From owner-freebsd-security Sun Oct 11 15:36:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA28666 for freebsd-security-outgoing; Sun, 11 Oct 1998 15:36:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA28645 for ; Sun, 11 Oct 1998 15:36:06 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.1/8.9.1) id SAA21855; Sun, 11 Oct 1998 18:35:46 -0400 (EDT) (envelope-from wollman) Date: Sun, 11 Oct 1998 18:35:46 -0400 (EDT) From: Garrett Wollman Message-Id: <199810112235.SAA21855@khavrinen.lcs.mit.edu> To: security@FreeBSD.ORG Subject: PKCS#12 for SSLeay 0.9.0b Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've munged Stephen Henson's PKCS#12 implementation into SSLeay 0.9.0b. Unfortunately, the PKCS#12 code contains some crypto stuff. So, if you'd like a copy of the patch, send me an e-mail and swear on the Bible that you are a US national, etc., and I'll send it to you. It wasn't all that hard to do, but it was rather tedious. Disclaimer: I haven't actually tested the PKCS#12 functionality -- I've just made it compile. -GAWollman -- Garrett A. Wollman | O Siem / We are all family / O Siem / We're all the same wollman@lcs.mit.edu | O Siem / The fires of freedom Opinions not those of| Dance in the burning flame MIT, LCS, CRS, or NSA| - Susan Aglukark and Chad Irschick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 16:04:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA05116 for freebsd-security-outgoing; Mon, 12 Oct 1998 16:04:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from icarus.reshall.berkeley.edu (icarus.Reshall.Berkeley.EDU [169.229.87.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA05106 for ; Mon, 12 Oct 1998 16:04:04 -0700 (PDT) (envelope-from leonardc9@usa.net) Received: from [10.0.0.2] (power.leonard.com [10.0.0.2]) by icarus.reshall.berkeley.edu (8.8.8/8.8.8) with ESMTP id QAA09448 for ; Mon, 12 Oct 1998 16:14:02 -0700 (PDT) (envelope-from leonardc9@usa.net) Mime-Version: 1.0 X-Sender: leonardc@uclink4.berkeley.edu Message-Id: X-mailer: Eudora Pro 4.0.1 Macintosh Date: Mon, 12 Oct 1998 16:09:59 -0700 To: security@FreeBSD.ORG From: "Leonard C." Subject: URGENT! Need help determining scope of attack... Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 When I checked my system's daily report today, I found this: > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896 With the core dump and then the attempted connections to port 31337, I'm suspecting that this is a script kiddy. What worries me is I'm unsure of the scope of the attack. In the logs, right after the attack, there was an su to root, but no new accounts have been added, nor any new uid 0 accounts. There are also no new setuid programs either. Netstat also doesn't report anything listening on any new ports. Right now, I've disabled all services except for ssh, but I'm not too sure what the next steps to take are. Also, I noticed that the attacks came from two seperate IPs. Everybody here on the internal network has to use a gateway in order to reach the outside network with a netmask of 255.255.255.0 (so, for me, it's 169.229.87.1). This gateway logs everybody's MAC address before activating the port, and partitions it if a different MAC address is later used. Can I be fairly certain then that the IPs that the attacks came from are the correct ones? What are the next steps from here? Is there anything I can do to prevent something like this from happening next time? Also, the core dump was from telnet and I haven't heard of any new exploits on that. Any ideas on what exactly happened? I know this is a lot of questions to throw at you, but I'm not really sure what to do next. Thanks in advance for all of your help, Leonard **************************** Note: The errors on the ed1 ethernet card are normal. I've tried to fudge with the IRQ's, to no avail, but I keep getting these messages. Other than errors, I've had no problems though. The power.leonard.com is a computer on my internal network (10.0.0.0), so errors from qpopper on that are mainly just me playing around with it. /var/log/messages: Oct 10 03:51:22 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:3039 Oct 10 04:27:03 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2297 Oct 10 04:39:10 icarus /kernel: ed1: device timeout Oct 10 11:02:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:3649 Oct 10 12:58:18 icarus afpd[5988]: afp_die: asp_shutdown: Operation timed out Oct 10 18:56:05 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:4035 Oct 10 21:59:48 icarus afpd[6475]: afp_die: asp_shutdown: Operation timed out Oct 11 00:42:40 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:1034 Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0 Oct 11 02:45:58 icarus su: leonard to root on /dev/ttyp0 Oct 11 02:49:40 icarus syslogd: exiting on signal 15 Oct 11 02:51:13 icarus popper[7002]: @localhost.Berkeley.EDU: -ERR Unknown comma nd: "quyit". Oct 11 03:00:37 icarus syslogd: exiting on signal 15 Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (co re dumped) Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command "a;jf as;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size. Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " get". Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " host:". Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied. Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " accept-language:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " connection:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied. Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " ua-os:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " ua-cpu:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " extension:". Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0 re dumped) Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command "a;jf as;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size. Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " get". Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " host:". Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied. Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " accept-language:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " connection:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many arguments supplied. Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " ua-os:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " ua-cpu:". Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown command: " extension:". Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0 Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.93.66:1335 Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.93.66:1335 Oct 11 11:20:32 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.93.66:1335 Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:1896 Oct 11 20:05:48 icarus afpd[8149]: afp_die: asp_shutdown: Operation timed out Oct 11 21:14:00 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2301 Oct 11 21:14:12 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2203 Oct 11 21:14:41 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2179 Oct 11 22:32:58 icarus arpwatch: 0:40:5:68:1:7a sent bad hardware format 0xe Oct 12 00:13:59 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 6016 Oct 12 00:38:38 icarus afpd[202]: atp_sreq: Network is unreachable Oct 12 00:38:59 icarus /kernel: ed1: device timeout Oct 12 00:39:08 icarus afpd[202]: atp_sreq: Network is unreachable Oct 12 00:39:55 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2122 Oct 12 00:40:23 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2342 Oct 12 00:43:51 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2062 Oct 12 00:44:10 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2128 Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:3744 Oct 12 00:48:38 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2157 Oct 12 00:48:46 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2168 Oct 12 00:50:45 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2192 Oct 12 01:13:35 icarus /kernel: ed1: NIC memory corrupt - invalid packet length 2066 Oct 12 07:50:58 icarus /kernel: Connection attempt to UDP 169.229.87.90:31337 fr om 169.229.84.53:4216 Oct 12 10:08:51 icarus arpwatch: 0:e0:29:18:58:52 sent bad hardware format 0x800 f **************************** Daily security check output: checking setuid files and devices: checking for uids of 0: root 0 toor 0 icarus kernel log messages: > 2:2082 > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) > Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 > Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896 > ed1: NIC memory corrupt - invalid packet length 2301 > ed1: NIC memory corrupt - invalid packet length 2203 > ed1: NIC memory corrupt - invalid packet length 2179 > ed1: NIC memory corrupt - invalid packet length 6016 > ed1: device timeout > ed1: NIC memory corrupt - invalid packet length 2122 > ed1: NIC memory corrupt - invalid packet length 2342 > ed1: NIC memory corrupt - invalid packet length 2062 > ed1: NIC memory corrupt - invalid packet length 2128 > Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744 > ed1: NIC memory corrupt - invalid packet length 2157 > ed1: NIC memory corrupt - invalid packet length 2168 > ed1: NIC memory corrupt - invalid packet length 2192 > ed1: NIC memory corrupt - invalid packet length 2066 icarus login failures: icarus refused connections: - -- Support the Blue Ribbon Campaign for free speech online () http://www.eff.org/blueribbon.html /\ "Those who will not reason perish in the act. Those who will not act, perish for that reason." - W. H. Auden -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.0 for non-commercial use iQA/AwUBNiKMUOAvLUJUxjQXEQLN2QCgwR0ANRboI2jvyXMoMUvvbW8KO2IAn2w+ x6wRo16IjELRC9zoa7F6du35 =lqn5 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 17:31:59 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA18985 for freebsd-security-outgoing; Mon, 12 Oct 1998 17:31:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA18980 for ; Mon, 12 Oct 1998 17:31:57 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA14170; Mon, 12 Oct 1998 18:31:41 -0600 (MDT) Message-Id: <4.1.19981012181921.066fe700@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Mon, 12 Oct 1998 18:29:21 -0600 To: "Leonard C." , security@FreeBSD.ORG From: Brett Glass Subject: Re: URGENT! Need help determining scope of attack... In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This guy could habe been trying LOTS of exploits, but the key ones are the Qualcomm QPopper hole and Back Orifice (he's searching for a server). He may have su'ed successfully to root. (What version of QPopper are you running? Telnet to Port 110 on the machine to find out if it's one that can be compromised.) The IP addresses are fairly likely to be accurate because they are in the same general range. (Those who forge IP addresses usually scatter them all over the map.) Looks like you're being hit by a kid in a dorm at UC Berkeley. Perhaps you should contact the admins there. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 17:51:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA22003 for freebsd-security-outgoing; Mon, 12 Oct 1998 17:51:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ifi.uio.no (ifi.uio.no [129.240.64.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA21997 for ; Mon, 12 Oct 1998 17:51:43 -0700 (PDT) (envelope-from dag-erli@ifi.uio.no) Received: from hrotti.ifi.uio.no (2602@hrotti.ifi.uio.no [129.240.64.15]) by ifi.uio.no (8.8.8/8.8.7/ifi0.2) with ESMTP id CAA26551; Tue, 13 Oct 1998 02:51:28 +0200 (MET DST) Received: (from dag-erli@localhost) by hrotti.ifi.uio.no ; Tue, 13 Oct 1998 02:51:27 +0200 (MET DST) Mime-Version: 1.0 To: "Leonard C." Cc: security@FreeBSD.ORG Subject: Re: URGENT! Need help determining scope of attack... References: Organization: University of Oslo, Department of Informatics X-url: http://www.stud.ifi.uio.no/~dag-erli/ X-other-addresses: 'finger dag-erli@ifi.uio.no' for a list X-disclaimer-1: The views expressed in this article are mine alone, and do X-disclaimer-2: not necessarily coincide with those of any organisation or X-disclaimer-3: company with which I am or have been affiliated. X-Stop-Spam: http://www.cauce.org/ From: dag-erli@ifi.uio.no (Dag-Erling C. =?iso-8859-1?Q?Sm=F8rgrav?= ) Date: 13 Oct 1998 02:51:26 +0200 In-Reply-To: "Leonard C."'s message of "Mon, 12 Oct 1998 16:09:59 -0700" Message-ID: Lines: 50 X-Mailer: Gnus v5.5/Emacs 19.34 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by hub.freebsd.org id RAA21999 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Leonard C." writes: > When I checked my system's daily report today, I found this: > > > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896 > > With the core dump and then the attempted connections to port 31337, I'm > suspecting that this is a script kiddy. What worries me is I'm unsure of > the scope of the attack. In the logs, right after the attack, there was an > su to root, but no new accounts have been added, nor any new uid 0 > accounts. There are also no new setuid programs either. Relax. Some idiot scanned your box for BO, which won't do him much good since you're running FreeBSD. Check your /var/log/messages to see how long after the core dump that was. I'm pretty sure the core dump was unrelated; check /var/log/messages and find out how much time passed between them. The same idiot tried to root you through qpopper, but it seems you have an up-to-date version and he didn't have a clue anyway. Seems he was working by hand, not running scripts: he made typos while talking to qpopper. Next time something like this happens, you should do a better job of masking your hostname and IP address before mailing your logs to a public forum. Black hats read mailing lists too. Oh, and if I were you I'd get in touch with UCB and send your logs to whoever is in charge over there. Teach some idiot freshman a lesson. finrod@niobe ~$ nslookup 169.229.84.53 Server: localhost.ewox.org Address: 127.0.0.1 Name: ehr-84-53.Reshall.Berkeley.EDU Address: 169.229.84.53 You have mail in /var/mail/finrod finrod@niobe ~$ nslookup 169.229.93.66 Server: localhost.ewox.org Address: 127.0.0.1 Name: pri-93-66.Reshall.Berkeley.EDU Address: 169.229.93.66 DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 18:48:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA01161 for freebsd-security-outgoing; Mon, 12 Oct 1998 18:48:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mail.kt.rim.or.jp (mail.kt.rim.or.jp [202.247.130.53]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA01135 for ; Mon, 12 Oct 1998 18:48:20 -0700 (PDT) (envelope-from daniel@kt.rim.or.jp) Received: from periscope (ppp150.kt.rim.or.jp [202.247.139.150]) by mail.kt.rim.or.jp (8.8.5/3.6W-RIMNET-98-06-09) with SMTP id KAA01686; Tue, 13 Oct 1998 10:47:56 +0900 (JST) Message-ID: <000e01bdf64b$106ad9a0$4200a8c0@periscope.digital-canvas.com> From: "Daniel Minoru Saito" To: "Leonard C." Cc: Subject: Re: URGENT! Need help determining scope of attack... Date: Tue, 13 Oct 1998 10:44:46 +0900 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 4.72.3110.5 X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Cute UC Berkeley. :) I wouldn't worry too much as well. Although a good practice that might be of help is to talk to the system administrator at the resident halls. As for your Qpopper attack. There are bruteforce ways to do it.. in the "Generic Script Kiddie Rootkit" but by looking at your logs and mentioned before in the emails - he made typos. Granted he was probably reading instructions off of rootshell.com. As for your BO attack I am sure your "script kiddie" was searching the segment rather than your specific IP. So if he hit yours unsuccessfully -- but then how many did he his "successfully". You would be doing others a favor by turning the little punk in.. Daniel -----Original Message----- From: Dag-Erling C. Smørgrav Subject: Re: URGENT! Need help determining scope of attack... "Leonard C." writes: > When I checked my system's daily report today, I found this: > > > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896 > > With the core dump and then the attempted connections to port 31337, I'm > suspecting that this is a script kiddy. What worries me is I'm unsure of > the scope of the attack. In the logs, right after the attack, there was an > su to root, but no new accounts have been added, nor any new uid 0 > accounts. There are also no new setuid programs either. >Relax. Some idiot scanned your box for BO, which won't do him much >good since you're running FreeBSD. Check your /var/log/messages to see >how long after the core dump that was. I'm pretty sure the core dump >was unrelated; check /var/log/messages and find out how much time >passed between them. The same idiot tried to root you through qpopper, >but it seems you have an up-to-date version and he didn't have a clue >anyway. Seems he was working by hand, not running scripts: he made >typos while talking to qpopper. > >Next time something like this happens, you should do a better job of >masking your hostname and IP address before mailing your logs to a >public forum. Black hats read mailing lists too. > >Oh, and if I were you I'd get in touch with UCB and send your logs to >whoever is in charge over there. Teach some idiot freshman a lesson. > >finrod@niobe ~$ nslookup 169.229.84.53 >Server: localhost.ewox.org >Address: 127.0.0.1 > >Name: ehr-84-53.Reshall.Berkeley.EDU >Address: 169.229.84.53 > >You have mail in /var/mail/finrod >finrod@niobe ~$ nslookup 169.229.93.66 >Server: localhost.ewox.org >Address: 127.0.0.1 > >Name: pri-93-66.Reshall.Berkeley.EDU >Address: 169.229.93.66 > > >DES >-- >Dag-Erling Smørgrav - dag-erli@ifi.uio.no > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 19:00:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA03283 for freebsd-security-outgoing; Mon, 12 Oct 1998 19:00:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from phoenix (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id TAA03275 for ; Mon, 12 Oct 1998 19:00:44 -0700 (PDT) (envelope-from brich@aye.net) Received: (qmail 26509 invoked by uid 7506); 13 Oct 1998 01:52:43 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 13 Oct 1998 01:52:42 -0000 Date: Mon, 12 Oct 1998 21:52:42 -0400 (EDT) From: Barrett Richardson To: "Leonard C." cc: security@FreeBSD.ORG Subject: Re: URGENT! Need help determining scope of attack... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It's difficult to tell much other attempted connections to the ports mentioned. Are you sure the su to root entries aren't yours? May be worthwhile to find the core dump for telnet -- but it is a signal 3 (like when you ctrl-\) as opposed to a SIGSEGV (which is common when the stack gets munged). The telnet was also for uid 0 which means it was initiated by root. If an attacker already had root access, then he would likely be mucking around with other things than figuring out how to get root access (which he already has) -- unless he wants to camp out there a while and wants more than one means to come and go undetected. When syslogd exited on signal 15, do you know why? Was the machine running a good while without any syslogging? If you can find the core dump, do a 'strings telnet.core' and see if it shows anything that looks like entries from /etc/spwd.db. Normal system activity by admins may explain some of things in your syslog. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Oct 12 21:27:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA23855 for freebsd-security-outgoing; Mon, 12 Oct 1998 21:27:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns.nternet.net (ns.nternet.net [206.154.20.