Re: debian7 compromised (rk)
On Fri, Jul 12, 2013 at 7:04 PM, Security wrote:
> Hi all
> snip...
> Today I made a backup of this script that contains a huge list of compromised servers. Later I re-installed the whole system.
>
> Could it be useful to send this rk?
>

If the regular tools do not find it, file bugs against them (or even file them upstream to reduce turn-around time). Additionally, you could upload all suspect files to VirusTotal, where they are handed off to all the major AV vendors (mostly useful for mail gateways and that other wormy OS).

HTH, cheers,

Scott.

E.g.:

    supaplex@tv:~$ apt-cache search rootkit
    chkrootkit - rootkit detector
    rkhunter - rootkit, backdoor, sniffer and exploit scanner
    unhide - Forensic tool to find hidden processes and ports
    unhide.rb - Forensic tool to find processes hidden by rootkits
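The last two packages in that apt-cache listing, unhide and unhide.rb, look for processes a rootkit has hidden from ps. The script below is an added example, not code from this thread or from the unhide project, that reimplements the core of unhide's "brute" test so the technique is visible: a rootkit that hides a process usually filters the directory listing of /proc, but the kernel still answers kill(pid, 0) with ESRCH for a free PID and with 0 or EPERM for a live one, so the two views can be compared. It assumes a Linux host with /proc mounted; the pid_max path and the Tgid field of /proc/<pid>/status are standard Linux interfaces.

```python
"""Hidden-process check in the style of unhide's "brute" test.

Added example, not code from the original thread or from the unhide
project.  A rootkit that hides a process usually tampers with the
directory listing of /proc, which is all ps, top and pgrep look at, but
it rarely changes what kill(pid, 0) answers: ESRCH for an unused PID,
0 or EPERM for a live one.  Listing /proc and probing every PID with the
null signal therefore gives two views that should agree; anything the
kernel admits to but /proc does not list deserves a closer look.
Linux-only (needs /proc).
"""
import os


def pids_from_proc():
    """PIDs as userland tools see them: the numeric entries of /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_from_signal(max_pid):
    """PIDs the kernel admits exist, probed with signal 0 (nothing is
    delivered).  Starts at 1: kill(0, 0) would address our own process
    group, not PID 0."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:      # ESRCH: no such process
            continue
        except PermissionError:         # EPERM: exists, but not ours to signal
            pass
        alive.add(pid)
    return alive


def thread_group_of(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read.
    kill() also accepts thread IDs, and threads are never listed in
    /proc, so a TID whose Tgid is a listed process is not hidden."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def find_hidden_pids(max_pid=None):
    """Return PIDs the kernel knows about but /proc does not list.

    Candidates are re-checked to drop the benign explanations: a process
    that started or exited between the two scans, and threads.
    """
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    listed = pids_from_proc()
    probed = pids_from_signal(max_pid)
    relisted = pids_from_proc()          # one fresh listing for the re-check
    hidden = set()
    for pid in sorted(probed - listed):
        if pid in relisted:
            continue                     # appeared after the first listing: a new process
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                     # gone in the meantime
        except PermissionError:
            pass
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid:
            continue                     # a thread; its group leader is judged on its own
        hidden.add(pid)
    return hidden


if __name__ == "__main__":
    for pid in sorted(find_hidden_pids()):
        print(f"PID {pid} is alive but not listed in /proc")
```

On a clean system the script prints nothing. A non-empty result is a lead, not a verdict: mounting /proc with hidepid also makes other users' processes invisible to the listing while kill() still reports them, so check the mount options before reaching for the reinstall media.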
Re: Student Security Project
Try searching for Debian snapshots. Before a point release you can exclude security from sources.list, purge the package and install it again.

Regards,

Scott Edwards

On Sep 3, 2011 6:38 PM, "Jonathan Wiltshire" wrote:
> (Moving to public list, since this is not an embargoed enquiry)
>
> On Sat, Sep 03, 2011 at 03:32:02PM -0700, Chris Quinones wrote:
>> Hello, I am a student at a local university studying computer information systems. I am currently enrolled in a security class centered around ethical hacking. We are to choose from a list of several operating systems to install on our assigned workstations so that we can exploit documented vulnerabilities. Debian is the OS which I have chosen. I need help finding version 6.0 (squeeze) WITHOUT the (6.0.1) and (6.0.2) updates so that the vulnerabilities which have been documented on your site but have been patched in the last two releases remain. I have looked at your /debian-archive site for older versions but can only find an .iso file for the 6.0.2 version. If I cannot find an original 6.0 release, is there any way I can uninstall the security packages introduced in the last two releases without compromising the stability of the platform? I appreciate the time taken to read and address this email. Thank you in advance, and have a blessed day.
>
> Try http://cdimage.debian.org/cdimage/archive/
>
> --
> Jonathan Wiltshire                                      j...@debian.org
> Debian Developer                         http://people.debian.org/~jmw
>
> 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Re: DSA-2141-2
On Sun, Jan 9, 2011 at 5:04 PM, Hugh McDonald wrote:
> This advisory would be more useful to an administrator if package "nss" were known to "http://www.debian.org/packages", or if it contained references to the affected Debian package or packages. I presume the package referred to in the advisory is the Mozilla package, but I have no idea how to find out what files that package contains, or what the equivalent Debian files are named.
> I have ensured that the packages mentioned in the accompanying advisories, DSA-2141-1 and DSA-2141-3, have been upgraded to the versions recommended in these two advisories -- I hope that is sufficient.
>
> --
> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/4d2a4d05.4060...@symac.net
>

Are you looking for libnss3?

http://packages.debian.org/search?keywords=libnss3&searchon=names&suite=all&section=all
Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
>> I agree, this is a root exploit, and once you have root you can pretty
>> much hide anything you want.
>>>
>>> No question, reinstall.

Depending on your scope, http://www.cert.org/tech_tips/win-UNIX-system_compromise.html still has some value. It sounds as though you'll probably be fine with a reinstall (nuke from orbit, from trusted media). If you use anything from backups, be cautious of any content after any trusted time, e.g. a time when you know it wasn't an issue, not just think it wasn't an issue. You don't want to introduce a weakness the attacker left some place else (like a database password, misc. settings, etc.).

Good luck :)

Scott.
Re: Proc::UID test problems
On Fri, Aug 6, 2010 at 3:27 PM, Gordon Haverland wrote:
> I wrote a program to help install a package, which makes use of
> effective UID changes. And Proc::UID fits those requirements
> nicely.
>
> On my computer (Debian/unstable), Proc::UID compiles and installs
> fine. On another computer (Debian/stable), the SUID test (04) and
> the SGID test (05) both fail. Installing perl-suid didn't help.
> Any ideas what is wrong? The tests fail on command lines that
> look like:
>
>     system("04_test.t2");
>
> where the script 04_test.t2 is SUID.
>
> Thanks
> Gord

Last time I dabbled with suid-perl, I was informed it's deprecated. I'm not sure if Debian takes the same stance on it.

Regards,

Scott.
Re: Finally
Will it run in wine? ^U Does it blend?

On Jul 4, 2010 1:11 AM, "Fred Concklin" wrote:

I can switch back ;)

"Adobe PDF" wrote:
> New Version of Adobe PDF for all Windows platforms
>
> In this issue:
>
> * New Version of Adobe PDF Reader for all Windows platforms
>
> ---
>
> New Version of Adobe PDF Reader for all Windows platforms
>
> Dear valued customers,
>
> 50%-60% of your daily office works requires document handling. 70% of your documents requires extra editing. 80% of your documents requires exchanging with your peers, customers or partners. 20%-30% of these documents are in PDF formats with different version, created by various engines.
>
> We are proud to introduce the new and proved Adobe Acrobat Reader, version 2010 with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents.
>
> To learn more about new features and how to install this best-of-breed application, you can:
>
> + Go to Adobe Acrobat Reader or copy and paste this link to your web browser: http://wl3.peer360.com/b/Z1Z28nqE7qcKMZ0dm4Z1/mle.asp?hl=&CID=141820
> + Get your options, download and boost your works productivity.
>
> A full version of Office suite is also available for your download.
>
> DOWNLOAD ADOBE ACROBAT READER 2010 TODAY
>
> Thanks and best regards,
>
> John Draks
>
> Adobe Acrobat Reader
>
> 54 Pestersam | CA 96745 | USA | Hotline 1800 845 845|
> website: http://www.adobe-v2010.com/
>
> ---
>
> Use this link to tell a friend about this publication: http://wl3.peer360.com/b/Z1Z28nqE7qcKMZ0dm4Z1/tell.asp?BID=Z1Z28nqE7qcKMZ0dm4Z1&VID=1&hl=11991430
>
> To unsubscribe from this publication, click here: http://wl3.peer360.com/b/Z1Z28nqE7qcKMZ0dm4Z1/unsubscribe.asp?BID=Z1Z28nqE7qcKMZ0dm4Z1&VID=1&hl=11991430
>
> 54 Pestersam | CA 96745 | USA | Hotline 1800 845 845| USA

--
Fred Concklin
Re: Linux infected ?
It still has the same permissions as any other process run by that user. There are a few viruses that can infect ELF binaries when running from a Windows host, so it's not all that isolated based on execution platform.

On Jan 29, 2009 4:00 AM, "Török Edwin" wrote:

Rodrigo Hashimoto wrote:
> Hi,
>
> I received a file via e-mail and tried to open it, then the icewe...

It may attempt to infect the other programs you installed with wine. It shouldn't be able to modify any of the Linux programs that you have installed, since only root can do that (you're not running iceweasel/icedove as root, are you?).

Try scanning your .wine directory like this:

    $ clamscan -ri ~/.wine

Best regards,
--Edwin
Re: openssl / x509 certs
On Wed, May 14, 2008 at 11:09 AM, Hr. Philip Rueegsegger <[EMAIL PROTECTED]> wrote:
> How can I check if an RSA key created by 'openssl genrsa ...' and its x509
> certificate is vulnerable? The utility ssh-vulnkey seems to only check ssh
> keys. Thanks in advance!
>

What CVE IDs does this apply to, and are there any references to tools for this task on SSL certs as well? I'm curious too (with no time on my hands, with finals all this week).

TIA

Scott
I.S.C. bind9 openssl Security Advisory. [revised]
Does this affect sarge?

-- Forwarded message --
From: Mark Andrews <[EMAIL PROTECTED]>
Date: Nov 2, 2006 10:11 PM
Subject: Internet Systems Consortium Security Advisory. [revised]
To: [EMAIL PROTECTED]

Internet Systems Consortium Security Advisory.

BIND 9: OpenSSL Vulnerabilities.
31 October 2006

Versions affected:
  BIND 9.0.x (all versions of BIND 9.0)
  BIND 9.1.x (all versions of BIND 9.1)
  BIND 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.6-P1, 9.2.7b1, 9.2.7rc1 and 9.2.7rc2
  BIND 9.3.0, 9.3.1, 9.3.2, 9.3.2-P1, 9.3.3b1, 9.3.3rc1 and 9.3.3rc2
  BIND 9.4.0a1, 9.4.0a2, 9.4.0a3, 9.4.0a4, 9.4.0a5, 9.4.0a6, 9.4.0b1 and 9.4.0b2

Severity: Moderate (see below)
Exploitable: Remotely

Description:

Because of OpenSSL's recently announced vulnerabilities (CAN-2006-4339, CVE-2006-2937 and CVE-2006-2940) which affect named, we are announcing this workaround and releasing patches. A proof of concept attack on OpenSSL has been demonstrated for CAN-2006-4339.

OpenSSL is required to use DNSSEC with BIND. ISC had included the OpenSSL library in the BIND distribution, and in more recent versions, the OpenSSL library was required, but no longer a part of the distribution.

Workaround:

Recompile named with a known good version of OpenSSL. OpenSSL 0.9.8d and 0.9.7l or greater are known to be good versions.

For both KEY and DNSKEY resource record types, generate RSASHA1 and RSAMD5 keys using the -e option to dnssec-keygen if the current keys were generated using the default exponent of 3.

You can determine if a key is vulnerable by looking at the algorithm (1 or 5) and the first three characters of the base64 encoded RSA key. RSASHA1 (5) and RSAMD5 (1) keys that start with AQM, AQN, AQO or AQP are vulnerable.

For example, this RSASHA1 (5) key is vulnerable and needs to be replaced as the base64 encoded RSA key starts with AQP.

    DNSKEY 256 3 5 ( AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNX
                     kS91j6qqHuw7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXh
                     Ny1cg9Ok3kBnN+fwCe2LY3qOtweFbL9bSjgolQWr42AlFO
                     jZnJVW1cECgVBfinKHBIEIIwIdHGGuLyIQaQ== )

Note: the use of RSAMD5 (1) is no longer recommended.

Once you have generated new keys, use the key rollover process of your choice to put them into production. We expect your normal (non-emergency) processes to be adequate; however, you should do your own risk analysis against the costs of exploitation of weak keys and proceed accordingly.

Fix:

Upgrade to BIND 9.2.6-P2, BIND 9.3.2-P2, BIND 9.2.7rc3, BIND 9.3.3rc3 or BIND 9.4.0b3, then generate new RSASHA1 and RSAMD5 keys for all old keys using the old default exponent and perform a key rollover to these new keys. See above for how to determine if you are using the old default exponent.

These new versions of named check that the OpenSSL version meets the minimum revision levels at configure time -- for Windows, compile time. These versions also change the default RSA exponent to 65537, which is not vulnerable to the attacks described in CAN-2006-4339.

Revision History:
  20061102: Corrected fixed version number from BIND 9.2.3-P2 to BIND 9.3.2-P2.
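The advisory's "first three characters" rule falls straight out of how an RSA public key is laid out in a DNSKEY record (RFC 3110): a one-byte exponent length, the exponent, then the modulus. An exponent of 3 is the bytes 01 03, which base64-encode to "AQM", "AQN", "AQO" or "AQP" depending on the first bits of the modulus, and the new default 65537 (03 01 00 01) encodes to "AwEA". The script below is an added example, not code from ISC or from this thread: it decodes the key rather than trusting the prefix, and also builds the encoding for an exponent-65537 key so the two checks can be compared. The only input is the DNSKEY quoted in the advisory above; nothing else is assumed.

```python
"""Check the RSA public exponent in a DNSKEY RDATA.

Added example, not code from ISC or from the original post.  RFC 3110
stores an RSA public key as <exponent length><exponent><modulus>, the
length in one byte or, when that byte is zero, in the two bytes that
follow.  The advisory's AQM/AQN/AQO/AQP rule is the base64 view of the
bytes 01 03 (length 1, exponent 3) followed by the modulus.
"""
import base64

# The key quoted in the advisory (RSASHA1, algorithm 5).
ADVISORY_KEY = (
    "AQPGP80zt8pQS5xVaaaD054XBet8sCKaYZ9WrnYyuznqNX"
    "kS91j6qqHuw7Y9kKAVsFoWfNw0CpahdIJIhUPFM1JRJtXh"
    "Ny1cg9Ok3kBnN+fwCe2LY3qOtweFbL9bSjgolQWr42AlFO"
    "jZnJVW1cECgVBfinKHBIEIIwIdHGGuLyIQaQ=="
)
RSA_ALGORITHMS = {1: "RSAMD5", 5: "RSASHA1"}     # the algorithms the advisory covers
WEAK_PREFIXES = ("AQM", "AQN", "AQO", "AQP")


def parse_rsa_public_key(b64):
    """Return (exponent, modulus) from the base64 public key field.
    Whitespace from multi-line zone file formatting is ignored."""
    raw = base64.b64decode("".join(b64.split()))
    exp_len = raw[0]
    offset = 1
    if exp_len == 0:                               # long form: two-byte length
        exp_len = int.from_bytes(raw[1:3], "big")
        offset = 3
    exponent = int.from_bytes(raw[offset:offset + exp_len], "big")
    modulus = int.from_bytes(raw[offset + exp_len:], "big")
    return exponent, modulus


def encode_rsa_public_key(exponent, modulus):
    """Inverse of parse_rsa_public_key: what dnssec-keygen -e would
    publish for the same modulus with exponent 65537."""
    exp_bytes = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp_bytes) < 256:
        length = bytes([len(exp_bytes)])
    else:
        length = b"\x00" + len(exp_bytes).to_bytes(2, "big")
    mod_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return base64.b64encode(length + exp_bytes + mod_bytes).decode()


def is_vulnerable(rdata):
    """rdata is the DNSKEY RDATA text, e.g. '256 3 5 AQPG...'.
    Decodes the key and flags RSAMD5/RSASHA1 keys whose exponent is 3."""
    flags, protocol, algorithm, *key = rdata.split()
    if int(algorithm) not in RSA_ALGORITHMS:
        return False                               # not an RSA algorithm the advisory covers
    exponent, _ = parse_rsa_public_key("".join(key))
    return exponent == 3


def prefix_rule(rdata):
    """The advisory's quick check: algorithm 1 or 5 and a key text that
    starts with AQM, AQN, AQO or AQP."""
    flags, protocol, algorithm, *key = rdata.split()
    return int(algorithm) in RSA_ALGORITHMS and "".join(key).startswith(WEAK_PREFIXES)


if __name__ == "__main__":
    rdata = "256 3 5 " + ADVISORY_KEY
    exponent, modulus = parse_rsa_public_key(ADVISORY_KEY)
    print(f"exponent {exponent}, modulus {modulus.bit_length()} bits")
    print("vulnerable (decoded):", is_vulnerable(rdata))
    print("vulnerable (prefix):", prefix_rule(rdata))
    print("same modulus with e=65537 starts with:",
          encode_rsa_public_key(65537, modulus)[:4])
```

Decoding rather than prefix-matching matters for keys that do not follow the advisory's assumptions exactly: a key with a long-form exponent length, or an algorithm number added after 2006, gets a definite answer from the parser where the three-character rule would be silent.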
Re: Packet sniffing & regular users
> On Wed, Mar 02, 2005 at 04:14:51PM -0500, Brian Kim wrote:
> | Getting back to the problem at hand, is it required to be a superuser
> | in order to listen to all traffic coming in on a NIC? (I've always

When binding to the NIC, yes.

> | believed yes, but I'm just making sure here) And is it possible to
> | drop a NIC into promisc mode (as root) and leave it there?

tcpdump can be run as a normal user. I use it all the time to review captures already on disk. However, you won't be able to bind to an interface as a normal user. That's the issue you'll be running into, regardless of the state of promisc mode.

You'll need to read up on the bridging and tun/tap capabilities of the kernel. I've used them before, but so infrequently that I usually forget how to do most of it. (And no, I don't intend to be exhaustive on the issues surrounding the question originally asked. If you still have questions about the ethics and legalese of sniffing, be sure to ask.)

I am stressing that you use caution in this matter. Your attempts to weaken the security in place may or may not cost you now. I don't have any idea what the scope of your project or experiment is, but I hope it's not accessible to the public Internet...

Good luck,

Scott Edwards

--
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
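The boundary Scott describes, capturing needs privilege while reading a capture from disk does not, can be shown in a few dozen lines. The script below is an added example, not code from this thread or from tcpdump: it tries to open the AF_PACKET socket that `tcpdump -i` needs (on Linux this requires CAP_NET_RAW, which is why it fails with EPERM for a normal user) and, independently of how that goes, parses a classic pcap file with plain file I/O. The pcap bytes and the two Ethernet frames in them are constructed inline for the example, not taken from a real capture.

```python
"""Packet-socket privilege vs. reading a capture file.

Added example, not code from the original thread.  Creating a packet
socket on an interface needs CAP_NET_RAW (in practice, root); a capture
file already on disk needs only read permission.  Classic pcap layout:
24-byte global header, then per packet a 16-byte record header followed
by incl_len bytes of frame.
"""
import errno
import socket
import struct

PCAP_MAGIC_USEC = 0xa1b2c3d4           # microsecond timestamps
PCAP_MAGIC_NSEC = 0xa1b23c4d           # nanosecond timestamps
ETH_P_ALL = 0x0003


def can_open_packet_socket():
    """Try to create the socket a live capture needs.  Returns (True, None)
    or (False, errno_name); an unprivileged Linux user gets (False, 'EPERM')."""
    if not hasattr(socket, "AF_PACKET"):
        return False, "ENOTSUP"        # no packet sockets on this platform
    try:
        s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))
    s.close()
    return True, None


def build_pcap(frames, linktype=1, snaplen=65535, endian="<"):
    """Serialise (ts_sec, ts_usec, frame) tuples as a classic pcap file.
    linktype 1 is Ethernet.  Frames longer than snaplen are cut, as a
    capture with -s would do; orig_len keeps the true length."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in frames:
        captured = frame[:snaplen]
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def parse_pcap(data):
    """Parse classic pcap bytes into header fields and (ts, caplen, origlen, frame)
    records.  Handles both byte orders and both timestamp resolutions, and
    raises ValueError on a truncated file rather than returning a partial list."""
    if len(data) < 24:
        raise ValueError("short global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian = "<"
    elif magic_le in (0xd4c3b2a1, 0x4d3cb2a1):      # the same magics, byte-swapped
        endian = ">"
    else:
        raise ValueError(f"not a classic pcap file (magic 0x{magic_le:08x})")
    magic, vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    packets = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen:
            raise ValueError(f"incl_len {incl_len} exceeds snaplen {snaplen}")
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((ts_sec + ts_frac / divisor, incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return {"version": (vmaj, vmin), "linktype": linktype, "snaplen": snaplen, "packets": packets}


# Constructed sample frames (not a real capture): a broadcast ARP frame and
# a 100-byte IPv4 frame whose payload is just a counter.
FRAME_ARP = bytes.fromhex("ffffffffffff 020000000001 0806") + bytes(28)
FRAME_IP = bytes.fromhex("020000000002 020000000001 0800") + bytes(range(86))
SAMPLE_PCAP = build_pcap([(1109800000, 123456, FRAME_ARP), (1109800001, 7, FRAME_IP)], snaplen=64)


if __name__ == "__main__":
    ok, err = can_open_packet_socket()
    print("live capture possible:", ok, "" if ok else f"({err})")
    cap = parse_pcap(SAMPLE_PCAP)
    for ts, caplen, origlen, _frame in cap["packets"]:
        print(f"{ts:.6f} captured {caplen} of {origlen} bytes")
```

Run as an ordinary user the first line reports EPERM while the capture still parses; that is the whole point of handing captures to analysts as files. Note the snaplen handling: the second record carries 64 of its 100 bytes, which is what a capture taken with a small -s looks like on disk.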
Re: Packet sniffing & regular users
On Wed, 2 Mar 2005 12:02:47 -0500, Brian Kim <[EMAIL PROTECTED]> wrote:
> I'd like to give regular users the ability to sniff packets (and
> possibly drop the NIC into promiscuous mode?), without having to deal
> with sudo or su. How could I go about doing this? And if you provide a
> solution, what sorts of security concerns does it present, aside from
> the obvious "anyone can see anything" sort of concern?

Sounds like a job for user-mode-linux.

Scott Edwards

--
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
Re: unsubscribe - and one reason why it's failing
On Wed, 23 Feb 2005 20:29:06 +0100, Jérôme Gaulin <[EMAIL PROTECTED]> wrote:

From: Jérôme Gaulin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Date: Wed, 23 Feb 2005 20:29:06 +0100
Subject: unsubscribe

>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>

Notice how you're supposed to send this to REQUEST, not just debian-security? This isn't a personal attack, but you and many others have missed paying attention to DETAIL. This is one reason you're not being unsubscribed: you're NOT following the instructions correctly. If that fails, follow the instructions for 'Trouble?'.

Thanks.

Scott Edwards
Daxal Communications - http://www.daxal.com
Surf the USA - http://www.surfthe.us
Re: Compromised system - still ok?
You'll want to evaluate the time and resources you'll consume, and to what end. Even in high-profile cases, you have to do even more work to collect the damages awarded. It's like a triple whammy:

1. Your box gets compromised
2. You sue them
3. And then collect damages

You'll quickly lose a case if there is any demonstration of negligence (that tail between your legs about the backup account - yeah, you knew, but didn't act. That's enough negligence to blow the case.)

All my comments are my own. Don't hesitate to seek professional counsel.

Thanks,

Scott Edwards
Daxal Communications - http://www.daxal.com/

> after small or big cracking, one always has to make time, and
> take more preventative measures vs spending time on forensics
> unless you wanna lock 'em up :-)
>
> fun stuff
>
> c ya
> alvin