From owner-freebsd-security Sun Aug 9 11:15:29 1998
Date: Sun, 9 Aug 1998 13:14:03 -0500 (CDT)
From: Jay Nelson <jdn@acp.qiv.com>
To: freebsd-security@FreeBSD.ORG
Subject: What are these connect attempts?

These all seem to come from isi.net:

Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33507 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33508 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33509 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33495 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33515 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33495 from 204.152.166.71:43908
Connection attempt to UDP 205.238.142.73:33496 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33516 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33496 from 204.152.166.71:43908
Connection attempt to UDP 205.238.142.73:33497 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33517 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33497 from 204.152.166.71:43908
Connection attempt to UDP 205.238.142.73:33498 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33518 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33498 from 204.152.166.71:43908
Connection attempt to UDP 205.238.142.73:33518 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33498 from 204.152.166.71:43908
Connection attempt to UDP 205.238.142.73:33499 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33519 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33499 from 204.152.166.71:43908

I'm curious about the high port numbers, although I wonder if these
are the only ones I'm seeing. What does this mean?

Thanks

-- Jay

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Aug 9 11:55:05 1998
From: sthaug@nethelp.no
To: jdn@acp.qiv.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: Your message of "Sun, 9 Aug 1998 13:14:03 -0500 (CDT)"
Date: Sun, 09 Aug 1998 20:54:36 +0200
Message-ID: <12556.902688876@verdi.nethelp.no>

> These all seem to come from isi.net:
>
> Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
> Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
...
> I'm curious about the high port numbers, although I wonder if these
> are the only ones I'm seeing. What does this mean?

traceroute.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Aug 9 11:57:57 1998
Date: Sun, 09 Aug 1998 20:54:17 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Jay Nelson <jdn@acp.qiv.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: Your message of "Sun, 09 Aug 1998 13:14:03 CDT."
Message-ID: <951.902688857@critter.freebsd.dk>

probably traceroute...
In message , Jay Nelson writes:
> These all seem to come from isi.net:
>
> Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
> Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
> [... remaining 20 lines identical to the original message above ...]
>
> I'm curious about the high port numbers, although I wonder if these
> are the only ones I'm seeing. What does this mean?
>
> Thanks
>
> -- Jay

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Sun Aug 9 12:02:25 1998
Date: Sun, 9 Aug 1998 14:01:33 -0500 (CDT)
From: Jay Nelson <jdn@acp.qiv.com>
To: sthaug@nethelp.no
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: <12556.902688876@verdi.nethelp.no>

On Sun, 9 Aug 1998 sthaug@nethelp.no wrote:

>> These all seem to come from isi.net:
>>
>> Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
>> Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
> ...
>> I'm curious about the high port numbers, although I wonder if these
>> are the only ones I'm seeing. What does this mean?
>
> traceroute.

Did that.
Except for the 195.8.97.66, which is ns5.isi.net, they all seem to come
from shortcut.???.isi.net. They all trace back to a running machine. What
are they looking for and what do they expect to find at those high port
numbers?

> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

-- Jay

From owner-freebsd-security Sun Aug 9 12:09:18 1998
Date: Sun, 09 Aug 1998 21:08:55 +0200
From: sthaug@nethelp.no
To: jdn@acp.qiv.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: Your message of "Sun, 9 Aug 1998 14:01:33 -0500 (CDT)"
Message-ID: <12622.902689735@verdi.nethelp.no>

> > traceroute.
>
> Did that.

I guess I was a bit terse. What *you* are seeing is somebody running
traceroute against your machine.

> Except for the 195.8.97.66, which is ns5.isi.net, they all
> seem to come from shortcut.???.isi.net. They all trace back to a
> running machine. What are they looking for and what do they expect to
> find at those high port numbers?

That's precisely the point - they *don't* expect to find anything at
those high port numbers on your machine.
The high port numbers are used to minimize the probability that traceroute
will collide with a running application.

traceroute normally starts at port (32768 + 666) and runs up from there.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Aug 9 12:30:56 1998
Date: Sun, 9 Aug 1998 14:16:34 -0500 (CDT)
From: Jay Nelson <jdn@acp.qiv.com>
To: sthaug@nethelp.no
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: <12622.902689735@verdi.nethelp.no>

Ahh.. I understand. Thanks.

-- Jay

On Sun, 9 Aug 1998 sthaug@nethelp.no wrote:

>> > traceroute.
>>
>> Did that.
>
> I guess I was a bit terse. What *you* are seeing is somebody running
> traceroute against your machine.
>
>> Except for the 195.8.97.66, which is ns5.isi.net, they all
>> seem to come from shortcut.???.isi.net. They all trace back to a
>> running machine. What are they looking for and what do they expect to
>> find at those high port numbers?
>
> That's precisely the point - they *don't* expect to find anything at
> those high port numbers on your machine. The high port numbers are used
> to minimize the probability that traceroute will collide with a running
> application.
>
> traceroute normally starts at port (32768 + 666) and runs up from there.
>
> Steinar Haug, Nethelp consulting, sthaug@nethelp.no

From owner-freebsd-security Sun Aug 9 13:35:54 1998
Date: Sun, 9 Aug 1998 15:33:43 -0500 (CDT)
From: john <john@unt.edu>
To: j@lumiere.net (Jesse)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network Watcher Program
In-Reply-To: from Jesse at "Aug 9, 98 12:40:59 pm"
Message-Id: <199808092033.PAA05920@leonardo.cascss.unt.edu>

>
> Hi John,
>
> Could you email me the port of the netwatcher program as an attachment?
> I can't get the one below to decode. Thanks!
:) Ok, try ftp://www.cas.unt.edu/pub/unix/netwatcher.tgz

From owner-freebsd-security Sun Aug 9 13:37:51 1998
Date: Sun, 9 Aug 1998 15:35:42 -0500 (CDT)
From: john <john@unt.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?
In-Reply-To: from Jay Nelson at "Aug 9, 98 02:16:34 pm"
Message-Id: <199808092035.PAA05938@leonardo.cascss.unt.edu>

> >> > traceroute.
> >>
> >> Did that.
> >
> > I guess I was a bit terse. What *you* are seeing is somebody running
> > traceroute against your machine.
> >
> > traceroute normally starts at port (32768 + 666) and runs up from there.

Some NFS traffic uses somewhat random port #'s as well.
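As an added illustration of Steinar's explanation (this is not code from anyone in the thread), the following Python script parses the kernel's log_in_vain lines quoted above, groups them by source address and source port, and labels a group as a traceroute run when its destination ports all sit in the range starting at 32768 + 666 and never go backwards. The hop estimate assumes classic BSD probe numbering (three probes per hop, first probe at base+1), the 64-hop ceiling is an assumption, and the final sample line is constructed; whatever the heuristic cannot match is left unclassified for a human to look at.

```python
import re
from collections import defaultdict

# Format of FreeBSD's net.inet.udp.log_in_vain kernel message, as quoted in the thread.
LINE_RE = re.compile(
    r"Connection attempt to UDP (?P<dst>[\d.]+):(?P<dport>\d+)"
    r" from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# BSD traceroute's default first destination port (Steinar's 32768 + 666).
TRACEROUTE_BASE = 32768 + 666
# Assumption: three probes per hop and a generous 64-hop ceiling bound the port range.
PROBES_PER_HOP = 3
MAX_HOPS = 64
TRACEROUTE_MAX = TRACEROUTE_BASE + MAX_HOPS * PROBES_PER_HOP

# Lines taken from the original message above, plus one constructed non-traceroute probe
# (the 10.0.0.5 line) so that the "unclassified" path is exercised too.
SAMPLE_LOG = """\
Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33507 from 195.8.97.66:38025
Connection attempt to UDP 205.238.142.73:33495 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33515 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33496 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:33516 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33518 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33518 from 205.216.163.23:56835
Connection attempt to UDP 205.238.142.73:33497 from 206.251.8.22:39946
Connection attempt to UDP 205.238.142.73:137 from 10.0.0.5:1025
"""


def parse(line):
    """Return (src, sport, dst, dport) for a log_in_vain line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def estimate_hop(dport):
    """Hop (TTL) a probe to `dport` belonged to, assuming classic BSD numbering:
    the first probe goes to base+1 and each hop uses PROBES_PER_HOP consecutive ports."""
    return max(1, (dport - TRACEROUTE_BASE - 1) // PROBES_PER_HOP + 1)


def classify(lines):
    """Group probes by (src, sport) and label each group.

    traceroute keeps one source port for the whole run and walks the destination
    port upward from TRACEROUTE_BASE, so a group whose ports all fall in that range
    and never decrease is labelled ("traceroute", first_hop_seen).  Anything else is
    ("unclassified", None) and deserves a look: this is a heuristic, and the
    signature is easy for other software to resemble.
    """
    groups = defaultdict(list)
    for line in lines:
        p = parse(line)
        if p is not None:
            src, sport, _dst, dport = p
            groups[(src, sport)].append(dport)
    verdicts = {}
    for key, ports in groups.items():
        in_range = all(TRACEROUTE_BASE <= p <= TRACEROUTE_MAX for p in ports)
        monotonic = all(b >= a for a, b in zip(ports, ports[1:]))
        if in_range and monotonic:
            verdicts[key] = ("traceroute", estimate_hop(ports[0]))
        else:
            verdicts[key] = ("unclassified", None)
    return verdicts


if __name__ == "__main__":
    for (src, sport), (label, hop) in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        extra = "" if hop is None else " (we are roughly hop %d from them)" % hop
        print("%s:%d  %s%s" % (src, sport, label, extra))
```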
From owner-freebsd-security Mon Aug 10 01:56:37 1998
Date: 10 Aug 1998 10:55:18 +0200
From: dag-erli@ifi.uio.no (Dag-Erling Coidan Smørgrav)
To: "Matthew D. Fuller"
Cc: dg@root.com, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
References: <199808072337.RAA13808@lariat.lariat.org> <199808080135.SAA00798@implode.root.com> <19980808013456.49685@futuresouth.com>
In-Reply-To: "Matthew D. Fuller"'s message of "Sat, 8 Aug 1998 01:34:56 -0500"
Organization: University of Oslo, Department of Informatics

"Matthew D. Fuller" writes:
> On sendmail on one machine (sendmail -q run out of cron) and on

Why do you do that? Doesn't 'sendmail -bd -qxx' do the job?

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Mon Aug 10 03:14:43 1998
Date: Mon, 10 Aug 1998 12:13:57 +0200 (CEST)
From: Michael Elbel <Michael.Elbel@consol.de>
To: security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-Id: <199808101013.MAA09930@fourier.int.consol.de>
References: <199808080403.VAA05702@burka.rdy.com>
Reply-To: me@FreeBSD.ORG

In lists.freebsd.security you write:

> David Greenman writes:
[...]
>> Corruption is probably not the right word. There might be a bug where a
>> page is seen as modified when it isn't, causing the modify date to get
>> updated. The only way to be certain is to compare the binary with your
>> backup (e.g. if installed from CDROM, then with the copy on the CDROM). I
>> haven't personally seen this happen in more than a year, so if the bug is
>> still there, it must be fairly rare.

> We usually get this bug once in two weeks. But since file by itself
> stays the same and machine doesn't crash, fixing/finding the problem
> wasn't in our TODO list.

Same here. I've seen it twice in the last four weeks on one of two
absolutely identical machines we use as firewall bastions running -STABLE
from end of April.
Michael
--
 \|/
 -O-  Michael Elbel, ConSol* GmbH, - me@consol.de - 089 / 45841-128
 /|\  Fermentation fault (coors dumped)

From owner-freebsd-security Mon Aug 10 04:27:13 1998
Date: Mon, 10 Aug 1998 05:26:12 -0600
From: Brett Glass <brett@lariat.org>
To: security@FreeBSD.ORG
Subject: When does login exit with sig 3?
Message-Id: <199808101126.FAA04099@lariat.lariat.org>

Just saw these in the log. Are these just timeouts? Or a sign of an attack?
> pid 27338 (login), uid 0: exited on signal 3
> pid 2123 (login), uid 0: exited on signal 3

From owner-freebsd-security Mon Aug 10 05:22:27 1998
Date: Mon, 10 Aug 1998 15:20:29 +0300
From: Ruslan Ermilov <ru@ucb.crimea.ua>
To: Brett Glass <brett@lariat.org>, security@FreeBSD.ORG
Subject: Re: When does login exit with sig 3?
Message-ID: <19980810152029.A4948@ucb.crimea.ua>
References: <199808101126.FAA04099@lariat.lariat.org>
In-Reply-To: <199808101126.FAA04099@lariat.lariat.org>; from Brett Glass on Mon, Aug 10, 1998 at 05:26:12AM -0600
X-Operating-System: FreeBSD 2.2.7-STABLE i386

On Mon, Aug 10, 1998 at 05:26:12AM -0600, Brett Glass wrote:
> Just saw these in the log. Are these just timeouts? Or a sign of an attack?
>
> > pid 27338 (login), uid 0: exited on signal 3
> > pid 2123 (login), uid 0: exited on signal 3
>
This was fixed by Bruce Evans on Friday, July 31, 1998 in revision
1.12.2.11 of src/usr.bin/login/login.c

Please take a look at the following problem report:
http://www.freebsd.org/cgi/query-pr.cgi?pr=7444

HTH,
--
Ruslan Ermilov              Sysadmin and DBA of the
ru@ucb.crimea.ua            United Commercial Bank
+380.652.247.647            Simferopol, Ukraine
http://www.FreeBSD.org      The Power To Serve
http://www.oracle.com       Enabling The Information Age

From owner-freebsd-security Mon Aug 10 07:03:51 1998
Date: Mon, 10 Aug 1998 07:03:15 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: Jay Nelson <jdn@acp.qiv.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: What are these connect attempts?

These are traceroute packets IMHO. Safe to ignore.

-- Yan

Jan Koum  www.best.com/~jkb  jkb@best.com | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve     | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

On Sun, 9 Aug 1998, Jay Nelson wrote:

> These all seem to come from isi.net:
>
> Connection attempt to UDP 205.238.142.73:33505 from 195.8.97.66:38025
> Connection attempt to UDP 205.238.142.73:33506 from 195.8.97.66:38025
> [... remaining 20 lines identical to the original message above ...]
>
> I'm curious about the high port numbers, although I wonder if these
> are the only ones I'm seeing. What does this mean?
>
> Thanks
>
> -- Jay

From owner-freebsd-security Mon Aug 10 09:08:39 1998
Date: Mon, 10 Aug 1998 11:08:00 -0500
From: "Matthew D. Fuller" <fullermd@futuresouth.com>
To: Dag-Erling Coidan Smørgrav
Cc: FreeBSD-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Message-ID: <19980810110800.21231@futuresouth.com>
References: <199808072337.RAA13808@lariat.lariat.org> <199808080135.SAA00798@implode.root.com> <19980808013456.49685@futuresouth.com>
In-Reply-To: <xzpn29dkyh5.fsf@hel.ifi.uio.no>; from Dag-Erling Coidan Smørgrav on Mon, Aug 10, 1998 at 10:55:18AM +0200

(trimm'd to security, let's leave SOME bandwidth for watching RealVideo
streams ;)

On Mon, Aug 10, 1998 at 10:55:18AM +0200, Dag-Erling Coidan Smørgrav woke me up to tell me:
> "Matthew D. Fuller" writes:
> > On sendmail on one machine (sendmail -q run out of cron) and on
>
> Why do you do that? Doesn't 'sendmail -bd -qxx' do the job?
Not when the machine isn't running sendmail, no.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be             |
* "The only reason I'm burning my candle at both ends, is *
| that I haven't figured out how to light the middle yet."|
* fullermd@futuresouth.com          :-}  Matthew Fuller  *
| http://keystone.westminster.edu/~fullermd               |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Mon Aug 10 17:01:06 1998
Date: Mon, 10 Aug 1998 17:00:35 -0700 (PDT)
From: Jesse <j@leaf.lumiere.net>
To: freebsd-security@FreeBSD.ORG
Subject: ipfw log limits by connection vs. rule

Hi,

I was wondering if anyone knew/came up with some way of setting an ipfw
log limit that tracked by unique connection instead of by the ipfw rule.
That's probably not very clear, so I'll give an example of what I mean.

Currently, if I have the rule

55000 deny log tcp from any to any setup

and my ipfw log limit is 50, then if stranger.someplace.com sends 50
packets to fbsd.mydomain.com port 23, I'll hit that log limit. Then he can
portscan all my other ports, without being logged. Also, if
stranger2.somewhere.org comes along, nothing from him will be logged
(under the same rule).
I'd like to make it so that after 10 packets or so, connections from
stranger.someplace.com to my port 23 are no longer logged, however packets
to different ports, or from different hosts are logged. That way, instead
of just seeing my counter increase, I can still keep track of what kind of
activity is going on without being spammed by a single person.

Keep in mind, this setup might not work on extremely active servers, but
it'd be nice in many smaller situations.

Thanks, :)

---
Jesse
http://www.lumiere.net/

From owner-freebsd-security Mon Aug 10 19:15:10 1998
Date: Tue, 11 Aug 1998 14:12:47 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
Reply-To: andrew@squiz.co.nz
To: Jesse <j@leaf.lumiere.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw log limits by connection vs. rule

On Mon, 10 Aug 1998, Jesse wrote:

> I was wondering if anyone knew/came up with some way of setting an ipfw
> log limit that tracked by unique connection instead of by the ipfw rule.
> That's probably not very clear, so I'll give an example of what I mean.
>
> Currently, if I have the rule
>
> 55000 deny log tcp from any to any setup
>
> and my ipfw log limit is 50, then if stranger.someplace.com sends 50
> packets to fbsd.mydomain.com port 23, I'll hit that log limit. Then he can
> portscan all my other ports, without being logged. Also, if
> stranger2.somewhere.org comes along, nothing from him will be logged
> (under the same rule).

You can set syslog.conf so that all messages from ipfw get piped to a script. I've had this in mind for a while, but not yet had the time to write it. Has anyone got a script set up to summarise this stuff as it comes in?

Andrew

From owner-freebsd-security Tue Aug 11 07:11:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA04619 for freebsd-security-outgoing; Tue, 11 Aug 1998 07:11:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Mercury.unix.acs.cc.unt.edu (mercury.acs.unt.edu [129.120.220.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04611 for ; Tue, 11 Aug 1998 07:11:27 -0700 (PDT) (envelope-from john@unt.edu)
Received: from leonardo.cascss.unt.edu (leonardo.cascss.unt.edu [129.120.32.203]) by Mercury.unix.acs.cc.unt.edu (8.8.8/8.8.8) with ESMTP id JAA22383 for ; Tue, 11 Aug 1998 09:11:03 -0500 (CDT)
Received: (from john@localhost) by leonardo.cascss.unt.edu (8.8.8/8.6.9) id JAA22080 for freebsd-security@freebsd.org; Tue, 11 Aug 1998 09:09:11 -0500 (CDT)
From: john
Message-Id: <199808111409.JAA22080@leonardo.cascss.unt.edu>
Subject: Trivial netwatcher source problem.
To: freebsd-security@FreeBSD.ORG
Date: Tue, 11 Aug 1998 09:09:11 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is kind of embarrassing.
The first line of the source code had the letter r at the beginning of the source. To just get the corrected version go to ftp://www.cas.unt.edu/pub/unix/netwatcher.tgz

Sorry for any inconvenience

From owner-freebsd-security Tue Aug 11 11:16:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA11089 for freebsd-security-outgoing; Tue, 11 Aug 1998 11:16:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA11082 for ; Tue, 11 Aug 1998 11:16:31 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id MAA18952; Tue, 11 Aug 1998 12:16:07 -0600 (MDT)
Message-Id: <199808111816.MAA18952@lariat.lariat.org>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Tue, 11 Aug 1998 12:13:06 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: DOS exploit in Apache
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

All recent versions of Apache can be made to demand virtually unlimited amounts of memory if they are fed large numbers of HTML request headers. I haven't seen a fix for FreeBSD yet; have the published package and port been patched yet?
--Brett Glass

From owner-freebsd-security Tue Aug 11 13:34:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA29565 for freebsd-security-outgoing; Tue, 11 Aug 1998 13:34:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateway.cybernet.com (gateway.cybernet.com [192.245.33.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA29559 for ; Tue, 11 Aug 1998 13:34:57 -0700 (PDT) (envelope-from mtaylor@cybernet.com)
Received: from spiffy.cybernet.com (spiffy.cybernet.com [192.245.33.55]) by gateway.cybernet.com (8.8.5/8.8.5) with ESMTP id QAA12750 for ; Tue, 11 Aug 1998 16:53:52 -0400 (EDT)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
Date: Tue, 11 Aug 1998 16:38:22 -0400 (EDT)
Reply-To: mtaylor@cybernet.com
Organization: Cybernet Systems
From: "Mark J. Taylor"
To: freebsd-security@FreeBSD.ORG
Subject: Possible security "risk" in ftp client
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a cool but horrible feature: you can specify the user name and password to use via the command line (in the URL), as in:

    /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/

This is actually quite bad: any "ps -ax" will show the username and password. Using setproctitle(3) would be an attempt to close this, but it would create a race condition.

The program "/usr/bin/fetch" does it better: use the environment variables FTP_LOGIN and FTP_PASSWORD.

SAMBA's smbclient does it both ways: using the command-line param "-Uusername%password" or using the USER environment variable. It will even parse the password from the USER environment variable if there is a "%" in it.
Is there any possibility of making a man page annotation that lists this "hole"? And of getting in a patch that uses the environment? I can do the work, unless someone else would rather do it...

--------------------------------------------------------------------
Mark J. Taylor              Networking Research
Cybernet Systems            mtaylor@cybernet.com
727 Airport Blvd.           PHONE (734) 668-2567
Ann Arbor, MI 48108         FAX (734) 668-8780
--------------------------------------------------------------------

From owner-freebsd-security Tue Aug 11 13:45:16 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA01239 for freebsd-security-outgoing; Tue, 11 Aug 1998 13:45:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id NAA01230 for ; Tue, 11 Aug 1998 13:45:14 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0z6LHB-0005XJ-00; Tue, 11 Aug 1998 13:44:13 -0700
Date: Tue, 11 Aug 1998 13:44:12 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: "Mark J. Taylor"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Mark J. Taylor wrote:

>
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature: you can specify the user name and
> password to use via the command line (in the URL), as in:
> /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
>
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.
>
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

Naw, that is worse since you can just use ps to grab it; the reason it is worse is because it tends to lead to people leaving it set when they aren't actually using the program.

From owner-freebsd-security Tue Aug 11 14:45:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA11205 for freebsd-security-outgoing; Tue, 11 Aug 1998 14:45:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gizmo.dimension.net (gizmo.dimension.net [209.12.7.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA11195 for ; Tue, 11 Aug 1998 14:44:52 -0700 (PDT) (envelope-from jaitken@dimension.net)
Received: (from jaitken@localhost) by gizmo.dimension.net (8.8.8/8.8.8) id RAA24145; Tue, 11 Aug 1998 17:43:34 -0400 (EDT)
From: Jeff Aitken
Message-Id: <199808112143.RAA24145@gizmo.dimension.net>
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: from "Mark J. Taylor" at "Aug 11, 98 04:38:22 pm"
To: mtaylor@cybernet.com
Date: Tue, 11 Aug 1998 17:43:34 -0400 (EDT)
Cc: freebsd-security@FreeBSD.ORG
Reply-to: jaitken@dimension.net
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark J. Taylor writes:
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

How is this better? Try a ps -auxgwwee.
--Jeff

From owner-freebsd-security Tue Aug 11 15:27:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA17240 for freebsd-security-outgoing; Tue, 11 Aug 1998 15:27:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from pluto.plutotech.com (mail.plutotech.com [206.168.67.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA17233 for ; Tue, 11 Aug 1998 15:27:12 -0700 (PDT) (envelope-from kelly@plutotech.com)
Received: from plutotech.com (tampopo.plutotech.com [206.168.67.161]) by pluto.plutotech.com (8.8.7/8.8.5) with ESMTP id QAA26705; Tue, 11 Aug 1998 16:26:45 -0600 (MDT)
Message-ID: <35D0C525.870A110A@plutotech.com>
Date: Tue, 11 Aug 1998 16:26:45 -0600
From: Sean Kelly
Organization: Pluto Technologies
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 3.0-CURRENT i386)
MIME-Version: 1.0
To: mtaylor@cybernet.com
CC: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

ps -e

--Sean

From owner-freebsd-security Tue Aug 11 15:55:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA21833 for freebsd-security-outgoing; Tue, 11 Aug 1998 15:55:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA21821 for ; Tue, 11 Aug 1998 15:55:03 -0700 (PDT) (envelope-from archie@whistle.com)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id PAA18418; Tue, 11 Aug 1998 15:54:36 -0700 (PDT)
Received: from bubba.whistle.com(207.76.205.7) by whistle.com via smap (V1.3) id sma018416; Tue Aug 11 15:54:29 1998
Received: (from archie@localhost) by bubba.whistle.com (8.8.7/8.6.12) id PAA24554; Tue, 11 Aug 1998 15:54:29 -0700 (PDT)
From: Archie Cobbs
Message-Id: <199808112254.PAA24554@bubba.whistle.com>
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: from "Mark J. Taylor" at "Aug 11, 98 04:38:22 pm"
To: mtaylor@cybernet.com
Date: Tue, 11 Aug 1998 15:54:29 -0700 (PDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mark J. Taylor writes:
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature: you can specify the user name and
> password to use via the command line (in the URL), as in:
> /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
>
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.

IMHO, a stern warning in the man page is warranted, but nothing more...
-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

From owner-freebsd-security Tue Aug 11 16:11:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA24193 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:11:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA24176 for ; Tue, 11 Aug 1998 16:11:32 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id LAA17117; Wed, 12 Aug 1998 11:09:30 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Wed, 12 Aug 1998 11:09:29 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: "Mark J. Taylor"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Mark J. Taylor wrote:

> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature: you can specify the user name and
> password to use via the command line (in the URL), as in:
> /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/

Why on earth doesn't it use standard URL syntax?

    ftp://username:pass@host/dir/dir/file

> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.

Also, it would not remove the password from ~/.history.

> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

Environment variables are not private.

> Is there any possibility of making a man page annotation that lists
> this "hole"? And of getting in a patch that uses the environment?
> I can do the work, unless someone else would rather do it...

Passwords and other secure data should never appear on the command line or in environment variables. Mentioning this for every possible client is a bit beside the point.

If you need to pass passwords to a program and you don't want the shell to see, and probably leak that information, you'll have to do it via stdin or a file.

Andrew

From owner-freebsd-security Tue Aug 11 16:14:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA24696 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:14:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from opus.cts.cwu.edu (opus.cts.cwu.edu [198.104.92.71]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA24688 for ; Tue, 11 Aug 1998 16:14:46 -0700 (PDT) (envelope-from skynyrd@opus.cts.cwu.edu)
Received: from localhost (skynyrd@localhost) by opus.cts.cwu.edu (8.9.1/8.9.1) with SMTP id QAA04317 for ; Tue, 11 Aug 1998 16:14:23 -0700 (PDT)
Date: Tue, 11 Aug 1998 16:14:22 -0700 (PDT)
From: Chris Timmons
To: freebsd-security@FreeBSD.ORG
Subject: FreeBSD unmentioned: CERT CA-98.10
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Anybody know why FreeBSD is not mentioned at all in this advisory? (Did they not ask or did we choose not to respond?)
-Chris

From owner-freebsd-security Tue Aug 11 16:20:39 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA25787 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:20:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA25754 for ; Tue, 11 Aug 1998 16:20:33 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id LAA17196; Wed, 12 Aug 1998 11:18:19 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Wed, 12 Aug 1998 11:18:19 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Brett Glass
cc: security@FreeBSD.ORG
Subject: Re: DOS exploit in Apache
In-Reply-To: <199808111816.MAA18952@lariat.lariat.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Brett Glass wrote:

> All recent versions of Apache can be made to demand virtually unlimited
> amounts of memory if they are fed large numbers of HTML request headers. I
> haven't seen a fix for FreeBSD yet; have the published package and port
> been patched yet?

Contrary to the original bug report, the bug relates to multiple instances of the same header key, not to lots of different headers. Or rather lots of header requests would cause memory consumption to increase linearly, whereas lots of the same header would cause memory consumption to increase as ( 1/2 * n^2 ).

An unofficial source patch came out on Bugtraq. Can someone point me to the official one?
Andrew

From owner-freebsd-security Tue Aug 11 16:37:08 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28421 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:37:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28409 for ; Tue, 11 Aug 1998 16:37:04 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id TAA14070; Tue, 11 Aug 1998 19:36:09 -0400 (EDT) (envelope-from wollman)
Date: Tue, 11 Aug 1998 19:36:09 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808112336.TAA14070@khavrinen.lcs.mit.edu>
To: andrew@squiz.co.nz
Cc: "Mark J. Taylor" , freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

>> The program "/usr/bin/fetch" does it better: use the environment
>> variables FTP_LOGIN and FTP_PASSWORD.

> Environment variables are not private.

> If you need to pass passwords to a program and you don't want the shell
> to see, and probably leak that information, you'll have to do it via stdin
> or a file.

As the HTTP implementation in fetch(1) will in fact do. I did not think it worth the (five minutes') effort to implement it for FTP. (But I should go back and implement the MD5-based password authentication mode for HTTP....)

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Aug 11 16:39:34 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA28776 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:39:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA28741 for ; Tue, 11 Aug 1998 16:39:25 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.8.8/8.8.8) id TAA14075; Tue, 11 Aug 1998 19:38:57 -0400 (EDT) (envelope-from wollman)
Date: Tue, 11 Aug 1998 19:38:57 -0400 (EDT)
From: Garrett Wollman
Message-Id: <199808112338.TAA14075@khavrinen.lcs.mit.edu>
To: Marc Slemko
Cc: "Mark J. Taylor" , freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To:
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

< said:

> Naw, that is worse since you can just use ps to grab it; the reason it is
> worse is because it tends to lead to people leaving it set when they
> aren't actually using the program.

I think there are good reasons (and this is one of them) to disable the environment-dumping option of ps. Unfortunately it is probably too well-entrenched to kill. I had totally forgotten about it until this discussion began.

-GAWollman

--
Garrett A. Wollman    | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu   | O Siem / The fires of freedom
Opinions not those of | Dance in the burning flame
MIT, LCS, CRS, or NSA | - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Aug 11 16:44:48 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA00212 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:44:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA00182 for ; Tue, 11 Aug 1998 16:44:43 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0z6O48-0007MR-00; Tue, 11 Aug 1998 16:42:56 -0700
Date: Tue, 11 Aug 1998 16:42:56 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: Garrett Wollman
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: <199808112338.TAA14075@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Garrett Wollman wrote:

> < said:
>
> > Naw, that is worse since you can just use ps to grab it; the reason it is
> > worse is because it tends to lead to people leaving it set when they
> > aren't actually using the program.
>
> I think there are good reasons (and this is one of them) to disable
> the environment-dumping option of ps. Unfortunately it is probably
> too well-entrenched to kill. I had totally forgotten about it until
> this discussion began.

It is a useful option. I routinely use it to exploit security holes. I also do use it sometimes for debugging.

What may be worth considering is doing what Linux (and perhaps others...) do; i.e. not allowing you to see the environment of other UIDs, just of your own processes.

From owner-freebsd-security Tue Aug 11 16:51:30 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA01861 for freebsd-security-outgoing; Tue, 11 Aug 1998 16:51:30 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from redfish.go2net.com (redfish.go2net.com [207.178.55.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id QAA01856 for ; Tue, 11 Aug 1998 16:51:28 -0700 (PDT) (envelope-from marcs@go2net.com)
Received: from marcs by redfish.go2net.com with smtp (Exim 1.82 #2) id 0z6O9e-0007PW-00; Tue, 11 Aug 1998 16:48:38 -0700
Date: Tue, 11 Aug 1998 16:48:38 -0700 (PDT)
From: Marc Slemko
X-Sender: marcs@redfish
To: Andrew McNaughton
cc: Brett Glass , security@FreeBSD.ORG
Subject: Re: DOS exploit in Apache
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 12 Aug 1998, Andrew McNaughton wrote:

> An unofficial source patch came out on Bugtraq. Can someone point me to
> the official one?

There is no official patch available at this time. When there is, it will be announced on bugtraq I guess and available at http://www.apache.org/dist/patches/apply_to_1.3.1/

There are some larger issues involved with doing a proper fix and getting a proper fix is more important than getting a release out within hours with a quick patch (which would have been easy to do) and then having to deal with any problems with it, and make a new one anyway later.

The patch Ben Laurie posted to bugtraq is fine as a temporary patch.
From owner-freebsd-security Tue Aug 11 17:41:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA10258 for freebsd-security-outgoing; Tue, 11 Aug 1998 17:41:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail1.its.rpi.edu (mail1.its.rpi.edu [128.113.100.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA10228 for ; Tue, 11 Aug 1998 17:41:38 -0700 (PDT) (envelope-from drosih@rpi.edu)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail1.its.rpi.edu (8.8.8/8.8.6) with ESMTP id UAA24998; Tue, 11 Aug 1998 20:41:22 -0400
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Sender: drosih@pop1.rpi.edu
Message-Id:
In-Reply-To:
Date: Tue, 11 Aug 1998 20:45:13 -0400
To: mtaylor@cybernet.com, freebsd-security@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: Possible security "risk" in ftp client
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 4:38 PM -0400 8/11/98, Mark J. Taylor wrote:
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.
>
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.

I guess you haven't tried 'ps -axeww' very often...

At the very least, it does sound like a good idea to have the ftp client call setproctitle (or whatever) to reduce the security exposure of the current behavior, but changing it to use environment variables would be a step backwards...
---
Garance Alistair Drosehn   =   gad@eclipse.its.rpi.edu
Senior Systems Programmer  or  drosih@rpi.edu
Rensselaer Polytechnic Institute

From owner-freebsd-security Tue Aug 11 18:10:29 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA15650 for freebsd-security-outgoing; Tue, 11 Aug 1998 18:10:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stennis.ca.sandia.gov (stennis.ca.sandia.gov [146.246.243.44]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA15635 for ; Tue, 11 Aug 1998 18:10:27 -0700 (PDT) (envelope-from bmah@stennis.ca.sandia.gov)
Received: (from bmah@localhost) by stennis.ca.sandia.gov (8.9.1/8.9.1) id SAA14483; Tue, 11 Aug 1998 18:10:00 -0700 (PDT)
Message-Id: <199808120110.SAA14483@stennis.ca.sandia.gov>
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Cc: bmah@CA.Sandia.GOV
Subject: UDP port 31337
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+
X-Url: http://www.ca.sandia.gov/~bmah/
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1520316248P"; micalg=pgp-md5; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Tue, 11 Aug 1998 18:10:00 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--==_Exmh_-1520316248P
Content-Type: text/plain; charset=us-ascii

A marginally off-topic question: Can anyone tell me what service uses UDP port 31337? I have a FreeBSD box that has received and logged three packets on this port in the last 24 hours:

    Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337 from AA.BB.CC.DD:1190

Given prior experience on the target machine, I wouldn't be surprised if it's part of a portscan, but I don't know what such a scan would be probing for.

Thanks in advance,

Bruce.

--==_Exmh_-1520316248P
Content-Type: application/pgp-signature

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQCVAwUBNdDrZ6jOOi0j7CY9AQGr/wP+PT6KTFAOCs+FRrQOQ6w3N4FOAvE8CxDA
ImsgJreVFu+msEeI/8ea9lq84VFwLSVBPmihUX3aBSRy78H6nJdguAj1kaKFemre
eeiGd/PfzxEFgKcVdK1CZY0LuJYFtL9eVhkuh07HinB9Cnjq+7UcIKAm5J4KZ+af
eMcO1663oGc=
=vJtV
-----END PGP MESSAGE-----

--==_Exmh_-1520316248P--

From owner-freebsd-security Tue Aug 11 18:19:18 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA17474 for freebsd-security-outgoing; Tue, 11 Aug 1998 18:19:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from echonyc.com (echonyc.com [198.67.15.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA17463 for ; Tue, 11 Aug 1998 18:19:15 -0700 (PDT) (envelope-from benedict@echonyc.com)
Received: from localhost (benedict@localhost) by echonyc.com (8.8.7/8.8.7) with SMTP id VAA10803; Tue, 11 Aug 1998 21:18:47 -0400 (EDT)
Date: Tue, 11 Aug 1998 21:18:47 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "Bruce A. Mah"
cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

31337 spells ELEET if you squint hard enough.

On Tue, 11 Aug 1998, Bruce A. Mah wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.
>
> Thanks in advance,
>
> Bruce.
>

Ben

"You have your mind on computers, it seems."

From owner-freebsd-security Tue Aug 11 18:29:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA19083 for freebsd-security-outgoing; Tue, 11 Aug 1998 18:29:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA19078 for ; Tue, 11 Aug 1998 18:29:12 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net)
Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id VAA12310; Tue, 11 Aug 1998 21:36:19 -0400 (EDT)
Date: Tue, 11 Aug 1998 21:36:19 -0400 (EDT)
From: andrewr
To: Garrett Wollman
cc: Marc Slemko , "Mark J. Taylor" , freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
In-Reply-To: <199808112338.TAA14075@khavrinen.lcs.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 11 Aug 1998, Garrett Wollman wrote:

>
> I think there are good reasons (and this is one of them) to disable
> the environment-dumping option of ps. Unfortunately it is probably
> too well-entrenched to kill. I had totally forgotten about it until
> this discussion began.
> -GAWollman

For a while now, I've been wanting to change a lot of things dealing with ps and proc. What I mean is, privacy. I believe there should be an option on install or perhaps a patch to ps(1), w(1), and who knows what others, that will not allow normal users to view the processes of other normal users (or superusers for that matter). However, /proc is a way for a normal user to view what programs are being run for what id, and the uid is easy enough to see (ls -l), (thanks jtb). Don't you think this should be an optional patch?

Andrew

> --
> Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same
> wollman@lcs.mit.edu | O Siem / The fires of freedom
> Opinions not those of| Dance in the burning flame
> MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick

From owner-freebsd-security Tue Aug 11 19:12:54 1998
From: mike@sentex.net (Mike Tancsa)
To: bmah@CA.Sandia.GOV
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 02:09:02 GMT
Message-ID: <35d0f921.13102350@mail.sentex.net>
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>

On Tue, 11 Aug 1998 18:10:00 -0700, in sentex.lists.freebsd.misc you wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.

There is a 'neato' trojan program called 'Cult of the Dead Cow Back Orifice Backdoor' (no, I am not joking)... Out of curiosity, I added the rule

    log udp from any to any 31337 in recv fxp0

and whamo... My dialups are getting scanned big time every day for the past few days... Basically, I see patterns like

    Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.215:31337 in via fxp0
    Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.216:31337 in via fxp0
    Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.217:31337 in via fxp0
    Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP

Where the luser in this case at 209.47.158.17 is looking for people with infected machines.
Here is one reference to it: http://www.security.mci.net

Synopsis: A hacker group known as the Cult of the Dead Cow has released a Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed this backdoor allows unauthorized users to execute privileged operations on the affected machine. Back Orifice leaves evidence of its existence and can be detected and removed. The communications protocol and encryption used by this backdoor have been broken by ISS X-Force.

Description: A backdoor is a program that is designed to hide itself inside a target host in order to allow the installing user access to the system at a later time without using normal authorization or vulnerability exploitation.

Functionality: The BO program is a backdoor designed for Windows 95/98. Once installed it allows anyone who knows the listening port number and BO password to remotely control the host. Intruders access the BO server using either a text or graphics based client. The server allows intruders to execute commands, list files, start silent services, share directories, upload and download files, manipulate the registry, kill processes, list processes, as well as other options.
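The ipfw rule above logs every UDP packet aimed at port 31337, and later in this thread Andrew McNaughton and Marius Bendiksen raise the obvious alternative reading of a stray high-port UDP packet: a traceroute. The following is an added example, written for this page and not code from the list, from FreeBSD or from ISS. It parses both log formats quoted in the thread (the kernel's "Connection attempt to UDP" line and the ipfw log line), groups probes by source address, and labels each source as a single-port sweep across many hosts (what a Back Orifice scan on UDP 31337 looks like), a traceroute (one destination host, destination ports climbing from 33434, which is traceroute(8)'s default base port and general knowledge rather than something the thread states), or neither. The four 31337 lines in SAMPLE_LOG are the ones quoted in the thread; the traceroute and noise lines are constructed and use RFC 5737 documentation addresses.

```python
"""Classify UDP probe lines from a FreeBSD kernel / ipfw log.

Added example for this thread, not code from the list or from FreeBSD.
Probes are grouped by source so a Back Orifice sweep (one destination
port, many destination hosts) can be told apart from a traceroute (one
destination host, ports climbing from 33434, traceroute(8)'s default).
"""
import re
from collections import defaultdict

BO_DEFAULT_PORT = 31337
TRACEROUTE_BASE_PORT = 33434
# 30 hops x 3 probes per hop, traceroute(8)'s defaults (assumption about the
# scanner's settings, not something the thread states).
TRACEROUTE_PORTS = range(TRACEROUTE_BASE_PORT, TRACEROUTE_BASE_PORT + 30 * 3 + 1)

# Kernel "Connection attempt" line: destination first, then source.
# Accepts letter placeholders such as WW.XX.YY.ZZ as well as dotted quads.
_CONN_ATTEMPT = re.compile(
    r"Connection attempt to UDP (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"from (?P<src>[\w.]+):(?P<sport>\d+)"
)
# ipfw log line: rule number, action word, then source, then destination.
_IPFW = re.compile(
    r"ipfw: \d+ \w+ UDP (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+)"
)


def parse_probe(line):
    """Return {'src','sport','dst','dport'} for a UDP probe line, else None."""
    for rx in (_CONN_ATTEMPT, _IPFW):
        m = rx.search(line)
        if m:
            return {
                "src": m.group("src"),
                "sport": int(m.group("sport")),
                "dst": m.group("dst"),
                "dport": int(m.group("dport")),
            }
    return None


def classify_source(probes):
    """Label one source's probes; 'probes' is a non-empty list from parse_probe()."""
    dsts = {p["dst"] for p in probes}
    dports = sorted({p["dport"] for p in probes})
    if dports == [BO_DEFAULT_PORT]:
        # Everything aimed at 31337.  Many targets => a sweep for infected
        # hosts; one target is just a 31337 probe (Julian's caveat applies).
        return "back-orifice-sweep" if len(dsts) > 1 else "port-31337-probe"
    consecutive = dports[-1] - dports[0] == len(dports) - 1
    if (len(dsts) == 1 and len(dports) >= 2 and consecutive
            and all(p in TRACEROUTE_PORTS for p in dports)):
        return "traceroute"
    return "unclassified"


def classify_log(lines):
    """Map each probing source address to a label for the whole log."""
    by_src = defaultdict(list)
    for line in lines:
        probe = parse_probe(line)
        if probe is not None:
            by_src[probe["src"]].append(probe)
    return {src: classify_source(probes) for src, probes in by_src.items()}


SAMPLE_LOG = [
    # The 31337 lines quoted in this thread:
    "Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337 from AA.BB.CC.DD:1190",
    "Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.215:31337 in via fxp0",
    "Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.216:31337 in via fxp0",
    "Aug 11 21:11:40 iolite /kernel: ipfw: 4500 Unreach UDP 209.47.158.17:2890 209.112.4.217:31337 in via fxp0",
    # Constructed (RFC 5737 addresses): a traceroute walking one host's ports.
    "Aug 12 09:00:01 hornet /kernel: Connection attempt to UDP 198.51.100.7:33434 from 192.0.2.9:40000",
    "Aug 12 09:00:01 hornet /kernel: Connection attempt to UDP 198.51.100.7:33435 from 192.0.2.9:40000",
    "Aug 12 09:00:02 hornet /kernel: Connection attempt to UDP 198.51.100.7:33436 from 192.0.2.9:40000",
    # Constructed: a source hitting 31337 among other ports, and a TCP line to ignore.
    "Aug 12 09:05:00 hornet /kernel: Connection attempt to UDP 198.51.100.7:53 from 192.0.2.77:5353",
    "Aug 12 09:05:00 hornet /kernel: Connection attempt to UDP 198.51.100.7:31337 from 192.0.2.77:5353",
    "Aug 12 09:05:01 hornet /kernel: ipfw: 4500 Unreach TCP 192.0.2.77:5353 198.51.100.7:31337 in via fxp0",
]

if __name__ == "__main__":
    for src, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{src:16} {label}")
```

Feed it the output of grep'ing "UDP" out of /var/log/messages; the classification is deliberately conservative, so a source that mixes ports, or a lone packet to 31337, stays unclassified or a bare "probe" rather than being called a Back Orifice scan.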
From owner-freebsd-security Tue Aug 11 19:20:33 1998
From: Adam Rothschild
To: ben@rosengart.com
Cc: "Bruce A. Mah", freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Tue, 11 Aug 1998 22:19:59 -0400 (EDT)

I believe udp port 31337 is also what BackOrifice uses by default...

On Tue, 11 Aug 1998, Snob Art Genre wrote:

> 31337 spells ELEET if you squint hard enough.
>
> On Tue, 11 Aug 1998, Bruce A. Mah wrote:
>
> > A marginally off-topic question: Can anyone tell me what service uses UDP
> > port 31337? I have a FreeBSD box that has received and logged three packets
> > on this port in the last 24 hours:
> >
> > Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> > from AA.BB.CC.DD:1190
> >
> > Given prior experience on the target machine, I wouldn't be surprised if it's
> > part of a portscan, but I don't know what such a scan would be probing for.
> >
> > Thanks in advance,
> >
> > Bruce.
>
> Ben
> "You have your mind on computers, it seems."

From owner-freebsd-security Tue Aug 11 19:29:44 1998
From: "Daniel Minoru Saito"
Reply-To: "Daniel Minoru Saito"
To: ben@rosengart.com, "Bruce A. Mah"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 11:30:28 +0900
Message-ID: <004101bdc599$2c6f9420$4100a8c0@periscope.digital-canvas.com>

Funny that you see this right now.. Although you might want to trace where you see this originating from.

It's the infamous Back Orifice by cDc. It utilizes port 31337. It's basically a virus that lets someone fully control a win95/98 box remotely.

More information is at the cDc site: http://www.cultdeadcow.com/tools/

dan

-----Original Message-----
From: Snob Art Genre
To: Bruce A. Mah
Cc: freebsd-security@FreeBSD.ORG
Date: Wednesday, August 12, 1998 11:23 AM
Subject: Re: UDP port 31337

> 31337 spells ELEET if you squint hard enough.
>
> On Tue, 11 Aug 1998, Bruce A. Mah wrote:
>
>> A marginally off-topic question: Can anyone tell me what service uses UDP
>> port 31337? I have a FreeBSD box that has received and logged three packets
>> on this port in the last 24 hours:
>>
>> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
>> from AA.BB.CC.DD:1190
>>
>> Given prior experience on the target machine, I wouldn't be surprised if it's
>> part of a portscan, but I don't know what such a scan would be probing for.
>>
>> Thanks in advance,
>>
>> Bruce.
>
> Ben
> "You have your mind on computers, it seems."

From owner-freebsd-security Tue Aug 11 19:48:09 1998
From: "Jan B. Koum"
To: "Bruce A. Mah"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Tue, 11 Aug 1998 19:47:41 -0700 (PDT)
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>

HAHAHAHAHAHAHAHAHA. We are going to see a lot of them.
You see, someone from cDc made this thingie called Back Orifice: www.cultdeadcow.com for more info. It is basically a tool which backdoors Win95/98 systems and allows you to manipulate them remotely: sniff keyboard, capture screen, shutdown, start apps, use speakers.. basically, your average windows crap. By default it uses UDP and yes, it runs on port 31337. Since you are running UDP, you have nothing to worry about. I am however curious how lame it will get and how soon someone will get pissed and create a winnuked running on port 31337 for someone trying to connect to you on port 31337 via UDP.

*sigh*

-- Yan
www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Tue, 11 Aug 1998, Bruce A. Mah wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.
>
> Thanks in advance,
>
> Bruce.

From owner-freebsd-security Tue Aug 11 19:55:35 1998
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: Adam Rothschild
Cc: ben@rosengart.com, "Bruce A. Mah", freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Tue, 11 Aug 1998 22:54:54 -0400 (EDT)

On Tue, 11 Aug 1998, Adam Rothschild wrote:

> I believe udp port 31337 is also what BackOrifice uses by default...
> On Tue, 11 Aug 1998, Snob Art Genre wrote:
>
> > 31337 spells ELEET if you squint hard enough.

That's probably why they picked it.

Ben
"You have your mind on computers, it seems."

From owner-freebsd-security Tue Aug 11 20:17:13 1998
From: Julian Assange
To: bmah@CA.Sandia.GOV
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: 12 Aug 1998 13:16:29 +1000
References: <199808120110.SAA14483@stennis.ca.sandia.gov>
In-Reply-To: bmah@CA.Sandia.GOV's message of "Tue, 11 Aug 1998 18:10:00 -0700"

bmah@CA.Sandia.GOV (Bruce A. Mah) writes:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.
>
> Thanks in advance,
>
> Bruce.

Remember 31337 (eleet) is prime.

It's probably a scan for Back Orifice, which uses that port, but don't bet the farm on it.

Julian.
From owner-freebsd-security Tue Aug 11 21:01:38 1998
From: Warner Losh
To: andrewr
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
Date: Tue, 11 Aug 1998 22:02:30 -0600
Message-Id: <199808120402.WAA04333@harmony.village.org>
In-reply-to: Your message of "Tue, 11 Aug 1998 21:36:19 EDT."

My biggest complaint about ps is that if someone does a ps while our PPP server is dialing up the remote host, then they get to see what our phone number and password are... :-( I would welcome privacy enhancements in this area.

Warner

From owner-freebsd-security Tue Aug 11 21:14:36 1998
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
To: freebsd-security@FreeBSD.ORG
Cc: bmah@california.sandia.gov
Subject: Re: UDP port 31337
Date: Tue, 11 Aug 1998 21:13:52 -0700
Message-Id: <199808120413.VAA15199@stennis.ca.sandia.gov>
In-Reply-To: Your message of "Wed, 12 Aug 1998 02:09:02 GMT." <35d0f921.13102350@mail.sentex.net>

Thanks to everyone who pointed me towards the Back Orifice trojan horse as a likely target for UDP packets bound for port 31337, as well as those who recognized 31337 as being warez doodz-speak for "elite". Time for me to go have a few, er, words with some network administrators...

Bruce.

From owner-freebsd-security Tue Aug 11 21:33:15 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Daniel Minoru Saito
Cc: ben@rosengart.com, "Bruce A. Mah", freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 16:29:55 +1200 (NZST)
In-Reply-To: <004101bdc599$2c6f9420$4100a8c0@periscope.digital-canvas.com>

On Wed, 12 Aug 1998, Daniel Minoru Saito wrote:

> Date: Wed, 12 Aug 1998 11:30:28 +0900
> From: Daniel Minoru Saito
> To: ben@rosengart.com, "Bruce A. Mah"
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: UDP port 31337
>
> Funny that you see this right now..
> Although you might want to trace where you see this originating from.
>
> It's the infamous Back Orifice by cDc. It utilizes port 31337.
> It's basically a virus that lets someone fully control a win95/98 box remotely.
>
> More information is at the cDc site: http://www.cultdeadcow.com/tools/
>
> dan

Or it's traceroute of course.

How hard would it be to arrange for a reply to be sent that would cause a back orifice client to send more and distinguish itself from a traceroute?

Andrew

From owner-freebsd-security Tue Aug 11 22:39:35 1998
From: Seppo Kallio
To: bmah@CA.Sandia.GOV, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 08:43:35 +0300
Message-ID: <19980812084335.G605@beeblebrox.cc.jyu.fi>
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>; from Bruce A. Mah on Tue, Aug 11, 1998 at 06:10:00PM -0700

On Tue, Aug 11, 1998 at 06:10:00PM -0700, Bruce A. Mah wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:

BO has the same udp port:

---------------------------------------cut----------------------------
ISS Security Alert Advisory
August 6th, 1998

Cult of the Dead Cow Back Orifice Backdoor

Synopsis:

A hacker group known as the Cult of the Dead Cow has released a Windows 95/98 backdoor named 'Back Orifice' (BO). Once installed this backdoor allows unauthorized users to execute privileged operations on the affected machine.

...

* The server will begin listening on UDP port 31337, or a UDP port specified by the installer. You can configure RealSecure to monitor for network traffic on the default UDP 31337 port for possible warning signs.

In order to determine if you are vulnerable:

1. Start the regedit program (c:\windows\regedit.exe).
2. Access the key ...
-----------------------------------------------------------------------

--
Seppo Kallio kallio@cc.jyu.fi http://www.jyu.fi/~kallio

From owner-freebsd-security Tue Aug 11 22:52:14 1998
From: Nicholas Charles Brawn
To: "Bruce A. Mah"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 15:51:31 +1000 (EST)
In-Reply-To: <199808120110.SAA14483@stennis.ca.sandia.gov>

On Tue, 11 Aug 1998, Bruce A. Mah wrote:

> A marginally off-topic question: Can anyone tell me what service uses UDP
> port 31337? I have a FreeBSD box that has received and logged three packets
> on this port in the last 24 hours:
>
> Aug 11 04:41:35 hornet /kernel: Connection attempt to UDP WW.XX.YY.ZZ:31337
> from AA.BB.CC.DD:1190
>
> Given prior experience on the target machine, I wouldn't be surprised if it's
> part of a portscan, but I don't know what such a scan would be probing for.
>
> Thanks in advance,
>
> Bruce.

I'm guessing that it's a scan to see whether anyone has installed BO (Back Orifice) on machines in your subnet. By default the port this program listens on is UDP port 31337. However, if you aren't already aware, Back Orifice only affects Windows 95 and 98 machines, with an NT version in the works. There has been some discussion on Bugtraq and other security forums about detecting an installation of BO on your 95/98 networks; have a look in the relevant archives.

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
-unknown

From owner-freebsd-security Wed Aug 12 01:25:15 1998
From: Mikael Karpberg
To: imp@village.org (Warner Losh)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
Date: Wed, 12 Aug 1998 10:14:24 +0200 (CEST)
Message-Id: <199808120814.KAA03393@ocean.campus.luth.se>
In-Reply-To: <199808120402.WAA04333@harmony.village.org> from Warner Losh at "Aug 11, 98 10:02:30 pm"

According to Warner Losh:

> My biggest complaint about ps is that if someone does a ps while our
> PPP server is dialing up the remote host, then they get to see what
> our phone number and password are... :-( I would welcome privacy
> enhancements in this area.

Instead of changing "ftp", would it not be better to change ppp and ftp as has been mentioned before? (Make them call setproctitle(3), IIRC?)

/Mikael

From owner-freebsd-security Wed Aug 12 02:32:07 1998
From: Marius Bendiksen
To: andrew@squiz.co.nz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 11:29:15 +0200
Message-Id: <3.0.5.32.19980812112915.0092ead0@mail.scancall.no>
References: <004101bdc599$2c6f9420$4100a8c0@periscope.digital-canvas.com>

> Or it's traceroute of course.

Not very likely? Wouldn't a traceroute connect to several ports that high up?

> How hard would it be to arrange for a reply to be sent that would cause a
> back orifice client to send more and distinguish itself from a traceroute?

I got a potentially interesting idea; imagine a backorificed running on Unix machines, pretending to be a 'legitimate' Back Orifice installation, fully configurable, etc... ?

:)

---
Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Wed Aug 12 03:36:24 1998
From: Mikael Karpberg
To: karpen@ocean.campus.luth.se (Mikael Karpberg)
Cc: imp@village.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
Date: Wed, 12 Aug 1998 12:25:36 +0200 (CEST)
Message-Id: <199808121025.MAA03730@ocean.campus.luth.se>
In-Reply-To: <199808120814.KAA03393@ocean.campus.luth.se> from Mikael Karpberg at "Aug 12, 98 10:14:24 am"

According to Mikael Karpberg:

> Instead of changing "ftp", would it not be better to change ppp and ftp
> as has been mentioned before? (Make them call setproctitle(3), IIRC?)

Er... duh. Connect brain to fingers before typing: s/"ftp"/"ps"/

/Mikael

From owner-freebsd-security Wed Aug 12 03:36:39 1998
From: Richard Stanaford
To: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 1998 06:33:11 -0400 (EDT)
In-Reply-To: <3.0.5.32.19980812112915.0092ead0@mail.scancall.no>

LOL.. Oh man that is devious. >:) It's almost worth the effort of coding it just to see those lusers scratch their head wondering why it doesn't work quite the way it's supposed to. Muahaha!!! ;)

- Richard.

On Wed, 12 Aug 1998, Marius Bendiksen wrote:

> Imagine a backorificed running on Unix machines, pretending to be a
> 'legitimate' Back Orifice installation, fully configurable, etc... ?
> :)
>
> ---
> Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Wed Aug 12 03:40:12 1998
From: Richard Stanaford
Date: Wed, 12 Aug 1998 06:36:29 -0400 (EDT)
To: Julian Assange
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

I am curious. By 'prime' are you referring to not evenly divisible by anything other than '1' or itself? If so, what does being prime have to do with it? Just wondering. :-)

- Richard.

On 12 Aug 1998, Julian Assange wrote:
> Remember 31337 (eleet) is prime.
>
> It's probably a scan for Back Orifice, which uses that port, but don't bet
> the farm on it.
>
> Julian.
From owner-freebsd-security Wed Aug 12 03:50:45 1998
From: Marius Bendiksen
Date: Wed, 12 Aug 1998 12:47:58 +0200
To: Richard Stanaford
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

> LOL.. Oh man that is devious. >:) It's almost worth the effort of
> coding it just to see those lusers scratch their head wondering why it
> doesn't work quite the way it's supposed to. Muahaha!!! ;)

Me and Jay Tribick are on it. Wanna help out?
:)
---
Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Wed Aug 12 04:12:40 1998
From: Jay Tribick
Date: Wed, 12 Aug 1998 12:12:08 +0100 (BST)
To: Richard Stanaford
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

| > Imagine a backorificed running on Unix machines, pretending to be a
| > 'legitimate' Back Orifice installation, fully configurable, etc... ? :)

| LOL.. Oh man that is devious. >:) It's almost worth the effort of
| coding it just to see those lusers scratch their head wondering why it
| doesn't work quite the way it's supposed to. Muahaha!!! ;)

I wonder if it's possible to get a Cisco to redirect anything to port 31337 on the internal network to another IP. :) That way if anyone strobed your users they'd think they all had back orifice installed Bwahahaha..
You could even be really intelligent about it and make it only respond sporadically so that it'd look like just a few users have it installed :)

Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Aug 12 04:14:51 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Wed, 12 Aug 1998 23:12:22 +1200 (NZST)
To: Marius Bendiksen
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

On Wed, 12 Aug 1998, Marius Bendiksen wrote:
> >Or it's traceroute of course.
>
> Not very likely? Wouldn't a traceroute connect to several ports that high up?

I realised just a bit after I posted. The 'what are these three 30K port UDP packets on a port I don't have anything on' combined with the fake traceroute thread headed me off in the wrong direction. I decided against answering my own post.
I do think that mimicking traceroute would have been a lot cooler than the eleet reference though.

> >How hard would it be to arrange for a reply to be sent that would cause a
> >back orifice client to send more and distinguish itself from a traceroute?
>
> I got a potentially interesting idea;
>
> Imagine a backorificed running on Unix machines, pretending to be a
> 'legitimate'
> Back Orifice installation, fully configurable, etc... ? :)

I thought about this too, after I realised my own mistake. It would be a silly cracker (perhaps your average scripted attack) that couldn't spot that. It would be more interesting to see what happened with a fake version of a server you'd normally run made available to people connecting from an invalid location, but for most purposes more trouble than it's worth for an individual site.

Fake network services are an interesting idea. They're not going to be viable for most users, but how many of these systems need to be scattered around the net and monitored to provide an effective deterrent to scan based attacks? Would this be a role for organizations like CERT? The Apache config (commented out) for phf attacks comes to mind. Perhaps if people published simple stats gatherers which sent info on attacks of various kinds to a centralized authority a significant dent in scanning might occur?

It seems plausible that this might be introduced to the culture of internet bug reports, but it would be entirely dependent on some organization setting up a centralised monitoring facility. Probably it would also be dependent on a standardized attack report protocol that obviated the need for new software to be set up to record information on each new bug being reported. Probably improbable.
Andrew

From owner-freebsd-security Wed Aug 12 04:40:21 1998
From: proff@iq.org
Date: Wed, 12 Aug 1998 21:39:33 +1000 (EST)
To: richard@erinet.com (Richard Stanaford)
Cc: proff@iq.org, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

Just one of those wonders of the world.

> I am curious. By 'prime' are you referring to not evenly divisible by
> anything other than '1' or itself? If so, what does being prime have to
> do with it? Just wondering. :-)
>
> - Richard.
>
> On 12 Aug 1998, Julian Assange wrote:
>
> > Remember 31337 (eleet) is prime.
> >
> > It's probably a scan for Back Orifice, which uses that port, but don't bet
> > the farm on it.
> >
> > Julian.
From owner-freebsd-security Wed Aug 12 05:23:25 1998
From: Luis Saiz
Organization: Atos ODS
Date: Wed, 12 Aug 1998 14:22:04 +0200
To: andrew@squiz.co.nz
Cc: Marius Bendiksen, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

Andrew McNaughton wrote:
> On Wed, 12 Aug 1998, Marius Bendiksen wrote:
> [...]
>
> Fake network services are an interesting idea. They're not going to be
> viable for most users, but how many of these systems need to be scattered
> around the net and monitored to provide an effective deterrent to scan
> based attacks? ....

That's the idea Cheswick exposes in the classical "Firewalls and Internet Security, Repelling the Wily Hacker". He created a "jail" simulating a real system "on the fly" after discovering an attack.

[...]
> Andrew

Luis Saiz

From owner-freebsd-security Wed Aug 12 05:38:18 1998
From: Jay Tribick
Date: Wed, 12 Aug 1998 13:37:48 +0100 (BST)
To: Luis Saiz
Cc: andrew@squiz.co.nz, Marius Bendiksen, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

| > Fake network services are an interesting idea. They're not going to be
| > viable for most users, but how many of these systems need to be scattered
| > around the net and monitored to provide an effective deterrent to scan
| > based attacks? ....
|
| That's the idea Cheswick exposes in the classical "Firewalls and Internet Security,
| Repelling the Wily Hacker". He created a "jail" simulating a real system "on the
| fly" after discovering an attack.

An interesting idea, create a duplicate of your filesystem within a subdirectory and chroot them into that directory. Would it be possible to fool things like 'ps' that read /proc using this method?
Regards,

Jay Tribick
--
[| Network Administrator | FastNet International | http://fast.net.uk/ |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Aug 12 07:59:16 1998
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
Date: Wed, 12 Aug 1998 07:58:10 -0700
To: andrew@squiz.co.nz
Cc: Marius Bendiksen, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

If memory serves me right, Andrew McNaughton wrote:

[fake network services]

> It seems plausible that this might be introduced to the culture of
> internet bug reports, but it would be entirely dependent on some
> organization setting up a centralised monitoring facility. Probably it
> would also be dependent on a standardized attack report protocol that
> obviated the need for new software to be set up to record information on
> each new bug being reported. Probably improbable.

I haven't seen the words "Internet" and "centralised" (for me that would be "centralized") in the same sentence for awhile. :-)

Anyways, I'm just put in mind of an incident a couple years ago, when some nameless ISP was worried about people telnetting into their servers. Their security consultant (who shall also remain nameless) set up a script on TCP port 23 that, when it detected a connection attempt, would automatically send a complaint letter to the perceived ISP of the source, as well as to CERT. Probably in retaliation, someone spammed USENET with promises of many wonderful things (I remember "a program to break PGP encryption" being one of them), which could all be had for free, by telnetting to a certain IP address...well, you get the picture.

I don't think you were suggesting this, but this story points out the need to be careful with completely automated attack reporting systems.

Bruce.
From owner-freebsd-security Wed Aug 12 08:15:34 1998
From: Marius Bendiksen
Date: Wed, 12 Aug 1998 17:12:53 +0200
To: bmah@CA.Sandia.GOV
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

>I haven't seen the words "Internet" and "centralised" (for me that would be
>"centralized") in the same sentence for awhile. :-)

How come that doesn't surprise me? ;)

>I don't think you were suggesting this, but this story points out the need to
>be careful with completely automated attack reporting systems.

Yeah... :) We wouldn't want that.
But, as you pointed out, I didn't suggest this. What I suggested was simulating the presence of exploitable features in the system, and logging attempts to use such exploits. For starters, a daemon to emulate the presence of Back Orifice, which would have configurable attack-report levels and responses. If someone is trying to do the BO equivalent of rm -rf / on your system, they're attacking. I will *not* be convinced that they actually tried such a thing as _that_ to get a free PGP cracker ;)

I can, of course, see the problems associated with setting up something which is too sensitive, as a port 23 connection detector of course would be.

---
Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Wed Aug 12 08:23:14 1998
From: Martin Cracauer
Date: Wed, 12 Aug 1998 17:24:33 +0200
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: DOS exploit in Apache

In <199808111816.MAA18952@lariat.lariat.org>, Brett Glass wrote:
> All recent versions of Apache can be made to demand virtually unlimited
> amounts of memory if they are fed large numbers of HTML request headers. I
> haven't seen a fix for FreeBSD yet; have the published package and port
> been patched yet?

This is one of the (rare, IMHO) cases where FreeBSD's conservative resource limit defaults do something good. So on FreeBSD you can't launch a denial-of-service attack for the whole machine this way.

Martin
--
Martin Cracauer http://www.cons.org/cracauer
BSD User Group Hamburg, Germany http://www.bsdhh.org/

From owner-freebsd-security Wed Aug 12 08:36:06 1998
From: bmah@CA.Sandia.GOV (Bruce A. Mah)
Reply-To: bmah@CA.Sandia.GOV
Date: Wed, 12 Aug 1998 08:35:30 -0700
To: Marius Bendiksen
Cc: bmah@california.sandia.gov, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

If memory serves me right, Marius Bendiksen wrote:
> But, as you pointed out, I didn't suggest this. What I suggested was
> simulating
> the presence of exploitable features in the system, and logging attempts to
> use
> such exploits.

Presumably with humans in the loop at some level, was my main point here, that was all.

[snip]

> ich would have configurable attack-report levels and responses. If
> someone is
> trying to do the BO equivalent of rm -rf / on your system, they're
> attacking. I
> will *not* be convinced that they actually tried such a thing as _that_ to
> get
> a free PGP cracker ;)

Or they were tricked into it by another Trojan horse. But you're quite right, I'm *much* less likely to believe that someone apparently trying a BO attack was "just testing" or some nonsense like that, compared to someone doing a telnet.

Cheers,

Bruce.
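An added example, not code from anyone in this thread, of the triage the last few messages circle around: Andrew McNaughton's question of whether the high-port UDP packets were a traceroute, Marius Bendiksen's proposed daemon that logs probes with configurable attack-report levels, and Bruce Mah's caveat about automated reporting. It separates the upward port walk of a UDP traceroute from repeated hits on the Back Orifice port, and only marks a source as worth reporting once it passes a threshold, so a single stray datagram is recorded but never reported. The log-line format and the sample addresses are constructed for this example.

```python
import re
from collections import defaultdict

# Classic UDP traceroute sends one probe per destination port, walking
# upward from 33434 from a fixed source port; 100 ports covers the usual
# 30-hop run with three probes per hop.
TRACEROUTE_BASE = 33434
TRACEROUTE_TOP = 33534
# The port this thread associates with Back Orifice scans.
BO_PORT = 31337

# Constructed log format for this example (not any real firewall's output):
#   "UDP from <src_ip>:<src_port> to port <dst_port>"
LINE_RE = re.compile(r"UDP from (\d{1,3}(?:\.\d{1,3}){3}):(\d+) to port (\d+)")


def parse_probes(lines):
    """Return (src_ip, src_port, dst_port) tuples, skipping lines that do not parse."""
    probes = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            probes.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return probes


def looks_like_traceroute(dst_ports):
    """True when the destination ports, in arrival order, step upward by one
    inside the traceroute window. That walk is how a UDP traceroute gives
    itself away; a scan keeps hitting the same port instead."""
    if len(dst_ports) < 3:
        return False
    if not all(TRACEROUTE_BASE <= p <= TRACEROUTE_TOP for p in dst_ports):
        return False
    return all(b - a == 1 for a, b in zip(dst_ports, dst_ports[1:]))


def classify(lines, report_threshold=2):
    """Map each (src_ip, src_port) flow to one verdict.

    report_threshold plays the role of the "attack-report level" proposed in
    the thread: how many hits on the BO port a source needs before it is
    worth a report. Below that it is only recorded, so one datagram can never
    trigger an automated complaint the way the port-23 script did.
    """
    flows = defaultdict(list)
    for src_ip, src_port, dst_port in parse_probes(lines):
        flows[(src_ip, src_port)].append(dst_port)

    verdicts = {}
    for flow, ports in flows.items():
        bo_hits = ports.count(BO_PORT)
        if looks_like_traceroute(ports):
            verdicts[flow] = "traceroute"
        elif bo_hits >= report_threshold:
            verdicts[flow] = "bo-probe-report"
        elif bo_hits:
            verdicts[flow] = "bo-probe-recorded"
        else:
            verdicts[flow] = "unknown"
    return verdicts


# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LINES = [
    "UDP from 198.51.100.7:38025 to port 33434",
    "UDP from 198.51.100.7:38025 to port 33435",
    "UDP from 198.51.100.7:38025 to port 33436",
    "UDP from 203.0.113.9:40000 to port 31337",
    "UDP from 203.0.113.9:40000 to port 31337",
    "UDP from 203.0.113.9:40000 to port 31337",
    "UDP from 192.0.2.44:51000 to port 31337",
    "UDP from 192.0.2.44:51001 to port 33500",
    "this line is noise and is skipped",
]

if __name__ == "__main__":
    for (ip, port), verdict in sorted(classify(SAMPLE_LINES).items()):
        print(f"{ip}:{port} -> {verdict}")
```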
From owner-freebsd-security Wed Aug 12 08:47:52 1998
From: Philippe Regnauld
Date: Wed, 12 Aug 1998 17:52:28 +0200
To: Reidar Bratsberg
Cc: security@FreeBSD.ORG
Subject: Re: Where are your logs? Methods of logging?
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Organization: PROSA

[catching up on a lot of mail]

Reidar Bratsberg writes:
>
> Other options: Let syslog log to a serial port, and set up an
> old machine with MS-DOS (or whatever) to receive them.

As mentioned later, TP with transmit cut doesn't seem to work -- to improve on your above solution, put an old DX33 back to back with the firewall/critical host using PPP or PLIP -- and syslog everything to that box (run Swatch or Logsurfer on it). It's more complicated than above (and you can't afford to cut the TX wire on the RS-232 with PPP!), but you can eventually do more with that box, like stick a modem on it.

Think I'll write up something and add it to the security Howto...

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.
From owner-freebsd-security Wed Aug 12 09:15:55 1998
From: Philippe Regnauld
Date: Wed, 12 Aug 1998 18:20:08 +0200
To: Jay Tribick
Cc: Richard Stanaford, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

Jay Tribick writes:
>
> I wonder if it's possible to get a Cisco to redirect anything to
> port 31337 on the internal network to another IP. :) That way
> if anyone strobed your users they'd think they all had back
> orifice installed Bwahahaha..

More fun...
Point it back at the source address :-)) i.e.: warez.eu.org

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Wed Aug 12 09:21:27 1998
From: Louis Theran
Date: Wed, 12 Aug 1998 12:21:10 -0400
To: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

On Tue, Aug 11, 1998 at 04:38:22PM -0400, Mark J. Taylor wrote:
>
> The neat-o FTP client program in FreeBSD "/usr/bin/ftp" has a
> cool but horrible feature: you can specify the user name and
> password to use via the command line (in the URL), as in:
> /usr/bin/ftp ftp://myname@mypass/ftp.freebsd.org/
>
> This is actually quite bad: any "ps -ax" will show the username
> and password. Using setproctitle(3) would be an attempt to close
> this, but it would create a race condition.
>
> The program "/usr/bin/fetch" does it better: use the environment
> variables FTP_LOGIN and FTP_PASSWORD.
That is even worse, since you can still use ps axeww to see the environment, and people tend to leave the env vars set all the time.

--
Louis Theran
"Te occidere possunt, sed te edere non possunt nefas quo est."
PGP welcome; key at: k-pgpkey@yt.to

From owner-freebsd-security Wed Aug 12 10:01:30 1998
From: Brett Glass
Date: Wed, 12 Aug 1998 11:00:53 -0600
To: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

If someone's trying to BO you, they deserve worse. How about a daemon that sends fatal packets back TO the machine running BO? I'm sure that these punks haven't protected their code adequately against buffer overflows, etc.
--Brett

From owner-freebsd-security Wed Aug 12 10:40:06 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA04826 for freebsd-security-outgoing; Wed, 12 Aug 1998 10:40:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from www.scancall.no (www.scancall.no [195.139.183.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id KAA04729 for ; Wed, 12 Aug 1998 10:39:56 -0700 (PDT) (envelope-from Marius.Bendiksen@scancall.no)
Received: from super2.langesund.scancall.no [195.139.183.29] by www with smtp id HHQWOFNJ; Wed, 12 Aug 98 17:39:08 GMT (PowerWeb version 4.04r6)
Message-Id: <3.0.5.32.19980812193700.0092f220@mail.scancall.no>
X-Sender: Marius@mail.scancall.no
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Wed, 12 Aug 1998 19:37:00 +0200
To: Brett Glass
From: Marius Bendiksen
Subject: Re: UDP port 31337
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <199808121735.LAA00738@lariat.lariat.org>
References: <3.0.5.32.19980812192128.0097a2a0@mail.scancall.no> <199808121700.LAA00346@lariat.lariat.org> <3.0.5.32.19980812112915.0092ead0@mail.scancall.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Oh. In other words, "the wrong person" would just happen to be running the
>Back Orifice program and attempting to break into your system? Not bloody
>likely.

Ever heard of IP spoofing?

In any case, as I said, it's principally wrong to escalate a conflict by retaliation. Besides which, it's illegal too.
---
Marius Bendiksen, IT-Trainee, ScanCall AS

From owner-freebsd-security Wed Aug 12 10:43:10 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA05295 for freebsd-security-outgoing; Wed, 12 Aug 1998 10:43:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from anne.crossfields.com (anne.crossfields.com [205.241.85.170]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA05288 for ; Wed, 12 Aug 1998 10:43:09 -0700 (PDT) (envelope-from pparri@crossfields.com)
Received: from [207.43.27.33] (dial3.brazoria.tgn.net [207.43.27.33]) by anne.crossfields.com (8.8.8/8.8.5) with SMTP id MAA01337 for ; Wed, 12 Aug 1998 12:53:48 -0500 (CDT)
Message-Id: <199808121753.MAA01337@anne.crossfields.com>
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 98 12:46:42 -0500
x-mailer: Claris Emailer 1.1
From: Pat Parrinello
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Larry Kink Live!

Good morning Mr. Gates.

Bill: "Microsoft takes security seriously!"

Larry Kink: Is that why you rip off every programmer you can?

Bill: Of course, once I've... uh.. we, Microsoft has control of every piece of software in the universe our only concern will be package design.

Larry Kink: You did see Elvis then. I knew he was alive, but why did he change his name to Steve Jobs?

(Commercial): Your network is safe with NT servers.

====================================================

> On July 21, a self-described hacker group known as the Cult of the Dead Cow released a tool called BackOrifice, and suggested that Windows users were at risk from unauthorized attacks.

Actually, we released it on August 3rd. Incidentally, it's been downloaded at least 35,000 times as of 11:55pm, August 7th.
> Microsoft takes security seriously, and has issued this bulletin to advise customers that Windows95 and Windows98 users following safe computing practices are not at risk...

This is simply false. Our view is no degree of "safe computing practices" can compensate for the security bugs and lack of functionality in Windows95/98.

> ...and WindowsNT users are not threatened in any way by this tool.
>
> The Claims About BackOrifice

For the present. But remember that the tool has been around for less than a week.

> According to its creators, BackOrifice is "a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network". The authors claim that the program can be used to remotely control a Windows computer, read everything that the user types at the keyboard, capture images that are displayed on the monitor, upload and download files remotely, and redirect information to a remote internet site.

Back Orifice does not do anything that the Windows95/98 operating system was not intended to do. It does not take advantage of any bugs in the operating system or use any undocumented or internal APIs. It uses documented calls built into Windows to do such things as:

* Reveal all cached passwords. This includes passwords for web sites, dialup connections, network drives and printers, and the passwords of any application that stores user passwords in the operating system. (This Windows feature was implemented apparently so the user won't be inconvenienced by having to remember his passwords every time he uses his computer.)
* Create shares hidden to the user and list the passwords of existing shares.
* Make itself mostly invisible. Back Orifice does not appear in the control-alt-delete list of running programs, and can only be killed by a low level process viewer which Windows95 does not ship with. To their credit, Windows98 does ship with a process viewer, but it is not installed by default.

> The Truth About BackOrifice
>
> BackOrifice does not expose or exploit any security issue with the Windows platform or the BackOffice suite of products.

Back Orifice has nothing to do, at all, with the Back Office suite. In fact, the Back Office suite only runs on NT, which isn't even supported by Back Orifice yet. Apples and Oranges.

> BackOrifice does not compromise the security of a Windows network.

cDc would like to know where exactly Microsoft is getting its definition of 'compromise the security'.

> Instead, it relies on the user to install it...

Back Orifice does not rely on the user to install it. To install it, it simply needs to be run. Thanks to some actual exploits, there are several ways a program could be run on a windows computer, not only without the user's approval, but without the user's knowledge.

> ...and, once installed, has only the rights and privileges that the user has on the computer.

This is correct. Once installed, Back Orifice can only do what the user sitting at the computer could do, if he has programs that do everything that Back Orifice does. This includes:

* seeing what's on the screen
* seeing what's typed into the keyboard
* installing software
* uninstalling software
* rebooting the computer
* viewing stored passwords
* viewing and editing the system registry
* connecting and disconnecting the machine to other network hosts using anyone's username/password
* running arbitrary plugins or programs, which of course could employ any manner of exploit or attack

> For a BackOrifice attack to succeed, a chain of very specific events must happen:
>
> The user must deliberately install, or be tricked into installing the program

Not at all. Thanks to various security bugs and common system misconfigurations, there are often ways to deliver and execute arbitrary code on a Windows machine. Even lacking such an exploit, it's easy enough to provide the average Windows users a reason for downloading/installing programs from untrusted sources. It happens all the time.

> The attacker must know the user's IP address.

Untrue. Back Orifice can sweep a range of IP addresses and network blocks to hunt for installations of its server software.

> The attacker must be able to directly address the user's computer; e.g., there must not be a firewall between the attacker and the user.

Incorrect. The mere presence of a firewall or proxy server is not in itself a complete solution. For good, reliable protection for Windows machines on the internet, the cDc can recommend nothing better than a good, properly configured firewall. However, a firewall that permits ANY traffic is still a potential risk. Back Orifice can communicate over any available port. Therefore, if the firewall lets through any UDP packets at all, two-way communication can be established. As for file transfers originating at the remote machine, Back Orifice can use TCP to send data out through the firewall.

Not to mention the hundreds of thousands of Windows95 and 98 boxes connected to the internet via a dialed connection through their local or national isp. For mass ip vendors like those, a firewall simply isn't reasonable. Most of the internet simply wouldn't be accessible anymore.

> What Does This Mean for Customers Running Windows95 and Windows98?
>
> BackOrifice is unlikely to pose a threat to the vast majority of Windows95 or Windows98 users, especially those who follow safe internet computing practices. Windows95 and Windows98 offer a set of security features that will in general allow users to safely use their computers at home or on the Internet. Like any other program, BackOrifice must be installed before it can run. Clearly, users should prevent this installation by following good practices like not downloading unsigned executables, and by insulating themselves from direct connection to the Internet with Proxy Servers and/or firewalls wherever possible.

cDc remembers a day when PC software was written by anyone who had a creative idea for a cute, useful, interesting, or even just plain silly program and being able to share that program with friends who might also enjoy the program. It is unfortunate that the only software we're allowed to run now is written by large companies. It's a good thing we can still trust them not to do something unwanted to our computer!

> Generally, computers running Windows95 and Windows98 are not vulnerable if:
>
> The computer is not connected to the outside world

Unless someone on the inside wants control of your machine. Perhaps your employer is using B.O. to keep track of its human resources. (As a matter of fact, in most states this would be entirely legal.) Or suppose one of your coworkers is just plain nosy. In these circumstances, it doesn't matter if your computer is on the internet.

> The computer is connected to the Internet through an Internet service provider that dynamically assigns IP addresses - as the vast majority of ISPs already do.

Unless the dynamic address assigned is always in the same subnet, (as the vast majority of ISPs do). In which case, B.O. can scan a range of IP addresses to find your machine at its new address.

> The computer is on a network with a firewall or proxy server between it and the attacker.

See above ("firewalls").

> What Does This Mean For Customers Running WindowsNT?
>
> There is no threat to WindowsNT Workstation or WindowsNT Server customers; the program does not run on the WindowsNT platform. BackOrifice's authors don't claim that their product poses any threat to WindowsNT. WindowsNT Workstation and Server offer a comprehensive set of security features that make it the best choice for business users' mission-critical applications.

Don't go upgrade to WindowsNT just yet. We will be releasing a WindowsNT version as soon as we get around to installing that OS.

> What Customers Should do
>
> Customers do not need to take any special precautions against this program. However, all of the normal precautions regarding safe computing apply: Customers should keep their software up to date and should never install or run software from unknown sources -- this applies to both software available on the Internet and sent via e-mail. Reputable software vendors digitally sign their software to verify its authenticity and safety. Companies should use the security features provided by Microsoft products, to prevent the introduction of this and other malicious software, and should monitor network usage to prevent insider attacks.

Rather than having to abstain from using non-big company "Reputable Vendor" software, how about providing some protection? How about the ability to monitor and even prevent disk and registry access so people can run software with confidence, so that even if the author has malicious intent, the software has become infected with an unknown virus or trojan, or there is a bug or malfunction, there is no damage it can do.

Incidentally, Microsoft is also falsely claiming that they tried to contact us regarding BO. On the contrary, Microsoft has repeatedly shown little interest when contacted about security holes in their products in the past. In general, they have needed to have their noses rubbed in it before acknowledging any problems.

cDc issued a preliminary press release about Back Orifice more than a month before releasing the software. A wider-distribution Press Release was issued on July 21st, more than a week before the demonstration at DefCon VI... and again, nothing from Microsoft. Other than issuing silly statements to the press, among other things calling us irresponsible and comparing BO to Satan (again, apples and oranges), they have never contacted us. For over 3 days at Defcon, no one from Microsoft introduced or identified themselves to us. Immediately following our presentation, we were swarmed by the media and the curious... but no one from Microsoft.

It wasn't until August 4 that Scott Culp, Security Product Manager for WindowsNT Server contacted us in e-mail:

> Date: Tue, 4 Aug 1998 11:41:53 -0700
> From: Scott Culp <scottcu@microsoft.com>
> To: "'veggie@cultdeadcow.com'" <veggie@cultdeadcow.com>
> Subject: BackOrifice
>
> I recently received report of your BackOrifice tool, and would welcome an opportunity to talk with you about the tool and the security vulnerabilities you believe it exploits. Microsoft is interested in making our products as secure as possible for our customers, and I'd look forward to talking with you about this issue.

We immediately called him back. He was interested in learning about every vulnerability we knew of. "The biggest one we know of is Windows95/98 itself," to which he agreed.

Later that same day, Microsoft issued another statement -- this time mentioning that they had tried to contact us and had gotten no response. The goliath doth protest too much, methinks.

The fact remains that Back Orifice is only as dangerous as Microsoft's security is deficient. How about a for-instance? Win95/98 caches frequently-used passwords in clear-text, which BO has access to. This often includes passwords users use for their ISPs. But if one is to believe the missives which issue from the Microsoft Marketing Department, ISPs have nothing to worry about. Either that or ISPs across the globe should encourage all their customers to upgrade to NT? Is Windows95/98 the platform on which you perform 'secure' transactions? Is a Windows95/98 platform an endpoint of your corporate VPN? If so, maybe you should be worried.

Back Orifice is a Rorschach for Microsoft credibility. Microsoft's own official response to us was issued as a marketing bulletin! Does anybody else besides cDc find it disturbing that the Marketing Department is running the show over there? Oh, never mind. Forget we ever mentioned it. Listen to Microsoft; don't worry, be happy. Everything will be all right. Move along, there's nothing to see here.
From owner-freebsd-security Wed Aug 12 10:57:10 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA07551 for freebsd-security-outgoing; Wed, 12 Aug 1998 10:57:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from anne.crossfields.com (anne.crossfields.com [205.241.85.170]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA07538 for ; Wed, 12 Aug 1998 10:57:04 -0700 (PDT) (envelope-from pparri@crossfields.com)
Received: from [207.43.27.33] (dial3.brazoria.tgn.net [207.43.27.33]) by anne.crossfields.com (8.8.8/8.8.5) with SMTP id NAA01660 for ; Wed, 12 Aug 1998 13:07:51 -0500 (CDT)
Message-Id: <199808121807.NAA01660@anne.crossfields.com>
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 98 13:00:44 -0500
x-mailer: Claris Emailer 1.1
From: Pat Parrinello
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

___________________________________________________________________________
                  _   _   _
                 ((___))       MORALITY ALERT          MORALITY ALERT
                 [ x x ]
                  \   /
                  (' ')
                   (U)
____________________________www.cultdeadcow.com____________________________

ST. PAUL, BACK DOOR BOOM BOOM, AND ALL THE TEA IN CHINA

[San Francisco, August 6] Almost two thousand years ago St. Paul made an abrupt about face on the road to Tarsus. The CULT OF THE DEAD COW is not sure which road Microsoft is travelling, but they have just made a series of one hundred and eighty degree turns that would shock the apostle. What could account for Redmond's rapid reversals, and more importantly, does it point towards some deeper problems?

After releasing Back Orifice - our remote Windows 9x administration tool - the CULT OF THE DEAD COW was by turns publicly mocked or dismissed by Microsoft flunkies. A useless tool, they droned, users have nothing to worry about, the constellations still spin around our mighty OS. What a load. But the point is, in the space of a few short days Microsoft is now puling that Back Orifice is a dangerous weapon. And to add insult to injury, not only do they slam us in public, privately they're asking for our help to patch up _their_ mess.

However, this does raise an interesting question. Was releasing Back Orifice to the public immoral? Microsoft would love for their customers to believe that we're the bad guys and that they - as vendors of a digital sieve - bear no responsibility whatever. But questions of morality are more often relative than absolute. So to make things easier, we'll frame our culture and actions against theirs and let the public determine which one of us looks better in black.

We'd like to ask Microsoft, or more to the point, we'd like to ask Bill Gates why he stood shoulder to shoulder in 1996 with China's president and head of the Communist Party to denounce any discussion of China's human rights record at the annual meeting of the United Nations Commission on Human Rights in Geneva? Was the decision to cozy up to the world's largest totalitarian state based on some superior moral position, or was it just more convenient to trample human decency underfoot and go for even more money? Call us crazy, but we think that Microsoft has about as much right to condescend to the CULT OF THE DEAD COW as Li Peng does to lecture anyone who raises the issue of human rights abuses in China - a point of view that Bill Gates shares.

Now let's return to Back Orifice. Would it be immoral to use this tool for untoward purposes on Windows networks? Would it be immoral for Back Orifice to find its way to China and cause a lot of dry heaving in Microsoft's largest target market? Should hacktivists use Back Orifice as a form of protest against multinationals who share Microsoft's position of dollars before dignity?

It's a short life and we're all going to be judged by our actions. So, whether or not we've done the right thing is a matter for history and human conscience to decide. But if the gods want to curse us for bringing fire down from the mountain, we'll take a seat with Prometheus and deal with the heat. At the end of the day, the CULT OF THE DEAD COW doesn't think that the world was meant to be a dark place.

--

For background information on this whole damn kerfuffle, the public may consult the following documents:

1) Our technical rebuttal to... [http://www.cultdeadcow.com/news/rebuttal.txt]
2) Microsoft marketing's spin-control job on Back Orifice [http://www.microsoft.com/security/mktBackOrifice.htm]
3) Back Orifice Press Release [http://www.cultdeadcow.com/news/back_orifice.txt]
4) BO homepage [http://www.cultdeadcow.com/tools/]
5) To learn more about cDc's stance on the PRC... [http://www.cultdeadcow.com/cDc_files/cDc-0356.html]

For further details or lucrative film offers, please contact:

The Deth Vegetable
Minister of Propaganda
CULT OF THE DEAD COW
veggie@cultdeadcow.com

...........................................................................
. The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has done everything from publish the longest running e-zine on the Internet to diddling military networks around the globe. We could go on, but who's got the time. Journalists can check out the Medialist link on our Web site for more background information. Cheerio.

"cDc. It's alla'bout style, jackass."
From owner-freebsd-security Wed Aug 12 11:12:38 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10631 for freebsd-security-outgoing; Wed, 12 Aug 1998 11:12:38 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10626 for ; Wed, 12 Aug 1998 11:12:36 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id MAA01183; Wed, 12 Aug 1998 12:12:02 -0600 (MDT)
Message-Id: <199808121812.MAA01183@lariat.lariat.org>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1.0.44 (Beta)
Date: Wed, 12 Aug 1998 12:04:54 -0600
To: Marius Bendiksen
From: Brett Glass
Subject: Re: UDP port 31337
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <3.0.5.32.19980812193700.0092f220@mail.scancall.no>
References: <199808121735.LAA00738@lariat.lariat.org> <3.0.5.32.19980812192128.0097a2a0@mail.scancall.no> <199808121700.LAA00346@lariat.lariat.org> <3.0.5.32.19980812112915.0092ead0@mail.scancall.no>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If no one was listening, it wouldn't be a problem. Only an attacker who INTENDED to invade your systems would be subject to crashes due to the response. And would deserve it.

--Brett

At 07:37 PM 8/12/98 +0200, Marius Bendiksen wrote:
>>Oh. In other words, "the wrong person" would just happen to be running the
>>Back Orifice program and attempting to break into your system? Not bloody
>>likely.
>
>Ever heard of IP spoofing?
>
>In any case, as I said, it's principally wrong to escalate a conflict by
>retaliation. Besides which, it's illegal too.
>
>---
>Marius Bendiksen, IT-Trainee, ScanCall AS
>

From owner-freebsd-security Wed Aug 12 11:13:01 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10713 for freebsd-security-outgoing; Wed, 12 Aug 1998 11:13:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Mercury.unix.acs.cc.unt.edu (mercury.acs.unt.edu [129.120.220.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10706 for ; Wed, 12 Aug 1998 11:12:58 -0700 (PDT) (envelope-from john@unt.edu)
Received: from leonardo.cascss.unt.edu (leonardo.cascss.unt.edu [129.120.32.203]) by Mercury.unix.acs.cc.unt.edu (8.8.8/8.8.8) with ESMTP id NAA12167; Wed, 12 Aug 1998 13:11:33 -0500 (CDT)
Received: (from john@localhost) by leonardo.cascss.unt.edu (8.8.8/8.6.9) id NAA03047; Wed, 12 Aug 1998 13:09:37 -0500 (CDT)
From: john
Message-Id: <199808121809.NAA03047@leonardo.cascss.unt.edu>
Subject: Re: UDP port 31337
In-Reply-To: <199808121753.MAA01337@anne.crossfields.com> from Pat Parrinello at "Aug 12, 98 12:46:42 pm"
To: pparri@crossfields.com (Pat Parrinello)
Date: Wed, 12 Aug 1998 13:09:37 -0500 (CDT)
Cc: freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Um..this looks like it belongs on freebsd-chat, not security.

> Larry Kink Live!
>
> Good morning Mr. Gates.
>
> Bill: "Microsoft takes security seriously!"

other junk deleted.
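Before anyone writes the "fire back at the BO client" daemon Brett proposes above, it is worth doing what Marius's IP-spoofing objection implies: triage what the kernel actually logged. The following is an added example for this thread, not code from any of the messages. It parses the FreeBSD net.inet.udp.log_in_vain message format ("Connection attempt to UDP a.b.c.d:port from w.x.y.z:port"); the syslog lines it runs over are constructed, and its rules are this example's own assumptions: a run of destination ports from 33434 upward sent from one fixed source port is the signature of a Unix traceroute, and 31337 is Back Orifice's default server port (the cDc text above says that port is configurable, so a quiet 31337 proves nothing). A UDP source address is an unauthenticated field, so every verdict is a lead for a phone call or an ipfw deny rule, never a target to send packets at.

```python
"""Triage FreeBSD log_in_vain UDP messages before reacting to them.

Added example, not code from any message in this thread. Parses the
kernel's "Connection attempt to UDP a.b.c.d:port from w.x.y.z:port" line.
The sample log below is constructed; the port heuristics are assumptions.
"""
import re
from collections import defaultdict

LOG_IN_VAIN = re.compile(
    r"Connection attempt to UDP (\S+):(\d+) from (\S+):(\d+)")

BO_DEFAULT_PORT = 31337                  # assumption: the default, not the only port
TRACEROUTE_PORTS = range(33434, 33535)   # 33434 + 30 hops * 3 probes, with slack
SWEEP_THRESHOLD = 8                      # distinct destination ports from one source

# Constructed sample: a traceroute aimed at us, one Back Orifice probe, a
# low-port sweep, a stray NetBIOS name query, and a non-kernel line to skip.
SAMPLE_LOG = "\n".join(
    [f"Aug 12 10:01:{i:02d} gw /kernel: Connection attempt to UDP "
     f"192.0.2.10:{33495 + i} from 198.51.100.7:43908" for i in range(5)]
    + ["Aug 12 10:02:10 gw /kernel: Connection attempt to UDP "
       "192.0.2.10:31337 from 203.0.113.9:1029"]
    + [f"Aug 12 10:03:{i:02d} gw /kernel: Connection attempt to UDP "
       f"192.0.2.10:{p} from 203.0.113.50:2001"
       for i, p in enumerate(range(7, 120, 11))]
    + ["Aug 12 10:04:00 gw /kernel: Connection attempt to UDP "
       "192.0.2.10:137 from 198.51.100.200:137",
       "Aug 12 10:04:01 gw sendmail[123]: unrelated line, ignored"])


def parse(lines):
    """Yield (src, sport, dst, dport) for every log_in_vain UDP line."""
    for line in lines:
        m = LOG_IN_VAIN.search(line)
        if m:
            dst, dport, src, sport = m.groups()
            yield src, int(sport), dst, int(dport)


def classify(lines):
    """Group attempts by claimed source address and label each source's pattern."""
    per_src = defaultdict(lambda: {"dports": set(), "sports": set(), "dsts": set()})
    for src, sport, dst, dport in parse(lines):
        per_src[src]["dports"].add(dport)
        per_src[src]["sports"].add(sport)
        per_src[src]["dsts"].add(dst)

    traceroute_range = set(TRACEROUTE_PORTS)
    verdicts = {}
    for src, seen in per_src.items():
        if BO_DEFAULT_PORT in seen["dports"]:
            verdicts[src] = "back-orifice-probe"      # someone hunting BO servers
        elif seen["dports"] <= traceroute_range and len(seen["sports"]) == 1:
            verdicts[src] = "traceroute"              # benign path mapping
        elif len(seen["dports"]) >= SWEEP_THRESHOLD:
            verdicts[src] = "port-sweep"
        else:
            verdicts[src] = "single-probe"            # one stray datagram
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:16} {verdict}")
```

Feed it `grep 'Connection attempt to UDP' /var/log/messages` and the traceroute entries, which otherwise look alarming because of their high port numbers, drop out as noise; what remains is the short list worth looking at, and the "from" column in it is still only what the sender chose to write into the header.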
From owner-freebsd-security Wed Aug 12 11:25:45 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA13206 for freebsd-security-outgoing; Wed, 12 Aug 1998 11:25:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from anne.crossfields.com (anne.crossfields.com [205.241.85.170]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA13177 for ; Wed, 12 Aug 1998 11:25:29 -0700 (PDT) (envelope-from pparri@crossfields.com)
Received: from [207.43.27.33] (dial3.brazoria.tgn.net [207.43.27.33]) by anne.crossfields.com (8.8.8/8.8.5) with SMTP id NAA01947; Wed, 12 Aug 1998 13:36:12 -0500 (CDT)
Message-Id: <199808121836.NAA01947@anne.crossfields.com>
Subject: Um..this looks like it belongs on freebsd-chat, not security.
Date: Wed, 12 Aug 98 13:29:06 -0500
x-mailer: Claris Emailer 1.1
From: Pat Parrinello
To: "john" ,
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Um..this looks like it belongs on freebsd-chat, not security."

You are an excellent judge of security issues, John. You work for Microsoft?

Yeah, you are right. Chat. Not security. From the "chat" on freebsd-security@FreeBSD.ORG I would surmise the following also belongs on freebsd-chat. I got it from the bovine. Er.. grape vine.

___________________________________________________________________________
                  _   _   _
                 ((___))       SECURITY ALERT          SECURITY ALERT
                 [ x x ]
                  \   /
                  (' ')
                   (U)
____________________________www.cultdeadcow.com____________________________

RUNNING A MICROSOFT OPERATING SYSTEM ON A NETWORK? OUR CONDOLENCES.

[July 21, San Francisco] The CULT OF THE DEAD COW (cDc) will release Back Orifice, a remote MS Windows Administration tool at Defcon VI in Las Vegas (www.defcon.org) on August 1. Programmed by Sir Dystic [cDc], Back Orifice is a self-contained, self-installing utility which allows the user to control and monitor computers running the Windows operating system over a network.

Sir Dystic sounded like an overworked sysadmin when he said, "The two main legitimate purposes for BO are, remote tech support aid and employee monitoring and administering [of a Windows network]."

Back Orifice is going to be made available to anyone who takes the time to download it. So what does that mean for anyone who's bought into Microsoft's Swiss cheese approach to security? Plenty according to Mike Bloom, Chief Technical Officer for Gomi Media in Toronto.

"The current path of learning I see around me is to learn what you have to to cover your ass, go home and watch Jerry. Microsoft has capitalized on this at the cost of production value which translates down to security. A move like releasing [Back Orifice] means that the lowest common denominator of user will have to come to understand the threat, and that it is not from [Sir Dystic] writing an app that [potentially] turns Win32 security on its ear, but that Microsoft has leveraged itself into a position where anyone who wants to can download an app [or write their own!] and learn a few tricks and make serious shit happen."

None of this is lost on Microsoft. But then again, they don't care. Security is way down on their list of priorities. But regardless of which side of the firewall you sit on, you can't afford not to have a copy of Back Orifice. Here are the specs:

Back Orifice (BO) allows the user to remotely control almost all parts of the operating system, including:

* File system
* Registry
* System
* Passwords
* Network
* Processes

* BO contains extensive multimedia control, allowing images to be captured from the server machine's screen, or from any video input device attached to the machine.
* BO has an integrated HTTP server, allowing uploads and downloads of files to and from a machine on any port using any http client.
* BO has an integrated packet sniffer, allowing easy monitoring of network traffic.
* BO has an integrated keyboard monitor, allowing the easy logging of keystrokes to a log file.
* BO allows connection redirection, allowing connections to be bounced off a machine to any other machine on the Internet.
* BO allows application redirection, allowing text based applications running on the server machine to be controlled via a simple telnet session. Even open a remote shell.
* BO has a simple plugin interface, allowing additional modules to be written by third parties, and executed in Back Orifice's hidden system process.
* BO is EASY TO INSTALL! Simply run the server, and it installs itself, and removes the executable it was originally run from, or it can be attached to any other Windows executable, which will run normally after installing the Back Orifice server.
* BO is TRANSPARENT! Back Orifice does not show up in the task list, or even the Close Programs dialog, it is automatically restarted each time the computer boots, and does not affect the operation of any other applications.
* BO is CONFIGURABLE! The filename that Back Orifice installs itself as, the port Back Orifice communicates on, and the encryption key are all configurable before the server is installed.
* BO is ENCRYPTED! Communication packets used by Back Orifice are encrypted with a user definable key, so only the intended client can control the server.
* BO is FREE! All the functionality mentioned above AND MORE is available in the 120k server, along with an easy to use text based or GUI client, Back Orifice comes with everything you need to distribute and control any number of machines.
* BO is GROWING! New features, increased efficiency, new plugins, and more support are being added to Back Orifice every day.

After August 3, Back Orifice will be available from www.cultdeadcow.com free of charge.

For further details or lucrative film offers, please contact:

The Deth Vegetable
Minister of Propaganda
CULT OF THE DEAD COW
veggie@cultdeadcow.com

...........................................................................
. The CULT OF THE DEAD COW (cDc) is the most influential group of hackers in the world. Formed in 1984, the cDc has done everything from publish the longest running e-zine on the Internet to diddling military networks around the globe. We could go on, but who's got the time. Journalists can check out the Medialist link on our Web site for more background information. Cheerio.

"cDc. It's alla'bout style, jackass."

From owner-freebsd-security Wed Aug 12 11:55:49 1998
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA19481 for freebsd-security-outgoing; Wed, 12 Aug 1998 11:55:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from anne.crossfields.com (anne.crossfields.com [205.241.85.170]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA19472 for ; Wed, 12 Aug 1998 11:55:39 -0700 (PDT) (envelope-from pparri@crossfields.com)
Received: from [207.43.27.33] (dial3.brazoria.tgn.net [207.43.27.33]) by anne.crossfields.com (8.8.8/8.8.5) with SMTP id OAA02223; Wed, 12 Aug 1998 14:06:22 -0500 (CDT)
Message-Id: <199808121906.OAA02223@anne.crossfields.com>
Subject: Re: UDP port 31337
Date: Wed, 12 Aug 98 13:59:14 -0500
x-mailer: Claris Emailer 1.1
From: Pat Parrinello
To: "Brett Glass" ,
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>If someone's trying to BO you, they deserve worse.
>
>How about a daemon that sends fatal packets back TO the machine running BO?
>I'm sure that these punks haven't protected their code adequately against
>buffer overflows, etc.
>
>--Brett

Yeah, right. "a daemon that sends fatal packets back TO the machine running BO"

And now that BO is available for unix... your daemon is a great idea. Care to write one? :)

From owner-freebsd-security Wed Aug 12 12:13:40 1998
From: rien rien
Date: 12 Aug 98 21:13:02 MET DST
To: freebsd-security@FreeBSD.ORG
Subject: somes questions ...
Message-ID: <19980812191302.10557.qmail@www0d.netaddress.usa.net>

Hi,

I have some questions about the security on BSD 2.2.6.

I would like to know how to secure the system to the max. I have access to an IP network, without other protocols. I have an FTP, TFTP and HTTP server on BSD, and no other access from the network.

What can I do to maximise the security of the server?
Thanks,

nico

____________________________________________________________________
More than just email--Get your FREE Netscape WebMail account today at http://home.netscape.com/netcenter/mail

From owner-freebsd-security Wed Aug 12 12:42:26 1998
From: "Jordan K. Hubbard"
Date: Wed, 12 Aug 1998 12:39:45 -0700
To: Pat Parrinello
cc: "john" , freebsd-security@FreeBSD.ORG
Subject: Re: Um..this looks like it belongs on freebsd-chat, not security.
In-reply-to: Your message of "Wed, 12 Aug 1998 13:29:06 CDT." <199808121836.NAA01947@anne.crossfields.com>
Message-ID: <14999.902950785@time.cdrom.com>

> "Um..this looks like it belongs on freebsd-chat, not security."

Actually, this is clearly for -chat. If you have a FREEBSD RELATED security issue to discuss, then freebsd-security is indeed the place. If it's concerning Windows or some other OS, as these postings do, it is indeed -chat material.

Please cease and desist from posting these sorts of messages to freebsd-security.

Thank you.
- Jordan

From owner-freebsd-security Wed Aug 12 12:52:01 1998
From: Poul-Henning Kamp
Date: Wed, 12 Aug 1998 21:48:27 +0200
To: undisclosed-recipients:;
Subject: Re: Um..this looks like it belongs on freebsd-chat, not security.
Message-ID: <992.902951307.1@critter.freebsd.dk>
Content-Description: Blind Carbon Copy

------- Original Message
To: Pat Parrinello
cc: freebsd-chat@FreeBSD.ORG
Subject: Re: Um..this looks like it belongs on freebsd-chat, not security.
In-reply-to: Your message of "Wed, 12 Aug 1998 13:29:06 CDT." <199808121836.NAA01947@anne.crossfields.com>
Date: Wed, 12 Aug 1998 21:48:27 +0200
Message-ID: <992.902951307@critter.freebsd.dk>
From: Poul-Henning Kamp

In message <199808121836.NAA01947@anne.crossfields.com>, Pat Parrinello writes:

> "Um..this looks like it belongs on freebsd-chat, not security."
>
> You are an excellent judge of security issues, John. You work
> for Microsoft?
>
> Yeah, you are right. Chat. Not security.
>
> From the "chat" on freebsd-security@FreeBSD.ORG I would surmise
> the following also belongs on freebsd-chat.
This does indeed belong in -chat, if anywhere around here. There is nothing FreeBSD related in it at all.

--
Poul-Henning Kamp             FreeBSD coreteam member
phk@FreeBSD.ORG               "Real hackers run -current on their laptop."
"ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal

From owner-freebsd-security Wed Aug 12 12:55:01 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Thu, 13 Aug 1998 07:52:28 +1200 (NZST)
To: Brett Glass
cc: Marius Bendiksen , freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <199808121812.MAA01183@lariat.lariat.org>

On Wed, 12 Aug 1998, Brett Glass wrote:

> If no one was listening, it wouldn't be a problem.
>
> Only an attacker who INTENDED to invade your systems would be subject to
> crashes due to the response. And would deserve it.

Every so often I get a couple of packet fragments arrive from some location or other to an apparently random port.
Could be I'm wrong, and there could be more pattern to it than I've noted, but so far I've assumed that this is a damaged packet, and wasn't necessarily supposed to go to where it did. I haven't looked at packet contents.

If this is the likely explanation (feedback welcome) then it underlines the need for a reasonably robust trigger for any action that has potentially dangerous consequences.

If the retaliation was an exploit of a bug in the BO client though then I could be tempted to run it.

Andrew

From owner-freebsd-security Wed Aug 12 13:00:31 1998
From: "Jan B. Koum "
Date: Wed, 12 Aug 1998 13:00:00 -0700 (PDT)
To: rien rien
cc: freebsd-security@FreeBSD.ORG
Subject: Re: somes questions ...
In-Reply-To: <19980812191302.10557.qmail@www0d.netaddress.usa.net>

On 12 Aug 1998, rien rien wrote:

>Hi
>
>I have some questions about the security on BSD 2.2.6.

CVSup to 2.2.7 or 2.2-STABLE

>
>I would like to know how to secure the system to the max. I have access to an IP network,
>without other protocols.
>I have an FTP, TFTP and HTTP server on BSD, and
>no other access from the network.
>
>What can I do to maximise the security of the server?

www.best.com/~jkb/howto.txt

>
>Thanks,
>
>
>nico

From owner-freebsd-security Wed Aug 12 13:20:07 1998
From: Pat Parrinello
Date: Wed, 12 Aug 98 15:23:18 -0500
To: "Brett Glass" , "Marius Bendiksen"
Subject: Re: UDP port 31337
Message-Id: <199808122030.PAA02830@anne.crossfields.com>

>If no one was listening, it wouldn't be a problem.
>
>Only an attacker who INTENDED to invade your systems would be subject to
>crashes due to the response. And would deserve it.

Brett, :)

Think again. I do not think you are wanting security as much as revenge. Listen again to Marcus here... He makes the best sense of all.
>>In any case, as I said, it's principally wrong to escalate a conflict by
>>retaliation. Besides which, it's illegal too.
>>---
>>Marius Bendiksen, IT-Trainee, ScanCall AS
>>

The reason I posted on this subject at all was to inject a little reality, albeit in a humor mode which I take it some here are in no mood for, but alas I will pass on my advice and for what it's worth... you can take it or leave it.

Security is observing and taking action. That action should be defensive not offensive.

Hold your friends close, but hold your enemies even closer.

Know, don't guess the reaction to an action.

Use common sense, it has been tried and tested for over 10,000 years and found reliable.

Test. One good test is worth a thousand expert opinions.

Strength is in silence.

~Pat~

From owner-freebsd-security Wed Aug 12 13:50:47 1998
From: "J.R.S. II"
Date: Wed, 12 Aug 1998 15:50:02 -0500 (CDT)
To: rien rien
cc: freebsd-security@FreeBSD.ORG
Subject: Re: somes questions ...
In-Reply-To: <19980812191302.10557.qmail@www0d.netaddress.usa.net>

disable un-needed stuff in etc/rc.conf

On 12 Aug 1998, rien rien wrote:

> Hi,
>
> I have some questions about the security on BSD 2.2.6.
>
> I would like to know how to secure the system to the max. I have access to an IP network,
> without other protocols. I have an FTP, TFTP and HTTP server on BSD, and
> no other access from the network.
>
> What can I do to maximise the security of the server?
>
> Thanks,
>
>
> nico

*********************************
* Elocin Solutions              *
* Providing Tomorrows           *
* Solutions Today               *
* Johnathan Raymond Sconiers II *
* jrs@elocin.com                *
*********************************

From owner-freebsd-security Wed Aug 12 13:50:53 1998
Message-Id: <199808122049.OAA02921@lariat.lariat.org>
From: Brett Glass
Date: Wed, 12 Aug 1998 14:49:56 -0600
To: Pat Parrinello , "Marius Bendiksen"
Subject: Re: UDP port 31337
In-Reply-To: <199808122030.PAA02830@anne.crossfields.com>

At 03:23 PM 8/12/98 -0500, Pat Parrinello wrote:

> Security is observing and taking action.

I agree. However, not everyone agrees on what type of action should be taken. I say there's nothing like a good watchdog. With teeth.

--Brett

From owner-freebsd-security Wed Aug 12 14:44:10 1998
From: Ben
Reply-To: ben@efn.org
Date: Wed, 12 Aug 1998 14:42:25 -0700 (PDT)
To: andrewr
cc: Garrett Wollman , Marc Slemko , "Mark J. Taylor" , freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

On Tue, 11 Aug 1998, andrewr wrote:

> On Tue, 11 Aug 1998, Garrett Wollman wrote:
>
> > I think there are good reasons (and this is one of them) to disable
> > the environment-dumping option of ps. Unfortunately it is probably
> > too well-entrenched to kill. I had totally forgotten about it until
> > this discussion began.
> >
> > -GAWollman
>
> For awhile now, I've been wanting to change a lot of things dealing with ps
> and proc. What I mean is, privacy. I believe there should be an option
> on install or perhaps a patch to ps(1), w(1), and who knows what others,
> that will not allow normal users to view the processes of other normal
> users (or superusers for that matter). However, /proc is a way for a
> normal user to view what programs are being run for what id, and the uid
> is easy enough to see (ls -l), (thanks jtb). Don't you think this should be
> an optional patch?

For ps I made a patch that allows only root (or wheel, you pick) to use the flag '-a', otherwise the user attempting to use '-a' only gets his/her procs.

Available at:

http://www.efn.org/~ben/ps/diff.txt
  For the diff between the 2.2.7-RELEASE ps.c and mine. (/usr/src/bin/ps.c)
http://www.efn.org/~ben/ps/results.txt
  Demonstration of it in action.
http://www.efn.org/~ben/ps/ps.c
http://www.efn.org/~ben/ps/ps.old.c
  My ps.c and the old ps.c.
http://www.efn.org/~ben/ps/ps.root.gz
http://www.efn.org/~ben/ps/ps.wheel.gz
  Binaries for 2.2.7 that allow only root, or wheel to use the -a flag correctly.

> Andrew

-ben@efn.org EFN News Administrator.
From owner-freebsd-security Wed Aug 12 14:56:42 1998
From: "Jan B. Koum "
Date: Wed, 12 Aug 1998 14:55:59 -0700 (PDT)
To: Marius Bendiksen
cc: Brett Glass , freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <3.0.5.32.19980812193700.0092f220@mail.scancall.no>

AFAIK IP spoofing is "blind" - you can't be spoofing IP during a portscan. Hence, if someone were to portscan a class B for UDP port 31337, they ought to do it from the real IP. Now the fact that this IP might belong to someone else (cracked account, etc) is another matter.

-- Yan

www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Wed, 12 Aug 1998, Marius Bendiksen wrote:

>>Oh. In other words, "the wrong person" would just happen to be running the
>>Back Orifice program and attempting to break into your system? Not bloody
>>likely.
>
>Ever heard of IP spoofing?
>
>In any case, as I said, it's principally wrong to escalate a conflict by
>retaliation.
>Besides which, it's illegal too.
>---
>Marius Bendiksen, IT-Trainee, ScanCall AS
>

From owner-freebsd-security Wed Aug 12 15:00:14 1998
From: "Jan B. Koum "
Date: Wed, 12 Aug 1998 14:59:30 -0700 (PDT)
To: Pat Parrinello
cc: freebsd-security@FreeBSD.ORG
Subject: Please take to ntbugraq (Was: Re: UDP port 31337)
In-Reply-To: <199808121753.MAA01337@anne.crossfields.com>

Hello!!! This is FreeBSD, NOT win95 security. All the original poster was asking is what uses UDP port 31337. Please let this thread die!!!

-- Yan

On Wed, 12 Aug 1998, Pat Parrinello wrote:

>Larry Kink Live!
>
> Good morning Mr. Gates.
>
>Bill: "Microsoft takes security seriously!"
>
>Larry Kink: Is that why you rip off every programmer you can?
>
>Bill: Of course, once I've... uh..
>we, Microsoft has control
>of every piece of software in the universe our only
>concern will be package design.
>
>Larry Kink: You did see Elvis then. I knew he was alive,
>but why did he change his name to Steve Jobs?

[20 page security advisory from MS snipped]

From owner-freebsd-security Wed Aug 12 16:15:45 1998
From: Steve McBride
Date: Wed, 12 Aug 1998 16:12:50 -0700
To: "J.R.S. II" , rien rien
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: somes questions ...
Message-Id: <3.0.32.19980812161249.00692e8c@tyche>

I'd probably also rip just about everything out of inetd, install tcp wrappers, watch file permissions real closely, possibly chroot your FTP/TFTP environment, do everything you can to make sure that programs don't run as root/suid... And for God's sake, make sure your passwords are decent!

Steve McBride

At 03:50 PM 8/12/98 -0500, J.R.S. II wrote:

>disable un-needed stuff in etc/rc.conf
>
>On 12 Aug 1998, rien rien wrote:
>
>> I would like to know how to secure the system to the max. I have access to an IP network,
>> without other protocols. I have an FTP, TFTP and HTTP server on BSD, and
>> no other access from the network.
>>
>> What can I do to maximise the security of the server?
>>
>> Thanks,
>>
>>
>> nico

From owner-freebsd-security Wed Aug 12 16:59:42 1998
Message-Id: <199808122359.AAA08978@bofh.fast.net.uk>
From: Jay Tribick
Date: Thu, 13 Aug 1998 00:57:30 +0100
To: freebsd-security@FreeBSD.ORG
Subject: Re: somes questions ...
In-Reply-To: <3.0.32.19980812161249.00692e8c@tyche>

Hi

>>> I would like to know how to secure the system to the max. I have access to an IP network,
>>> without other protocols. I have an FTP, TFTP and HTTP server on BSD,
>>> and no other access from the network.
>>>
>>> What can I do to maximise the security of the server?

>I'd probably also rip just about everything out of inetd, install tcp
>wrappers, watch file permissions real closely, possibly chroot your
>FTP/TFTP environment, do everything you can to make sure that programs
>don't run as root/suid... And for God's sake, make sure your passwords are
>decent!

Don't forget the following:

o Up your securelevel (`man init`) and set critical log files as append only (`man chflags`)
o Put home on a separate partition and quota it, same with /tmp
o Mount /home as noexec so that users can't run their own uploaded programs (that's if you /have/ any users of course..)
o Edit rc.firewall and customise to your needs, or alternatively roll your own firewall(tm) using ipfw.
o Install the absolute minimum possible
o Before deployment, try and gain root on your system as a normal user.
o Monitor www.rootshell.com, bugtraq and freebsd-security *constantly*.
o Install ssh and disable all r[login|shell|cmd] services and telnetd if you can.
o Check your system partitions / /var etc. for any files that are world writeable.
o Run Satan, Saint, Cops, Tiger etc. etc. on your system to test for obvious exploitable holes.
o Install a traffic shaper that will limit incoming icmp packets or alternatively just deny them completely at router level or filter them using ipfw.
o I /would/ have said install Abacus sentry but there is a supposed bug in it recently that can lead to a DoS attack if misconfigured (n.b.: Abacus sentry detects port scans and blocks the host in realtime and can page a sysadmin)
o Install tripwire and periodically check that all files have their CRC's etc. intact and are verbatim copies of the ones stored on write-protected media (e.g. CD-ROM)
o Encase in concrete, remove all power, network cables, light, aural stimuli and anything else that someone could use to break into your machine (including pick-axes, hammers, screwdrivers etc.) Oh no, wait.. that's Microsoft's C2 security specification creeping in there ;)

Well.. you did say maximum security ;)

Can't think of any more right now.. time for slZZZZZzzzzzzzzzzzz......

Regards,

Jay Tribick

[| Network Administrator | FastNet International | http://fast.net.uk |]
[| Finger netadmin@fastnet.co.uk for contact information |]
[| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]

From owner-freebsd-security Wed Aug 12 17:52:19 1998
From: Nicholas Charles Brawn
Date: Thu, 13 Aug 1998 10:51:28 +1000 (EST)
To: Brett Glass
cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <199808121700.LAA00346@lariat.lariat.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 12 Aug 1998, Brett Glass wrote: > If someone's trying to BO you, they deserve worse. > > How about a daemon that sends fatal packets back TO the machine running BO? > I'm sure that these punks haven't protected their code adequately against > buffer overflows, etc. > > --Brett The company formerly known as SNI (now integrated into NAI) wrote a paper on Intrusion Detection Systems a while ago which discouraged this attitude. Their argument focused on the fact that what if someone *knows* that this is the response that will be sent if your daemon detects a connection attempt. Don't forget how easily udp packets can be forged... Nick -- Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A "When in doubt, ask someone wiser than yourself..." -unknown To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 12 17:53:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA12962 for freebsd-security-outgoing; Wed, 12 Aug 1998 17:53:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from brooklyn.slack.net (brooklyn.slack.net [206.41.21.102]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA12953 for ; Wed, 12 Aug 1998 17:53:56 -0700 (PDT) (envelope-from andrewr@brooklyn.slack.net) Received: from localhost (andrewr@localhost) by brooklyn.slack.net (8.8.7/8.8.7) with SMTP id VAA01265; Wed, 12 Aug 1998 21:01:15 -0400 (EDT) Date: Wed, 12 Aug 1998 21:01:15 -0400 (EDT) From: andrewr To: ben@efn.org cc: Garrett Wollman , Marc Slemko , "Mark J. 
  Taylor", freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

On Wed, 12 Aug 1998, Ben wrote:

> For ps I made a patch that allows only root(or wheel, you pick) to use the
> flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.

Did you patch the kernel as well? Cause if you didn't, it's useless.

> Available at:
> http://www.efn.org/~ben/ps/diff.txt
> For the diff between the 2.2.7-RELEASE ps.c and mine.
> (/usr/src/bin/ps.c)
> http://www.efn.org/~ben/ps/results.txt
> Demonstration of it in action.
> http://www.efn.org/~ben/ps/ps.c
> http://www.efn.org/~ben/ps/ps.old.c
> My ps.c and the old ps.c.
> http://www.efn.org/~ben/ps/ps.root.gz
> http://www.efn.org/~ben/ps/ps.wheel.gz
> Binaries for 2.2.7 that allow only root, or wheel to use the
> -a flag correctly.
>
> > Andrew
>
> -ben@efn.org EFN News Administrator.
From owner-freebsd-security Wed Aug 12 19:27:09 1998
Date: Wed, 12 Aug 1998 19:26:23 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: andrewr
cc: ben@efn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
formats them according to /kernel, what would I need to patch?

On Wed, 12 Aug 1998, andrewr wrote:

> On Wed, 12 Aug 1998, Ben wrote:
>
> > For ps I made a patch that allows only root(or wheel, you pick) to use the
> > flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.
>
> Did you patch the kernel as well? Cause if you didn't, it's useless.
-ben@efn.org

From owner-freebsd-security Wed Aug 12 19:46:45 1998
Message-Id: <19980812224614.B8987@astro.psu.edu>
Date: Wed, 12 Aug 1998 22:46:14 -0400
From: Matthew Hunt
To: "Jan B. Koum", Marius Bendiksen
Cc: Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
References: <3.0.5.32.19980812193700.0092f220@mail.scancall.no>
In-Reply-To: ; from Jan B. Koum on Wed, Aug 12, 1998 at 02:55:59PM -0700

On Wed, Aug 12, 1998 at 02:55:59PM -0700, Jan B. Koum wrote:

> AFAIK IP spoofing is "blind" - you can't be doing spoofing IP
> during a portscan. Hence, if someone to portscan class B for udp port
> 31337, they ought to do it from the real IP. Now the fact that this IP
> might belong to someone else (cracked account, etc) is another matter.

At least one (quite effective) port scanner supports IP spoofing.
True, the user doesn't get the results. The purpose is to get
somebody else in trouble for port scanning.

--
Matthew Hunt * Inertia is a property of matter.
http://www.pobox.com/~mph/pgp.key for PGP public key 0x67203349.
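An added illustration of the point this thread keeps returning to (a scan's UDP source address proves nothing, so an automatic response hits whoever the address names); it is not code from any of the messages. It parses constructed kernel log lines in FreeBSD's log_in_vain format and contrasts the real-time auto-block that Jay Tribick's message attributes to Abacus sentry with the log-and-page-only policy Jamie Lawrence argues for later in the thread. The RFC 5737 addresses, the five-port threshold, the function names and the "must stay reachable" resolver host are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines in FreeBSD's log_in_vain format, using
# RFC 5737 documentation addresses; not captured from any real host.
SAMPLE_LOG = """\
Connection attempt to UDP 192.0.2.10:33505 from 198.51.100.7:38025
Connection attempt to UDP 192.0.2.10:33506 from 198.51.100.7:38025
Connection attempt to UDP 192.0.2.10:33507 from 198.51.100.7:38025
Connection attempt to UDP 192.0.2.10:33508 from 198.51.100.7:38025
Connection attempt to UDP 192.0.2.10:33509 from 198.51.100.7:38025
Connection attempt to UDP 192.0.2.10:31337 from 203.0.113.9:4444
Connection attempt to UDP 192.0.2.10:31337 from 192.0.2.53:53
Connection attempt to UDP 192.0.2.10:31338 from 192.0.2.53:53
Connection attempt to UDP 192.0.2.10:31339 from 192.0.2.53:53
Connection attempt to UDP 192.0.2.10:31340 from 192.0.2.53:53
Connection attempt to UDP 192.0.2.10:31341 from 192.0.2.53:53
Connection attempt to TCP 192.0.2.10:22 from 203.0.113.9:51000
"""

# Assumed: the site's own resolver. Nothing in a UDP datagram proves the
# source address, so a scan "from" this host may simply carry a forged source.
MUST_STAY_REACHABLE = ["192.0.2.53"]

LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)


def parse_attempts(log_text):
    """Return (proto, src, dport) for every log_in_vain line; ignore the rest."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group("proto"), m.group("src"), int(m.group("dport"))))
    return attempts


def detect_scans(attempts, min_ports=5):
    """Map each source that probed at least min_ports distinct ports to its sorted ports."""
    seen = defaultdict(set)
    for proto, src, dport in attempts:
        seen[src].add((proto, dport))
    return {src: sorted(p for _, p in s) for src, s in seen.items() if len(s) >= min_ports}


def naive_response(scans):
    """Real-time auto-block, trusting the source address as an identity."""
    return [("block", src) for src in sorted(scans)]


def safe_response(scans, notified=None):
    """Log every scan and page once per source; never block or strike back."""
    notified = set() if notified is None else notified
    actions = []
    for src, ports in sorted(scans.items()):
        actions.append(("log", f"{src} probed {len(ports)} ports {ports[0]}-{ports[-1]}"))
        if src not in notified:       # rate-limit the pager to one page per source
            notified.add(src)
            actions.append(("notify", src))
    return actions


def self_inflicted_dos(actions, must_reach):
    """Hosts we depend on that a response would cut us off from."""
    blocked = {target for act, target in actions if act == "block"}
    return sorted(blocked & set(must_reach))


if __name__ == "__main__":
    scans = detect_scans(parse_attempts(SAMPLE_LOG))
    print("scanners:", scans)
    print("auto-block would cut off:", self_inflicted_dos(naive_response(scans), MUST_STAY_REACHABLE))
    for action in safe_response(scans):
        print("safe policy:", action)
```

With the sample, both the genuine-looking scanner and the "resolver" cross the threshold; the blocking policy cuts the site off from its own resolver, the logging policy produces two log entries and two pages and nothing else.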
From owner-freebsd-security Wed Aug 12 19:59:13 1998
Message-Id: <199808130258.UAA06194@lariat.lariat.org>
Date: Wed, 12 Aug 1998 20:52:27 -0600
From: Brett Glass
To: ben@efn.org, andrewr
Cc: Garrett Wollman, Marc Slemko, "Mark J. Taylor", freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

Commit this, sez I. It looks good.

--Brett

At 02:42 PM 8/12/98 -0700, Ben wrote:

>For ps I made a patch that allows only root(or wheel, you pick) to use the
>flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.
>
>Available at:
>http://www.efn.org/~ben/ps/diff.txt
> For the diff between the 2.2.7-RELEASE ps.c and mine.
> (/usr/src/bin/ps.c)
>http://www.efn.org/~ben/ps/results.txt
> Demonstration of it in action.
>http://www.efn.org/~ben/ps/ps.c
>http://www.efn.org/~ben/ps/ps.old.c
> My ps.c and the old ps.c.
>http://www.efn.org/~ben/ps/ps.root.gz
>http://www.efn.org/~ben/ps/ps.wheel.gz
> Binaries for 2.2.7 that allow only root, or wheel to use the
> -a flag correctly.
>
>> Andrew
>
> -ben@efn.org EFN News Administrator.
From owner-freebsd-security Wed Aug 12 20:08:45 1998
Date: Wed, 12 Aug 1998 23:07:53 -0400 (EDT)
From: Snob Art Genre
Reply-To: ben@rosengart.com
To: "Jan B. Koum"
cc: Marius Bendiksen, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337

On Wed, 12 Aug 1998, Jan B. Koum wrote:

> AFAIK IP spoofing is "blind" - you can't be doing spoofing IP
> during a portscan.

If you can spoof from one machine and watch the network status on
another (not necessarily compromised) machine, you can spoof a portscan.

Ben

"You have your mind on computers, it seems."
From owner-freebsd-security Wed Aug 12 20:31:25 1998
Date: Wed, 12 Aug 1998 23:38:48 -0400 (EDT)
From: andrewr
To: ben@efn.org
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

On Wed, 12 Aug 1998, Ben wrote:

> Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
> formats them according to /kernel, what would I need to patch?

su to a normal user, and:

cd /proc
ls -al
cd
cat status

> On Wed, 12 Aug 1998, andrewr wrote:
>
> > On Wed, 12 Aug 1998, Ben wrote:
> >
> > > For ps I made a patch that allows only root(or wheel, you pick) to use the
> > > flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.
> >
> > Did you patch the kernel as well? Cause if you didn't, it's useless.
> > -ben@efn.org

From owner-freebsd-security Wed Aug 12 20:41:52 1998
Message-Id: <199808130341.VAA06765@lariat.lariat.org>
Date: Wed, 12 Aug 1998 21:41:06 -0600
From: Brett Glass
To: andrewr
Cc: ben@efn.org, Garrett Wollman, Marc Slemko, "Mark J. Taylor", freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
References: <199808130258.UAA06194@lariat.lariat.org>

What fix to the kernel would be required? Since ps runs setuid, isn't a
restriction in ps sufficient? (It should be able to keep you from seeing
anything it doesn't want you to see, unless the parent process can grab
its file descriptors and do nasty things with them.)

--Brett

At 11:43 PM 8/12/98 -0400, andrewr wrote:

>On Wed, 12 Aug 1998, Brett Glass wrote:
>
>> Commit this, sez I. It looks good.
>
>Not so fast. Must fix kernel first, then do a patch to ps(1), which I
>have already done (including, testing to see if a pid is owned by the user
>checking, etc etc etc). I know someone that patched their kernel to fix
>this. I'll speak to them about a patch.
>
>Andrew
>
>> --Brett

From owner-freebsd-security Wed Aug 12 22:30:15 1998
Date: Wed, 12 Aug 1998 22:29:41 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: andrewr
cc: ben@efn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

Why do you have /proc mounted if you care at all about users sniffing
around?

-ben@efn.org

On Wed, 12 Aug 1998, andrewr wrote:

> On Wed, 12 Aug 1998, Ben wrote:
>
> > Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
> > formats them according to /kernel, what would I need to patch?
>
> su to a normal user, and:
> cd /proc
> ls -al
> cd
> cat status

From owner-freebsd-security Thu Aug 13 03:14:15 1998
Message-ID: <19980813121846.33945@deepo.prosa.dk>
Date: Thu, 13 Aug 1998 12:18:46 +0200
From: Philippe Regnauld
To: Brett Glass
Cc: Marius Bendiksen, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
References: <199808121735.LAA00738@lariat.lariat.org> <3.0.5.32.19980812192128.0097a2a0@mail.scancall.no> <199808121700.LAA00346@lariat.lariat.org> <3.0.5.32.19980812112915.0092ead0@mail.scancall.no> <3.0.5.32.19980812193700.0092f220@mail.scancall.no> <199808121812.MAA01183@lariat.lariat.org>
In-Reply-To: <199808121812.MAA01183@lariat.lariat.org>; from Brett Glass on Wed, Aug 12, 1998 at 12:04:54PM -0600
X-Operating-System: FreeBSD 2.2.6-RELEASE i386
Organization: PROSA
Brett Glass writes:
> If no one was listening, it wouldn't be a problem.
>
> Only an attacker who INTENDED to invade your systems would be subject to
> crashes due to the response. And would deserve it.

... provided he hadn't spoofed his source address...

i.e.: you might be retaliating against some poor guy who didn't ask
for it. (I could for example spoof a source address of 206.100.185.2).

The rare occasions where I've taken down the host at the other
end, was in cases of _unmistakable_ spammers, as they were sending
their junk, from dialup Whinedoze machines. (And then again it
takes time to figure out who's the real culprit).

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Thu Aug 13 03:18:19 1998
Message-Id: <199808131017.EAA09424@lariat.lariat.org>
Date: Thu, 13 Aug 1998 04:17:42 -0600
From: Brett Glass
To: Philippe Regnauld
Cc: Marius Bendiksen, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <19980813121846.33945@deepo.prosa.dk>
References: <199808121812.MAA01183@lariat.lariat.org> <199808121735.LAA00738@lariat.lariat.org>
  <3.0.5.32.19980812192128.0097a2a0@mail.scancall.no> <199808121700.LAA00346@lariat.lariat.org> <3.0.5.32.19980812112915.0092ead0@mail.scancall.no> <3.0.5.32.19980812193700.0092f220@mail.scancall.no> <199808121812.MAA01183@lariat.lariat.org>

At 12:18 PM 8/13/98 +0200, Philippe Regnauld wrote:

>Brett Glass writes:
>> If no one was listening, it wouldn't be a problem.
>>
>> Only an attacker who INTENDED to invade your systems would be subject to
>> crashes due to the response. And would deserve it.
>
> ... provided he hadn't spoofed his source address...
>
> i.e.: you might be retaliating against some poor guy who didn't ask
> for it. (I could for example spoof a source address of 206.100.185.2).

You're clearly not listening. Again, the counterattack would do nothing
unless it arrived at the system which was actually being used to conduct
the attack.

--Brett Glass

From owner-freebsd-security Thu Aug 13 09:44:26 1998
Date: Thu, 13 Aug 1998 09:42:52 -0700 (PDT)
From: "Jan B.
  Koum"
To: Matthew Hunt
cc: Marius Bendiksen, Brett Glass, freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <19980812224614.B8987@astro.psu.edu>

Uhm.. duh. Of course you can spoof port scan, but the point of the port
scan is to know what ports are open. There are many other ways to get
someone in trouble. Now this thread is officially dead. :)

-- Yan

www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Wed, 12 Aug 1998, Matthew Hunt wrote:

>On Wed, Aug 12, 1998 at 02:55:59PM -0700, Jan B. Koum wrote:
>
>> AFAIK IP spoofing is "blind" - you can't be doing spoofing IP
>> during a portscan. Hence, if someone to portscan class B for udp port
>> 31337, they ought to do it from the real IP. Now the fact that this IP
>> might belong to someone else (cracked account, etc) is another matter.
>
>At least one (quite effective) port scanner supports IP spoofing.
>True, the user doesn't get the results. The purpose is to get
>somebody else in trouble for port scanning.
>
>--
>Matthew Hunt * Inertia is a property of matter.
>http://www.pobox.com/~mph/pgp.key for PGP public key 0x67203349.
From owner-freebsd-security Thu Aug 13 10:41:55 1998
Date: Thu, 13 Aug 1998 10:52:15 -0800
From: Nicole Harrington
Subject: Re: Possible security "risk" in ftp client
To: andrewr, ben@efn.org
Cc: ben@efn.org, freebsd-security@FreeBSD.ORG

> Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
> formats them according to /kernel, what would I need to patch?
>

It's rather amazing the amount of info you can get by doing strings /dev/mem

Nicole

> On Wed, 12 Aug 1998, andrewr wrote:
>
> > On Wed, 12 Aug 1998, Ben wrote:
> >
> > > For ps I made a patch that allows only root(or wheel, you pick) to use the
> > > flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.
> >
> > Did you patch the kernel as well? Cause if you didn't, it's useless.
> > -ben@efn.org
>
> ---------------End of Original Message-----------------

 |\ __ /| (`\
 | o_o |__ ) )
 // \\
Nicole Harrington | SR Systems Administrator
-------------------(((---(((-----------------------
nicole@mediacity.com - nicole@ispchannel.com
www.mediacity.com - www.ispchannel.com
Phone: 650-237-1464 - Pager: 415-301-2482
Powered By Coca-Cola and FreeBSD
Why do doctors call what they do practice?
Microsoft: What bug would you like today?
----------------------------------------------------

From owner-freebsd-security Thu Aug 13 14:06:16 1998
Message-Id: <3.0.5.32.19980813140328.00a9f700@204.74.82.151>
Date: Thu, 13 Aug 1998 14:03:28 -0700
From: Jamie Lawrence
To: Nicholas Charles Brawn, Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
References: <199808121700.LAA00346@lariat.lariat.org>

At 10:51 AM 8/13/98 +1000, Nicholas Charles Brawn wrote:
>On Wed, 12 Aug 1998, Brett Glass wrote:

[Attack software musings deleted]
>The company formerly known as SNI (now integrated into NAI) wrote a
>paper on Intrusion Detection Systems a while ago which discouraged this
>attitude. Their argument focused on the fact that what if someone
>*knows* that this is the response that will be sent if your daemon
>detects a connection attempt. Don't forget how easily udp packets can be
>forged...

Automated attack software is a very bad idea. Not only can it be used
against bystanders, it can also be tripped accidentally by someone
completely innocent.

Traps which are intended to defend property in the physical world are
illegal in most countries for a very good reason: they have no way of
knowing intent, and strike blindly. The same goes for software.
Arguments along the lines of "they wouldn't be attaching to port 31337
for any other reason", etc. are silly, if you think about it.

Security software, IMO, should only ever log, notify, and (in some
situations) disable services. If an admin thinks a counter-attack is
appropriate, they should do it manually (after thinking it over very,
very carefully).
-j

From owner-freebsd-security Thu Aug 13 15:24:10 1998
Date: Thu, 13 Aug 1998 15:22:39 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Nicole Harrington
cc: andrewr, ben@efn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client

15:29.root@ben.v0(0)[/usr/src/usr.bin/fstat]759# ls -l /dev/mem
 1129 0 crw-r-----  1 root  kmem    2,   0 Mar 24 17:56:50 1998 /dev/mem

It's also amazing when people forget when they are logged in as root.

-ben@efn.org

On Thu, 13 Aug 1998, Nicole Harrington wrote:

> > Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
> > formats them according to /kernel, what would I need to patch?
> >
>
> It's rather amazing the amount of info you can get by doing strings /dev/mem
>
> Nicole
>
> > On Wed, 12 Aug 1998, andrewr wrote:
> >
> > > On Wed, 12 Aug 1998, Ben wrote:
> > >
> > > > For ps I made a patch that allows only root(or wheel, you pick) to use the
> > > > flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.
> > >
> > > Did you patch the kernel as well? Cause if you didn't, it's useless.
> > > -ben@efn.org
>
> ---------------End of Original Message-----------------

From owner-freebsd-security Thu Aug 13 15:41:35 1998
Message-Id: <199808132240.QAA18545@obie.softweyr.com>
Date: Thu, 13 Aug 1998 16:40:52 -0600 (MDT)
From: Wes Peters
To: regnauld@deepo.prosa.dk (Philippe Regnauld)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: UDP port 31337
In-Reply-To: <19980813121846.33945@deepo.prosa.dk> from Philippe Regnauld at "Aug 13, 98 12:18:46 pm"

> Brett Glass writes:
> > If no one was listening, it wouldn't be a problem.
> >
> > Only an attacker who INTENDED to invade your systems would be subject to
> > crashes due to the response. And would deserve it.
>
> ... provided he hadn't spoofed his source address...
>
> i.e.: you might be retaliating against some poor guy who didn't ask
> for it. (I could for example spoof a source address of 206.100.185.2).
>
> The rare occasions where I've taken down the host at the other
> end, was in cases of _unmistakable_ spammers, as they were sending
> their junk, from dialup Whinedoze machines. (And then again it
> takes time to figure out who's the real culprit).

You (again) missed the obvious point: Brett's proposal was to find and
exploit a security hole in BackOrifice itself. If the user is spoofing
address b.b.b.b, your counter-attack would not take down b.b.b.b unless
b.b.b.b happened to be running BackOrifice, in which case he deserves to
get taken down anyhow.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
http://www.softweyr.com/~softweyr wes@softweyr.com

From owner-freebsd-security Thu Aug 13 18:05:39 1998
Message-ID: <19980813210523.B14234@yt.to>
Date: Thu, 13 Aug 1998 21:05:23 -0400
From: Louis Theran
To: freebsd-security@FreeBSD.ORG
Subject: Re: Possible security "risk" in ftp client
Mail-Followup-To: freebsd-security@FreeBSD.ORG
In-Reply-To: ; from Ben on Wed, Aug 12, 1998 at 07:26:23PM -0700

On Wed, Aug 12, 1998 at 07:26:23PM -0700, Ben wrote:

> Maybe I'm mistaken, but ps(1) gets the info from /dev/kmem and /dev/mem and
> formats them according to /kernel, what would I need to patch?

The code for procfs, I believe.

Anyway, the whole attitude of "fix ps and procfs and anything else that
might expose argv or environ" is silly. There are plenty of ways for
applications to get sensitive information such as passwords other than
the command line or environment. There is no need to break ps or procfs.
Fix the broken applications instead.

> > On Wed, 12 Aug 1998, Ben wrote:
> >
> > > For ps I made a patch that allows only root(or wheel, you pick) to use the
> > > flag '-a', otherwise the user attempting to use '-a' only gets his/her proc's.

--
Louis Theran
"Te occidere possunt, sed te edere non possunt nefas quo est."
PGP welcome; key at: k-pgpkey@yt.to To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 13 18:12:08 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA22943 for freebsd-security-outgoing; Thu, 13 Aug 1998 18:12:08 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA22860 for ; Thu, 13 Aug 1998 18:12:01 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id VAA02156; Thu, 13 Aug 1998 21:11:31 -0400 (EDT) (envelope-from wollman) Date: Thu, 13 Aug 1998 21:11:31 -0400 (EDT) From: Garrett Wollman Message-Id: <199808140111.VAA02156@khavrinen.lcs.mit.edu> To: security@FreeBSD.ORG Subject: Sendmail greeting Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It's widely understood that giving detailed version information away to attackers is a Bad Idea. Why does the default sendmail.cf leave the default sendmail greeting? I just updated my desktop machine after nine months of stasis, and one of the first things I did when migrating my .mc file over was to add the following: define(`confSMTP_LOGIN_MSG', `$j server ready at $b')dnl This gives a greeting like: 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) ...which doesn't leak any version information at all. (BTW, having sendmail/cf in contrib sucks rocks. Now my domain file is totally separate from my mc files.) -GAWollman -- Garrett A. 
Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 00:15:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA08020 for freebsd-security-outgoing; Fri, 14 Aug 1998 00:15:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA08011 for ; Fri, 14 Aug 1998 00:15:34 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id DAA00452; Fri, 14 Aug 1998 03:15:02 -0400 (EDT) (envelope-from gjp@gjp.erols.com) X-Mailer: exmh version 2.0.1 12/23/97 To: Garrett Wollman cc: security@FreeBSD.ORG From: "Gary Palmer" Subject: Re: Sendmail greeting In-reply-to: Your message of "Thu, 13 Aug 1998 21:11:31 EDT." <199808140111.VAA02156@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 14 Aug 1998 03:15:02 -0400 Message-ID: <448.903078902@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Garrett Wollman wrote in message ID <199808140111.VAA02156@khavrinen.lcs.mit.edu>: > It's widely understood that giving detailed version information away > to attackers is a Bad Idea. Why does the default sendmail.cf leave > the default sendmail greeting? Type `help' and see :) And yes, the machines I run locally have that turned off also... Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. 
See http://www.FreeBSD.ORG/ for info To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 02:09:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA23262 for freebsd-security-outgoing; Fri, 14 Aug 1998 02:09:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA23257 for ; Fri, 14 Aug 1998 02:09:13 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from sunrise.gv.tsc.tdk.com (root@sunrise.gv.tsc.tdk.com [192.168.241.191]) by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id CAA07220; Fri, 14 Aug 1998 02:08:41 -0700 (PDT) (envelope-from gdonl@tsc.tdk.com) Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194]) by sunrise.gv.tsc.tdk.com (8.8.5/8.8.5) with ESMTP id CAA16906; Fri, 14 Aug 1998 02:08:40 -0700 (PDT) Received: (from gdonl@localhost) by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id CAA23257; Fri, 14 Aug 1998 02:08:39 -0700 (PDT) From: Don Lewis Message-Id: <199808140908.CAA23257@salsa.gv.tsc.tdk.com> Date: Fri, 14 Aug 1998 02:08:39 -0700 In-Reply-To: Garrett Wollman "Sendmail greeting" (Aug 13, 9:11pm) X-Mailer: Mail User's Shell (7.2.6 alpha(3) 7/19/95) To: Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Aug 13, 9:11pm, Garrett Wollman wrote: } Subject: Sendmail greeting } This gives a greeting like: } } 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) } } ...which doesn't leak any version information at all. I like mine better: 220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) I'd like to make it a little more verbose, but if it's any longer it confuses Microsoft Exchange. 
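An added check for the kind of greeting Garrett and Don are comparing (example code, not from any poster in this thread): it parses a 220 greeting, including the multi-line 220- form the RFC allows, validates the reply shape, and flags banners that name the MTA and its version. The banners it runs over are the ones quoted in this thread; the product/version regex and the use of RFC 5321's 512-octet reply-line limit are this example's own assumptions.

```python
"""Audit an SMTP greeting banner for version disclosure.

Added example for the greeting discussion above; it is not code from any
poster.  It parses a 220 greeting (single- or multi-line, per the RFC 5321
reply syntax), checks the reply shape, and flags text that names the MTA
and its version.  The sample banners are the ones quoted in this thread.
"""
import re

# RFC 5321 4.2: a reply line is a 3-digit code, then "-" if more lines
# follow or " " (or nothing) on the final line, then optional text.
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

# Heuristic for "<product> <version>" as sendmail and friends print it,
# e.g. "Sendmail 8.8.8/8.8.5" or "VaporServer v3.3".  A date such as
# "14 Aug 1998 02:05:54" contains no dotted number, so it is not matched.
_VERSION = re.compile(r"\b([A-Za-z][\w-]*)\s+(v?\d+\.\d+(?:\.\d+)?(?:/[\w.-]+)*)")

# RFC 5321 4.5.3.1.5: a reply line including CRLF is at most 512 octets.
MAX_REPLY_LINE_OCTETS = 512


def parse_greeting(raw: str):
    """Return (code, [text of each line]) for a well-formed reply.

    Raises ValueError if a line is not a reply line, the code changes
    between lines, or a "-"/" " marker is out of place.
    """
    lines = raw.splitlines()
    if not lines:
        raise ValueError("empty greeting")
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed reply line: {line!r}")
        this_code = m.group(1)
        sep = m.group(2) or " "      # a bare "220" counts as a final line
        text = m.group(3) or ""
        if code is None:
            code = this_code
        elif this_code != code:
            raise ValueError(f"reply code changed from {code} to {this_code}")
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError(f"continuation marker out of place on line {i + 1}")
        texts.append(text)
    return code, texts


def audit_greeting(raw: str) -> dict:
    """Summarise one greeting: reply code, line count and a list of findings."""
    try:
        code, texts = parse_greeting(raw)
    except ValueError as exc:
        return {"code": None, "lines": 0, "findings": [f"malformed: {exc}"]}
    findings = []
    if code != "220":
        findings.append(f"unexpected greeting code {code}")
    for m in _VERSION.finditer("\n".join(texts)):
        findings.append(f"version disclosed: {m.group(1)} {m.group(2)}")
    for line in raw.splitlines():
        if len(line.encode("utf-8")) + 2 > MAX_REPLY_LINE_OCTETS:
            findings.append(f"reply line longer than {MAX_REPLY_LINE_OCTETS} octets")
            break
    return {"code": code, "lines": len(texts), "findings": findings}


# Banners quoted in this thread (Wollman, Lewis, Kamp) plus one constructed
# badly formed reply, for the demonstration run below.
SAMPLE_GREETINGS = {
    "khavrinen": "220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT)",
    "gatekeeper": "220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT)",
    "cybercity": (
        "220-cicero1.cybercity.dk ESMTP Sendmail 8.8.7/8.8.7; Fri, 14 Aug 1998 11:35:41 +0200 (CEST)\n"
        "220-\n"
        "220-Unsolicited mass emails will not be relayed. A handling fee of\n"
        "220-USD3.00/DKR20.00 will be charged per intended recipient of such emails.\n"
        "220"
    ),
    "constructed-bad": "220-first line\n220 second line\n220 third line",
}

if __name__ == "__main__":
    for name, banner in SAMPLE_GREETINGS.items():
        print(f"{name}: {audit_greeting(banner)}")
```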
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 02:36:41 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA26866 for freebsd-security-outgoing; Fri, 14 Aug 1998 02:36:41 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from critter.freebsd.dk (obelix.trw.nl [195.193.64.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA26843 for ; Fri, 14 Aug 1998 02:36:36 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.8.7/8.8.5) with ESMTP id LAA00348; Fri, 14 Aug 1998 11:32:50 +0200 (CEST) To: Don Lewis cc: Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting In-reply-to: Your message of "Fri, 14 Aug 1998 02:08:39 PDT." <199808140908.CAA23257@salsa.gv.tsc.tdk.com> Date: Fri, 14 Aug 1998 11:32:50 +0200 Message-ID: <346.903087170@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199808140908.CAA23257@salsa.gv.tsc.tdk.com>, Don Lewis writes: >On Aug 13, 9:11pm, Garrett Wollman wrote: >} Subject: Sendmail greeting > >} This gives a greeting like: >} >} 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) >} >} ...which doesn't leak any version information at all. > >I like mine better: > >220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) > >I'd like to make it a little more verbose, but if it's any longer it confuses >Microsoft Exchange. I like mine even better: critter phk> telnet mailgate.cybercity.dk 25 Trying 195.8.135.242... Connected to mailgate.cybercity.dk. Escape character is '^]'. 220-cicero1.cybercity.dk ESMTP Sendmail 8.8.7/8.8.7; Fri, 14 Aug 1998 11:35:41 +0200 (CEST) 220- 220-Unsolicited mass emails will not be relayed. 
A handling fee of 220-USD3.00/DKR20.00 will be charged per intended recipient of such emails. 220-contact for more info. 220 -- Poul-Henning Kamp FreeBSD coreteam member phk@FreeBSD.ORG "Real hackers run -current on their laptop." "ttyv0" -- What UNIX calls a $20K state-of-the-art, 3D, hi-res color terminal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 03:28:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA01639 for freebsd-security-outgoing; Fri, 14 Aug 1998 03:28:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA01634 for ; Fri, 14 Aug 1998 03:28:08 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id MAA19196; Fri, 14 Aug 1998 12:27:36 +0200 (MET DST) Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Fri, 14 Aug 1998 12:27:35 +0200 (MET DST) Mime-Version: 1.0 To: Don Lewis Cc: Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting References: <199808140908.CAA23257@salsa.gv.tsc.tdk.com> Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. 
X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 14 Aug 1998 12:27:35 +0200 In-Reply-To: Don Lewis's message of "Fri, 14 Aug 1998 02:08:39 -0700" Message-ID: Lines: 28 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id DAA01635 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Don Lewis writes: > 220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) I stumbled upon the following once while trying to VRFY a friend's user name: (helsinki.fi is the University of Helsinki, Finland) dag-erli@hrotti ~$ telnet kantti.helsinki.fi smtp Trying 128.214.205.12... Connected to kantti.helsinki.fi. Escape character is '^]'. 220 kantti.Helsinki.FI ESMTP Sendmail 8.8.8/8.8.5-SPAMmers-sod-off; Fri, 14 Aug 1998 13:23:41 +0300 (EET DST) helo hrotti.ifi.uio.no 250 kantti.Helsinki.FI Hello 2602@hrotti.ifi.uio.no [129.240.64.15], pleased to meet you, unless you are a SPAMmer quit 221 kantti.Helsinki.FI closing connection Connection closed by foreign host. He used to be slightly less polite, but apparently the suits must have found out. > I'd like to make it a little more verbose, but if it's any longer it confuses > Microsoft Exchange. I'd consider that a feature. 
DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 03:34:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA02280 for freebsd-security-outgoing; Fri, 14 Aug 1998 03:34:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.ftf.dk (mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA02267 for ; Fri, 14 Aug 1998 03:34:22 -0700 (PDT) (envelope-from regnauld@deepo.prosa.dk) Received: from mail.prosa.dk ([192.168.100.254]) by mail.ftf.dk (8.8.8/8.8.8/gw-ftf-1.0) with ESMTP id MAA17244 for ; Fri, 14 Aug 1998 12:39:06 +0200 (CEST) (envelope-from regnauld@deepo.prosa.dk) Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.8/8.8.5/prosa-1.1) with ESMTP id MAA20454 for ; Fri, 14 Aug 1998 12:41:25 +0200 (CEST) Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.8/8.8.5/prosa-1.1) id MAA06165; Fri, 14 Aug 1998 12:32:40 +0200 (CEST) Message-ID: <19980814123240.63855@deepo.prosa.dk> Date: Fri, 14 Aug 1998 12:32:40 +0200 From: Philippe Regnauld To: freebsd-security@FreeBSD.ORG Subject: Fwd: "Using capabilties aaginst shell code" Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88e X-Operating-System: FreeBSD 2.2.6-RELEASE i386 Phone: +45 3336 4148 Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark Organization: PROSA Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org (see message below) Is this any form of restriction that can be implemented in *BSD systems ? I.e.: restricting system calls to certain classes of daemons ? As mentioned in the example below, why should POPd be allowed to exec() ? This seems like a very sane approach (of course, it implies knowledge/auditing of the code). 
Then we could have certain untrusted (i.e.: running as root) daemons launched in such an environment, on top of being chroot()ed. -----Forwarded message from Duncan Simpson ----- From: Duncan Simpson Subject: Using capabilties aaginst shell code To: BUGTRAQ@NETSPACE.ORG Date: Wed, 12 Aug 1998 21:33:51 +0200 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The development of capabilities with Linux (and some section of POSIX, if the header is to be believed) creates an opportunity for tightening security by sandboxing daemons---imapd and popd have no legitimate use for various system calls, for example. In particular exec is fundamental to most buffer overrun shellcode and not required by many daemons. [...] -----End of forwarded message----- -- -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- The Internet is busy. Please try again later. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 06:16:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA22782 for freebsd-security-outgoing; Fri, 14 Aug 1998 06:16:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA22775 for ; Fri, 14 Aug 1998 06:16:34 -0700 (PDT) (envelope-from john@acetylene.vapornet.net) Received: from nitromethane.vapornet.net (vapornet.xnet.com. 
[205.243.141.107]) by acetylene.vapornet.net (8.9.1/VaporServer v3.3) with ESMTP id IAA10439; Fri, 14 Aug 1998 08:16:09 -0500 (CDT) (envelope-from john) Received: (from john@localhost) by nitromethane.vapornet.net (8.8.8/VaporClient-1.1) id IAA08396; Fri, 14 Aug 1998 08:16:13 -0500 (CDT) (envelope-from john) Date: Fri, 14 Aug 1998 08:16:13 -0500 (CDT) Message-Id: <199808141316.IAA08396@nitromethane.vapornet.net> From: John Preisler MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To: Don Lewis Cc: security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: <199808140908.CAA23257@salsa.gv.tsc.tdk.com> References: <199808140908.CAA23257@salsa.gv.tsc.tdk.com> X-Mailer: VM 6.34 under 20.3 "Vatican City" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org multi-line responses are rfc-compliant. 220-acetylene.vapornet.net ESMTP VaporServer v3.3 on Fri, 14 Aug 1998 08:15:08 -0500 (CDT) - Same thing we do every night, Pinky... 220- Unsolicited bulk email will not be tolerated at this site. 220- Any attempt to use VaporNet Inc.'s network or servers to accept, 220- relay, transmit, or otherwise distribute bulk email will be 220- prosecuted to the fullest extent under the law. 220 Find someplace else to dump your garbage. -j Don Lewis writes: > On Aug 13, 9:11pm, Garrett Wollman wrote: > } Subject: Sendmail greeting > > } This gives a greeting like: > } > } 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) > } > } ...which doesn't leak any version information at all. > > I like mine better: > > 220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) > > I'd like to make it a little more verbose, but if it's any longer it confuses > Microsoft Exchange. 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 06:45:00 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA27969 for freebsd-security-outgoing; Fri, 14 Aug 1998 06:45:00 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns0.fast.net.uk (ns0.fast.net.uk [194.207.104.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA27956 for ; Fri, 14 Aug 1998 06:44:51 -0700 (PDT) (envelope-from netadmin@fastnet.co.uk) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by ns0.fast.net.uk (8.9.0/8.8.7) with ESMTP id OAA12393; Fri, 14 Aug 1998 14:44:18 +0100 (BST) Received: from na.nu.na.nu (bofh.fast.net.uk [194.207.104.22]) by na.nu.na.nu (8.8.8/8.8.8) with SMTP id OAA00927; Fri, 14 Aug 1998 14:44:38 +0100 (BST) (envelope-from netadmin@fastnet.co.uk) Date: Fri, 14 Aug 1998 14:44:38 +0100 (BST) From: Jay Tribick X-Sender: netadmin@na.nu.na.nu To: John Preisler cc: Don Lewis , security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: <199808141316.IAA08396@nitromethane.vapornet.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org | > } Subject: Sendmail greeting | > | > } This gives a greeting like: | > } | > } 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) | > } | > } ...which doesn't leak any version information at all. | > | > I like mine better: | > | > 220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) | > | > I'd like to make it a little more verbose, but if it's any longer it confuses | > Microsoft Exchange. 
| > | > To Unsubscribe: send mail to majordomo@FreeBSD.org | > with "unsubscribe security" in the body of the message | > | multi-line responses are rfc-compliant. | | 220-acetylene.vapornet.net ESMTP VaporServer v3.3 on Fri, 14 Aug 1998 08:15:08 -0500 (CDT) - Same thing we do every night, Pinky... | 220- Unsolicited bulk email will not be tolerated at this site. | 220- Any attempt to use VaporNet Inc.'s network or servers to accept, | 220- relay, transmit, or otherwise distribute bulk email will be | 220- prosecuted to the fullest extent under the law. | 220 Find someplace else to dump your garbage. Yes, but in typical Microsoft coding style - Exchange isn't :) Regards, Jay Tribick -- [| Network Administrator | FastNet International | http://fast.net.uk/ |] [| Finger netadmin@fastnet.co.uk for contact information |] [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 08:21:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA10247 for freebsd-security-outgoing; Fri, 14 Aug 1998 08:21:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gjp.erols.com (alex-va-n008c079.moon.jic.com [206.156.18.89]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA10237 for ; Fri, 14 Aug 1998 08:20:56 -0700 (PDT) (envelope-from gjp@gjp.erols.com) Received: from gjp.erols.com (gjp@localhost.erols.com [127.0.0.1]) by gjp.erols.com (8.8.8/8.8.7) with ESMTP id LAA02690; Fri, 14 Aug 1998 11:19:41 -0400 (EDT) (envelope-from gjp@gjp.erols.com) X-Mailer: exmh version 2.0.1 12/23/97 To: Jay Tribick cc: John Preisler , Don Lewis , security@FreeBSD.ORG From: "Gary Palmer" Subject: Re: Sendmail greeting In-reply-to: Your message of "Fri, 14 Aug 1998 14:44:38 BST." 
Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 14 Aug 1998 11:19:41 -0400 Message-ID: <2686.903107981@gjp.erols.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Jay Tribick wrote in message ID : > Yes, but in typical Microsoft coding style - Exchange isn't :) Guess AOL doesn't care then: gjp@gjp:~> telnet a.mx.aol.com 25 Trying 198.81.19.83... Connected to a.mx.aol.com. Escape character is '^]'. 220-relay29.mx.aol.com ESMTP Sendmail 8.8.8/8.8.5/AOL-4.0.0; Fri, 14 Aug 1998 11:19:21 -0400 (EDT) 220-America Online (AOL) does not authorize the use of its proprietary 220-computers and computer network to accept, transmit or distribute 220 unsolicited bulk e-mail sent from the Internet. Gary -- Gary Palmer FreeBSD Core Team Member FreeBSD: Turning PC's into workstations. See http://www.FreeBSD.ORG/ for info To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 09:46:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA24136 for freebsd-security-outgoing; Fri, 14 Aug 1998 09:46:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.netcorps.com (ns1.netcorps.com [207.1.125.101]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA24116 for ; Fri, 14 Aug 1998 09:46:24 -0700 (PDT) (envelope-from satya@longshadows.com) Received: from localhost (satya@localhost) by ns1.netcorps.com (8.9.0/8.9.0) with SMTP id JAA22517; Fri, 14 Aug 1998 09:40:32 -0700 (PDT) X-Authentication-Warning: ns1.netcorps.com: satya owned process doing -bs Date: Fri, 14 Aug 1998 09:40:32 -0700 (PDT) From: Satya Palani X-Sender: satya@ns1.netcorps.com Reply-To: Satya Palani To: Garrett Wollman cc: security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: <199808140111.VAA02156@khavrinen.lcs.mit.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 13 Aug 1998, Garrett Wollman wrote: > I just updated my desktop machine after nine months of stasis, and one > of the first things I did when migrating my .mc file over was to add > the following: > > define(`confSMTP_LOGIN_MSG', `$j server ready at $b')dnl > > This gives a greeting like: > > 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) > > ...which doesn't leak any version information at all. Of course, the version number is still being broadcast through the headers. Take this message, for example: Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id VAA02156; Thu, 13 Aug 1998 21:11:31 -0400 (EDT) (envelope-from wollman) Whether you consider this a leak or not is up to you... -Satya To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 10:00:34 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA26948 for freebsd-security-outgoing; Fri, 14 Aug 1998 10:00:34 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from smtp1.mailsrvcs.net (smtp1.gte.net [207.115.153.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26942 for ; Fri, 14 Aug 1998 10:00:33 -0700 (PDT) (envelope-from orthoefe@gte.net) Received: from localhost (cracktown.com [208.226.218.140]) by smtp1.mailsrvcs.net with SMTP id LAA16029; Fri, 14 Aug 1998 11:59:30 -0500 (CDT) Date: Fri, 14 Aug 1998 00:04:29 -0400 (EDT) From: Joe Orthoefer X-Sender: orthoefe@localhost To: Philippe Regnauld cc: freebsd-security@FreeBSD.ORG Subject: Re: Fwd: "Using capabilties aaginst shell code" In-Reply-To: <19980814123240.63855@deepo.prosa.dk> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Secure Computing's Sidewinder 
firewall (built on top of BSDI 2.2) has something similar, they added an additional credential field (as near as I can tell) to processes in order to create role accounts in addition to the normal unix'y thing of user id's and group id's. You login as a user, under a certain role (web, mail, ftp,...), or you start up daemon's at boot (before going multiuser) running under certain roles. The entries to the system calls check to see if the role a process is running as has access to any particular system call. The set of ACL's is compiled into the kernel, with no way to easily change those ACL's once the machine is booted, to do major administration you boot into a different kernel with a lax set of ACL's and no network support. There use to be some white papers at TIS' old site that described similar modifications that they came up with in association with their "Trusted Mach" research. Joe Orthoefer To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 10:03:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA27658 for freebsd-security-outgoing; Fri, 14 Aug 1998 10:03:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA27645 for ; Fri, 14 Aug 1998 10:03:52 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id NAA05937; Fri, 14 Aug 1998 13:03:18 -0400 (EDT) (envelope-from wollman) Date: Fri, 14 Aug 1998 13:03:18 -0400 (EDT) From: Garrett Wollman Message-Id: <199808141703.NAA05937@khavrinen.lcs.mit.edu> To: Satya Palani Cc: security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: References: <199808140111.VAA02156@khavrinen.lcs.mit.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: 
FreeBSD.org < said: >> 220 khavrinen.lcs.mit.edu ESMTP server ready at Thu, 13 Aug 1998 21:10:03 -0400 (EDT) >> >> ...which doesn't leak any version information at all. > Of course, the version number is still being broadcast through the > headers. Take this message, for example: That doesn't bother me -- the attacker would have to find mail messages from me, which were archived without the usual header stripping. `mscan' doesn't know how to do this -- it might learn how to exploit future sendmail flaws. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 11:24:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA12988 for freebsd-security-outgoing; Fri, 14 Aug 1998 11:24:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fluxnet.windsor.igs.net (fluxnet.windsor.igs.net [207.210.20.254]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA12920 for ; Fri, 14 Aug 1998 11:24:27 -0700 (PDT) (envelope-from freebsd@fluxnet.windsor.igs.net) From: freebsd@fluxnet.windsor.igs.net Received: from localhost (freebsd@localhost) by fluxnet.windsor.igs.net (8.9.0/8.8.7) with SMTP id OAA21151; Fri, 14 Aug 1998 14:20:51 -0400 Date: Fri, 14 Aug 1998 14:20:50 -0400 (EDT) X-Sender: freebsd@FluXNeT.on.ca To: Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= cc: Don Lewis , Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id LAA12980 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mine is still the best! localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 fluxnet.windsor.igs.net ESMTP Sendmail 8.9.0/8.8.7; By sending mail to a user of this machine you agree that unsocialized email will 1) be returned to you at a ratio of 10 and 2) your ISP will be contacted QUIT 221 fluxnet.windsor.igs.net closing connection > Don Lewis writes: > > 220 gatekeeper.tsc.tdk.com ESMTP (NO UNSOLICITED BULK EMAIL!); Fri, 14 Aug 1998 02:05:54 -0700 (PDT) > > I stumbled upon the following once while trying to VRFY a friend's > user name: (helsinki.fi is the University of Helsinki, Finland) > > dag-erli@hrotti ~$ telnet kantti.helsinki.fi smtp > Trying 128.214.205.12... > Connected to kantti.helsinki.fi. > Escape character is '^]'. > 220 kantti.Helsinki.FI ESMTP Sendmail 8.8.8/8.8.5-SPAMmers-sod-off; Fri, 14 Aug 1998 13:23:41 +0300 (EET DST) > helo hrotti.ifi.uio.no > 250 kantti.Helsinki.FI Hello 2602@hrotti.ifi.uio.no [129.240.64.15], pleased to meet you, unless you are a SPAMmer > quit > 221 kantti.Helsinki.FI closing connection > Connection closed by foreign host. > > He used to be slightly less polite, but apparently the suits must have > found out. > > > I'd like to make it a little more verbose, but if it's any longer it confuses > > Microsoft Exchange. > > I'd consider that a feature. 
> > DES > -- > Dag-Erling Smørgrav - dag-erli@ifi.uio.no > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 12:12:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA23037 for freebsd-security-outgoing; Fri, 14 Aug 1998 12:12:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA23013 for ; Fri, 14 Aug 1998 12:12:16 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id VAA09439; Fri, 14 Aug 1998 21:11:41 +0200 (MET DST) Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Fri, 14 Aug 1998 21:11:41 +0200 (MET DST) Mime-Version: 1.0 To: freebsd@fluxnet.windsor.igs.net Cc: "Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= =?iso-8859-1?Q?=2C?= Don Lewis" , Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting References: Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. 
X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 14 Aug 1998 21:11:40 +0200 In-Reply-To: freebsd@fluxnet.windsor.igs.net's message of "Fri, 14 Aug 1998 14:20:50 -0400 (EDT)" Message-ID: Lines: 10 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id MAA23027 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org freebsd@fluxnet.windsor.igs.net writes: > 220 fluxnet.windsor.igs.net ESMTP Sendmail 8.9.0/8.8.7; By sending mail to > a user of this machine you agree that unsocialized email will 1) be > returned to you at a ratio of 10 and 2) your ISP will be contacted ITYM "unsolicited". HTH. HAND. DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 14 12:13:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA23205 for freebsd-security-outgoing; Fri, 14 Aug 1998 12:13:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fluxnet.windsor.igs.net (fluxnet.windsor.igs.net [207.210.20.254]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA23193 for ; Fri, 14 Aug 1998 12:13:50 -0700 (PDT) (envelope-from freebsd@fluxnet.windsor.igs.net) From: freebsd@fluxnet.windsor.igs.net Received: from localhost (freebsd@localhost) by fluxnet.windsor.igs.net (8.9.0/8.8.7) with SMTP id PAA21342; Fri, 14 Aug 1998 15:12:12 -0400 Date: Fri, 14 Aug 1998 15:12:12 -0400 (EDT) X-Sender: freebsd@FluXNeT.on.ca To: Dag-Erling Coidan =?iso-8859-1?Q?Sm=F8rgrav?= cc: Garrett Wollman , security@FreeBSD.ORG Subject: Re: Sendmail greeting In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: 
ARGH! Typo...

> freebsd@fluxnet.windsor.igs.net writes:
> > 220 fluxnet.windsor.igs.net ESMTP Sendmail 8.9.0/8.8.7; By sending mail to
> > a user of this machine you agree that unsocialized email will 1) be
> > returned to you at a ratio of 10 and 2) your ISP will be contacted
>
> ITYM "unsolicited". HTH. HAND.
>
> DES
> --
> Dag-Erling Smørgrav - dag-erli@ifi.uio.no

From owner-freebsd-security Fri Aug 14 12:30:53 1998
From: Javier Henderson
Date: Fri, 14 Aug 1998 12:29:56 -0700 (PDT)
To: freebsd@fluxnet.windsor.igs.net
Cc: Dag-Erling Coidan Smørgrav, Don Lewis, Garrett Wollman, security@FreeBSD.ORG
Subject: Re: Sendmail greeting

Mine is still the best!

>localhost 25
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>220 fluxnet.windsor.igs.net ESMTP Sendmail 8.9.0/8.8.7; By sending mail to
>a user of this machine you agree that unsocialized email will 1) be
>returned to you at a ratio of 10 and 2) your ISP will be contacted
>QUIT
>221 fluxnet.windsor.igs.net closing connection

Some of us don't even run sendmail (or qmail, etc.):

bash-2.00$ telnet me 25
Trying 127.0.0.1...
Connected to loopback.kjsl.com.
Escape character is '^]'.
220-KJSL.COM Welcome to KJSL.COM
220 There are hackers here.
help
214-Software Tools Mail System SMTP server.
214-
214-Supported commands are:
214 HELO MAIL RCPT DATA RSET SOML SAML HELP NOOP QUIT
quit
221 KJSL.COM SMTP service complete. Have a good day.

-jav

From owner-freebsd-security Fri Aug 14 15:12:30 1998
From: Andrew McNaughton
Date: Sat, 15 Aug 1998 10:09:29 +1200 (NZST)
Reply-To: andrew@squiz.co.nz
To: Garrett Wollman
Cc: Satya Palani, security@FreeBSD.ORG
Subject: Re: Sendmail greeting

On Fri, 14 Aug 1998, Garrett Wollman wrote:
> > Of course, the version number is still being broadcast through the
> > headers.
> > Take this message, for example:
>
> That doesn't bother me -- the attacker would have to find mail
> messages from me, which were archived without the usual header
> stripping. `mscan' doesn't know how to do this -- it might learn how
> to exploit future sendmail flaws.

While mscan may not do this, it's probably not going to be difficult for a
hacker to get your machine to mail a delivery report back to them.

Andrew

From owner-freebsd-security Fri Aug 14 15:12:57 1998
From: Niall Smart
Date: Fri, 14 Aug 1998 23:06:37 +0000
Reply-To: rotel@indigo.ie
To: Garrett Wollman, security@FreeBSD.ORG
Subject: Re: Sendmail greeting

On Aug 13, 9:11pm, Garrett Wollman wrote:
} Subject: Sendmail greeting
> It's widely understood that giving detailed version information away
> to attackers is a Bad Idea. Why does the default sendmail.cf leave
> the default sendmail greeting?

Au contraire, as soon as any potential hacker sees that you are running
sendmail he will at once accept defeat.

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Fri Aug 14 15:18:29 1998
From: Niall Smart
Date: Fri, 14 Aug 1998 23:12:12 +0000
Reply-To: rotel@indigo.ie
To: Philippe Regnauld, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"

On Aug 14, 12:32pm, Philippe Regnauld wrote:
} Subject: Fwd: "Using capabilties aaginst shell code"
> (see message below)
>
> Is this any form of restriction that can be implemented
> in *BSD systems ? I.e.: restricting system calls to
> certain classes of daemons ?

I think Thomas Ptacek did something like this.

As for the example mentioned (no execve for imapd), I'm not sure it's at all
useful. You'll have to have really fine-grained control over what syscalls
with which parameters are accessible.
Just because someone can't execve doesn't mean they can't add an entry to
/etc/passwd or modify root's or the sysadmin's .login, etc.

I think that a better solution is either an aclfs or a daemon which will
accept requests from other processes for file descriptors/sockets etc.,
meaning that the imapd could run as nobody. Even better is to additionally
make chroot secure and put it in there.

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Fri Aug 14 21:42:34 1998
From: Roger Marquis
Date: Fri, 14 Aug 1998 21:41:59 -0700 (PDT)
To: security@FreeBSD.ORG
Subject: Scans to ports 1090 and 1080

Has anyone heard of vulnerabilities on ports 1080 or 1090? These look like
straight scans otherwise.
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

>Aug 13 04:40:37 local0 13 deny: TCP from 207.139.170.105.16028 to 205.7.40.2.1080 seq 626CE99, ack 0x0, win 512, SYN
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.21:1080 from 207.139.170.105:16348
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.26:1080 from 207.139.170.105:16448
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.32:1080 from 207.139.170.105:16973
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.33:1080 from 207.139.170.105:17008
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.34:1080 from 207.139.170.105:17009
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.35:1080 from 207.139.170.105:17022
>Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.41:1080 from 207.139.170.105:17218
>Aug 13 04:40:39 local1 /kernel: Connection attempt to TCP 205.7.40.255:1080 from 207.139.170.105:20991
>Aug 14 21:17:54 local0 13 deny: TCP from 24.128.144.110.18556 to 205.7.40.2.1090 seq DFDFBE08, ack 0x0, win 512, SYN
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.21:1090 from 24.128.144.110:18627
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.26:1090 from 24.128.144.110:18769
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.61:1090 from 24.128.144.110:19383
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.52:1090 from 24.128.144.110:19363
>Aug 14 21:19:49 local3 /kernel: Connection attempt to TCP 205.7.40.63:1090 from 24.128.144.110:19474
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.53:1090 from 24.128.144.110:19375
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.54:1090 from 24.128.144.110:19376
>Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.55:1090 from 24.128.144.110:19377
From owner-freebsd-security Fri Aug 14 22:16:22 1998
From: Nicholas Charles Brawn
Date: Sat, 15 Aug 1998 15:15:45 +1000 (EST)
To: freebsd-security@FreeBSD.ORG
Subject: /proc query

What are the pros and cons of unmounting /proc? By itself it would appear to
enhance security, in that it reduces the amount of information given out, but
are there any functionality problems I should be aware of?

Cheers,
Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..."
    -unknown

From owner-freebsd-security Fri Aug 14 22:35:37 1998
From: mike@sentex.net (Mike Tancsa)
Date: Sat, 15 Aug 1998 05:32:00 GMT
To: marquis@roble.com (Roger Marquis)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Fri, 14 Aug 1998 21:41:59 -0700 (PDT), in sentex.lists.freebsd.misc you wrote:

>Has anyone heard of vulnerabilities on ports 1080 or 1090? These look
>like straight scans otherwise.

I see 1080 scans all the time. It's IRC kiddies looking for an open SOCKS
proxy to hide their location. I remember once installing SOCKS on a machine
and I had it configured to be open for no more than perhaps 30 min. Someone
hit it in that interval and for months afterwards I would get a dozen hits on
it a day. I guess it got published on some list somewhere...
---Mike

From owner-freebsd-security Fri Aug 14 22:56:46 1998
From: Scott
Date: Sat, 15 Aug 1998 01:55:01 -0400 (EDT)
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

This would be script kiddies looking for an open wingate to exploit.

Scott

Malek's Law: Any simple idea will be worded in the most complicated way.

On Fri, 14 Aug 1998, Roger Marquis wrote:
> Has anyone heard of vulnerabilities on ports 1080 or 1090? These look
> like straight scans otherwise.
>
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
From owner-freebsd-security Fri Aug 14 23:27:16 1998
From: "Gary Palmer"
Date: Sat, 15 Aug 1998 02:26:27 -0400
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

Roger Marquis wrote in message ID :
> Has anyone heard of vulnerabilities on ports 1080 or 1090? These look
> like straight scans otherwise.

socks           1080/tcp
pn-raproxy      1090/tcp    #Progressive Networks RealAudio Proxy

My guess was they were looking for proxies to hide their activities...

Gary
--
Gary Palmer                                          FreeBSD Core Team Member
FreeBSD: Turning PC's into workstations.
See http://www.FreeBSD.ORG/ for info

From owner-freebsd-security Sat Aug 15 00:00:09 1998
From: Tim Baur
Date: Fri, 14 Aug 1998 23:59:45 -0700 (PDT)
To: Scott
Cc: Roger Marquis, security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Sat, 15 Aug 1998, Scott wrote:
> This would be script kiddies looking for an open wingate to exploit.

FYI. Or servers checking for open wingates etc. For example, DALnet ircd
checks for open socks on port 1080 on connection. So depending on the host,
it might not be what you think it is.

--
Tim Baur
xcert software inc.
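As an added example (not code from the thread), here is a small Python log triage that separates the pattern in Roger's logs, one source hitting one port across many hosts within seconds, from the single connect-back check Tim describes, which only ever touches the host that just connected. The two line formats follow the ones quoted in Roger's message; the addresses, the year and the thresholds are constructed assumptions.

```python
"""Flag horizontal port sweeps in FreeBSD 'Connection attempt' logs.

Added example, not code from the mailing-list thread. The two line formats
are modelled on the ones Roger Marquis quoted (the packet-filter 'deny:'
line and the kernel 'Connection attempt to' line); the sample addresses
below are constructed from RFC 5737 documentation ranges, not real hosts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Kernel format: "... /kernel: Connection attempt to TCP a.b.c.d:PORT from w.x.y.z:PORT"
KERNEL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: "
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)$"
)
# Packet-filter format: "... NN deny: TCP from w.x.y.z.PORT to a.b.c.d.PORT seq ..."
DENY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \d+ deny: (?P<proto>TCP|UDP) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\b"
)


def parse_line(line, year=1998):
    """Return a dict for a recognised log line, or None for anything else.
    syslog timestamps carry no year, so the caller supplies one (assumed)."""
    for rx in (KERNEL_RE, DENY_RE):
        m = rx.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return {"ts": ts, "proto": m["proto"], "src": m["src"],
                    "dst": m["dst"], "dport": int(m["dport"])}
    return None


def find_sweeps(lines, min_targets=4, window_seconds=300):
    """Group events by (source, protocol, destination port) and report the
    groups that hit at least `min_targets` distinct destination hosts within
    any `window_seconds` span. One source probing the single host it just
    connected to (the ircd-style open-proxy check) never reaches the threshold."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_key[(ev["src"], ev["proto"], ev["dport"])].append(ev)

    sweeps = []
    for (src, proto, dport), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over the time-ordered events
        for end, ev in enumerate(evs):
            while (ev["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if len({e["dst"] for e in evs[start:end + 1]}) >= min_targets:
                sweeps.append({"src": src, "proto": proto, "dport": dport,
                               "targets": len({e["dst"] for e in evs}),
                               "first": evs[0]["ts"], "last": evs[-1]["ts"]})
                break
    return sweeps


# Constructed sample: a five-host sweep of port 1080 in both log formats,
# then isolated single probes of 1080 and 1090 from a different source.
SAMPLE_LOG = """\
Aug 13 04:40:37 local0 13 deny: TCP from 198.51.100.7.16028 to 192.0.2.2.1080 seq 1A2B3C4D, ack 0x0, win 512, SYN
Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 192.0.2.21:1080 from 198.51.100.7:16348
Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 192.0.2.26:1080 from 198.51.100.7:16448
Aug 13 04:40:38 local1 /kernel: Connection attempt to TCP 192.0.2.32:1080 from 198.51.100.7:16973
Aug 13 04:40:39 local1 /kernel: Connection attempt to TCP 192.0.2.255:1080 from 198.51.100.7:20991
Aug 13 05:12:02 local1 /kernel: Connection attempt to TCP 192.0.2.21:1080 from 203.0.113.9:44120
Aug 13 05:12:03 local1 /kernel: Connection attempt to TCP 192.0.2.21:1090 from 203.0.113.9:44121
Aug 13 05:12:03 local1 /kernel: unrelated kernel message
""".splitlines()

if __name__ == "__main__":
    for s in find_sweeps(SAMPLE_LOG):
        print(f"{s['src']} swept {s['proto']}/{s['dport']} on {s['targets']} hosts "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
```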
From owner-freebsd-security Sat Aug 15 00:53:39 1998
From: Johann Visagie
Date: Sat, 15 Aug 1998 09:51:53 +0200
To: Scott, Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Sat, 15 Aug 1998 at 01:55 SAT, Scott wrote:
>
> This would be script kiddies looking for an open wingate to exploit.

The mscan README explicitly instructs script kiddies to look for open
wingates first, and then goes ahead to show them exactly how to do it. It
seems that many script kiddies take that README to be their bible. For
instance, it tells them that many "3rd world countries" are rife with
phf-exploitable web servers. So, soon after mscan came out, we here in South
Africa noticed a hundredfold or more increase in scans for that particular
vulnerability. Sad.

(Sorry, going off-topic.)
--
  V  Johann Visagie | Email: wjv@CityIP.co.za | Tel: +27 21 419-7878

From owner-freebsd-security Sat Aug 15 01:17:39 1998
From: Andrew McNaughton
Date: Sat, 15 Aug 1998 20:14:17 +1200 (NZST)
Reply-To: andrew@squiz.co.nz
To: Tim Baur
Cc: Scott, Roger Marquis, security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Fri, 14 Aug 1998, Tim Baur wrote:
> Or servers checking for open wingates etc. For example, DALnet ircd,
> checks for open socks on port 1080 on connection. So depending on the
> host, it might not be what you think it is.

As Wingate is so convenient for hackers wanting to anonymise their
connections (and I've seen it happening a few times) I'd quite like to be
able to refuse connections if the connecting machine is running an unsecured
wingate.

Does anyone have any suggestions as to how such a thing could be implemented
under FreeBSD without modifying the daemons? It would need to run on selected
ports only.
Andrew

From owner-freebsd-security Sat Aug 15 01:28:43 1998
From: Tim Baur
Date: Sat, 15 Aug 1998 01:27:34 -0700 (PDT)
To: Andrew McNaughton
Cc: Scott, Roger Marquis, security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Sat, 15 Aug 1998, Andrew McNaughton wrote:
> As Wingate is so convenient for hackers wanting to anonymise their
> connections (and I've seen it happening a few times) I'd quite like to be
> able to refuse connections if the connecting machine is running an
> unsecured wingate.
>
> Does anyone have any suggestions as to how such a thing could be
> implemented under freebsd without modifying the daemons? It would need to
> run on selected ports only.

Well, it would be a programming effort. But it could be done, something like
TCPD. Incoming inetd connections could be routed via a script/program which
would check for open socks; if found, the connection would be refused.
Perhaps even an extension to TCPD. Even though TCPD isn't perfect, it could
work.
Since I am not a hard-core programmer, the coding effort isn't in my field :>
But I am sure there are many ways to go about doing something like this.

--
Tim Baur
xcert software inc.

From owner-freebsd-security Sat Aug 15 04:11:29 1998
From: Philippe Regnauld
Date: Sat, 15 Aug 1998 13:09:55 +0200
To: Joe Orthoefer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"

Joe Orthoefer writes:
> Secure Computing's Sidewinder firewall (built on top of BSDI 2.2) has

[...]
> The set of ACL's is compiled into
> the kernel, with no way to easily change those ACL's once the machine is
> booted, to do major administration you boot into a different kernel with a
> lax set of ACL's and no network support.

Sounds like what Borderware had -- but I think it was just that one kernel
(runtime) had most dangerous syscalls removed, and the other (maintenance)
had those syscalls, but network was disabled.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Sat Aug 15 04:14:42 1998
From: Philippe Regnauld
Date: Sat, 15 Aug 1998 13:13:09 +0200
To: rotel@indigo.ie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"
Niall Smart writes:
>
> As for the example mentioned (no execve for imapd), I'm not sure
> its at all useful.
> Just because someone can't execve doesn't mean they can't add an entry
> to /etc/passwd or modify roots or the sysadmins .login etc

The point was to limit the number of outside attacks on privileged network
daemons. Once the system has been broken into, it's over... "Just keep people
out"

> Even better is additionally make chroot secure and put it in there.

What do you call "making chroot secure" ?

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-
The Internet is busy. Please try again later.

From owner-freebsd-security Sat Aug 15 04:19:50 1998
Aug 1998 13:18:11 +0200 (CEST) Message-ID: <19980815131811.26237@deepo.prosa.dk> Date: Sat, 15 Aug 1998 13:18:11 +0200 From: Philippe Regnauld To: Nicholas Charles Brawn Cc: freebsd-security@FreeBSD.ORG Subject: Re: /proc query References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88e In-Reply-To: ; from Nicholas Charles Brawn on Sat, Aug 15, 1998 at 03:15:45PM +1000 X-Operating-System: FreeBSD 2.2.6-RELEASE i386 Phone: +45 3336 4148 Address: Ahlefeldtsgade 16, 1359 Copenhagen K, Denmark Organization: PROSA Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nicholas Charles Brawn writes: > What are the pros and cons of unmounting /proc? By itself it would > appear to enhance security, in that it reduces the amount of information > given out, but are there any functionality problems I should be aware > of? ps's output will only give the process name, and "killall" won't work (off the top of my head -- there's more). -- -[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]- The Internet is busy. Please try again later. 
From owner-freebsd-security Sat Aug 15 06:58:17 1998
From: Niall Smart
Message-Id: <199808151348.OAA00655@indigo.ie>
Date: Sat, 15 Aug 1998 14:48:11 +0000
In-Reply-To: <19980815131309.14782@deepo.prosa.dk>; Philippe Regnauld
Reply-To: rotel@indigo.ie
To: Philippe Regnauld, rotel@indigo.ie
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: "Using capabilties aaginst shell code"

On Aug 15, 1:13pm, Philippe Regnauld wrote:
} Subject: Re: Fwd: "Using capabilties aaginst shell code"
> Niall Smart writes:
> > > As for the example mentioned (no execve for imapd), I'm not sure
> > its at all useful.
> > Just because someone can't execve doesn't mean they can't add an entry
> > to /etc/passwd or modify roots or the sysadmins .login etc
>
> The point was to limit the number of outside attacks on
> privileged network daemons. Once the system has been broken
> into, it's over... "Just keep people out"

I'm not sure what you mean by this; disabling execve doesn't prevent outside attacks on network daemons.

> > Even better is additionally make chroot secure and put it in there.
>
> What do you call "making chroot secure" ?
Making sure that a chroot process can't escape the jail and can't directly affect processes outside the jail.

Niall
--
Niall Smart, rotel@indigo.ie.
Amaze your friends and annoy your enemies:
echo '#define if(x) if (!(x))' >> /usr/include/stdio.h

From owner-freebsd-security Sat Aug 15 07:06:59 1998
Date: Sun, 16 Aug 1998 02:04:23 +1200 (NZST)
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

On Fri, 14 Aug 1998, Roger Marquis wrote:
> Has anyone heard of vulnerabilities on ports 1080 or 1090? These look
> like straight scans otherwise.

The question is answered, but since a few of these questions come up I thought I'd recommend that searching www.findmail.com for 'scan port 1080' or similar seems to work pretty well for answering this sort of question. They carry archives of half a dozen or so firewall related mailing lists.
Andrew McNaughton

From owner-freebsd-security Sat Aug 15 11:20:51 1998
From: freebsd@fluxnet.windsor.igs.net
Date: Sat, 15 Aug 1998 14:19:05 -0400 (EDT)
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: Scans to ports 1090 and 1080

Most likely a wingate scanner

> Has anyone heard of vulnerabilities on ports 1080 or 1090? These look
> like straight scans otherwise.
>
> Roger Marquis
> Roble Systems Consulting
> http://www.roble.com/
>
> >Aug 13 04:40:37 local0 13 deny: TCP from 207.139.170.105.16028 to 205.7.40.2.1080 seq 626CE99, ack 0x0, win 512, SYN
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.21:1080 from 207.139.170.105:16348
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.26:1080 from 207.139.170.105:16448
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.32:1080 from 207.139.170.105:16973
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.33:1080 from 207.139.170.105:17008
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.34:1080 from 207.139.170.105:17009
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.35:1080 from 207.139.170.105:17022
> >Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 205.7.40.41:1080 from 207.139.170.105:17218
> >Aug 13 04:40:39 local1 /kernel: Connection attempt to TCP 205.7.40.255:1080 from 207.139.170.105:20991
> >Aug 14 21:17:54 local0 13 deny: TCP from 24.128.144.110.18556 to 205.7.40.2.1090 seq DFDFBE08, ack 0x0, win 512, SYN
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.21:1090 from 24.128.144.110:18627
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.26:1090 from 24.128.144.110:18769
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.61:1090 from 24.128.144.110:19383
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.52:1090 from 24.128.144.110:19363
> >Aug 14 21:19:49 local3 /kernel: Connection attempt to TCP 205.7.40.63:1090 from 24.128.144.110:19474
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.53:1090 from 24.128.144.110:19375
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.54:1090 from 24.128.144.110:19376
> >Aug 14 21:17:55 local /kernel: Connection attempt to TCP 205.7.40.55:1090 from 24.128.144.110:19377
>

From owner-freebsd-security Sat Aug 15 21:20:50 1998
Message-Id: <199808160420.VAA28267@hub.freebsd.org>
From: Darren Reed
Subject: Re: Capturing IPFW denied packets
To: kkennawa@physics.adelaide.edu.au (Kris Kennaway)
Date: Sun, 16 Aug 1998 14:20:03 +1000 (EST)
Cc: security@FreeBSD.ORG
In-Reply-To: from "Kris Kennaway" at Aug 9, 98 03:03:59 pm

In some mail from Kris Kennaway, sie said:
[...]
> Is there any way I can set things up to log the contents of the packets
> which fail the ipfw filter? Can anyone think of legitimate reasons these
> sites might want to know my identity or information about my DNS, other
> than trying to harvest addresses for spammers?

ipfilter which will run on freebsd can do the above. using ordinary rules, up to 128* data bytes from a packet will be logged or the blocked packet can be sent to another IP# (fake or real). e.g.

block in log body proto udp from any to any port = 53

Darren

* - this could be increased if you really wanted...
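The "Scans to ports 1090 and 1080" thread above quotes two log formats: the kernel's "Connection attempt to ..." line and the ipfw "deny:" line. The following is an added example, not code from the list or from any of the posters, that parses both formats and reports a source that probes several hosts on one port, which is the sweep pattern the quoted logs show; the addresses in the sample lines are constructed, and the threshold of three hosts is an assumption.

```python
"""Spot horizontal port sweeps in FreeBSD kernel / ipfw log lines (added example)."""
import re
from collections import defaultdict

# Kernel line, e.g. "... /kernel: Connection attempt to TCP 192.0.2.21:1080 from 10.0.0.9:16348"
KERNEL_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)")
# ipfw line, e.g. "... deny: TCP from 10.0.0.9.16028 to 192.0.2.2.1080 seq ..., SYN"
IPFW_RE = re.compile(
    r"deny: (?P<proto>TCP|UDP) from (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) "
    r"to (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)")

def parse_line(line):
    """Return (proto, src, dst, dport) for a recognised line, else None."""
    m = KERNEL_RE.search(line) or IPFW_RE.search(line)
    if not m:
        return None
    return m.group("proto"), m.group("src"), m.group("dst"), int(m.group("dport"))

def find_sweeps(lines, min_hosts=3):
    """Map (src, proto, dport) -> sorted distinct destination hosts, for every
    source that touched at least min_hosts different hosts on the same port."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            proto, src, dst, dport = rec
            hits[(src, proto, dport)].add(dst)
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_hosts}

# Constructed sample shaped like the lines quoted on the list (RFC 5737 / private addresses).
SAMPLE = [
    "Aug 13 04:40:37 local0 13 deny: TCP from 10.0.0.9.16028 to 192.0.2.2.1080 seq 626CE99, ack 0x0, win 512, SYN",
    "Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 192.0.2.21:1080 from 10.0.0.9:16348",
    "Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 192.0.2.26:1080 from 10.0.0.9:16448",
    "Aug 13 04:40:37 local1 /kernel: Connection attempt to TCP 192.0.2.32:1080 from 10.0.0.9:16973",
    "Aug 13 04:41:02 local1 /kernel: Connection attempt to TCP 192.0.2.5:25 from 10.0.0.77:40001",
    "Aug 13 04:41:03 local1 /kernel: Connection attempt to TCP 192.0.2.5:25 from 10.0.0.77:40002",
    "Aug 13 04:41:10 local1 /kernel: Connection attempt to UDP 192.0.2.5:137 from 10.0.0.50:137",
    "Aug 13 04:41:10 local1 /kernel: unrelated message that must be ignored",
]

if __name__ == "__main__":
    for (src, proto, port), hosts in find_sweeps(SAMPLE).items():
        print(f"{src} swept {proto}/{port} on {len(hosts)} hosts: {', '.join(hosts)}")
```

Repeated hits against one host on one port (the 10.0.0.77 lines) are not reported, so a busy legitimate client does not trip the check.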
From owner-freebsd-security Sat Aug 15 21:40:07 1998
Message-Id: <199808160440.VAA29668@hub.freebsd.org>
From: Darren Reed
Subject: Re: inetd enhancements (fwd)
To: sthaug@nethelp.no
Date: Sun, 16 Aug 1998 14:38:41 +1000 (EST)
Cc: benedikt@devnull.ruhr.de, marcs@znep.com, ben@rosengart.com, security@FreeBSD.ORG
In-Reply-To: <2983.901735734@verdi.nethelp.no> from "sthaug@nethelp.no" at Jul 29, 98 08:08:54 pm

allowing different programs to bind to different IP addresses (on a multi-ip# box) is something inetd does not do and can't be handled with packet filters, and requires a tcpd/fwtk type solution. however, I think that rather than hacking that functionality into inetd, look at xinetd (which already has numerous additions) and leave inetd to be more standard...