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA23849 for ; Mon, 12 Oct 1998 21:27:44 -0700 (PDT) (envelope-from grimace@ns.nternet.net) Received: from localhost (grimace@localhost) by ns.nternet.net (8.8.8/8.8.7) with SMTP id AAA26069 for ; Tue, 13 Oct 1998 00:44:40 -0400 (EDT) Date: Tue, 13 Oct 1998 00:44:40 -0400 (EDT) From: grimace To: security@FreeBSD.ORG Subject: Spoofed connections on port 13223?? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello all, I have investigated to the best of my ability yet have not been able to determine the nature of this attack. Any assistance in helping to diagnose the following will be greatly appreciated. On several occasions, I have experienced spoofed TCP connections to port 13223 on a laptop, running FreeBSD-2.2.6-RELEASE. These connections were logged with the clog package from the ports collection. What really baffles me, is that these attacks are clearly intentional, but I've been unable to determine the significance of port 13223. On one occasion, this attack went on for almost 2 hours, with a pattern of 4 every 2 minutes. I've completely reinstalled FreeBSD, but the same attacks occurred both before and after the reinstall, so I'm reasonably sure I have not been compromised. I've attached the applicable log entries for the latest attacks and the reponse from one ISP whom confirms the attack was spoofed. TIMEZONE: ADT TCP Activity: (with clog) Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 ICMP Activity: (with icmpinfo) Jul 30 05:01:44 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33477 seq=0x00140000 sz=36(+20) Jul 30 05:01:46 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33478 seq=0x00140000 sz=36(+20) Jul 30 05:01:48 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33479 seq=0x00140000 sz=36(+20) >Date sent: Fri, 31 Jul 1998 06:58:50 -0300 (ADT) >From: someone >To: abuse@spoofedhost.org >Subject: Security Concern... >> Hello, >> >> I wish to report a possible security concernn from what appears >> to be one of your users. I have seen the following on several >> occasions, each time from a different IP. This fact, and as the >> following alludes to, makes me suspect that the attack was >> spoofed. I would GREATLY appreciate it, if you could confim/deny >> the following in a timely manner. > Sorry for the delay as I was on vacation and the abuse box did not > forward correctly. I have examined this and it is definitly a spoof. I > will make some further inquires on Monday to find this person(s). >> TCP Activity: >> >> Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 >This is definitly spoofed. The most recent attack occurred on October 10. Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 . Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 03:24:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA05005 for freebsd-security-outgoing; Tue, 13 Oct 1998 03:24:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA04862 for ; Tue, 13 Oct 1998 03:24:00 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199810131024.DAA04862@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA192864211; Tue, 13 Oct 1998 20:23:31 +1000 From: Darren Reed Subject: Re: Spoofed connections on port 13223?? To: grimace@ns.nternet.net (grimace) Date: Tue, 13 Oct 1998 20:23:31 +1000 (EST) Cc: security@FreeBSD.ORG In-Reply-To: from "grimace" at Oct 13, 98 00:44:40 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org People, I can understand wanting to bring it to an informal forum, but if you seriously think you are under attack then you should contact the relevant CERT and talk with them about it. It may be that what you're seeing is part of a "bigger picture" that you can't see. Darren In some mail from grimace, sie said: > > Hello all, > > I have investigated to the best of my ability yet have not been able to > determine the nature of this attack. Any assistance in helping to diagnose > the following will be greatly appreciated. > > On several occasions, I have experienced spoofed TCP connections to port 13223 > on a laptop, running FreeBSD-2.2.6-RELEASE. These connections were logged with > the clog package from the ports collection. What really baffles me, is that > these attacks are clearly intentional, but I've been unable to determine the > significance of port 13223. > > On one occasion, this attack went on for almost 2 hours, with a pattern of 4 > every 2 minutes. I've completely reinstalled FreeBSD, but the same > attacks occurred both before and after the reinstall, so I'm reasonably sure > I have not been compromised. I've attached the applicable log entries for the > latest attacks and the reponse from one ISP whom confirms the attack was > spoofed. > > TIMEZONE: ADT > > TCP Activity: > (with clog) > > Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 > Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 > Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 > Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 > > ICMP Activity: > (with icmpinfo) > > Jul 30 05:01:44 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33477 seq=0x00140000 sz=36(+20) > Jul 30 05:01:46 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33478 seq=0x00140000 sz=36(+20) > Jul 30 05:01:48 ICMP_Dest_Unreachable[Port] < 24.231.16.72 > 24.231.16.72 sp=57218 dp=33479 seq=0x00140000 sz=36(+20) > > > >Date sent: Fri, 31 Jul 1998 06:58:50 -0300 (ADT) > >From: someone > >To: abuse@spoofedhost.org > >Subject: Security Concern... > > >> Hello, > >> > >> I wish to report a possible security concernn from what appears > >> to be one of your users. I have seen the following on several > >> occasions, each time from a different IP. This fact, and as the > >> following alludes to, makes me suspect that the attack was > >> spoofed. I would GREATLY appreciate it, if you could confim/deny > >> the following in a timely manner. > > > Sorry for the delay as I was on vacation and the abuse box did not > > forward correctly. I have examined this and it is definitly a spoof. I > > will make some further inquires on Monday to find this person(s). > > >> TCP Activity: > >> > >> Jul 30 04:43|24.231.16.72|1046|rhsyts12c45.nbnet.nb.ca|13223 > > >This is definitly spoofed. > > The most recent attack occurred on October 10. > > Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 > Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 > Sep 04 21:30|209.154.73.24|3959|207.179.147.47|13223 > . > Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 > Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 > Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 > Sep 04 22:03|209.154.73.24|4353|207.179.147.47|13223 > Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 > Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 > Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 > Oct 03 21:37|147.72.123.113|1427|207.179.180.103|13223 > Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 > Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 > Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 > Oct 10 02:40|198.164.98.96|4085|207.179.165.61|13223 > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 09:11:14 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA10188 for freebsd-security-outgoing; Tue, 13 Oct 1998 09:11:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA10181 for ; Tue, 13 Oct 1998 09:11:11 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id KAA20266; Tue, 13 Oct 1998 10:10:32 -0600 (MDT) Message-Id: <4.1.19981013100624.041b8760@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 13 Oct 1998 10:06:58 -0600 To: Darren Reed , grimace@ns.nternet.net (grimace) From: Brett Glass Subject: Re: Spoofed connections on port 13223?? Cc: security@FreeBSD.ORG In-Reply-To: <199810131024.DAA04862@hub.freebsd.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org CERT? Don't bother. They'll respond several months after it's too late and say, "Oh, dear." --Brett At 08:23 PM 10/13/98 +1000, Darren Reed wrote: >People, I can understand wanting to bring it to an informal forum, but >if you seriously think you are under attack then you should contact the >relevant CERT and talk with them about it. It may be that what you're >seeing is part of a "bigger picture" that you can't see. > >Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 11:29:32 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA26944 for freebsd-security-outgoing; Tue, 13 Oct 1998 11:29:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from gvr.gvr.org (gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA26927; Tue, 13 Oct 1998 11:29:24 -0700 (PDT) (envelope-from security-officer@freebsd.org) Received: (from guido@localhost) by gvr.gvr.org (8.8.8/8.8.5) id UAA06115; Tue, 13 Oct 1998 20:29:07 +0200 (MET DST) Date: Tue, 13 Oct 1998 20:29:07 +0200 (MET DST) Message-Id: <199810131829.UAA06115@gvr.gvr.org> From: FreeBSD Security Officer Subject: FreeBSD Security Advisory: FreeBSD-SA-98:07.rst Reply-To: security-officer@FreeBSD.ORG To: undisclosed-recipients:; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-98:07 Security Advisory FreeBSD, Inc. Topic: TCP RST denial of sevice Category: core Module: kernel Announced: 1998-10-13 Affects: FreeBSD 2.2.* (before 2.2.8R), FreeBSD-stable and FreeBSD-current before the correction date. Corrected: FreeBSD-current as of 1998/09/11 FreeBSD-stable as of 1998/09/16 FreeBSD only: Yes Patches: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:07/ Vulnerable: I. Background TCP/IP connections are controlled through a series of packets that are receieved by the two computers involved in the connection. Old, stale connections are reset with a packet called a RST packet. The RST packets have a sequence number in them that must be valid according to certain rules in the standards. II. Problem Description A denail of service attack can be launched against FreeBSD systems running without one of the patches supplied later in this message. Using a flaw in the interpreation of sequence numbers in the RST packet, malicious users can terminate connections of other users at will. III. Impact Some TCP connections will be broken. This can range from a minor inconvenience to a major problem depending on the nature of the attackers and what they attack. This attack requires knowledge of the TCP connection 4-tuple (source IP, source port, destination IP and destination port). If even one of these items is unknown, then the attack will not succeed. Users without priviledge of the destination machine, however, can find the source IP and source port numbers with the netstat command and can effect this attack. Also, intruders that are able to capture raw network traffic on the network the target machine resides will also have enough information to launch this attack. It is also possible for an attacker to send a huge flood of packets, hoping that they will get lucky just once (which is all they need to attack a specific connection). This vulnerability has been discussed in the security list called BUGTRAQ and exploit programs are circulating to take advantage of this flaw. This attack has been reported most often as being used against people connected to irc servers. IV. Workaround None. V. Solution Here is the patch that will apply to 2.2-stable systems from before September 16, 1998. -stable systems after that date do not suffer from this problem. It will also apply to FreeBSD 2.2.6 and 2.2.7. Index: tcp_input.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/tcp_input.c,v retrieving revision 1.54.2.10 retrieving revision 1.54.2.11 diff -u -r1.54.2.10 -r1.54.2.11 --- tcp_input.c 1998/05/18 17:12:44 1.54.2.10 +++ tcp_input.c 1998/09/16 17:35:17 1.54.2.11 @@ -972,17 +972,99 @@ /* * States other than LISTEN or SYN_SENT. - * First check timestamp, if present. + * First check the RST flag and sequence number since reset segments + * are exempt from the timestamp and connection count tests. This + * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix + * below which allowed reset segments in half the sequence space + * to fall though and be processed (which gives forged reset + * segments with a random sequence number a 50 percent chance of + * killing a connection). + * Then check timestamp, if present. * Then check the connection count, if present. * Then check that at least some bytes of segment are within * receive window. If segment begins before rcv_nxt, * drop leading data (and SYN); if nothing left, just ack. * + * + * If the RST bit is set, check the sequence number to see + * if this is a valid reset segment. + * RFC 793 page 37: + * In all states except SYN-SENT, all reset (RST) segments + * are validated by checking their SEQ-fields. A reset is + * valid if its sequence number is in the window. + * Note: this does not take into account delayed ACKs, so + * we should test against last_ack_sent instead of rcv_nxt. + * Also, it does not make sense to allow reset segments with + * sequence numbers greater than last_ack_sent to be processed + * since these sequence numbers are just the acknowledgement + * numbers in our outgoing packets being echoed back at us, + * and these acknowledgement numbers are monotonically + * increasing. + * If we have multiple segments in flight, the intial reset + * segment sequence numbers will be to the left of last_ack_sent, + * but they will eventually catch up. + * In any case, it never made sense to trim reset segments to + * fit the receive window since RFC 1122 says: + * 4.2.2.12 RST Segment: RFC-793 Section 3.4 + * + * A TCP SHOULD allow a received RST segment to include data. + * + * DISCUSSION + * It has been suggested that a RST segment could contain + * ASCII text that encoded and explained the cause of the + * RST. No standard has yet been established for such + * data. + * + * If the reset segment passes the sequence number test examine + * the state: + * SYN_RECEIVED STATE: + * If passive open, return to LISTEN state. + * If active open, inform user that connection was refused. + * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: + * Inform user that connection was reset, and close tcb. + * CLOSING, LAST_ACK, TIME_WAIT STATES + * Close the tcb. + * TIME_WAIT state: + * Drop the segment - see Stevens, vol. 2, p. 964 and + * RFC 1337. + */ + if (tiflags & TH_RST) { + if (tp->last_ack_sent == ti->ti_seq) { + switch (tp->t_state) { + + case TCPS_SYN_RECEIVED: + so->so_error = ECONNREFUSED; + goto close; + + case TCPS_ESTABLISHED: + case TCPS_FIN_WAIT_1: + case TCPS_FIN_WAIT_2: + case TCPS_CLOSE_WAIT: + so->so_error = ECONNRESET; + close: + tp->t_state = TCPS_CLOSED; + tcpstat.tcps_drops++; + tp = tcp_close(tp); + break; + + case TCPS_CLOSING: + case TCPS_LAST_ACK: + tp = tcp_close(tp); + break; + + case TCPS_TIME_WAIT: + break; + } + } + goto drop; + } + + /* * RFC 1323 PAWS: If we have a timestamp reply on this segment * and it's less than ts_recent, drop it. */ - if ((to.to_flag & TOF_TS) != 0 && (tiflags & TH_RST) == 0 && - tp->ts_recent && TSTMP_LT(to.to_tsval, tp->ts_recent)) { + if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent && + TSTMP_LT(to.to_tsval, tp->ts_recent)) { /* Check to see if ts_recent is over 24 days old. */ if ((int)(tcp_now - tp->ts_recent_age) > TCP_PAWS_IDLE) { @@ -1013,10 +1095,19 @@ * RST segments do not have to comply with this. */ if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) && - ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc) && - (tiflags & TH_RST) == 0) + ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc)) goto dropafterack; + /* + * In the SYN-RECEIVED state, validate that the packet belongs to + * this connection before trimming the data to fit the receive + * window. Check the sequence number versus IRS since we know + * the sequence numbers haven't wrapped. This is a partial fix + * for the "LAND" DoS attack. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) + goto dropwithreset; + todrop = tp->rcv_nxt - ti->ti_seq; if (todrop > 0) { if (tiflags & TH_SYN) { @@ -1128,40 +1219,6 @@ } /* - * If the RST bit is set examine the state: - * SYN_RECEIVED STATE: - * If passive open, return to LISTEN state. - * If active open, inform user that connection was refused. - * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: - * Inform user that connection was reset, and close tcb. - * CLOSING, LAST_ACK, TIME_WAIT STATES - * Close the tcb. - */ - if (tiflags&TH_RST) switch (tp->t_state) { - - case TCPS_SYN_RECEIVED: - so->so_error = ECONNREFUSED; - goto close; - - case TCPS_ESTABLISHED: - case TCPS_FIN_WAIT_1: - case TCPS_FIN_WAIT_2: - case TCPS_CLOSE_WAIT: - so->so_error = ECONNRESET; - close: - tp->t_state = TCPS_CLOSED; - tcpstat.tcps_drops++; - tp = tcp_close(tp); - goto drop; - - case TCPS_CLOSING: - case TCPS_LAST_ACK: - case TCPS_TIME_WAIT: - tp = tcp_close(tp); - goto drop; - } - - /* * If a SYN is in the window, then this is an * error and we send an RST and drop the connection. */ @@ -1667,9 +1724,22 @@ /* * Generate an ACK dropping incoming segment if it occupies * sequence space, where the ACK reflects our state. - */ - if (tiflags & TH_RST) - goto drop; + * + * We can now skip the test for the RST flag since all + * paths to this code happen after packets containing + * RST have been dropped. + * + * In the SYN-RECEIVED state, don't send an ACK unless the + * segment we received passes the SYN-RECEIVED ACK test. + * If it fails send a RST. This breaks the loop in the + * "LAND" DoS attack, and also prevents an ACK storm + * between two listening ports that have been sent forged + * SYN segments, each with the source address of the other. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && + (SEQ_GT(tp->snd_una, ti->ti_ack) || + SEQ_GT(ti->ti_ack, tp->snd_max)) ) + goto dropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); Here is the patch to apply to 3.0-current systems from before September 11, 1998. This patch is known to apply to systems just before this date, but as you move farther back in the 3.0-current branch, it may become more difficult for this patch to apply. Index: tcp_input.