Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Jakub Jankowski 

On 2002-02-09, Brandon High wrote:

[...]
 should I open(accept) or close(deny, perhaps reject?) the port 113???

I've got it closed on my machines. I don't know what you might need it
for.

We've been through at least once, haven't we? *sigh*

Please read the whole thread:
http://lists.debian.org/debian-security/2001/debian-security-200108/msg00297.html

s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Life is a bitch,
//\   shasta@IRCnet   [rlu]: 174516  and then you die
V_/_  [EMAIL PROTECTED]   [ekg]: 921514


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Jakub Jankowski 

On 2002-02-09, Brandon High wrote:

  should I open(accept) or close(deny, perhaps reject?) the port 113???
[...]
I just don't know what you might need the ident server for.

That's why you should read that thread. It was explained there several
times, IIRC.

s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Life is a bitch,
//\   shasta@IRCnet   [rlu]: 174516  and then you die
V_/_  [EMAIL PROTECTED]   [ekg]: 921514


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Port 113 (auth) accept or deny?

2002-02-09 Thread Jakub Jankowski 
On 2002-02-09, Brandon High wrote:

  should I open(accept) or close(deny, perhaps reject?) the port 113???
[...]
I just don't know what you might need the ident server for.

That's why you should read that thread. It was explained there several
times, IIRC.

s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Life is a bitch,
//\   [EMAIL PROTECTED]   [rlu]: 174516  and then you die
V_/_  [EMAIL PROTECTED]   [ekg]: 921514

Layne (was: Re: Is ident secure?)

2001-08-31 Thread Jakub Jankowski 
On 2001-08-31, Layne wrote:

SEND ME NO MORE E-MAIL YOU SPERM BURPING GUTTER SLUT. FUCK YOU.

 Couldn't list-admins blackhole this moron? Please? :)

 shasta

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Beauty is skin deep;
//\   [EMAIL PROTECTED]  ugly goes right
V_/_  [EMAIL PROTECTED]  to the bone.

Re: strangelog

2001-08-12 Thread Jakub Jankowski 
On 2001-08-12, Rudy Gevaert wrote:

This weekend I got a strange log:
[...]
Aug 11 06:25:03 alhandra su[3584]: + ??? root-nobody
Aug 11 06:25:03 alhandra PAM_unix[3584]: (su) session opened for user
nobody by
+(uid=0)
[...]
I'm sure I was asleep at that time... What is this?  Did someone log in?

 Nope, noone logged in.

Or was it a service who su'ed? (I doubt it).

 It was one of your cron jobs, I suppose.

 Jakub.

-- 
(0  Jakub Jankowski  Beauty is skin deep;
//\   [EMAIL PROTECTED]ugly goes right
V_/_  [EMAIL PROTECTED]to the bone.

Re: auth.log

2001-06-20 Thread Jakub Jankowski 
On 2001-06-20, Matthias Fritschi wrote:

  Jun 20 06:25:02 blacksun su[2095]: + ??? root-nobody
  Jun 20 06:25:02 blacksun PAM_unix[2095]: (su) session opened for user 
  nobody by (uid=0)

could that mean somebody got into the server using a security leak in
a process running as nobody? at this time, i was still sleepeing
[...]

 No. It means that some process running with root privileges switched
its uid to nobody's. There is some cron job executed at 6:25am
probably, this is the most common reason of 'automatic' su'ing from
root to nobody. Look for files containing string 25 6 * somewhere
under /var. Their contents should explain you many things.

 I hope it'll help.

matthias fritschi

 Jakub Jankowski

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Beauty is skin deep;
//\   [EMAIL PROTECTED]   [uin]: 70171776ugly goes right
V_/_  [EMAIL PROTECTED]  [cell]: 502110186   to the bone.

