Bug#520819: egroupware-calendar: XML-RPC interface posts as admin when normal user is logged in
Package: egroupware-calendar
Version: 1.4.004-2.dfsg-4.1
Severity: important
Tags: lenny, security

All,

I've been working to get the KDE PIM suite Kontact to work with eGroupWare Calendar. I ran into some problems, where the symptom was that although the data was entered into the database it didn't show up in the web interface, nor could it be synched to other devices. My investigation of the problem led me to something that I feel could have important security considerations:

I have created two users on the system, admin, which is a fully privileged user, and kjetil, a normal user (the two accounts share my name and email address though). With the admin user, I enabled the XML-RPC interface to eGroupWare. I then entered kjetil's credentials in Kontact's Calendar application. Now, it turns out that in spite of the fact that Kontact does not have admin's credentials, eGroupWare enters the item as if it was entered by admin. This is made clear by this SQL query executed on my PostgreSQL database:

egroupware=# SELECT egw_cal.cal_id, cal_owner, cal_public, cal_status, cal_user_id, account_lid
             FROM egw_cal
             JOIN egw_cal_user ON (egw_cal.cal_id = egw_cal_user.cal_id)
             JOIN egw_accounts ON (egw_accounts.account_id = egw_cal_user.cal_user_id);

 cal_id | cal_owner | cal_public | cal_status | cal_user_id | account_lid
--------+-----------+------------+------------+-------------+-------------
      1 |         6 |          1 | A          |           5 | admin
      2 |         6 |          1 | A          |           6 | kjetil
      3 |         6 |          1 | A          |           5 | admin
      4 |         6 |          1 | A          |           5 | admin
      5 |         6 |          1 | A          |           5 | admin
      6 |         6 |          1 | A          |           6 | kjetil

Here, the two calendar items created by kjetil are created by either the web interface or a Nokia phone using SyncML. The other calendar items are entered by Kontact on a remote host. All items are entered into a calendar owned by kjetil. This seems to me to raise security concerns; it seems very odd that a normal user should be able to enter something in the database with a higher privileged user's name.

I have not investigated further if this is a manifestation of a larger privilege escalation problem. Nevertheless, just creating things in another user's name is a security concern. Furthermore, I haven't investigated if this problem is present in the latest eGroupWare release, or only in the packages in Debian Lenny. These packages now lag somewhat behind upstream, so I hope that Debian maintainers can have a look at the problem.

-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages egroupware-calendar depends on:
ii  egroupware-core       1.4.004-2.dfsg-4.1  web-based groupware suite - core m
ii  egroupware-etemplate  1.4.004-2.dfsg-4.1  web-based groupware suite - widget
ii  egroupware-infolog    1.4.004-2.dfsg-4.1  web-based groupware suite - infolo

egroupware-calendar recommends no packages.

egroupware-calendar suggests no packages.

-- no debconf information

-- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Re: Serious bug in security update for Crypt::CBC
Hi all!

Sorry to be jumping in without preserving the In-Reply-To.

Allard Hoeve wrote:
> I'm afraid this new package introduces some serious errors in software that depends on this package. I have tested the new package on three different Sarge machines with the following results. Please reproduce using attached perl script.

This bug jumped up and bit us too during testing, and it has been reported as bug #356810:
http://bugs.debian.org/356810
so, it is now clear that it poses a serious problem for users, as it breaks the default behaviour. However,

> Please remove the update from the security archive.

...it is not that simple. If you read the original advisory:
http://www.securityfocus.com/archive/1/archive/1/425966/100/0/threaded
you'll see that we have (indirectly) been relying on weak and deprecated behaviour. While this is not the sort of breakage you expect from stable, it underlines that security is not just about blindly upgrading packages. So, it is probably better to get a heads-up from something that breaks down than getting the heads-up from someone who breaks in... :-)

The problem in this case is that we don't know if it is serious:

> The difficulty of breaking data encrypted using this flawed algorithm is unknown, but it should be assumed that all information encrypted in this way has been, or could someday be, compromised.

Given that the upgrade certainly breaks stable, a DSA could have suggested the workaround as the correct path for sysadmins:

> If using Crypt::CBC versions 2.16 and lower, pass the -salt=>1 option to Crypt::CBC->new().

I.e., say you should do this now to upgrade your systems. Many users are likely to be bitten by this upgrade, so, indeed, it may be a reasonable path to remove the security upgrade and instead suggest the workaround.

Best,

Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
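Added example, written for this page; it is not code from the thread, the advisory or the Crypt::CBC distribution. The -salt workaround quoted above switches Crypt::CBC to its OpenSSL-compatible layout: the ciphertext is prefixed with the string "Salted__" and an 8-byte random salt, and key and IV are derived from passphrase and salt with OpenSSL's EVP_BytesToKey (MD5, one iteration), the same scheme `openssl enc` uses. The block below implements that derivation and header handling in Python and shows the property the salt buys: without it, every message encrypted under one passphrase gets the same key and IV. It contains no block cipher; key and IV lengths are parameters, and the 16/16 defaults are my choice, not something the thread specifies.

```python
import hashlib
import os
from typing import Optional, Tuple

MAGIC = b"Salted__"   # header openssl enc (and Crypt::CBC's salted mode) puts in front of the ciphertext
SALT_LEN = 8


def bytes_to_key(passphrase: bytes, salt: Optional[bytes], key_len: int, iv_len: int) -> Tuple[bytes, bytes]:
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration.

    D_1 = MD5(passphrase || salt), D_i = MD5(D_{i-1} || passphrase || salt);
    D_1 || D_2 || ... is cut into key and IV. salt=None gives an unsalted
    derivation, where the result depends on the passphrase alone.
    """
    if salt is not None and len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    material = passphrase + (salt or b"")
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + material).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def wrap_salted(salt: bytes, body: bytes) -> bytes:
    """Prefix a ciphertext body with the Salted__ header and its salt."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return MAGIC + salt + body


def unwrap_salted(data: bytes) -> Tuple[bytes, bytes]:
    """Split (salt, body) off a Salted__ ciphertext; reject anything else."""
    if len(data) < len(MAGIC) + SALT_LEN or not data.startswith(MAGIC):
        raise ValueError("not a Salted__ ciphertext")
    start = len(MAGIC)
    return data[start:start + SALT_LEN], data[start + SALT_LEN:]


def derive_for_new_message(passphrase: bytes, key_len: int = 16, iv_len: int = 16) -> Tuple[bytes, bytes, bytes]:
    """Sender side: a fresh random salt per message, then key and IV from it."""
    salt = os.urandom(SALT_LEN)
    key, iv = bytes_to_key(passphrase, salt, key_len, iv_len)
    return salt, key, iv


def derive_for_received_message(passphrase: bytes, data: bytes, key_len: int = 16, iv_len: int = 16):
    """Receiver side: read the salt back out of the header and re-derive key and IV."""
    salt, body = unwrap_salted(data)
    key, iv = bytes_to_key(passphrase, salt, key_len, iv_len)
    return key, iv, body


def key_reuse_without_salt(passphrase: bytes, messages: int = 3) -> bool:
    """True when an unsalted derivation hands every message the same key and IV."""
    pairs = {bytes_to_key(passphrase, None, 16, 16) for _ in range(messages)}
    return len(pairs) == 1


def key_reuse_with_salt(passphrase: bytes, messages: int = 3) -> bool:
    """True when a salted derivation repeats a key/IV pair across messages (it should not)."""
    pairs = {derive_for_new_message(passphrase)[1:] for _ in range(messages)}
    return len(pairs) != messages


if __name__ == "__main__":
    pw = b"correct horse"                     # constructed passphrase for the demonstration
    print("unsalted key reused across messages:", key_reuse_without_salt(pw))
    print("salted key reused across messages:  ", key_reuse_with_salt(pw))
    salt, key, iv = derive_for_new_message(pw)
    msg = wrap_salted(salt, b"<ciphertext body would go here>")
    print("receiver re-derives same key:", derive_for_received_message(pw, msg)[0] == key)
```

The receiving side needs nothing but the passphrase and the header, which is why the salt can travel in the clear; what it must not do is accept a message without the header and silently fall back to the unsalted derivation.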
Re: Unusual spam recently - hummm
On Friday 4 June 2004, 03:24, s. keeling wrote:
> I'm sick of whitelisting. It doesn't work if you care about communicating with people you've never met.

Me too. And I think that most absolutes, whether it is a single rule to accept an e-mail or a single rule to reject, are a Bad Thing[tm].

But I'd like to plug a bug report of mine, FOAF-based whitelists:
http://bugzilla.spamassassin.org/show_bug.cgi?id=3408

FOAF, Friend-of-a-Friend, is meant to be used to mark up relationships, and so SpamAssassin could set a lower negative score to those you know someone who knows, etc... If FOAF becomes as widespread as personal homepages, it could be really useful.

So, let me also plug another bug report of mine, let KAddressbook export FOAF:
http://bugs.kde.org/show_bug.cgi?id=72653

If I only had time to write the code... :-)

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Unusual spam recently - hummm
On Thursday 3 June 2004, 20:24, s. keeling wrote:
>> This is a bad suggestion. My ISP requires us (by blocking port 25 outbound) to use their SMTP server. Therefore I cannot connect to the
>
> Considering 60% - 80% of the traffic these days is crap, this is beginning to look like a fairly reasonable restriction. If you can figure out how to have SMTP negotiate that your ISP legitimately handles mail for your domain, that's the only way around it I can see. There are a lot of spam friendlies out there for whom no amount of reporting spam will have any effect on their actions. Refusing forgeries is the only solution for those.

Then I think it is much more reasonable to let SpamAssassin or some other good spam scanner have a look at it, then reject in the SMTP dialogue based on not only a single characteristic. SA will also give hammy scores, so even if there is one spammy thing about the message, a few hammy things can let it pass through nevertheless. It is straightforward to set this up using the Exim4 backports and SA.

Vennlig Tiddeli-bom,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Unusual spam recently - hummm
On Thursday 3 June 2004, 20:53, Alvin Oga wrote:
> you have to post process your emails after you already received it.

...and then it is a bit late to bounce, isn't it...?

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
>> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-)
>
> Are you sure that's not a bug in chkrootkit (false negative)?

No idea! :-)

> It seems that chkrootkit (since 0.42b-1) fixed this, from the changelog:
>
>   * ifpromisc now parses /proc/net/packet so that it can provide better diagnostics. (forwarded patch upstream) (closes: #214990)
>
> But you would not see that if you are running stable (no backports) and linux 2.4

I'm using a backport of chkrootkit, specifically Norbert's, it says:
chkrootkit version 0.43

But for all I know, "better diagnostics" doesn't really imply that it can't be a false negative...

BTW, the traffic has just ceased, so my ISP has apparently been able to pin it down. I have sent them a message asking what happened, but haven't got a response. I really feel like sending the people responsible for this machine an invoice for two days of consultancy; that's the real cost for me. People need to realize that damage inflicted on others is also a part of Windows TCO... At least to see what happens.

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose.

Great! Reagan Blundell also told me about them offline.

> Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).

Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

Hm, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything?

Thanks a lot for the help!

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
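Added example, written for this page and not part of the thread: detection logic run over lines in the shape of the tcpdump output above. It matches the Slammer signature the later replies point at (a single 376-byte UDP datagram to the SQL Server resolution port 1434), counts hits per source, and checks the two things the thread puzzles over: whether any of the datagrams are actually addressed to this host (217.77.32.186, the server address given in the original post) and whether the destinations are multicast. The sample capture is constructed from a handful of the posted lines, with the ">" between source and destination that tcpdump prints.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump output posted in the thread:
# same source host and ports as the capture, trimmed to a few lines.
SAMPLE_CAPTURE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
"""

LOCAL_ADDR = "217.77.32.186"   # the troubled server, from the original post's netstat output

# Slammer (W32.SQLExp) is one 376-byte UDP payload sent to port 1434.
SLAMMER_PORT = 1434
SLAMMER_LEN = 376

# Old-style tcpdump UDP line: "<ts> <src>.<sport> > <dst>.<dport>: udp <len> [ttl N]"
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): udp (?P<len>\d+)"
    r"(?: \[ttl (?P<ttl>\d+)\])?"
)


def parse_udp(line):
    """Return a dict for a numeric-address UDP line, or None for ARP, DNS and anything else."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]),
        "ttl": int(d["ttl"]) if d["ttl"] is not None else None,
    }


def is_slammer(pkt):
    """Port and payload length together are the worm's fingerprint."""
    return pkt["dport"] == SLAMMER_PORT and pkt["len"] == SLAMMER_LEN


def analyse(capture, local_addr=LOCAL_ADDR):
    """Count Slammer datagrams per source and classify where they were headed."""
    local = ipaddress.ip_address(local_addr)
    report = {
        "slammer_by_src": Counter(),   # source address -> number of matching datagrams
        "addressed_to_us": 0,          # datagrams whose destination is this host
        "multicast_dst": 0,            # datagrams sent to 224.0.0.0/4
        "other_lines": 0,              # ARP, DNS, anything the UDP parser skipped
    }
    for line in capture.splitlines():
        pkt = parse_udp(line)
        if pkt is None:
            report["other_lines"] += 1
            continue
        if not is_slammer(pkt):
            continue
        report["slammer_by_src"][pkt["src"]] += 1
        dst = ipaddress.ip_address(pkt["dst"])
        if dst == local:
            report["addressed_to_us"] += 1
        if dst.is_multicast:
            report["multicast_dst"] += 1
    return report


def summary(report):
    """One line per infected source plus the two questions from the thread."""
    lines = ["%s: %d Slammer datagrams" % (src, n) for src, n in report["slammer_by_src"].most_common()]
    lines.append("addressed to this host: %d" % report["addressed_to_us"])
    lines.append("multicast destinations: %d" % report["multicast_dst"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(analyse(SAMPLE_CAPTURE)))
```

Run against the posted lines it reports one source, zero datagrams addressed to the server, and every destination in 224.0.0.0/4. That last point is my observation from the addresses, not something the thread says: a switch without IGMP snooping floods multicast frames to every port, which would put them on the server's NIC and, if the NIC accepts them, into its RX byte counter, while the iptables INPUT counters only see packets the stack decides to deliver locally. The thread's own explanation is an overflowed forwarding table; both give the same symptom of traffic on the wire that is never for you.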
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
>> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in.

Oh, I see. But one thing I do not understand: it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targetting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock.

> you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of iptables -vnL

OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says:

Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going
iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on... Given I find no signs that the machine is actually up, and that I still don't understand the traffic pattern,

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting; I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no...

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
> [...]
>> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
>> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will educate...

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, it seems consensus about that...

> As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-)

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
>> Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?
>
> It's some odd switch-router whose forwarding table is overflown by Slammer, and it switches to broadcast mode. Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network guy, though. But what he said was that the server had been moved out of their network long ago, and they hadn't really an idea where the box was broadcasting from. Not that I understand it, but I was told to call tomorrow morning and talk with the network guy; he had noticed some abnormal activity, but not seen as much as I had. But we should be able to track it down together.

But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Large, constant incoming traffic
Hi all!

I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised.

The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds. And I can't for the life of me figure out where it's coming from...

This is what netstat says:

[EMAIL PROTECTED]:~ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for that there aren't variations...

Most of the listening ports are actually firewalled off from the world:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian, nmap should perhaps be told...?)

The filtered ports should drop packets.

In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running at the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too; I have verified it by running ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry. I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think.

Also, there is little outgoing traffic. I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and who has du and df trojanned, but then df shows the same as /proc/partitions.

I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anything... But then, I don't really know too much about looking... :-)

Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely.

I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since iptables would drop the packets, it would show up in the statistics as dropped, and it isn't. Or, is it possible that the statistics are simply wrong: there are no data being thrown at me?

I've briefly talked with my hosting company, and they've got a good Linux guy there, but he was too busy to help me now.

If I haven't already, I'm afraid I'll hit my 10 GB/month quota very soon now. I really don't want that to happen, especially if it isn't my fault that this is happening.

I run AIDE, and I run chkrootkit occasionally. I've gone through the auto-setup of a backport of Snort, but it has never actually told me anything, so I suppose it isn't really configured. I'm trying a Nessus attack against the poor box now, but it is very slow...

Thanks for reading this far, and, well, your ideas on what I can do would be much appreciated.

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski
Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote: The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Great! Reagan Blundell also told me about them offline. Ethereal will make the job easier and should give you a clue. If you are affraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub). Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?). Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider): 19:41:29.459644 217.77.34.162.2090 226.122.204.181.1434: udp 376 [ttl 1] 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:29.675637 217.77.34.162.2090 234.195.198.113.1434: udp 376 [ttl 1] 19:41:29.786000 217.77.34.162.2090 226.210.233.101.1434: udp 376 [ttl 1] 19:41:30.013227 217.77.34.162.2090 226.115.252.196.1434: udp 376 [ttl 1] 19:41:30.120437 217.77.34.162.2090 234.221.95.51.1434: udp 376 [ttl 1] 19:41:30.449589 217.77.34.162.2090 226.53.242.62.1434: udp 376 [ttl 1] 19:41:30.556784 217.77.34.162.2090 234.225.213.78.1434: udp 376 [ttl 1] 19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no 19:41:30.773817 217.77.34.162.2090 226.95.50.32.1434: udp 376 [ttl 1] 19:41:30.800550 pooh.kjernsmo.net.39441 www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. 
(43) (DF) 19:41:30.884041 217.77.34.162.2090 234.111.203.166.1434: udp 376 [ttl 1] 19:41:31.212205 217.77.34.162.2090 234.209.110.68.1434: udp 376 [ttl 1] 19:41:31.321424 www.easynet.no.domain pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF) 19:41:31.429747 217.77.34.162.2090 226.20.247.203.1434: udp 376 [ttl 1] 19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:31.648080 217.77.34.162.2090 234.191.213.120.1434: udp 376 [ttl 1] 19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no 19:41:31.755080 217.77.34.162.2090 234.234.114.255.1434: udp 376 [ttl 1] 19:41:31.973809 217.77.34.162.2090 226.44.34.125.1434: udp 376 [ttl 1] 19:41:32.083993 217.77.34.162.2090 226.58.55.41.1434: udp 376 [ttl 1] 19:41:32.192344 217.77.34.162.2090 234.247.236.46.1434: udp 376 [ttl 1] M, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything. Thanks a lot for the help! Best, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 20:15, Lars Ellenberg wrote: 19:41:29.675637 217.77.34.162.2090 234.195.198.113.1434: udp 376 [ttl 1] ok, chances are that 217.77.34.162 runs an unpatches MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in. Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something? iirc there has been some worm targetting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one. OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock. you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of iptables -vnL OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says: Chain INPUT (policy DROP 157K packets, 10M bytes) That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant. BTW, would I have anything to loose by going iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline. Hm, OK, but I need to feel a little more certain about what's going on... Given I find no signs that the machine is actually up, and that I still don't understand the traffic pattern, and that you want them to pay for the traffic they are causing you. Well, it is more the time I've been wasting, I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no... 
Best, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 20:37, Gian Piero Carrubba wrote: Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto: [...] 19:41:32.083993 217.77.34.162.2090 226.58.55.41.1434: udp 376 [ttl 1] 19:41:32.192344 217.77.34.162.2090 234.247.236.46.1434: udp 376 [ttl 1] A switched lan, I see ;) Hehe, it doesn't mean so much to me right now, but a Google will educate... It can be slammer [1] (if so, I guess why the ISP tech is so busy :) Yeah, it seems consensus about that... As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course. Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-) Cheers, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
> > Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?
>
> It's some odd switch-router whose forwarding table is overflown by Slammer, and it switches to broadcast mode. Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network guy, though. But what he said was that the server had been moved out of their network long ago, and they hadn't really an idea where the box was broadcasting from. Not that I understand it, but I was told to call tomorrow morning and talk with the network guy; he had noticed some abnormal activity, but not seen as much as I had. But we should be able to track it down together. But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
Re: Update of security-critical outdated packages
Agh! I had written down a lengthy reply, and just before sending it, a fuse blew and took my machine down with it. Why don't we get PSUs with built-in UPSes that last a minute or so, enough to change the fuse or take a clean shutdown...? Probably because most PCs run an OS that goes down so often, an occasional fuse is just one-in-many... Oh well...:

On Thursday 15 January 2004 19:51, Rich Puhek wrote:
> Kjetil Kjernsmo wrote:
> > Again, that's not how I read DSA-297.
>
> They advise using newer versions of snort because it recognizes newer attacks. Any security holes in snort will continue to be patched. In other words, if someone discovered today that woody's snort version has a buffer overflow, you can bet that snort will be updated in security within a few days.

Yes, of course. But it is completely irrelevant to my point.

> The key difference here is in the use of the term "security issues". The security release is used to patch holes in a server. The version of snort in stable has no security issues in the sense that installing it does not open you up to attack.

But you'd never know if you were attacked, would you...? :-) YMMV, but using an old NIDS is a security issue by my standards...

> I mean, why are you running a NIDS in the first place? If your system is so rock hard nobody can break in, you don't need it, unless you install it just for the laughs of looking at script kiddies getting spanked by your countermeasures... :-)

That's not why I run a NIDS...

> On a general production server, no. Now think about why: you might have to upgrade lots of dependencies, you might get stuck with incompletely tested software, it's more difficult to maintain security updates. Those are also the arguments used for not arbitrarily upgrading packages in stable!

Exactly! But that's why I addressed this argument in my initial post, re-read it.

> You may find that upgrading to unstable (or a hybrid of unstable packages) is just about ideal for something like an IDS or an antispam server. Machines like that tend to need bleeding-edge software, so almost by definition, they end up running unstable.

Yup, sure, if I could, I'd have that. But I have neither the hosting capacity nor the hardware to do that. I have to settle for a single system for all these things, and I'm sure I'm not alone.

> > Yep, but it is still beside the point: Really good reason for keeping outdated packages in the archive (ok, you provided one above)?
>
> Is the argument that old packages like snort should be removed altogether, or that packages I really find important should be upgraded more aggressively?

No no. Neither, of course. I have not advocated the complete removal of a package. I have just asked the question, what is the point of having a package that you shouldn't use in the archive? There are many things you can do, for example replace it with a well-tested update, or yes, you could remove it, or something entirely different...

> should SpamAssassin be upgraded because I don't want to receive spam that's been catchable for a year?

I've addressed exactly the case of SA in my initial post. It is a completely different matter. SA must be kept up-to-date, indeed, but there are no security issues with using the old package.

> Should PHP be upgraded because I want to be able to serve pages that have been written in a language version supported for the last year (like $_FILES['userfile']['error'] ). Should perl be upgraded because it's a very important language?

No, no, no. Again, this is something I addressed in my initial post, but I'll answer to hopefully clear up some misunderstandings: These packages are usable, and there are no security issues with using them (probably to the contrary). If you want the latest and greatest, you can always do a backport or use somebody else's backport, but you may have to suffer some instability. But nobody is going to tell you that you shouldn't use old versions of PHP or Perl, because they still do the job they were designed to do when they were released.

A NIDS, OTOH, was designed to report known attacks when it was released, and it doesn't do that job anymore, because many more attacks are known. In the worst case, it could result in a successful and not-easy-to-see breakin into your system, that an updated NIDS would trivially catch. These two things are very, very, very different. So, let us get back to this question:

> Also, how do we decide what's important enough to be upgraded immediately?

Well, it is not easy to formulate, but the intent with my post is to initiate some discussion on the point. Let me try a starting point: If a package that harden* depends on (or even recommends) is so outdated the security team finds that it must recommend that users install a backport, then that backport should be included in the next point release.
Update of security-critical outdated packages
Dear all,

It is an issue that's been bugging me for some time, and while I have tried to find good reasons, I have not, so I might as well write them down. I have a lot of respect for the security team, and I don't think I have anything to contribute other than my thoughts, but I'll try to share them.

Many packages in stable are really outdated. After first installing Woody, I first thought that looking at the prospect of waiting one-and-a-half year for the next release would scare me away from Debian. Now that I've grown up a bit more, it doesn't. I'm perfectly fine with using backports for things like KDE. Also, if I was a sysadmin for a lot of boxes, supporting many not-too-savvy users, the release cycle is perfectly reasonable. For a stable system, pinning is not an option, because you'll quite soon have to update things like libc6 if you do.

It's not about that. Backports are fine for most purposes, and I'm fine with the release cycle. It's about a small handful of security-critical packages, like for example Snort. In the case of Snort, the security team has explicitly discouraged people from using the packages available in Woody, see DSA-297. I find it very hard to understand that in the cases where the security team strongly advises an upgrade, that the backported packages are not included in e.g. a point release.

One may argue that such an upgrade will break some poor sysadmin's system, because he didn't expect an upgrade containing new features, or where old features were perhaps deprecated. However, if he had a clue, he wouldn't be using the packages to begin with. If it breaks his system, it was time he got a wake-up call anyway. I can't see that this is a valid argument.

One could also argue that if many packages had to be backported to the old stable architecture, one would introduce instability because of the lack of extensive testing. To this, there are two responses: First of all, using outdated packages doesn't really give you much either, and some instability is perhaps better than a package that gives you a false sense of security. Secondly, it is never going to be a lot of packages. The packages I can think immediately this is important for are snort and chkrootkit. It will probably be at most 1 in a 1000 packages that this concerns. Surely, things like SpamAssassin should be kept up-to-date, but it is a different problem to address, and one that I currently feel is adequately addressed by Norbert's backports.org.

Finally, there is a good argument, I think it was Tom Allison who forwarded it when I brought the issue up on debian-user, that if the backports would depend on an upgrade of other packages, like libc6, the system would soon be unstable. That's a very good point, but as far as I can see, there are working backports of snort and chkrootkit to Woody. In most cases, I would presume, you don't need to upgrade dependencies. An upgrade of a package would then just influence that package.

So, this is just about the very few packages the security team feels are so outdated, one advises people not to use them. For those packages, the question is: What is the advantage of keeping so outdated packages in the archive?

This is somewhat relevant to the point Ryan just raised in his recent post about better apt security with 3rd-party sites, since having outdated packages in the archive makes people use backports from 3rd-party sites, and you don't know the validity of these packages. It seems to me to be a perfect way to trojan a newbie's machines: The newbie hears on debian-user that he must update some of these packages: So, there is a malicious cracker who put a site up with "official updates", and the newbie adds it to his sources.list. Instantly, he gets a version of Snort that ignores attacks and chkrootkit with a rootkit... Even if you could use debsigs, a newbie probably couldn't verify the package anyway, due to the lack of personal WOT. I think it is a rather bad situation.

Again, I'm fine with backports for many packages, and I'm fine with the general release cycle, it's just the small number of critical security-related packages that I feel needs some discussion.

Best,

Kjetil
Re: Update of security-critical outdated packages
On Thursday 15 January 2004 17:33, Rich Puhek wrote:
> Depending on what you're doing, pinning actually can work quite well.

Yup, and I do it on my workstation (not that I understand it, it is rather magic to me).

> Snort is related to your overall system security, yes, but new releases of Snort have to do with your desire to run the latest and greatest release of a package, not with security issues.

Well, that's not how I read DSA-297. I have no desire to run the latest and greatest release of a package on my production server, to the contrary, with the notable exception of SpamAssassin. I would argue that it is only because of security issues I would ever consider upgrading a package on a production server (and mine isn't even in production yet! :-) ).

> it may use snort just because it's handy for detecting strange patterns which could indicate other network problems, etc. It could even have some locally-grown programs that use some snort tools.

OK, valid argument, still, wouldn't it be rather rare compared to actually using it for what it is intended for?

> True, but security issues aren't forcing people to use backports. If they are, they don't understand how Debian handles security.

Again, that's not how I read DSA-297.

> It's kind of off the topic, but if you're concerned about tools like snort, et al., you should be at the experience level where verifying signatures of untrusted packages,

It has nothing to do with experience. Sometimes, you just don't have the WOT needed to verify a package. Most probably, only those who have at some point attended a Debian keysigning party have a WOT suitable for that, and perhaps people who live in an area with many Debian users. In sparsely populated areas like Norway, a good WOT is a real luxury, and one of past year's most luxurious evenings was the Debian keysigning party... :-)

> upgrading to testing|unstable,

You don't want to do that on a production system.

> doing apt-get source, or simply building from a tarball are viable options for you.

Yep, but it is still beside the point: Really good reason for keeping outdated packages in the archive (ok, you provided one above)?

> > Again, I'm fine with backports for many packages, and I'm fine with the general release cycle, it's just the small number of critical security-related packages that I feel needs some discussion.
>
> What's the difference if someone downloads a backport of snort or a backport of a window manager?

Big difference: If the WM is a bit unstable, or it has a bit weird performance at times, I don't care. It's the cost of running unstable software. But if the NIDS fails to recognize an attack that's been known for two years, it is pretty serious.

> Either way, if the backport is evil, you're screwed.

Yup, but that was a side-note.

> IMHO, it's been discussed to death already. Whether you want a brand new version of snort or a new version of KDE is irrelevant to the discussion of upgrades, the same issues still apply.

Well, it may be that it has been discussed to death. I'm rather new here. But I respectfully disagree that the type of package is irrelevant to the discussion. Basically, I'd just like to hear your thoughts, because I really haven't found any good answers.

Best,

Kjetil
Re: another kernel vulnerability
On Monday 05 January 2004 16:38, Thijs Welman wrote:
> This issue has been fixed in the 2.4.24 version (2004-01-05 13:55 UTC)
> Changelog: http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24

Yeah, it seems Marcelo released this to specifically address this issue. Perhaps he has adopted the policy of keeping a separate tree with just critical updates for the cases where things like this happen, so a new kernel can be pushed out the door rapidly. I remember seeing the policy proposal discussed on Kerneltrap some weeks ago.

Anyway, any idea when we will see a kernel-source-2.4.24 package?

Cheers,

Kjetil
Re: 2.4.18-bf2.4 version confusion, patches?
On Sunday 04 January 2004 16:52, kuene wrote:
> only the kernel images are not patched. so the kernel image packages are the only packages with security holes in it. even if you run debian-stable. is this right?

Not quite. In addition to the bf-images, there are a bunch of images that are architecture-specific. Uhm, packages.debian.org is still down, otherwise you could have seen them there. Anyway, do

dpkg -l kernel-image*

and you will at least see that there are a bunch. So, you're supposed to run one of those, and they are patched, and you were supposed to install one first thing after the installation. I don't know where it says so, I can't remember anything from the installation process nor the "Installing Debian GNU/Linux 3.0" guide. I haven't re-read it thoroughly, but there is a section in chapter 9 about compiling a new kernel, but I can't see anything about this, at least not in boldface as it should be... :-)

Cheers,

Kjetil
Re: Attempts to poison bayesian systems
On Monday 29 December 2003 00:12, Karsten M. Self wrote:
> _Random_ padding won't be effective. _Targeted_ padding will be, though spammers would have to target the non-spam keyword list of individual recipients to be highly effective (guessing wrong simply adds to the spamminess of an individual's keyword list).

Indeed. But it underlines the importance that every individual needs to train the filter with his own ham. My previous university has not trained their filters well, and this seems like an effective attack against their filter.

For me, all these messages have been tagged with BAYES_99. However, it seems like SA has no other rules that match these spams, so they seldom get above my reject-at-smtp threshold. Is it possible to make a rule to match this practice?

Best,

Kjetil
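An added illustration (not from the thread) of Karsten's point, using a toy per-user Bayesian filter in Python: tokens the recipient's own filter has never seen carry no evidence, so random padding changes nothing; padding with the recipient's own ham vocabulary does; and once the padded message is trained as spam, the guessed words become spam evidence. The training mail, the spam and the padding words are all constructed.

```python
import math
import re
from collections import Counter

def tokenize(text):
    """Lower-case word tokens; each token counts once per message."""
    return set(re.findall(r"[a-z0-9']+", text.lower()))

class BayesFilter:
    """Minimal per-user Bayesian spam filter with Graham-style token
    probabilities. Tokens never seen in training carry no evidence, which is
    why random padding does nothing against a filter trained on the recipient's
    own mail."""

    def __init__(self):
        self.ham = Counter()
        self.spam = Counter()
        self.nham = 0
        self.nspam = 0

    def train(self, text, is_spam):
        toks = tokenize(text)
        if is_spam:
            self.spam.update(toks)
            self.nspam += 1
        else:
            self.ham.update(toks)
            self.nham += 1

    def token_prob(self, tok):
        """P(spam | token), clamped to [0.01, 0.99]; None for unknown tokens."""
        s, h = self.spam[tok], self.ham[tok]
        if s + h == 0:
            return None
        ps = s / self.nspam if self.nspam else 0.0
        ph = h / self.nham if self.nham else 0.0
        return min(0.99, max(0.01, ps / (ps + ph)))

    def score(self, text):
        """Combined spam probability over the message's known tokens (0.5 if none)."""
        probs = [p for p in map(self.token_prob, sorted(tokenize(text))) if p is not None]
        if not probs:
            return 0.5
        # Combine in log space so long messages do not underflow.
        diff = sum(math.log(1.0 - p) - math.log(p) for p in probs)
        if diff > 700:      # overwhelming ham evidence; exp() would overflow
            return 0.0
        return 1.0 / (1.0 + math.exp(diff))

# Constructed training mail for one recipient: ham in that person's own
# vocabulary, spam in the usual one. None of these are real messages.
USER_HAM = [
    "debian snort package upgrade backport woody",
    "kernel image bf24 patched woody",
    "orienteering ski mountaineer weekend map",
    "astrophysics paper telescope data weekend",
]
USER_SPAM = [
    "viagra cheap pills click here",
    "refinance mortgage lowest rate click",
    "cheap pills online pharmacy offer",
    "lottery winner claim prize click",
]
SPAM = "cheap viagra pills click here"
RANDOM_PAD = "aardvark zephyr quixotic lantern"        # words this user never mails
TARGETED_PAD = "debian snort kernel woody orienteering astrophysics weekend telescope"

def train_user_filter():
    f = BayesFilter()
    for m in USER_HAM:
        f.train(m, False)
    for m in USER_SPAM:
        f.train(m, True)
    return f

def padding_experiment():
    """Scores for the bare spam, the randomly padded and the targeted-padded
    copies, then the spamminess of a random padding word after the recipient
    has trained on the padded message (a wrong guess becomes spam evidence)."""
    f = train_user_filter()
    result = {
        "spam": f.score(SPAM),
        "random_padding": f.score(SPAM + " " + RANDOM_PAD),
        "targeted_padding": f.score(SPAM + " " + TARGETED_PAD),
    }
    f.train(SPAM + " " + RANDOM_PAD, True)
    result["pad_word_after_training"] = f.token_prob("aardvark")
    return result

if __name__ == "__main__":
    for k, v in padding_experiment().items():
        print(f"{k:>24}: {v:.6f}")
```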
Re: have the compromized debian servers been cleaned?
On Friday 05 December 2003 08:22, Mo Zhen Guang wrote:
> Hi, I am going to install a few new debian servers, but I worry about the integrity of the packages because of the incident of compromised debian servers some days ago. Can anybody confirm for me that these servers are clean now?

The server containing the packages was never compromised, so there should be no problem there. According to http://www.wiggy.net/debian/ the servers themselves have been reinstalled, yes.

Best,

Kjetil
Re: Upgrading Kernels...
On Thursday 04 December 2003 18:48, Eric D Nielsen wrote:
> I'm a little confused as to how/when I should upgrade my kernel. I'm not subscribed to this list at present, so please include me in the cc.

OK. I'm a rather new user myself, but to ease the workload on the security team, who already have their hands full, I'll attempt an answer, but I basically just reiterate what I've heard here... :-)

> I'm using the 2.4.18.bf2.4 kernel. I saw that new headers for it were added to the security server recently, but don't know what else is needed. Does the machine need to be rebooted after the apt-get upgrade?

Yep. If you check the recent archives of this list (they are up now, right? I'm on a GPRS link, so I'm not going over to check), you'll see that you're not supposed to be running the bf2.4 kernel; you were supposed to go for a CPU-specific kernel shortly after installation. I must admit that I never saw anything about going for a CPU-specific kernel in the stuff I read when installing... But when I first did it, a friend of mine was telling me "come on, you want your own kernel, own kernels are cool, go for it". So I did...

To the rest of the folks here: does the installation guide (or the installer dialog) tell you to change the kernel?

> I saw that kernel images were provided for some of the other Linux kernels, but not for the bf2.4 variant. Does this mean that the bf2.4 variant is already safe/patched as is, or that the packager/maintainer hasn't gotten to it yet?

As far as I've understood, the idea is that you shouldn't have the bf2.4 variant shortly after installation. I might be wrong, but I got the impression they were not going to be patched.

> I'm a little wary of moving off the bf2.4, it seems to be the only one that likes my network configuration. Several of the machines I need to administer are hard to get local access to, so if the network goes, I'm out of luck.

Yeah, I know how that feels... I've got difficulties physically getting to my main server too. It's a box I had donated; it runs excellently when it is up, but I often have to boot it several times to get it running. Upgrading a kernel implies a reboot (I think), so that's really scary. However, I think you have no option but to plunge into it...

It was mentioned here a couple of days ago that there are certain differences between the bf2.4 kernel and the CPU-specific kernels, in that in the latter some things are compiled as modules rather than into the kernel. ne2k ethernet cards were mentioned specifically. So, there you may have a hint about why you haven't got any of the other kernels working with your network. Loading the modules might fix the problem. I'm certainly not qualified to help you further here, but it is a track you can pursue. Start with one you have physical access to first, of course... :-)

Best,

Kjetil
Re: When will kernel-image-2.4.23 be available ?
On Wednesday 03 December 2003 20:57, Phillip Hofmeister wrote:
> You may wish to look at the make-kpkg (kernel-package) package. It takes your stock 2.4.23 source and makes it into a nice .deb file for you. Note: This option is for those who have a working .config file. Experience in making your own config (make config|menuconfig|xconfig) is recommended.

Yup! An option, I would think, is copying the appropriate config from /usr/share/kernel-package/Config (after installation of kernel-package, of course) to .config in the dir where you unpack the kernel sources. Then start the config, disable all the things you know you don't need, and perhaps compile some much-used stuff into the kernel rather than as modules. Then, there's a really good howto at newbiedocs on sourceforge (no, I don't have the URL handy, I'm connected through a mobile phone... :-) ).

Cheers,

Kjetil
Re: Improved Debian Project Emergency Communications (was Re: communication structures crumbled)
On Friday 28 November 2003 13:14, Karsten M. Self wrote:
> That announcement wasn't delivered for all users until _after_ murphy was resurrected. I myself got the debian-security-announce message mailed Nov 21 on 25 Nov 2003 15:16:56 -0800.

Hm, I got that late too, but the (unsigned) announcement got to debian-announce before the takedown.

> First I want to say that the Debian project, in extremely adverse circumstances, comported itself well, disseminated information, if not fully effectively, well beyond its nominal capacity with both web and email services offline. Disclosures were timely, informative, and helpful, while restraining themselves to established facts and working within constraints of an as yet ongoing investigation. Very few organizations can claim as much. Not only this, but it appears at this point that the crown jewels -- the Debian archives and mirrored distribution points themselves -- were _not_ compromised. Commendable.

Absolutely!

> I'll disagree with Martin's comment that the server compromise didn't constitute a security issue despite the lack of an archive compromise. Security affecting Debian servers _potentially_ affects Debian packages.

Yes, and I think the point needs emphasis that even if the archives are not compromised, what has happened to the Debian servers is very relevant to the security of all Debian users. My first thought when I heard about the compromise was "ouch, that probably means I'm vulnerable too". I considered for a moment taking my main server offline. The problem is of course that we all run much of the same software that is on the Debian machines. Unless there is something generic that is a known problem (such as a sniffed password), or something that is special to one of the servers (e.g. BTS), the attacker might be able to use the attack he used on the Debian servers on pretty much _any_ Debian box. That's really scary. I learnt on /. that it had been a password compromise, so that meant it was in the generic class of problems. We're always vulnerable to that. But we're all likely to be vulnerable to the local exploit used to gain root. Besides, it was /. :-)

For these reasons, I think it is fair to say that any compromise on the Debian servers is very relevant to the security of all users. And that was the information I was missing earlier: to what extent I would myself be vulnerable. Also, I'm not a regular IRC user, so it didn't occur to me at the time that it was an alternative for gathering information. Besides, how is it with signatures on IRC?

Best,

Kjetil
Re: Uhm, so, what happened...?
On Tuesday 25 November 2003 13:29, Alan James wrote:
> On Tue, 25 Nov 2003 12:09:11 +0100, Kjetil Kjernsmo [EMAIL PROTECTED] wrote:
> > I bet there are a lot of users running around scared, not knowing what to do really... Any advice for us??
>
> Keep your eye on http://www.wiggy.net/debian/status/ Expect more details to appear there in a day or two.

Yeah, nice summary, but it really doesn't address the issue: am I vulnerable to the same attack as was used to break in? Even if the answer is "we don't know", it would be nice to hear somebody say that, and then say something more elaborate about what the unknowns are.

Cheers,

Kjetil
Uhm, so, what happened...?
Hi!

It seems that something is up now? Just got a bunch of posts on debian-user, and got myself subscribed here again... The mailing list archives don't seem to be up, and therefore I can't check what you guys discussed before it all went offline. The announcement contained little information as to how the break-in was done, so my first thought was "ouch, then I'm probably vulnerable too, since I run the same software", so I ran off to iptable all open ports... Then I read on /. that it was a password compromise. Then, I wouldn't be vulnerable, or always vulnerable, depending on how you see it... But I mean, /.! :-)

I bet there are a lot of users running around scared, not knowing what to do really... Any advice for us??

Best,

Kjetil
unsubscribe
Vennlig Tiddeli-bom,

Kjetil
Re: unsubscribe
On Sunday 07 September 2003 18:59, Kjetil Kjernsmo wrote:
> To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".

Damn, damn, damn! I can't believe I actually did this. Me, who gets so irritated by people who don't manage to read the final couple of lines... Oh well, that's what I get for rushing it... I hope I'm not adding to the noise; I just wish to apologize to everyone. I'm sorry!

Best,

Kjetil
Re: Simple e-mail virus scanner
On Tuesday 19 August 2003 23:42, Noah L. Meyerhans wrote:
> After getting sick of all the virus crap in my inbox I installed the

Thanks, that looks interesting! I'm using the Debian Stable Exim packages too, so I guess this is something I can just cut'n'paste in! :-) And it seems I really need it now... My server is getting hammered badly, and when fetching my e-mail this morning, my POP client timed out three times before I got it...

This filter will reject at SMTP time, right? One question there: who gets the bounce? I'm getting a whole lot of bounces, and I don't want to bother anyone else with bounces that go to the wrong person...

Cheers,

Kjetil
Re: Simple e-mail virus scanner
On Wednesday 20 August 2003 17:05, Jay Kline wrote:
> > The mail server that sent the bounce. This is called a double bounce. Correct me if this is wrong ...
>
> Yes, it goes back to the server doing the sending. It's a double bounce when the bounce message itself bounces. I don't know how this virus is propagating itself, but I would imagine that if it does the sending itself, rejecting at the initial smtp session would not result in a double bounce. However, if it uses some relay (that it either set up itself, or found on a network, etc) and used forged headers, then it will go to some unsuspecting person (whoever is in the headers).

I've examined a few messages I've got now, and none of them had been through any relays. In fact, they had all been sent directly from dialups or *DSL users. Here are the headers of an example:

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian))
    id 19pYJ2-0007EM-00
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200
Received: from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY)
    by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian))
    id 19pYIZ-0007E7-00
    for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Wicked screensaver
Date: Wed, 20 Aug 2003 14:07:06 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=_NextPart_000_000FCE03
Message-Id: [EMAIL PROTECTED]

(BTW, don't send anything to the [EMAIL PROTECTED] address, ever. It is intended as a spamtrap... Unfortunately, viruses like this limit its usefulness as a spamtrap; that's one of the reasons I want to filter this before going to SpamAssassin.)

OK, so if I get this correctly, a double bounce would result in me getting the bounce, but that's unlikely to occur. But it is still not clear to me who gets the bounce; it would be the sender on the envelope, but that's [EMAIL PROTECTED] in this case, right? And that's something I wouldn't want to happen...

Best,

Kjetil
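As an added example (not code from the list, from Exim or from SpamAssassin), here is a small Python check of the delivery pattern described in the message above: mail handed to our MTA directly by a dialup/DSL host, with no relay in between and a HELO that does not match the connecting host. It parses the Exim-style Received: lines quoted above plus a constructed relayed counter-example; the local MTA name and the rDNS patterns are assumptions.

```python
"""Classify how a message reached our MTA from its Received: headers.

Heuristic only: it records the flags a post-delivery analysis would
raise, the same facts an SMTP-time policy would see in the connecting
IP, its rDNS and the HELO name. Rejecting at that point means our MTA
never generates a bounce of its own.
"""
import re

# The two Received: lines quoted in the thread, newest first (the local
# re-injection line carries no IP and is skipped by the parser).
RECEIVED_HEADERS = [
    "from mail by pooh.kjernsmo.net with spam-scanned (Exim 3.35 #1 (Debian)) "
    "id 19pYJ2-0007EM-00 for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:40 +0200",
    "from ppp-67-67-194-5.dsl.austtx.swbell.net ([67.67.194.5] helo=WILLNCANDY) "
    "by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian)) "
    "id 19pYIZ-0007E7-00 for [EMAIL PROTECTED]; Wed, 20 Aug 2003 21:07:14 +0200",
]

# Constructed counter-example: the same MTA receiving mail via a relay.
RELAYED_HEADERS = [
    "from relay.example.net ([192.0.2.10] helo=relay.example.net) "
    "by pooh.kjernsmo.net with esmtp (Exim 3.35 #1 (Debian)) "
    "id 19qAAA-0001AA-00 for [EMAIL PROTECTED]; Thu, 21 Aug 2003 09:00:05 +0200",
    "from desk.example.net ([192.0.2.55] helo=desk.example.net) "
    "by relay.example.net with esmtp id 19qAAA-0000ZZ-00; "
    "Thu, 21 Aug 2003 09:00:01 +0200",
]

LOCAL_HOSTS = {"pooh.kjernsmo.net"}  # assumption: our own MTA(s)

# rDNS fragments typical of dynamically assigned consumer addresses (assumed list).
DYNAMIC_RDNS = re.compile(
    r"(^|[.-])(ppp|dsl|adsl|dialup|dial|dyn|dhcp|cable|pool)([.-]|$)", re.I)

# Exim's "from <rdns> ([<ip>] helo=<helo>) by <host>" shape.
HOP_RE = re.compile(
    r"from\s+(?P<rdns>\S+)\s+\(\[(?P<ip>[0-9.]+)\]"
    r"(?:\s+helo=(?P<helo>[^\s)]+))?\)\s+by\s+(?P<by>\S+)", re.I)


def parse_hops(received):
    """Return the SMTP hops that carry an IP, newest first, as dicts."""
    hops = []
    for line in received:
        m = HOP_RE.search(line)
        if m:
            hops.append(m.groupdict())
    return hops


def entry_hop(received):
    """The hop at which the message entered a LOCAL_HOSTS MTA, plus any
    older hops recorded before that (i.e. relays the message passed)."""
    hops = parse_hops(received)
    for i in range(len(hops) - 1, -1, -1):        # walk from the oldest hop
        if hops[i]["by"].lower() in LOCAL_HOSTS:
            return hops[i], hops[i + 1:]
    return None, []


def assess(received):
    """Flag the delivery pattern the thread describes; heuristic only."""
    hop, older = entry_hop(received)
    if hop is None:
        return {"verdict": "no-external-hop", "flags": []}
    rdns, helo = hop["rdns"], hop["helo"] or ""
    flags = []
    if DYNAMIC_RDNS.search(rdns):
        flags.append("dynamic-rdns")          # looks like a dialup/DSL host
    if helo and helo.lower() != rdns.lower():
        flags.append("helo-mismatch")         # HELO is not the connecting host
    if helo and "." not in helo:
        flags.append("helo-not-fqdn")         # bare machine name, no domain
    relayed = len(older) > 0                  # went through another MTA first
    verdict = "suspicious" if len(flags) >= 2 and not relayed else "ok"
    return {"ip": hop["ip"], "rdns": rdns, "helo": helo,
            "relayed": relayed, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for name, hdrs in (("quoted", RECEIVED_HEADERS), ("relayed", RELAYED_HEADERS)):
        print(name, assess(hdrs))
```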
Simple e-mail virus scanner
Dear all,

I guess I'm not really looking for a security solution, but I guess you folks are the most likely to know, so I'll try here... In the last couple of hours, I've got about 25 100KB copies of the recent Sobig.f M$ virus, along with about the same number of bogus "there was a virus in an e-mail you sent" messages. It would be really great to be able to filter those out so that I don't need to see them, that is, get them in a folder I can clean out now and then. But I don't want to run a full-scale virus scanner, because for the time being, I really don't need any, as no e-mail is read on an MS machine here. I figured most viruses should be detectable by using simple regexes, right? So, a simple scanner that looks for a number of regexes available from a repository could do the trick...? Or perhaps use something like Vipul's Razor for this kind of stuff...? So, I'm wondering, does anybody know about any such approach?

Cheers,

Kjetil
Passwordless Authentication (was Re: How to reduce sid security)
On Friday 01 August 2003 04:10, Peter Cordes wrote:
> You should use ssh-keygen to create a keypair on each machine, and copy the public key from the machine you generated it on to the other machine. This allows quick passwordless authentication.

I've tried to do this many times, but I've failed... Is there a "Very Verbose Guide to Passwordless Authentication with SSH" somewhere...? :-)

Best,

Kjetil
Re: XP box inside the firewall
On Wednesday 30 July 2003 23:44, Jeff wrote:
> You can set the notebook on a different network. Put the firewall/router on that network with another nic. It's the principle of a dmz... By putting the notebook on another network, and prohibiting access from that network to the internal network, you can keep your internal systems safer...

Yeah, actually, I had been thinking about it. I recently got an old 3Com ISA card for NOK 5 (~ USD 0.7), so I think I could insert another NIC. They talked about having a Wi-Fi base station, so I thought I'd keep it open but on a separate NIC so I can see what is going through there. That's what I intended to use it for. But when you mention it, treating the Windows box as a random machine trying to connect, that may be a good idea.

> This is a good option. In addition, or even instead of this, educate your parents about your security concerns. Assuming that you trust your parents, education could be the simplest solution.

Well, I think the concern is mostly having a Windows box on the inside, because it is not an option for them to not open attachments in mails they receive. Thus far, it has been relatively easy to identify e-mails with viruses, but it is not difficult to envision a virus coming piggyback on an attachment you do expect from a sender you usually trust, and I think it is quite unlikely that there isn't a vulnerability in e.g. Word that can be exploited to make Word execute a script in a Word file regardless of whether it is disabled. So, my education of them has been pretty much "be aware that this box can easily be exploited; therefore, make sure there is nothing on that box that you would want to keep to yourself, and nothing that is not stored on the Linux workstation". Then, I have taken it upon myself to make sure that the box will not hurt the internal network or the rest of the Internet.

Cheers,

Kjetil
Passwordless Authentication (was Re: How to reduce sid security)
On Friday 01 August 2003 04:10, Peter Cordes wrote:

> You should use ssh-keygen to create a keypair on each machine, and copy the
> public key from the machine you generated it on to the other machine. This
> allows quick passwordless authentication.

I've tried to do this many times, but I've failed... Is there a Very Verbose
Guide to Passwordless Authentication with SSH somewhere...? :-)

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
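The procedure Peter describes, carried through on the receiving side as an added example (my own code, not from the thread): it installs a public key into an account's authorized_keys and then checks the one thing that most often makes key login silently fall back to a password prompt, namely permissions. The key type, the file names and the scratch "home" directory are assumptions for the demo; sshd is assumed to run with its default StrictModes=yes.

```sh
#!/bin/sh
# Added example (not from the thread): the server-side half of key-based SSH
# login, i.e. what "copy the public key to the other machine" has to get right.
# Assumes OpenSSH with the default StrictModes=yes, which refuses key auth
# when ~, ~/.ssh or ~/.ssh/authorized_keys is group- or world-writable.
set -eu

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends one public key to SSH_DIR/authorized_keys (only if not already
# present) and sets the modes sshd expects: 700 on the dir, 600 on the file.
install_pubkey() {
    pub=$1; dir=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    # a key line is "<type> <base64> [comment]"; compare on the first two
    # fields so the same key with a different comment is still recognised
    key=$(awk 'NR == 1 { print $1 " " $2 }' "$pub")
    if ! awk -v k="$key" '($1 " " $2) == k { found = 1 } END { exit !found }' \
            "$dir/authorized_keys"; then
        cat "$pub" >> "$dir/authorized_keys"
    fi
}

# check_ssh_perms HOME_DIR
# Prints every path in the authorized_keys chain that is group/world writable
# and returns 1 if there is any; this is the usual reason "it just asks for a
# password anyway".
check_ssh_perms() {
    home=$1; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "group/world writable: $p"
            bad=1
        fi
    done
    return $bad
}

# Demo in a scratch directory standing in for the remote account's home.
work=$(mktemp -d)
if command -v ssh-keygen >/dev/null 2>&1; then
    # client side: generate the keypair; -N '' gives an unencrypted key, use
    # a passphrase plus ssh-agent on a real workstation
    ssh-keygen -q -t ed25519 -N '' -f "$work/id_ed25519" -C "kjetil@workstation"
else
    # constructed placeholder, not a real key, so the demo still runs
    echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEY kjetil@workstation" \
        > "$work/id_ed25519.pub"
fi
mkdir -p "$work/home"
chmod 755 "$work/home"
install_pubkey "$work/id_ed25519.pub" "$work/home/.ssh"
install_pubkey "$work/id_ed25519.pub" "$work/home/.ssh"   # idempotent: no duplicate line
check_ssh_perms "$work/home" && echo "permissions OK: $(cat "$work/home/.ssh/authorized_keys")"
```

If the check passes and the server still asks for a password, `ssh -v` on the client shows which key was offered and whether the server rejected it, and the server's auth log says why (wrong account, PubkeyAuthentication off, or a home directory sshd considers unsafe).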
Re: XP box inside the firewall
On Wednesday 30 July 2003 23:44, Jeff wrote:

> You can set the notebook on a different network. Put the firewall/router on
> that network with another nic. It's the principle of a dmz... By putting the
> notebook on another network, and prohibiting access from that network to the
> internal network, you can keep your internal systems safer...

Yeah, actually, I had been thinking about it. I recently got an old 3Com ISA
card for NOK 5 (~ USD 0.7), so I think I could insert another NIC. They talked
about having a Wi-Fi base station, so I thought I'd keep it open but on a
separate NIC so I can see what is going through there. That's what I intended
to use it for. But when you mention it, treating the Windows box as a random
machine trying to connect, that may be a good idea.

> This is a good option. In addition, or even instead of this, educate your
> parents about your security concerns. Assuming that you trust your parents,
> education could be the simplest solution.

Well, I think the concern is mostly having a Windows box on the inside, because
it is not an option for them to not open attachments in mails they receive.
Thus far, it has been relatively easy to identify e-mails with viruses, but it
is not difficult to envision a virus coming piggyback on an attachment you do
expect from a sender you usually trust, and I think it is quite unlikely that
there isn't a vulnerability in e.g. Word that can be exploited to make Word
execute a script in a Word file regardless of whether it is disabled. So, my
education of them has been pretty much "be aware that this box can easily be
exploited, therefore make sure there is nothing on that box that you would
want to keep to yourself, and nothing that is not stored on the Linux
workstation". Then, I have taken it upon myself to make sure that the box will
not hurt the internal network or the rest of the Internet.

Cheers,

Kjetil
XP box inside the firewall
Hi all!

It seems I have to have a Windows XP box inside the firewall for some time to
come... :-( (It's not my network, it's my parents', and they have a laptop with
XP; their workstation is already on Woody).

What I'm worried about is that someone may get into the XP box (by sending a
trojan by e-mail, for example), and so have something on the inside they can
use to take down the rest of the network. It would be a lot more serious if
they got to the workstation or the router/firewall itself, because they are
almost always on. My parents know that they shouldn't have anything of value
on the laptop as long as it is running XP.

The question is really if I could do something in the firewall that would help
isolate the XP box somewhat. Closing outgoing ports (input ports are all
closed), dropping certain types of packets, or something like that? Any ideas?

Cheers,

Kjetil
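An added example (my own, not from the thread) of the separate-NIC layout Jeff describes in his reply, written as an iptables script for the Debian router: the untrusted segment can reach the Internet on a short list of ports and nothing else, while any attempt towards the internal LAN or the router itself is logged and dropped, which also answers the "closing outgoing ports" question. The interface names eth2/eth0 and the 192.168.1.0/24 LAN are assumptions; the script only prints the commands unless it is run as root with IPT=iptables.

```sh
#!/bin/sh
# Added example (not from the thread): iptables policy for an untrusted host
# hung off its own NIC on the Debian router. By default it only prints the
# commands; run as root with IPT=iptables to apply them. Interface names
# and the internal subnet are assumptions for the demo.
IPT=${IPT:-echo iptables}

# isolate_segment UNTRUSTED_IF INTERNET_IF INTERNAL_NET
#   UNTRUSTED_IF  NIC the XP box hangs off (e.g. the old 3Com card)
#   INTERNET_IF   upstream interface
#   INTERNAL_NET  the LAN the box must not reach, e.g. 192.168.1.0/24
# Outbound from the untrusted segment is allowed only on the ports in
# TCP_OUT (plus DNS); everything else it originates is logged and dropped,
# which is also what makes a worm on that box visible in the log.
isolate_segment() {
    dmz=$1; wan=$2; lan=$3
    TCP_OUT=${TCP_OUT:-"80 443 25 110"}

    # replies to connections opened from the inside may pass either way
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the untrusted box may not start anything towards the internal LAN...
    $IPT -A FORWARD -i "$dmz" -d "$lan" -j LOG --log-prefix "dmz->lan: "
    $IPT -A FORWARD -i "$dmz" -d "$lan" -j DROP
    # ...nor towards the router itself (DNS excepted, if the router resolves for it)
    $IPT -A INPUT -i "$dmz" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$dmz" -m state --state NEW -j DROP

    # allowed outbound services, Internet side only
    for port in $TCP_OUT; do
        $IPT -A FORWARD -i "$dmz" -o "$wan" -p tcp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$dmz" -o "$wan" -p udp --dport 53 -j ACCEPT

    # everything else the box originates: log (rate-limited), then drop
    $IPT -A FORWARD -i "$dmz" -m limit --limit 10/min -j LOG --log-prefix "dmz-out: "
    $IPT -A FORWARD -i "$dmz" -j DROP
}

isolate_segment eth2 eth0 192.168.1.0/24
```

Everything the laptop originates that is not on the allowed list ends up in the kernel log with the `dmz-out:` prefix, so a worm scanning from it shows up there rather than on the LAN. Hook the script into the router's interface bring-up (an `up` line in /etc/network/interfaces) or a boot script; the Securing Debian Manual section cited in the "Where to install the firewall scripts" thread on this page covers the choices.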
Re: Removing invalid keys from keyring
On Thursday 27 March 2003 08:53, Lars Ellenberg wrote:

> On Wed, Mar 26, 2003 at 05:28:35PM +0100, Kjetil Kjernsmo wrote:
>> Is there a way to remove revoked/expired and otherwise invalid or useless
>> keys from a GPG keyring, in batch?
>
> well, I do not know how to automatically list only invalid keys.

OK.

> #
> # edit that file, _delete_ every line corresponding to a _valid_ key
> #

Eh, well, that's really the issue. For with 4500 keys in that file, that is
going to take a long time... :-) So, that is the part that needs
automagicallization...

Cheers,

Kjetil
Removing invalid keys from keyring
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I guess this question might be more suited on gnupg-users, but as I'm not
subscribed to that list, I hope you can forgive me for asking here... It is a
really short question...

Is there a way to remove revoked/expired and otherwise invalid or useless keys
from a GPG keyring, in batch? I once downloaded the 4500 keys that were
closest to me, but many of them are invalid now, and I'd like to remove those
in a quick way? Are there possibly any scripts lying around?

Cheers,

Kjetil

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+gdVUlE/Gp2pqC7wRAuMfAJ0S6ZCqvbwqOWvniKll0VS2yFJ3GACdH7O5
n1/6EF0XsnD3E7QuCduh/WQ=
=Q6Zm
-----END PGP SIGNATURE-----
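Batch removal of the keys asked about here and in the follow-up with Lars, as an added example that is my own and not from the thread: instead of deleting the lines for valid keys by hand, it takes GnuPG's --with-colons listing, selects primary keys whose validity field says revoked, expired or invalid, and feeds their fingerprints to --delete-keys. The sample listing is constructed with fake keys; --with-fingerprint is passed so the fpr records are present on old GnuPG 1.2 as well as current versions.

```sh
#!/bin/sh
# Added example (not from the thread): batch removal of revoked, expired and
# invalid keys from a GnuPG public keyring, driven by the machine-readable
# --with-colons listing instead of hand-editing a 4500-line key list.

# useless_keys: reads "gpg --with-colons --with-fingerprint --list-keys"
# output on stdin and prints the fingerprint of every primary key whose
# validity field (column 2 of the "pub" record) is
#     r = revoked, e = expired, i = invalid
# Only the "pub" record decides: an expired or revoked *subkey* (the "sub"
# record) does not mark the primary key, since that key is still usable.
useless_keys() {
    awk -F: '
        $1 == "pub" { doomed = ($2 ~ /^[rei]$/) }
        $1 == "sub" { doomed = 0 }
        $1 == "fpr" && doomed { print $10; doomed = 0 }
    '
}

# purge_keys: list, select, delete. DRY_RUN=1 (the default) only reports.
# --delete-keys refuses a key that also has a secret key in the ring, so your
# own revoked/expired keys survive this and must be handled by hand.
purge_keys() {
    gpg --batch --with-colons --with-fingerprint --list-keys | useless_keys |
    while read -r fpr; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would delete $fpr"
        else
            gpg --batch --yes --delete-keys "$fpr"
        fi
    done
}

# Constructed sample listing in gpg --with-colons format; the keys are fake.
sample_listing() {
    cat <<'EOF'
tru::1:1037999999:0:3:1:5
pub:-:1024:17:0123456789ABCDEF:2001-05-01::-:Good Key <good@example.org>::scESC:
fpr:::::::::1111111111111111111111111111111111111111:
sub:e:1024:16:0011223344556677:2001-05-01:2002-05-01:::::e:
pub:e:1024:17:FEDCBA9876543210:1999-01-01:2001-01-01:-:Expired Key <old@example.org>::scESC:
fpr:::::::::2222222222222222222222222222222222222222:
pub:r:1024:17:0BADC0DE0BADC0DE:2000-01-01::-:Revoked Key <gone@example.org>::scESC:
fpr:::::::::3333333333333333333333333333333333333333:
pub:i:1024:17:1234123412341234:2000-01-01::-:Invalid Key <bad@example.org>::scESC:
fpr:::::::::4444444444444444444444444444444444444444:
EOF
}

sample_listing | useless_keys
```

Run purge_keys once with the default DRY_RUN=1 and read the list before setting DRY_RUN=0. "Invalid" here is GnuPG's own judgement (broken self-signature, unusable algorithm and the like), not a trust level: keys that are merely untrusted keep validity "-" or "q" and are left alone.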
Re: is iptables enough?
Hi!

On Wednesday 19 March 2003 20:44, Jones wrote:

> Am I right in assuming that iptables is enough as a firewall solution and
> that I would not need to buy any additional software.

Well, I'm primarily responding to your second question, but the way I would do
it, if I had the resources, would be to get a small Pentium 133 MHz box,
booting from a floppy, and use it as a router and firewall. No harddrive, a
complete wasteland. But then, I'm really a newbie in all this, so you might
want to listen to the pros... :-)

> Most of them are 1.x GHz Pentium systems with 256MB RAM and 10 GB IDE hard
> drives. After increasing the RAM to 512MB, I think this should be more than
> adequate for a system doing nothing but HTTP and SMTP/POP requests.

My main server is a Pentium Pro 180 MHz with 96 MB RAM. It gets a lot of
e-mail, and has a whole bunch of mailing lists distributing many hundred
messages a day. It had some problems when it was overwhelmed by an old Mailman
bug that resulted in it receiving a few ~200 KB messages a second, and tried
to scan all those with SpamAssassin (it took me half an hour to type reboot
:-) ), but other than that, the CPU is mostly idle. Also, I tried to run
Apache Cocoon on it; it worked, but it clearly had too little RAM for that. If
you plan to run Cocoon, then 512 MB would be nice, but similar solutions, like
AxKit, demand much less. So, I think you would be fine with a much smaller box
than that, but a 1 GHz with 256 MB is cool, if that is what you've got.

Cheers,

Kjetil
Re: is iptables enough?
On Wednesday 19 March 2003 22:58, Rick Moen wrote:

> You could do that with Linux Router Project floppy images -- but booting from
> floppy is really cramped. Through some miracle of economising on space, they
> finally migrated to libc6 and kernel 2.2.x, but God only knows how.

Hehe...

> Using a CDR gives you a lot more space.

Bah, bloatware! ;-)

I'm using Coyote Linux [1] in the only place I currently require a router;
works great. Indeed based on LRP. But then, it doesn't have things like snort
or tiger, which, I guess, is a requirement for some. Personally, I have a
problem with all the information generated by those... I just don't have time
to deal with it. Keeping it at an absolute minimum seemed like a good idea in
that position, as I guess when having more stuff that can break, more stuff
will break...

I looked at PicoBSD [2] too, just to insert some non-uniformity in the network,
but couldn't make too much sense of it...

[1] http://www.coyotelinux.com/
[2] http://people.freebsd.org/~picobsd/picobsd.html

Cheers,

Kjetil
Re: security.debian.org down?
On Monday 10 March 2003 21:41, Jeremy Drake wrote:

> I can ping security.debian.org, but cannot use http or ftp. It just hangs.
> non-us.debian.org is the same box, and having the same troubles. Is this
> just me?

AOL... No response on port 80. I'm in Oslo, Norway.

Best,

Kjetil
Re: Bug #173254 Submitted: Snort In Stable Unusable
On Tuesday 17 December 2002 10:36, Sander Smeenk wrote:

> A prospective user wants an IDS so he/she does 'apt-cache search intrusion
> detection', sees 'snort - lightweight intrusion detection system' and decides
> to install it. At least, that is what I have seen most people doing.

*raises hand*

I'm wondering, could it be an idea to have a fast-moving archive for things
like SpamAssassin rules, Nessus plugins, Snort signatures, perhaps virus
signatures in the future, etc.? Has there been any discussion on such a topic?
That way, one could package these things in separate packages, which are made
available in a separate archive, and people can apt-get them from there as
they do with security updates. Just a thought.

Best,

Kjetil
Re: Where to install the firewall scripts
On Saturday 14 December 2002 22:53, bong sabolboro wrote:

> I am currently implementing a firewall using a notebook and Debian Woody.
> What is the best place to put the firewall rules that I want implemented for
> my local setup?

Check out the Securing Debian Manual, specifically section 5.14.3.1:
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup
(wow, that has been updated since I did this... :-) )

Cheers,

Kjetil
Re: test of non-subscribed user
On Monday 02 December 2002 18:11, Nathan E Norman wrote:

> Some people[1] report non-spam as spam to razor. For example, several
> security announcements from Debian have found their way into the razor
> database. This is obviously stupid.
>
> [1] At least, we think they are people, but the level of intelligence
> demonstrated leaves room for doubt.

Uhm, could they be *gasp* spammers? I mean, it is the obvious way to attack
razor: by adding high-distribution legitimate and important e-mail to the
database, you can defeat razor since it would drastically reduce the value of
the system? If this is true, it could also account for the obvious lack of
intelligence... :-)

Best,

Kjetil
Re: test of non-subscribed user
On Monday 02 December 2002 18:25, Raymond Wood wrote:

> OK, so the problem is not with reporting genuine Spam to Razor; rather the
> problem is with incorrectly reporting legitimate email as Spam to Razor?

Right! And, if they are not spammers who do this (see my other mail), then it
might well be somebody who is sending legitimate e-mail to Razor,
automatically, which is Really Bad[tm]. They probably do this on the basis of
some spamfilter, and do it only for high scores. However, the problem is that
every spamfilter necessarily has false positives. For higher scores, they are
fewer than for lower, but they're still there. Razor addresses this, but only
if one can be positive there is _only_ spam that goes there. If Razor gets
legitimate mail from filters, then Razor will be no better than the worst
filter that does this. So, those who forward mail to Razor by automatic means
are really defeating the purpose of Razor.

Of course, you may set up troll-boxes that never will get legitimate e-mail,
and forward the stuff you get there to Razor. I have planned to do that.
(Aside: I do that by having a line <link rel="NeverEMail"
href="mailto:[EMAIL PROTECTED]"> in many web pages, and that works
excellently; this address is harvested and spammed, and when that happens, the
intention is that subsequent mail is stopped. This markup may not work in the
future, though, as more User Agents start to support the link element.)

This is why I think it may be spammers who actually do this; it is easy to see
that spammers can drastically reduce the value of Razor by sending it large
amounts of legitimate e-mail from the lists that Razor-users would normally
use. I hear that the new Razor has some trust-model that may be able to
address this.

Actually, I think we're in an arms race with the spammers that requires the
spam-tools to be updated more frequently than the normal release-cycle would
accommodate, but that's another story.

Cheers,

Kjetil
Spammers using a non-existent address as return-path
Dear all,

I have just received a spam complaint, and unfortunately, some spammers have
been using an address on one of my domains in their Return-Path and From
headers. How nice of them :-( . This address has never existed.

I'm using the Exim packages from Woody. For quite some time, I have seen it
show up in my server logs (I'm rotating them too often, I guess, and I don't
remember exactly what I have seen long ago), but recently I have seen things
like:

2002-11-15 01:48:08 verify failed for SMTP recipient [EMAIL PROTECTED] from H=mta458.mail.yahoo.com [216.136.130.123]

I allow VRFY, and most of these come from yahoo.com or hotmail.com; I guess
that has to do with spam filters they use. This address is probably getting a
lot of bounces, which are then bounced off my server, and I don't want to
waste my resources with accepting those; all in all I want to conserve as much
as I can.

But, is there something I _should_ do in this situation, like including some
text in the bounce saying that this address has never existed, and is being
abused by spammers? If yes, _how_ should I do it?

I hope this is the right forum to ask...

Cheers,

Kjetil
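An added example (my own, not from the thread) that reads an Exim main log for the line shape quoted above and answers the two questions behind this mail: which local addresses are being probed, and from where. The field positions are those of the page's own log line; the sample lines in the block are constructed, with documentation addresses and made-up host names.

```sh
#!/bin/sh
# Added example (not from the thread): triage of an Exim main log when a
# forged sender address on your domain is drawing verification probes and
# bounces. Works on the "verify failed for SMTP recipient" line format
# shown in the mail; the sample lines below are constructed.

# verify_failures < mainlog
# Number of failed recipient verifications per local address, most first.
# On that log line field 8 is the recipient, field 10 is "H=<remote host>".
verify_failures() {
    awk '/verify failed for SMTP recipient/ { n[$8]++ }
         END { for (a in n) print n[a], a }' | sort -rn
}

# sources_for ADDRESS < mainlog
# Which remote hosts keep asking about one address, most first.
sources_for() {
    awk -v addr="$1" '/verify failed for SMTP recipient/ && $8 == addr {
             sub(/^H=/, "", $10); n[$10]++ }
         END { for (h in n) print n[h], h }' | sort -rn
}

# backscatter_targets THRESHOLD < mainlog
# Addresses probed at least THRESHOLD times: candidates for a forged-sender
# incident rather than ordinary typos in somebody's address book.
backscatter_targets() {
    verify_failures | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed log excerpt (documentation address ranges, fake hosts).
sample_log() {
    cat <<'EOF'
2002-11-15 01:48:08 verify failed for SMTP recipient nobody-here@example.org from H=mta1.mail.example.net [192.0.2.17]
2002-11-15 01:49:12 verify failed for SMTP recipient nobody-here@example.org from H=mta2.mail.example.net [192.0.2.18]
2002-11-15 02:03:55 verify failed for SMTP recipient postmaser@example.org from H=smtp.example.com [198.51.100.9]
2002-11-15 02:10:00 18Cf2x-0001Ab-00 <= sender@example.com H=smtp.example.com [198.51.100.9] P=esmtp S=1234
2002-11-15 02:11:41 verify failed for SMTP recipient nobody-here@example.org from H=mx.example.edu [203.0.113.5]
EOF
}

sample_log | verify_failures
sample_log | sources_for nobody-here@example.org
```

Rejecting at RCPT time, which "verify failed" shows Exim already doing, is what keeps the backscatter off the queue; the counts tell whether the forged address is still in use, and a burst from one host is what goes into an abuse report, with those lines attached.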
Re: Spammers using a non-existent address as return-path
On Monday 25 November 2002 23:05, you wrote:

> I don't want to teach you to suck eggs, but I would suggest this test is run
> as an independent way to verify you're safe. I always run it after a
> sendmail change, as I pay for volume personally and at 2 gig+ a day a spam
> hit would do to me would break me financially.

Oh, that's not the problem. My box doesn't relay (that is, it relays for the
IP of my workstation and for the computer of my parents), and I've had ORDB
checking it. It is just that somebody has forged an address which happens to
have my domain name in it, so I risk getting some trouble with it.

Thanks for the reply anyway!

Best,

Kjetil
Re: Debian kernel update?
On Tuesday 19 November 2002 09:43, Johann Spies wrote:

> Can we expect something similar from Debian? Or if not, how can we protect
> our systems in another way?

I don't know much about the issues involved, but I have noted that 2.4.20-rc2
is out, and if I understand the changelogs right (which I may not, since I'm a
newbie and not a kernel hacker... :-) ), the problem was fixed in this
prerelease. Personally, I'm dropping by kernel.org every other day now hoping
to see 2.4.20 released. I need to reconfigure a couple of things in the kernel
anyway, but I might as well do it in this release.

Cheers,

Kjetil
Re: spam
On Tuesday 12 November 2002 11:21, Tim Haynes wrote:
> What I'd really like is to read through the body of the text and then have the MTA (exim in particular) run the mail by bogofilter, and then reject at the very end: `200 Message accepted for delivery', yeah *right*. Anyone got any HOWTOs for this with exim? :)

Isn't this just about what Marc does with Exim and Spamassassin...?
http://marc.merlins.org/linux/exim/sa.html
He's even got Exim-4 debs with this stuff there. Or was it something else you had in mind?

Cheers,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
AIDE Information Overload
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks!

I'd like to ask what people do with their AIDE output at times when a lot of things change on their system? I've gone through the AIDE configuration, and I feel like having configured it well, to catch the things that might be trojaned while leaving out things that I would certainly change often. But I'm working a lot on the system these days, so the output just keeps growing out of hand really quick. I get a Too Much Information problem within a week of having created the database. Last night's output was close to 3000 lines, but I've had up to 6 lines of output there... I find it hard to keep up at all when the output exceeds a hundred lines.

So, I've got to do something, but I don't really understand what. aide --update, ok, but what does that really mean? It just creates a new database to compare with the old, but then, I should keep the old, because there are too many changes for me to keep up and be certain that nothing Bad[tm] has slipped in. But if I do, the problem just keeps growing...

So I hope the kind folks here can offer some advice... :-)

Best,
Kjetil
- --
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9tWBllE/Gp2pqC7wRAh2mAJwLpsL5PmPehawrkmOC368xMsFENQCdHevV
w81q6a0R1km8GbjxGTcZFng=
=sOls
-----END PGP SIGNATURE-----
Re: Vulnerabilities found by Nessus
On Tuesday 15 October 2002 13:56, Yven Leist wrote:
> On Tuesday 15 October 2002 13:33, Kjetil Kjernsmo wrote:
>> And I haven't been able to downgrade (hints are welcome! :-) ), but I do not have any testing or unstable
> Just put the following lines in /etc/apt/preferences
> Package: *
> Pin: release a=stable
> Pin-Priority: 1001

Tried that, but it stopped when downgrading dpkg.

> PS: I hope you are aware of the fact that testing is security-wise really the worst distribution to run, much worse than unstable!

Yeah, anxiously aware... I'm not tracking testing now, some security updates go right in anyway with apt-get upgrade. Others I download and install with dpkg -i. But I'm far from confident, downgrading would be optimal, because I wouldn't like to reinstall...

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: Vulnerabilities found by Nessus
On Tuesday 15 October 2002 13:59, Javier Fernández-Sanguino Peña wrote:
> Try to reproduce this behavior. You can launch the attacks manually using 'nasl name-of-the-script' and trace the mail server to see if it really breaks. If it does: report upstream, if it doesn't then it's a bug in the plugin: report to the nessus development team.

Uh-oh, slowly now, I'm a complete newbie in these things... :-) How do I see if it breaks?

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: Vulnerabilities found by Nessus
On Tuesday 15 October 2002 14:59, Javier Fernández-Sanguino Peña wrote:
> On Tue, Oct 15, 2002 at 02:11:51PM +0200, Kjetil Kjernsmo wrote:
>> On Tuesday 15 October 2002 13:59, Javier Fernández-Sanguino Peña wrote:
>>> Try to reproduce this behavior. You can launch the attacks manually using 'nasl name-of-the-script'

OK, I needed libnasl-dev for that apparently. The plugin in question is apparently slmail_helo.nasl. Mmmm, doesn't seem to work...:

owl:/usr/lib/nessus/plugins# nasl slmail_helo.nasl
slmail_helo.nasl : Warning : evaluating unknown variable - description

> ...? Ok. If you trace the mail daemon with:
> $ strace -f -p process_id_mail

OK.

> $ perl -e 'print EHLO; print a x 500;' | nc localhost 25

root@pooh:~ perl -e 'print EHLO; print a x 500;' | nc localhost 25
220 pooh.kjernsmo.net ESMTP Exim 3.35 #1 Tue, 15 Oct 2002 15:34:24 +0200
421 pooh.kjernsmo.net: SMTP command timeout - closing connection

root@pooh:/var/run strace -f -p 4456
read(0, 0x80c7ff8, 8192)                = ? ERESTARTSYS (To be restarted)
--- SIGALRM (Alarm clock) ---
time(NULL)                              = 1034689164
open(/var/log/exim/mainlog, O_WRONLY|O_APPEND) = 2
fcntl64(2, F_GETFD)                     = 0
fcntl64(2, F_SETFD, FD_CLOEXEC)         = 0
fstat64(2, {st_mode=S_IFREG|0640, st_size=134036, ...}) = 0
write(2, 2002-10-15 15:39:24 SMTP command..., 82) = 82
write(1, 421 pooh.kjernsmo.net: SMTP comm..., 66) = 66
munmap(0x40014000, 4096)                = 0
_exit(1)                                = ?

It didn't tell me a lot, I guess... (launched from /var/run just because I was looking if there was a pid-file there)

> Regarding the other vulnerability, you should see if the system is running out of file descriptors. See if, during the attack, 'netstat -an' returns a huge number of open connections to port 25. All systems are vulnerable to file descriptor exhaustion unless you configure limits.

Sure.

> You might want to take a look at Bastille-linux (there is a Debian package for it) on how to configure some of this stuff automatically.

OK, I'll install it.

> You should also read the Debian Securing Manual for more in-depth information.

Yeah, I've read it, and done much of it, but understood all is of course another matter. :-)

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Vulnerabilities found by Nessus
Hi everybody!

Now, I have finally configured all the security features that I wanted, so last night, I launched a full Nessus attack against my server, hammering on it with the possibly harmful plugins too. It survived that, but it also reports two vulnerabilities on the port 25. I've got Exim running there. I was careless when I upgraded to Woody, so I managed to upgrade to testing instead this summer... And I haven't been able to downgrade (hints are welcome! :-) ), but I do not have any testing or unstable sources in my sources.list right now. Anyway, the Exim version is 3.35-1.

Well, this is what Nessus said:

- nessus report -
 . Vulnerability found on port smtp (25/tcp) :
   There is a buffer overflow when this MTA is issued the 'HELO' command issued by a too long argument. This problem may allow an attacker to execute arbitrary code on this computer, or to disable your ability to send or receive emails.
   Solution : contact your vendor for a patch.
   Risk factor : High
   CVE : CAN-1999-0284

 . Vulnerability found on port smtp (25/tcp) :
   It was possible to crash the remote SMTP server by opening a great amount of sockets on it. This problem allows crackers to make your SMTP server crash, thus preventing you from sending or receiving e-mails, which will affect your work.
   Solution : If your SMTP server is contrained to a maximum number of processes, i.e. it's not running as root and as a ulimit 'max user processes' of 256, you may consider upping the limit with 'ulimit -u'. If your server has the ability to protect itself from SYN floods, you should turn on that features, i.e. Linux's CONFIG_SYN_COOKIES. The best solution may be cisco's 'TCP intercept' feature.
   Risk factor : Serious
   CVE : CAN-1999-0846
--- end nessus report -

Well, I don't know if I should be alarmed, I guess the whole reason for running nessus is to be alarmed, so I am... :-) And it seems it found these holes to be real (as opposed to a Qpopper hole it also reported, but that was based on the version number only, and I guess the patch there has been backported), so I'm seeking advice on what to do with this.

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: harden-clients idea
On Tuesday 08 October 2002 13:57, martin f krafft wrote:
> Use netcat for that.

[*hm, man netcat*] Yeah, OK, thanks, I didn't know about that.

>> That way, people with correct privileges could still use telnet for sensible things, yet the admin would be warned if they did something very careless with other packages.
> How would the admin be warned?

Oh, wasn't that the point with the harden-clients package? If you attempt to install a Bad[tm] client, you will be told, because it conflicts with harden-clients?

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
harden-clients idea
Hi folks!

I just had an idea the other, er..., night, that still seemed smart when I woke up, so I figured I'll post it here in case it is... :-)

The problem with e.g. telnet isn't really that it shouldn't be used for anything, but that it shouldn't be used by somebody. It is quite OK to use to check what the webserver responds to a particular request, for example. But, you wouldn't want ma to use it and send her password in cleartext.

What I did was that I changed group ownership of /usr/bin/telnet.netkit to staff and made it executable for only root and staff. I figured, harden-clients could do something like that too, configurable through standard means. That way, people with correct privileges could still use telnet for sensible things, yet the admin would be warned if they did something very careless with other packages.

Clever? :-)

(I'm not currently subscribed to this list, please keep me on the CC)

Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
Re: Uh-oh. Cracked already. I think...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

Back after the weekend. I've done a bit of reading though.

On Fri, 24 May 2002, Reagan Blundell wrote:
> On Fri, May 24, 2002 at 02:23:38PM +0200, Kjetil Kjernsmo wrote:
>> 6346/tcp   filtered   gnutella
> filtered means there's no reply coming back on those ports - most likely your ISP is blocking those ports.

Yeah, they said that gnutella was limited.

> The fact they don't show up when you do a local scan confirms this. These services aren't running on your machine.

So, what you're saying is that all this alarm is for no good reason...? There has been no l337 h4X0rz trying to get into my box? Well, that would be really be good news! Of course, it will not make me stop reading about how to secure the box.

Best,
Kjetil
- --
Kjetil Kjernsmo                      Recent astrophysics graduate
University of Oslo, Norway           Problems worthy of attack
E-mail: [EMAIL PROTECTED]            Prove their worth by hitting back
Homepage URL: http://folk.uio.no/kjetikj/        - Piet Hein
[EMAIL PROTECTED]                    OpenPGP KeyID: 6A6A0BBC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org

iD8DBQE88juklE/Gp2pqC7wRAlP2AJ9mZz8/YXCWvurdra8bewptWqvKmwCbBmHm
wBb2C4kIDfG1PQI6Ib8MwQE=
=yQx/
-----END PGP SIGNATURE-----
Re: Uh-oh. Cracked already. I think...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Tim, dear all,

Thanks for all the responses. I realize it's pretty bold trying to put a box on the net without having extensive admin experience beforehand. But I think I'm learning fast, and I hope I'll be able to do it without placing any burden on the rest of the net. That is, except for you guys... :-) Your help is greatly appreciated!

On 23 May 2002, Tim Haynes wrote:
> Kjetil Kjernsmo [EMAIL PROTECTED] writes:
>> To address this first: It is the gnutella server that causes alarm, so is there anything I could have done that would install gnutella but escape my attention? I certainly never did apt-get install gnutella (I tried apt-get remove gnutella yesterday, with no effect). Is it likely that if I don't know how it got there, has been installed by a cracker? I've tried to telnet 217.77.32.186 6346 but get no connection.
> Well if something's got on there that you don't remember installing, can I have some of what you're taking? ;)

Hehe... I was so sure it would be at least one copy of Star Wars II, but no... ;-) There's nothing here... I've walked through the whole disk, and I can't find anything of any size that I don't know what is. Whatever it is, it has to be rather small...

> It's at this point that you should start debugging what's really listening on your box from what a scanner says you are. I suggest you nmap yourself to see what ports you really have open, and compare against netstat -plant | grep LIST (here's your first potential clue: if netstat complains about `-p', it's been trojanned.)

It complained about -p when I wasn't root... OK.

This is what nmap says, launched from my workstation:

Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen
6346/tcp   filtered    gnutella

Whereas this is nmap from the machine itself:

kjetil@pooh:~$ nmap pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: You are not root -- using TCP pingscan rather than ICMP
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
(The 1545 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
139/tcp    open        netbios-ssn
1024/tcp   open        kdm
1025/tcp   open        listen

So, the suspicious gnutella port isn't in the latter. I don't know what kdm is doing there, BTW. I unselected X and desktop in the initial tasksel. There seems to have been installed some X stuff nevertheless, but neither KDE nor kdm has ever been installed on this box.

So for netstat:

pooh:~# netstat -plant | grep LIST
tcp  0  0  0.0.0.0:1024        0.0.0.0:*  LISTEN  209/rpc.statd
tcp  0  0  0.0.0.0:1025        0.0.0.0:*  LISTEN  236/rpc.mountd
tcp  0  0  0.0.0.0:139         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0  0.0.0.0:110         0.0.0.0:*  LISTEN  218/inetd
tcp  0  0  0.0.0.0:111         0.0.0.0:*  LISTEN  123/portmap
tcp  0  0  0.0.0.0:80          0.0.0.0:*  LISTEN  6586/apache
tcp  0  0  217.77.32.186:53    0.0.0.0:*  LISTEN  194/named
tcp  0  0  127.0.0.1:53        0.0.0.0:*  LISTEN  194/named
tcp  0  0  0.0.0.0:22          0.0.0.0:*  LISTEN  285/sshd
tcp  0  0  127.0.0.1:953       0.0.0.0:*  LISTEN  201/lwresd
tcp  0  0  0.0.0.0:25          0.0.0.0:*  LISTEN  218/inetd
(slightly reformatted to fit better)

> Next, if you've got a socket listener or 6346 (IIRC, the most frequently used gnutella port), try telnetting into it and see what banner, if any, it presents.

Nope, nothing...

pooh:~# telnet 217.77.32.186 6346
Trying 217.77.32.186...
telnet: Unable to connect to remote host: Connection refused

> to be sure. At some stage you should probably run _chkrootkit_ on the blighter, too.

Yeah, I've done that several times. chkrootkit was described in Securing Debian, so I installed it before moving it, but only ran it just after I saw the gnutella port. Nothing detected.

> Do you have an original AIDE database from immediately after it was installed?

Uh, don't think so. I installed snort, but didn't take the time to play with it. I thought that would do the job too... Can I get the required information from the snort install...?

>> I tried to set the suggested PermitRootLogin for ssh to no, but ssh gave me some message that I thought meant it didn't recognize it.
> That's weird. Try running an sshd from a terminal
Re: Uh-oh. Cracked already. I think...
> | f998091a416e9dca4879218cae269bb8 /bin/fuser
> All OK. You probably haven't been had just yet.

Sounds good.

> You should keep an eye the incoming/outgoing traffic, though; I thought I saw a utility for analysing how many hosts/ports a box contacts over time recently, which will help.

OK, I'll search.

> Set up snort and AIDE as a matter of urgency too

They're up. AIDE looked easy to configure, apt seemed to do that. I'll have a closer look at snort.

> - I won't promise that this is not after the horse has bolted, but I think you're probably OK at the moment. But you won't be if you go on with portmap

Now gone...

> and dns dangling around all over the place, nor will you be aware what's going off if you don't start firewalling things properly and keep a close eye on your IDS.

I'll read up on IPtables.

BTW, I just got off the phone with my host. They said that as long as I'm on the case and take it seriously, they're cool. Besides, the Gnutella port is somewhat limited, so it is limited what kind of damage intruders can do through that port.

Best,
Kjetil
- --
Kjetil Kjernsmo                      Recent astrophysics graduate
University of Oslo, Norway           Problems worthy of attack
E-mail: [EMAIL PROTECTED]            Prove their worth by hitting back
Homepage URL: http://folk.uio.no/kjetikj/        - Piet Hein
[EMAIL PROTECTED]                    OpenPGP KeyID: 6A6A0BBC
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OSF1)
Comment: For info see http://www.gnupg.org

iD8DBQE87k9OlE/Gp2pqC7wRAknZAJ9Ek29j+lI+NBWy+hC8IoSRhqbGEACgg+Ya
33xXDoQBzJClZb21u+zFzUo=
=pBnZ
-----END PGP SIGNATURE-----