Re: Port 113 (auth) accept or deny?
On 2002-02-09, Brandon High wrote: [...] should I open(accept) or close(deny, perhaps reject?) the port 113??? I've got it closed on my machines. I don't know what you might need it for. We've been through at least once, haven't we? *sigh* Please read the whole thread: http://lists.debian.org/debian-security/2001/debian-security-200108/msg00297.html s. -- (0 Jakub Jankowski [url]: s.atn.pl Life is a bitch, //\ shasta@IRCnet [rlu]: 174516 and then you die V_/_ [EMAIL PROTECTED] [ekg]: 921514 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 113 (auth) accept or deny?
On 2002-02-09, Brandon High wrote: should I open(accept) or close(deny, perhaps reject?) the port 113??? [...] I just don't know what you might need the ident server for. That's why you should read that thread. It was explained there several times, IIRC. s. -- (0 Jakub Jankowski [url]: s.atn.pl Life is a bitch, //\ shasta@IRCnet [rlu]: 174516 and then you die V_/_ [EMAIL PROTECTED] [ekg]: 921514 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Port 113 (auth) accept or deny?
On 2002-02-09, Brandon High wrote: should I open(accept) or close(deny, perhaps reject?) the port 113??? [...] I just don't know what you might need the ident server for. That's why you should read that thread. It was explained there several times, IIRC. s. -- (0 Jakub Jankowski [url]: s.atn.pl Life is a bitch, //\ [EMAIL PROTECTED] [rlu]: 174516 and then you die V_/_ [EMAIL PROTECTED] [ekg]: 921514
Layne (was: Re: Is ident secure?)
On 2001-08-31, Layne wrote: SEND ME NO MORE E-MAIL YOU SPERM BURPING GUTTER SLUT. FUCK YOU. Couldn't list-admins blackhole this moron? Please? :) shasta -- (0 Jakub Jankowski [url]: s.atn.pl Beauty is skin deep; //\ [EMAIL PROTECTED] ugly goes right V_/_ [EMAIL PROTECTED] to the bone.
Re: strangelog
On 2001-08-12, Rudy Gevaert wrote: This weekend I got a strange log: [...] Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody Aug 11 06:25:03 alhandra PAM_unix[3584]: (su) session opened for user nobody by +(uid=0) [...] I'm sure I was asleep at that time... What is this? Did someone log in? Nope, noone logged in. Or was it a service who su'ed? (I doubt it). It was one of your cron jobs, I suppose. Jakub. -- (0 Jakub Jankowski Beauty is skin deep; //\ [EMAIL PROTECTED]ugly goes right V_/_ [EMAIL PROTECTED]to the bone.
Re: auth.log
On 2001-06-20, Matthias Fritschi wrote: Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user nobody by (uid=0) could that mean somebody got into the server using a security leak in a process running as nobody? at this time, i was still sleepeing [...] No. It means that some process running with root privileges switched its uid to nobody's. There is some cron job executed at 6:25am probably, this is the most common reason of 'automatic' su'ing from root to nobody. Look for files containing string 25 6 * somewhere under /var. Their contents should explain you many things. I hope it'll help. matthias fritschi Jakub Jankowski -- (0 Jakub Jankowski [url]: s.atn.pl Beauty is skin deep; //\ [EMAIL PROTECTED] [uin]: 70171776ugly goes right V_/_ [EMAIL PROTECTED] [cell]: 502110186 to the bone.
Re: Exploit
On 2001-06-09, Tomasz Olszewski wrote: Could you please tell me how I can prevent from following exploit: Do you really think it's an 'exploit'? ; shasta@quasimodo admin$ cat l33t.sh #!/bin/sh echo 1|nux r007 3xp10|7 by 1c4m7uf cd /tmp cat ex.c eof int getuid() { return 0; } int geteuid() { return 0; } int getgid() { return 0; } int getegid() { return 0; } eof gcc -shared ex.c -oex.so LD_PRELOAD=/tmp/ex.so sh rm /tmp/ex.so /tmp/ex.c shasta@quasimodo admin$ ./l33t.sh 1|nux r007 3xp10|7 by 1c4m7uf sh-2.03# id uid=0(root) gid=0(root) groups=4(adm),10(wheel),80(network),98(proc) (okay, some think we're r00t now, but... ;) sh-2.03# cat /etc/shadow cat: /etc/shadow: Permission denied sh-2.03# cd /root sh: cd: /root: Permission denied So. How can you mess up anything using this 3xp10|7? ; s. -- (0 Jakub Jankowski [url]: s.atn.pl Beauty is skin deep; //\ shasta@IRCnet [uin]: 70171776ugly goes right V_/_ [EMAIL PROTECTED] [cell]: 502110186 to the bone. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Exploit
On 2001-06-09, Tomasz Olszewski wrote: Could you please tell me how I can prevent from following exploit: Do you really think it's an 'exploit'? ; [EMAIL PROTECTED] admin$ cat l33t.sh #!/bin/sh echo 1|nux r007 3xp10|7 by 1c4m7uf cd /tmp cat ex.c eof int getuid() { return 0; } int geteuid() { return 0; } int getgid() { return 0; } int getegid() { return 0; } eof gcc -shared ex.c -oex.so LD_PRELOAD=/tmp/ex.so sh rm /tmp/ex.so /tmp/ex.c [EMAIL PROTECTED] admin$ ./l33t.sh 1|nux r007 3xp10|7 by 1c4m7uf sh-2.03# id uid=0(root) gid=0(root) groups=4(adm),10(wheel),80(network),98(proc) (okay, some think we're r00t now, but... ;) sh-2.03# cat /etc/shadow cat: /etc/shadow: Permission denied sh-2.03# cd /root sh: cd: /root: Permission denied So. How can you mess up anything using this 3xp10|7? ; s. -- (0 Jakub Jankowski [url]: s.atn.pl Beauty is skin deep; //\ [EMAIL PROTECTED] [uin]: 70171776ugly goes right V_/_ [EMAIL PROTECTED] [cell]: 502110186 to the bone.
Re: Strange output from last command
On 2001-03-21, William R. Ward wrote: My wtmp file seems to have some rather strange entries... xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in date { Wed Mar 21 02:00 still logged in date | Wed Mar 21 02:00 still logged in [...] On my debian box, rdate -s some.time.server adds similar entries to my wtmp. I guess you synchronize your system clock using rdate, don't you? I hope it will help. --Bill. Regards, Jakub. -- (0 Jakub Jankowski [url]: none //\ shasta@IRCnet [uin]: 70771776 V_/_ [EMAIL PROTECTED] [cell]: 502110186 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Strange output from last command
On 2001-03-21, William R. Ward wrote: My wtmp file seems to have some rather strange entries... xx pts/3xxx.xxx.xxx.xxx Wed Mar 21 14:17 still logged in date { Wed Mar 21 02:00 still logged in date | Wed Mar 21 02:00 still logged in [...] On my debian box, rdate -s some.time.server adds similar entries to my wtmp. I guess you synchronize your system clock using rdate, don't you? I hope it will help. --Bill. Regards, Jakub. -- (0 Jakub Jankowski [url]: none //\ [EMAIL PROTECTED] [uin]: 70771776 V_/_ [EMAIL PROTECTED] [cell]: 502110186