From owner-freebsd-security@FreeBSD.ORG Sun Jan 15 20:17:20 2006
From: Michael Nottebrock <lofi@freebsd.org>
To: freebsd-security@freebsd.org
Date: Sun, 15 Jan 2006 21:17:05 +0100
Message-ID: <43CAADC1.4030103@freebsd.org>
Subject: Cookie-analyzer (antispyware) tool for FreeBSD?
Is anybody aware of existing software that searches the cookie jars of
popular browsers available for FreeBSD for known tracking cookies, as
popular antispyware tools for Windows do?

Cheers,
--
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org

From owner-freebsd-security@FreeBSD.ORG Sun Jan 15 21:18:01 2006
From: Dev Tugnait <dev@unixdaemon.org>
To: freebsd-security@freebsd.org
Date: Sun, 15 Jan 2006 16:17:56 -0500
Message-Id: <1137359877.2822.53.camel@dracula.transylvania.net>
Subject: Rogue Processes

I seem to notice these two processes running with top.

Netstat hasn't been issued by me and can't be killed in the START
state. Can someone enlighten me on these processes?

FreeBSD dracula.transylvania.net 6.0-RELEASE FreeBSD 6.0-RELEASE #4: Sun Dec 4 00:22:01 EST 2005
    root@dracula.transylvania.net:/usr/src/sys/i386/compile/BLEACH i386

The box doesn't run ssh or telnet, just postfix relaying to my external
webhost.
  PID USERNAME THR PRI NICE   SIZE    RES STATE   TIME   WCPU COMMAND
89290 dark       1  96    0     0K     0K START   0:06  0.00% awt_robot
10208 dark       1  -8    0     0K     0K START   0:00  3.00% netstat

Thanks
--
Dev Tugnait

From owner-freebsd-security@FreeBSD.ORG Sun Jan 15 21:27:12 2006
From: Gregory Nou <gregorynou@altern.org>
To: dev@unixdaemon.org
Cc: freebsd-security@freebsd.org
Date: Sun, 15 Jan 2006 22:27:06 +0100
Message-ID: <43CABE2A.7000700@altern.org>
In-Reply-To: <1137359877.2822.53.camel@dracula.transylvania.net>
Subject: Re: Rogue Processes

Dev Tugnait wrote:
> I seem to notice these two processes running with top.
>
> Netstat hasn't been issued by me and can't be killed in the START
> state. Can someone enlighten me on these processes?
>
> FreeBSD dracula.transylvania.net 6.0-RELEASE FreeBSD 6.0-RELEASE #4: Sun Dec 4 00:22:01 EST 2005
>     root@dracula.transylvania.net:/usr/src/sys/i386/compile/BLEACH i386
>
> The box doesn't run ssh or telnet, just postfix relaying to my external
> webhost.
>
> 89290 dark 1 96 0 0K 0K START 0:06 0.00% awt_robot
> 10208 dark 1 -8 0 0K 0K START 0:00 3.00% netstat
>
> Thanks

I would be tempted to say that awt_robot is the Java thing:
http://java.sun.com/j2se/1.3/docs/api/java/awt/Robot.html
It is a class that allows you to program a demo.
Do you have Java installed on this machine?

From owner-freebsd-security@FreeBSD.ORG Sun Jan 15 21:33:09 2006
From: Dev Tugnait <dev@unixdaemon.org>
To: Gregory Nou <gregorynou@altern.org>
Cc: freebsd-security@freebsd.org
Date: Sun, 15 Jan 2006 16:32:58 -0500
Message-Id: <1137360778.2822.56.camel@dracula.transylvania.net>
In-Reply-To: <43CABE2A.7000700@altern.org>
Subject: Re: Rogue Processes
On Sun, 2006-01-15 at 22:27 +0100, Gregory Nou wrote:
> Dev Tugnait wrote:
> > I seem to notice these two processes running with top.
> >
> > Netstat hasn't been issued by me and can't be killed in the START
> > state. Can someone enlighten me on these processes?
> >
> > FreeBSD dracula.transylvania.net 6.0-RELEASE FreeBSD 6.0-RELEASE #4: Sun Dec 4 00:22:01 EST 2005
> >     root@dracula.transylvania.net:/usr/src/sys/i386/compile/BLEACH i386
> >
> > The box doesn't run ssh or telnet, just postfix relaying to my external
> > webhost.
> >
> > 89290 dark 1 96 0 0K 0K START 0:06 0.00% awt_robot
> > 10208 dark 1 -8 0 0K 0K START 0:00 3.00% netstat
> >
> > Thanks
>
> I would be tempted to say that awt_robot is the Java thing:
> http://java.sun.com/j2se/1.3/docs/api/java/awt/Robot.html
> It is a class that allows you to program a demo.
> Do you have Java installed on this machine?

Yes, killing java fixed that, thanks.
I still don't know why netstat is eating my CPU.
--
Dev Tugnait

From owner-freebsd-security@FreeBSD.ORG Sun Jan 15 21:41:01 2006
From: Dev Tugnait <dev@unixdaemon.org>
To: Igor Roshchin, freebsd-security@freebsd.org
Date: Sun, 15 Jan 2006 16:40:57 -0500
Message-Id: <1137361258.2822.59.camel@dracula.transylvania.net>
In-Reply-To: <200601152132.k0FLW6Of097758@trantor.komkon.org>
Subject: Re: Rogue Processes

On Sun, 2006-01-15 at 16:32 -0500, Igor Roshchin wrote:
> Dev,
>
> You might want to run lsof and see if that would reveal
> any useful information.
>
> I would look for where the awt_robot file is started from, and what
> files/sockets/.. it is using.
> The same is for netstat (just in case it is not the one that came
> with the OS).
> I didn't use FBSD 6.0, but I don't think awt_robot is anything standard
> for this version.
> There is a Java program with that name out there..
> I guess you already searched Google for it, didn't you?
>
> HTH,
>
> Igor

Yeah, I googled it; awt_robot is from Java, although upon googling I
came across random stuff rather than the actual answer.

lsof | grep netstat
Exit 1

--
Dev Tugnait

From owner-freebsd-security@FreeBSD.ORG Wed Jan 18 09:10:21 2006
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Wed, 18 Jan 2006 09:10:16 GMT
Message-Id: <200601180910.k0I9AGW1083009@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-06:05.80211
=============================================================================
FreeBSD-SA-06:05.80211                                      Security Advisory
                                                          The FreeBSD Project

Topic:          IEEE 802.11 buffer overflow

Category:       core
Module:         net80211
Announced:      2006-01-18
Credits:        Karl Janmar
Affects:        FreeBSD 6.0
Corrected:      2006-01-18 09:03:15 UTC (RELENG_6, 6.0-STABLE)
                2006-01-18 09:03:36 UTC (RELENG_6_0, 6.0-RELEASE-p3)
CVE Name:       CVE-2006-0226

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The IEEE 802.11 network subsystem of FreeBSD implements the protocol
negotiation used for wireless networking.

II.  Problem Description

An integer overflow in the handling of corrupt IEEE 802.11 beacon or
probe response frames when scanning for existing wireless networks can
result in the frame overflowing a buffer.

III. Impact

An attacker able to broadcast a carefully crafted beacon or probe
response frame may be able to execute arbitrary code within the context
of the FreeBSD kernel on any system scanning for wireless networks.

IV.  Workaround

No workaround is available, but systems without IEEE 802.11 hardware or
drivers loaded are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or to the RELENG_6_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-06:05/80211.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/sys/net80211/ieee80211_ioctl.c                               1.25.2.9
RELENG_6_0
  src/UPDATING                                                1.416.2.3.2.8
  src/sys/conf/newvers.sh                                      1.69.2.8.2.4
  src/sys/net80211/ieee80211_ioctl.c                           1.25.2.3.2.1
-------------------------------------------------------------------------

VII. References

http://www.signedness.org/advisories/sps-0x1.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0226

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-06:05.80211.asc
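The defect class named in sections II and III (a length taken from a corrupt beacon or probe response frame driving a copy past a buffer) is easiest to understand from a scanner-side parser that gets the check right. The following is an added example written for this archive page; it is not FreeBSD's net80211 code and not the SA-06:05 patch. The [id][len][payload] element layout is that of IEEE 802.11 information elements and the 32-byte SSID limit is from the standard; the struct, function and constant names and the sample frames are constructed for the example.

```c
/* Bounds-checked walk over the information elements (IEs) carried in an
 * IEEE 802.11 beacon or probe response frame. Added example for the advisory
 * above; it is not FreeBSD's net80211 code and not the SA-06:05 patch. It
 * shows the class of defect the advisory describes: an element length read
 * from the frame must be checked against the bytes actually received before
 * it is used to copy or advance, or a corrupt frame walks past its buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELEMID_SSID   0    /* SSID element id (IEEE 802.11) */
#define MAX_SSID_LEN  32   /* maximum SSID length in the standard */

/* What a scanner keeps per discovered network (minimal, for the example). */
struct scan_entry {
    uint8_t ssid[MAX_SSID_LEN];
    size_t  ssid_len;
};

/* Parse the IE list at frm ('remaining' bytes available). Returns 0 when
 * every element fits and an SSID was found, -1 for a truncated or over-long
 * element. Copies the SSID into out; no path writes past out->ssid. */
int parse_beacon_ies(const uint8_t *frm, size_t remaining, struct scan_entry *out)
{
    int seen_ssid = 0;
    out->ssid_len = 0;

    while (remaining > 0) {
        if (remaining < 2)            /* not even an [id][len] header left */
            return -1;
        uint8_t id  = frm[0];
        uint8_t len = frm[1];
        frm += 2;
        remaining -= 2;

        /* Critical check: the claimed payload must fit in what is left. The
         * comparison is on lengths, not on a computed end pointer, so the
         * check itself cannot wrap around. */
        if (len > remaining)
            return -1;

        if (id == ELEMID_SSID) {
            if (len > sizeof out->ssid)   /* would overflow the fixed buffer */
                return -1;
            memcpy(out->ssid, frm, len);
            out->ssid_len = len;
            seen_ssid = 1;
        }
        /* Other element ids are skipped; their length was already validated. */
        frm += len;
        remaining -= len;
    }
    return seen_ssid ? 0 : -1;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_ies[] = {
    0x00, 0x06, 'l', 'a', 'b', '-', 'a', 'p',   /* SSID "lab-ap"              */
    0x01, 0x03, 0x82, 0x84, 0x8b                /* Supported Rates: 1, 2, 5.5 */
};
/* Corrupt: the SSID element claims 255 payload bytes but only 4 follow. */
static const uint8_t truncated_ies[] = { 0x00, 0xff, 'x', 'y', 'z', 'w' };

int check_good(void)
{
    struct scan_entry e;
    return parse_beacon_ies(good_ies, sizeof good_ies, &e) == 0
        && e.ssid_len == 6 && memcmp(e.ssid, "lab-ap", 6) == 0;
}

int check_truncated(void)
{
    struct scan_entry e;
    return parse_beacon_ies(truncated_ies, sizeof truncated_ies, &e) == -1;
}

/* Well-formed on the wire, but the SSID (40 bytes) exceeds the 32-byte
 * destination, so the copy is refused rather than overflowing. */
int check_too_long(void)
{
    uint8_t frame[2 + 40];
    struct scan_entry e;
    frame[0] = ELEMID_SSID;
    frame[1] = 40;
    memset(frame + 2, 'a', 40);
    return parse_beacon_ies(frame, sizeof frame, &e) == -1;
}

int main(void)
{
    printf("good=%d truncated=%d too_long=%d\n",
           check_good(), check_truncated(), check_too_long());
    return 0;
}
```

Two checks carry the weight: the element length against the bytes still unread in the frame, and the element length against the fixed destination. Both are done before any copy or pointer advance, and both compare sizes rather than computed end addresses, which is what keeps the checks themselves from wrapping. A kernel scanner that is fed frames from the air is parsing fully untrusted input, so every length field it reads needs this treatment, and a frame that fails either check is dropped rather than partially processed.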