hi ya nick/jim
On Tue, 3 Feb 2004, Nick Boyce wrote:
> On Mon, 2 Feb 2004 18:28:31 -0800 (PST), Alvin Oga wrote:
>
> >On Mon, 2 Feb 2004, Johannes Graumann wrote:
> >
> >> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> >> At this point I believe to be able to attribute this to port
On Tue, 03 Feb 2004 03:50:06 +0100,
Alvin Oga <[EMAIL PROTECTED]> wrote:
>
> hi ya johannes
>
> On Mon, 2 Feb 2004, Johannes Graumann wrote:
>
>> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
>> At this point I believe to be able to attrib
Noah Meyerhans wrote:
> Those ports are not showing up as open. 'Filtered' does not mean open.
> If you run 'iptables -A INPUT -p tcp --dport 1524 -j REJECT' you'll get
> this exact behavior, with nothing listening on these ports.
No, with REJECT they would show up as "closed". DROP produces
"f
On Mon, 2 Feb 2004 18:28:31 -0800 (PST), Alvin Oga wrote:
>On Mon, 2 Feb 2004, Johannes Graumann wrote:
>
>> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
>> At this point I believe to be able to attribute this to portsentry
>> running - '/etc/init.d/portsentry stop' makes it go away,
hi ya johannes
On Mon, 2 Feb 2004, Johannes Graumann wrote:
> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> At this point I believe to be able to attribute this to portsentry
> running - '/etc/init.d/portsentry stop' makes it go away,
> '/etc/init.d/portsentry start' makes it reapp
Hello again,
Here is what I make of my evidence at the end of a quite anxious day. I
would highly appreciate any comments on my conclusions!
> > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
At this point I believe to be able to attribute this to portsentry
running - '/etc/init.d/portsent
On Mon, Feb 02, 2004 at 05:58:29PM -0500, Noah Meyerhans wrote:
>On Mon, Feb 02, 2004 at 02:54:33PM -0800, Alvin Oga wrote:
>> > If you run 'iptables -A INPUT -p tcp --dport 1524 -j REJECT' you'll get
>> > this exact behavior, with nothing listening on these ports.
>>
>> and am wondering, why expl
hi ya noah
On Mon, 2 Feb 2004, Noah Meyerhans wrote:
> On Mon, Feb 02, 2004 at 02:54:33PM -0800, Alvin Oga wrote:
> > > If you run 'iptables -A INPUT -p tcp --dport 1524 -j REJECT' you'll get
> > > this exact behavior, with nothing listening on these ports.
> >
> > and am wondering, why explici
On Mon, Feb 02, 2004 at 10:59:11PM +0100, Andreas Schmidt wrote:
> >> =-=-=-=-=-=-=-=-=-=-=-=-=-
> >> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
> >
That's normal, it's been discussed here before. It just needs to be added to
logcheck patterns, a bug should be filed.
> >'tiger' also
hi ya noah
On Mon, 2 Feb 2004, Noah Meyerhans wrote:
> On Mon, Feb 02, 2004 at 02:06:41PM -0800, Alvin Oga wrote:
> > > > 'nmap' to those ports gives me:
> > > >
> > > >>PORT STATE SERVICE
> > > >>1524/tcp filtered ingreslock
> > > >>31337/tcp filtered Elite
> >
> > turn off those por
On Tue, 3 Feb 2004 09:55:04 +1300 (NZDT)
"TiM" <[EMAIL PROTECTED]> wrote:
>
> > Hello,
> >
> > As of this morning two of my machines - which are regularly
> > contacted through ssh from each other - showed this message upon
> > 'chkrootkit':
> >> Checking 'bindshell'... INFECTED [PORTS: 1524 3133
On Mon, Feb 02, 2004 at 02:54:33PM -0800, Alvin Oga wrote:
> > If you run 'iptables -A INPUT -p tcp --dport 1524 -j REJECT' you'll get
> > this exact behavior, with nothing listening on these ports.