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/netinet/tcp_input.c,v retrieving revision 1.80 retrieving revision 1.81 diff -u -r1.80 -r1.81 --- tcp_input.c 1998/08/24 07:47:39 1.80 +++ tcp_input.c 1998/09/11 16:04:03 1.81 @@ -979,17 +979,99 @@ /* * States other than LISTEN or SYN_SENT. - * First check timestamp, if present. + * First check the RST flag and sequence number since reset segments + * are exempt from the timestamp and connection count tests. This + * fixes a bug introduced by the Stevens, vol. 2, p. 960 bugfix + * below which allowed reset segments in half the sequence space + * to fall though and be processed (which gives forged reset + * segments with a random sequence number a 50 percent chance of + * killing a connection). + * Then check timestamp, if present. * Then check the connection count, if present. * Then check that at least some bytes of segment are within * receive window. If segment begins before rcv_nxt, * drop leading data (and SYN); if nothing left, just ack. * + * + * If the RST bit is set, check the sequence number to see + * if this is a valid reset segment. + * RFC 793 page 37: + * In all states except SYN-SENT, all reset (RST) segments + * are validated by checking their SEQ-fields. A reset is + * valid if its sequence number is in the window. + * Note: this does not take into account delayed ACKs, so + * we should test against last_ack_sent instead of rcv_nxt. + * Also, it does not make sense to allow reset segments with + * sequence numbers greater than last_ack_sent to be processed + * since these sequence numbers are just the acknowledgement + * numbers in our outgoing packets being echoed back at us, + * and these acknowledgement numbers are monotonically + * increasing. + * If we have multiple segments in flight, the intial reset + * segment sequence numbers will be to the left of last_ack_sent, + * but they will eventually catch up. + * In any case, it never made sense to trim reset segments to + * fit the receive window since RFC 1122 says: + * 4.2.2.12 RST Segment: RFC-793 Section 3.4 + * + * A TCP SHOULD allow a received RST segment to include data. + * + * DISCUSSION + * It has been suggested that a RST segment could contain + * ASCII text that encoded and explained the cause of the + * RST. No standard has yet been established for such + * data. + * + * If the reset segment passes the sequence number test examine + * the state: + * SYN_RECEIVED STATE: + * If passive open, return to LISTEN state. + * If active open, inform user that connection was refused. + * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: + * Inform user that connection was reset, and close tcb. + * CLOSING, LAST_ACK, TIME_WAIT STATES + * Close the tcb. + * TIME_WAIT state: + * Drop the segment - see Stevens, vol. 2, p. 964 and + * RFC 1337. + */ + if (tiflags & TH_RST) { + if (tp->last_ack_sent == ti->ti_seq) { + switch (tp->t_state) { + + case TCPS_SYN_RECEIVED: + so->so_error = ECONNREFUSED; + goto close; + + case TCPS_ESTABLISHED: + case TCPS_FIN_WAIT_1: + case TCPS_FIN_WAIT_2: + case TCPS_CLOSE_WAIT: + so->so_error = ECONNRESET; + close: + tp->t_state = TCPS_CLOSED; + tcpstat.tcps_drops++; + tp = tcp_close(tp); + break; + + case TCPS_CLOSING: + case TCPS_LAST_ACK: + tp = tcp_close(tp); + break; + + case TCPS_TIME_WAIT: + break; + } + } + goto drop; + } + + /* * RFC 1323 PAWS: If we have a timestamp reply on this segment * and it's less than ts_recent, drop it. */ - if ((to.to_flag & TOF_TS) != 0 && (tiflags & TH_RST) == 0 && - tp->ts_recent && TSTMP_LT(to.to_tsval, tp->ts_recent)) { + if ((to.to_flag & TOF_TS) != 0 && tp->ts_recent && + TSTMP_LT(to.to_tsval, tp->ts_recent)) { /* Check to see if ts_recent is over 24 days old. */ if ((int)(tcp_now - tp->ts_recent_age) > TCP_PAWS_IDLE) { @@ -1020,10 +1102,19 @@ * RST segments do not have to comply with this. */ if ((tp->t_flags & (TF_REQ_CC|TF_RCVD_CC)) == (TF_REQ_CC|TF_RCVD_CC) && - ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc) && - (tiflags & TH_RST) == 0) + ((to.to_flag & TOF_CC) == 0 || tp->cc_recv != to.to_cc)) goto dropafterack; + /* + * In the SYN-RECEIVED state, validate that the packet belongs to + * this connection before trimming the data to fit the receive + * window. Check the sequence number versus IRS since we know + * the sequence numbers haven't wrapped. This is a partial fix + * for the "LAND" DoS attack. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && SEQ_LT(ti->ti_seq, tp->irs)) + goto dropwithreset; + todrop = tp->rcv_nxt - ti->ti_seq; if (todrop > 0) { if (tiflags & TH_SYN) { @@ -1135,40 +1226,6 @@ } /* - * If the RST bit is set examine the state: - * SYN_RECEIVED STATE: - * If passive open, return to LISTEN state. - * If active open, inform user that connection was refused. - * ESTABLISHED, FIN_WAIT_1, FIN_WAIT2, CLOSE_WAIT STATES: - * Inform user that connection was reset, and close tcb. - * CLOSING, LAST_ACK, TIME_WAIT STATES - * Close the tcb. - */ - if (tiflags&TH_RST) switch (tp->t_state) { - - case TCPS_SYN_RECEIVED: - so->so_error = ECONNREFUSED; - goto close; - - case TCPS_ESTABLISHED: - case TCPS_FIN_WAIT_1: - case TCPS_FIN_WAIT_2: - case TCPS_CLOSE_WAIT: - so->so_error = ECONNRESET; - close: - tp->t_state = TCPS_CLOSED; - tcpstat.tcps_drops++; - tp = tcp_close(tp); - goto drop; - - case TCPS_CLOSING: - case TCPS_LAST_ACK: - case TCPS_TIME_WAIT: - tp = tcp_close(tp); - goto drop; - } - - /* * If a SYN is in the window, then this is an * error and we send an RST and drop the connection. */ @@ -1673,9 +1730,22 @@ /* * Generate an ACK dropping incoming segment if it occupies * sequence space, where the ACK reflects our state. - */ - if (tiflags & TH_RST) - goto drop; + * + * We can now skip the test for the RST flag since all + * paths to this code happen after packets containing + * RST have been dropped. + * + * In the SYN-RECEIVED state, don't send an ACK unless the + * segment we received passes the SYN-RECEIVED ACK test. + * If it fails send a RST. This breaks the loop in the + * "LAND" DoS attack, and also prevents an ACK storm + * between two listening ports that have been sent forged + * SYN segments, each with the source address of the other. + */ + if (tp->t_state == TCPS_SYN_RECEIVED && (tiflags & TH_ACK) && + (SEQ_GT(tp->snd_una, ti->ti_ack) || + SEQ_GT(ti->ti_ack, tp->snd_max)) ) + goto dropwithreset; #ifdef TCPDEBUG if (so->so_options & SO_DEBUG) tcp_trace(TA_DROP, ostate, tp, &tcp_saveti, 0); ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org Security notifications: security-notifications@freebsd.org Security public discussion: freebsd-security@freebsd.org PGP Key: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. ============================================================================= -----BEGIN PGP SIGNATURE----- Version: 2.6.3ia Charset: noconv iQCVAwUBNiOat1UuHi5z0oilAQHd+gP/ejply8nSa1eZ4Fntvs7AI0J4+A00INa6 taew67WuQt2a6vMfjtqjYMjt09BCaxWgrKftWfb/sn9vF3WNIZ313xOf0NBpdLAm mTctCLssy/1fw1wmeNBrrA2XyhsmiobZ6KPDOzqKR+xHF9gLQh7ygDc8dBsXUQMp 3kejs4imNb4= =cP5N -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 13:18:39 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA14961 for freebsd-security-outgoing; Tue, 13 Oct 1998 13:18:39 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA14956 for ; Tue, 13 Oct 1998 13:18:36 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id PAA03453; Tue, 13 Oct 1998 15:17:55 -0500 (CDT) Received: from harkol-2.isdn.mke.execpc.com(169.207.64.130) by peak.mountin.net via smap (V1.3) id sma003451; Tue Oct 13 15:17:41 1998 Message-Id: <3.0.3.32.19981013150653.01019394@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Tue, 13 Oct 1998 15:06:53 -0500 To: Brett Glass , Darren Reed , grimace@ns.nternet.net (grimace) From: "Jeffrey J. Mountin" Subject: Re: Spoofed connections on port 13223?? Cc: security@FreeBSD.ORG In-Reply-To: <4.1.19981013100624.041b8760@mail.lariat.org> References: <199810131024.DAA04862@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:06 AM 10/13/98 -0600, Brett Glass wrote to Darren Reed: >CERT? Don't bother. They'll respond several months after it's too late >and say, "Oh, dear." > >--Brett > > >At 08:23 PM 10/13/98 +1000, Darren Reed wrote: > >>People, I can understand wanting to bring it to an informal forum, but >>if you seriously think you are under attack then you should contact the >>relevant CERT and talk with them about it. It may be that what you're >>seeing is part of a "bigger picture" that you can't see. >> >>Darren While it may be true that they will take a while to get back to you, at least it will add to their infomation and may help others when summaries are issued. If you read what they have on: http://www.cert.org/tech_tips/incident_reporting.html ---- A.You may receive technical assistance. A primary part of our mission is to provide a reliable, trusted, 24-hour, single point of contact for security emergencies involving the Internet. We facilitate communication among experts working to solve security problems and serve as a central point for identifying and correcting vulnerabilities in computer systems. When you report an incident to us, we can provide pointers to technical documents, offer suggestions on recovering the security of your systems, and share information about recent intruder activity. In our role as a coordination center, we may have access to information that is not yet widely available to assist in responding to your incident. Unfortunately, our limited resources and the increasing number of incidents reported to us may prevent us from responding to each report individually. We must prioritize our responses to have the greatest impact on the Internet community. ---- Rather explicit, but then *they* are not responsible for the security of *your* system. I need to file a report for a recent probe, especially since there has been no response and it produced an unusal error in my SMTP daemon (custom). The activity stopped before the message was sent, but an explanation is in order. I for one don't expect any help, but whatever they did wasn't even close to compromizing the daemon. And the form: ftp://ftp.cert.org/pub/incident_reporting_form Time to file one. Jeff Mountin - Unix Systems TCP/IP networking jeff@mountin.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 13:59:45 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA22305 for freebsd-security-outgoing; Tue, 13 Oct 1998 13:59:45 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA22282 for ; Tue, 13 Oct 1998 13:59:37 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id NAA25005; Tue, 13 Oct 1998 13:58:27 -0700 (PDT) Message-ID: <19981013135826.A22942@best.com> Date: Tue, 13 Oct 1998 13:58:26 -0700 From: "Jan B. Koum " To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Spoofed connections on port 13223?? References: <199810131024.DAA04862@hub.freebsd.org> <4.1.19981013100624.041b8760@mail.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <4.1.19981013100624.041b8760@mail.lariat.org>; from Brett Glass on Tue, Oct 13, 1998 at 10:06:58AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Oct 13, 1998 at 10:06:58AM -0600, Brett Glass wrote: > CERT? Don't bother. They'll respond several months after it's too late > and say, "Oh, dear." > > --Brett > > > At 08:23 PM 10/13/98 +1000, Darren Reed wrote: > > >People, I can understand wanting to bring it to an informal forum, but > >if you seriously think you are under attack then you should contact the > >relevant CERT and talk with them about it. It may be that what you're > >seeing is part of a "bigger picture" that you can't see. > > > >Darren > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message I think what Darren was refering to was a situation where an attack means nothing to you, but if you contact CERT, they would say: Ohh yeah, we had another 239 calls - this is a large scale attack. However, I never delt with CERT and not really sure how things work when someone calls them. -- Yan I don't have the password .... + Jan Koum But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. So if you've got the time .... | Web: http://www.best.com/~jkb Set the tone to sync ......... + OS: http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 14:32:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA00375 for freebsd-security-outgoing; Tue, 13 Oct 1998 14:32:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from fledge.watson.org (COPLAND.CODA.CS.CMU.EDU [128.2.222.48]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA00368 for ; Tue, 13 Oct 1998 14:32:22 -0700 (PDT) (envelope-from robert@cyrus.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.8.8/8.8.8) with SMTP id RAA20151; Tue, 13 Oct 1998 17:31:17 -0400 (EDT) Date: Tue, 13 Oct 1998 17:31:16 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org Reply-To: Robert Watson To: Brett Glass cc: Darren Reed , grimace , security@FreeBSD.ORG, cert@cert.org Subject: Re: Spoofed connections on port 13223?? In-Reply-To: <4.1.19981013100624.041b8760@mail.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 13 Oct 1998, Brett Glass wrote: > CERT? Don't bother. They'll respond several months after it's too late > and say, "Oh, dear." > > --Brett This does not seem to meet with the experiences I have had with CERT. Last year someone attempted to attack one of my machines by corrupting DNS cache entries on a caching name server at another location -- when I reported this to CERT, they called me that evening and offered to manage communications between me and the other site being spoofed, etc. While they did not offer much in the way of technical advice, this was not a problem as I am fairly experienced in this area. My only real problem with the CERT process is their incredibly long form that must be submitted by email. It is inappropriate for use (or was last time I looked) in situations where more than one machine might be involved, or in situations where there is an ongoing attack but no successful breakin. A more flexible (and simple) form would go a long way. I am certain that there are far fewer reports to CERT because of the complexity of the reporting process. It is entirely possible that things have become far more simple since then -- for the sake of everyone, I hope they have :). The concept of 'CERT' is a very useful one. Robert Watson > > > At 08:23 PM 10/13/98 +1000, Darren Reed wrote: > > >People, I can understand wanting to bring it to an informal forum, but > >if you seriously think you are under attack then you should contact the > >relevant CERT and talk with them about it. It may be that what you're > >seeing is part of a "bigger picture" that you can't see. > > > >Darren > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 14:34:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA00860 for freebsd-security-outgoing; Tue, 13 Oct 1998 14:34:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA00672 for ; Tue, 13 Oct 1998 14:34:01 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199810132134.OAA00672@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA244164386; Wed, 14 Oct 1998 07:33:06 +1000 From: Darren Reed Subject: Re: Spoofed connections on port 13223?? To: jkb@best.com (Jan B. Koum) Date: Wed, 14 Oct 1998 07:33:06 +1000 (EST) Cc: brett@lariat.org, security@FreeBSD.ORG In-Reply-To: <19981013135826.A22942@best.com> from "Jan B. Koum" at Oct 13, 98 01:58:26 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Jan B. Koum, sie said: > > On Tue, Oct 13, 1998 at 10:06:58AM -0600, Brett Glass wrote: > > CERT? Don't bother. They'll respond several months after it's too late > > and say, "Oh, dear." > > > > --Brett > > > > > > At 08:23 PM 10/13/98 +1000, Darren Reed wrote: > > > > >People, I can understand wanting to bring it to an informal forum, but > > >if you seriously think you are under attack then you should contact the > > >relevant CERT and talk with them about it. It may be that what you're > > >seeing is part of a "bigger picture" that you can't see. > > > > > >Darren > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > I think what Darren was refering to was a situation where an attack > means nothing to you, but if you contact CERT, they would say: Ohh > yeah, we had another 239 calls - this is a large scale attack. They don't say that, to you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 14:40:12 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA02113 for freebsd-security-outgoing; Tue, 13 Oct 1998 14:40:12 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA02016 for ; Tue, 13 Oct 1998 14:40:01 -0700 (PDT) (envelope-from spork@super-g.com) Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id RAA15620 for ; Tue, 13 Oct 1998 17:39:36 -0400 (EDT) Date: Tue, 13 Oct 1998 17:39:36 -0400 (EDT) From: spork X-Sender: spork@super-g.inch.com To: freebsd-security@FreeBSD.ORG Subject: mountd exploit Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I saw in the annoucement posted to Bugtraq that FreeBSD post 2.2.6(?) was immune. Does anyone have data on whether earlier versions, especially 2.1.7.1, are vulnerable? Thanks, Charles --- Charles Sprickman spork@super-g.com --- "...there's no idea that's so good you can't ruin it with a few well-placed idiots." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 15:23:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA08776 for freebsd-security-outgoing; Tue, 13 Oct 1998 15:23:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA08770 for ; Tue, 13 Oct 1998 15:23:08 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id QAA23639; Tue, 13 Oct 1998 16:22:50 -0600 (MDT) Message-Id: <4.1.19981013162129.0475b390@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 13 Oct 1998 16:22:45 -0600 To: "Jan B. Koum " From: Brett Glass Subject: Re: Spoofed connections on port 13223?? Cc: security@FreeBSD.ORG In-Reply-To: <19981013135826.A22942@best.com> References: <4.1.19981013100624.041b8760@mail.lariat.org> <199810131024.DAA04862@hub.freebsd.org> <4.1.19981013100624.041b8760@mail.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:58 PM 10/13/98 -0700, Jan B. Koum wrote: > However, I never delt with CERT and not really sure how things work > when someone calls them. When we had a machine rooted, they DIDN'T call back. They didn't even respond to the e-mail until a momth later. Their announcement of the security hole through which our machine was compromised came WEEKS after it was too late. In short, they're ineffectual except perhaps as archivists. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 16:20:49 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18409 for freebsd-security-outgoing; Tue, 13 Oct 1998 16:20:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from tok.qiv.com (tok.qiv.com [205.238.142.68]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18393 for ; Tue, 13 Oct 1998 16:20:45 -0700 (PDT) (envelope-from jdn@acp.qiv.com) Received: (from uucp@localhost) by tok.qiv.com (8.8.8/8.8.5) with UUCP id SAA03651; Tue, 13 Oct 1998 18:20:28 -0500 (CDT) Received: from localhost (jdn@localhost) by acp.qiv.com (8.8.8/8.8.8) with SMTP id SAA01367; Tue, 13 Oct 1998 18:12:41 -0500 (CDT) (envelope-from jdn@acp.qiv.com) Date: Tue, 13 Oct 1998 18:12:41 -0500 (CDT) From: Jay Nelson To: "Leonard C." cc: security@FreeBSD.ORG Subject: Re: URGENT! Need help determining scope of attack... