Re: AW: AW: [sqlite] SQLite website hacked

2004-06-25 Thread D. Richard Hipp
Matthias Zirngibl wrote:
>> Arg!  "cvs -v" tells me 1.11.5, which is ancient.  I've been doing
>>
>>    apt-get update
>>    apt-get upgrade
>>
>> which I thought was supposed to keep me up to date with all
>> security patches.  But I guess not
>>
>> Anonymous CVS access has been disabled until I can get this fixed.
>> Somebody please instruct me on the proper way to get security
>> updates for debian
>
> Please post your /etc/apt/sources.list
> Maybe your CVS package is "On Hold" in APT?

apt-upgrade is giving me the following error.  Can
anyone explain?
Setting up util-linux (2.11n-7) ...
dpkg: error processing util-linux (--configure):
 subprocess post-installation script returned error exit status 2
Errors were encountered while processing:
 util-linux
E: Sub-process /usr/bin/dpkg returned an error code (1)
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


Re: AW: AW: [sqlite] SQLite website hacked

2004-06-25 Thread D. Richard Hipp
Matthias Zirngibl wrote:
>> Arg!  "cvs -v" tells me 1.11.5, which is ancient.  I've been doing
>>
>>    apt-get update
>>    apt-get upgrade
>>
>> which I thought was supposed to keep me up to date with all
>> security patches.  But I guess not
>>
>> Anonymous CVS access has been disabled until I can get this fixed.
>> Somebody please instruct me on the proper way to get security
>> updates for debian
>
> Please post your /etc/apt/sources.list
> Maybe your CVS package is "On Hold" in APT?


deb http://ftp.us.debian.org/debian/ stable main non-free
deb-src http://ftp.us.debian.org/debian/ stable main non-free
deb http://non-us.debian.org/debian-non-US stable/non-US main
deb-src http://non-us.debian.org/debian-non-US stable/non-US main
deb http://security.debian.org/ stable/updates main


--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565


Re: [sqlite] SQLite website hacked

2004-06-25 Thread D. Richard Hipp
Cesare D'Amico wrote:
> Did you update your kernel (and reboot) recently? Various
> vulnerabilities have been discovered during the last months (debian
> network has been cracked too, some months ago).

Kernel version 2.4.26 up 26 days.  Attack was 3 days ago.
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565


Re: [sqlite] SQLite website hacked

2004-06-25 Thread D. Richard Hipp
Marco Bambini wrote:
> On 25/giu/04, at 17:34, D. Richard Hipp wrote:
>> 3 days ago, somebody broke into the SQLite website and
>> defaced the CVSTrac homepage.  (www.cvstrac.org and www.sqlite.org
>> share the same machine.)
>
> You are not alone:
> http://www.zone-h.org/en/defacements/filter/filter_defacer=Russel-Aid/
> Details at:
> http://www.zone-h.org/en/defacements/filter/filter_ip=64.5.53.192/
>
> Unfortunately there is no information about the kind of attack...

The second link alerted me to another file that contained the
attack:  http://www.sqlite.org/index2.html

This supports my theory that the attack came in through CVS.
The main index page "index.html" is owned by root.  The attacker
could not overwrite it, so they created an alternative page at
index2.html.  So the boast that the machine was rooted appears
to be just that - a boast.  In fact, the attacker was only able
to become the CVS user.

Who can help me move CVS into a chroot jail?
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565


AW: AW: AW: [sqlite] SQLite website hacked

2004-06-25 Thread Matthias Zirngibl
> apt-upgrade is giving me the following error.  Can anyone explain?
> 
> 
> Setting up util-linux (2.11n-7) ...
> dpkg: error processing util-linux (--configure):
>  subprocess post-installation script returned error exit status 2
> Errors were encountered while processing:
>  util-linux
> E: Sub-process /usr/bin/dpkg returned an error code (1)

Hard to tell what causes this. You could set this package temporarily on
hold, so that at least cvs is updated:
echo util-linux hold | dpkg --set-selections





Re: AW: [sqlite] SQLite website hacked

2004-06-25 Thread Michael Roth
D. Richard Hipp wrote:
> Arg!  "cvs -v" tells me 1.11.5, which is ancient.  I've been doing
>
>    apt-get update
>    apt-get upgrade
>
> which I thought was supposed to keep me up to date with all security
> patches.  But I guess not

For Debian 'woody' the latest cvs is 1.11.1p1, for Debian 'sarge' the
latest is 1.12.9.

Check out: http://www.debian.org/security/2004/dsa-519

> Somebody please instruct me on the proper way to get security
> updates for debian

For Debian 'woody' the config file /etc/apt/sources.list should contain:

  deb http://security.debian.org/ woody/updates main contrib non-free

For Debian 'sarge':

  deb http://security.debian.org/ sarge/updates main contrib non-free

For Debian 'sarge', please note the quote from:
http://www.debian.org/releases/index.en.html

"...the main disadvantage is that it's not completely tested and has no
official support from Debian security team."

You really shouldn't install anything later than Debian 'woody' (3.0) on a
public server on the internet, because that's a security risk...

cu
Michael



Re: AW: [sqlite] SQLite website hacked

2004-06-25 Thread Derrell . Lipman
"D. Richard Hipp" <[EMAIL PROTECTED]> writes:

> Somebody please instruct me on the proper way to get security
> updates for debian

Be sure you have the following line in /etc/apt/sources.list prior to
doing "apt-get update ; apt-get upgrade"

  deb http://security.debian.org/ stable/updates main contrib non-free

If you already have that in your sources.list file, then there's something more
seriously wrong (possibly it's "pinned" at the old version?)  Someone else
will have to tell you how to determine if you've inadvertently pinned cvs to
an old version, and how to unpin it; I don't recall how.

Derrell
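
The three checks the replies above ask for (a security.debian.org line in sources.list, a package set on hold, a pinned package), as an added shell example that is not part of any poster's message. The function names and the sample file contents are constructed for illustration; on a live system the inputs would be /etc/apt/sources.list, the output of `dpkg --get-selections`, and /etc/apt/preferences.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not from the thread.

# Print the suite of each active "deb" line that points at security.debian.org.
security_suites() {
    awk '$1 == "deb" && $2 ~ /^[a-z]+:\/\/security\.debian\.org\// { print $3 }' "$1"
}

# Read `dpkg --get-selections` output on stdin; print the packages marked "hold".
held_packages() {
    awk '$2 == "hold" { print $1 }'
}

# Print the Pin lines an apt preferences file ($1) applies to package $2.
pins_for() {
    awk -v pkg="$2" '
        /^Package:/ { hit = 0; for (i = 2; i <= NF; i++) if ($i == pkg || $i == "*") hit = 1 }
        /^Pin/ && hit { print }
        /^$/ { hit = 0 }
    ' "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sources.list: security line present, one entry commented out.
    printf '%s\n' \
        'deb http://ftp.us.debian.org/debian/ stable main non-free' \
        '# deb http://security.debian.org/ sarge/updates main' \
        'deb http://security.debian.org/ woody/updates main contrib non-free' \
        > "$dir/sources.list"
    # Constructed preferences file that pins cvs to an old version.
    printf '%s\n' 'Package: cvs' 'Pin: version 1.11.5*' 'Pin-Priority: 1001' \
        '' 'Package: util-linux' 'Pin: release a=stable' 'Pin-Priority: 500' \
        > "$dir/preferences"
    echo "security suites: $(security_suites "$dir/sources.list")"
    # Constructed input in the two-column format dpkg --get-selections prints.
    echo "on hold: $(printf 'cvs\thold\nutil-linux\tinstall\n' | held_packages)"
    echo "pins for cvs: $(pins_for "$dir/preferences" cvs | tr '\n' ' ')"
    rm -rf "$dir"
}
demo
```

An empty result from `security_suites` means no security archive is configured; any output from `held_packages` or `pins_for` names a package that `apt-get upgrade` will leave at its current version.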




AW: AW: [sqlite] SQLite website hacked

2004-06-25 Thread Matthias Zirngibl
> Arg!  "cvs -v" tells me 1.11.5, which is ancient.  I've been doing
> 
> apt-get update
> apt-get upgrade
> 
> which I thought was supposed to keep me up to date with all 
> security patches.  But I guess not
> 
> Anonymous CVS access has been disabled until I can get this fixed.
> 
> Somebody please instruct me on the proper way to get security 
> updates for debian

Please post your /etc/apt/sources.list

Maybe your CVS package is "On Hold" in APT?





[sqlite] SQLite website hacked

2004-06-25 Thread kenneth long
I recall, recently the CVS website posting a "security
bulletin".  They had to entirely rebuild their site.
This was because the pserver (cvs background server)
had a serious security flaw that allowed an attacker
to run commands on the host.  Here is a link to the
details!!!

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0396

Ken








Re: [sqlite] SQLite website hacked

2004-06-25 Thread Cesare D'Amico
At 17:34, Friday 25 June 2004, D. Richard Hipp wrote:
> Anybody have any clues how an attacker might have gotten in?
> Does anybody have any advice on how best to secure the system?

Did you update your kernel (and reboot) recently? Various 
vulnerabilities have been discovered during the last months (debian 
network has been cracked too, some months ago).

-- 
Cesare D'Amico - Key on pgp.mit.edu, ID 92802693
http://cesaredamico.com  ~  http://phpday.it  ~  http://verona.linux.it/
I've put away some advice, they say it's easier,          | Liga,
I put it away because I'm great at making mistakes myself | Ho messo via




AW: [sqlite] SQLite website hacked

2004-06-25 Thread Matthias Zirngibl
> On 25/giu/04, at 17:34, D. Richard Hipp wrote:
> 
> > 3 days ago, somebody broke into the SQLite website and defaced the
> > CVSTrac homepage.  (www.cvstrac.org and www.sqlite.org share the same
> > machine.)
> 
> You are not alone: 
> http://www.zone-h.org/en/defacements/filter/filter_defacer=Russel-Aid/
> Details at: 
> http://www.zone-h.org/en/defacements/filter/filter_ip=64.5.53.192/
> 

If you look on this site you see this entry:
2004/06/24 Russel-Aid Hcvs.designcommunity.com FreeBSD 

Looks like a CVS-server. Besides that it's FreeBSD, so it is unlikely a
Linux flaw. Which version of CVS were you using at the time of the attack?





Re: [sqlite] SQLite website hacked

2004-06-25 Thread Marco Bambini
On 25/giu/04, at 17:34, D. Richard Hipp wrote:
> 3 days ago, somebody broke into the SQLite website and
> defaced the CVSTrac homepage.  (www.cvstrac.org and www.sqlite.org
> share the same machine.)

You are not alone: 
http://www.zone-h.org/en/defacements/filter/filter_defacer=Russel-Aid/
Details at: 
http://www.zone-h.org/en/defacements/filter/filter_ip=64.5.53.192/

Unfortunately there is no information about the kind of attack...
Marco Bambini


Re: [sqlite] SQLite website hacked

2004-06-25 Thread Louis P. Santillan
It looks like you were not the only person to have
their webserver hacked.
Since you are running an "atypical" web server,
chances are the cracker got in with either a Linux
root kit, a ssh flaw, or a CVS flaw (Linux and CVS
have security alerts that were sent out in the last 10
days or so).

The only other reference I found of Russel-l-Aid  was
this Italian site.

Louis

--- "D. Richard Hipp" <[EMAIL PROTECTED]> wrote:
> 3 days ago, somebody broke into the SQLite website and
> defaced the CVSTrac homepage.  (www.cvstrac.org and www.sqlite.org
> share the same machine.)
> 
> I do not know how the attacker got in.  The message left
> on the homepage of www.cvstrac.org was "Rooted by Russel-Aid".
> 
> www.sqlite.org runs a minimal Debian 3.0.  qmail is used for
> the mailing list.  CVS is running.  The web server is a custom
> implementation running in a chroot jail.  CVSTrac runs in a chroot
> jail.  And sshd is running.  There is a private chat server written
> in TCL running on an unpublished port. Nothing else. I keep the system
> updated at all times with the latest Debian security patches.
> In particular, the most recent CVS patches have been installed.
> 
> Anybody have any clues how an attacker might have gotten in?
> Does anybody have any advice on how best to secure the system?
> 
> I'm up to my eyeballs with SQLite version 3 right now.  Anybody
> with the time, skills, and inclination to help fix this is
> welcomed to volunteer by calling me at the phone number below.
> 
> Thanks.
> -- 
> D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565







[sqlite] SQLite website hacked

2004-06-25 Thread D. Richard Hipp
3 days ago, somebody broke into the SQLite website and
defaced the CVSTrac homepage.  (www.cvstrac.org and www.sqlite.org
share the same machine.)

I do not know how the attacker got in.  The message left
on the homepage of www.cvstrac.org was "Rooted by Russel-Aid".

www.sqlite.org runs a minimal Debian 3.0.  qmail is used for
the mailing list.  CVS is running.  The web server is a custom
implementation running in a chroot jail.  CVSTrac runs in a chroot
jail.  And sshd is running.  There is a private chat server written
in TCL running on an unpublished port. Nothing else. I keep the system
updated at all times with the latest Debian security patches.
In particular, the most recent CVS patches have been installed.

Anybody have any clues how an attacker might have gotten in?
Does anybody have any advice on how best to secure the system?

I'm up to my eyeballs with SQLite version 3 right now.  Anybody
with the time, skills, and inclination to help fix this is
welcomed to volunteer by calling me at the phone number below.

Thanks.
--
D. Richard Hipp -- [EMAIL PROTECTED] -- 704.948.4565