  * time
  * discard
  


Very simple.. play with telnet :-)

[EMAIL PROTECTED]:~$ telnet 0 daytime
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
Tue Apr  2 13:24:03 2002
Connection closed by foreign host.

---
Conclusion: daytime is used to see the time on a remote machine.



[EMAIL PROTECTED]:~$ telnet 0 discard
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
test
hello
blah
^]
telnet quit

---
Conclusion: As the name says, it's used for a test, I think... It simply
ignores all your words.


[EMAIL PROTECTED]:~$ telnet 0  time
Trying 0.0.0.0...
Connected to 0.0.0.0.
Escape character is '^]'.
ÀTvNConnection closed by foreign host.

---
Conclusion: It's used by a program... such as NTP, because the output is
not comprehensible for us.

Eric


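What the time service sends is well defined (RFC 868): four bytes, an unsigned big-endian count of seconds since 1900-01-01 00:00:00 UTC, which is why telnet shows it as garbage. The following is an added example, not part of the original post: it decodes such a reply, encodes one, and includes a live client. The four bytes printed above as "ÀTvN" are, read as Latin-1, C0 54 76 4E; decoded they give 2002-04-02 18:26:22 UTC, consistent with a host clock five hours behind UTC and a couple of minutes between the daytime and time sessions.

```python
import socket
import struct
from datetime import datetime, timedelta, timezone

# RFC 868 "time" (TCP/UDP port 37): the server sends one 32-bit unsigned,
# big-endian count of seconds since 1900-01-01 00:00:00 UTC and closes.
EPOCH_1900 = datetime(1900, 1, 1, tzinfo=timezone.utc)
SECONDS_1900_TO_1970 = 2208988800        # the constant the RFC gives

# The four bytes telnet printed above as "ÀTvN", reread as Latin-1.
PAGE_REPLY = b"\xc0\x54\x76\x4e"


def decode_time_reply(payload):
    """Four raw bytes from a time server -> aware UTC datetime."""
    if len(payload) != 4:
        raise ValueError("time reply must be exactly 4 bytes, got %d" % len(payload))
    (secs,) = struct.unpack("!I", payload)
    return EPOCH_1900 + timedelta(seconds=secs)


def describe(payload):
    return decode_time_reply(payload).isoformat()


def to_unix(payload):
    """The same reply as a Unix timestamp, what rdate(1) hands to the clock."""
    return struct.unpack("!I", payload)[0] - SECONDS_1900_TO_1970


def encode_time_reply(when):
    """What a server sends for a UTC datetime; rejects values past the 2036 wrap."""
    secs = int((when - EPOCH_1900).total_seconds())
    if not 0 <= secs <= 0xFFFFFFFF:
        raise ValueError("outside the protocol's 32-bit range")
    return struct.pack("!I", secs)


def fetch_time(host, port=37, timeout=3.0):
    """Live query of a real server (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < 4:
            chunk = s.recv(4 - len(data))
            if not chunk:
                raise ConnectionError("server closed before sending 4 bytes")
            data += chunk
    return decode_time_reply(data)


if __name__ == "__main__":
    print(describe(PAGE_REPLY), "unix", to_unix(PAGE_REPLY))
```

rdate(1), not NTP, is the usual client for port 37. The value wraps in February 2036, carries no authentication and travels in the clear, so anyone on the path can set the clock of a host that trusts it; refusing replies that are not exactly four bytes is the only sanity check the protocol leaves room for.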



Re: log analyze applications

2002-02-27 Thread Eric LeBlanc



On 27 Feb 2002, eim wrote:

   * logcheck  (System Log Analyzer)

[SNIP]
 network activity and so on... everything works quite well, the
 only problem is: they generate *REALLY* much mail traffic with
 lots of output which I can't read all.
 
 So my question is, has anyone a good solution for checking
 syslogs, netlogs, etc. in order to have a simple and strict
 overview of system activities ?
 
 Are there any tools which are smarter, faster and cleaner
 as my combination of log analyze apps. ?
 

The smartest thing you can find is your brain.  Logcheck is very useful and
does not send many e-mails if you know how to configure it correctly.

In other words, if you don't want to see some messages, add these
messages to the appropriate ignore file...

Here, each week, in one log file, I have approximately 800 000 lines, and
I use logcheck to search for some words (and discard other words) to put in
a report and e-mail it to me, and (is it luck or a good configuration?)
each e-mail which I have received has been useful to me.

Eric


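Eric's point, that logcheck only gets noisy when the ignore rules are vague, is easiest to see with a filter of the same shape. The following is an added example, not logcheck's own code, run over a constructed sample of syslog lines: attack patterns are matched first, the ignore list is applied to the rest, and the survivors are reported with repeats collapsed.

```python
import re

# Constructed sample of one night's syslog, not the poster's 800 000-line file.
SAMPLE_LOG = """\
May 17 23:03:11 ms2 kernel: possible SYN flooding on port 25. Sending cookies.
May 17 23:05:01 ms2 /USR/SBIN/CRON[2211]: (root) CMD (run-parts --report /etc/cron.hourly)
May 17 23:05:40 ms2 sshd[2240]: Accepted publickey for ian from 172.16.3.195 port 51022 ssh2
May 17 23:06:02 ms2 sshd[2251]: Failed password for root from 10.1.2.3 port 4021 ssh2
May 17 23:06:05 ms2 sshd[2251]: Failed password for root from 10.1.2.3 port 4021 ssh2
May 17 23:07:00 ms2 postfix/smtpd[2260]: connect from mail.example.org[192.0.2.10]
May 17 23:09:12 ms2 su[2300]: + pts/1 ian:root
May 17 23:10:00 ms2 kernel: eth0: link up
"""

# Always reported (the role of logcheck's cracking.d / violations.d).
ATTACK = [re.compile(p) for p in (
    r"possible SYN flooding on port \d+",
    r"sshd\[\d+\]: Failed password for root from",
    r" su\[\d+\]: \+ ",
)]

# Routine noise (the role of ignore.d).  Anchored and specific on purpose: a
# loose pattern such as r"CRON" would also hide a cron job an intruder added.
IGNORE = [re.compile(p) for p in (
    r" /USR/SBIN/CRON\[\d+\]: \(root\) CMD \(run-parts --report /etc/cron\.(hourly|daily|weekly)\)$",
    r" postfix/smtpd\[\d+\]: connect from [\w.-]+\[[\d.]+\]$",
    r" kernel: eth\d+: link up$",
)]


def triage(text, attack=ATTACK, ignore=IGNORE):
    """Return (attack_lines, other_lines).  Attack patterns are tested first,
    so no ignore rule, however broad, can silence them; whatever matches
    neither list is reported as an ordinary system event."""
    attack_hits, other = [], []
    for line in text.splitlines():
        if any(p.search(line) for p in attack):
            attack_hits.append(line)
        elif not any(p.search(line) for p in ignore):
            other.append(line)
    return attack_hits, other


def squash_repeats(lines):
    """Collapse lines that differ only in timestamp or pid into 'N x line'."""
    counts, order = {}, []
    for line in lines:
        key = re.sub(r"^\w{3} +\d+ \d\d:\d\d:\d\d ", "", line)
        key = re.sub(r"\[\d+\]", "[]", key)
        if key not in counts:
            order.append(key)
        counts[key] = counts.get(key, 0) + 1
    return ["%d x %s" % (counts[k], k) for k in order]


def report(text):
    attack_hits, other = triage(text)
    out = []
    if attack_hits:
        out += ["Security alerts:"] + squash_repeats(attack_hits)
    if other:
        out += ["System events:"] + squash_repeats(other)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The ignore rules are anchored to the end of the line and to the exact command, so the cron entry that runs run-parts is dropped while a cron line an intruder installed would still be reported. Writing the rules that way, and re-reading a week's report for lines that should have been matched, is what keeps the mail short and worth opening.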




Re: Running root commands by http

2001-08-23 Thread Eric LeBlanc

Do you know webmin?

http://webadmin.sourceforge.net/webmin/

Eric

On Thu, 23 Aug 2001, Jean Baptiste Lallement wrote:

 Hi, 
 
 You could use sudo?
 
 Excerpt from http://www.courtesan.com/sudo/
 ---
 Sudo (superuser do) allows a system administrator to give certain
 users (or groups of users) the ability to run some (or all) commands
 as root or another user while logging the commands and arguments.
 ---
 
 and run it with a cgi or php or whatever.
 
 Hth
 
 On Thu, Aug 23, 2001 at 02:58:23PM +0200, Emmanuel Lacour wrote:
  
  Hi,
  
  
  I want to get some opinions on doing this:
  
  Making someone able to create unix users by an http method (from an http browser).
  Making someone able to restart a daemon under the identity of root from http.
  
  
  I think about some methods:
  
  Running a cgi or system() under php
  +
  -use super to run the program
  -make the programs needed setuid root (bhh)
  -send a mail to root containing special headers. A cron job will inspect the
  root mailbox and execute commands as root, or a procmailrc?
  -Another, more secure idea??
  
  
  Thanks.
  
  
  Manu. 
  
  
  
  -- 
  Easter-eggs    GNU/Linux specialist
  44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
  Phone: +33 (0) 1 43 35 00 37- Fax: +33 (0) 1 41 35 00 76
  mailto:[EMAIL PROTECTED]   -http://www.easter-eggs.com
 
 
 
 -- 
   
  |_  | Jean Baptiste Lallement
   / /  ZENI Corporationhttp://zeni.fr
  |___| Tel: 0 803 003 111
 
 
 
 


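Jean Baptiste's sudo-from-a-CGI suggestion is sound if the web server's user can run exactly one fixed command per task and nothing from the request ever reaches a shell. The following is an added example, not webmin's, sudo's or the project's own code: the CGI side maps a request to a fixed argument vector after validating the username against a deliberately strict pattern, and the root side, a small wrapper that sudoers grants to www-data, validates again before calling adduser with options it sets itself. The wrapper path, the sudoers lines in the comment and the service table are assumptions.

```python
import re
import subprocess

# adduser(8) accepts more than this by default; the stricter pattern is an
# assumption chosen so a name can never start with '-' (an option) or contain
# ':', '/', whitespace or shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

# Assumed sudoers entries (install with visudo; paths are examples):
#   www-data ALL=(root) NOPASSWD: /usr/local/sbin/web-adduser
#   www-data ALL=(root) NOPASSWD: /etc/init.d/apache restart, /etc/init.d/exim restart
# Listing the arguments in sudoers means www-data can run nothing else, and
# every invocation lands in sudo's log with its full argument list.
ADDUSER_WRAPPER = "/usr/local/sbin/web-adduser"            # hypothetical wrapper
SERVICES = {"apache": "/etc/init.d/apache", "exim": "/etc/init.d/exim"}


def valid_username(name):
    return bool(USERNAME_RE.match(name))


def build_command(action, arg):
    """Map a web request to a fixed argv or raise ValueError.  Request data
    is never spliced into a command line; argv goes to execve via subprocess."""
    if action == "adduser":
        if not valid_username(arg):
            raise ValueError("refused username %r" % arg)
        return ["sudo", "-n", ADDUSER_WRAPPER, arg]
    if action == "restart":
        if arg not in SERVICES:
            raise ValueError("refused service %r" % arg)
        return ["sudo", "-n", SERVICES[arg], "restart"]
    raise ValueError("unknown action %r" % action)


def is_valid_request(action, arg):
    try:
        build_command(action, arg)
        return True
    except ValueError:
        return False


def run_request(action, arg, runner=subprocess.run):
    """CGI side.  sudo -n fails instead of prompting when no sudoers rule
    matches, so a misconfiguration shows up as an error, not a hang."""
    proc = runner(build_command(action, arg), capture_output=True, text=True, timeout=60)
    return proc.returncode, proc.stderr


def wrapper_argv(argv):
    """Root side: what /usr/local/sbin/web-adduser execs after sudo.  It
    re-validates the name rather than trusting the caller, then calls adduser
    with options fixed here, so no option can arrive from the web."""
    if len(argv) != 2 or not valid_username(argv[1]):
        raise ValueError("usage: web-adduser <username>")
    return ["/usr/sbin/adduser", "--disabled-password", "--gecos", "", argv[1]]


if __name__ == "__main__":
    for req in (("adduser", "alice"), ("adduser", "alice; id"), ("restart", "exim"),
                ("restart", "../../bin/sh")):
        print(req, "->", build_command(*req) if is_valid_request(*req) else "refused")
```

Compared with a setuid-root program or a cron job polling root's mailbox, this keeps the privileged part to a few lines that can be read in full, and sudo's log records who asked for what.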




Re: libwrap.h

2001-02-14 Thread Eric LeBlanc
I don't understand... I try to help and I get insulted?

Well, if I insulted you, I present my sincere apologies to you,
Sir...


Eric LeBlanc
E-Mail:[EMAIL PROTECTED]
ICQ 50571872
   
  Well, let's just say, 'if your VCR is still blinking 12:00, you don't
   want Linux'.
--- Bruce Perens, Debian's Fearless Leader