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I had a similar experience. In my case, an "Admin" claimed he was checking his network for BO vulnerability (a different ISP than ours) and also checked all the "dial-in" ips of _our_ ISP since many of his users had accounts with our ISP. He apologized for his "mistake." A call to his ISP resolved the issue. I've seen a Linux box that was breached (through imap, I think) that substituted a number of trojaned binaries and added a line to inetd.conf for service 31336 that called telnetd (one of the trojaned binaries.) They put a script called "d" in /sbin that inventoried the machine and shipped all the relevant information off to an ftp server that had a 5 second timeout. They ended up installing a port bomb and sniffer in a directory with permission 000 and used it against other machines. The back doors they use are configurable as to which port they attach and they seem to like 3133[5-9] because of all the BO publicity. So I'm a little sensitive to anything touching those ports. I contact their administrators, hostmasters or whomever I can locate when I see anything like this. Others have suggested you do the same and I would agree. -- Jay On Mon, 12 Oct 1998, Leonard C. wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >When I checked my system's daily report today, I found this: > >> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) >> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896 > >With the core dump and then the attempted connections to port 31337, I'm >suspecting that this is a script kiddy. What worries me is I'm unsure of >the scope of the attack. In the logs, right after the attack, there was an >su to root, but no new accounts have been added, nor any new uid 0 >accounts. There are also no new setuid programs either. > >Netstat also doesn't report anything listening on any new ports. > >Right now, I've disabled all services except for ssh, but I'm not too sure >what the next steps to take are. Also, I noticed that the attacks came >from two seperate IPs. Everybody here on the internal network has to use a >gateway in order to reach the outside network with a netmask of >255.255.255.0 (so, for me, it's 169.229.87.1). This gateway logs >everybody's MAC address before activating the port, and partitions it if a >different MAC address is later used. Can I be fairly certain then that the >IPs that the attacks came from are the correct ones? > >What are the next steps from here? Is there anything I can do to prevent >something like this from happening next time? Also, the core dump was from >telnet and I haven't heard of any new exploits on that. Any ideas on what >exactly happened? > >I know this is a lot of questions to throw at you, but I'm not really sure >what to do next. > >Thanks in advance for all of your help, > >Leonard > >**************************** >Note: The errors on the ed1 ethernet card are normal. I've tried to fudge >with the IRQ's, to no avail, but I keep getting these messages. Other than >errors, I've had no problems though. The power.leonard.com is a computer >on my internal network (10.0.0.0), so errors from qpopper on that are >mainly just me playing around with it. >/var/log/messages: > >Oct 10 03:51:22 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:3039 >Oct 10 04:27:03 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2297 >Oct 10 04:39:10 icarus /kernel: ed1: device timeout >Oct 10 11:02:04 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:3649 >Oct 10 12:58:18 icarus afpd[5988]: afp_die: asp_shutdown: Operation timed out >Oct 10 18:56:05 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:4035 >Oct 10 21:59:48 icarus afpd[6475]: afp_die: asp_shutdown: Operation timed out >Oct 11 00:42:40 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:1034 >Oct 11 02:28:34 icarus su: leonard to root on /dev/ttyp0 >Oct 11 02:45:58 icarus su: leonard to root on /dev/ttyp0 >Oct 11 02:49:40 icarus syslogd: exiting on signal 15 >Oct 11 02:51:13 icarus popper[7002]: @localhost.Berkeley.EDU: -ERR Unknown >comma >nd: "quyit". >Oct 11 03:00:37 icarus syslogd: exiting on signal 15 >Oct 11 03:01:43 icarus /kernel: pid 7081 (telnet), uid 0: exited on signal >3 (co >re dumped) >Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command >"a;jf >as;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size. >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >get". >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >host:". >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many >arguments > supplied. >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >accept-language:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >connection:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many >arguments > supplied. >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >ua-os:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >ua-cpu:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >extension:". >Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received >Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0 >re dumped) >Oct 11 03:02:28 icarus popper[7090]: @localhost.Berkeley.EDU: -ERR Command >"a;jf >as;ldjfsdl;kjfsdl;akfjaslkd;f" (truncated) exceedes maximum permitted size. >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >get". >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >host:". >Oct 11 03:45:39 icarus popper[7152]: @power.leonard.com: -ERR Too many >arguments > supplied. >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >accept-language:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >connection:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Too many >arguments > supplied. >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >ua-os:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >ua-cpu:". >Oct 11 03:45:40 icarus popper[7152]: @power.leonard.com: -ERR Unknown >command: " >extension:". >Oct 11 03:45:48 icarus popper[7152]: @power.leonard.com: -ERR POP EOF received >Oct 11 03:56:45 icarus su: leonard to root on /dev/ttyp0 >Oct 11 09:18:04 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.93.66:1335 >Oct 11 10:49:14 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.93.66:1335 >Oct 11 11:20:32 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.93.66:1335 >Oct 11 15:57:49 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:1896 >Oct 11 20:05:48 icarus afpd[8149]: afp_die: asp_shutdown: Operation timed out >Oct 11 21:14:00 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2301 >Oct 11 21:14:12 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2203 >Oct 11 21:14:41 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2179 >Oct 11 22:32:58 icarus arpwatch: 0:40:5:68:1:7a sent bad hardware format 0xe >Oct 12 00:13:59 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >6016 >Oct 12 00:38:38 icarus afpd[202]: atp_sreq: Network is unreachable >Oct 12 00:38:59 icarus /kernel: ed1: device timeout >Oct 12 00:39:08 icarus afpd[202]: atp_sreq: Network is unreachable >Oct 12 00:39:55 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2122 >Oct 12 00:40:23 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2342 >Oct 12 00:43:51 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2062 >Oct 12 00:44:10 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2128 >Oct 12 00:45:38 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:3744 >Oct 12 00:48:38 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2157 >Oct 12 00:48:46 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2168 >Oct 12 00:50:45 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2192 >Oct 12 01:13:35 icarus /kernel: ed1: NIC memory corrupt - invalid packet length >2066 >Oct 12 07:50:58 icarus /kernel: Connection attempt to UDP >169.229.87.90:31337 fr >om 169.229.84.53:4216 >Oct 12 10:08:51 icarus arpwatch: 0:e0:29:18:58:52 sent bad hardware format >0x800 >f > >**************************** >Daily security check output: > >checking setuid files and devices: > > >checking for uids of 0: >root 0 >toor 0 > > >icarus kernel log messages: >> 2:2082 >> pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) >> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.90:31337 from 169.229.93.66:1335 >> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:1896 >> ed1: NIC memory corrupt - invalid packet length 2301 >> ed1: NIC memory corrupt - invalid packet length 2203 >> ed1: NIC memory corrupt - invalid packet length 2179 >> ed1: NIC memory corrupt - invalid packet length 6016 >> ed1: device timeout >> ed1: NIC memory corrupt - invalid packet length 2122 >> ed1: NIC memory corrupt - invalid packet length 2342 >> ed1: NIC memory corrupt - invalid packet length 2062 >> ed1: NIC memory corrupt - invalid packet length 2128 >> Connection attempt to UDP 169.229.87.90:31337 from 169.229.84.53:3744 >> ed1: NIC memory corrupt - invalid packet length 2157 >> ed1: NIC memory corrupt - invalid packet length 2168 >> ed1: NIC memory corrupt - invalid packet length 2192 >> ed1: NIC memory corrupt - invalid packet length 2066 > > >icarus login failures: > > >icarus refused connections: > >- -- >Support the Blue Ribbon Campaign for free speech online () >http://www.eff.org/blueribbon.html /\ >"Those who will not reason perish in the act. >Those who will not act, perish for that reason." - W. H. Auden > >-----BEGIN PGP SIGNATURE----- >Version: PGPfreeware 6.0 for non-commercial use > >iQA/AwUBNiKMUOAvLUJUxjQXEQLN2QCgwR0ANRboI2jvyXMoMUvvbW8KO2IAn2w+ >x6wRo16IjELRC9zoa7F6du35 >=lqn5 >-----END PGP SIGNATURE----- > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 17:52:29 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA04608 for freebsd-security-outgoing; Tue, 13 Oct 1998 17:52:29 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA04596 for ; Tue, 13 Oct 1998 17:52:18 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA24971; Tue, 13 Oct 1998 18:51:55 -0600 (MDT) Message-Id: <4.1.19981013184727.00c3a620@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 13 Oct 1998 18:48:56 -0600 To: Jay Nelson , "Leonard C." From: Brett Glass Subject: Re: URGENT! Need help determining scope of attack... Cc: security@FreeBSD.ORG In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 06:12 PM 10/13/98 -0500, Jay Nelson wrote: >The back doors they use are configurable as to which port >they attach and they seem to like 3133[5-9] because of all the BO >publicity. So I'm a little sensitive to anything touching those ports. In the name of safe computing, you should always use a firewall and make sure no one touches your private ports. (Sorry, couldn't resist.) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 17:59:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA05868 for freebsd-security-outgoing; Tue, 13 Oct 1998 17:59:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA05852 for ; Tue, 13 Oct 1998 17:59:07 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au) Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1a/8.9.1) id KAA21082; Wed, 14 Oct 1998 10:58:33 +1000 (EST) Date: Wed, 14 Oct 1998 10:58:32 +1000 (EST) From: Nicholas Charles Brawn X-Sender: ncb05@banshee.cs.uow.edu.au To: Brett Glass cc: "Jan B. Koum " , security@FreeBSD.ORG Subject: Re: Spoofed connections on port 13223?? In-Reply-To: <4.1.19981013162129.0475b390@mail.lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, 13 Oct 1998, Brett Glass wrote: > At 01:58 PM 10/13/98 -0700, Jan B. Koum wrote: > > > However, I never delt with CERT and not really sure how things work > > when someone calls them. > > When we had a machine rooted, they DIDN'T call back. They didn't even > respond to the e-mail until a momth later. Their announcement of the > security hole through which our machine was compromised came WEEKS > after it was too late. > > In short, they're ineffectual except perhaps as archivists. > > --Brett Brett, when you statements like that, be sure to "qualify" them and say something along the lines of "in my experience, they are ineffectual...", etc. Perhaps if you think about the security situation at the time, with potentially hundreds of machines being attacked as a result of the same bug you got rooted with, they have to set some sort of priority over who they handle first. From my limited interactions with them, they explicitly state they will deal with situations of life-threatening importance first, and then work their way down. Your network may not have been high on their list. You cannot fault them for this. Nick -- Email: ncb@poboxes.com - http://www.poboxes.com/ncb Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 18:06:54 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA07430 for freebsd-security-outgoing; Tue, 13 Oct 1998 18:06:54 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07377 for ; Tue, 13 Oct 1998 18:06:39 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id TAA25069; Tue, 13 Oct 1998 19:06:00 -0600 (MDT) Message-Id: <4.1.19981013190522.00c4a200@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Tue, 13 Oct 1998 19:05:56 -0600 To: Nicholas Charles Brawn From: Brett Glass Subject: Re: Spoofed connections on port 13223?? Cc: "Jan B. Koum " , security@FreeBSD.ORG In-Reply-To: References: <4.1.19981013162129.0475b390@mail.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 10:58 AM 10/14/98 +1000, Nicholas Charles Brawn wrote: >Brett, when you statements like that, be sure to "qualify" them and >say something along the lines of "in my experience, they are >ineffectual...", etc. Perhaps if you think about the security situation >at the time, with potentially hundreds of machines being attacked as a >result of the same bug you got rooted with, they have to set some sort >of priority over who they handle first. From my limited interactions >with them, they explicitly state they will deal with situations of >life-threatening importance first, and then work their way down. Your >network may not have been high on their list. You cannot fault them for >this. I asked about this. They did not indicate anything of the sort; just said they got a lot of mail. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Oct 13 21:20:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA03471 for freebsd-security-outgoing; Tue, 13 Oct 1998 21:20:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from stennis.ca.sandia.gov (stennis.ca.sandia.gov [146.246.243.44]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA03463 for ; Tue, 13 Oct 1998 21:20:08 -0700 (PDT) (envelope-from bmah@stennis.ca.sandia.gov) Received: (from bmah@localhost) by stennis.ca.sandia.gov (8.9.1/8.9.1) id VAA08258; Tue, 13 Oct 1998 21:19:52 -0700 (PDT) Message-Id: <199810140419.VAA08258@stennis.ca.sandia.gov> X-Mailer: exmh version 2.0.2 2/24/98 To: security@FreeBSD.ORG Cc: bmah@ca.sandia.gov Subject: Re: Spoofed connections on port 13223?? In-Reply-To: Your message of "Tue, 13 Oct 1998 19:05:56 MDT." <4.1.19981013190522.00c4a200@mail.lariat.org> From: bmah@ca.sandia.gov (Bruce A. Mah) Reply-To: bmah@ca.sandia.gov X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Url: http://www.ca.sandia.gov/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_713879808P"; micalg=pgp-md5; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Tue, 13 Oct 1998 21:19:52 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --==_Exmh_713879808P Content-Type: text/plain; charset=us-ascii If memory serves me right, Brett Glass wrote: > At 10:58 AM 10/14/98 +1000, Nicholas Charles Brawn wrote: [snip] > >From my limited interactions > >with them, they explicitly state they will deal with situations of > >life-threatening importance first, and then work their way down. Your > >network may not have been high on their list. You cannot fault them for > >this. > > I asked about this. They did not indicate anything of the sort; just said > they got a lot of mail. My (also limited) experience with CERT was consistent with Nick's. They do read their email...I had the interesting experience of a CERT representative phone me after I reported several (unsuccessful) attacks. He wanted to clarify some information in my emails. Two interesting things that I remember from this conversation: 1. As Brett said, they get a lot of mail. They use it to spot out trends. In fact, John Howard, one of my colleagues, did an analysis of some of this data for his PhD dissertation. 2. It's helpful to them if you explicitly tell them what you want, if you need assistance. Usually, what I send to them are CCs of complaints I send to other people, with a notation at the top "CERT: FYI". (I know, this procedure doesn't use their form, which I found cumbersome, but it has all the useful information.) Cheers, Bruce. --==_Exmh_713879808P Content-Type: application/pgp-signature -----BEGIN PGP MESSAGE----- Version: 2.6.2 iQCVAwUBNiQmZ6jOOi0j7CY9AQGREgP+Pgyfa/SospV36NuKyIJWIOv28fd/RRDm g3GvOyj/H7uVeQBbsqNkzRHmcX67aey2I0eRkjTf68e1zh9xpeHWgCRp21DgW++5 8kZQBWvM8Fh0eAsrFzCrjahk4W/d1mTKZ1iKGfd1scbyJZ19HfcfUpQaKuw8ldNJ n3pTYRDcsig= =miHS -----END PGP MESSAGE----- --==_Exmh_713879808P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 05:18:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA16960 for freebsd-security-outgoing; Wed, 14 Oct 1998 05:18:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA16955 for ; Wed, 14 Oct 1998 05:18:53 -0700 (PDT) (envelope-from mike@seidata.com) From: mike@seidata.com Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id IAA13763; Wed, 14 Oct 1998 08:16:18 -0400 (EDT) Date: Wed, 14 Oct 1998 08:16:18 -0400 (EDT) To: Nicholas Charles Brawn cc: Brett Glass , "Jan B. Koum " , security@FreeBSD.ORG Subject: Re: Spoofed connections on port 13223?? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 14 Oct 1998, Nicholas Charles Brawn wrote: > > In short, they're ineffectual except perhaps as archivists. > > life-threatening importance first, and then work their way down. Your > network may not have been high on their list. You cannot fault them for > this. Can I agree with both sides, or is that being a yellow-bellied coward? Oh, wait! I'm a sysadmin, I don't care what people think about me. ;) I can see Brett's point... I know of many admins (myself definately included) that have 'written CERT off' to some point in the past. This is mostly due to the untimely fashion that CERT announcements are made to public forums such as Bugtraq. Qpopper comes to mind... As I recall, it was weeks after FreeBSD lists and Bugtraq had already addressed the Qpopper overflow and provided patches for it before CERT even announced it as a problem. I also see Nick's point... CERT does do a *lot* of good. Even if it was only archiving as Brett mentions, it would still be highly valuable. CERT's announcements are sometimes more in-depth than those released by others (gee, maybe the reason their announcemetns take longer to make it 'to the press' is because they're doing more research than everyone else). Some sort of immediate-response forum is definately needed to minimize damage to networks and computers (i.e. the security lists relating to your specific OS), but an in-depth perspective is valuable as well (such as that provided by CERT), imco. Also, I find the first paragraph of www.cert.org quite enlightening, "The CERT* Coordination Center studies Internet security vulnerabilities, provides incident response services to sites that have been victims of attack, publishes a variety of security alerts, researches security and survivability in wide-area-networked computing, and develops information to help you improve security a your site." Assuming an insitution of CERT's caliber would be prone to logical thought (not always true, I know, but I believe it is in this case), the progression of this paragraph should tell us a lot. Their first goal is study of Internet security vulnerabilities - not beating everyone else to the press - but studying the how's and why's of security situations. Also, I notice this is a lot for *any* insitution to undertake. I'm sure they get everything from 'Our 200,000 node WAN was seriously compromised this AM' to 'Someone on IRC rooted my linux box' (not a crack at Linux, just an example). Some sort of delegation obviously *has* to take place for CERT to be effective at all, and, as Nick mentions, they must categorize their responses. In short, I've had disagreements with CERT in the past (it's natural for every admin to feel *their* network is the *most* important ;), but I do feel they're here to help us when they can. It's not a light task they've taken on, and perhaps rather than griping that they don't respond quickly enough, etc. we should be asking how we can help. Later, -mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 07:20:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA27938 for freebsd-security-outgoing; Wed, 14 Oct 1998 07:20:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hotmail.com (f95.hotmail.com [207.82.250.201]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA27933 for ; Wed, 14 Oct 1998 07:20:21 -0700 (PDT) (envelope-from madrapour@hotmail.com) Received: (qmail 22105 invoked by uid 0); 14 Oct 1998 14:20:06 -0000 Message-ID: <19981014142006.22104.qmail@hotmail.com> Received: from 195.96.144.18 by www.hotmail.com with HTTP; Wed, 14 Oct 1998 07:20:05 PDT X-Originating-IP: [195.96.144.18] From: "N. N.M" To: freebsd-security@FreeBSD.ORG Subject: Again logging! Content-Type: text/plain Date: Wed, 14 Oct 1998 07:20:05 PDT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi everybody, I have still some problems with logging. I'd be pleased if anyone could help me [sorry in advance if the problems are so irrelevant): 1- I installed TCP Wrapper in the way that I moved the real daemons to another directory and copied "tcpd" instead of real daemons. I don't know how I can get it's logs. I add a line to log the messages from "tcpd" to a file. But it didn't work. 2- I don't know the difference between running "inetd" with switch "-l" and without it. 3- Will it affect the system performance if I activate the logging of TCP and UDP connections by setting the following kernel variables?: net.inet.tcp.log_in_vain=1 net.inet.udp.log_in_vain=1 Nazila N. