Re: I want to somehow "crack" the Uefi "Bios" screen of my packard bell ENLG81BA Notebook

2016-11-12 Thread Sven Joachim
On 2016-11-12 09:02 +0100, David wrote:

> I want to somehow "crack" the Uefi "Bios" screen of my ENLG81BA Notebook.
>
> For example for looking into the Boot order or editing it.
>
> The question is how I can use a grml CD / DVD / USB-Stick (I have
> already downloaded the grml iso image).
>
> Or is it possible even without grml through a command line when GRUB
> is starting?

There should be "System setup" in the grub menu.  If it isn't there, use
'c' to get a commandline and type "fwsetup".

Cheers,
   Sven



I want to somehow "crack" the Uefi "Bios" screen of my packard bell ENLG81BA Notebook

2016-11-12 Thread David

I want to somehow "crack" the Uefi "Bios" screen of my ENLG81BA Notebook.

For example for looking into the Boot order or editing it.

The question is how I can use a grml CD / DVD / USB-Stick (I have 
already downloaded the grml iso image).


Or is it possible even without grml through a command line when GRUB is 
starting?


The F2 key that during boot opens the Uefi "Bios" screen does not work.

The F12 that normally unlocks the F2, also does not work.

Loading the Debian efivars kernel module which is necessary to execute 
the programs efivar and efibootmgr is impossible, it results in 
following error message:


***

modprobe: ERROR: could not insert 'efivars': No such device

***

... the assumption is that the ENLG81BA is very, very well protected 
against opening the Uefi "Bios" screen.


I no longer have Windows on it, under Windows 10 I could install the 
"easyUEFI" Program and use the menu command


reboot into Uefi screen.

But because I no longer have Windows I can no longer use that program.

***

I want to even know more about my computer. The next question is: can 
the computer, when executing update-grub and the old Windows 7 disk 
attached through usb, find it?


And if it finds it - can it then even boot the externally attached 
Windows 7 disk?


This is an hpdv9000 harddisk and I found that no cases are available; I 
had to order - through ebay - a case which is shipped directly from 
China, delivery time one to two months, which is not for usb cable but 
fits into the CD / DVD slot, do not know when I will receive it and 
whether it will work or not.


***

Hope there is somebody out there who has the exact same computer model 
as me, and exact knowledge about its use and configuration under Debian. 
Debian itself - it is the "stretch" (testing) distribution - boots and 
works fine.





Re: Does the HDCP crack have any implications for Debian?

2010-09-21 Thread Chris Bannister
On Sat, Sep 18, 2010 at 01:38:51AM +0200, Klistvud wrote:
> On 17. 09. 2010 23:33:00, Aaron Toponce wrote:
>> That is, if Blu-ray is here to stay.
>
> I wouldn't count on that. The useful lifespan of each subsequent
> media support has been steadily decreasing since at least the advent
> of celluloid film. Vinyl records lasted for, give or take, 7 or 8
> decades.

Not true. They are still the preferred choice amongst serious audiophiles.

-- 
Religion is excellent stuff for keeping common people quiet.
   -- Napoleon Bonaparte


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100921094417.ge19...@fischer



Re: Does the HDCP crack have any implications for Debian?

2010-09-21 Thread Scott Ferguson
On 21/09/10 19:44, Chris Bannister wrote:
> On Sat, Sep 18, 2010 at 01:38:51AM +0200, Klistvud wrote:
>> On 17. 09. 2010 23:33:00, Aaron Toponce wrote:
>>> That is, if Blu-ray is here to stay.
>>
>> I wouldn't count on that. The useful lifespan of each subsequent
>> media support has been steadily decreasing since at least the advent
>> of celluloid film. Vinyl records lasted for, give or take, 7 or 8
>> decades.
> Not true. They are still the preferred choice amongst serious audiophiles.

True, but how many companies still press LPs? More than piano roll
manufacturers?
I did hear that there are at least 2 LP makers - though I wouldn't expect
the number to increase anytime soon.
Whereas CDs are still manufactured by no one (?)
Ditto floppy disks. (and crts).

Given the amount of time and money being sunk into higher storage
capacity mediums I'd expect to see blu-ray replaced within 5 years (if
not earlier).
I've still got rolls of Super8 - but it's no longer manufactured either.

Cheers

-- 
*In case you never receive this mail, please notify me immediately* 





Re: Does the HDCP crack have any implications for Debian?

2010-09-21 Thread Klistvud

On 21. 09. 2010 11:44:17, Chris Bannister wrote:

> On Sat, Sep 18, 2010 at 01:38:51AM +0200, Klistvud wrote:
>> I wouldn't count on that. The useful lifespan of each subsequent
>> media support has been steadily decreasing since at least the advent
>> of celluloid film. Vinyl records lasted for, give or take, 7 or 8
>> decades.
>
> Not true. They are still the preferred choice amongst serious
> audiophiles.


Just as film is still the preferred choice among (some) serious
photographers. Can't argue against that. To clarify: it was the
large-scale, mainstream consumer market lifespan that I had in mind
when I wrote useful lifespan. As opposed to niche market lifespan.


--
Regards,

Klistvud
Certifiable Loonix User #481801
http://bufferoverflow.tiddlyspot.com

Please reply to the list, not to me.





Re: Does the HDCP crack have any implications for Debian?

2010-09-21 Thread Doug

On 09/21/2010 05:50 AM, Scott Ferguson wrote:

> On 21/09/10 19:44, Chris Bannister wrote:
>> On Sat, Sep 18, 2010 at 01:38:51AM +0200, Klistvud wrote:
>>> On 17. 09. 2010 23:33:00, Aaron Toponce wrote:
>>>> That is, if Blu-ray is here to stay.
>>>
>>> I wouldn't count on that. The useful lifespan of each subsequent
>>> media support has been steadily decreasing since at least the advent
>>> of celluloid film. Vinyl records lasted for, give or take, 7 or 8
>>> decades.
>>
>> Not true. They are still the preferred choice amongst serious audiophiles.
>
> True, but how many companies still press LPs? More than piano roll
> manufacturers?
> I did hear that there are at least 2 LP makers - though I wouldn't expect
> the number to increase anytime soon.
> Whereas CDs are still manufactured by no one (?)
> Ditto floppy disks. (and crts).

   

/snip/
Borders has a full section of CDs.  How else will you buy music?  
One-offs at 99¢ from I-tunes?
If I want an album of Chopin, am I going to have to watch a BR video of 
somebody playing it?

(That's a tough one for drivers with CD players!)

You can still buy floppies at Radio Shack.  And cassette tape.  I don't 
know for how long.

The rumor is that they will be bought by a big-box consumer appliance store.

--doug


--
Blessed  are the peacekeepers...for they shall be shot at from both sides. 
--A.M. Greeley





Re: Does the HDCP crack have any implications for Debian?

2010-09-19 Thread Scott Ferguson
On 19/09/10 06:04, Mark Allums wrote:
> On 9/18/2010 4:55 AM, Scott Ferguson wrote:
>> I'm very
>> happy with the performance I get by simply copying the bluerays I buy to
>> hard drive, and I prefer keep my media on hdd.
>
> This bears some explanation.  Are you watching stuff from Blu-Ray on a
> Debian machine?  How?  What is the process?


PAU supported video, blu-ray player, makemkv, vlc, google ;-p

-- 
*In case you never receive this mail, please notify me immediately* 





Re: Does the HDCP crack have any implications for Debian?

2010-09-18 Thread Angus Hedger
On Sat, 18 Sep 2010 10:51:21 +1000
Scott Ferguson prettyfly.producti...@gmail.com wrote:
> The key is legitimate (confirmed by Intel)  - what has been
> misreported is that the key is used for encrypting the contents of
> the disk... the disks are encrypted using AACS,  it's the stream from
> the player to the screen that is encrypted with HDCP.
> The key (I want it printed on a bedsheet) is most likely to turn up
> in a FPGA board, to be used by people wanting to rip the stream (need
> fast RAID and a few TB of space).

You would need around about 1TB of space for 1 movie uncompressed and
the FPGA/raid would need to be able to sustain around about 120-200MB/s.

So it would need to be a highend FPGA/Raid, but the whole thing could
probs be had for around about £1000 + disks.



--
Regards,

Angus Hedger

Debian GNU/Linux User   PGP Public Key 0xEE6A4B97




Re: Does the HDCP crack have any implications for Debian?

2010-09-18 Thread Scott Ferguson
On 18/09/10 19:10, Angus Hedger wrote:
> On Sat, 18 Sep 2010 10:51:21 +1000
> Scott Ferguson prettyfly.producti...@gmail.com wrote:
>> The key is legitimate (confirmed by Intel)  - what has been
>> misreported is that the key is used for encrypting the contents of
>> the disk... the disks are encrypted using AACS,  it's the stream from
>> the player to the screen that is encrypted with HDCP.
>> The key (I want it printed on a bedsheet) is most likely to turn up
>> in a FPGA board, to be used by people wanting to rip the stream (need
>> fast RAID and a few TB of space).
> You would need around about 1TB of space for 1 movie uncompressed and
> the FPGA/raid would need to be able to sustain around about 120-200MB/s.
>
> So it would need to be a highend FPGA/Raid, but the whole thing could
> probs be had for around about £1000 + disks.
>
> --
> Regards,
>
> Angus Hedger
>
> Debian GNU/Linux User PGP Public Key 0xEE6A4B97

Agreed (though I've no idea what a UK (?) pound is worth). 1920 x 1080 x
24 bits per pixel x 24 fps = 145MB/sec (not allowing for audio)
I suspect there would only be two types of user for the key - vendors of
home entertainment systems might become a market (though they already
use a system to bypass restrictions on projectors), and commercial
pirating operations (the ones who actually press disks). Though the
articles I've read all talk about pirates I suspect the reporters are
just *cough* wrong (pre-release pirate material is copied from studio
prior to encryption).
I recall reading an article by a Google engineer where he spoke of a
(Linux) system using multiple off-the-shelf computers with software (?)
RAID  to achieve near-RAM speed disk access - and an evaluation FPGA
card from www.xilinx.com is fairly cheap...

With reference to the original poster's question - maybe, just maybe, the
key might become part of a driver to allow any display to display a
stream from a blueray player... but I won't be writing it. I'm very
happy with the performance I get by simply copying the bluerays I buy to
hard drive, and I prefer keep my media on hdd.

Cheers






Blu-ray status in Linux (was: Does the HDCP crack have any implications for Debian?)

2010-09-18 Thread Camaleón
On Fri, 17 Sep 2010 22:29:49 +0100, Angus Hedger wrote:

> On Fri, 17 Sep 2010 16:12:47 -0500 Mark Allums wrote:

(...)

>> I'm not interested in that, but I wondered if that meant that we would
>> eventually be able to play Blu-Ray on Debian machines.  Do you suppose
>> we will see Blu-Ray support in VLC anytime soon?

(...)

> It means that BR playback on linux is closer, for example windows has a
> protected content layer that passes the content from the player to the
> screen, with this key you could build something like that for windows.

Mmmm, just out of curiosity (as I don't own a BD player neither have
Blu-ray discs to play) but, do you mean there is currently no way to play
Blu-ray in Linux? :-?

Or just to put it in other words, what is the current status of the
Blu-ray technology in Linux?

It seems there is a project¹ that allows viewing such media type, but 
does it work nice, has any drawbacks...?

¹ http://themediaviking.com/software/bluray-linux/

Greetings,

-- 
Camaleón





Re: Does the HDCP crack have any implications for Debian?

2010-09-18 Thread Mark Allums

On 9/18/2010 4:55 AM, Scott Ferguson wrote:

> I'm very
> happy with the performance I get by simply copying the bluerays I buy to
> hard drive, and I prefer keep my media on hdd.



This bears some explanation.  Are you watching stuff from Blu-Ray on a 
Debian machine?  How?  What is the process?






Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Mark Allums
The master key to HDCP was leaked and it has been reported that it is 
legitimate, meaning it is now possible to crack Blu-Ray.


I'm not interested in that, but I wondered if that meant that we would 
eventually be able to play Blu-Ray on Debian machines.  Do you suppose 
we will see Blu-Ray support in VLC anytime soon?






Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Angus Hedger
On Fri, 17 Sep 2010 16:12:47 -0500
Mark Allums m...@allums.com wrote:

> The master key to HDCP was leaked and it has been reported that it is
> legitimate, meaning it is now possible to crack Blu-Ray.
>
> I'm not interested in that, but I wondered if that meant that we
> would eventually be able to play Blu-Ray on Debian machines.  Do you
> suppose we will see Blu-Ray support in VLC anytime soon?
 
 

HDCP != BR. Blu-ray is protected by BD+ and AACS, HDCP is what closes
the analog hole (between the player and the screen).

Having the HDCP key means you could make a virtual device that accepts
a HDCP encrypted signal then passes it out in an unencrypted form to
the screen.

It means that BR playback on linux is closer, for example windows has a
protected content layer that passes the content from the player to the
screen, with this key you could build something like that for windows.

--
Regards,

Angus Hedger

Debian GNU/Linux User   PGP Public Key 0xEE6A4B97




Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Aaron Toponce
On Fri, Sep 17, 2010 at 04:12:47PM -0500, Mark Allums wrote:
> The master key to HDCP was leaked and it has been reported that it
> is legitimate, meaning it is now possible to crack Blu-Ray.
>
> I'm not interested in that, but I wondered if that meant that we
> would eventually be able to play Blu-Ray on Debian machines.  Do you
> suppose we will see Blu-Ray support in VLC anytime soon?

I would count on it. As much as libdecss is a part of the GNU/Linux
ecosystem, I would expect libdehdcp, or similar to become a part of
the same. That is, if Blu-ray is here to stay.

-- 
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o




Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Klistvud

On 17. 09. 2010 23:33:00, Aaron Toponce wrote:

> That is, if Blu-ray is here to stay.



I wouldn't count on that. The useful lifespan of each subsequent media  
support has been steadily decreasing since at least the advent of  
celluloid film. Vinyl records lasted for, give or take, 7 or 8 decades.  
CDs will hardly reach 5 decades. DVDs are being slowly supplanted by  
BluRay after having lasted, what, 2 decades? At that rate, BluRay  
should be dead in 10 years.


Good riddance.

--
Regards,

Klistvud
Certifiable Loonix User #481801
http://bufferoverflow.tiddlyspot.com

Please reply to the list, not to me.





Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Mark Allums

On 9/17/2010 4:33 PM, Aaron Toponce wrote:

> On Fri, Sep 17, 2010 at 04:12:47PM -0500, Mark Allums wrote:
>
>> The master key to HDCP was leaked and it has been reported that it
>> is legitimate, meaning it is now possible to crack Blu-Ray.
>>
>> I'm not interested in that, but I wondered if that meant that we
>> would eventually be able to play Blu-Ray on Debian machines.  Do you
>> suppose we will see Blu-Ray support in VLC anytime soon?
>
> I would count on it. As much as libdecss is a part of the GNU/Linux
> ecosystem, I would expect libdehdcp, or similar to become a part of
> the same. That is, if Blu-ray is here to stay.




As was pointed out by Angus Hedger, I realized that HDCP =/= Blu-Ray. 
The hope of some is that having the one will help with the other.  The 
success of Blu-Ray's encryption is in part because they can revoke keys 
and add new ones.  Newer movie releases use the new keys.  In some 
instances, older players will fail to play new movies without a firmware 
update.  (There are other reasons for this, like new codecs and new disc 
menus and other things.)


Still, we can hope.








Re: Does the HDCP crack have any implications for Debian?

2010-09-17 Thread Scott Ferguson
On 18/09/10 07:12, Mark Allums wrote:
> The master key to HDCP was leaked and it has been reported that it is
> legitimate, meaning it is now possible to crack Blu-Ray.
>
> I'm not interested in that, but I wondered if that meant that we would
> eventually be able to play Blu-Ray on Debian machines.  Do you suppose
> we will see Blu-Ray support in VLC anytime soon?


The key is legitimate (confirmed by Intel)  - what has been misreported
is that the key is used for encrypting the contents of the disk... the
disks are encrypted using AACS,  it's the stream from the player to the
screen that is encrypted with HDCP.
The key (I want it printed on a bedsheet) is most likely to turn up in a
FPGA board, to be used by people wanting to rip the stream (need fast
RAID and a few TB of space).

So - sorry no relationship between the stream encrypting key and the
ability to read the disk. The x264 encoder is more efficient than h264,
so the current method of ripping (lossy) still produces a better picture
quality than the legal releases.
Note: HDCP is what decides whether your monitor is allowed to display
the stream.
Hint: copy the disk to hdd and HDCP is removed from the equation.

for your edification:-
a forty times forty element matrix of fifty-six bit
hexadecimal numbers.

To generate a source key, take a forty-bit number that (in
binary) consists of twenty ones and twenty zeroes; this is
the source KSV. Add together those twenty rows of the matrix
that correspond to the ones in the KSV (with the lowest bit
in the KSV corresponding to the first row), taking all elements
modulo two to the power of fifty-six; this is the source
private key.

To generate a sink key, do the same, but with the transposed
matrix. <snip>big table</snip>

Cheers






Re: Crack package

2006-02-17 Thread Ricardo Frydman Eureka!

Alejandro wrote:
> I just downloaded the Debian Crack package to detect weak passwords
> among the users of my Debian Linux system.
>
> Following the Crack man page, I ran this command:
>
> #Crack -nice 5 /etc/passwd
>
> and when I look at the output with Crack-Reporter, I get ingoring shadowed entry:
> user1.
>
> I have the /etc/shadow file, so I then ran:
>
> #Crack -nice 5 /etc/shadow
>
> and the output tells me bad format /etc/shadow: user1
>
> So what should I do to find out whether the passwords of the users on my
> Debian system are weak or not ???

Does it have fewer than 6 characters?
Does it use only numbers? Only letters?
Does it make sense? Example: perrobobby
Do you not use special characters ·$%/()?
Is it the sum of important data about the user (child's name, home
address, etc.)?
Do you not change it often? (say every 45-60 days)

If at least one answer is yes, they are weak.

The list goes on, but let's say this is the /rough/ version.


> (I remind you that I have the passwords encrypted in /etc/shadow)
>
> Many thanks
>
> Alejandro


--
Ricardo A.Frydman
Open Source Technology Consultant - Systems Administrator
jabber: [EMAIL PROTECTED] - http://www.eureka-linux.com.ar
SIP # 1-747-667-9534



Crack package

2006-02-16 Thread Alejandro
I just downloaded the Debian Crack package to detect weak passwords
among the users of my Debian Linux system.

Following the Crack man page, I ran this command:

#Crack -nice 5 /etc/passwd

and when I look at the output with Crack-Reporter, I get ingoring shadowed entry:
user1.

I have the /etc/shadow file, so I then ran:

#Crack -nice 5 /etc/shadow

and the output tells me bad format /etc/shadow: user1

So what should I do to find out whether the passwords of the users on my
Debian system are weak or not ???

(I remind you that I have the passwords encrypted in /etc/shadow)

Many thanks

Alejandro





crack attempt?

2004-08-10 Thread Will Trillich

aha -- i think i actually attracted a script kiddie!


- Forwarded message from root [EMAIL PROTECTED] -

Subject: boss 2004/08/09 02:02 system check
From: root [EMAIL PROTECTED]
Date: Mon, 09 Aug 2004 02:02:05 -0500
To: [EMAIL PROTECTED]

This mail is sent by logcheck. If you do not want to receive it any more,
please modify the configuration files in /etc/logcheck or deinstall logcheck.

Possible Security Violations
=-=-=-=-=-=-=-=-=-=
Aug  9 02:01:13 boss PAM_unix[17097]: authentication failure; (uid=0) - guest for ssh service
Aug  9 02:01:15 boss sshd[17097]: Failed password for guest from 216.57.26.222 port 4839 ssh2
Aug  9 02:01:23 boss PAM_unix[17107]: authentication failure; (uid=0) - guest for ssh service
Aug  9 02:01:24 boss PAM_unix[17109]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:25 boss sshd[17107]: Failed password for guest from 216.57.26.222 port 1261 ssh2
Aug  9 02:01:26 boss sshd[17109]: Failed password for root from 216.57.26.222 port 1302 ssh2
Aug  9 02:01:28 boss PAM_unix[17113]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:30 boss sshd[17113]: Failed password for root from 216.57.26.222 port 1450 ssh2
Aug  9 02:01:31 boss PAM_unix[17119]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:34 boss sshd[17119]: Failed password for root from 216.57.26.222 port 1574 ssh2
Aug  9 02:01:35 boss PAM_unix[17122]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:37 boss sshd[17122]: Failed password for root from 216.57.26.222 port 1630 ssh2
Aug  9 02:01:40 boss PAM_unix[17125]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:41 boss sshd[17125]: Failed password for root from 216.57.26.222 port 1823 ssh2
Aug  9 02:01:43 boss PAM_unix[17127]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:45 boss sshd[17127]: Failed password for root from 216.57.26.222 port 1939 ssh2

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug  9 02:01:13 boss PAM_unix[17097]: authentication failure; (uid=0) - guest for ssh service
Aug  9 02:01:15 boss sshd[17097]: Failed password for guest from 216.57.26.222 port 4839 ssh2
Aug  9 02:01:23 boss PAM_unix[17107]: authentication failure; (uid=0) - guest for ssh service
Aug  9 02:01:24 boss PAM_unix[17109]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:25 boss sshd[17107]: Failed password for guest from 216.57.26.222 port 1261 ssh2
Aug  9 02:01:26 boss sshd[17109]: Failed password for root from 216.57.26.222 port 1302 ssh2
Aug  9 02:01:28 boss PAM_unix[17113]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:30 boss sshd[17113]: Failed password for root from 216.57.26.222 port 1450 ssh2
Aug  9 02:01:31 boss PAM_unix[17119]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:34 boss sshd[17119]: Failed password for root from 216.57.26.222 port 1574 ssh2
Aug  9 02:01:35 boss PAM_unix[17122]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:37 boss sshd[17122]: Failed password for root from 216.57.26.222 port 1630 ssh2
Aug  9 02:01:40 boss PAM_unix[17125]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:41 boss sshd[17125]: Failed password for root from 216.57.26.222 port 1823 ssh2
Aug  9 02:01:43 boss PAM_unix[17127]: authentication failure; (uid=0) - root for ssh service
Aug  9 02:01:45 boss sshd[17127]: Failed password for root from 216.57.26.222 port 1939 ssh2

- End forwarded message -

the fact that each attempt is a few seconds from the previous
one (and that there were only eight tries) leads me to believe
this was a human, and not a 'bot of some sort.

he even tried guest! (standard windows hole -- is it of likely
concern to a debian system?)


$ whois 222.26.57.216.in-addr.arpa

No match found for 222.26.57.216.in-addr.arpa.

# ARIN WHOIS database, last updated 2004-08-09 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

$ whois 216.57.26.222
OrgName:    eLink Communications INC.
OrgID:      ELNK
Address:    39 Broadway
Address:    19th Floor
City:       New York
StateProv:  NY
PostalCode: 10006
Country:    US

NetRange:   216.57.0.0 - 216.57.63.255
CIDR:       216.57.0.0/18
NetName:    EUREKANETWORKS-IP-D839-18
NetHandle:  NET-216-57-0-0-1
Parent:     NET-216-0-0-0-0
NetType:    Direct Allocation
NameServer: NS-AUTH1.ISP.E-NT.NET
NameServer: NS-AUTH2.ISP.E-NT.NET
NameServer: NS-AUTH3.ISP.E-NT.NET
Comment:
RegDate:
Updated:    2004-04-19

AbuseHandle: ENAA-ARIN
AbuseName:   Eureka Networks Abuse Administrator 
AbusePhone:  +1-800-562-4206
AbuseEmail:  [EMAIL PROTECTED] 

NOCHandle: EIA-ARIN
NOCName:   Eureka Networks IP Administrator 
NOCPhone:  +1-800-562-4206
NOCEmail:  [EMAIL PROTECTED] 

TechHandle: EIA-ARIN
TechName:   Eureka Networks IP Administrator 
TechPhone:  +1-800-562-4206
TechEmail:  [EMAIL PROTECTED] 

OrgAbuseHandle: ENAA-ARIN
OrgAbuseName:   Eureka 
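
An added example, not part of the original post: the post above judges "human or bot" from the spacing between attempts and the logins tried, and this script computes both per source address from sshd "Failed password" lines. The sample log is constructed (RFC 5737 addresses), and the year, the threshold of 5 attempts and the 5-minute window are assumptions; it goes beyond the post by also accepting the "invalid user"/"illegal user" form and a username that itself contains " from ".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the syslog layout of the logcheck report above.
# The 02:01:34 line carries an attacker-chosen username that embeds a fake
# "from <ip> port <n> ssh2" to mislead naive parsers.
SAMPLE_LOG = """\
Aug  9 02:01:15 boss sshd[17097]: Failed password for guest from 192.0.2.10 port 4839 ssh2
Aug  9 02:01:25 boss sshd[17107]: Failed password for guest from 192.0.2.10 port 1261 ssh2
Aug  9 02:01:26 boss sshd[17109]: Failed password for root from 192.0.2.10 port 1302 ssh2
Aug  9 02:01:30 boss sshd[17113]: Failed password for root from 192.0.2.10 port 1450 ssh2
Aug  9 02:01:34 boss sshd[17119]: Failed password for invalid user admin from 198.51.100.99 port 22 ssh2 from 192.0.2.10 port 1574 ssh2
Aug  9 02:01:36 boss PAM_unix[17119]: authentication failure; (uid=0) - root for ssh service
Aug  9 03:15:02 boss sshd[17301]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Aug  9 03:15:09 boss sshd[17301]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
"""

# The username is matched greedily so the *last* " from <ip> port <n> ssh2"
# on the line, the part sshd itself wrote, supplies the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2\s*$"
)


def parse_failures(text, year=2004):
    """Yield (timestamp, user, ip) for each failed sshd password attempt.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]


def max_in_window(times, window):
    """Largest number of events inside any interval of length `window`."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def summarize(text, year=2004, min_attempts=5, window=timedelta(minutes=5)):
    """Per source IP: attempt count, logins tried, mean gap, and a flag."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text, year):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[ip] = {
            "attempts": len(events),
            "users": sorted({u for _, u in events}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "flagged": max_in_window(times, window) >= min_attempts,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a successful login (the second address in the sample) stays below the threshold and is not flagged.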

Re: crack attempt?

2004-08-10 Thread Philippe Marzouk
On Tue, Aug 10, 2004 at 02:33:20AM -0500, Will Trillich wrote:
>
> aha -- i think i actually attracted a script kiddie!
>
[...]
>
> - End forwarded message -
>
> the fact that each attempt is a few seconds from the previous
> one (and that there were only eight tries) leads me to believe
> this was a human, and not a 'bot of some sort.
>
> he even tried guest! (standard windows hole -- is it of likely
> concern to a debian system?)
 

I have exactly the same thing in my logs since a few weeks. In general
from IPs with no reverse DNS set.
They test guest, test sometimes root.
It may be some automated tools as it is always the same logins which are
tried.

I don't worry about it as I do not have this kind of users on my systems
and root is of course not allowed direct ssh login.

Philippe





Re: crack attempt?

2004-08-10 Thread Alvin Oga

hi ya will

On Tue, 10 Aug 2004, Will Trillich wrote:

> aha -- i think i actually attracted a script kiddie!

nah... those are free one-time audits from summ-buddy with two
much free thyme :-)

and you should be happy you don't get those few dozen times
per hour  and even more happier that they don't do anything else
like ping bomb or mail bomb or .. other silly fun stuff

c ya
alvin






Re: crack attempt?

2004-08-10 Thread John Summerfield
Philippe Marzouk wrote:
> On Tue, Aug 10, 2004 at 02:33:20AM -0500, Will Trillich wrote:
>
>> aha -- i think i actually attracted a script kiddie!
>
> [...]
>
>> - End forwarded message -
>> the fact that each attempt is a few seconds from the previous
>> one (and that there were only eight tries) leads me to believe
>> this was a human, and not a 'bot of some sort.
>> he even tried guest! (standard windows hole -- is it of likely
>> concern to a debian system?)
>
> I have exactly the same thing in my logs since a few weeks. In general
> from IPs with no reverse DNS set.
> They test guest, test sometimes root.
> It may be some automated tools as it is always the same logins which are
> tried.
> I don't worry about it as I do not have this kind of users on my systems
> and root is of course not allowed direct ssh login.

Same here, I saw someone knocking on one of my doors the other day.
--
Cheers
John
-- spambait
[EMAIL PROTECTED]  [EMAIL PROTECTED]
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/



Re: crack attempt?

2004-08-10 Thread Katipo
Philippe Marzouk wrote:
> On Tue, Aug 10, 2004 at 02:33:20AM -0500, Will Trillich wrote:
>
>> aha -- i think i actually attracted a script kiddie!
>
> [...]
>
>> - End forwarded message -
>> the fact that each attempt is a few seconds from the previous
>> one (and that there were only eight tries) leads me to believe
>> this was a human, and not a 'bot of some sort.
>> he even tried guest! (standard windows hole -- is it of likely
>> concern to a debian system?)
>
> I have exactly the same thing in my logs since a few weeks. In general
> from IPs with no reverse DNS set.
> They test guest, test sometimes root.
> It may be some automated tools as it is always the same logins which are
> tried.

I've tracked it down to a couple of bored ISP help desk staff in the past.
This seems to be the main occupation for junior crackers.
They have some spare time, so they practice.
Regards,
David.



Re: crack attempt?

2004-08-10 Thread JY
Will Trillich wrote:
> aha -- i think i actually attracted a script kiddie!
http://www.securityfocus.com/archive/75/370288/2004-07-31/2004-08-06/2



Re: serial or crack !! CrossOver Office , URGENT

2004-01-16 Thread Bento Loewesntein

[EMAIL PROTECTED] wrote:

> does anyone know of a serial or crack for CrossOver Office ?


man, I feel like telling you where to go...

The Codeweavers guys work hard to create a first-class product for the
GNU/Linux platform and to provide support, and then they even contribute
their improvements back to Wine, and you want to pirate it ???


How about you stop being shameless and lazy and learn to configure
plain Wine ? It already runs Office just fine thanks to the good work of
Codeweavers, Transgaming, contributors and the customers of those
companies who pay for the products and support.


crack... yeah, right... get lost...


--
Bento Loewenstein



serial or crack !! CrossOver Office, URGENT

2004-01-15 Thread batalhao
does anyone know of a serial or crack for CrossOver Office?



Re: serial or crack !! CrossOver Office, URGENT

2004-01-15 Thread diogo leal andrade
man,
why not just buy it???
if you're going to pirate software, then go back to ruindows...

[]'s


Diogo Leal Andrade  - uin282411638
 users.matrix.com.br/diogo_andrade
 GNU/Linux Debian stable/unstable
 linux user :317433 debian-br#501

--- [EMAIL PROTECTED] wrote:
> does anyone know of a serial or crack for
> CrossOver Office?



Re: serial or crack !! CrossOver Office, URGENT

2004-01-15 Thread diogo leal andrade
damn,
the guy not only wants to use pirated software, he also uses
UOL's crappy spam

that's too much nonsense for my taste


Diogo Leal Andrade  - uin282411638
 users.matrix.com.br/diogo_andrade
 GNU/Linux Debian stable/unstable
 linux user :317433 debian-br#501

--- diogo leal andrade [EMAIL PROTECTED] wrote:
> man,
> why not just buy it???
> if you're going to pirate software, then go back to ruindows...
>
> []'s
>
> Diogo Leal Andrade  - uin282411638
>  users.matrix.com.br/diogo_andrade
>  GNU/Linux Debian stable/unstable
>  linux user :317433 debian-br#501
>
> --- [EMAIL PROTECTED] wrote:
>> does anyone know of a serial or crack for
>> CrossOver Office?



Re: serial or crack !! CrossOver Office, URGENT

2004-01-15 Thread Renato Salles
That's the man! I totally agree, in every respect.


RSalles

diogo leal andrade said:
> man,
> why not just buy it???
> if you're going to pirate software, then go back to ruindows...
>
> []'s
>
> Diogo Leal Andrade  - uin282411638
>  users.matrix.com.br/diogo_andrade
>  GNU/Linux Debian stable/unstable
>  linux user :317433 debian-br#501
>
> --- [EMAIL PROTECTED] wrote:
>> does anyone know of a serial or crack for
>> CrossOver Office?





-- 
A well-written program is its own heaven; a poorly-written program is its
own hell.
TAO of Programming - Book 4



Re: [OT] SCO's crack legal team

2003-11-08 Thread Roberto Sanchez
Greg Norris wrote:
> On Thu, Nov 06, 2003 at 11:34:59PM -0500, Roberto Sanchez wrote:
>
>> Just out of curiosity, did you originally save it as a 24-bit or
>> 8-bit PNG?  IIRC, GIFs are always 8-bit and 8-bit PNGs are comparable
>> in size.  I can understand how a 24-bit PNG would be bigger, but I can't
>> see how an 8-bit would be that much different in size.
>
> The original image claims to be 8-bit... it's approximately 3 times the
> size of the gif version.
>
>   $ file cornscolio.*
>   cornscolio.gif: GIF image data, version 89a, 788 x 1000
>   cornscolio.png: PNG image data, 788 x 1000, 8-bit/color RGBA, non-interlaced
>
>   $ ls -l cornscolio.*
>   -rw-r--r--  1 adric adric  263471 Nov  4 17:49 cornscolio.gif
>   -rw-r--r--  1 adric adric  743422 Nov  4 17:32 cornscolio.png

Have you looked at pngcrush?

apt-cache show pngcrush

-Roberto


Re: [OT] SCO's crack legal team

2003-11-08 Thread Greg Folkert
On Wed, 2003-11-05 at 20:35, csj wrote:
 On Wed, 5 Nov 2003 16:52:09 -0600,
 Greg Norris wrote:
  
  I thought this might provide some much-needed amusement... My
  wife has put together a picture of SCO's crack legal team,
  which pretty much explains their entire strategy.  Feel free to
  share! ;-)
  
 http://home.kc.rr.com/snidely/cornscolio.gif
 
 Speaking of IP hassles, maybe you should have exported that into
 the free png format.
http://www.gregfolkert.net/pics/satire/tn/scolegalteam.png.html

There ya be...




Re: [OT] SCO's crack legal team

2003-11-08 Thread Greg Norris
On Fri, Nov 07, 2003 at 04:36:30PM -0600, Alan Shutko wrote:
 That looks like it's 8 bits per color, or 24 bpp.  What does identify
 -verbose say about it?

It looks like you're correct.  Thanx, I'll remember this if the issue
comes up again. ;-)





Re: [OT] SCO's crack legal team

2003-11-08 Thread Greg Norris
On Sat, Nov 08, 2003 at 01:06:15PM -0500, Roberto Sanchez wrote:
 Have you looked at pngcrush?
 
 apt-cache show pngcrush

No, but I'll definitely look into it for next time.  Thanx!





Re: [OT] SCO's crack legal team

2003-11-07 Thread Greg Norris
On Thu, Nov 06, 2003 at 11:34:59PM -0500, Roberto Sanchez wrote:
 Just out of curiosity, did you originally save it as a 24-bit or
 8-bit PNG?  IIRC, GIFs are always 8-bit and 8-bit PNGs are comparable
 in size.  I can understand how a 24-bit PNG would be bigger, but I can't
 see how an 8-bit would be that much different in size.

The original image claims to be 8-bit... it's approximately 3 times the
size of the gif version.

  $ file cornscolio.*
  cornscolio.gif: GIF image data, version 89a, 788 x 1000
  cornscolio.png: PNG image data, 788 x 1000, 8-bit/color RGBA, non-interlaced

  $ ls -l cornscolio.*
  -rw-r--r--  1 adric adric  263471 Nov  4 17:49 cornscolio.gif
  -rw-r--r--  1 adric adric  743422 Nov  4 17:32 cornscolio.png





Re: [OT] SCO's crack legal team

2003-11-07 Thread Alan Shutko
Greg Norris [EMAIL PROTECTED] writes:

 The original image claims to be 8-bit... it's approximately 3 times the
 size of the gif version.

That looks like it's 8 bits per color, or 24 bpp.  What does identify
-verbose say about it?

-- 
Alan Shutko [EMAIL PROTECTED] - I am the rocks.
DOS Gang version...DOS.N.HOOD





Re: [OT] SCO's crack legal team

2003-11-06 Thread Dave Thayer
On Wed, Nov 05, 2003 at 04:52:09PM -0600, Greg Norris wrote:
 I thought this might provide some much-needed amusement... My wife has
 put together a picture of SCO's crack legal team, which pretty much
 explains their entire strategy.  Feel free to share! ;-)

Heh, heh, heh. He said 'crack'. Heh heh heh.

-- 
Dave Thayer   | WARNING: Persons denying the existence of 
Denver, Colorado USA  | robots may be robots themselves.
[EMAIL PROTECTED] | 





Re: [OT] SCO's crack legal team

2003-11-06 Thread csj
On Wed, 5 Nov 2003 16:52:09 -0600,
Greg Norris wrote:
 
 I thought this might provide some much-needed amusement... My
 wife has put together a picture of SCO's crack legal team,
 which pretty much explains their entire strategy.  Feel free to
 share! ;-)
 
http://home.kc.rr.com/snidely/cornscolio.gif

Speaking of IP hassles, maybe you should have exported that into
the free png format.





Re: [OT] SCO's crack legal team

2003-11-06 Thread Greg Norris
On Thu, Nov 06, 2003 at 09:35:53AM +0800, csj wrote:
 Speaking of IP hassles, maybe you should have exported that into
 the free png format.

The original version was png, actually... I converted it to gif because
more browsers handle that format, and it has a significantly smaller
file size in this instance.  The site it's hosted on has a minimal
bandwidth allocation, so size was not an insignificant concern.  In
addition, the gif patent has expired in the USA (and is very close to
doing so elsewhere), and simply isn't an issue which troubles me all
that much.

If anyone requests the png version, I'd be happy to email it.  People
are welcome to share either version (email, posting on the web,
whatever).





Re: [OT] SCO's crack legal team

2003-11-06 Thread Roberto Sanchez
Greg Norris wrote:
> On Thu, Nov 06, 2003 at 09:35:53AM +0800, csj wrote:
>
>> Speaking of IP hassles, maybe you should have exported that into
>> the free png format.
>
> The original version was png, actually... I converted it to gif because
> more browsers handle that format, and it has a significantly smaller
> file size in this instance.  The site it's hosted on has a minimal
> bandwidth allocation, so size was not an insignificant concern.  In
> addition, the gif patent has expired in the USA (and is very close to
> doing so elsewhere), and simply isn't an issue which troubles me all
> that much.
>
> If anyone requests the png version, I'd be happy to email it.  People
> are welcome to share either version (email, posting on the web,
> whatever).

Just out of curiosity, did you originally save it as a 24-bit or
8-bit PNG?  IIRC, GIFs are always 8-bit and 8-bit PNGs are comparable
in size.  I can understand how a 24-bit PNG would be bigger, but I can't
see how an 8-bit would be that much different in size.

-Roberto


[OT] SCO's crack legal team

2003-11-05 Thread Greg Norris
I thought this might provide some much-needed amusement... My wife has
put together a picture of SCO's crack legal team, which pretty much
explains their entire strategy.  Feel free to share! ;-)

   http://home.kc.rr.com/snidely/cornscolio.gif





Re: [OT] SCO's crack legal team

2003-11-05 Thread Paul William
On Thu, 2003-11-06 at 11:52, Greg Norris wrote:
 I thought this might provide some much-needed amusement... My wife has
 put together a picture of SCO's crack legal team, which pretty much
 explains their entire strategy.  Feel free to share! ;-)
 
http://home.kc.rr.com/snidely/cornscolio.gif

LOL. Nice. 

-- 

 .''`. Paul William
: :'  :Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system





Re: crack traces in /var ?

2003-07-26 Thread Andreas von Heydwolff
Jesse Meyer wrote:
> On Fri, 25 Jul 2003, Andreas von Heydwolff wrote:
>
> [ Snip most details of computer setup and getting cracked ]
>
> When you install a system, unless it's absolutely necessary, install it
> from behind a firewall.
>
> Then, before you set up any sort of firewall on the machine, start
> disabling ports - most servers can be configured to listen to only
> the local loopback device or the internal network.  Even without a
> firewall, your system should be secure.  (Hint:  'listen', 'bind',
> 'allow from', 'interface', etc in config files to limit what device
> the server listens to, and xinetd to limit those services that
> traditionally start from inetd.)

I was a bit sloppy on this - my previous install was better in that respect.

> Your goal is to be able to scan your machine (via nmap), and find
> no unnecessary service listening to the outside interface.

Is running nessus from within aimed at eth0 with the outside IP address
equivalent? This is what I did earlier.

> Then, build up your firewall scripts.
>
> Connect to the internet and do all the security updates.

A secured Woody as the firewall box should make it viable to run SID
inside the network again, wouldn't it?

> Finally, use a security scanner from outside your machine ( I
> believe that http://www.grc.com has one [about the only thing
> the site's good for, IMHO]).

grc.com is a good start.

http://check.lfd.niedersachsen.de/start.php is more comprehensive,
provided by the Data Protection Registrar of the federal state of
Niedersachsen in Germany.

(For those who want to use it: The first button is to confirm that the
displayed IP address is indeed yours, the second button starts the test.
Page two displays three buttons in the top row start self-test, stop
... and ... WITHOUT (ohne) SSL and you can select only a phase 1, 2
or 3 with the buttons beneath.)

BTW, TIP, the ZIP cartridge testing program from grc.com is excellent.
It checks and if necessary disables flakey sectors on ZIP disks, moving
data to the 10% spare sectors provided on disks for this purpose by
Iomega. Needs to be run from Windows though.

> You don't want your security system to consist solely of your
> firewall - firewalls are supposed to supplement your defense!
>
> Just my $.02
>
> ~ Jesse Meyer

Thanks, Jesse.




Re: crack traces in /var ?

2003-07-26 Thread Andreas von Heydwolff
Thanks to all contributors for your helpful, kind and informative 
responses and discussion. I will now unsubscribe temporarily and be back 
by the middle of next month, then at first reinstalling...

Of course, should there be further postings I'll be happy to read them 
later.

Take care,

Andreas




Re: crack traces in /var ?

2003-07-25 Thread Ron Johnson
On Fri, 2003-07-25 at 01:54, Andreas von Heydwolff wrote:
 Paul Johnson wrote:
[snip]
 Err, and one more: Should I buy a hardware firewall/router instead of
 fiddling around with iptables as an amateur?

No, just do a better job of firewalling.  Maybe get a trashheap 
special, install a minimal Debian on it and have it be your fw.

http://morizot.net/firewall/gen/ will do a good job of generating
an iptables script.

-- 
Ron Johnson, Jr.    Home: [EMAIL PROTECTED]
Jefferson, LA  USA

I'm not a vegetarian because I love animals, I'm a vegetarian
because I hate vegetables!
    unknown






Re: crack traces in /var ?

2003-07-25 Thread Andreas von Heydwolff
Ron Johnson wrote:
> On Fri, 2003-07-25 at 01:54, Andreas von Heydwolff wrote:
>
>> Paul Johnson wrote:
>> [snip]
>>
>> Err, and one more: Should I buy a hardware firewall/router instead of
>> fiddling around with iptables as an amateur?
>
> No, just do a better job of firewalling.  Maybe get a trashheap
> special, install a minimal Debian on it and have it be your fw.
>
> http://morizot.net/firewall/gen/ will do a good job of generating
> an iptables script.

Thanks, Ron. I have been using a trashheap AMD 133MHz with a 200M
harddisk and a woody stable install with iptables/firestarter so far but
perhaps I had the firewall open just a bit too long once during
maintenance. Will give http://morizot.net/firewall/gen/ a try - have
been wanting to get rid of X plus the gnome libs on this little machine
for some time anyway.

Andreas

PS sorry, Ron, for the private mail - keep forgetting about Mozilla's 
reply behavior




Re: crack traces in /var ?

2003-07-25 Thread David Z Maze
(Some of this is my personal opinion; I don't claim to be a security
expert.)

Andreas von Heydwolff [EMAIL PROTECTED] writes:

 My home dir contains no database files but lots of proprietary
 WordPerfect docs, pdfs, oggs/mp3s/wavs and jpgs and my mail
 archive.

The thing you're mostly worried about is things that can have
executable code in them.  Your PDFs, pictures, and music are probably
all okay (unless you picked up something that was intentionally going
after them); I'd be a little worried about scripting code buried in
the WordPerfect files.  But it's not like you have a bunch of things
compiled by hand in your home directory that are potentially infected,
it sounds like.

 It is always mounted noexec,nosuid,nodev,user.

(This isn't much security; the attacker is almost certainly root so
nosuid is irrelevant, and if you have /home/me/bin/foo you can
explicitly run '/lib/ld-linux.so /home/me/bin/foo' to run the binary
regardless of noexecness.)

 And, lastly for now: The /var/crackdir dir has a timestamp X. Does
 this mean the crack most probably did not happen before day X?

See touch(1).  The timestamp is completely meaningless.

-- 
David Maze [EMAIL PROTECTED]  http://people.debian.org/~dmaze/
Theoretical politics is interesting.  Politicking should be illegal.
-- Abra Mitchell
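
An added illustration of the touch(1) point above (not part of David Maze's post): a directory's mtime is whatever the last utime() caller asked for, so it cannot date an intrusion. The directory name and the forged date are constructed for the demo; ctime is set by the kernel, but an intruder with root can skew it too by changing the clock, so treat it as a lead rather than proof.

```python
import os
import tempfile
import time

# Constructed value: 2001-07-02 00:00:00 UTC, long before the directory exists.
FORGED_EPOCH = 994032000


def backdate(path, epoch=FORGED_EPOCH):
    """Set atime and mtime to an arbitrary moment, which is what touch -d does."""
    os.utime(path, (epoch, epoch))


def stamps(path):
    """Return the two timestamps an investigator usually looks at.

    On Linux st_ctime is the inode change time, not a creation time.
    """
    st = os.stat(path)
    return {"mtime": st.st_mtime, "ctime": st.st_ctime}


def demo():
    """Create a stand-in directory, backdate it, and report what stat shows."""
    with tempfile.TemporaryDirectory() as root:
        suspect = os.path.join(root, "crackdir")  # hypothetical stand-in name
        started = time.time()
        os.mkdir(suspect)

        # Any owner of the directory (or root) can claim an old mtime.
        backdate(suspect)
        forged = stamps(suspect)

        # Dropping a file into the directory resets its mtime to "now" ...
        with open(os.path.join(suspect, "dropped"), "w"):
            pass
        touched = stamps(suspect)

        # ... and one more utime() call hides that activity again.
        backdate(suspect)
        reforged = stamps(suspect)
    return started, forged, touched, reforged


if __name__ == "__main__":
    started, forged, touched, reforged = demo()
    fmt = "%Y-%m-%d %H:%M:%S"
    for label, ts in (("backdated", forged), ("after write", touched),
                      ("backdated again", reforged)):
        print(label,
              "mtime", time.strftime(fmt, time.gmtime(ts["mtime"])),
              "ctime", time.strftime(fmt, time.gmtime(ts["ctime"])))
```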





Re: crack traces in /var ?

2003-07-25 Thread Greg Folkert
On Fri, 2003-07-25 at 02:54, Andreas von Heydwolff wrote:
 Err, and one more: Should I buy a hardware firewall/router instead of
 fiddling around with iptables as an amateur?

Well, if you dare run Testing or Unstable... (Don't know if it is
available for Woody) there is a VERY nice package that is called:

fwbuilder

I have used it since ... a long time ago, and it continues to improve
with each revision. It has a firewall wizard that blocks everything. You
have to make exceptions in order to get traffic IN. It is very nice and
makes short work of the whole thing.

Just remember Order of Execution of the Rules is the FOREMOST import. As
the first rule that applies WINS. So if you put your catch-all in before
your exceptions... well the exceptions won't matter.

fwbuilder supports a number of netfilter/iptables type of systems.

http://www.fwbuilder.org

ttfn





Re: crack traces in /var ?

2003-07-25 Thread Andy Firman

 Oh well. Second time this year. 


How on earth and why are you getting cracked?

Can you share with us the reasons you have been cracked twice in 7 months?

What services do you think are being compromised?

What kind of security (if any) policies do you implement besides iptables?

Is it possible you were not implementing iptables correctly?
(I recommend Shorewall to help implement iptables the right way)


This is one thing I never want to happen to my servers, hence all the questions.

Maybe we can learn from your mistakes.  I would appreciate the information.

Andy

 






Re: crack traces in /var ?

2003-07-25 Thread Andreas von Heydwolff
Andy Firman wrote:
>> Oh well. Second time this year.
> [snip]
> Maybe we can learn from your mistakes.  I would appreciate the information.

(If you want it short, this may not be for you - here goes:)

Andy, thanks for your interest. I consider myself still a newbie, this 
is my third Debian year, Corel Linux got me started after an 
unconvincing try at RedHat5 years earlier. I have no professional IT
background but like 'puters and am reading a lot around in the 
newsgroups, Howtos etc.

Policy: I have no services open to the outside, exceptions are mentioned 
below. There are only trusted users inside the network. Besides iptables 
I have set nosuid,nodev,noexec flags for my home dir and other storage 
partitions. I run tiger and chkrootkit occasionally, i.e. once or twice 
a week, sometimes not. The firewall box is a small hardened Woody with 
security updates, the desktop a current SID installation.

As I haven't set up my mail dir to work with Mozilla and haven't 
bothered to find out how to make the black background of mutt lighter I 
am not reading the reports frequently - reports from programs I am 
slowly getting familiar with like snort, tiger.

Before the first crack I had ssh (and nothing else) open to the outside. 
In addition, maintenance of some proprietary custom tailored database 
program that I had acquired for another location made it necessary to 
open one of the higher ports for a few hours. Fiddling with
firestarter/iptables until port forwarding worked was when I shut off 
the firewall for minutes and once unfortunately a lot longer: I forgot 
to start iptables via firestarter again a few weeks ago over a period of 
a few hours after said situation - maybe this sealed my fate this time. 
I am paying dearly as even the laptop that for file synchronization I 
hook up to the switch now and then currently sports some unknown numeric 
group permissions for the home dir as reported by tiger later today.

I detected the first crack when chkrootkit reported a deletion in wted. 
For this crack (only after which I built the separate firewall box) I 
have the following explanation although I may have been too sloppy as
well with restarting the firewall immediately after stopping it for 
whatever reason I had back then: I saw in the log that the time of the 
wted deletion was almost to the minute the time when I installed a 
freshly compiled kernel. The machine had locked up then and during 
installing I had thought that this was due to some module problem 
(running SID, as I said), and the second try worked so that I did not 
bother any more. But in retrospect it may have been the crack(er) who 
caused the crash.

What I wonder is whether it is potentially dangerous for me to have 
iptables starting quite slowly on my 133MHz firewall machine, it takes 
maybe 10 seconds to get all the modules loaded while ntp already picks 
up the time and a net connection has seemingly already been established. 
I power down my system almost daily to reduce risks and keep my power 
bill lower, so there is a certain window almost daily at startup. My IP 
address is a de facto fixed one from the cable provider.

And I now wonder whether a powerful thing like iptables is manageable by 
an amateur with some half knowledge when even professionals have their 
troubles. Or perhaps I am now in the process of learning the hard way 
that the good enough firewall has to be on at *all* times, no matter what.

I also wonder whether a stock Windows98 box is less of a hassle because 
a friend who is not so security conscious is customer of the same cable 
provider. Despite frequent hits on my firewall from the provider's 
subnet to which he must more or less be subjected too he has never 
reported anything problematic. Do Linux boxen attract the more skilled 
attackers? But perhaps his occasional reinstalls are not so much  due to 
fat havoc after dozens of lockups per month but signs of unrecognized 
security compromises... don't get me wrong, I see no alternative for me 
in this other OS, and I wonder what he'll be reporting after his current 
XP honeymoon.

So I guess it's all my fault, underestimating what trouble already a few
or no firewall hits per hour when traffic is low can mean without the 
firewall.

Andreas

PS will look at Shorewall too




Re: crack traces in /var ?

2003-07-25 Thread Jamin W. Collins
On Fri, Jul 25, 2003 at 07:49:13PM +0200, Andreas von Heydwolff wrote:

 What I wonder is whether it is potentially dangerous for me to have
 iptables starting quite slowly on my 133MHz firewall machine, it takes
 maybe 10 seconds to get all the modules loaded while ntp already picks
 up the time and a net connection has seemingly already been
 established.  I power down my system almost daily to reduce risks and
 keep my power bill lower, so there is a certain window almost daily at
 startup. My IP address is a de facto fixed one from the cable
 provider.

Why not put a basic firewall in place prior to the network startup?
With default policies set to DROP, and rules to allow only necessary
traffic in and out.  After the network connections are up, you can then
add any interface/ip specific rules that are necessary.  This can
either be tacked on to the existing minimal ruleset or you could flush
the rules (leaving policy at DROP) and build all new rules.

-- 
Jamin W. Collins

This is the typical unix way of doing things: you string together lots
of very specific tools to accomplish larger tasks. -- Vineet Kumar
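
An added example (not code from any poster in this thread) that checks a ruleset for the two mistakes discussed here: built-in chains whose default policy is not DROP, and exceptions placed after a catch-all, where the first matching rule has already decided. It reads iptables-save text; both sample rulesets are constructed, and treating only rules with no match options as catch-alls is a simplifying assumption.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal
BUILTIN = ("INPUT", "FORWARD", "OUTPUT")  # filter-table chains with a policy

# Constructed sample: permissive policies, and a catch-all DROP placed
# before the ssh exception it was meant to follow.
BAD = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample: DROP everywhere by default, exceptions only.
GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse(text):
    """Return (policies, chains) for the filter table of an iptables-save dump."""
    policies, chains, table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(tokens)
    return policies, chains


def is_catch_all(tokens):
    """True for '-A CHAIN -j TARGET': a terminal target and no match options."""
    return len(tokens) >= 4 and tokens[2] == "-j" and tokens[3] in TERMINAL


def lint(text):
    """Return a list of findings; an empty list means both checks passed."""
    policies, chains = parse(text)
    findings = []
    for chain in BUILTIN:
        policy = policies.get(chain)
        if policy != "DROP":
            findings.append(f"{chain}: default policy is {policy}, not DROP")
    for chain, rules in chains.items():
        for idx, tokens in enumerate(rules):
            if not is_catch_all(tokens):
                continue
            # Everything after the first catch-all can never be evaluated.
            for later in rules[idx + 1:]:
                shadowed = " ".join(later[2:])
                findings.append(
                    f"{chain}: '{shadowed}' is never reached; "
                    f"rule {idx + 1} '-j {tokens[3]}' matches every packet first")
            break
    return findings


if __name__ == "__main__":
    for finding in lint(BAD):
        print(finding)
```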





Re: crack traces in /var ?

2003-07-25 Thread David Fokkema
First of all, thanks for your little essay, ;-)

On Fri, Jul 25, 2003 at 07:49:13PM +0200, Andreas von Heydwolff wrote:
 partitions. I run tiger and chkrootkit occasionally, i.e. once or twice 
 a week, sometimes not. The firewall box is a small hardened Woody with 
 security updates, the desktop a current SID installation.

Hmmm... I run woody for a few months now, but I have _never_ run tiger
or chkrootkit. I will do so immediately...

Tiger returns clean.
Chkrootkit returns clean.
;-))

 open one of the higher ports for a few hours. Fiddling with
 firestarter/iptables until port forwarding worked was when I shut off 
 the firewall for minutes and once unfortunately a lot longer: I forgot 

I use shorewall, as others have already recommended. I looked into a few
other programs, fwbuilder, ferm, plain iptables... I liked shorewall
best. It guards you from making (stupid) mistakes when scripting your own
firewall, while allowing you to use your favourite text editor to add or
comment out a single rule. No hassles, just protection.

 What I wonder is whether it is potentially dangerous for me to have 
 iptables starting quite slowly on my 133MHz firewall machine, it takes 
 maybe 10 seconds to get all the modules loaded while ntp already picks 
 up the time and a net connection has seemingly already been established. 
 I power down my system almost daily to reduce risks and keep my power 
 bill lower, so there is a certain window almost daily at startup. My IP 
 address is a de facto fixed one from the cable provider.

I have wondered about this too...

Hmmm... Shorewall's default is to start it _way_ after network
services... Anyone knows the debian way to deal with this? Otherwise
I'll probably add an iptables -P DROP in my /etc/network/interfaces. Is
this correct?

 PS will look at Shorewall too

Yes, please do, :-)

David





Re: crack traces in /var ?

2003-07-25 Thread Jaldhar H. Vyas
On Fri, 25 Jul 2003, David Fokkema wrote:

 Hmmm... Shorewall's default is to start it _way_ after network
 services... Anyone knows the debian way to deal with this?

Report it as a bug.  A pretty major one I would say.


-- 
Jaldhar H. Vyas [EMAIL PROTECTED]
La Salle Debain - http://www.braincells.com/debian/





Re: crack traces in /var ?

2003-07-25 Thread Andreas von Heydwolff
Jamin W. Collins wrote:
> On Fri, Jul 25, 2003 at 04:14:58PM -0400, Jaldhar H. Vyas wrote:
>
>> On Fri, 25 Jul 2003, David Fokkema wrote:
>>
>>> Hmmm... Shorewall's default is to start it _way_ after network
>>> services... Anyone knows the debian way to deal with this?
>>
>> Report it as a bug.  A pretty major one I would say.
>
> Should start prior to networking if at all possible or just after
> (potentially even via an if-up.d script).

On my small network when I started the desktop machine with its own
iptables fw before the fw box itself was up, the startup process
stopped, waiting for timeouts. I wonder if this had only to do with ntp
on the desktop machine not being able to connect to the internet
timeserver or actually its iptables not being able to load before the fw
box offered a net connection.







Re: crack traces in /var ?

2003-07-25 Thread Paul Johnson

On Fri, Jul 25, 2003 at 11:24:12AM -0400, Greg Folkert wrote:
 On Fri, 2003-07-25 at 02:54, Andreas von Heydwolff wrote:
  Err, and one more: Should I buy a hardware firewall/router instead of
  fiddling around with iptables as an amateur?
 
 Well, if you dare run Testing or Unstable... (Don't know if it is
 available for Woody) there is a VERY nice package that is called:
 
 fwbuilder

Even easier:  ipmasq

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system



Re: crack traces in /var ?

2003-07-25 Thread Paul Johnson

On Fri, Jul 25, 2003 at 07:49:13PM +0200, Andreas von Heydwolff wrote:
 What I wonder is whether it is potentially dangerous for me to have 
 iptables starting quite slowly on my 133MHz firewall machine, 

Nope, not really.

 And I now wonder whether a powerful thing like iptables is manageable by 
 an amateur with some half knowledge when even professionals have their 
 troubles.

Of course it is.  Not all professionals know what they're doing.

 Or perhaps I am now in the process of learning the hard way 
 that the good enough firewall has to be on at *all* times, no matter what.

No, however, a firewall is not the end-all, be-all of security.  You
don't have a really weak root password or something, do you?

 I also wonder whether a stock Windows98 box is less of a hassle because 
 a friend who is not so security conscious is customer of the same cable 
 provider. 

Oh, hell no.  You think iptables is hard, just *try* securing a
Windows box.  It can't be done.  Windows exists exclusively to live on
firewalled networks.  Microsoft even says this somewhere in their
support knowledge base, trustworthy computing be damned.

 Despite frequent hits on my firewall from the provider's 
 subnet to which he must more or less be subjected too he has never 
 reported anything problematic.

Of course you're going to see traffic on your subnet.  I *really,
really* hate windows-based personal firewalls for instilling the
idea that normal traffic somehow constitutes an attack (and that a
windows box with a program listening on *every* port is somehow more
secure than just shutting off listening services, or the idea that
Windows can be secured from within at all).  Other people use that
subnet, too, and other people need to send broadcasts for DHCP, ARP
and what not...

 Do Linux boxen attract the more skilled attackers?

Yes, but for every skilled attacker, there's thirty of fourty script
kiddies waiting to nail Windows hosts.

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system





Re: crack traces in /var ?

2003-07-25 Thread Paul Johnson

On Fri, Jul 25, 2003 at 11:36:58PM -0500, Jesse Meyer wrote:
> Your goal is to be able to scan your machine (via nmap), and find 
> no unnecessary service listening to the outside interface.  

You're going to want to run nmap from a foreign host to test yourself.

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system





crack traces in /var ?

2003-07-24 Thread Andreas von Heydwolff
Hi all,

Google didn't yield anything specific, so does anyone know what sort of 
crack my desktop machine (NAT behind an up to date woody stable iptables 
firewall) seems to have suffered? Symptoms are

a dir named /var/bobsdata, containing admin.pwd with a string like 
$1$WmspYkT9$POV... and subdirs current/process, containing cmdloop and 
check_loop. I also found a crontab entry

0-59/5 * * * * root /var/bobsdata/current/process/check_loop

My firewall sometimes displays packets to ports that are used by trin00 
and subseven with a DST address of my internal network.

chkrootkit reported nothing unusual.

Tiger gives me about 30 messages about standard binaries such as

--WARN-- [sig004w] None of the following versions of /usr/bin/passwd
 (-rwsr-xr-x) matched the /usr/bin/passwd on this machine.
  Linux 2.0.35

Therefore I cleaned the deb cache, did an apt-get install --reinstall of 
all mentioned packages and still am getting this set of warnings. 
Considering earlier experiences with tiger I wonder if this is a 
Debian-specific tiger problem and a false positive just as the 
complaints about

--FAIL-- [pass009e] Login daemon has a user id of 1.
--FAIL-- [pass009e] Login daemon has a group id of 1.

(Debian default, no?)

and a trace of Hylafax:

--FAIL-- [pass009e] Login faxmaster has more than 8 characters.
--FAIL-- [pass009e] Group faxmaster has more than 8 characters.

Would you think with deleting the /var/bobsdata dir, the crontab entry 
and my --reinstall I have stopped being a DDoS client and can skip a new 
install of my machine? Any ideas appreciated...

Andreas




Re: crack traces in /var ?

2003-07-24 Thread Paul Johnson

On Thu, Jul 24, 2003 at 04:19:46PM +0200, Andreas von Heydwolff wrote:
> Would you think with deleting the /var/bobsdata dir, the crontab entry 
> and my --reinstall I have stopped being a DDoS client and can skip a new 
> install of my machine? Any ideas appreciated...

You've been pretty nicely cracked.  It's time to mkfs over everything
and start from scratch.  Restore /home from the last backup that you
know for sure was made before this started, anything backed up after
that is garbage and shouldn't be used anymore.  Good luck.

-- 
 .''`. Paul Johnson [EMAIL PROTECTED]
: :'  :proud Debian admin and user
`. `'`
  `-  Debian - when you have better things to do than fix a system





/var/bobsdata - a crack?

2003-07-22 Thread Andreas von Heydwolff
On my up-to-date SID machine (cable modem) I recently discovered a 
directory /var/bobsdata that I never in my life created. It contains 
a file admin.pwd with a string like 
$1$WmspYkT9$POV...  as well as subdirectories current/process, containing 
the files cmdloop and check_loop

Crontab had:

0-59/5 * * * * root /var/bobsdata/current/process/check_loop

Of course this looks like a crack to me, but as a rule the 
machine sits behind a hardened firewall based on stable, and the firewall 
usually runs on the machine itself as well. However, the 
firewall sometimes shows trin00 and subseven packets that have the internal 
network address as DST.

Tiger does not run regularly, but it found wrong md5 checksums for a dozen 
or more system files (not Debian 2.0.35 or 
higher, or something like that). However, I got the same messages 
after an apt-get clean and --reinstall of the packages concerned. 
Chkrootkit is not alarmed.

Logins around the time the directory was created are unremarkable.

I googled around for quite a while and found nothing on this particular 
case. Does anyone know such symptoms?

Greetings from Vienna

Andreas v. Heydwolff

--
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (in English)


Re: /var/bobsdata - a crack?

2003-07-22 Thread Philipp Meier
On Tue, Jul 22, 2003 at 06:55:44PM +0200, Andreas von Heydwolff wrote:
> On my up-to-date SID machine (cable modem) I recently discovered a 
> directory /var/bobsdata that I never in my life created. It contains 
> a file admin.pwd with a string like 
> $1$WmspYkT9$POV...  as well as subdirectories current/process, containing 
> the files cmdloop and check_loop

[...]

> Tiger does not run regularly, but it found wrong md5 checksums for a dozen 
> or more system files (not Debian 2.0.35 or 
> higher, or something like that). However, I got the same messages 
> after an apt-get clean and --reinstall of the packages concerned. 
> Chkrootkit is not alarmed.

See also today's thread on a similar topic. Did you run the
checksum verification from the running system? If a
rootkit is installed, it may be able to prevent its detection
through manipulated binaries or even the kernel. To be safe,
you should check this from a boot CD.

-billy.

-- 
Meisterbohne   Meisterbohne GbR, Küfner, Mekle, Meier   Tel: +49-731-399 499-0
   eLösungen   Söflinger Straße 100 Fax: +49-731-399 499-9
   89077 Ulm   http://www.meisterbohne.de/
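
The boot-CD check suggested in the reply above, as an added example that is not part of the original thread: booted from trusted rescue media with the suspect disk mounted read-only, it compares files against the `var/lib/dpkg/info/*.md5sums` lists dpkg keeps. The function names and the miniature root built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def md5_of(path, chunk=1 << 16):
    """MD5 of a file, read in chunks (MD5 because that is what dpkg records)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_offline(root):
    """Compare files under `root` (the suspect disk, mounted read-only from
    rescue media) with the MD5 lists dpkg keeps in var/lib/dpkg/info."""
    info_dir = os.path.join(root, "var", "lib", "dpkg", "info")
    findings = []
    for name in sorted(os.listdir(info_dir)):
        if not name.endswith(".md5sums"):
            continue
        package = name[: -len(".md5sums")]
        with open(os.path.join(info_dir, name), encoding="utf-8",
                  errors="replace") as listing:
            for line in listing:
                expected, sep, rel = line.rstrip("\n").partition("  ")
                if not sep:
                    continue  # blank or malformed line
                target = os.path.join(root, rel.lstrip("/"))
                try:
                    mode = os.lstat(target).st_mode  # lstat: never follow links
                except (FileNotFoundError, NotADirectoryError):
                    findings.append((package, rel, "missing"))
                    continue
                if not stat.S_ISREG(mode):
                    findings.append((package, rel, "not a regular file"))
                elif md5_of(target) != expected:
                    findings.append((package, rel, "modified"))
    return findings


def demo():
    """Build a constructed miniature root, tamper with it, and verify it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"usr/bin/passwd": b"passwd v1", "usr/bin/login": b"login v1",
                 "usr/bin/chfn": b"chfn v1"}
        os.makedirs(os.path.join(root, "usr/bin"))
        os.makedirs(os.path.join(root, "var/lib/dpkg/info"))
        lines = []
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
            lines.append("%s  %s\n" % (hashlib.md5(data).hexdigest(), rel))
        listing = os.path.join(root, "var/lib/dpkg/info/passwd.md5sums")
        with open(listing, "w") as fh:
            fh.writelines(lines)
        # Simulated changes made after "installation".
        with open(os.path.join(root, "usr/bin/passwd"), "ab") as fh:
            fh.write(b" + extra bytes")
        os.remove(os.path.join(root, "usr/bin/login"))
        os.symlink("/bin/sh", os.path.join(root, "usr/bin/login"))
        os.remove(os.path.join(root, "usr/bin/chfn"))
        return verify_offline(root)


if __name__ == "__main__":
    for package, rel, status in demo():
        print("%-8s %-16s %s" % (package, rel, status))
```

The md5sums lists live on the suspect disk too, so a clean result only means the files match lists an intruder could also have edited; comparing against packages fetched from a trusted mirror is the stronger check.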





Re: [OT] half-life won crack

2002-01-27 Thread thecrow
[EMAIL PROTECTED] wrote:
 
> Does anyone know of a WON-crack for half-life 1.0.0.8?
> 
> thanks/regards
> 
> --
> egargiulo(at)ingdesi(dot)net|com
> GnuPG key-id: 1024D / 0x874564ED
> 
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Some people have some nerve...



[OT] half-life won crack

2002-01-21 Thread eduardo . gargiulo
Does anyone know of a WON-crack for half-life 1.0.0.8?

thanks/regards

-- 
egargiulo(at)ingdesi(dot)net|com
GnuPG key-id: 1024D / 0x874564ED



crack and MD5

2001-01-21 Thread Benjamin Pharr
I'm running potato with MD5 password hashing enabled.  Crack works fine 
when used on a system that uses standard crypt().  I would like to run 
crack to test my users' passwords.  I changed the Crack script to gcc 
settings and moved and copied the files I was supposed to for MD5.  When I 
did a ./Crack -makeonly it gives me the following errors (paraphrased):


elcid.c:139: undefined reference to crypt
collect2: ld returned 1 exit status
../run/bin/linux-2-unknown/stdlib-cracker] Error 1
../run/bin/linux-2-unknown/cracker] Error 2
make: *** [utils] Error 1

If anyone out there is familiar with crack, please give me a hand. Thanks!

Ben Pharr



Re: crack and MD5

2001-01-21 Thread Ethan Benson
On Sun, Jan 21, 2001 at 06:23:26PM -0600, Benjamin Pharr wrote:
> I'm running potato with MD5 password hashing enabled.  Crack works fine 
> when used on a system that uses standard crypt().  I would like to run 
> crack to test my users' passwords.  I changed the Crack script to gcc 
> settings and moved and copied the files I was supposed to for MD5.  When I 
> did a ./Crack -makeonly it gives me the following errors (paraphrased):
> 
> elcid.c:139: undefined reference to crypt
> collect2: ld returned 1 exit status
> ../run/bin/linux-2-unknown/stdlib-cracker] Error 1
> ../run/bin/linux-2-unknown/cracker] Error 2
> make: *** [utils] Error 1
> 
> If anyone out there is familiar with crack, please give me a hand. Thanks!

I'm not familiar with crack, but it looks like you need to add -lcrypt
to the compile time arguments.  

or try john the ripper.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




crack?

2000-07-11 Thread Ethan Pierce
Hi all, I wanted to test out crack on my /etc/passwd file...someone told me it 
takes 6 days to run for good passwords.  While my root password is non 
dictionary, will crack work?  I'm very curious about how much a user can gain if 
he/she is able to cat my /etc/passwd



Re: crack?

2000-07-11 Thread Bolan Meek
Ethan Pierce wrote:
 
> Hi all, I wanted to test out crack on my /etc/passwd file...
> someone told me it takes 6 days to run for good passwords.
> While my root password is non dictionary, will crack work?

If it _really_ is non-dictionary, probably not, but I can't
answer for sure without studying if crack will go on from
intelligent cracking methods to the brute force of trying
everything, whether tracked-pseudo-randomly, or in order,
but I doubt so, since that should, theoretically and
statistically speaking, take _much_ longer than only six days.

You'll just have to try it out.

> I'm very curious about how much a user can gain if he/she is
> able to cat my /etc/passwd

The same ability to run crack on it as you do, without having
to guess at login names, as it would be without it.  Plus the
ability to see if any logins have no password, some of which,
if not all, being so, present vulnerabilities.

-- 
[EMAIL PROTECTED] 972-729-5387
[EMAIL PROTECTED] (home phone on request)
http://www.koyote.com/users/bolan
RE: xmailtool http://www.koyote.com/users/bolan/xmailtool/index.html
I am the ILOVEGNU signature virus. Just copy me to your signature.
This email was infected under the terms of the GNU General Public
License.
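
What a reader of /etc/passwd learns, per the reply above (login names, any hashes stored in the file itself, and accounts with no password), as an added audit sketch that is not part of the original thread. The sample entries and their hash strings are constructed, and the function names are illustrative.

```python
import string

# Constructed sample in /etc/passwd format:
# login:password:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
alice:$1$CONSTRUC$0123456789abcdefghijkl:1000:1000::/home/alice:/bin/bash
bob:abJnggxhB/yWI:1001:1001::/home/bob:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
"""

# Characters used by traditional crypt() output.
CRYPT_ALPHABET = set(string.ascii_letters + string.digits + "./")


def classify(field):
    """Classify the second field of a passwd entry."""
    if field == "":
        return "empty"        # account can be entered without a password
    if field == "x":
        return "shadowed"     # hash lives in /etc/shadow, not readable here
    if field[0] in "*!":
        return "locked"       # no valid hash, password login disabled
    if field.startswith("$1$"):
        return "md5-crypt"    # MD5 password hashing
    if len(field) == 13 and set(field) <= CRYPT_ALPHABET:
        return "des-crypt"    # standard 13-character crypt()
    return "unknown"


def audit(passwd_text):
    """Return (login, finding) for every entry that exposes something beyond
    the login name: an unshadowed hash, an empty password, or a bad line."""
    findings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append(("line %d" % lineno, "malformed"))
            continue
        kind = classify(parts[1])
        if kind not in ("shadowed", "locked"):
            findings.append((parts[0], kind))
    return findings


if __name__ == "__main__":
    for login, finding in audit(SAMPLE_PASSWD):
        print("%-8s %s" % (login, finding))
```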



locate/updatedb on crack

2000-06-07 Thread Pat Mahoney
Locate has been acting strangely lately, please have a look:
I just ran updatedb two minutes ago; updatedb.conf appears below.

[EMAIL PROTECTED]:~$ locate /usr/include/libgimp/gimpintl.h
/usr/include/libgimp/gimpintl.h  # ok, it found it

[EMAIL PROTECTED]:~$ locate gimpinit.h   # but not this time?

[EMAIL PROTECTED]:~$ locate /libgimp/gimpintl.h  # good
/usr/include/libgimp/gimpintl.h

[EMAIL PROTECTED]:~$ locate /gimpintl.h  # again
/usr/include/libgimp/gimpintl.h

[EMAIL PROTECTED]:~$ locate gimpintl.h   # ok, now why does it work here?
/usr/include/libgimp/gimpintl.h

[EMAIL PROTECTED]:~$ locate gimpintl.h   # again?
/usr/include/libgimp/gimpintl.h


I'm using two Eterms.  Now it's working in one of them (the one above),
but not the other.  Both seem to work fine except for the other one
now with gimpinitl.h.

The other found gimp.h, which is in the same dir as gimpinit.h.  But
it still can't locate gimpinitl.h.

/etc/updatedb.conf:

# This file sets environment variables which are used by updatedb

# filesystems which are pruned from updatedb database
PRUNEFS="NFS nfs afs proc smbfs autofs auto iso9660 ncpfs coda"
export PRUNEFS
# paths which are pruned from updatedb database
PRUNEPATHS="/tmp /usr/tmp /var/tmp /afs /amd /alex /var/spool"
export PRUNEPATHS
# netpaths which are added
NETPATHS=""
export NETPATHS
 
### end of updatedb.conf ##
-- 
Pat Mahoney  [EMAIL PROTECTED]


I cannot overemphasize the importance of good grammar.
.
What a crock.  I could easily overemphasize the importance of good
grammar.  For example, I could say: Bad grammar is the leading cause
of slow, painful death in North America, or Without good grammar, the
United States would have lost World War II.
-- Dave Barry, An Utterly Absurd Look at Grammar



Re: locate/updatedb on crack

2000-06-07 Thread Pat Mahoney
>> now with gimpinitl.h.
> 
> gimpintl.h != gimpinit.h
> 
>> The other found gimp.h, which is in the same dir as gimpinit.h.  But
>> it still can't locate gimpinitl.h.

Well, that's embarrassing.  Stupid typos...  Maybe I'm dyslexic (is
that spelled right?, ispell flags it, no suggestions though, and I
can't think of anything else)... Yeah, that's it.  To partially save
face, I confused gimpintl.h with gimpinitl.h, not gimpintl.h and
gimpinit.h, although it might not look like that...

-- 
Pat Mahoney  [EMAIL PROTECTED]


I had no shoes and I pitied myself.  Then I met a man who had no feet,
so I took his shoes.
-- Dave Barry



Compiling Crack 5.0a in hamm

1998-05-29 Thread Norbert Veber
Hi..

Today I decided to test the strength of my /etc/passwd, so I went and got
the crack 5.0 source, but it wouldn't compile.  It gave me the following
error:

cracker.c: In function ogger':
cracker.c:108: warning: implicit declaration of function ime'
date  ../../run/bin/linux-2-unknown/libdes-cracker
make[2]: Leaving directory /root/c50a/src/util'
gcc -g -O2 -Wall -DUSE_STRING_H -DUSE_STDLIB_H -DUSE_SIGNAL_H
-DUSE_SYS_TYPES_H -DUSE_UNISTD_H -DUSE_PWD_H -I../lib -o
../../run/bin/linux-2-unknown/dictfilt dictfilt.c elcid.o
../../run/bin/linux-2-unknown/libc5.a 
elcid.o: In function lcid_test':
/root/c50a/src/util/elcid.c:159: undefined reference to rypt'
make[1]: *** [../../run/bin/linux-2-unknown/dictfilt] Error 1
make[1]: Leaving directory /root/c50a/src/util'
make: *** [utils] Error 1

It did compile fine under slackware, so maybe this is a glibc issue, or
maybe I'm missing some *-dev package.

Also what are some thoughts on packaging this beast?  I assume it's not
included with debian as it is considered to be evil.. :)




Re: Compiling Crack 5.0a in hamm

1998-05-29 Thread Norbert Veber
On Fri, May 29, 1998 at 01:04:09AM -0400, Norbert Veber wrote:
> Hi..
> 
> Today I decided to test the strength of my /etc/passwd, so I went and got
> the crack 5.0 source, but it wouldn't compile.  It gave me the following
> error:
> 

I got it to work with the help of #linuxos people, the fix is:
change /src/util/Makefile line 12 to:
CFLAGS= $(XCFLAGS) -I../lib -lcrypt

(just letting you know in case others have had the same problem)




good crack program

1997-11-20 Thread Paul
Hello everybody, is there a good crack program.  I can't seem to find
qcrack.  Can somebody tell me where to find qcrack.
thanks
Paul



--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word unsubscribe to
[EMAIL PROTECTED] . 
Trouble?  e-mail to [EMAIL PROTECTED] .


Re: Crack and cops

1996-11-21 Thread Joe Emenaker
 
>> Pardon my ignorance but what exactly are crack and cops?
> 
> Cops: security checker.

Cops does some cute things. First off, it checks for some obvious things
like, say, your /var/spool/cron/crontabs dir being world-writable or your
hosts.equiv file being world writable, etc.

It's got one really *cute* feature called kuwang, I think. Basically, it's
supposed to find ways that a user can gain root access through a *process*.

For example, let's say we've got three users on the system: A, B, and root.
Let's also say that A's primary group is X but it's also in Z. B's
primary group is Z and is also in the root group.

Further, let us assume that B was careless enough to turn on group write
permissions for his/her .profile. So, we've got something like this:

% ls -l /home/B/.profile
-rwxrwxr-x  B     Z     1534  Jan 17 12:34  .profile

And let us assume the same of root:

% ls -l /root/.profile
-rwxrwxr-x  root  root  2543  Feb 23 16:32  .profile

Well, now, it's possible for user A to gain root privileges. A will be able
to write to B's .profile and, hence, will be able to run anything as B.
This means that A (while running something as B) will be able to write
to root's .profile and will be able to run anything as root.

I know this seems preposterous... like you need this impossible conspiracy of
little misconfigurations to allow for a security hole of this nature... but
it's really not that impossible. Imagine, for example, if you put a certain
user in the www group to allow them to maintain a portion of your web
site. Also imagine that you've added www to the root group so that 
certain CGI scripts will be able to access some files that www doesn't normally
have access to. Well, now you're more than half way there... and you
got there by doing two things that, in themselves, didn't seem all that
unreasonable.

So, to keep a long story from getting any longer, that is what kuwang is
supposed to do. I'm not sure if it really *does*, since it's never found
a hole like that on my machine yet.

- Joe
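
The chained-permission check described in the message above, as an added audit sketch that is not COPS code and not part of the original post: it treats "user can write another user's startup file" as an edge and searches for a chain ending at root. The users, groups and file modes are constructed to mirror the A / B / root scenario, and the function names are illustrative.

```python
from collections import deque
import stat

# Constructed sample data mirroring the A / B / root scenario in the message.
GROUPS = {                      # user -> every group the user belongs to
    "A": {"X", "Z"},
    "B": {"Z", "root"},
    "root": {"root"},
}
STARTUP_FILES = [               # (path, owner, group, mode)
    ("/home/A/.profile", "A", "X", 0o644),
    ("/home/B/.profile", "B", "Z", 0o775),
    ("/root/.profile", "root", "root", 0o775),
]


def can_write(user, groups, owner, group, mode):
    """Classic Unix write check (owner, then group, then other); ACLs ignored."""
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def takeover_edges(groups_by_user, files):
    """Map each user to the (owner, path) pairs whose startup file they can edit."""
    edges = {}
    for user, groups in groups_by_user.items():
        for path, owner, group, mode in files:
            if owner != user and can_write(user, groups, owner, group, mode):
                edges.setdefault(user, []).append((owner, path))
    return edges


def find_chain(start, target, groups_by_user, files):
    """Breadth-first search for the shortest chain of writable startup files
    leading from `start` to `target`; returns None when no chain exists."""
    edges = takeover_edges(groups_by_user, files)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        user, chain = queue.popleft()
        if user == target:
            return chain
        for owner, path in edges.get(user, []):
            if owner not in seen:
                seen.add(owner)
                queue.append((owner, chain + [(user, owner, path)]))
    return None


def exposed_users(target, groups_by_user, files):
    """Every account with some chain to `target`: the permissions to fix first."""
    return sorted(u for u in groups_by_user
                  if u != target and find_chain(u, target, groups_by_user, files))


if __name__ == "__main__":
    for step in find_chain("A", "root", GROUPS, STARTUP_FILES) or []:
        print("%s can act as %s by editing %s" % step)
```

On a real host the two tables would be filled from the passwd and group databases and from `os.stat()` on each account's startup files; clearing the group-write bit on either .profile breaks the chain.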



Re: Crack and cops

1996-11-21 Thread Fabien Ninoles

On Sun, 17 Nov 1996, CoB [EMAIL PROTECTED] (Joe Emenaker) wrote:

 
> I didn't notice crack or cops listed in the Debian 1.1 package listing.
> 
> I ftp'd crack and had trouble compiling it, discovered many others did, too;
> found the glitch and fixed it.
> 
> So, it brings me to an interesting question: Is there a reason why cops
> and crack aren't in a package yet, other than possibly not having a
> maintainer? I figured that people might not like making a package like
> crack quite so plug-n-play, lest the baddie baddies get wind of it.

qcrack is already in debian 1.2 (rex frozen), works well and has a
good dictionary.

> If the only impediment is that they need a maintainer, what do I need to
> do to enlist? (Probably check the FAQ first, huh? Duh!)

Well, the FAQ about maintenance need was posted lately... did you want a
copy? :)


---
 The trick isn't that free software are among the best,
  it's that commercial stuff aren't the best!
---
Fabien Ninoles aka Baffouille   || Running Debian-Linux
[EMAIL PROTECTED]|| Lover of MOO, mountains, 
http://www-edu.gel.usherb.ca/ninf01 || poetry and Freedom.
---



Re: Crack and cops

1996-11-21 Thread Patrick J. Edwards
On Sun, 17 Nov 1996, CoB SysAdmin wrote:

 
> I didn't notice crack or cops listed in the Debian 1.1 package listing.

Both packages would be more than welcome to Debian. However, COPS
would be more important since Debian 1.2 has qcrack (a high speed version of
crack using hashing files). Currently, COPS and Crack are in my to-do list
of packages to Debianize but if you feel an urgent need for them go ahead to
package them.

> I ftp'd crack and had trouble compiling it, discovered many others did, too;
> found the glitch and fixed it.

Yes, Crack is a pain but easily fixed.

> So, it brings me to an interesting question: Is there a reason why cops
> and crack aren't in a package yet, other than possibly not having a
> maintainer? I figured that people might not like making a package like
> crack quite so plug-n-play, lest the baddie baddies get wind of it.

It's not a matter of Debian/Linux not accepting them, it's a matter of
time. Most package developers aren't paid for their time, so it takes awhile
for packages such as COPS and Crack to get packaged.

> If the only impediment is that they need a maintainer, what do I need to
> do to enlist? (Probably check the FAQ first, huh? Duh!)

You got it! :) And good luck should you take on this job. COPS is
going to be a major pain in the *ss to debianize (in my opinion). Let me
know if you decide to take on either package so we don't duplicate our
efforts.

---
LEAR: Into her womb convey sterility!
   Dry up in her the organs on increase... (King Lear)
---
Patrick J. Edwards [EMAIL PROTECTED]
http://www.cs.usask.ca/undergrads/pje120/
http://hup1.usask.ca:8000/
finger [EMAIL PROTECTED] for my PGP Key
Key fingerprint =  9F 45 7D 6E C0 A4 B4 0D  48 C7 14 CA 23 B0 B4 F8



Re: Crack and cops

1996-11-20 Thread Philippe Troin

On Tue, 19 Nov 1996 17:04:52 EST Joe Feenin ([EMAIL PROTECTED]) wrote:

> Pardon my ignorance but what exactly are crack and cops?

Crack: password cracker.
Cops: security checker.

Phil.




Crack and cops

1996-11-18 Thread Joe Emenaker

I didn't notice crack or cops listed in the Debian 1.1 package listing.

I ftp'd crack and had trouble compiling it, discovered many others did, too;
found the glitch and fixed it.

So, it brings me to an interesting question: Is there a reason why cops
and crack aren't in a package yet, other than possibly not having a
maintainer? I figured that people might not like making a package like
crack quite so plug-n-play, lest the baddie baddies get wind of it.

If the only impediment is that they need a maintainer, what do I need to
do to enlist? (Probably check the FAQ first, huh? Duh!)

- Joe



Re: Crack and cops

1996-11-18 Thread Rob Browning
CoB SysAdmin (Joe Emenaker) [EMAIL PROTECTED] writes:

> If the only impediment is that they need a maintainer

Yes.

> , what do I need to do to enlist? (Probably check the FAQ first,
> huh? Duh!)

See the Work Needing and Prospective Packages document.  I'm not sure
where it is kept, but it's posted to one of the lists (debian-devel?)
on a regular basis.  There you can make sure someone else hasn't
claimed it, and can see how to become a maintainer.

Note that there is a new qcrack package.  I don't know how that
relates to crack.

--
Rob



anyone got Crack to work in Debian

1996-10-11 Thread Gerry Jensen
I recently downloaded Crack_4.1 from Sunsite (I couldn't find a Debian
version, there isn't one is there?). When I ran it, I got "Version of
crypt() being used internally is not compatible with standard.
Terminating"

Is this true that Debian crypt() is non-standard? Has anyone got this to
work with Debian? It seemed like there might be other things that needed
to be changed to get it to run, but the crypt thing seemed like the most
serious. I did successfully run Crack a year or so ago on a Linux system.
Don't know what's changed since then.

Gerry
[EMAIL PROTECTED]