Re: Exploit

2001-06-09 Thread Jakub Jankowski 

On 2001-06-09, Tomasz Olszewski wrote:

Could you please tell me how I can prevent from following exploit:

 Do you really think it's an 'exploit'? ;

shasta@quasimodo admin$ cat l33t.sh
#!/bin/sh
echo 1|nux r007 3xp10|7 by 1c4m7uf
cd /tmp
cat ex.c eof
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }
eof
gcc -shared ex.c -oex.so
LD_PRELOAD=/tmp/ex.so sh
rm /tmp/ex.so /tmp/ex.c

shasta@quasimodo admin$ ./l33t.sh
1|nux r007 3xp10|7 by 1c4m7uf

sh-2.03# id
uid=0(root) gid=0(root) groups=4(adm),10(wheel),80(network),98(proc)

(okay, some think we're r00t now, but... ;)

sh-2.03# cat /etc/shadow
cat: /etc/shadow: Permission denied
sh-2.03# cd /root
sh: cd: /root: Permission denied

 So. How can you mess up anything using this 3xp10|7? ;

 s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Beauty is skin deep;
//\   shasta@IRCnet   [uin]: 70171776ugly goes right
V_/_  [EMAIL PROTECTED]  [cell]: 502110186   to the bone.


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Re: Exploit

2001-06-09 Thread Jakub Jankowski 
On 2001-06-09, Tomasz Olszewski wrote:

Could you please tell me how I can prevent from following exploit:

 Do you really think it's an 'exploit'? ;

[EMAIL PROTECTED] admin$ cat l33t.sh
#!/bin/sh
echo 1|nux r007 3xp10|7 by 1c4m7uf
cd /tmp
cat ex.c eof
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }
eof
gcc -shared ex.c -oex.so
LD_PRELOAD=/tmp/ex.so sh
rm /tmp/ex.so /tmp/ex.c

[EMAIL PROTECTED] admin$ ./l33t.sh
1|nux r007 3xp10|7 by 1c4m7uf

sh-2.03# id
uid=0(root) gid=0(root) groups=4(adm),10(wheel),80(network),98(proc)

(okay, some think we're r00t now, but... ;)

sh-2.03# cat /etc/shadow
cat: /etc/shadow: Permission denied
sh-2.03# cd /root
sh: cd: /root: Permission denied

 So. How can you mess up anything using this 3xp10|7? ;

 s.

-- 
(0  Jakub Jankowski  [url]: s.atn.pl   Beauty is skin deep;
//\   [EMAIL PROTECTED]   [uin]: 70171776ugly goes right
V_/_  [EMAIL PROTECTED]  [cell]: 502110186   to the bone.

Re: Strange output from last command

2001-03-21 Thread Jakub Jankowski 

On 2001-03-21, William R. Ward wrote:

My wtmp file seems to have some rather strange entries...

xx   pts/3xxx.xxx.xxx.xxx  Wed Mar 21 14:17   still logged in
date { Wed Mar 21 02:00   still logged in
date | Wed Mar 21 02:00   still logged in
[...]

 On my debian box, rdate -s some.time.server adds similar entries to
my wtmp. I guess you synchronize your system clock using rdate, don't
you? I hope it will help.

--Bill.

 Regards,
  Jakub.

-- 
(0  Jakub Jankowski  [url]: none
//\   shasta@IRCnet   [uin]: 70771776
V_/_  [EMAIL PROTECTED]  [cell]: 502110186


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Strange output from last command

2001-03-21 Thread Jakub Jankowski 
On 2001-03-21, William R. Ward wrote:

My wtmp file seems to have some rather strange entries...

xx   pts/3xxx.xxx.xxx.xxx  Wed Mar 21 14:17   still logged in
date { Wed Mar 21 02:00   still logged in
date | Wed Mar 21 02:00   still logged in
[...]

 On my debian box, rdate -s some.time.server adds similar entries to
my wtmp. I guess you synchronize your system clock using rdate, don't
you? I hope it will help.

--Bill.

 Regards,
  Jakub.

-- 
(0  Jakub Jankowski  [url]: none
//\   [EMAIL PROTECTED]   [uin]: 70771776
V_/_  [EMAIL PROTECTED]  [cell]: 502110186