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 08:27:11 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA06639 for freebsd-security-outgoing; Wed, 14 Oct 1998 08:27:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA06630 for ; Wed, 14 Oct 1998 08:27:06 -0700 (PDT) (envelope-from mike@seidata.com) From: mike@seidata.com Received: from localhost (mike@localhost) by ns1.seidata.com (8.8.8/8.8.5) with ESMTP id LAA18932; Wed, 14 Oct 1998 11:26:24 -0400 (EDT) Date: Wed, 14 Oct 1998 11:26:24 -0400 (EDT) To: "N. N.M" cc: freebsd-security@FreeBSD.ORG Subject: Re: Again logging! In-Reply-To: <19981014142006.22104.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 14 Oct 1998, N. N.M wrote: > 1- I installed TCP Wrapper in the way that I moved the real daemons to > another directory and copied "tcpd" instead of real daemons. I don't > know how I can get it's logs. I add a line to log the messages from > "tcpd" to a file. But it didn't work. Default install dumps to /var/log/messages for me - what do you mean by 'get it's logs'? > 2- I don't know the difference between running "inetd" with switch "-l" > and without it. Assuming 'man inetd' is correct: "When given the -l option inetd will log an entry to syslog each time an accept(2) is made, which notes the service selected and the IP-number of the remote requestor." > 3- Will it affect the system performance if I activate the logging of > TCP and UDP connections by setting the following kernel variables?: > net.inet.tcp.log_in_vain=1 > net.inet.udp.log_in_vain=1 Not sure, I don't do this. First guess would be, "Yes." I'm sure others here will have definate answers for this. Later, -mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 09:25:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA16114 for freebsd-security-outgoing; Wed, 14 Oct 1998 09:25:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from socrates.i-pi.com (socrates.i-pi.com [198.49.217.5]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA16106 for ; Wed, 14 Oct 1998 09:25:27 -0700 (PDT) (envelope-from ingham@i-pi.com) Received: (from ingham@localhost) by socrates.i-pi.com (8.8.8/8.8.7) id JAA02196; Wed, 14 Jan 1998 09:21:55 -0700 (MST) (envelope-from ingham) Message-ID: <19980114092154.B449@i-pi.com> Date: Wed, 14 Jan 1998 09:21:54 -0700 From: Kenneth Ingham To: "N. N.M" , freebsd-security@FreeBSD.ORG Subject: Re: Again logging! References: <19981014142006.22104.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.1i In-Reply-To: <19981014142006.22104.qmail@hotmail.com>; from N. N.M on Wed, Oct 14, 1998 at 07:20:05AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > 3- Will it affect the system performance if I activate the logging of > TCP and UDP connections by setting the following kernel variables?: > net.inet.tcp.log_in_vain=1 > net.inet.udp.log_in_vain=1 I'm sure it does. I have no specific numbers though. I run with both turned on on the main router (which is a FreeBSD box). My router is idle >99% of the time, so the performance hit is not a problem. The machine is much faster than the network connection (33.6 full-time dialup in my case). How fast is your network connection? That and the performance of your machine should be the determining factor(s) about whether or the performance hit will be a problem. Kenneth To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 09:52:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA19431 for freebsd-security-outgoing; Wed, 14 Oct 1998 09:52:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from colin.muc.de (colin.muc.de [193.174.4.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id JAA19426 for ; Wed, 14 Oct 1998 09:52:28 -0700 (PDT) (envelope-from lutz@muc.de) Received: from tavari.muc.de ([193.174.4.22]) by colin.muc.de with SMTP id <140559-1>; Wed, 14 Oct 1998 18:51:55 +0200 Received: (from daemon@localhost) by tavari.muc.de (8.8.8/8.8.7) id SAA01576; Wed, 14 Oct 1998 18:51:27 +0200 (CEST) Received: from ripley(192.168.42.202) by morranon via smap (V2.1) id xma001574; Wed, 14 Oct 98 18:51:23 +0200 From: "Lutz Albers" To: "grimace" , Subject: RE: Spoofed connections on port 13223?? Date: Wed, 14 Oct 1998 18:51:21 +0200 Message-ID: <001601bdf792$df058a10$ca2aa8c0@ripley.tavari.muc.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook 8.5, Build 4.71.2377.0 In-Reply-To: Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, > the clog package from the ports collection. What really baffles > me, is that > these attacks are clearly intentional, but I've been unable to > determine the > significance of port 13223. a quick search on the Web unearthed a chat program called PowWow using that port. -- Lutz Albers, lutz@muc.de, pgp key available from Do not take life too seriously, you will never get out of it alive. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 10:09:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA22085 for freebsd-security-outgoing; Wed, 14 Oct 1998 10:09:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from acetylene.vapornet.net (acetylene.vapornet.net [209.100.218.11]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA22070 for ; Wed, 14 Oct 1998 10:09:13 -0700 (PDT) (envelope-from john@acetylene.vapornet.net) Received: from habanero.chili-pepper.net (vapornet.xnet.com. [205.243.141.107]) by acetylene.vapornet.net (a mail server) with ESMTP id MAA18369; Wed, 14 Oct 1998 12:08:49 -0500 (CDT) (envelope-from john) Received: (from john@localhost) by habanero.chili-pepper.net (a mail client) id MAA00631; Wed, 14 Oct 1998 12:08:41 -0500 (CDT) (envelope-from john) From: John Preisler MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Wed, 14 Oct 1998 12:08:41 -0500 (CDT) To: Kenneth Ingham Cc: "N. N.M" , freebsd-security@FreeBSD.ORG Subject: Re: Again logging! In-Reply-To: <19980114092154.B449@i-pi.com> References: <19981014142006.22104.qmail@hotmail.com> <19980114092154.B449@i-pi.com> X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Message-ID: <13860.55858.134449.692826@habanero.chili-pepper.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Also keep in mind that these sysctl switches, unlike ipfw rules, have NO LIMIT on them. A person could easily overflow your /var partition [assuming you have one] in a few minutes with a program like strobe. fwiw. Kenneth Ingham writes: > > 3- Will it affect the system performance if I activate the logging of > > TCP and UDP connections by setting the following kernel variables?: > > net.inet.tcp.log_in_vain=1 > > net.inet.udp.log_in_vain=1 > I'm sure it does. I have no specific numbers though. > > I run with both turned on on the main router (which is a FreeBSD box). > My router is idle >99% of the time, so the performance hit is not a > problem. The machine is much faster than the network connection (33.6 > full-time dialup in my case). > > How fast is your network connection? That and the performance of your > machine should be the determining factor(s) about whether or the > performance hit will be a problem. > > Kenneth > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 12:44:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA14784 for freebsd-security-outgoing; Wed, 14 Oct 1998 12:44:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA14779 for ; Wed, 14 Oct 1998 12:44:26 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id OAA09160; Wed, 14 Oct 1998 14:43:05 -0500 (CDT) Received: from klinzhai-104.isdn.mke.execpc.com(169.207.65.232) by peak.mountin.net via smap (V1.3) id sma009157; Wed Oct 14 14:42:36 1998 Message-Id: <3.0.3.32.19981014143146.0105ff00@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Wed, 14 Oct 1998 14:31:46 -0500 To: mike@seidata.com, "N. N.M" From: "Jeffrey J. Mountin" Subject: Re: Again logging! Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <19981014142006.22104.qmail@hotmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 11:26 AM 10/14/98 -0400, mike@seidata.com wrote: >On Wed, 14 Oct 1998, N. N.M wrote: > >> 1- I installed TCP Wrapper in the way that I moved the real daemons to >> another directory and copied "tcpd" instead of real daemons. I don't >> know how I can get it's logs. I add a line to log the messages from >> "tcpd" to a file. But it didn't work. > >Default install dumps to /var/log/messages for me - what do you mean >by 'get it's logs'? Yes, but the facility is LOG_AUTH if you use the port. The original source uses LOG_MAIL for some odd reason. Either way it should be logged in messages with the original install's syslog.conf, which lumps it in with other daemons. Personally I change patch-aa to use LOG_LOCAL7 and in syslog.conf I direct local7.* to /var/log/tcpd, which IMO should have a logfile to itself. Then again I like to break things down more than the original syslog.conf does, which makes it easier to sift out the chaff. If you are not familiar with the diff's, it would be better to 'make patch', edit the Makefile, then 'make' and 'make install' (or just 'make install'). Jeff Mountin - Unix Systems TCP/IP networking jeff@mountin.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 12:58:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA16040 for freebsd-security-outgoing; Wed, 14 Oct 1998 12:58:48 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from uriela.in-berlin.de (servicia.in-berlin.de [192.109.42.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA16032 for ; Wed, 14 Oct 1998 12:58:33 -0700 (PDT) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m0zTX2R-000VX5C; Wed, 14 Oct 1998 21:56:51 +0200 (CEST) Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id QAA09900; Wed, 14 Oct 1998 16:19:31 +0200 (CEST) (envelope-from ripley) Message-ID: <19981014161930.28966@nostromo.in-berlin.de> Date: Wed, 14 Oct 1998 16:19:30 +0200 From: "H. Eckert" To: Jay Nelson Cc: security@FreeBSD.ORG Subject: Re: URGENT! Need help determining scope of attack... References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84e In-Reply-To: ; from Jay Nelson on Tue, Oct 13, 1998 at 06:12:41PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Oct 13, 1998 at 06:12:41PM -0500, Jay Nelson wrote: > On Mon, 12 Oct 1998, Leonard C. wrote: [10 kByte full size quote removed] What is it that almost everybodys' editors seem to have the "delete-line" function missing these days ? Greetings, Ripley -- http://www.in-berlin.de/User/nostromo/ == "You don't say what kind of CD drive or hard disks you have, but since it is causing you trouble I'll assume it is IDE." -- comp.unix.bsd.freebsd.misc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 13:34:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA21047 for freebsd-security-outgoing; Wed, 14 Oct 1998 13:34:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from axl.training.iafrica.com (axl.training.iafrica.com [196.31.1.175]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA20952 for ; Wed, 14 Oct 1998 13:34:08 -0700 (PDT) (envelope-from sheldonh@axl.training.iafrica.com) Received: from sheldonh (helo=iafrica.com) by axl.training.iafrica.com with local-esmtp (Exim 2.05 #1) id 0zTXc4-0005F1-00 for security@freebsd.org; Wed, 14 Oct 1998 22:33:40 +0200 From: Sheldon Hearn To: security@FreeBSD.ORG Subject: syslog.conf comment about tabs Date: Wed, 14 Oct 1998 22:33:40 +0200 Message-ID: <20150.908397220@iafrica.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi folks, It's a pity that, after all the discussion about syslog's differentiation between tabs and spaces, nothing was actually done about it. This is especially sad given that 3.0-RELEASE is about to be snapped. When someone with commit privs has some time (does this sound like millenium hype? ;) it'd be great to see PR8162 making it into the repository. It suggests a comment for etc/syslog.conf which should reduce the number of questions syslog's behaviour generates. Perhaps this will make it into 3.1. Ciao, Sheldon. PS: I do understand that people have been incredibly busy lately. It's just frustrating to see something like this overlooked prior to the release of a CD that's going to generate a huge number of questions as it is. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 14:00:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA24852 for freebsd-security-outgoing; Wed, 14 Oct 1998 14:00:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA24840 for ; Wed, 14 Oct 1998 14:00:40 -0700 (PDT) (envelope-from mjenkins@carp.gbr.epa.gov) Received: (from mjenkins@localhost) by carp.gbr.epa.gov (8.8.8/8.8.8) id QAA22991; Wed, 14 Oct 1998 16:00:12 -0500 (CDT) (envelope-from mjenkins) Date: Wed, 14 Oct 1998 16:00:12 -0500 (CDT) From: Mike Jenkins Message-Id: <199810142100.QAA22991@carp.gbr.epa.gov> To: jeff-ml@mountin.net, madrapour@hotmail.com, mike@seidata.com Subject: Re: Again logging! Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3.0.3.32.19981014143146.0105ff00@207.227.119.2> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 14 Oct 1998 14:31:46 -0500, Jeffrey J. Mountin wrote: > At 11:26 AM 10/14/98 -0400, mike@seidata.com wrote: > >On Wed, 14 Oct 1998, N. N.M wrote: > > > >> 1- I installed TCP Wrapper in the way that I moved the real daemons to > >> another directory and copied "tcpd" instead of real daemons. I don't > >> know how I can get it's logs. I add a line to log the messages from > >> "tcpd" to a file. But it didn't work. > > > >Default install dumps to /var/log/messages for me - what do you mean > >by 'get it's logs'? > > Yes, but the facility is LOG_AUTH if you use the port. The original source > uses LOG_MAIL for some odd reason. Either way it should be logged in > messages with the original install's syslog.conf, which lumps it in with > other daemons. > > Personally I change patch-aa to use LOG_LOCAL7 and in syslog.conf I direct > local7.* to /var/log/tcpd, which IMO should have a logfile to itself. Then > again I like to break things down more than the original syslog.conf does, > which makes it easier to sift out the chaff. I find tags very useful when you don't know what facility a program uses. For example, I use the following in /etc/syslog.conf for "inetd -l": !inetd *.*/var/log/inetd.log So tcpd could use something like: !tcpd *.*/var/log/tcpd.log Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 14:38:05 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA00624 for freebsd-security-outgoing; Wed, 14 Oct 1998 14:38:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA00611 for ; Wed, 14 Oct 1998 14:38:03 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id PAA03508; Wed, 14 Oct 1998 15:37:44 -0600 (MDT) Message-Id: <4.1.19981014153634.078ba510@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 14 Oct 1998 15:37:17 -0600 To: Sheldon Hearn , security@FreeBSD.ORG From: Brett Glass Subject: Re: syslog.conf comment about tabs In-Reply-To: <20150.908397220@iafrica.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I am beta testing 3.0 now, and it looks quite solid. Let's add this before the code freeze. --Brett At 10:33 PM 10/14/98 +0200, Sheldon Hearn wrote: > >Hi folks, > >It's a pity that, after all the discussion about syslog's >differentiation between tabs and spaces, nothing was actually done about >it. This is especially sad given that 3.0-RELEASE is about to be >snapped. > >When someone with commit privs has some time (does this sound like >millenium hype? ;) it'd be great to see PR8162 making it into the >repository. It suggests a comment for etc/syslog.conf which should >reduce the number of questions syslog's behaviour generates. Perhaps >this will make it into 3.1. > >Ciao, >Sheldon. > >PS: I do understand that people have been incredibly busy lately. It's >just frustrating to see something like this overlooked prior to the >release of a CD that's going to generate a huge number of questions as >it is. > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 17:12:43 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA23274 for freebsd-security-outgoing; Wed, 14 Oct 1998 17:12:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA23263 for ; Wed, 14 Oct 1998 17:12:39 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu) Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id TAA22384; Wed, 14 Oct 1998 19:12:18 -0500 (CDT) From: Igor Roshchin Message-Id: <199810150012.TAA22384@alecto.physics.uiuc.edu> Subject: Re: syslog.conf comment about tabs In-Reply-To: <4.1.19981014153634.078ba510@mail.lariat.org> from "Brett Glass" at "Oct 14, 1998 3:37:17 pm" To: brett@lariat.org (Brett Glass) Date: Wed, 14 Oct 1998 19:12:17 -0500 (CDT) Cc: security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello! I posted the patch to both security- and stable- lists already - I've tested it on a 2.2-stable, and it works for me. Unfortunately I haven't heard any responses from anybody. Also, I don't have any 3.x machine available. I am trying to right the correction for the man page right now. As soon as I have it done, I can send all the patches together to whoever can commit them. Brett, would you commit them ? IgoR > I am beta testing 3.0 now, and it looks quite solid. Let's add this > before the code freeze. > > --Brett > > At 10:33 PM 10/14/98 +0200, Sheldon Hearn wrote: > > > > >Hi folks, > > > >It's a pity that, after all the discussion about syslog's > >differentiation between tabs and spaces, nothing was actually done about > >it. This is especially sad given that 3.0-RELEASE is about to be > >snapped. > > > >When someone with commit privs has some time (does this sound like > >millenium hype? ;) it'd be great to see PR8162 making it into the > >repository. It suggests a comment for etc/syslog.conf which should > >reduce the number of questions syslog's behaviour generates. Perhaps > >this will make it into 3.1. > > > >Ciao, > >Sheldon. > > > >PS: I do understand that people have been incredibly busy lately. It's > >just frustrating to see something like this overlooked prior to the > >release of a CD that's going to generate a huge number of questions as > >it is. > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 17:15:22 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA23913 for freebsd-security-outgoing; Wed, 14 Oct 1998 17:15:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org (lariat.lariat.org [206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA23901 for ; Wed, 14 Oct 1998 17:15:20 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id SAA04621; Wed, 14 Oct 1998 18:15:00 -0600 (MDT) Message-Id: <4.1.19981014181307.040546e0@mail.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1 Date: Wed, 14 Oct 1998 18:14:26 -0600 To: Igor Roshchin From: Brett Glass Subject: Re: syslog.conf comment about tabs Cc: security@FreeBSD.ORG In-Reply-To: <199810150012.TAA22384@alecto.physics.uiuc.edu> References: <4.1.19981014153634.078ba510@mail.