Re: Exploit in Upgrade Chain?

2009-02-12 Thread The Well - Systems Administrator
600 on /etc is technically more secure than the default 755 with normal 
POSIX systems, not less. If this is an exploit, it's one that locks 
things down tighter than they should normally be. :) Giacomo is correct 
that these incorrect perms can cause other issues, though not security 
related ones that I can think of.


Is there a different set of perms you had set on /etc manually? Any 
other indication that you've been exploited, or just a hunch based on 
circumstantial weirdness based on unexpected /etc privs and bastille?


Best regards,
-Chris

Boyd Stephen Smith Jr. wrote:

> On Wednesday 11 February 2009 23:26:45 Stan Katz wrote:
>> I updated/upgraded both my AMD64 and AMD k6 "Etch" machines between Feb
>> 10-11, 2009 using "Lenny" test. Both picked up a symptom I haven't seen
>> since the lpd exploit of the 1990's. This symptom manifests itself as
>> either a random escalation of the etc directory mode up to 600, or a
>> consistent escalation to mode 600 upon reboot.
>
> My /etc is mode 755.  Why would that be a problem?  Some user/programs may 
> need to read data out of the directory and root (the owner of my /etc) 
> certainly needs write permissions.
>
>> I don't remember why the lpd
>> exploit did this. If this is an exploit, it shakes my confidence in debian
>> online updating.
>
> I don't see how a 600 /etc can be exploited.  Do you have any other records 
> that would indicate you are exploited, or is this just fear-mongering?
>
>> Also, the Bastille firewall on the
>> AMD64 began locking down port 80 after about 10min of operation. Adding 80
>> to all interfaces didn't help. Only shutting down Bastille cleared the
>> block.
>
> Sounds like a bug in Bastille.  Can you reproduce reliably?  Have you checked 
> your configuration?  If both, have you filed a bug yet?
>
>> I fear this is another indication of the exploit.
>
> How/Why would these be related?
>
>> Has anyone else experienced this misbehavior after an upgrade?
>
> Not here.  I've been running Lenny for a number of months.
>
>> Any
>> suggestions, other than a complete disk wipe on both machines? In any case,
>> where would I go for a trusted rebuild, if there truly is a saboteur in the
>> ranks of the Debian maintainers?
>
> I'm forwarding to debian-security; perhaps they will have suggestions.  This 
> topic is more appropriate for that list than debian-user anyway.



--
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
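As an added example (not code from the thread) of the check a defender would run on the /etc symptom discussed above, the script below reports a directory whose mode deviates from an expected baseline and spells out which classes can still traverse it. It assumes GNU coreutils (`stat -c`) and takes 0755 for a root-owned /etc as the expected baseline; that baseline is an assumption, not something the posts state.

```shell
#!/bin/sh
# Added example, not from the thread: audit a directory's permission bits
# after an unexpected change such as /etc turning up as mode 600.
# Assumes GNU coreutils (stat -c). The expected mode is an assumption.

# Octal permission bits of a path, e.g. "755" or "600".
dir_mode() {
    stat -c '%a' "$1"
}

# Exit 0 if DIR's mode equals EXPECTED (octal, e.g. 755), 1 if it differs,
# 2 if DIR cannot be stat'ed. Prints one line either way.
check_dir_mode() {
    dir=$1
    expected=$2
    actual=$(dir_mode "$dir") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dir is mode $actual"
        return 0
    fi
    echo "FINDING: $dir is mode $actual, expected $expected"
    return 1
}

# List which classes (user, group, other) hold the execute bit on a
# directory, i.e. may traverse it. Without x for a class, that class can
# neither enter the directory nor open files inside it, even world-readable
# ones, which is why a 600 /etc breaks every non-root program that opens
# /etc/passwd, /etc/resolv.conf and the like. (root bypasses these DAC
# bits, so it is not affected.)
traversal_classes() {
    mode=$(dir_mode "$1") || return 2
    mode=$(printf '%03d' "$mode" | tail -c 3)   # drop setuid/setgid/sticky digit
    out=
    i=1
    for class in user group other; do
        digit=$(printf '%s' "$mode" | cut -c "$i")
        case $digit in
            1|3|5|7) out="$out $class" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Usage: check_dir_mode /etc 755; traversal_classes /etc
```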



Re: antivirus for webserver

2008-10-06 Thread Systems Administrator

Laura Arjona Reina wrote:
My question is if it is needed to install an antivirus for keeping the 
webserver safe. And if it is needed, which antivirus could I use?
I thought about clamav but I read about problems keeping up-to-date 
the software shipped with etch-stable.


I wouldn't think so. Generally, anti-virus software on Linux and other 
Unix-like systems is to protect Windows clients from spreading viruses 
amongst themselves, not protecting a Linux server itself. If you're not 
doing mail or Samba on that box, I don't really think it'd be very useful. 
On the other hand, you might look into things more applicable to Linux 
security like rkhunter and fail2ban, mod_security, etc. A quick audit 
with nikto and/or nessus wouldn't hurt. And also, keep things as up to 
date as possible.


Best of luck! :-)

