Re: logcheck thinks that system is under attack, related to ssl problem?
On Thu, Oct 16, 2003 at 02:02:23PM -0500, Micah Anderson wrote:

> Pretty exciting... is there any place that we can track the progress
> of this? I'm very interested to make an assessment of what is going on
> to determine if I should just patch the existing logcheck so that it
> stops sending me attack alerts, or if I should wait for this overhaul
> to come out.

I've created the project page upon Alioth, but nothing much has been
entered there. I'll try and start that over the weekend.

So far the SVN repository has been uploaded and we've got to start
planning changes - adding documentation is probably the single biggest
priority, but it may well be more effective to document how we want it
to work, then update the code, than documenting what currently happens.

At the moment things are a little confused as John has just moved house
and hasn't yet got reliable internet access. (Worst case I'll have to
force him to come to the pub, and we can have discussions over beer :)

Steve
Re: logcheck thinks that system is under attack, related to ssl problem?
On Thu, 16 Oct 2003 14:02:23 -0500 Micah Anderson wrote:

> Pretty exciting... is there any place that we can track the progress
> of this? I'm very interested to make an assessment of what is going on
> to determine if I should just patch the existing logcheck so that it
> stops sending me attack alerts, or if I should wait for this overhaul
> to come out.

I emptied the files violations and cracking so I see everything which
doesn't match an ignore pattern. I assume that if an attack report never
matches them.

Alain
Re: logcheck thinks that system is under attack, related to ssl problem?
Pretty exciting... is there any place that we can track the progress of
this? I'm very interested to make an assessment of what is going on to
determine if I should just patch the existing logcheck so that it stops
sending me attack alerts, or if I should wait for this overhaul to come
out.

Thanks!
micah

Steve Kemp wrote on Tuesday, 07 October 2003:

> On Tue, Oct 07, 2003 at 09:52:59AM +0200, Alain Tesio wrote:
>
> > I had exactly the same problem, it's because logcheck looks for cracking
> > patterns before removing lines which should be ignored, it shouldn't be
> > hard to fix.
>
> logcheck is in the middle of a major overhaul by myself and the
> former maintainer, which is why it looks like much hasn't changed with
> it for the past few weeks. Months? :(
>
> There's a new project in the process of being finalised using Alioth
> to host it, and things should start to get better quickly once
> it's up and running.
>
> .. right now I'm just waiting for the SVN repository to be created
> so that the history can be imported.
>
> Steve
> --
> # Debian Security Audit Project
> http://www.steve.org.uk/Debian/
Re: logcheck thinks that system is under attack, related to ssl problem?
On Tue, Oct 07, 2003 at 09:52:59AM +0200, Alain Tesio wrote:

> I had exactly the same problem, it's because logcheck looks for cracking
> patterns before removing lines which should be ignored, it shouldn't be
> hard to fix.

logcheck is in the middle of a major overhaul by myself and the
former maintainer, which is why it looks like much hasn't changed with
it for the past few weeks. Months? :(

There's a new project in the process of being finalised using Alioth
to host it, and things should start to get better quickly once
it's up and running.

.. right now I'm just waiting for the SVN repository to be created
so that the history can be imported.

Steve
--
# Debian Security Audit Project
http://www.steve.org.uk/Debian/
Re: logcheck thinks that system is under attack, related to ssl problem?
Micah Anderson wrote:

> Speaking of which, has anyone found a way to configure the active
> system attack key words? There is a user on my system whose email has
> the word "attack" in it so that triggers logcheck, and I've tried every
> different exclusion file and regexp there is to make it ignore it, but
> I can't so I get a logcheck email every time this guy gets or sends an
> email. It's gotten to the point that logcheck is becoming totally
> useless (ie. I won't read them because I put little value in the
> information that they contain). I've tried searching the web, and
> contacting the package maintainer, but no results.

I had exactly the same problem, it's because logcheck looks for cracking
patterns before removing lines which should be ignored, it shouldn't be
hard to fix.

Alain
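As an added illustration (not logcheck's own code, and a simplified model of its pipeline) of the ordering problem Alain describes, the POSIX sh below runs one constructed log excerpt through both orders: cracking patterns matched before the ignore pass, and the ignore pass applied first. The file names, log lines and patterns are all constructed for the example; Alain's later workaround of emptying the cracking file is noted in a comment.

```shell
#!/bin/sh
# Added example, not code from logcheck. A miniature of the two passes
# logcheck makes over a log: "cracking" keywords that raise an
# ACTIVE SYSTEM ATTACK alert, and "ignore" patterns that silence noise.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed log excerpt: a normal mail delivery to an address that
# happens to contain the word "attack", plus a line that should alert.
cat > "$work/syslog" <<'EOF'
Oct  6 17:31:05 host postfix/smtp[123]: to=<attack@example.com>, status=sent
Oct  6 17:31:06 host sshd[456]: ROOT LOGIN REFUSED FROM 192.0.2.1
EOF

# Constructed keyword files in logcheck's one-regex-per-line style.
printf 'attack\nROOT LOGIN REFUSED\n' > "$work/cracking"
printf 'postfix/smtp\\[[0-9]+\\]: to=<[^>]+>, status=sent\n' > "$work/ignore"

# Order the thread complains about: cracking patterns are matched
# against the raw log, so no ignore rule can ever silence the mail line.
# (Alain's workaround: an empty cracking file makes this grep match
# nothing, leaving only the ignore pass in effect.)
old_order() {
    grep -E -f "$work/cracking" "$work/syslog" || true
}

# Corrected order: drop ignored lines first, then look for attacks.
# The sshd line still alerts; the mail line no longer does.
new_order() {
    grep -E -v -f "$work/ignore" "$work/syslog" \
        | grep -E -f "$work/cracking" || true
}

# Number of lines a given order would report as attacks.
count_hits() {
    "$1" | grep -c . || true
}

# Stand-alone run: prints the alert count for each order.
echo "old order: $(count_hits old_order) alert(s)"
echo "new order: $(count_hits new_order) alert(s)"
```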
Re: logcheck thinks that system is under attack, related to ssl problem?
Hi Noah

Thanks again for your answer!!

On Monday, 06-Oct-03 at 22:13:32, Noah L. Meyerhans wrote:

> On Mon, Oct 06, 2003 at 10:07:23PM +0100, Andreas W?st wrote:
>> I hope you've got some more ideas. I'm strictly following all the
>> security updates, and have a light mix of woody and sid packages.
>
> run 'shutdown -rF now'
>
> See if the problem persists after the fsck. If it does, check the
> files manually and see if they're really corrupted or something.
> Sounds like you've just got a twisted and inconsistent filesystem.

Well, I must admit that I had already rebooted after this message
appeared (well, just because I hadn't read my mail then, and only
realised the logcheck message after a second reboot), but the problem
didn't "survive" this first reboot, i.e. I've only received this mail
once. But this shouldn't mean anything, no?

I've fscked the disk as you told me, and the problem hasn't returned.
But hey, shouldn't there be any file corruption when using ext3 (I mean,
missing or incomplete files, ok, when the buffers couldn't get flushed
anymore, but corrupted?? I thought that's where the journal comes into
action.).

--
Best wishes, and thanks a lot for your help,
Andi
Re: logcheck thinks that system is under attack, related to ssl problem?
Hi Noah

Thanks a lot for your fast answer!

On Monday, 06-Oct-03 at 17:58:10, Noah L. Meyerhans wrote:

> On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas W?st wrote:
>> Hmmm, so what? Are these problems somehow tied together? Furthermore,
>> what is the probability that the system has really been cracked, and
>> the logcheck message is not a false positive? I wonder, because it's
>> not a server machine, it has no services running, except the dhcp
>> client listening on a port. Nothing else.
>
> It sounds to me, from the symptoms you described, that /var has
> somehow been mounted read-only. Check that first.

Well, I wished it would be like that, but /var hasn't got its own
partition, it gets mounted together with all the other stuff except
/boot.

> You don't have much evidence that it's a security issue at this point.
> Logcheck's "active system attack" messages rarely indicate such a
> thing. Don't do anything drastic like reinstall the system until
> you've got better evidence that you've been cracked. In this case, I
> doubt you have.

Well, reinstall is the last resort since it always takes hours to get
back the normal environment. I hope you've got some more ideas. I'm
strictly following all the security updates, and have a light mix of
woody and sid packages.

Well, I further noticed some error messages from gconf, about not being
able to delete some files, because they were not successfully synced. I
am seeing these messages quite often, although yesterday there were
quite a lot of them. I've never really researched the topic, but I think
it could be related to sleep, and therefore a not perfect flush of the
buffers or something. I wonder if this might somehow have affected the
logcheck stuff.

--
Best wishes,
Andi
Re: logcheck thinks that system is under attack, related to ssl problem?
On Mon, Oct 06, 2003 at 10:07:23PM +0100, Andreas W?st wrote:

> I hope you've got some more ideas. I'm strictly following all the
> security updates, and have a light mix of woody and sid packages.

run 'shutdown -rF now'

See if the problem persists after the fsck. If it does, check the
files manually and see if they're really corrupted or something.
Sounds like you've just got a twisted and inconsistent filesystem.

noah
Re: logcheck thinks that system is under attack, related to ssl problem?
On Mon, 06 Oct 2003, Noah L. Meyerhans wrote:

> You don't have much evidence that it's a security issue at this point.
> Logcheck's "active system attack" messages rarely indicate such a thing.
> Don't do anything drastic like reinstall the system until you've got
> better evidence that you've been cracked. In this case, I doubt you
> have.

Speaking of which, has anyone found a way to configure the active
system attack key words? There is a user on my system whose email has
the word "attack" in it so that triggers logcheck, and I've tried every
different exclusion file and regexp there is to make it ignore it, but
I can't so I get a logcheck email every time this guy gets or sends an
email. It's gotten to the point that logcheck is becoming totally
useless (ie. I won't read them because I put little value in the
information that they contain). I've tried searching the web, and
contacting the package maintainer, but no results.

Thanks,
micah
Re: logcheck thinks that system is under attack, related to ssl problem?
On Mon, Oct 06, 2003 at 05:31:05PM +0100, Andreas W?st wrote:

> Hmmm, so what? Are these problems somehow tied together? Furthermore,
> what is the probability that the system has really been cracked, and the
> logcheck message is not a false positive? I wonder, because it's not a
> server machine, it has no services running, except the dhcp client
> listening on a port. Nothing else.

It sounds to me, from the symptoms you described, that /var has
somehow been mounted read-only. Check that first.

You don't have much evidence that it's a security issue at this point.
Logcheck's "active system attack" messages rarely indicate such a thing.
Don't do anything drastic like reinstall the system until you've got
better evidence that you've been cracked. In this case, I doubt you
have.

noah
logcheck thinks that system is under attack, related to ssl problem?
Hi

I've got a rather weird problem. Since this morning, I cannot connect
anymore to a pop mail server using ssl, evolution complains about a bad
signature of the certificate. This is since I've booted my machine
today.

At the same time, one minute before I got the after-startup report from
logcheck, logcheck sent me a mail with an "ACTIVE SYSTEM ATTACK!"
subject, saying:

"Cleaned rules files exist in /var/lib/logcheck/cleaned directory that
cannot be removed. This may be an attempt to spoof the log checker."

Hmmm, so what? Are these problems somehow tied together? Furthermore,
what is the probability that the system has really been cracked, and
the logcheck message is not a false positive? I wonder, because it's
not a server machine, it has no services running, except the dhcp
client listening on a port. Nothing else.

Which steps would you propose to take next? It's very unfortunate,
since I am having absolutely no time at the moment, so I think I'll
just leave the machine switched off for now. Maybe I should go for a
complete reinstall.

--
Best wishes,
Andi