>
> and am wondering, why explicitly reject those ports and not
> explicitly reject other ports that
On Mon, Feb 02, 2004 at 02:06:41PM -0800, Alvin Oga wrote:
> > > 'nmap' to those ports gives me:
> > >
> > >>PORT STATE SERVICE
> > >>1524/tcp filtered ingreslock
> > >>31337/tcp filtered Elite
>
> turn off those ports ... kill ingress and whatever uses elite
>
> and keep poking around
hi ya Johannes
if you ( a debian box?? ) have been hacked .. other hosts are equally
susceptible .. finding out what is going on is important
On Sun, 1 Feb 2004, Eric Nelson wrote:
> Yep, it definitely looks like you're hacked with those ports open unless
hummm... i'm not as sure .. so i'd l
On 2004.02.02 21:08, Johannes Graumann wrote:
Hello,
Checksecurity reports this:
> Security Violations for su
> =-=-=-=-=-=-=-=-=-=-=-=-=-
> Feb 2 06:33:11 server_name su[16863]: + ??? root:nobody
'tiger' also reports - while performing signature check of system
binaries, that /bin/ping, /usr/
Yep, it definitely looks like you're hacked with those ports open unless
you've installed something that uses them. I'd look into those hidden
processes also but I know there's a problem with procfs or something
that causes some hidden pid's 2-5 or something.
check out http://www.soohrt.org/st
Hi,
I have written the following mail to the debian-gnome-gtk mailing list,
but I got no answer. I hope that I have more luck at the
debian-security list ;)
> I have a really annoying problem with GnuPG and Gnome2/GTK2. I think,
> but I'm not sure, that since I have upgraded from Gnome2.2 to Gn
I'm Soroush.
I live in Iran.
I need information about telnet to complete a university project.
Please help me.
Thanks,
goodbye
Hello,
As of this morning two of my machines - which are regularly contacted
through ssh from each other - showed this message upon 'chkrootkit':
> Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> Checking 'lkm'... You have 4 processes hidden for ps command
The latter happened to me before a
* Quoting Maria Rodriguez ([EMAIL PROTECTED]):
> That appears to be klecker.debian.org which isn't currently responding to
> pings, which in itself isn't scary, but it looks as though it may have been
> inaccessible for a few days now.
>
> Does anyone know what's going on?
http://lists.debian.
On Mon, 2004-02-02 at 09:51, Maria Rodriguez wrote:
> Am I the only one who is having difficulties reaching security.debian.org? I
> manage a few Debian machines here in Florida as well as Southern Georgia and
> all of them seem to be timing out when trying to reach that server:
>
> Err http://
004 http://www.debian.org/News/2004/20040202
Security Host Downtime
Yesterday around 15:00 UTC we the host klecker.debian.org crashed.
Unfortunately, it didn't react on the serial console and to a remotely
issued pow
On Mon, Feb 02, 2004 at 09:51:02AM -0800, Maria Rodriguez wrote:
> Does anyone know what's going on?
http://lists.debian.org/debian-news/debian-news-2004/msg5.html
regards
fEnIo
--
_ Bartosz Feński aka fEnIo | mailto:[EMAIL PROTECTED] |
pgp:0x13fefc40
_|_|_32-050 Skawina -
Am I the only one who is having difficulties reaching security.debian.org? I
manage a few Debian machines here in Florida as well as Southern Georgia and
all of them seem to be timing out when trying to reach that server:
Err http://security.debian.org woody/updates/main Packages
Could not co
Hans Spaans wrote:
> 'dig . ns @ > /etc/bind/db.root' can give you a new db.root
> file for your nameserver. If its wise? Yes and no, your db.root must
> contain valid data, but to take a random nameserver, that is not wise.
Most resolvers return an empty additional section anyway, which limits
> Is there some way to override this? :-)
You can edit packets on your firewall ( something along the lines of
iptables -t mangle -p tcp --dport 22 -j TOS --set-tos Minimize-Delay ),
but in general it's not a good idea ( you don't want your bulk traffic
eating your interactive sessions ).
--
Da