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I'm sorry, but I don't have the Great and Mighty Mystical Powers required to do this. Try dg, jkh, etc. --Brett At 07:12 PM 10/14/98 -0500, Igor Roshchin wrote: >Hello! > >I posted the patch to both security- and stable- lists already - >I've tested it on a 2.2-stable, and it works for me. >Unfortunately I haven't heard any responses from anybody. >Also, I don't have any 3.x machine available. >I am trying to right the correction for the man page right now. >As soon as I have it done, I can send all the patches together >to whoever can commit them. > >Brett, would you commit them ? > >IgoR > > > >> I am beta testing 3.0 now, and it looks quite solid. Let's add this >> before the code freeze. >> >> --Brett >> >> At 10:33 PM 10/14/98 +0200, Sheldon Hearn wrote: >> >> > >> >Hi folks, >> > >> >It's a pity that, after all the discussion about syslog's >> >differentiation between tabs and spaces, nothing was actually done about >> >it. This is especially sad given that 3.0-RELEASE is about to be >> >snapped. >> > >> >When someone with commit privs has some time (does this sound like >> >millenium hype? ;) it'd be great to see PR8162 making it into the >> >repository. It suggests a comment for etc/syslog.conf which should >> >reduce the number of questions syslog's behaviour generates. Perhaps >> >this will make it into 3.1. >> > >> >Ciao, >> >Sheldon. >> > >> >PS: I do understand that people have been incredibly busy lately. It's >> >just frustrating to see something like this overlooked prior to the >> >release of a CD that's going to generate a huge number of questions as >> >it is. >> > >> >To Unsubscribe: send mail to majordomo@FreeBSD.org >> >with "unsubscribe freebsd-security" in the body of the message >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 20:03:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA20113 for freebsd-security-outgoing; Wed, 14 Oct 1998 20:03:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA20087 for ; Wed, 14 Oct 1998 20:03:02 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu) Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id XAA04749; Wed, 14 Oct 1998 23:02:57 -0400 (EDT) From: "Allen Smith" Message-Id: <9810142302.ZM4747@beatrice.rutgers.edu> Date: Wed, 14 Oct 1998 23:02:57 -0400 In-Reply-To: Don Lewis "Re: Booting from NT ?" (Sep 28, 4:41am) References: <199809280840.BAA03201@salsa.gv.tsc.tdk.com> X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: Don Lewis Subject: R/O root FS (was Re: Booting from NT ?) Cc: security@FreeBSD.ORG Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sep 28, 4:41am, Don Lewis (possibly) wrote: > On Sep 28, 2:20am, "Allen Smith" wrote: > } Subject: Re: Booting from NT ? > > } Question... what does happen if one has a R/O root filesystem, > } including /dev, without DEVFS? I'm constructing a firewall computer > } with a (switchable - a nice facility of some Seagate drives) hard > } drive for root, a second writeable drive for /var and swap, and a /tmp > } MFS. What problems am I likely to run into with /dev? I'd really > } prefer not to have it as a symlink to /var/dev or some such... > > You won't be able to chown() and chmod() the tty devices when you log in. > Before /dev/log was made a symlink to /var/run/log, syslogd wouldn't be > able to create /dev/log. Ah. Given that login_fbtab.c in both -stable and -current uses chown, not lchown, and chmod follows symbolic links, then symlinking just the /dev/tty*, /dev/console, and /dev/pcaudio* files to /var/dev should work. Thanks, -Allen -- Allen Smith easmith@beatrice.rutgers.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Oct 14 20:11:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA21474 for freebsd-security-outgoing; Wed, 14 Oct 1998 20:11:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA21469 for ; Wed, 14 Oct 1998 20:11:14 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id UAA28883; Wed, 14 Oct 1998 20:10:26 -0700 (PDT) Message-ID: <19981014201025.A27450@best.com> Date: Wed, 14 Oct 1998 20:10:25 -0700 From: "Jan B. Koum " To: Sheldon Hearn , security@FreeBSD.ORG Subject: Re: syslog.conf comment about tabs References: <20150.908397220@iafrica.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <20150.908397220@iafrica.com>; from Sheldon Hearn on Wed, Oct 14, 1998 at 10:33:40PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Oct 14, 1998 at 10:33:40PM +0200, Sheldon Hearn wrote: > > Hi folks, > > It's a pity that, after all the discussion about syslog's > differentiation between tabs and spaces, nothing was actually done about > it. This is especially sad given that 3.0-RELEASE is about to be > snapped. > > When someone with commit privs has some time (does this sound like > millenium hype? ;) it'd be great to see PR8162 making it into the > repository. It suggests a comment for etc/syslog.conf which should > reduce the number of questions syslog's behaviour generates. Perhaps > this will make it into 3.1. > > Ciao, > Sheldon. > > PS: I do understand that people have been incredibly busy lately. It's > just frustrating to see something like this overlooked prior to the > release of a CD that's going to generate a huge number of questions as > it is. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message I honestly fail to see why this patch NEEDS to be in FreeBSD? I mean - you have the source and you have the patch .. this is why FreeBSD ships with the source. What's next? Making shells case insensitive? :P -- Yan I don't have the password .... + Jan Koum But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. So if you've got the time .... | Web: http://www.best.com/~jkb Set the tone to sync ......... + OS: http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 04:15:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id EAA07790 for freebsd-security-outgoing; Thu, 15 Oct 1998 04:15:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mcfs.whowhere.com (mcfs.whowhere.com [209.1.236.44]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id EAA07785 for ; Thu, 15 Oct 1998 04:15:05 -0700 (PDT) (envelope-from dish77@my-dejanews.com) Received: from Unknown/Local ([?.?.?.?]) by my-dejanews.com; Thu Oct 15 04:14:38 1998 To: freebsd-security@FreeBSD.ORG Date: Thu, 15 Oct 1998 04:14:38 -0700 From: "Dmitry Sergeev" Message-ID: Mime-Version: 1.0 X-Sent-Mail: on X-Mailer: MailCity Service Subject: Firewall log and setup X-Sender-Ip: 195.66.198.9 Organization: Deja News Mail (http://www.my-dejanews.com:80) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! When i have installed FreeBSD 2.2.7 my firewall become to log this packets..(see log below) When i worked with FreeBSD 2.2.5 everything was ok. These denied UDP packets come from root DNS servers which are listed in named.root Maybe someone comment this situation? What does Fragment = 34 mean? -------------------------- Here is a set of rules from my rc.firewall dns1=DNS server of my ISP rip=my IP $fwcmd add pass udp from ${dns1} to ${rip} 53 $fwcmd add pass udp from ${rip} 53 to any $fwcmd add pass udp from ${rip} to ${dns1} 53 $fwcmd add pass udp from ${dns1} 53 to any 1024-65535 in recv ${pppif} ----------------- Log 195.xxx.xxx.xxx it's my ip Oct 15 10:46:25 transe /kernel: ipfw: 5110 Deny UDP my_provider_dns 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:25 transe /kernel: ipfw: 5110 Deny UDP 192.5.5.241 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:27 myhost /kernel: ipfw: 5110 Deny UDP 128.9.0.107 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:30 myhost /kernel: ipfw: 5110 Deny UDP 192.33.4.12 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:32 myhost /kernel: ipfw: 5110 Deny UDP 128.9.0.107 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:32 myhost /kernel: ipfw: 5110 Deny UDP 198.32.64.12 195.xxx.xxx.xxx in via tun0 Fragment =34 Oct 15 10:46:34 myhost /kernel: ipfw: 5110 Deny UDP 192.203.230.10 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:39 myhost /kernel: ipfw:5110 Deny UDP 193.0.14.129 195.xxx.xxx.xxx in via tun0 Fragment = 34 Oct 15 10:46:40 myhost /kernel: ipfw: 5110 Deny UDP 128.8.10.90 195.xxx.xxx.xxx in via tun0 Fragment = 34 -----== Sent via Deja News, The Discussion Network ==----- http://www.dejanews.com/ Easy access to 50,000+ discussion forums To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 05:30:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA14629 for freebsd-security-outgoing; Thu, 15 Oct 1998 05:30:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA14621 for ; Thu, 15 Oct 1998 05:30:20 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id BAA00476; Fri, 16 Oct 1998 01:29:54 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Fri, 16 Oct 1998 01:29:54 +1300 (NZDT) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: Dmitry Sergeev cc: freebsd-security@FreeBSD.ORG Subject: Re: Firewall log and setup In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 15 Oct 1998, Dmitry Sergeev wrote: > Hi! > When i have installed FreeBSD 2.2.7 my firewall become to log this packets..(see log below) > When i worked with FreeBSD 2.2.5 everything was ok. These denied UDP packets > come from root DNS servers which are listed in named.root If you don't want your named to try to talk to name services all over the place you should tell it to only forward requests to a list of IP's you specify using forwarders your_privder_dns some_other_dns options forward-only > Maybe someone comment this situation? > What does Fragment = 34 mean? I think this is a separate issue. dns packets are mostly fairly small and shouldn't need to be fragmented. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 06:27:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA20286 for freebsd-security-outgoing; Thu, 15 Oct 1998 06:27:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA20281 for ; Thu, 15 Oct 1998 06:27:54 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id GAA21188; Thu, 15 Oct 1998 06:27:32 -0700 (PDT) Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdT21186; Thu Oct 15 06:26:59 1998 Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id GAA06424; Thu, 15 Oct 1998 06:26:56 -0700 (PDT) Message-Id: <199810151326.GAA06424@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdDM6420; Thu Oct 15 06:26:46 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: cy To: spork cc: freebsd-security@FreeBSD.ORG Subject: Re: mountd exploit In-reply-to: Your message of "Tue, 13 Oct 1998 17:39:36 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 15 Oct 1998 06:26:45 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I saw in the annoucement posted to Bugtraq that FreeBSD post 2.2.6(?) was > immune. Does anyone have data on whether earlier versions, especially > 2.1.7.1, are vulnerable? I would doubt that FreeBSD ever had the bug, as the Linux NFS code is not based on BSD, as other parts of Linux and commercial UNIX are. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 06:57:57 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA24397 for freebsd-security-outgoing; Thu, 15 Oct 1998 06:57:57 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA24385 for ; Thu, 15 Oct 1998 06:57:55 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id GAA21275; Thu, 15 Oct 1998 06:57:35 -0700 (PDT) Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdh21273; Thu Oct 15 06:57:32 1998 Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id GAA06509; Thu, 15 Oct 1998 06:57:28 -0700 (PDT) Message-Id: <199810151357.GAA06509@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdII6505; Thu Oct 15 06:57:21 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: cy To: "Jeffrey J. Mountin" cc: mike@seidata.com, "N. N.M" , freebsd-security@FreeBSD.ORG, mjenkins@carp.gbr.epa.gov Subject: Re: Again logging! In-reply-to: Your message of "Wed, 14 Oct 1998 14:31:46 CDT." <3.0.3.32.19981014143146.0105ff00@207.227.119.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 15 Oct 1998 06:57:20 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Yes, but the facility is LOG_AUTH if you use the port. The original source > uses LOG_MAIL for some odd reason. Either way it should be logged in > messages with the original install's syslog.conf, which lumps it in with > other daemons. > > Personally I change patch-aa to use LOG_LOCAL7 and in syslog.conf I direct > local7.* to /var/log/tcpd, which IMO should have a logfile to itself. Then > again I like to break things down more than the original syslog.conf does, > which makes it easier to sift out the chaff. Or you could configure tcpd to log to a file instead of syslog, though I wouldn't recommend it. (I know many sysadmins who do). I especially like Mike Jenkins' comment. An excellent suggestion. I've noticed that the ports, some in particular, have become quite configurable. Yet another opportunity... Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 07:26:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA29433 for freebsd-security-outgoing; Thu, 15 Oct 1998 07:26:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA29426 for ; Thu, 15 Oct 1998 07:26:56 -0700 (PDT) (envelope-from cy@cschuber.net.gov.bc.ca) Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id HAA21448; Thu, 15 Oct 1998 07:26:39 -0700 (PDT) Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdw21446; Thu Oct 15 07:26:11 1998 Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id HAA06662; Thu, 15 Oct 1998 07:26:09 -0700 (PDT) Message-Id: <199810151426.HAA06662@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdhx6658; Thu Oct 15 07:26:01 1998 X-Mailer: exmh version 2.0.2 2/24/98 Reply-to: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: cy To: "Jan B. Koum " cc: Sheldon Hearn , security@FreeBSD.ORG Subject: Re: syslog.conf comment about tabs In-reply-to: Your message of "Wed, 14 Oct 1998 20:10:25 PDT." <19981014201025.A27450@best.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 15 Oct 1998 07:26:01 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I honestly fail to see why this patch NEEDS to be in FreeBSD? > I mean - you have the source and you have the patch .. this is why > FreeBSD ships with the source. > What's next? Making shells case insensitive? :P Hey, I like this idea! I'll feel like I'm working on an IBM mainframe again. ... just kidding :) Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Open Systems Group Internet: cschuber@uumail.gov.bc.ca ITSD Cy.Schubert@gems8.gov.bc.ca Government of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 08:35:55 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA08838 for freebsd-security-outgoing; Thu, 15 Oct 1998 08:35:55 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from alecto.physics.uiuc.edu (alecto.physics.uiuc.edu [130.126.8.20]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA08830; Thu, 15 Oct 1998 08:35:49 -0700 (PDT) (envelope-from igor@alecto.physics.uiuc.edu) Received: (from igor@localhost) by alecto.physics.uiuc.edu (8.9.0/8.9.0) id KAA09617; Thu, 15 Oct 1998 10:35:22 -0500 (CDT) From: Igor Roshchin Message-Id: <199810151535.KAA09617@alecto.physics.uiuc.edu> Subject: Re: syslogd and syslog.conf In-Reply-To: <199810151408.KAA22591@gaylord.async.vt.edu> from "Clark Gaylord" at "Oct 15, 1998 10: 8:20 am" To: gaylord@gaylord.async.vt.edu (Clark Gaylord) Date: Thu, 15 Oct 1998 10:35:22 -0500 (CDT) Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL43 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, folks! I hope this will be the last message I am writing - to answer all the questions. (I spent much more time on all e-mails then I planned to and then I actually had) Since this discussion was on both mail-lists : stable and security (sorry, I don't read current - don't know what's going there now), I am writing to both lists. (sorry if this is inappropriate) I exchanged e-mails with Jordan (jkh) and David (dg), and I think that we agreed on that it's a bit late for this change to make it to the 3.0-release, so let's hold until after the release is out, and then this change will be committed. Thanks to everybody who expresed their useful (pros and cons) opinions. If you are not too bored yet, you can read the rest of the e-mail, where I kind of summarize all the points made. IgoR > > > > Yuck! > > > > BSDI's syslogd can handle spaces in syslog.conf just fine. Ours > > should too. > > > > This isn't a new feature, it's a long-overdue bug fix. > > I could only agree if we say in very large, bold letters: TABS ARE > THE STANDARD, USUAL FORMAT. USE SPACE AT YOUR OWN PERIL. No problem with that. I just wonder, why people are so conservative if it comes to some kind of "tradition". Everybody who is against changes is mostly providing their emotions (except the only objective reason - to have a cross-platform syslog.conf compatible with "old giants" like SunOS, AIX, ..) Some people say why the tabs can be better (it saves space, i/o time), but then why don't leave it to the sysadmin to decide - what he/she wants to use in the actual syslogd.conf, while providing her/him with the syslogd which can understand both ways. NOBODY so far provided with any reason 1) why it is bad to have syslogd understanding both just tabs and any mixture of tabs and spaces. 2) why "tabs only" scenario was used in the first place for the syslog.conf, and 3) it was not used for other config files in /etc - (name your favorites) (The only possible idea for 2) which I can come up with - in the old days people were in a tough on disk space, but that's just an idea which does not explain 3) ) It looks to me that the answer to 2) and 3) is: "It just happened to be that way, because the author of the syslogd just wrote that way" Now, why one wants to bother to do the changes. 