Re: Spyware / Adware
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 31 Aug 2004 16:50:09 +0200, Adrian 'Dagurashibanipal' von Bidder <[EMAIL PROTECTED]> wrote:
> On Tuesday 31 August 2004 13.30, Volker Tanger wrote:
> > [spyware/adware/trojans/...:]
> >> Yes and no. When surfing as normal user *ware programs cannot install
> >> themselves as system services or overwrite programs simply as you/they
> >> do not have the (file) permissions to do so.
>
> Technically, for most purposes, malware installing itself into an
> unprivileged user account and automatically starting itself through
> ~/.bashrc or whatever is entirely possible, especially since most malware
> these days seems to be used only as a base for DDOS attacks (including
> sending spam), so no special privileges are necessary here. (And KDE and
> Gnome are currently catching up nicely in the number of little useful (?)
> daemons that are started on a desktop machine.)

There is no "click the attachment and install the malware without your knowing it" in Linux. Could someone write a trojan that would do this? Yes. Is Linux vulnerable to "click the nudie pic and install the malware"? No, not in any way as bad as MS-Windows. IIRC, there was one bug in the libjpeg package a while back which might allow this, but none of the broad vulnerabilities caused by bad design decisions in MS-Windows (free clue to MS: stop equating open with execute).

> Windows currently having >90% of the desktop market protects Linux and
> other systems currently: malware could not propagate fast enough.
> Also, most email clients don't offer to execute arbitrary email
> attachments. OTOH, I wouldn't trust the Javascript implementations in
> the Linux browsers any more than I trust the Javascript implementation
> of IE.

Except that the js implementation in Mozilla and the rest of the OSS browsers is open, and subject to review. IE's isn't.

> Another thing that protects Linux systems: heterogeneity. Binary
> exploits usually only work properly when a program is compiled and
> linked with specific compiler and library versions -- with different
> versions, all you

Yes, one of the flaws of the MS way is the monoculture it engenders.

> get is a crash (which does no real harm in most cases). I think there
> are far more different Linux versions out there than there are Windows
> versions, so I *think* that even with Linux becoming a more attractive
> target, you'll never get a single malware spreading with a speed
> comparable to what's happening in Windows today.

Agreed, Linux isn't invulnerable, simply a lot less vulnerable in design, and even less vulnerable in practice.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBNMYyd90bcYOAWPYRAkcAAKCFSjteu8jzIQ8p6WBEyjj9rLrGFwCcDeif
2tgU+C13PsqjSmD/oQM5PWg=
=z/NY
-----END PGP SIGNATURE-----

-- 
Jim Richardson http://www.eskimo.com/~warlock
If you think you can tell me what to think, I think I will tell you where to go

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Positive press for Debian's security team
On Wed, 31 Mar 2004 01:20:09 +0200, Michael Stone <[EMAIL PROTECTED]> wrote:
> On Tue, Mar 30, 2004 at 04:59:36PM -0600, Jones wrote:
>> Positive press for Debian's security team.
>>
>> Using numbers from a pair of metrics, Forrester Research's
>> recommendation was "businesses that value quick patches look to
>> Microsoft and Debian".
>
> That's positive? They put us in the same category as Microsoft! This
> will lose us some serious street cred. :)

Microsoft got good marks for releasing a patch soon after they announce a vulnerability. Never mind if said vulnerability was known about and pointed out to MS 6 months ago. According to FR, the clock only started when MS made the announcement of it.

-- 
Jim Richardson http://www.eskimo.com/~warlock
A bureaucracy is like a septic tank -- all the really big shits float to the top.
Re: chkrootkit - possible bad news`
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 24 Feb 2004 14:32:26 +0100, Greg <[EMAIL PROTECTED]> wrote:
> I am running Debian on a Dec Alpha PC164.
>
> I decided to run chkrootkit and was surprised by the following line.
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I am not sure how to interpret this. I have checked logs, as well as binary
> checks and everything "seems" fine. Can someone help me interpret the logs.
> I will attach them at the tail of the email in case they may be helpful.
>
> I don't know what my next step would be. If indeed I have been 'rooted'
> then I should obviously format and rebuild the server.

Are you running portsentry? If you are, shut it off and rerun chkrootkit. If not, nmap the box from outside and see if there is something listening on those ports; if there is, but netstat shows nothing there, then you've probably been cracked, and you know what to do.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAO6aUd90bcYOAWPYRAquCAKDfxWteagmgU8Qi4qDoY7TrMsPvPwCfQ8oA
vfluFUl7UE5kvbbeT6XCVYU=
=lM19
-----END PGP SIGNATURE-----

-- 
Jim Richardson http://www.eskimo.com/~warlock
Life imitates art, but does it have to imitate satire?
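The cross-check the reply above suggests, written out as an added example (this is not code from the post or from chkrootkit): take the open ports an external nmap run reports, take what netstat admits to on the host, and print whatever answers on the wire but is missing locally. Both inputs are constructed for the example, not captured from a real machine.

```sh
#!/bin/sh
# Added example: compare an external port scan with the host's own listener
# table. A port that is open from outside but absent from netstat on the box
# is either a filtering/NAT artifact in front of the host or a listener hidden
# from the kernel's accounting, which is the rootkit case the thread is about.
# Both inputs below are constructed for the example, not captured from a host.

# Constructed: open-port lines from an external `nmap -sT <host>` run.
NMAP_OUT='PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
1524/tcp  open  ingreslock
31337/tcp open  Elite'

# Constructed: `netstat -ltn` run on the host itself.
NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN'

# TCP ports nmap reports as open, one per line, numerically sorted.
nmap_open_ports() {
    printf '%s\n' "$1" | awk '$2 == "open" { split($1, a, "/"); print a[1] }' | sort -n
}

# Ports the host admits to listening on: the last colon-separated field of the
# local address, which also copes with IPv6 forms such as :::22 or [::]:22.
local_listen_ports() {
    printf '%s\n' "$1" | awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Ports visible from outside that the local listener table does not show.
hidden_ports() {
    scan_ports=$(nmap_open_ports "$1")
    host_ports=$(local_listen_ports "$2")
    printf '%s\n' "$scan_ports" | while read -r port; do
        [ -n "$port" ] || continue
        if ! printf '%s\n' "$host_ports" | grep -qx "$port"; then
            echo "$port"
        fi
    done
}

# On the sample data this prints 31337: open on the wire, invisible locally.
hidden_ports "$NMAP_OUT" "$NETSTAT_OUT"
```

Run the scan from a machine you trust and pipe its output in place of NMAP_OUT; the netstat side must be read on the suspect host, and if you suspect the netstat binary itself, use a copy from known-good media. An empty result does not prove the box is clean (a kernel-level rootkit can also hide from nmap by filtering the port until a magic packet arrives), but a non-empty one is a strong signal.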
Re: DSA 438 - bad server time, bad kernel version or information delayed?
On Sat, 21 Feb 2004 22:20:05 +0100, Matt Zimmerman <[EMAIL PROTECTED]> wrote:
> On Sat, Feb 21, 2004 at 11:09:09AM +0100, Jan Lühr wrote:
>
>> On Saturday, 21 February 2004 01:10, Matt Zimmerman wrote:
>> ..
>>
>> > CERT rarely has anything to do with coordinating disclosure, and
>> > there is no need to bring them into this discussion at all. The
>> > coordination that happens is between vendors, like Debian, as
>> > peers.
>> >
>> > Those last two cases are equivalent. Think about it.
>>
>> In the theory of capitalism, competition between vendors is the main
>> aspect of going further in development.
>
> Fortunately, Debian isn't driven by capitalism, and we benefit more
> from cooperation than competition.

Debian competes for users and, just as importantly, developers; it's a free market of the mind :)

-- 
Jim Richardson http://www.eskimo.com/~warlock
Monday. Not just another day; a never ending spiral to Hell. (With a stop in Cleveland.) --Mark P. Beckman
Re: How To Set Up Mail-out-only System ?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 Feb 2004 02:40:07 +0100, Nick Boyce <[EMAIL PROTECTED]> wrote:
> Sorry if this is a dumb question ...
>
> I've just set up a "secure" (you know .. more than usual) Debian system,
> and want to arrange things so that it can send mail out when necessary
> (in case anything happens that it thinks I should know about) but is
> *not* constantly listening for incoming mail.
>
> Is there a best way of doing this ?
>
> The default Exim MTA is installed, and I've commented out the SMTP line
> from inetd.conf, but there is a /etc/init.d/exim startup script that
> comes with the Exim package, that has this :
>
>    # Exit if exim runs from /etc/inetd.conf
>    if [ -f /etc/inetd.conf ] && grep -q "^ *smtp" /etc/inetd.conf; then
>        exit 0
>    fi
>    [...]
>    case "$1" in
>      start)
>        echo -n "Starting MTA: "
>        start-stop-daemon --start --pidfile /var/run/exim/exim.pid \
>            --exec $DAEMON -- -bd -q30m
>
> So one way or the other, Exim gets to listen.
>
> In exim.conf, there is
>    # This will cause it to accept mail only from the local interface
>    #local_interfaces = 127.0.0.1
> so I could set that option. Would that stop Exim from binding to the
> ethernet interface ?
>
> Should I just remove the S20exim symlink from rc?.d ?
> That seems a bit of a kludge. If this was NetBSD, I'd set something
> like "exim=no" in somewhere like rc.conf ... is there a Debian
> equivalent to that ?
>
> TIA for any advice.
> Nick Boyce
> Bristol, UK

Just firewall off port 25 from the network. Leave it visible internally on the loopback, so you can still use it for a local MTA.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAKZC5d90bcYOAWPYRAtGyAJ9i9GnQhUa9RxtPuerpGbktsZzLtQCgmOGW
KVwsJnoPAF7pfFBNWbUPG8M=
=w2SY
-----END PGP SIGNATURE-----

-- 
Jim Richardson http://www.eskimo.com/~warlock
"We have to go forth and crush every world view that doesn't believe in tolerance and free speech," - David Brin
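The two layers that together give a mail-out-only box, as an added example that is not code from the thread or from the Exim package: the local_interfaces setting Nick quotes from exim.conf, plus the loopback-only firewall rule Jim recommends, and a check over the listener table that confirms nothing on port 25 is bound to a routable address. The iptables rules are standard ones; the netstat listings are constructed for the example.

```sh
#!/bin/sh
# Added example: a mail-out-only MTA. Two layers:
#   1. Exim binds only to loopback (in exim.conf: local_interfaces = 127.0.0.1),
#      so cron and logcheck mail still goes out through the normal MTA.
#   2. iptables drops 25/tcp on every interface except lo, so a later config
#      change or package upgrade cannot quietly re-expose the listener.
# Then confirm from `netstat -ltn` that no port-25 socket is bound to anything
# but a loopback address. The listener tables below are constructed, not captured.

# Print the firewall rules; apply as root with: smtp_firewall_rules | sh
smtp_firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP
EOF
}

# Given `netstat -ltn` output, print each port-25 listener bound to anything
# other than a loopback address. Exit status 1 if one was found, 0 if clean.
exposed_smtp_listeners() {
    found=$(printf '%s\n' "$1" | awk '
        $NF == "LISTEN" {
            n = split($4, a, ":")
            port = a[n]
            addr = $4
            sub(":" port "$", "", addr)          # address without the port
            if (port == "25" && addr != "127.0.0.1" && addr != "::1" && addr != "[::1]")
                print addr
        }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed: Exim with the Debian default, listening on all interfaces.
BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed: after setting local_interfaces = 127.0.0.1 and restarting Exim.
AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Prints "0.0.0.0" for BEFORE and nothing for AFTER.
exposed_smtp_listeners "$BEFORE" || echo "port 25 is still exposed"
exposed_smtp_listeners "$AFTER" && echo "port 25 is loopback-only"
```

The check treats :: (all IPv6 interfaces) as exposed, which it is. Keep the firewall rule even once Exim is loopback-only: the init script fragment Nick quotes will happily start a listening daemon again after a reinstall, and the DROP rule is what makes that harmless.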
Re: Hacked - is it my turn?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 03 Feb 2004 03:50:06 +0100, Alvin Oga <[EMAIL PROTECTED]> wrote:
>
> hi ya johannes
>
> On Mon, 2 Feb 2004, Johannes Graumann wrote:
>
>> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
>> At this point I believe to be able to attribute this to portsentry
>> running - '/etc/init.d/portsentry stop' makes it go away,
>> '/etc/init.d/portsentry start' makes it reappear and I can create the
>> message on a pristine system by installing portsentry (running in the
>> default configuration).
>
> odd that portsentry does that... oh well ...

portsentry opens and attaches to ports; it's "famous" for setting off false alarms for security tests. IMHO it's a poor tool for securing a system, but it's probably better than nothing, although you'd be far better off with snort.

>> > 'tiger' also reports - while performing signature check of system
>> > binaries, that /bin/ping, /usr/bin/chage, /usr/bin/at, /usr/bin/write
>> > and /usr/bin/inetd do not match. This can not be confirmed by aide
>> > (cd-burned database, unsafe binary) or debsums (unsafe binary).
>> Javier stated as well:
>> > Do _not_ rely on that if you are _not_ using a stable system (and
>> > really, even then, unless you've regenerated the database yourself).
>> This is a testing/unstable system.
>
> that doesn't explain why the semi-important binaries are not as
> you expected ... you still need to confirm the size/md5 of the binaries
> against a clean system and/or patched updated/upgraded box
>
>> If you don't buy this: please let me know and why. Since we are talking
>> 20+ systems being dependent on one of the machines in question, I'm
>> considering myself biased due to installation anxiety.
>
> maybe it's time to spend an extra $300 for a 2nd backup machine and
> keep it offline or more protected behind another secure firewall
> - and also time to put all your binaries compressed onto cdrom
> so that you can trivially compare binaries in a few seconds
> and know if it's been hacked or not
>
> - you'd also need to know which binaries changed on which date
> from which package :-)

Aide does a nice job of this, if you maintain a copy of the aide.db offsite and check that too. On my machines I do a series of tests nightly: aide, chkrootkit and tiger tests, verify the local aide.db md5sum matches the remote backup, and run the logs. I am setting up snort, mostly for the purposes of practice. These are web/mail servers, so I have a limited number of ports I have to have open; everything else is firewalled off.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAHx2Sd90bcYOAWPYRAqSwAJ0YPQCQZ5fvtsWMDRkRLTrKjcjdPQCdEtMe
ahSRcZMY49OsTRoWIaCtQac=
=XqM4
-----END PGP SIGNATURE-----

-- 
Jim Richardson http://www.eskimo.com/~warlock
It is dark. Your .sig has been eaten by a grue.
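The nightly routine Jim describes, as an added example that is not code from the post or from the aide package: before trusting an aide, chkrootkit or tiger run, confirm that the local aide.db still matches the checksum kept off the box, since an intruder with root can simply regenerate the database to match the trojaned binaries. The post compares md5sums; this example uses sha256sum, as MD5 is no longer collision resistant. The database and its "offsite" checksum are constructed in a temporary directory so the example runs stand-alone.

```sh
#!/bin/sh
# Added example: gate the nightly integrity run on an aide.db check against
# the copy kept off the box. A root-level intruder can regenerate aide.db, so
# the report is only meaningful if the local database still matches the
# reference stored elsewhere. sha256sum is used here in place of the post's
# md5sum; the logic is the same. The database and its "offsite" checksum
# below are constructed in a temp dir for the example.

# Hex digest of a file.
db_checksum() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Compare the local aide.db against the checksum recorded off the box
# (here a file; in practice fetched over ssh from the backup host).
# Returns 0 on match, 1 on mismatch or if either file is missing.
verify_aide_db() {
    local_db=$1
    offsite_sum=$2
    if [ ! -r "$local_db" ] || [ ! -r "$offsite_sum" ]; then
        echo "verify_aide_db: missing $local_db or $offsite_sum" >&2
        return 1
    fi
    expected=$(cat "$offsite_sum")
    actual=$(db_checksum "$local_db")
    if [ "$actual" != "$expected" ]; then
        echo "aide.db checksum mismatch: local=$actual offsite=$expected" >&2
        return 1
    fi
    return 0
}

# Run the rest of the nightly checks only when the database is trustworthy;
# the remaining arguments are the command to run (e.g. aide --check).
run_if_trusted() {
    local_db=$1
    offsite_sum=$2
    shift 2
    verify_aide_db "$local_db" "$offsite_sum" || return 1
    "$@"
}

# Constructed demo: a stand-in aide.db and the checksum that would have been
# recorded off the box when the database was generated.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for /var/lib/aide/aide.db\n' > "$demo_dir/aide.db"
db_checksum "$demo_dir/aide.db" > "$demo_dir/aide.db.sha256"

# Clean database: the check passes and the guarded command runs.
run_if_trusted "$demo_dir/aide.db" "$demo_dir/aide.db.sha256" \
    echo "aide.db verified; run aide --check, chkrootkit and tiger"
```

In a real cron job the reference checksum is pulled from the backup host each night and the guarded command is the actual aide --check, chkrootkit and tiger sequence; the point is that a mismatch stops the run and mails you, rather than letting a scan run against a database the intruder has already rewritten. The same caveat Javier gives applies to the scanners themselves: on a compromised box, run them from known-good media.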
Re: /usr/bin/ssh-copy-id & trojan or variant UNIX/Exploit-SSHIDEN
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 15 Jan 2004 20:50:11 +0100, Asim Saglam <[EMAIL PROTECTED]> wrote:
> Dear all,
>
> Can anybody explain the following?
>
> My virus scanner reported the following after the scan tonight:
>
> /usr/bin/ssh-copy-id
>     Found trojan or variant UNIX/Exploit-SSHIDEN !!!
>     Please send a copy of the file to Network Associates
>     The file has been renamed.
>
> Furthermore ls -al gives:
> -rwxr-xr-x    1 root     root         1115 Sep 19 10:07 /usr/bin/ssh-copy-id
>
> Output of uname -a:
> Linux 2.4.23 #1 Sun Dec 28 12:46:20 CET 2003 i686 unknown

<http://kerneltrap.org/node/view/1958>

Might want to consider upgrading to 2.4.24 or a patched 2.4.23, for the mremap() local root exploit.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAB5Ved90bcYOAWPYRAhMmAKDiUCtSQzw70oHrlnmgTvfM2QBSigCdEfhh
7OI3mZiHCJU/d2x2Ea9243g=
=WpXR
-----END PGP SIGNATURE-----

-- 
Jim Richardson http://www.eskimo.com/~warlock
Life is complex: it has a real part and an imaginary part.