Does anyone have experiences with plash?
Hi,

I just looked at this tool: http://plash.beasts.org/

It describes itself as a chroot alternative/helper. I was just wondering if someone has tested it and found it usable (i.e. that it makes it faster to set up chroot jails), and also if someone can say anything about the security of the code.

Kind regards,
Tarjei

-- 
Tarjei Huse <[EMAIL PROTECTED]>

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
How efficient is mounting /usr ro?
Hi,

The Securing Debian manual suggests one should set the /usr partition to ro and use remount when you install new programs. I was just wondering how much security one gains with this. Wouldn't most hackers go after the programs in the /bin and /sbin directories anyway?

Thanks for any input.
Tarjei
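As an added example (not from the list post or from the Securing Debian manual), a POSIX sh helper for the practical side of the question: check from /proc/mounts whether /usr really is read-only, and wrap a package install so the partition is writable only for the duration of that install. The sample /proc/mounts content is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the list post: check whether a mount point is
# really read-only, and remount /usr rw only for the duration of an
# install. Function names are my own; the sample /proc/mounts data below
# is constructed.

# Report "ro", "rw" or "absent" for mount point $1, reading /proc/mounts-
# style lines from $2. The options field is split on commas and compared
# whole, so "errors=remount-ro" on / does not count as read-only (a plain
# `grep ro` would get that wrong). The last matching line wins, because a
# later mount on the same path shadows an earlier one.
mount_state() {
    printf '%s\n' "$2" | awk -v mp="$1" '
        $2 == mp {
            state = "rw"
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") state = "ro"
        }
        END { print (state == "" ? "absent" : state) }'
}

# Same check against the running system.
live_mount_state() {
    mount_state "$1" "$(cat /proc/mounts)"
}

# Run a command (e.g. apt-get install foo) with /usr writable, then put it
# back to read-only even if the command fails. This is the remount cycle
# the Securing Debian manual describes, made hard to forget.
with_usr_writable() {
    mount -o remount,rw /usr || return 1
    "$@"
    rc=$?
    mount -o remount,ro /usr
    return $rc
}

# Constructed sample of what /proc/mounts might show on such a box.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /usr ext3 ro,nodev 0 0
/dev/sda5 /var ext3 rw,nosuid,nodev 0 0
proc /proc proc rw 0 0'

if [ "${1:-}" = "--live" ]; then
    echo "/usr is $(live_mount_state /usr)"
else
    for mp in / /usr /var /home; do
        echo "$mp: $(mount_state "$mp" "$SAMPLE_MOUNTS")"
    done
fi
```

Run with `--live` to check the real system, or without arguments to see the constructed sample evaluated (/usr reports ro, / reports rw despite the `remount-ro` option text). As the post itself observes, a read-only /usr only covers what lives there: /bin, /sbin, /lib and /etc on the root filesystem need their own measures, and anyone already running as root can remount, so the setting defends against mistakes and automated tampering rather than a determined root-level intruder.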
Re: Looking for a simple SSL-CA package
Hi,

I'd like to thank all who contributed.

> If you don't want to run your own certificate authority or pay a
> commercial one to sign your key, and you don't have a lot of
> certificates to deal with, you can have each key simply be self-signed,
> which I believe is what's being recommended here.

Actually, there are a number of reasons why I want to run a more fully featured CA:

-> I'd like to use certs for authenticating slave openldap servers.
-> I want to use the certs to let laptop users send mail through my mail servers.
-> I want to have a system to let pops and imaps users install the certificates on their machines through a simple web interface.
-> It has to be operated w/o a GUI.

I think I'll end up with pyca (www.pyca.org) as it seems to have most of these features in place. The other possibilities are openca, which is IMHO too complicated for my needs, and tinyca (that many on this list suggested), which doesn't (please correct me if I'm wrong) give me the finished scripts for importing certs in Outlook, IE, Mozilla and other programs.

If there are other alternatives out there, please let me know.

Again, I thank you for your contributions.

Tarjei

> noah
>
Looking for a simple SSL-CA package
Hi,

I'm no expert on handling certificates and I hope not to have to learn all the command line switches of openssl by heart. However, I do need a simple setup of a CA that I may use for creating self-signed certificates, web pages that clients may use to import the certificates, and also a way to organize certificate revocation lists etc.

What are the alternatives besides OpenCA? Does anyone know of a set of scripts that are a bit less complex and at the same time give me some of the same functionality?

Tarjei
Re: postfix security configuration
This might help: http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

On Mon, 2003-08-11 at 13:37, Marcel Weber wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday, 11.08.03, at 12:59 (Europe/Zurich), Tomasz Papszun wrote:
>
> > If you want to prevent them from using non-existing sender addresses
> > from your domain, you can do it by creating a file (lookup table) for
> > postmap(1), containing all allowed addresses with "OK" and another
> > table containing your domain name with "REJECT".
> >
> > If you want to prevent them from using sender addresses from other
> > domains, it's also possible with properly prepared config.
> >
> > If you want to prevent them from using other (not their own) sender
> > addresses from your domain, you must use SMTP AUTH, I'm afraid.
> >
> > --
> > Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
> > [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
>
> Theoretically there is another possibility. Actually pop-before-smtp
> does nothing but watch the log file, pick the IP address of the
> pop client and put this address for a certain time into a postmap
> for postfix. If you would use the user's email address as his pop3
> login name (within a sql or ldap db, for example), one could take this
> information and write it into another postmap file. This would
> necessitate some modification of the pop-before-smtp script, but I think
> it wouldn't be too hard to implement. It wouldn't be perfect, though:
> Imagine two users logged in at the same time. Under this situation each
> user could "abuse" the other user's email address.
>
> For a really secure system, there is no way around smtp auth.
> pop-before-smtp relies on ip addresses. But what about NAT? Users
> coming from a private masqueraded network could misuse your server at
> their pleasure, if one user from this network has logged into his pop3
> account.
>
> Regards
>
> Marcel
>
> -----BEGIN PGP SIGNATURE-----
>
> iD8DBQE/N3/y1EXMUTKVE5URAjPsAKD1sVpkeqHSIcYnungYkuF/fNyumgCg7pmF
> o2GTZhfgn7NnZ63P8HLSpEI=
> =B+0b
> -----END PGP SIGNATURE-----
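Tomasz's lookup-table advice, as an added example that is not part of the thread and not Postfix's own code: a sh script that writes the sender access table he describes, emits the main.cf lines that use it, and emulates the order in which Postfix consults an access table for a sender address (full address, then domain, then the user@ part, per access(5)) so you can see why the per-address OK entries win over the domain-wide REJECT. The addresses, the temporary file path and the function names are constructed; Postfix itself is not run here.

```shell
#!/bin/sh
# Added example, not from the thread or from Postfix: build the sender
# access table Tomasz describes and show how Postfix consults it.
# Addresses, the temp file and function names are constructed.

# Write a check_sender_access table: every legitimate local mailbox gets
# OK, the bare domain gets REJECT, so any other address @domain is
# refused. $1 = output file, $2 = domain, remaining args = allowed users.
write_sender_access() {
    out=$1; domain=$2; shift 2
    : > "$out"
    for user in "$@"; do
        printf '%s@%s\tOK\n' "$user" "$domain" >> "$out"
    done
    printf '%s\tREJECT\n' "$domain" >> "$out"
}

# Emulate the order in which Postfix tries an access table for a sender
# address (access(5)): the full address first, then the domain, then the
# user@ part. Prints the first action found, or DUNNO when nothing
# matches. Parent-domain matching is left out for brevity.
sender_action() {
    table=$1; sender=$2
    user=${sender%@*}; domain=${sender#*@}
    for key in "$sender" "$domain" "${user}@"; do
        action=$(awk -v k="$key" '$1 == k { print $2; exit }' "$table")
        if [ -n "$action" ]; then echo "$action"; return; fi
    done
    echo DUNNO
}

# The main.cf lines that make Postfix use the table. The thread's
# conclusion is built in: the sender address is tied to the SMTP AUTH
# login (reject_sender_login_mismatch), because IP-based pop-before-smtp
# cannot tell users behind one NAT gateway apart.
main_cf_snippet() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
# sender address -> SASL login(s) allowed to use it
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    permit
EOF
}

TABLE=${TMPDIR:-/tmp}/sender_access.$$
write_sender_access "$TABLE" example.com alice bob
echo "--- generated table (copy to /etc/postfix and run postmap on it) ---"
cat "$TABLE"
echo "--- lookup results ---"
for s in alice@example.com mallory@example.com alice@other.test; do
    echo "$s -> $(sender_action "$TABLE" "$s")"
done
echo "--- main.cf ---"
main_cf_snippet
rm -f "$TABLE"
```

The script prints the table, the three lookups (alice is OK, mallory@example.com hits the domain REJECT, an address in a foreign domain falls through to DUNNO for the next restriction to decide) and the main.cf fragment. Note the order in the restriction list: the login/sender match is enforced before authenticated clients are permitted, otherwise an authenticated user could still send as a colleague, which is exactly the case Tomasz says a lookup table alone cannot prevent.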
Re: recommendations for FTP server
On Fri, 2003-06-20 at 18:56, Stephen Gran wrote:
> Hello all,
>
> I am thinking about setting up an FTP server to be used by myself and a
> couple of friends. The box it will be running on is basically stock
> Woody, and is currently only running apache and NAT'ing for a LAN.
>
> I'd like the FTP server to not allow anonymous logins (which I assume
> most can do), chroot users to their home directories, and have some sort
> of encrypted connections (over SSL would be nice). I have thought about
> just using sftp, but currently ssh connections are rerouted to another
> box on the LAN, and I'd like to leave that set up as is, if possible.

How about setting your ssh server to another port? If your friends know about it, this shouldn't be a problem.

Tarjei
Re: OT: Is it so easy to break into an NIS?
> Networks needing a greater degree of privacy and authentication can try
> AFS/Kerberos (entailing non-free server-end software). Substituting
> LDAP-SSL for NIS is arguably a step forward, but then NFS remains a
> problem (No Friggin' Security).

Doesn't NFS v4 answer some of these problems? Does anyone know when we'll see NFS v4 and what its security features are?

Regarding AFS/Kerberos, isn't OpenAFS an OSS solution?

Tarjei
Re: NFS, password transparency, and security
Hi,

Just thought I'd chip in some support for LDAP. Also a Kerberos pointer: www.bayour.com has a very good LDAP+Kerberos howto for Debian written by Turbo Fredriksson. Also you should check out Directory Administrator for administering your directory. A simple LDAP client for administrating LDAP users.

Now, the last thing: Does anyone have a URL for the SFS file server system?

Tarjei
Re: Securing bind..
> The way to avoid this kind of thread over and over again is to *document*
> them. I find that there are quite a number of people willing to answer
> emails in the list but not willing to take some time and *write* about it.

Ok, here's my (standard) suggestion: Make a system of annotations to the manual. Thus, it's possible to just cut-n-paste the different mails into the manual and thus make something that different people can contribute to without setting up docbook. F.x. in such a situation it's quite for the person who asked the question to update the docs without committing to writing _the_ authoritative work on securing bind.

I usually try to contribute the knowledge I get from mailing lists to FAQs and comments if it's easy to do so, f.x. to contribute comments to php.

Would it be possible to add this?

Tarjei
Re: Mail server anti-virus software?
> and i'd recommend postfix.

I run postfix + kavcheck + avcheck (do a google and you'll probably find it). kavcheck's postfix implementation isn't very good, but the avcheck program comes complete with a howto to set it up chrooted. Very nice. Combine this with crontab and you can update twice daily for the best results.

Tarjei

> trying hard to stay away from a religious war, i am keeping this as
> factual as possible. postfix and qmail don't really have any functional
> differences. both can do the same, both have the same features, and both
> are very powerful and cool.
>
> however, they use completely different configuration paradigms, and
> while there is little to be said against doing it the qmail-way, postfix
> seems more intuitive to the newbie who's always only worried about
> configuration files. qmail does not have a configuration file like
> postfix, it uses a mixture of directory hierarchies, filenames, and
> contents to configure the mail server. once you've understood the paradigm,
> you can do whatever you want, as said.
>
> if you aren't used to qmail, then it will have a steeper learning curve
> than postfix. i am sure some folks will disagree. the only way to answer
> it for yourself is to try them both.
>
> finally, it has to be mentioned that qmail's author, DJ Bernstein, is an
> excellent coder, just like postfix's author Wietse Venema. postfix is
> fully open-source and GPL, while qmail has a rather ridiculous
> proprietary license, preventing binary distributions as we have them
> with .deb packages. the qmail package maintainer has done a good job
> though, and while you need some -dev libraries to install qmail, it's
> more or less automatic.
>
> *but*, and this is something that i probably shouldn't state here, but
> which i feel is important. it's not about the functionality of the
> software, it's about the principle. Wietse, the author of postfix,
> advertises it as "competitor" of qmail, not "enemy". DJB, the author of
> qmail, on the other hand, chooses to be present on the mailing lists of
> "competing" software (like postfix-users or bind9-users) and publicly
> *trashes* the "competing" software, constantly telling the users that
> his product, qmail or djbdns respectively, doesn't suffer from such
> "childish sicknesses," and that instead of using the mailing list to
> solve their problems, they should switch to his software and not
> experience the problems. for me, that's reason enough not to support
> him. you are free to make up your own will though. especially because
> even though his software is good, it is not flawless!
Re: default security
Hmm. Here's a suggestion. - This idea is based on the assumption that especially server systems need good security.

1. Make a voting page and announce it on debian-users asking what are the main servers people are running on their Debian systems.
2. Go through the 10 highest and make sure they follow secure practices like libsafe.
3. Support security in these servers also for testing and unstable.

I think it would be worthwhile to rethink the philosophy of debian-stable. Instead of saying the next version of Debian is stable when all its packages are stable, how about defining a stable version of each package, and saying that stable is a dynamic target. In the age of high-speed connections, most people could then install Debian over the 'net instead of the install CDs.

I apologize to all the people reading this list for filling it with rants. Will stop now.

Tarjei
default security
> I recall there being discussion a while back about packaging chroot
> bind. I don't know whether or not anything came of it at all. There is

Debian being what it is, are there any reasons why the Debian bind package should not be chrooted as the default installation?

One thing that might be a good idea would be a security review of the main Debian packages. It's probably being done for some already, but I would guess a lot of Debian packages could benefit from even stricter default setups. For example, maybe libsafe should be default in all installs. I know this would take some time to implement, but I think it would help the image of Debian and Linux over time. I'm often frustrated that the big distros (RH, Mandrake) don't do more to harden their distros. For example the default install of ssh in RH still provides both ssh1 and ssh2 & root login.

I know this is a rant, but maybe it would be wise to think of a way to implement this. At least, put more daemons in chroot jails and get libsafe compiled into every package.

Tarjei
Re: Reply: Reply: finding hidden processes
Thanks to everyone who answered. I think I found the answer: I got three apps that have been installed --with-prefix=/usr/local/appname. Their pidfiles will then be in /usr/local/app/var/, no? Thus they will not be in the mentioned places, am I correct? (suspecting I am not ;( )

Tarjei

Petre Daniel wrote:
>
> it's okay to me. i didn't follow your emails and replies so closely,
> your system was compromised, or you just suspect that?
> is that a permanent online box? can you unplug it and look closely into
> it?
> chkrootkit is pretty gewd, but personally i trust only me. *grin*
> take care,
> Dani.
>
> -----Original Message-----
> From: Tarjei Huse [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 03, 2001 1:01 PM
> To: debian-security@lists.debian.org
> Cc: debian-security@lists.debian.org
> Subject: Re: Reply: finding hidden processes
>
> Thanks, I got:
> dev_to_tty
> tdev
> /dev/pts/%s
> /dev/%s
> /dev/tty%s
> /dev/pty%s
> /dev/%snsole
> Obsolete W option not supported. (You have a /dev/drum?)
>
> Any comments? Does this look ok?
>
> Tarjei
>
> Petre Daniel wrote:
> >
> > -----Original Message-----
> > From: Tarjei Huse [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, December 03, 2001 9:15 AM
> > To: debian-security@lists.debian.org
> > Cc: debian-security@lists.debian.org
> > Subject: finding hidden processes
> >
> > Hi, if I run chkproc from the chkrootkit package I get:
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> >
> > How can I find these processes?
> > Tarjei
> >
> > try "strings /bin/ps | grep dev" and if ps is corrupted you will see the
> > location
> > of the configuration files for the rootkit. go there and look into
> > them. good
> > luck.
Re: Reply: finding hidden processes
Thanks, I got:
dev_to_tty
tdev
/dev/pts/%s
/dev/%s
/dev/tty%s
/dev/pty%s
/dev/%snsole
Obsolete W option not supported. (You have a /dev/drum?)

Any comments? Does this look ok?

Tarjei

Petre Daniel wrote:
>
> -----Original Message-----
> From: Tarjei Huse [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 03, 2001 9:15 AM
> To: debian-security@lists.debian.org
> Cc: debian-security@lists.debian.org
> Subject: finding hidden processes
>
> Hi, if I run chkproc from the chkrootkit package I get:
> You have 3 process hidden for readdir command
> You have 3 process hidden for ps command
>
> How can I find these processes?
> Tarjei
>
> try "strings /bin/ps | grep dev" and if ps is corrupted you will see the
> location
> of the configuration files for the rootkit. go there and look into them. good
> luck.
Re: finding hidden processes
Thanks to all who answered. I'm trying to answer the question "is this suspicious?" and if yes, "what could 'normal' explanations be?" All help is highly appreciated :)

PS: I'm running Cyrus IMAPd, I seem to remember that Cyrus does not use pid, could this be true? And would that be the answer to the question of what these 3 pids are? (nmap on my host returns nothing.)

Tarjei

Here's the output I got:

pid: 1 init [3]
pid: 1001 lsarpcd -D
pid: 1003 srvsvcd -D
pid: 1005 winregd -D
pid: 1007 wkssvcd -D
pid: 1010 spoolssd -D
pid: 1027 svcctld -D
pid: 1050 /bin/sh /usr/local/mysql/bin/safe_mysqld --basedir=/usr/local/mysql --log=/usr/local/mysql/var/mail.log
pid: 1072 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 1074 smbd -D
pid: 10748 CROND
pid: 10752 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 1076 nmbd -D
pid: 1079 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 1080 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 10873 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
pid: 10912 CROND
pid: 10916 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 111
pid: 11162 /usr/cyrus/bin/master
pid: 1117 /sbin/mingetty tty2
pid: 1118 /sbin/mingetty tty3
pid: 1119 /sbin/mingetty tty4
pid: 1120 /sbin/mingetty tty5
pid: 1121 /sbin/mingetty tty6
pid: 11490 [EMAIL PROTECTED]
pid: 11623 [EMAIL PROTECTED]
pid: 1755 smbd -D
pid: 2
pid: 2020 CROND
pid: 2024 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 22970 CROND
pid: 22974 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 23690 [EMAIL PROTECTED]
pid: 2445 /usr/local/apache/bin/httpd -DSSL
pid: 2448 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 2488 smbd -D
pid: 2491 CROND
pid: 2495 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 25175 /usr/local/apache/bin/httpd -DSSL
pid: 25176 /usr/local/apache/bin/httpd -DSSL
pid: 25177 /usr/local/apache/bin/httpd -DSSL
pid: 25178 /usr/local/apache/bin/httpd -DSSL
pid: 25179 /usr/local/apache/bin/httpd -DSSL
pid: 25180 /usr/local/apache/bin/httpd -DSSL
pid: 25236 named -u named
pid: 25239 named -u named
pid: 25240 named -u named
pid: 25241 named -u named
pid: 25242 named -u named
pid: 2525 [EMAIL PROTECTED]
pid: 25279 /usr/local/apache/bin/httpd -DSSL
pid: 2546 [EMAIL PROTECTED]
pid: 26085 /usr/local/apache/bin/httpd -DSSL
pid: 27478 CROND
pid: 27482 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 28045 ./kavdaemon -dl -MP -Y -V -* -f=/ctl/tst
pid: 28131 [EMAIL PROTECTED]
pid: 2937 /usr/cyrus/bin/imapd
pid: 3
pid: 30278 smbd -D
pid: 30442 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30443 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30444 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30445 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30446 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30449 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30451 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30452 /usr/local/apache/bin/httpd -DSSL
pid: 30466 /usr/local/mysql/libexec/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/var --user=mysql --pid-file=/usr/local/mysql/var/mail.pid --skip-locking --log=/usr/local/mysql/var/mail.log
pid: 30651 CROND
pid: 30655 /usr/bin/perl -w /usr/local/apache/cgi-bin/mailgraph.pl -l /var/log/maillog
pid: 31632 smbd -D
pid: 31665 /usr/cyrus/bin/imapd -s
pid: 3
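The check chkproc performs is a diff between three views of the process table: what readdir() on /proc returns, what the ps binary prints, and what the kernel admits to when every PID is probed with kill(pid, 0). The script below is an added example of that check and is not chkrootkit's code or anything from the thread; it assumes a Linux /proc and a ps on the PATH, and it assumes the kernel's own kill() path is not hooked. It also handles two things a naive diff gets wrong: a process that starts or exits between two listings (the CROND and mailgraph.pl children in a listing like the one above live for a moment and then vanish) is filtered by taking the scan twice and keeping only PIDs hidden both times, and thread IDs, for which kill() also succeeds although /proc never lists them as directories, are dropped by checking Tgid in /proc/<pid>/status. Whatever survives is named from its cmdline, exe link or comm, which is what the original question asked for.

```python
"""Cross-check three views of the process table, the way chkrootkit's
chkproc does, and name whatever one view omits.

Added example (not chkrootkit's code). A trojaned ps, or a kernel module
that filters readdir() on /proc, drops chosen PIDs from listings. The kernel
still answers kill(pid, 0) for them, so probing every PID up to pid_max and
diffing against the listings exposes the gap. Assumes Linux /proc, a `ps`
on PATH, and that kill() itself is not hooked.
"""
import os
import subprocess
import time


def pids_from_readdir(proc="/proc"):
    """PIDs visible as numeric directory entries when /proc is listed."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_ps():
    """PIDs reported by whatever `ps` is first on PATH (what a rootkit replaces)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pid_exists(pid):
    """Ask the kernel directly. EPERM still means the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def is_thread_group_leader(pid, proc="/proc"):
    """kill() also succeeds for thread IDs, which /proc does not list as
    directories, so drop anything whose Tgid differs from its PID. An
    unreadable status file is kept: a hidden process must not be dropped."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def pids_from_probe(max_pid=None):
    """Brute-force every PID with kill(pid, 0); no directory listing involved."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read().strip())
        except (OSError, ValueError):
            max_pid = 32768  # the 2.4-era default
    return {pid for pid in range(1, max_pid + 1)
            if pid_exists(pid) and is_thread_group_leader(pid)}


def hidden_pids(readdir_pids, ps_pids, probe_pids):
    """PIDs the kernel confirms but each listing method left out."""
    return {"readdir": probe_pids - readdir_pids,
            "ps": probe_pids - ps_pids}


def describe(pid, proc="/proc"):
    """Name a PID from /proc: argv if readable, else the exe link, else comm.
    Kernel threads have an empty cmdline, which is why a cmdline-based listing
    shows bare entries for PIDs 2 and 3."""
    base = os.path.join(proc, str(pid))
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            argv = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
        if argv:
            return " ".join(argv)
    except OSError:
        pass
    try:
        return os.readlink(os.path.join(base, "exe"))
    except OSError:
        pass
    try:
        with open(os.path.join(base, "comm")) as f:
            return "[" + f.read().strip() + "]"
    except OSError:
        return "<unreadable>"


def scan(settle=1.0, max_pid=None):
    """Two passes, `settle` seconds apart; report only PIDs hidden in both,
    so short-lived cron children do not produce a false alarm."""
    agreed = None
    for _ in range(2):
        found = hidden_pids(pids_from_readdir(), pids_from_ps(), pids_from_probe(max_pid))
        agreed = found if agreed is None else {k: agreed[k] & found[k] for k in found}
        time.sleep(settle)
    return {k: {pid: describe(pid) for pid in sorted(v)} for k, v in agreed.items()}


if __name__ == "__main__":
    for method, procs in scan().items():
        print(f"You have {len(procs)} process hidden for {method} command")
        for pid, name in procs.items():
            print(f"  pid: {pid} {name}")
```

Run it as root so that /proc/<pid>/cmdline of every process is readable; as an unprivileged user the probe still works (EPERM counts as "exists") but the names degrade to comm. On a current kernel pid_max can be 4194304, so a pass takes a few seconds; pass max_pid=32768 to mimic the 2.4-era behaviour. A rootkit that also hooks the explicit open() of /proc/<pid>/... defeats the naming step but not the detection, since the PID still shows up in the probe set.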
Re: finding hidden processes
Could this be caused because I do not have all pids in the same dir?

Tarjei

[EMAIL PROTECTED] wrote:
> > Hi, if I run chkproc from the chkrootkit package I get:
> > You have 3 process hidden for readdir command
> > You have 3 process hidden for ps command
> >
> > How can I find these processes?
>
> Use a ps command from an uncorrupted system.
>
> If you made a bootable CD for installing your system you can mount it
> and try running ps from it. You can also try a forced reinstall of the
> package that contains ps.
>
> Bryan Andersen
> http://www.nerdvest.com/
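Both pieces of advice in this thread, "strings /bin/ps | grep dev" earlier and "use a ps from an uncorrupted system" here, come down to one question: is the installed binary still the one the package shipped? On Debian, dpkg records an MD5 for every file it installs in /var/lib/dpkg/info/<package>.md5sums (ps belongs to procps), and debsums compares against them. The script below is an added example of that comparison, not Debian's tooling and not code from the thread. It assumes the dpkg md5sums format (32 hex digits, two spaces, a path relative to /) and nothing else; the demo() fixture builds a constructed fake root with one intact, one modified and one deleted binary. The caveat Bryan's advice already implies: the md5sums file lives on the suspect disk, so feed verify() a copy extracted from a trusted .deb or from read-only install media, and treat a match as necessary, not sufficient.

```python
"""Check installed files against the checksums the package manager recorded.

Added example, not dpkg's or debsums' code. dpkg writes one
/var/lib/dpkg/info/<package>.md5sums per package, "<md5>  <path>" per line
with the path relative to /. A trojaned /bin/ps no longer matches its entry.
MD5 is what the format uses; it is adequate against an attacker who merely
swapped the file and did not also rewrite the md5sums list.
"""
import hashlib
import os
import shutil
import tempfile


def parse_md5sums(text):
    """Parse dpkg's md5sums format into {relative_path: hex_digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    """Stream the file so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(md5sums_text, root="/"):
    """Return {relative_path: 'ok' | 'modified' | 'missing'} for every listed file.
    `root` lets the same list be checked against a mounted suspect disk."""
    report = {}
    for rel, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report[rel] = "missing"
        elif md5_of_file(full) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def suspicious(report):
    """Paths that did not verify, sorted for stable output."""
    return sorted(p for p, s in report.items() if s != "ok")


def demo():
    """Constructed fixture (not real system files): a fake root where the
    package shipped bin/ps, bin/kill and bin/top, then ps was overwritten
    and top deleted. Returns the verify() report for it."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        shipped = {"bin/ps": b"genuine ps\n",
                   "bin/kill": b"genuine kill\n",
                   "bin/top": b"genuine top\n"}
        for rel, data in shipped.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        # What dpkg would have written at install time.
        md5sums = "".join(f"{hashlib.md5(data).hexdigest()}  {rel}\n"
                          for rel, data in shipped.items())
        # Simulate the rootkit: replace ps, remove top.
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"trojaned ps\n")
        os.remove(os.path.join(root, "bin/top"))
        return verify(md5sums, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/dpkg/info/procps.md5sums"
    with open(path) as f:
        bad = suspicious(verify(f.read()))
    print("all files match" if not bad else "\n".join(bad))
```

A clean result only says the file matches a list that may itself have been edited; a mismatch, on the other hand, is worth acting on immediately, and the forced reinstall suggested above is the cheap fix once the box is otherwise trusted. Pass a second argument to verify() to check a suspect disk mounted under /mnt from rescue media rather than the running system.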
finding hidden processes
Hi,

If I run chkproc from the chkrootkit package I get:

You have 3 process hidden for readdir command
You have 3 process hidden for ps command

How can I find these processes?

Tarjei
Re: Security Update
> What does that actually mean? Does it mean that I already have the most
> secure setup that Debian has?

Yes, but there is still a lot to do on setup. :)

I'll cut and paste from an earlier post on this list (not mine):

Scott Henson wrote:
> Can any one point me to the best books, how-to's, articles, scripts, etc. on
> hardening debian and making it really secure, but still easy to use? I was
> looking on the debian site and I saw a security how-to, but for some reason
> it would not let me access it. It said I didn't have permission to view it.
>
> -Scott Henson

A few good tips on this site:
http://wwwcmc.pharm.uu.nl/gillies/debian/

A few more security tips:
http://tinyplanet.ca/pubs/debian/html/c206.html

This is a good security site, I think some guy on this list manages it.
http://www.linux-sec.net/

This is the link that I have for the Securing Debian HOW-TO, it appears to be down too:
http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.htm

You can also download an example Debian iptables script from:
http://www.debiandiary.f2s.com/files/iptables.sh

Yours,
Tarjei

> thx for the patience...
>
> Mark.