1) MANY people make this mistake, learning it "hard way". (after not having such restriction with othe config files, you think that this is logical to have both tabs and spaces allowed, or at least intuitive) Note, that it's easy to miss in the man pages that only tabs are allowed as separators. (It is not written in capital letters, as Clark suggests ;) ) 2) Cut-N-Paste procedure is usable if the spaces are allowed. (via X features, screen's buffer, or any other means which read the layout of the text from the screen without differentiation between tabs ans spaces) After all, since this change does not brake the old behavior - everybody is free to chose - what style of syslog.conf to use. For the sake of completeness of my summary: Remark (after Cy's and somebody's else e-mails - sorry don't remember the name): Since the new syslogd is fully backwards compatible, and it is not the only program in FreeBSD which has "extended" behavior in comparison to the counterparts in other systems, there is no need to call it a different name, nor provide this feature as a separate command line option. > > No, more seriously, tab-delimited is the usual means of formatting > a text "database" file, and there are potentially non-system routines > that will break with this "fix". I don't know that a lot of > sysadmins actually try to make sense of syslogd.conf, but in general > if you have a fixed number of fields of data that require delimiting, > tab and colon are the usual delimiters; using space begs one to > use multiple spaces, and then you run into having to consider > "[ ]+" or, worse yet " [ ]*", when parsing said file. Let's not make hypothetical guesses. Read the previous e-mails again to find what is proposed. Nobody suggests to use spaces _inside_ the fields of the syslog.conf. The only change that tab characters used as the separator between the two fields of syslog.conf can (not must!) be replaced with spaces. If it was not clear, why would not you take a look at the changes yourself ? > > Again, we could make syslogd able to read space delimited, but I > think advising one to use space instead of tab in syslogd.conf > would be a mistake. Nobody advises to do that. But many people DO (inadvertently). So for their sake, and for the sake of saving time of everybody - who makes the mistake, and who explains how to do it right - the proposed feature should be added. > > -- > Clark K. Gaylord > Blacksburg, Virginia USA > cgaylord@vt.edu > Best Regards, IgoR To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 13:40:25 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA26808 for freebsd-security-outgoing; Thu, 15 Oct 1998 13:40:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from icarus.reshall.berkeley.edu (icarus.Reshall.Berkeley.EDU [169.229.87.90]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA26800 for ; Thu, 15 Oct 1998 13:40:21 -0700 (PDT) (envelope-from leonard@icarus.reshall.berkeley.edu) Received: (from leonard@localhost) by icarus.reshall.berkeley.edu (8.8.8/8.8.8) id NAA02873 for security@freebsd.org; Thu, 15 Oct 1998 13:42:48 -0700 (PDT) (envelope-from leonard) From: Leonard Chung Message-Id: <199810152042.NAA02873@icarus.reshall.berkeley.edu> Subject: Thanks for all of your help! To: security@FreeBSD.ORG Date: Thu, 15 Oct 1998 13:42:46 -0700 (PDT) X-Mailer: ELM [version 2.4ME+ PL40 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Thanks to everyone who helped me with my security problem. Upon further examination of the logs, someone tried a qpopper exploit and a BO exploit on me, but no damage was done. Thanks again for your help in giving me an informed and calm POV while I had a small panic. You guys are the best! Keep up the good work! :-) Leonard To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 22:08:46 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA11231 for freebsd-security-outgoing; Thu, 15 Oct 1998 22:08:46 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA11202 for ; Thu, 15 Oct 1998 22:08:32 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id SAA04675 for ; Fri, 16 Oct 1998 18:08:03 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Fri, 16 Oct 1998 18:08:02 +1300 (NZDT) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: security@FreeBSD.ORG Subject: X allows ordinary user to read first line of any file Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org found this on http://www.hoobie.net/security/exploits/ joeuser@host$ X -config /etc/master.passwd Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie use: X [:] [option] . . . I'm sure there's other files where this can be a problem, but in the case of the password file it seems wise to have a dummy entry as the first line of the master.passwd file. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Oct 15 22:59:10 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA15918 for freebsd-security-outgoing; Thu, 15 Oct 1998 22:59:10 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from internationalschool.co.uk ([194.72.37.214]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA15911; Thu, 15 Oct 1998 22:59:06 -0700 (PDT) (envelope-from stuart@internationalschool.co.uk) Received: from internationalschool.co.uk (bamboo [10.0.0.70]) by internationalschool.co.uk (8.8.8/8.8.8) with ESMTP id SAA28806; Thu, 15 Oct 1998 18:32:48 +0100 (BST) Message-ID: <3626320A.712D129F@internationalschool.co.uk> Date: Thu, 15 Oct 1998 18:34:02 +0100 From: Stuart Henderson Organization: http://ints.ml.org/ X-Mailer: Mozilla 4.5b2 [en] (X11; I; FreeBSD 2.2.7-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Igor Roshchin CC: Clark Gaylord , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: syslogd and syslog.conf References: <199810151535.KAA09617@alecto.physics.uiuc.edu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Igor Roshchin wrote: > > Now, why one wants to bother to do the changes. > > 1) MANY people make this mistake, learning it "hard way". > Note, that it's easy to miss in the man pages that only > tabs are allowed as separators. (It is not written in capital letters, > as Clark suggests ;) ) It might be good to add a warning to the top of the standard syslog.conf file if it's not too late, bearing in mind that the normally recommended editor for new users is ee, which by default converts tabs to spaces automatically. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 02:24:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA03493 for freebsd-security-outgoing; Fri, 16 Oct 1998 02:24:35 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA03488 for ; Fri, 16 Oct 1998 02:24:34 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id CAA00836; Fri, 16 Oct 1998 02:23:11 -0700 (PDT) Message-ID: <19981016022311.A753@best.com> Date: Fri, 16 Oct 1998 02:23:11 -0700 From: "Jan B. Koum " To: andrew@squiz.co.nz, security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Andrew McNaughton on Fri, Oct 16, 1998 at 06:08:02PM +1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote: > > found this on http://www.hoobie.net/security/exploits/ > > joeuser@host$ X -config /etc/master.passwd > Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie > use: X [:] [option] > . > . > . > > I'm sure there's other files where this can be a problem, but in the case > of the password file it seems wise to have a dummy entry as the first line > of the master.passwd file. > > > Andrew McNaughton > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message I am sure something will correct me, but I think you are running the 3.3.1 version which is vulnerable I guess. It is old. You should really upgrade. The new release doesn't even have the -config options as far as I can tell: % bin/XF86_SVGA -version [...] XFree86 Version 3.3.2.3 / X Window System Operating System: FreeBSD 3.0-CURRENT i386 [ELF] [...] % bin/XF86_SVGA -config /etc/master.passwd bin/XF86_SVGA -config /etc/master.passwd Unrecognized option: -config I am not sure if 3.0 will ship with 3.3.2.3 - Jordan? I myself use XiG product (hence limited knowledge of XFree86) and that also seem fine at first glance. BTW, wouldn't you kind of consider this to be a bug in XFree86 rather then a bug in FreeBSD OS? :) -- Yan I don't have the password .... + Jan Koum But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. So if you've got the time .... | Web: http://www.best.com/~jkb Set the tone to sync ......... + OS: http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 02:43:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA05552 for freebsd-security-outgoing; Fri, 16 Oct 1998 02:43:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA05547 for ; Fri, 16 Oct 1998 02:43:03 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id WAA06947; Fri, 16 Oct 1998 22:42:29 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Fri, 16 Oct 1998 22:42:29 +1300 (NZDT) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: "Jan B. Koum " cc: security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file In-Reply-To: <19981016022311.A753@best.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 16 Oct 1998, Jan B. Koum wrote: > On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote: > > > > found this on http://www.hoobie.net/security/exploits/ > > > > joeuser@host$ X -config /etc/master.passwd > > Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie > > use: X [:] [option] > > I am sure something will correct me, but I think you are running > the 3.3.1 version which is vulnerable I guess. It is old. You should > really upgrade. The new release doesn't even have the -config > options as far as I can tell: > > % bin/XF86_SVGA -version > [...] > XFree86 Version 3.3.2.3 / X Window System > Operating System: FreeBSD 3.0-CURRENT i386 [ELF] > [...] > % bin/XF86_SVGA -config /etc/master.passwd > bin/XF86_SVGA -config /etc/master.passwd > Unrecognized option: -config > > I am not sure if 3.0 will ship with 3.3.2.3 - Jordan? > > I myself use XiG product (hence limited knowledge of XFree86) and > that also seem fine at first glance. > > BTW, wouldn't you kind of consider this to be a bug in XFree86 rather > then a bug in FreeBSD OS? :) Yes it is 3.3.1, and yes the problem is with XFree86 rather than FreeBSD itself. Xfree86 came with my version of FreeBSD 2.2.5. Perhaps that's old enough to let it go, but this list regularly seems to cover software used by FreeBSD users outside of the operating system itself. Seemed worth a comment. What version of Xfree86 is in the latest 2.2-STABLE? Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 07:18:44 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA02715 for freebsd-security-outgoing; Fri, 16 Oct 1998 07:18:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from www.scancall.no (www.scancall.no [195.139.183.5]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA02710 for ; Fri, 16 Oct 1998 07:18:40 -0700 (PDT) (envelope-from Marius.Bendiksen@scancall.no) Received: from super2.langesund.scancall.no [195.139.183.29] by www with smtp id JDPFTHOJ; Fri, 16 Oct 98 14:18:21 GMT (PowerWeb version 4.04r6) Message-Id: <3.0.5.32.19981016161322.00920830@mail.scancall.no> X-Sender: Marius@mail.scancall.no X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32) Date: Fri, 16 Oct 1998 16:13:22 +0200 To: andrew@squiz.co.nz, security@FreeBSD.ORG From: Marius Bendiksen Subject: Re: X allows ordinary user to read first line of any file In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >I'm sure there's other files where this can be a problem, but in the case >of the password file it seems wise to have a dummy entry as the first line >of the master.passwd file. You could of course just delete the file, if you're concerned that they're going to crack the password. If you enforce a sound password policy, they won't be able to get anything from that. --- Marius Bendiksen, IT-Trainee, ScanCall AS To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 09:03:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA15544 for freebsd-security-outgoing; Fri, 16 Oct 1998 09:03:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from link.cpt.nsc.iafrica.com (link.cpt.nsc.iafrica.com [196.31.1.126]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id JAA15500 for ; Fri, 16 Oct 1998 09:02:37 -0700 (PDT) (envelope-from khetan@link.freebsd.os.org.za) To: (original recipient in envelope at link.cpt.nsc.iafrica.com) X-Disclaimer: Contents of this e-mail are the writer's opinion X-Disclaimer2: and may not be quoted, re-produced or forwarded X-Disclaimer3: (in part or whole) without the author's permission. Received: from localhost (khetan@localhost) by link.cpt.nsc.iafrica.com (8.9.1+3.1W/8.9.1a/smtpfeed 0.83) with SMTP id SAA01712 for ; Fri, 16 Oct 1998 18:02:14 +0200 (SAT) (envelope-from khetan@link.freebsd.os.org.za) Date: Fri, 16 Oct 1998 18:02:13 +0200 (SAT) From: Khetan Gajjar X-Sender: khetan@link.cpt.nsc.iafrica.com Reply-To: Khetan Gajjar To: security@FreeBSD.ORG Subject: Recent RST DoS Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi. I just wanted to know if a gateway PC running ipfw would be resistant against the RST attack that there was recently a advisory for. The machine I'm dealing with is a vintage 2.2.6-RELEASE box. --- Khetan Gajjar (!kg1779) * khetan@iafrica.com ; khetan@os.org.za http://www.os.org.za/~khetan * Talk/Finger khetan@chain.freebsd.os.org.za UUNET Internet Africa Support * FreeBSD enthusiast-www2.za.freebsd.org FreeBSD is like a wigwam - no windows, no gates, apache inside! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 10:07:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA24550 for freebsd-security-outgoing; Fri, 16 Oct 1998 10:07:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA24545 for ; Fri, 16 Oct 1998 10:07:07 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id MAA18345; Fri, 16 Oct 1998 12:06:39 -0500 (CDT) Date: Fri, 16 Oct 1998 12:06:38 -0500 (CDT) From: Jeremy Shaffner To: Liam Slusser cc: security@FreeBSD.ORG Subject: Re: smurf and broadcast packets.. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 14 Sep 1998, Liam Slusser wrote: > > Today my server was bombed by a smurf attack. After i got everthing up > > What am i doing wrong? What can i do to stop my server from being the > victom of another smurf attack? > I know this is a bit old, but it wasn't your network that was exploited, it was someone elses. Yours was the target. Patching yourself only prevents your network from being used to launch an attack against someone else. -===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 10:53:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA02836 for freebsd-security-outgoing; Fri, 16 Oct 1998 10:53:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from dt053nb4.san.rr.com (dt053nb4.san.rr.com [204.210.34.180]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA02830 for ; Fri, 16 Oct 1998 10:53:03 -0700 (PDT) (envelope-from Studded@gorean.org) Received: from gorean.org (Studded@localhost [127.0.0.1]) by dt053nb4.san.rr.com (8.8.8/8.8.8) with ESMTP id KAA09450; Fri, 16 Oct 1998 10:52:36 -0700 (PDT) (envelope-from Studded@gorean.org) Message-ID: <362787E3.3884E136@gorean.org> Date: Fri, 16 Oct 1998 10:52:35 -0700 From: Studded Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.5b2 [en] (X11; I; FreeBSD 2.2.7-STABLE-1015 i386) X-Accept-Language: en MIME-Version: 1.0 To: Khetan Gajjar CC: security@FreeBSD.ORG Subject: Re: Recent RST DoS References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Khetan Gajjar wrote: > > Hi. > > I just wanted to know if a gateway PC running ipfw would be > resistant against the RST attack that there was recently a advisory > for. The machine I'm dealing with is a vintage 2.2.6-RELEASE > box. It is vulnerable. You should upgrade to 2.2.7-Stable. Good luck, Doug -- *** Chief Operations Officer, DALnet IRC network *** Go PADRES! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 14:17:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA17953 for freebsd-security-outgoing; Fri, 16 Oct 1998 14:17:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA17811 for ; Fri, 16 Oct 1998 14:16:37 -0700 (PDT) (envelope-from fullermd@futuresouth.com) Received: (from fullermd@localhost) by shell.futuresouth.com (8.8.8/8.8.8) id QAA17715; Fri, 16 Oct 1998 16:15:58 -0500 (CDT) Message-ID: <19981016161558.25098@futuresouth.com> Date: Fri, 16 Oct 1998 16:15:58 -0500 From: "Matthew D. Fuller" To: Marius Bendiksen Cc: andrew@squiz.co.nz, security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file References: <3.0.5.32.19981016161322.00920830@mail.scancall.no> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.88 In-Reply-To: <3.0.5.32.19981016161322.00920830@mail.scancall.no>; from Marius Bendiksen on Fri, Oct 16, 1998 at 04:13:22PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Oct 16, 1998 at 04:13:22PM +0200, Marius Bendiksen woke me up to tell me: > >I'm sure there's other files where this can be a problem, but in the case > >of the password file it seems wise to have a dummy entry as the first line > >of the master.passwd file. > > You could of course just delete the file, if you're concerned that they're > going to crack the password. If you enforce a sound password policy, they > won't be able to get anything from that. You could of course just stript the setuid bit from the server, and use xdm instead of xinit. On a single user machine (single user on console, that is), I'd just use startx, but then again, most workstations are limited to console access. On a multiple user machine (lab, etc), xdm seems to be a better choice anyway. *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* | FreeBSD; the way computers were meant to be | * "The only reason I'm burning my candle at both ends, is * | that I haven't figured out how to light the middle yet."| * fullermd@futuresouth.com :-} MAtthew Fuller * | http://keystone.westminster.edu/~fullermd | *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 16:54:07 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA18370 for freebsd-security-outgoing; Fri, 16 Oct 1998 16:54:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rf900.physics.usyd.edu.au (rf900.physics.usyd.edu.au [129.78.129.109]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA18265 for ; Fri, 16 Oct 1998 16:53:19 -0700 (PDT) (envelope-from dawes@rf900.physics.usyd.edu.au) Received: (from dawes@localhost) by rf900.physics.usyd.edu.au (8.8.5/8.8.2) id JAA03369; Sat, 17 Oct 1998 09:52:45 +1000 (EST) Message-ID: <19981017095244.E24991@rf900.physics.usyd.edu.au> Date: Sat, 17 Oct 1998 09:52:44 +1000 From: David Dawes To: andrew@squiz.co.nz, security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Andrew McNaughton on Fri, Oct 16, 1998 at 06:08:02PM +1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote: > >found this on http://www.hoobie.net/security/exploits/ > >joeuser@host$ X -config /etc/master.passwd >Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie >use: X [:] [option] >. >. >. > >I'm sure there's other files where this can be a problem, but in the case >of the password file it seems wise to have a dummy entry as the first line >of the master.passwd file. To put this problem into perspective, if you're running an XFree86 server with this bug, then it is old enough to have some much more serious security problems. That includes at least one that a local user can use to get root. That particular one only relies on the server running as root and not on it being set-uid root. Most of these bugs are not XFree86-specific, and will be present in any server based closely enough on the X11R6.x releases that have the same bugs. For details on the bugs found and fixed since XFree86 3.3.2 was released, see the XFree86 security advisories at: ftp://ftp.xfree86.org/pub/XFree86/Security/ All of the problems mentioned there are fixed in XFree86 3.3.2.3. David To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 20:01:15 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA18137 for freebsd-security-outgoing; Fri, 16 Oct 1998 20:01:15 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from azazel.async.org (hun-al1-02.ix.netcom.com [205.184.6.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA18130 for ; Fri, 16 Oct 1998 20:01:11 -0700 (PDT) (envelope-from ysyi@async.org) Received: from localhost (ysyi@localhost) by azazel.async.org (8.9.1a/8.9.1a) with SMTP id VAA28987; Fri, 16 Oct 1998 21:59:40 -0500 Date: Fri, 16 Oct 1998 21:59:38 -0500 (CDT) From: "Yong S. Yi" To: andrew@squiz.co.nz cc: security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file In-Reply-To: <19981017095244.E24991@rf900.physics.usyd.edu.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >On Fri, Oct 16, 1998 at 06:08:02PM +1300, Andrew McNaughton wrote: > >found this on http://www.hoobie.net/security/exploits/ > >joeuser@host$ X -config /etc/master.passwd >Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie >use: X [:] [option] >. >. >. > >I'm sure there's other files where this can be a problem, but in the case >of the password file it seems wise to have a dummy entry as the first line >of the master.passwd file. On Fri, Oct 16, 1998 at 10:42PM +1300, Andrew McNaughton wrote: >Yes it is 3.3.1, and yes the problem is with XFree86 rather than FreeBSD >itself. Xfree86 came with my version of FreeBSD 2.2.5. Perhaps that's So upgrade your XFree86 server (and any other components you wish to upgrade). >old enough to let it go, but this list regularly seems to cover software "let it go"? This problem was discovered+fixed months ago. Some possible things to do: upgrade your server (and/or XFree86 distribution), install a wrapper for the server, or just delete the passwd file (Marius.Bendiksen@scancall.no). No need to "let it go" -- it's already been dealt with. >used by FreeBSD users outside of the operating system itself. Seemed Yup. But this issue has been discussed (same crap that's going through the thread right now) many times, on various mailing lists and usenet newsgroups. Do a websearch for it... find out more if interested. >worth a comment. Sure. -- Yong S. Yi Email: ysyi@hybrid.async.org Phone: 1.256.881.8821 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Oct 16 23:17:01 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA02911 for freebsd-security-outgoing; Fri, 16 Oct 1998 23:17:01 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.224.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA02905 for ; Fri, 16 Oct 1998 23:16:58 -0700 (PDT) (envelope-from avalon@coombs.anu.edu.au) Message-Id: <199810170616.XAA02905@hub.freebsd.org> Received: by cheops.anu.edu.au (1.37.109.16/16.2) id AA152684986; Sat, 17 Oct 1998 16:16:26 +1000 From: Darren Reed Subject: Re: X allows ordinary user to read first line of any file To: andrew@squiz.co.nz Date: Sat, 17 Oct 1998 16:16:26 +1000 (EST) Cc: security@FreeBSD.ORG In-Reply-To: from "Andrew McNaughton" at Oct 16, 98 06:08:02 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Andrew McNaughton, sie said: > > > found this on http://www.hoobie.net/security/exploits/ > > joeuser@host$ X -config /etc/master.passwd > Unrecognized option: root:yd0Rj.v.r1wKA:0:0::0:0:Charlie > use: X [:] [option] which X11 is this ? Xfree86 ? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 00:25:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA07707 for freebsd-security-outgoing; Sat, 17 Oct 1998 00:25:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from azazel.async.org (hun-al1-02.ix.netcom.com [205.184.6.34]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA07701 for ; Sat, 17 Oct 1998 00:25:08 -0700 (PDT) (envelope-from ysyi@async.org) Received: from localhost (ysyi@localhost) by azazel.async.org (8.9.1a/8.9.1a) with SMTP id CAA29992; Sat, 17 Oct 1998 02:23:36 -0500 Date: Sat, 17 Oct 1998 02:23:35 -0500 (CDT) From: "Yong S. Yi" To: Darren Reed cc: andrew@squiz.co.nz, security@FreeBSD.ORG Subject: Re: X allows ordinary user to read first line of any file In-Reply-To: <199810170616.XAA02905@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 17 Oct 1998, Darren Reed wrote: >> use: X [:] [option] > >which X11 is this ? > >Xfree86 ? *Sigh* ... Yes, XFree86. Read the entire thread. Can't we just murder this thread? This issue is very old, has been discussed, many solutions found. Don't know what it's doing back on -security right now. If you'd really like in-depth information on this, wouldn't it be nicer to do a websearch, considering that this has been discussed so many times way before? (No need to forward this to netbsd-security, either, but I guess I'm too late) Just my thoughts... -ysyi To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 02:17:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA17034 for freebsd-security-outgoing; Sat, 17 Oct 1998 02:17:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from uriela.in-berlin.de (servicia.in-berlin.de [192.109.42.145]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA17013; Sat, 17 Oct 1998 02:17:15 -0700 (PDT) (envelope-from nortobor.nostromo.in-berlin.de!ripley@servicia.in-berlin.de) Received: by uriela.in-berlin.de (Smail-3.2.0.101 1997-Dec-17 #1) id m0zUSWM-000VYfC; Sat, 17 Oct 1998 11:19:34 +0200 (CEST) Received: (from ripley@localhost) by nortobor.nostromo.in-berlin.de (8.8.7/8.8.7) id JAA01607; Sat, 17 Oct 1998 09:59:06 +0200 (CEST) (envelope-from ripley) Message-ID: <19981017095905.23337@nostromo.in-berlin.de> Date: Sat, 17 Oct 1998 09:59:05 +0200 From: "H. Eckert" To: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: syslogd and syslog.conf References: <199810151535.KAA09617@alecto.physics.uiuc.edu> <3626320A.712D129F@internationalschool.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.84e In-Reply-To: <3626320A.712D129F@internationalschool.co.uk>; from Stuart Henderson on Thu, Oct 15, 1998 at 06:34:02PM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Oct 15, 1998 at 06:34:02PM +0100, Stuart Henderson wrote: > It might be good to add a warning to the top of the standard syslog.conf file > if it's not too late, bearing in mind that the normally recommended editor > for new users is ee, which by default converts tabs to spaces automatically. Ee does that ? One more reason to hate it. The first thing I do on a new installation is edit root's dotfiles to change the editor to vim or at least vi. It would be nice if sysconfig would copy the default editor from the config options page if it had been changed during the installation. Greetings, Ripley -- http://www.in-berlin.de/User/nostromo/ == "You don't say what kind of CD drive or hard disks you have, but since it is causing you trouble I'll assume it is IDE." -- comp.unix.bsd.freebsd.misc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 02:54:42 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA20260 for freebsd-security-outgoing; Sat, 17 Oct 1998 02:54:42 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id CAA20250 for ; Sat, 17 Oct 1998 02:54:40 -0700 (PDT) (envelope-from sthaug@nethelp.no) From: sthaug@nethelp.no Received: (qmail 17691 invoked by uid 1001); 17 Oct 1998 09:54:17 +0000 (GMT) To: ripley@nostromo.in-berlin.de Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: syslogd and syslog.conf In-Reply-To: Your message of "Sat, 17 Oct 1998 09:59:05 +0200" References: <19981017095905.23337@nostromo.in-berlin.de> X-Mailer: Mew version 1.05+ on Emacs 19.34.2 Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Date: Sat, 17 Oct 1998 11:54:16 +0200 Message-ID: <17684.908618056@verdi.nethelp.no> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > The first thing I do on a new installation is edit root's > dotfiles to change the editor to vim or at least vi. Basically the same here, except I simply remove the definition of EDITOR. Having ee as the default editor for root is awful... Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 03:53:27 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA26493 for freebsd-security-outgoing; Sat, 17 Oct 1998 03:53:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from zeus.theinternet.com.au (zeus.theinternet.com.au [203.34.176.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA26478; Sat, 17 Oct 1998 03:53:15 -0700 (PDT) (envelope-from akm@zeus.theinternet.com.au) Received: (from akm@localhost) by zeus.theinternet.com.au (8.8.7/8.8.7) id UAA12971; Sat, 17 Oct 1998 20:49:58 +1000 (EST) (envelope-from akm) From: Andrew Kenneth Milton Message-Id: <199810171049.UAA12971@zeus.theinternet.com.au> Subject: Re: syslogd and syslog.conf In-Reply-To: <17684.908618056@verdi.nethelp.no> from "sthaug@nethelp.no" at "Oct 17, 98 11:54:16 am" To: sthaug@nethelp.no Date: Sat, 17 Oct 1998 20:49:58 +1000 (EST) Cc: ripley@nostromo.in-berlin.de, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL32 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org +----[ sthaug@nethelp.no ]--------------------------------------------- | > The first thing I do on a new installation is edit root's | > dotfiles to change the editor to vim or at least vi. | | Basically the same here, except I simply remove the definition of | EDITOR. Having ee as the default editor for root is awful... The point being that you know how to... UNIX in general is a wonderful thing, not exposing people to vi or ed as their first editor is probably a GoodThing(tm). I don't think a friendlier UNIX is a bad thing, those that know how to change it to their favourite religious icon. ee might not be the best thing in the world, but, it's certainly not the worst. -- Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 | Milton ACN: 082 081 472 | M:+61 416 022 411 |72 Col .Sig PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|Specialist To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 06:31:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA11866 for freebsd-security-outgoing; Sat, 17 Oct 1998 06:31:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from hotmail.com (f168.hotmail.com [207.82.251.54]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA11859 for ; Sat, 17 Oct 1998 06:31:57 -0700 (PDT) (envelope-from madrapour@hotmail.com) Received: (qmail 1625 invoked by uid 0); 17 Oct 1998 13:31:37 -0000 Message-ID: <19981017133137.1623.qmail@hotmail.com> Received: from 195.96.144.12 by www.hotmail.com with HTTP; Sat, 17 Oct 1998 06:31:34 PDT X-Originating-IP: [195.96.144.12] From: "N. N.M" To: mjenkins@carp.gbr.epa.gov Cc: freebsd-security@FreeBSD.ORG Subject: Re: Again logging! Content-Type: text/plain Date: Sat, 17 Oct 1998 06:31:34 PDT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >To see the inetd logging messages you'll need: > >1. add something like this to /etc/syslog.conf: > > !inetd > *.*/var/log/inetd.log > >2. create the log file: > > # touch /var/log/inetd.log > >3. tell syslogd about the change: > > # kill -HUP `cat /var/run/syslog.pid` > >4. optionally, add an entry to /etc/newsyslog.conf: > > /var/log/inetd.log 664 7 * 24 Z > >Then you'll see messages in /var/log/inetd.log when someone connects >to an inetd service (telnetd, ftpd, etc.). > Dear Mike, Thank you and all others who helped me in this regard. I did what you said for both inetd and tcpd. So I have two parts in my syslog.conf as follows: !inetd *.* /var/log/inetd !tcpd *.* tab> /var/log/tcpd And I have two files (tcpd and logd) in /var/log. But it still dosen't work (also I restarted inetd after changes). It seems that I've missed some points, becasue neither INETD nor TCPD don't log anything. What could be the missing points? Nazila N. ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 07:57:33 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA18938 for freebsd-security-outgoing; Sat, 17 Oct 1998 07:57:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from paprika.michvhf.com (paprika.michvhf.com [209.57.60.12]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA18928 for ; Sat, 17 Oct 1998 07:57:29 -0700 (PDT) (envelope-from vev@michvhf.com) Received: (qmail 14685 invoked by uid 1000); 17 Oct 1998 14:57:19 -0000 Message-ID: X-Mailer: XFMail 1.3 [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <19981017095905.23337@nostromo.in-berlin.de> Date: Sat, 17 Oct 1998 10:57:19 -0400 (EDT) From: Vince Vielhaber To: "H. Eckert" Subject: Re: syslogd and syslog.conf Cc: security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 17-Oct-98 H. Eckert wrote: > On Thu, Oct 15, 1998 at 06:34:02PM +0100, Stuart Henderson wrote: >> It might be good to add a warning to the top of the standard syslog.conf >> file >> if it's not too late, bearing in mind that the normally recommended editor >> for new users is ee, which by default converts tabs to spaces >> automatically. > > Ee does that ? One more reason to hate it. > The first thing I do on a new installation is edit root's > dotfiles to change the editor to vim or at least vi. It > would be nice if sysconfig would copy the default editor > from the config options page if it had been changed during > the installation. EE doesn't convert existing tabs only new ones unless you tell it not to. You can do that from the command line or from the options menu. I've been using it for years, once you learn HOW to use it it's not the Evil Editor you want to think it is. Vince. -- ========================================================================== Vince Vielhaber -- KA8CSH email: vev@michvhf.com flame-mail: /dev/null # include TEAM-OS2 Online Searchable Campground Listings http://www.camping-usa.com "There is no outfit less entitled to lecture me about bloat than the federal government" -- Tony Snow ========================================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 11:55:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA10589 for freebsd-security-outgoing; Sat, 17 Oct 1998 11:55:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from set.spradley.tmi.net (set.spradley.tmi.net [207.170.107.99]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA10569; Sat, 17 Oct 1998 11:55:54 -0700 (PDT) (envelope-from tsprad@set.spradley.tmi.net) Received: from set.spradley.tmi.net (localhost [127.0.0.1]) by set.spradley.tmi.net (8.9.1/8.9.1) with ESMTP id NAA18114; Sat, 17 Oct 1998 13:55:05 -0500 (CDT) (envelope-from tsprad@set.spradley.tmi.net) Message-Id: <199810171855.NAA18114@set.spradley.tmi.net> X-Mailer: exmh version 2.0zeta 7/24/97 To: Vince Vielhaber cc: "H. Eckert" , security@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Subject: Re: syslogd and syslog.conf In-reply-to: Your message of "Sat, 17 Oct 1998 10:57:19 EDT." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sat, 17 Oct 1998 13:55:04 -0500 From: Ted Spradley Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > ..., once you learn HOW to use it it's not the Evil Editor > you want to think it is. > > Vince. Heh! :-} Once you learn HOW to use vi, or emacs, or MeSs-Word.... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 12:57:13 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA17138 for freebsd-security-outgoing; Sat, 17 Oct 1998 12:57:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from paprika.michvhf.com (paprika.michvhf.com [209.57.60.12]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id MAA17115 for ; Sat, 17 Oct 1998 12:57:03 -0700 (PDT) (envelope-from vev@michvhf.com) Received: (qmail 15942 invoked by uid 1000); 17 Oct 1998 19:48:18 -0000 Message-ID: X-Mailer: XFMail 1.3 [p0] on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: <199810171855.NAA18114@set.spradley.tmi.net> Date: Sat, 17 Oct 1998 15:48:18 -0400 (EDT) From: Vince Vielhaber To: Ted Spradley Subject: Re: syslogd and syslog.conf Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, "H.Eckert" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 17-Oct-98 Ted Spradley wrote: >> >> >> ..., once you learn HOW to use it it's not the Evil Editor >> you want to think it is. >> >> Vince. > > Heh! :-} Once you learn HOW to use ..., MeSs-Word.... > > Why would you want to use "MeSs-Word" on syslog.conf? Vince. -- ========================================================================== Vince Vielhaber -- KA8CSH email: vev@michvhf.com flame-mail: /dev/null # include TEAM-OS2 Online Searchable Campground Listings http://www.camping-usa.com "There is no outfit less entitled to lecture me about bloat than the federal government" -- Tony Snow ========================================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 13:43:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA23146 for freebsd-security-outgoing; Sat, 17 Oct 1998 13:43:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA23141; Sat, 17 Oct 1998 13:43:22 -0700 (PDT) (envelope-from jkb@shell6.ba.best.com) Received: (from jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) id NAA24055; Sat, 17 Oct 1998 13:42:31 -0700 (PDT) Message-ID: <19981017134231.C22818@best.com> Date: Sat, 17 Oct 1998 13:42:31 -0700 From: "Jan B. Koum " To: Vince Vielhaber , Ted Spradley Cc: freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG, "H.Eckert" Subject: Re: syslogd and syslog.conf References: <199810171855.NAA18114@set.spradley.tmi.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: ; from Vince Vielhaber on Sat, Oct 17, 1998 at 03:48:18PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, Oct 17, 1998 at 03:48:18PM -0400, Vince Vielhaber wrote: > > On 17-Oct-98 Ted Spradley wrote: > >> > >> > >> ..., once you learn HOW to use it it's not the Evil Editor > >> you want to think it is. > >> > >> Vince. > > > > Heh! :-} Once you learn HOW to use ..., MeSs-Word.... > > > > > > Why would you want to use "MeSs-Word" on syslog.conf? > > Vince. > -- > ========================================================================== > Vince Vielhaber -- KA8CSH email: vev@michvhf.com flame-mail: /dev/null > # include TEAM-OS2 > Online Searchable Campground Listings http://www.camping-usa.com > "There is no outfit less entitled to lecture me about bloat > than the federal government" -- Tony Snow > ========================================================================== > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message Hate to be the party pooper here, but when people will learn to trim -security (and -stable also in this case) from threads which really should be on -chat? -- Yan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 21:32:36 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA05511 for freebsd-security-outgoing; Sat, 17 Oct 1998 21:32:36 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA05505 for ; Sat, 17 Oct 1998 21:32:31 -0700 (PDT) (envelope-from andrew@squiz.co.nz) Received: from localhost (andrew@localhost) by aniwa.sky (8.8.8/8.8.7) with SMTP id RAA23711; Sun, 18 Oct 1998 17:31:36 +1300 (NZDT) (envelope-from andrew@squiz.co.nz) Date: Sun, 18 Oct 1998 17:31:35 +1300 (NZDT) From: Andrew McNaughton X-Sender: andrew@aniwa.sky Reply-To: andrew@squiz.co.nz To: "N. N.M" cc: freebsd-security@FreeBSD.ORG Subject: Re: Again logging! In-Reply-To: <19981017133137.1623.qmail@hotmail.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 17 Oct 1998, N. N.M wrote: > And I have two files (tcpd and logd) in /var/log. But it still dosen't > work (also I restarted inetd after changes). It seems that I've missed > some points, becasue neither INETD nor TCPD don't log anything. What > could be the missing points? inetd needs to be run with the '-l' flag. Restart it using this flag, and also put the flag into your rc.conf ( inetd_flags="-l" ) Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Oct 17 23:11:52 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA12892 for freebsd-security-outgoing; Sat, 17 Oct 1998 23:11:52 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA12887 for ; Sat, 17 Oct 1998 23:11:50 -0700 (PDT) (envelope-from jeff-ml@mountin.net) Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id BAA19229; Sun, 18 Oct 1998 01:11:20 -0500 (CDT) Received: from harkol-105.isdn.mke.execpc.com(169.207.64.233) by peak.mountin.net via smap (V1.3) id sma019227; Sun Oct 18 01:10:57 1998 Message-Id: <3.0.3.32.19981018011033.00fc17e8@207.227.119.2> X-Sender: jeff-ml@207.227.119.2 X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32) Date: Sun, 18 Oct 1998 01:10:33 -0500 To: "Jan B. Koum " , Sheldon Hearn , Igor Roshchin From: "Jeffrey J. Mountin" Subject: Re: syslogd and syslog.conf (new feature) Cc: security@FreeBSD.ORG In-Reply-To: <19981017134231.C22818@best.com> References: <199810171855.NAA18114@set.spradley.tmi.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 01:42 PM 10/17/98 -0700, Jan B. Koum wrote: > Hate to be the party pooper here, but when people will learn to > trim -security (and -stable also in this case) from threads which > really should be on -chat? > Agreed. One last thought about syslogd. If you consider the default setup for syslog.conf and the fact that *most* messages are going to one logfile, which can get messy and difficult to discern the important from the routine. With that in mind why not have the LEVEL after the FACILITY in the log? []: : Programs like ssh and Apache do something along this line. Certainly would make it easy to search/grep the logs for things demanding more notice than usual. Not to mention if you want to pipe your syslog through a script it provides another common point for comparison. A better feature/improvement (for my usage) than having something to remind me about spaces and or ignore them (neither applies). Jeff Mountin - Unix Systems TCP/IP networking jeff@mountin.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message