From owner-freebsd-security Sun Oct 24 4: 7:52 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gerpa.ru (gerpa.ru [212.24.32.162]) by hub.freebsd.org (Postfix) with ESMTP id BE6EA14BE3 for ; Sun, 24 Oct 1999 04:06:49 -0700 (PDT) (envelope-from matrix@gerpa.ru)
Received: from m1 (p188.pol.ru [212.24.38.188]) by gerpa.ru (8.9.3/8.9.3) with SMTP id PAA13240 for ; Sun, 24 Oct 1999 15:16:37 +0400 (MSD)
Message-ID: <001b01bf1e10$20288660$0100a8c0@m1>
From: "Artem Koutchine"
Subject: file security utility
Date: Sun, 24 Oct 1999 15:08:27 +0400

I don't know if such a utility already exists, so here is what I need it to do:

1) Check files, using filters, and all specified filesystems for changes in size/date/time/mode/owner/name.

2) Files/dirs/filesystems must be grouped into several types, and for each type the allowed (not dangerous) modifications must be specified (chmod and mask; owner and list of possible owners; size and range for size; name change and regexp for name; access and time range for possible access, and so on; deletion).

3) Only for those files/dirs/filesystems which have been changed in a dangerous manner (not described as allowed) is a report generated. Or, at least, they are put first, so I don't have to look through a long list of modified files.

Is there such a utility? If not, I'll do it (I hope), because I really need it.

Also, the tech question is how do I detect renaming. I'm quite sure that a file is not just specified by its name but by i-node or something. So, how do I detect that a file has been renamed but is still the same file?

Artem Koutchine (Артем Кучин)
Sys/Net/Web Admin, Web Designer, Programmer
WWW: http://idesign.pp.ru
E-Mail: matrix@chat.ru
No attachments w/o my permission!!! (Do not send files without permission!!!)
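The i-node question above is the crux of rename detection: a checker that keys its baseline on (device, inode) instead of on the path gets renames almost for free, because a rename within one filesystem keeps the inode. The following is an added example written for this archive; it is not code from the thread, from tripwire or from mtree. It snapshots a tree keyed by (st_dev, st_ino), classifies paths with a policy table whose regexes and attribute sets are constructed assumptions, and reports only the changes a class does not permit, so a renamed file surfaces as a "path" change on the same inode while a growing log file under its allowed class stays silent.

```python
import hashlib
import os
import re
import stat
from typing import Dict, List, Tuple

# A file's identity is (st_dev, st_ino), not its name: a rename within one
# filesystem keeps the inode, so the same key under a new path is a rename.
Key = Tuple[int, int]

# Constructed policy for this example: the first regex that matches a path
# selects the file's class, and the set lists the attributes that class may
# change without a report.  Unclassified files may not change at all.
DEFAULT_POLICY = [
    (re.compile(r"/var/log/"), {"size", "mtime", "sha256"}),
    (re.compile(r"/var/tmp/"), {"size", "mtime", "sha256", "mode", "uid",
                                "path", "deleted", "created"}),
]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[Key, dict]:
    """Record every regular file below root, keyed by (device, inode)."""
    snap: Dict[Key, dict] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and FIFOs are not tracked here
            snap[(st.st_dev, st.st_ino)] = {
                "path": path,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": sha256_of(path),
            }
    return snap


def allowed_changes(path: str, policy) -> set:
    for pattern, allowed in policy:
        if pattern.search(path):
            return allowed
    return set()


def compare(baseline: Dict[Key, dict], current: Dict[Key, dict],
            policy=DEFAULT_POLICY) -> Dict[str, List[str]]:
    """Return {path: [disallowed changes]}, so only dangerous changes show up.

    Caveats before trusting the output: editors that write a new file and
    rename it over the old one allocate a fresh inode, so an edit can appear
    as "deleted" plus "created"; an inode number freed by a deletion can be
    reused by an unrelated new file, which then looks like a rename, and it
    is the hash and the other attributes that expose that; and a rename
    across filesystems always looks like delete plus create.
    """
    report: Dict[str, List[str]] = {}
    for key, old in baseline.items():
        new = current.get(key)
        changes = {"deleted"} if new is None else {a for a in old if old[a] != new[a]}
        dangerous = changes - allowed_changes(old["path"], policy)
        if dangerous:
            report[old["path"]] = sorted(dangerous)
    for key, new in current.items():
        if key not in baseline and "created" not in allowed_changes(new["path"], policy):
            report[new["path"]] = ["created"]
    return report
```

Run snapshot() once on a known-good system, store the result somewhere the machine cannot write to, and diff later snapshots against it with compare(); the baseline is only as trustworthy as the medium it lives on.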
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

----------------------------------------------------------------------
Date: Sun, 24 Oct 1999 17:19:26 -0400 (EDT)
Reply-To: Will Andrews
From: Will Andrews
To: Artem Koutchine
Cc: freebsd-security@FreeBSD.ORG
Subject: RE: file security utility

On 24-Oct-99 Artem Koutchine wrote:
> Is there such a utility? If not, I'll do it (I hope), because I really need it.

Your description strikes me as something /usr/ports/security/tripwire does. :-)

--
Will Andrews
GCS/E/S @d- s+:+>+:- a--->+++ C++ UB++++ P+ L- E--- W+++ !N !o ?K w--- ?O M+ V-- PS+ PE++ Y+ PGP+>+++ t++ 5 X++ R+ tv+ b++>++++ DI+++ D+ G++>+++ e->++++ h! r-->+++ y?

----------------------------------------------------------------------
From: Fernando Schapachnik
To: matrix@gerpa.ru (Artem Koutchine)
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: file security utility
Date: Sun, 24 Oct 1999 18:20:14 -0300 (GMT)

Take a look at tripwire from ports.

In an earlier message, Artem Koutchine wrote:
> I don't know if such a utility already exists, so here is
> what I need it to do:
[...]

Fernando P. Schapachnik
Network administration
VIA Net Works Argentina SA
Diagonal Roque Sáenz Peña 971, 4th and 5th floor.
1035 - Capital Federal, Argentina.
(54-11) 4323-3333
http://www.via-net-works.net.ar

----------------------------------------------------------------------
From: "Mr Magoo"
Subject: RE: kernel patch to detect port scan, without turning on ports...
Date: Sun, 24 Oct 1999 18:48:38 -0500

How would you go about making these messages go into a syslogd file? I've never really understood how to put things into a log file with it.

BTW, can you do the same thing for ICMPs?

-- A.G. Russell IV wrote:
> Sorry if this is redundant,
> I'm looking for the kernel patch to allow detection of a port scan without
> turning on each of the ports.

Execute the following

    sysctl -w net.inet.tcp.log_in_vain=1
    sysctl -w net.inet.udp.log_in_vain=1

You'll get a console log message whenever someone tries to reach a port which isn't listening.

- mark

--------------------------------------------------------------------
I tried an internal modem,                      newton@atdot.dotat.org
    but it hurt when I walked.
Mark Newton ----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

----------------------------------------------------------------------
Date: Sun, 24 Oct 1999 19:59:06 -0400
To: "Mr Magoo"
From: Mike Tancsa
Subject: RE: kernel patch to detect port scan, without turning on ports...

At 07:48 PM 10/24/99, Mr Magoo wrote:
>How would you go about making these messages go into a syslogd file? I've
>never really understood how to put things into a log file with it.
> BTW, can you do the same thing for ICMPs?

Add the line

    kern.*    /var/log/kern

to /etc/syslog.conf (then kill -1 `cat /var/run/syslog.pid` to signal syslogd to reread its config file).

To log all icmp traffic, one way to do it is via ipfw, e.g.

    ipfw add 500 allow log icmp from any to any

or

    ipfw add 500 allow log icmp from any to any icmptype 0,8

for just pings. It too will get logged via syslog to kern.

---Mike
**********************************************************************
Mike Tancsa, Network Admin          * mike@sentex.net
Sentex Communications Corp,         * http://www.sentex.net/mike
Cambridge, Ontario                  * 01.519.651.3400
Canada                              *

----------------------------------------------------------------------
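Once the kern.* rule has the log_in_vain messages in /var/log/kern, the useful next step is to read a scan out of them instead of eyeballing the file. The following is an added example, not code from the thread or from FreeBSD. It assumes each line carries the kernel's "Connection attempt to TCP|UDP <dst>:<port> from <src>:<port>" text behind the usual syslog stamp; the sample lines, the "gw" hostname and the addresses are constructed. A source that touches several distinct closed ports within a short window is flagged, while a source that hits one port repeatedly (ident probes from every mail server that connects, say) is not, which is what keeps the report short.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed sample of /var/log/kern lines.  Assumption: the message text is the
# kernel's log_in_vain format, prefixed by the syslog stamp, host and "/kernel:".
SAMPLE_LOG = """\
Oct 24 19:01:02 gw /kernel: Connection attempt to TCP 203.0.113.5:21 from 198.51.100.7:41001
Oct 24 19:01:02 gw /kernel: Connection attempt to TCP 203.0.113.5:22 from 198.51.100.7:41002
Oct 24 19:01:03 gw /kernel: Connection attempt to TCP 203.0.113.5:23 from 198.51.100.7:41003
Oct 24 19:01:03 gw /kernel: Connection attempt to TCP 203.0.113.5:25 from 198.51.100.7:41004
Oct 24 19:01:04 gw /kernel: Connection attempt to TCP 203.0.113.5:80 from 198.51.100.7:41005
Oct 24 19:01:04 gw /kernel: Connection attempt to UDP 203.0.113.5:161 from 198.51.100.7:41006
Oct 24 19:05:30 gw /kernel: Connection attempt to TCP 203.0.113.5:113 from 192.0.2.9:3344
Oct 24 19:05:31 gw /kernel: Connection attempt to TCP 203.0.113.5:113 from 192.0.2.9:3345
Oct 24 19:07:00 gw /kernel: some unrelated kernel message
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ \S+ "
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+)"
)

Port = Tuple[str, int]                       # (protocol, closed port that was probed)
Event = Tuple[datetime, str, Port]           # (time, source address, port)


def parse(log_text: str) -> Iterator[Event]:
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other kern.* lines share the file; skip them
            # syslog stamps carry no year; only time differences are used below
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["src"], (m["proto"], int(m["dport"]))


def find_scanners(log_text: str, window: int = 60,
                  min_ports: int = 5) -> Dict[str, List[Port]]:
    """Sources that probed at least min_ports distinct closed ports within window seconds."""
    by_src: Dict[str, List[Tuple[datetime, Port]]] = defaultdict(list)
    for ts, src, port in parse(log_text):
        by_src[src].append((ts, port))
    scanners: Dict[str, List[Port]] = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct ports probed in the window that opens at this event
            ports = {p for t, p in events[i:] if (t - start).total_seconds() <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} closed ports probed: {ports}")
```

Tune window and min_ports to the host: a mail relay sees port 113 from many sources and a web server sees the occasional stray port 443, and neither should trip the threshold on its own.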
From: Archie Cobbs
To: bertke@bellsouth.net (Bert Kellerman)
Cc: security@FreeBSD.ORG
Subject: Re: GRE/IP 47/PPTP
Date: Sun, 24 Oct 1999 20:38:47 -0700 (PDT)

Bert Kellerman writes:
> > True in general.. however, if all you're using GRE for is PPTP, then
> > you can multiplex on the call identifier in the PPTP/GRE header.
> >
> > -Archie
>
> Are you referring to the optional 32 bit key field in the GRE
> header? Won't the packet on the way back in have a different key
> field, as this is used for authenticating the sender, and change?
> The natd implementation would then need a way to calculate the
> expected return key field to differentiate between connections.
> However, since there is a 32 bit sequence number in the GRE header
> like TCP, I wonder if it would be possible for the router to recreate
> the internal sequence numbers and assign each internal client a
> limited pool out of the 32 bit outside sequence block. Could this
> be possible? I mean how many times has a single TCP session used
> all 4 million sequence numbers? RFC 1701 states that this sequence
> number field is also optional so this might not work for all vendors.

No, read the PPTP RFC and look for the call ID. PPTP has its own custom version of the GRE header.

  http://www.es.net/pub/rfcs/rfc2637.txt

You spoof the Call ID just like normal natd spoofs TCP/UDP port numbers. You would also have to swizzle the data inside the control stream, to spoof the Call ID there as well.

-Archie
___________________________________________________________________________
Archie Cobbs   *   Whistle Communications, Inc.   *   http://www.whistle.com
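What "spoof the Call ID" means at the byte level, as an added example that is not natd's code and not from the thread: the constants and field offsets are those of RFC 2637 (the enhanced GRE header, and the Outgoing-Call-Request and Outgoing-Call-Reply control messages), while the CallIdNat class, the external ID range starting at 0x4000 and the message bytes in the test are illustrative assumptions. Two internal clients that happen to pick the same call ID get distinct external IDs in their outgoing requests, the Peer's Call ID in the server's reply is mapped back, and inbound GRE data is demultiplexed on the Call ID alone, because GRE carries no ports.

```python
import struct
from typing import Dict, Tuple

# Enhanced GRE header of RFC 2637 section 4.1 and the two control messages that
# carry call IDs.  The constants and offsets are the RFC's; the NAT logic below is
# an illustration written for this example, not natd's implementation.
GRE_PROTO_PPP = 0x880B                              # protocol type: PPP
FLAG_K, FLAG_S, FLAG_A = 0x2000, 0x1000, 0x0080     # Key, Sequence, Ack present
PPTP_MAGIC = 0x1A2B3C4D
OCRQ, OCRP = 7, 8                                   # Outgoing-Call-Request / -Reply


def build_gre(call_id: int, payload: bytes, seq: int = None, ack: int = None) -> bytes:
    """flags/ver(2) proto(2) payload length(2) call ID(2) [seq(4)] [ack(4)] payload"""
    flags, opt = FLAG_K | 1, b""                    # K=1 and version 1: enhanced GRE
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    if ack is not None:
        flags |= FLAG_A
        opt += struct.pack("!I", ack)
    return struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id) + opt + payload


def parse_gre(pkt: bytes) -> dict:
    flags, proto, length, call_id = struct.unpack("!HHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (flags & 7) != 1 or not (flags & FLAG_K):
        raise ValueError("not a PPTP enhanced GRE packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    if flags & FLAG_A:
        ack, off = struct.unpack("!I", pkt[off:off + 4])[0], off + 4
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": pkt[off:off + length]}


def _ctrl_type(msg: bytes) -> int:
    mtype, magic, ctype = struct.unpack("!HIH", msg[2:10])
    return ctype if mtype == 1 and magic == PPTP_MAGIC else -1


class CallIdNat:
    """(client address, client-chosen call ID) <-> unique external call ID.

    GRE has no ports, so the 16-bit Call ID is the only field that tells two
    clients' tunnels apart on the outside.  The client's ID goes out in the
    Outgoing-Call-Request and comes back in every GRE packet the server sends,
    so it is rewritten in both places, exactly as natd rewrites source ports.
    """

    def __init__(self, first_external: int = 0x4000):
        self.next_id = first_external
        self.outbound: Dict[Tuple[str, int], int] = {}
        self.inbound: Dict[int, Tuple[str, int]] = {}

    def allocate(self, client_ip: str, internal_id: int) -> int:
        key = (client_ip, internal_id)
        if key not in self.outbound:
            self.outbound[key] = self.next_id
            self.inbound[self.next_id] = key
            self.next_id += 1
        return self.outbound[key]

    def control_out(self, client_ip: str, msg: bytes) -> bytes:
        """Client -> server on TCP 1723: swizzle Call ID (offset 12) of a Request."""
        if _ctrl_type(msg) != OCRQ:
            return msg
        ext = self.allocate(client_ip, struct.unpack("!H", msg[12:14])[0])
        return msg[:12] + struct.pack("!H", ext) + msg[14:]

    def control_in(self, msg: bytes) -> bytes:
        """Server -> client: Peer's Call ID (offset 14) of a Reply is our external ID."""
        if _ctrl_type(msg) != OCRP:
            return msg
        _ip, internal = self.inbound[struct.unpack("!H", msg[14:16])[0]]
        return msg[:14] + struct.pack("!H", internal) + msg[16:]

    def gre_in(self, pkt: bytes) -> Tuple[str, bytes]:
        """Server -> client data: demultiplex on the Call ID, restore the client's ID."""
        client_ip, internal = self.inbound[parse_gre(pkt)["call_id"]]
        return client_ip, pkt[:6] + struct.pack("!H", internal) + pkt[8:]
```

A real implementation also has to age mappings out when a Call-Clear-Request or Call-Disconnect-Notify passes through, and must keep the control stream's TCP sequence numbers consistent if a rewrite ever changes message length; the Call ID swap above is length-preserving, which is why it can be done in place.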
----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 08:37:33 -0200 (EDT)
From: Paulo Fragoso
To: freebsd-security@freebsd.org
Subject: Procmail + Sendmail

Hi,

We've got one server without shell access; only the POP3, FTP and HTTP protocols are permitted. We're upgrading this machine to FreeBSD 3.3-RELEASE and we're thinking of using procmail instead of mail.local.

Is it possible to use .procmailrc, like .forward, to exec any program (like gcc) on this machine? To block .forward we're using SMRSH on sendmail, which works fine.

Is procmail secure?

Thanks,
Paulo Fragoso.

------
" ... Overall we've found FreeBSD to excel in performance, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else"
-David Filo, Yahoo!

----------------------------------------------------------------------
From: Christoph Sold
To: Paulo Fragoso
Cc: freebsd-security@freebsd.org
Subject: Procmail + Sendmail
Date: Mon, 25 Oct 1999 13:02:05 +0200 (CEST)

Paulo Fragoso writes:
> Hi,
>
> We've got one server without shell access; only the POP3, FTP and HTTP
> protocols are permitted. We're upgrading this machine to FreeBSD 3.3-RELEASE
> and we're thinking of using procmail instead of mail.local.

Good.

> Is it possible to use .procmailrc, like .forward, to exec any
> program (like gcc) on this machine? To block .forward we're using SMRSH
> on sendmail, which works fine.

It is possible to pipe mail into any command. You may have to give some thought to blocking this feature, since it cannot be disabled as easily as sendmail can utilize smrsh. Building a small jail should suffice, though.

> Is procmail secure?

Depends how you install it.

> Thanks,
> Paulo Fragoso.

You're welcome.

-Christoph Sold

----------------------------------------------------------------------
From: Zahemszky Gabor
To: freebsd-security@freebsd.org
Cc: matrix@gerpa.ru
Subject: Re: file security utility
Date: Mon, 25 Oct 1999 13:24:16 +0200 (CEST)

> I don't know if such a utility already exists, so here is
> what I need it to do:
> 1) Check files, using filters, and all specified filesystems for
> changes in size/date/time/mode/owner/name
> 2) Files/dirs/filesystems must be grouped into several types, and for
> each type the allowed (not dangerous) modifications must be
> specified (chmod and mask, owner and list of possible
> owners, size and range for size, name change and regexp for
> name, access and time range for possible access and so on,
> deletion)
> 3) Only for those files/dirs/filesystems which have been
> changed in a dangerous manner (not described as allowed)
> is a report generated. Or, at least, they are put first, so I don't
> have to look through a long list of modified files.
>
> Is there such a utility? If not, I'll do it (I hope), because I really need it.

1) tripwire
2) home-made script(s) with the unknown FreeBSD mtree(8) command

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 12:46:39 -0700 (PDT)
From: Kris Kennaway
To: Mike Nowlin
Cc: Robert Watson, security@FreeBSD.ORG
Subject: Re: Kerberos integration into ports--in particular, SSH

On Sat, 23 Oct 1999, Mike Nowlin wrote:

> Is there a doc somewhere which gets into this, or does one need to be
> written? We're trying to handle security through a PAM/(PostgreSQL|MySQL)
> interface as much as possible, so we're willing to do a bit of fixing if
> necessary.

There's a lot of documentation at:

  http://www.us.kernel.org/pub/linux/libs/pam/index.html

In particular, see

  http://www.us.kernel.org/pub/linux/libs/pam/pre/doc/Linux-PAM-0.70-docs.tar.bz2

although that refers to a slightly newer version than what we have in the tree at present (0.65). One of the documents is a guide for PAMifying applications (more or less).

Kris

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 18:19:24 -0200 (EDT)
From: Paulo Fragoso
To: Christoph Sold
Cc: freebsd-security@freebsd.org
Subject: Re: Procmail + Sendmail

On Mon, 25 Oct 1999, Christoph Sold wrote:

> > Is it possible to use .procmailrc, like .forward, to exec any
> > program (like gcc) on this machine? To block .forward we're using SMRSH
> > on sendmail, which works fine.
>
> It is possible to pipe mail into any command. You may have to give
> some thought to blocking this feature, since it cannot be disabled
> as easily as sendmail can utilize smrsh. Building a small jail should
> suffice, though.

Where can I find any examples of building a jail for procmail?

> > Is procmail secure?
>
> Depends how you install it.

Hmm... I have installed it from ports. Is it necessary to do anything more?

Thanks,
Paulo Fragoso.

------
" ... Overall we've found FreeBSD to excel in performance, stability, technical support, and of course price. Two years after discovering FreeBSD, we have yet to find a reason why we switch to anything else"
-David Filo, Yahoo!
----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 16:38:34 -0400
To: Paulo Fragoso
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Procmail + Sendmail
From: Andrew Arensburger

On Mon, 25 Oct 1999 08:37:33 -0200, Paulo Fragoso wrote:
> We've got one server without shell access; only the POP3, FTP and HTTP
> protocols are permitted. We're upgrading this machine to FreeBSD 3.3-RELEASE
> and we're thinking of using procmail instead of mail.local.
>
> Is it possible to use .procmailrc, like .forward, to exec any
> program (like gcc) on this machine? To block .forward we're using SMRSH
> on sendmail, which works fine.

Any user can put anything they like in their .procmailrc, so this is a problem. One solution I've come across is to patch 'procmail' to use 'smrsh' instead of /bin/sh when executing commands. I haven't tried this yet, though, so I don't know how easy this is to do.

--
Andrew Arensburger, Systems guy                 Center for Automation Research
arensb@cfar.umd.edu                                    University of Maryland
        Nine hundred years ago, I couldn't spell transcendent parahuman deity, and now I are one.

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 15:36:06 -0700 (PDT)
From: "Me Uh, K."
Reply-To: pram512@yahoo.com
To: freebsd-security@freebsd.org
Subject: Probably off-topic

I suppose this is probably the wrong list to ask, but I'm looking for security reasons, so I suppose I'm halfway justified.

Does anyone know if there is a complete set of man pages in HTML format anywhere on the web?

I've done a couple of quick searches for them, but can't find them anywhere, or can sometimes find a partial set.

-mia k

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 17:36:40 -0400 (EDT)
From: Bill Fumerola
To: "Me Uh, K."
Cc: freebsd-security@freebsd.org
Subject: Re: Probably off-topic

On Mon, 25 Oct 1999, Me Uh, K. wrote:

> Does anyone know if there is a complete set of man
> pages in HTML format anywhere on the web?

http://www.freebsd.org/cgi/man.cgi, I suppose.

--
- bill fumerola - billf@chc-chimes.com - BF1560 - computer horizons corp -
- ph:(800) 252-2421 - bfumerol@computerhorizons.com - billf@FreeBSD.org -

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 15:35:19 -0700 (PDT)
From: Liam Slusser
To: "Me Uh, K."
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Probably off-topic

try: http://www.freebsd.org/cgi/man.cgi ;)

liam

System Administrator
Tiora Networks | www.tiora.net <---- tiora's webpage
www.tiora.net/~liam <----- homepage | liam@tiora.net <-- my email address
Lowered turbo powered Honda Civics are really cool. <---------- my quote

On Mon, 25 Oct 1999, Me Uh, K. wrote:

> I suppose this is probably the wrong list to ask, but
> I'm looking for security reasons, so I suppose I'm
> halfway justified.
>
> Does anyone know if there is a complete set of man
> pages in HTML format anywhere on the web?
>
> I've done a couple of quick searches for them, but
> can't find them anywhere, or can sometimes find a
> partial set.
>
> -mia k

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 18:31:56 -0500 (CDT)
From: James Wyatt
To: Liam Slusser
Cc: "Me Uh, K.", freebsd-security@FreeBSD.ORG
Subject: Re: Probably off-topic

On Mon, 25 Oct 1999, Liam Slusser wrote:
> try: http://www.freebsd.org/cgi/man.cgi
> > Does anyone know if there is a complete set of man
> > pages in HTML format anywhere on the web?

Gee whiz, these guys have man pages from lotsa places! Where might one obtain man.cgi in file form? I would like it on my laptop and for the AIX pages at work... - Jy@

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 19:43:23 -0400 (EDT)
From: Matt Gostick
To: James Wyatt
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Probably off-topic

Try http://www.linuxdoc.org/docs.html#man

Matt.

On Mon, 25 Oct 1999, James Wyatt wrote:

> On Mon, 25 Oct 1999, Liam Slusser wrote:
> > try: http://www.freebsd.org/cgi/man.cgi
> > > Does anyone know if there is a complete set of man
> > > pages in HTML format anywhere on the web?
>
> Gee whiz, these guys have man pages from lotsa places! Where might one
> obtain man.cgi in file form? I would like it on my laptop and for the AIX
> pages at work... - Jy@

----------------------------------------------------------------------
Date: Mon, 25 Oct 1999 19:54:14 -0400
From: Brian Reichert
To: "Me Uh, K."
Cc: freebsd-security@freebsd.org
Subject: Re: Probably off-topic

On Mon, Oct 25, 1999 at 03:36:06PM -0700, Me Uh, K. wrote:
> I suppose this is probably the wrong list to ask, but
> I'm looking for security reasons, so I suppose I'm
> halfway justified.
>
> Does anyone know if there is a complete set of man
> pages in HTML format anywhere on the web?

Try

--
Brian 'you Bastard' Reichert          reichert@numachi.com
37 Crystal Ave. #303                  Daytime number: (781) 899-7484 x704
Derry NH 03038-1713 USA               Intel architecture: the left-hand path

----------------------------------------------------------------------
From: "David Erickson"
To:
Subject: Kerberos Authentication and SSH2
Date: Mon, 25 Oct 1999 20:40:30 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

I've compiled ssh2 on several machines. I didn't really pay attention to this until I tried to ssh between machines using ssh2. It appears that ssh2 isn't using kerberos but ssh1 does. I guess I didn't notice because the win32 ssh client I was using is ssh1 compliant.

Does ssh2 not use kerberos or have compilable kerberos options (I can't seem to find any in the source), or does ssh2 use pam and I am just missing some configuration settings in the pam.conf? I can't seem to find any documentation on kerberos and ssh2.

So am I going crazy? (or is it too late?)

Thanks,
Dave

From owner-freebsd-security Mon Oct 25 21:20:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gate.az.com (ip-216.145.8.235.az.com [216.145.8.235]) by hub.freebsd.org (Postfix) with ESMTP id 7CE7E1531D for ; Mon, 25 Oct 1999 21:19:56 -0700 (PDT) (envelope-from yankee@gate.az.com)
Received: (from yankee@localhost) by gate.az.com (8.8.5/8.8.5) id VAA06612; Mon, 25 Oct 1999 21:19:57 -0700 (PDT)
Date: Mon, 25 Oct 1999 21:19:57 -0700 (PDT)
From: "Dan Seafeldt, AZ.COM System Administrator"
To: freebsd-security@FreeBSD.ORG
Subject: IPDIVERT / natd
In-Reply-To: <001e01bf1f4a$bd633660$c802a8c0@columbia.mentis.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Clarification I suppose is needed ...

Take the case of HOST running natd/IPDIVERT/IPFIREWALL "open" on ethernet lan A, which it shares with at least 2 other host/gateways: GATEWAY X and GATEWAY Y. Both GATEWAYs can be used to reach DESTINATION a.b.c.d.

HOST receives a telnet packet from CLIENT on its incoming lan B interface bound for DESTINATION: it chooses to forward that packet out the LAN A interface to GATEWAY X because GATEWAY X was defined as the default route, no other qualified route exists for DESTINATION, and DESTINATION is not available via a directly attached interface. It works, natd works, just great.

However, let's add a new twist: what if the system admin chooses to send outbound telnets originating from the private subnet through sniffing GATEWAY Y using natd proxy_rule? Can this be done? Or is this beyond natd's current scope?

HOST lan B: 192.168.1.1
CLIENT (origin of telnet connection): 192.168.1.x
HOST lan A: x.x.x.50, default route is set to: x.x.x.100
GATEWAY X: x.x.x.100
GATEWAY Y: x.x.x.200 "the other gateway"
DESTINATION: a.b.c.d

syntax: (I tried this)

natd -a x.x.x.50 -proxy_rule type encode_ip_hdr port 23 server x.x.x.200:23

and this:

natd -a x.x.x.50 -proxy_rule type encode_tcp_stream port 23 server x.x.x.200:23

I wanted the packet forwarded to the other gateway address, marked properly (?) as a forwardable packet with the target address intact. But both ways tanked. I'm not clear on the two options anyway, but the trace looks like it might work. If I remember correctly, a gateway-bound packet has a special bit set in the IP header. Is that the missing ingredient, and if so could it be added to the proxy_rule without conflict?

By the way, I found that:

/sbin/natd -a x.x.x.50 -proxy_rule port 23 server x.x.x.200

does do something: it brings up 200's welcome no matter where you go, obviously by intended design and a nifty trick, but not quite what we're after here, although I'm sure I'll use that one elsewhere later on...

So if you have something before I go walking through the RFCs and natd source code, much appreciated.

From owner-freebsd-security Tue Oct 26 5:35:36 1999
Delivered-To: freebsd-security@freebsd.org
Received: from bifrost.agrknives.com (bifrost.hos.net [205.238.129.40]) by hub.freebsd.org (Postfix) with ESMTP id 9337614DD7 for ; Tue, 26 Oct 1999 05:35:15 -0700 (PDT) (envelope-from arussell@bifrost.agrknives.com)
Received: (from arussell@localhost) by bifrost.agrknives.com (8.8.8/8.8.8) id HAA04145 for security@freebsd.org; Tue, 26 Oct 1999 07:33:19 -0500 (CDT) (envelope-from arussell)
From: "A.G. Russell IV"
Message-Id: <199910261233.HAA04145@bifrost.agrknives.com>
Subject: sysquery: findns error (SERVFAIL)... bind/named attack?
To: security@freebsd.org
Date: Tue, 26 Oct 1999 07:33:19 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

I see the following several times overnight. Have I buggered up my dns, or is something fishy going on?

A.G.

Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
_______________________________________________________________________________
A.G. Russell IV KC5KFD High Order Software e-mail: ag4@hos.net
Phone 512-834-1145
These are my views, on anyone else they would look silly.
When it absolutely, positively has to be destroyed by tomorrow...
United States Marine Corps
-------------------------------------------------------------------------------

From owner-freebsd-security Tue Oct 26 5:58:17 1999
Delivered-To: freebsd-security@freebsd.org
Received: from plato.mentis.org (cc929562-a.hwrd1.md.home.com [24.6.133.228]) by hub.freebsd.org (Postfix) with ESMTP id C5F4614C48 for ; Tue, 26 Oct 1999 05:58:14 -0700 (PDT) (envelope-from erickson@mentis.org)
Received: from galifrey (master.mddsg.com [24.9.154.156]) by plato.mentis.org (8.9.3/8.9.3) with SMTP id IAA15685 for ; Tue, 26 Oct 1999 08:58:13 -0400 (EDT) (envelope-from erickson@mentis.org)
Message-ID: <00ea01bf1fb2$7b8644e0$c802a8c0@columbia.mentis.org>
From: "David Erickson"
To:
References: <199910261233.HAA04145@bifrost.agrknives.com>
Subject: Re: sysquery: findns error (SERVFAIL)... bind/named attack?
Date: Tue, 26 Oct 1999 09:03:22 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Is your internet connection up and working at all when this occurs?

Dave

----- Original Message -----
From: A.G. Russell IV
To:
Sent: Tuesday, October 26, 1999 8:33 AM
Subject: sysquery: findns error (SERVFAIL)... bind/named attack?

> I see the following several times overnight. Have I buggered up my dns, or is something
> fishy going on?
>
> A.G.
>
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
> Oct 26 03:38:27 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
> Oct 26 03:38:37 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on A.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on H.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on C.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on G.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.GTLD-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on F.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on B.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on I.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on E.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on D.ROOT-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on J.GTLD-SERVERS.NET?
> Oct 26 03:38:52 bifrost named[120]: sysquery: findns error (SERVFAIL) on K.GTLD-SERVERS.NET?
> _______________________________________________________________________________
> A.G. Russell IV KC5KFD High Order Software e-mail: ag4@hos.net
> Phone 512-834-1145
> These are my views, on anyone else they would look silly.
> When it absolutely, positively has to be destroyed by tomorrow...
> United States Marine Corps
> -------------------------------------------------------------------------------

From owner-freebsd-security Tue Oct 26 7:31:56 1999
Delivered-To: freebsd-security@freebsd.org
Received: from web1003.mail.yahoo.com (web1003.mail.yahoo.com [128.11.23.93]) by hub.freebsd.org (Postfix) with SMTP id 2494214C8A for ; Tue, 26 Oct 1999 07:31:49 -0700 (PDT) (envelope-from jphdumas@yahoo.fr)
Message-ID: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>
Received: from [195.115.72.29] by web1003.mail.yahoo.com; Tue, 26 Oct 1999 16:36:35 CEST
Date: Tue, 26 Oct 1999 16:36:35 +0200 (CEST)
From: "Jean-Pierre H. Dumas"
Subject: Security tests
To: FreeBSD-Security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

This is to verify the security of a FreeBSD 3.2 server I am installing. To be used as a POP3 toaster, with qmail and vmailmgr.

I installed and ran COPS (a really old one). It screamed at me about the /var/spool/uucppublic directory as being *world* writable. It barfed on the passwd and group having the wrong number of fields (I assume this is because of the use of perl 5 vs perl 3 at the time of creation of COPS, something like @_ changed meaning?)

Question: is the permission of /var/spool/uucppublic correct once in drwxrwxr-x? (I do not use uucp, but...)

Then I installed Nessus 0.98.3 on a SuSE Linux 6.2 (I could not build it, or run it on FreeBSD; I tried to use the port and it failed in a way I don't understand) and I did the scan of the server. No big deal, the biggest problem being that telnet is still the way to connect from a Windows client. Sniffers are only a very remote possibility in our context. (I have to check about ssh, but it is not done yet.)

Question: What more can I do to have a realistic report about this server's security? Are there any other scanners or whatever that I can get and run, either from within the server, or from outside (I have a FreeBSD 3.2, Linux and Windows 95 machine on the Ethernet)?

Regards,

Jean-Pierre

___________________________________________________________
Do You Yahoo!?
Your free @yahoo.fr e-mail at http://courrier.yahoo.fr

From owner-freebsd-security Tue Oct 26 8:40: 5 1999
Delivered-To: freebsd-security@freebsd.org
Received: from sol.cc.u-szeged.hu (sol.cc.u-szeged.hu [160.114.8.24]) by hub.freebsd.org (Postfix) with ESMTP id 22A3D14E33 for ; Tue, 26 Oct 1999 08:39:58 -0700 (PDT) (envelope-from sziszi@petra.hos.u-szeged.hu)
Received: from petra.hos.u-szeged.hu by sol.cc.u-szeged.hu (8.9.1b+Sun/SMI-SVR4) id RAA18665; Tue, 26 Oct 1999 17:40:12 +0200 (MET DST)
Received: from sziszi by petra.hos.u-szeged.hu with local-smtp (Exim 2.05 #1 (Debian)) id 11g8qk-0006dr-00; Tue, 26 Oct 1999 17:49:26 +0200
Date: Tue, 26 Oct 1999 17:49:26 +0200 (CEST)
From: Adam Szilveszter
Reply-To: cc@flanker.itl.net.ua
To: freebsd-security@freebsd.org
Cc: sziszi@petra.hos.u-szeged.hu
Subject: HP automountd security bulletin (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Hi!

I am not an expert but I would like to ask if we are vulnerable to this amd problem I got news about the other day...

Cheers:
Szilveszter

---------- Forwarded message ----------
Date: Fri, 22 Oct 1999 12:45:14 -0500
From: dsiebert@ENGINEERING.UIOWA.EDU
Reply-To: douglas-siebert@uiowa.edu
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: HP automountd security bulletin

> Digest Name: Daily Security Bulletins Digest
> Created: Thu Oct 21 3:00:03 PDT 1999
>
> Table of Contents:
>
> Document ID Title
> --------------- -----------
> HPSBUX9910-104 Security Advisory regarding automountd
>

I was involved with tracking down this vulnerability and reporting it to HP, SGI, and CERT, so I thought I'd contribute a bit more info for those of you (justifiably!) worried about this.

The exploit code has been around for a while, but was written in a way that made it pretty system specific and would be more difficult to build today (because the system it was written for is getting out of date :) ) Apparently it is not the one that automountd (aka autofsd) was "fixed" for previously. To make our testing easier, I modified it to be general and build and run on about any system, which would make it a whole lot more dangerous if I posted it (especially now when there are no vendor patches available), so I will not be doing that at this time. I will do so later after the vendors have had a chance to do their thing.

Who is vulnerable? As far as I know, all of the new generation automounters (the ones that use RPC, support executable maps, and no longer have the /tmp_mnt directory) are vulnerable. I have only personally tested against HP-UX 10.20 and IRIX 6.5.4; both are vulnerable. HP-UX 11.0 adds a wrinkle to make things harder, but I suspect the exploit could be modified and it would still work. I have no reason to believe IRIX 6.5.5 changed anything to make it not vulnerable. I have not tested against anything else -- HP, SGI, and CERT have a copy of the exploit, so all the vendors should have it by now.

I know that people with e.g. Sun, IBM, etc. systems would like to know if they are vulnerable. So I will make the exploit available to the moderators of Bugtraq if they wish to ask me for it, and they can make it available to people they trust to test it on other systems, and the findings can be reported. I just don't think it would be fair to the vast majority of sysadmins out there to just post it to the world now, when there is no good fix.

The vulnerability lets anyone anywhere run anything as root on your system. Since it uses RPC, you can't use tcpwrappers to block it or filter an extra port or two on your router. Unless you have an application level firewall or use the "deny all ; allow these few things" type of router rules, you can get hit. Even with a firewall, you are still vulnerable to anyone on the inside (I hope you trust them!) The exploit does not require root privileges to run (but it does require Unix, at least without a lot of work)

What can you do? If you are running that new generation automounter, unless/until you know for sure you are not vulnerable, I would go back to the old generation one immediately (the one that uses /tmp_mnt) That one is not vulnerable.

Who is using this exploit? Some systems at the U of Iowa were hit in the early AM on Monday the 18th; the footprint was adding "+ +" to /.rhosts and creating a file /tmp/bob and trying to run "inetd /tmp/bob". An old script kiddie script, used in many previous attacks on various other holes. This is the first we've seen of it, and it seems like the vendors and CERT were very much caught off guard that the automountd fix for the previous exploit was incomplete.

Ideally CERT would post a notice about this right away, and update it as soon as they get info from each vendor on the results of their testing, but unless they have changed their policies from what they were in the past, I don't think that this is going to happen, which is why I made the offer to send the exploit to the moderators of Bugtraq so they can determine what other systems are or are not vulnerable. Everyone else, please do NOT email me about this asking me for the code, asking me if OS XXX is or is not vulnerable, or asking me to try the exploit against one of your systems.

I had recently been thinking about "upgrading" to the new automounter (I had mainly been dragging my feet waiting for it to become stable on HP-UX) But now I don't think I ever will until they provide a way to completely disable executable maps (and put a sanity check in the code right before the fork() and exec(), to be extra sure no one finds a new code path to get around the checks) IMHO that code has no business existing. I wonder how many people really even make use of that misfeature?

--
Douglas Siebert
Director of Computing Facilities
douglas-siebert@uiowa.edu
Division of Mathematical Sciences, U of Iowa

I'm not too interested in caller ID. But caller IQ, I'll pay a lot for that!

From owner-freebsd-security Tue Oct 26 9:15:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from androcles.com (androcles.com [204.57.240.10]) by hub.freebsd.org (Postfix) with ESMTP id 42DAB14EBC for ; Tue, 26 Oct 1999 09:15:19 -0700 (PDT) (envelope-from alex@androcles.com)
Received: (from dhh@localhost) by androcles.com (8.9.3/8.9.3) id JAA30843; Tue, 26 Oct 1999 09:15:10 -0700 (PDT)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <19991025223606.10537.rocketmail@web1004.mail.yahoo.com>
Date: Tue, 26 Oct 1999 09:15:10 -0700 (PDT)
Reply-To: dhh@androcles.com
From: "Duane H. Hesser"
To: "Me Uh, K."
Subject: RE: Probably off-topic
Cc: freebsd-security@FreeBSD.ORG

On 25-Oct-99 Me Uh, K. wrote:
> I suppose this is probably the wrong list to ask, but
> I'm looking for security reasons, so I suppose I'm
> halfway-justified.
>
> Does anyone know if there is a complete set of Man
> pages in html format anywhere on the web?
>
> I've done a couple of quick searches for them, but
> can't find them anywhere, or can sometimes find a
> partial set.
>
> -mia k
>

"Rosetta Man" will allow you to create your own very nice set of HTML manual pages, with cross-reference links. It's in the ports as "rman". I have generally found this more effective than the CGI approach (perhaps a matter of taste).

--------------
Duane H. Hesser
dhh@androcles.com

From owner-freebsd-security Tue Oct 26 10: 6:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from green.myip.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id D2A2714BF9 for ; Tue, 26 Oct 1999 10:06:38 -0700 (PDT) (envelope-from green@FreeBSD.org)
Received: from localhost ([127.0.0.1] ident=green) by green.myip.org with esmtp (Exim 3.02 #1) id 11gA3D-000DWC-00; Tue, 26 Oct 1999 13:06:23 -0400
Date: Tue, 26 Oct 1999 13:06:21 -0400 (EDT)
From: Brian Fundakowski Feldman
X-Sender: green@green.myip.org
To: "Jean-Pierre H. Dumas"
Cc: FreeBSD-Security@freebsd.org
Subject: Re: Security tests
In-Reply-To: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 26 Oct 1999, Jean-Pierre H. Dumas wrote:
> Is there any other scanners or whatever that I can get
> and run, either from within the server, or from
> outside (I have a FreeBSD 3.2, Linux and Windows 95
> machine on the Ethernet)

The only way to really know if your system is "secure" is to thoroughly audit and test it after having attempted to secure it. One tool you may be interested in assisting you for checking local and remote security is SATAN; be careful though, since it doesn't know how to do _everything_.

>
> Regards,
>
> Jean-Pierre

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

From owner-freebsd-security Tue Oct 26 12:35:48 1999
Delivered-To: freebsd-security@freebsd.org
Received: from quaggy.ursine.com (lambda.blueneptune.com [209.133.45.179]) by hub.freebsd.org (Postfix) with ESMTP id 962C41523E for ; Tue, 26 Oct 1999 12:35:39 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Received: from michael (lambda.ursine.com [209.133.45.69]) by quaggy.ursine.com (8.9.2/8.9.3) with ESMTP id MAA27734 for ; Tue, 26 Oct 1999 12:35:38 -0700 (PDT)
Message-ID: <199910261235370860.37A18FD1@quaggy.ursine.com>
X-Mailer: Calypso Version 3.00.00.13 (2)
Date: Tue, 26 Oct 1999 12:35:37 -0700
From: "Michael Bryan"
To: freebsd-security@freebsd.org
Subject: wuftpd port update for CERT CA-99.13?
Content-Type: text/plain; charset="ISO-8859-1"

I see that the wuftpd port (ports/ftp/wuftpd) was updated on Sunday, October 24th. It now brings the port up to version 2.6.0, which has important security fixes. Is an official security announcement from the security team in the pipeline?

Also, as reported earlier, the FreeBSD portion of the original CERT announcement is incorrect, as two of the three vulnerabilities were -not- addressed in the 8/30/99 updates to the port. They are only addressed by this update to 2.6.0 of wuftpd. It would probably be a good idea to get CERT to update their announcement:

http://www.cert.org/advisories/CA-99-13-wuftpd.html

Michael Bryan
fbsd-security@ursine.com

From owner-freebsd-security Tue Oct 26 14: 5:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from proxy4.ba.best.com (proxy4.ba.best.com [206.184.139.15]) by hub.freebsd.org (Postfix) with ESMTP id 7B28D14FE7; Tue, 26 Oct 1999 14:05:04 -0700 (PDT) (envelope-from ssamalin@ionet.net)
Received: from ionet.net (sam.ops.best.com [205.149.163.53]) by proxy4.ba.best.com (8.9.3/8.9.2/best.out) with ESMTP id OAA13326; Tue, 26 Oct 1999 14:02:51 -0700 (PDT)
Message-ID: <381616CE.A9C79619@ionet.net>
Date: Tue, 26 Oct 1999 17:02:06 -0400
From: Sam Samalin
X-Mailer: Mozilla 4.6 [en] (WinNT; I)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org, freebsd-net@freebsd.org
Subject: ftp with ipfw fwd
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

My ftp server isn't using the "PORT" port after the PORT call; it uses 20:

"Can't create data socket (n.n.n.n,20) : Can't assign requested address."

I'm using ipfw fwd. Do I need a rule?

From owner-freebsd-security Tue Oct 26 14:57:26 1999
Delivered-To: freebsd-security@freebsd.org
Received: from barracuda.aquarium.rtci.com (barracuda.aquarium.rtci.com [208.11.247.5]) by hub.freebsd.org (Postfix) with ESMTP id 0718814CC5 for ; Tue, 26 Oct 1999 14:57:22 -0700 (PDT) (envelope-from tstromberg@rtci.com)
Received: from rtci.com (chenresig@karma.afterthought.org [208.11.244.6]) by barracuda.aquarium.rtci.com (8.9.3/8.9.3) with ESMTP id RAA07052 for ; Tue, 26 Oct 1999 17:57:23 -0400 (EDT)
Message-ID: <3816239E.1D32BD32@rtci.com>
Date: Tue, 26 Oct 1999 17:56:47 -0400
From: Thomas Stromberg
Organization: Research Triangle Consultants, Inc.
X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-CURRENT i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: ipfilter howto available on the web now!
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

For those of you ipfilter users (and those of you curious why people prefer ipfilter over ipfw), a new HOW-TO has been written for ipfilter by Brenden Conoboy & Erik Fichtner. It is available at

http://www.obfuscation.org/ipf/ipf-howto.txt

* This HOWTO is still under development, some sections are even empty *

Some things it discusses:

- Rule processing & precedence
- Keeping States (real-states, not just what the packet says)
- Returning ICMP & RST packets
- Setting up ipnat (Name to Address Translation)
- ipmon & ipfstat

I found it useful, as we're about to set up a nice dual-PII 400 (not that a firewall takes up much CPU, it just happened to be around) ipfilter/ipnat/socks/squid proxy.

--
======================================================================
thomas r. stromberg                          smtp://tstromberg@rtci.com
assistant is manager / systems guru         http://thomas.stromberg.org
research triangle commerce, inc.          finger://thomas@stromberg.org
'om mani padme hung'                       pots://1.919.380.9771:3210
----------------------------------------------------------------------
GPS $GCS d? s: a-- C+++ $UB++++ $US+++ $P++++ L- E- W++ N w- V-- PE-- Y+
tv-- b+++ e h r G D-- $DI++ t+ rbt C B++ xi xw !D
================================================================[eof]=

From owner-freebsd-security Tue Oct 26 15: 5:28 1999
Delivered-To: freebsd-security@freebsd.org
Received: from zippy.cdrom.com (zippy.cdrom.com [204.216.27.228]) by hub.freebsd.org (Postfix) with ESMTP id 8E2AF14C07 for ; Tue, 26 Oct 1999 15:05:26 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
Received: from localhost (localhost [127.0.0.1]) by zippy.cdrom.com (8.9.3/8.9.3) with ESMTP id PAA83720; Tue, 26 Oct 1999 15:05:11 -0700 (PDT) (envelope-from jkh@zippy.cdrom.com)
To: "Jean-Pierre H. Dumas"
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: Security tests
In-reply-to: Your message of "Tue, 26 Oct 1999 16:36:35 +0200." <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>
Date: Tue, 26 Oct 1999 15:05:10 -0700
Message-ID: <83716.940975510@localhost>
From: "Jordan K. Hubbard"

> This is to verify the security of a FreeBSD 3.2
> server I am installing. To be used as a POP3 toaster,
> with qmail and vmailmgr.

Before you do anything else, read the security man page.

- Jordan

From owner-freebsd-security Tue Oct 26 18:59:15 1999
Message-Id: <199910270158.SAA08102@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: cc@flanker.itl.net.ua
Cc: freebsd-security@FreeBSD.ORG, sziszi@petra.hos.u-szeged.hu
Subject: Re: HP automountd security bulletin (fwd)
In-reply-to: Your message of "Tue, 26 Oct 1999 17:49:26 +0200."
Date: Tue, 26 Oct 1999 18:58:03 -0700

In message , Adam Szilveszter writes:
> Hi!
>
> I am not an expert but I would like to ask if we are vulnerable to this
> amd problem I got news about the other day...

I would think that amd could be vulnerable because it supports program
filesystem (type:=program). This is not exactly the same as automountd's
executable maps, but I suspect it could be exploited in some way because
amd executes an external program to actually perform mounts/unmounts.

The following amd patch disables program maps.

--- src/usr.sbin/amd/include/config.h.orig Sun Aug 29 08:39:16 1999
+++ src/usr.sbin/amd/include/config.h Mon Oct 25 23:42:20 1999
@@ -35,7 +35,7 @@
 #define HAVE_AM_FS_INHERIT 1
 /* Define if have program filesystem */
-#define HAVE_AM_FS_PROGRAM 1
+/* #undef HAVE_AM_FS_PROGRAM */
 /* Define if have symbolic-link filesystem */
 #define HAVE_AM_FS_LINK 1

Regards,                      Phone:  (250)387-8437
Cy Schubert                   Fax:    (250)387-5766
Sun/DEC Team, UNIX Group      Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                     Cy.Schubert@gems8.gov.bc.ca
Province of BC
          "e**(i*pi)+1=0"

From owner-freebsd-security Wed Oct 27 2:38:57 1999
Message-ID: <3817008F.4779686C@zenon.net>
Date: Wed, 27 Oct 1999 13:39:27 +0000
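Review bot: the `-#define HAVE_AM_FS_PROGRAM 1` / `+/* #undef HAVE_AM_FS_PROGRAM */` change removes the program filesystem type for every amd map on the system, so any existing map entry using `type:=program` will stop mounting once this config.h is built; that consequence, and the fact that the covering mail only suspects (rather than demonstrates) that the type is exploitable, should be recorded in a comment beside the `#undef` or in the commit message, so that whoever later wonders why the feature is off can see it was a precautionary hardening.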
From: Alexander Bezroutchko
To: freebsd-security@FreeBSD.ORG
Subject: lookup() deadlock in 3.3-stable ?

Hi

I have a box running 3.3-STABLE which locks up several times per day.
After the system hangs, the ps command in DDB displays a lot of processes
in the "inode" state. I suspect a deadlock occurs:

  process 45676  unlink("msg/..")
    holds lock to "msg"
    tries to acquire lock to "msg/..", i.e. "."

  process 45678  stat("msg")
    holds lock to "."
    tries to acquire lock to "msg"

How-To-Repeat:

1. create test directory:
   mkdir t
2. run first process
   perl -e 'for(;;) { stat("t") || die }'
3. run second process
   perl -e 'for(;;) { unlink("t/..") || die }'
4. run a disk-bound process (one or more)
   find / > /dev/null

I have a kernel core and am ready to provide additional information.
--------------------------------------------------------------------------------
(kgdb) proc 45676
(kgdb) where
#0  mi_switch () at ../../kern/kern_synch.c:825
#1  0xc0141c91 in tsleep (ident=0xc2e02400, priority=8, wmesg=0xc01f229b "inode", timo=0) at ../../kern/kern_synch.c:443
#2  0xc013b613 in acquire (lkp=0xc2e02400, extflags=16777216, wanted=1536) at ../../kern/kern_lock.c:145
#3  0xc013b8a0 in debuglockmgr (lkp=0xc2e02400, flags=16842754, interlkp=0xd56529f0, p=0xd54dff40, name=0xc01ea7e3 "vop_stdlock", file=0xc01eaad7 "../../kern/vfs_subr.c", line=1275) at ../../kern/kern_lock.c:343
#4  0xc016234d in vop_stdlock (ap=0xd550cca8) at ../../kern/vfs_default.c:211
#5  0xc01a8ac9 in ufs_vnoperate (ap=0xd550cca8) at ../../ufs/ufs/ufs_vnops.c:2299
#6  0xc016b375 in debug_vn_lock (vp=0xd5652980, flags=65538, p=0xd54dff40, filename=0xc01eaad7 "../../kern/vfs_subr.c", line=1275) at vnode_if.h:811
#7  0xc0164d45 in vget (vp=0xd5652980, flags=65538, p=0xd54dff40) at ../../kern/vfs_subr.c:1275
#8  0xc01a3307 in ufs_ihashget (dev=1048, inum=899385) at ../../ufs/ufs/ufs_ihash.c:113
#9  0xc01a0c23 in ffs_vget (mp=0xc2d05e00, ino=899385, vpp=0xd550cdd0) at ../../ufs/ffs/ffs_vfsops.c:1053
#10 0xc01a3cb2 in ufs_lookup (ap=0xd550ce28) at ../../ufs/ufs/ufs_lookup.c:455
#11 0xc01a8ac9 in ufs_vnoperate (ap=0xd550ce28) at ../../ufs/ufs/ufs_vnops.c:2299
#12 0xc0160f2a in vfs_cache_lookup (ap=0xd550ce84) at vnode_if.h:55
#13 0xc01a8ac9 in ufs_vnoperate (ap=0xd550ce84) at ../../ufs/ufs/ufs_vnops.c:2299
#14 0xc0163429 in lookup (ndp=0xd550cf1c) at vnode_if.h:31
#15 0xc0162ee4 in namei (ndp=0xd550cf1c) at ../../kern/vfs_lookup.c:152
#16 0xc0168135 in unlink (p=0xd54dff40, uap=0xd550cf94) at ../../kern/vfs_syscalls.c:1311
#17 0xc01d1d0b in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 134537740, tf_esi = 134781872, tf_ebp = -1077946144, tf_isp = -716124188, tf_ebx = 672080476, tf_edx = 134718596, tf_ecx = 1, tf_eax = 10, tf_trapno = 7, tf_err = 2, tf_eip = 672495280, tf_cs = 31, tf_eflags = 514, tf_esp = -1077946192, tf_ss = 39}) at ../../i386/i386/trap.c:1100
#18 0xc01c711c in Xint0x80_syscall ()
#19 0x280882c4 in ?? ()
#20 0x28079c3d in ?? ()
#21 0x280df0be in ?? ()
#22 0x8048da8 in ?? ()
#23 0x8048cd5 in ?? ()
(kgdb) p *(struct lock*)0xc2e02400
$17 = {lk_interlock = {lock_data = 0}, lk_flags = 2098176, lk_sharecount = 0,
  lk_waitcount = 2, lk_exclusivecount = 1, lk_prio = 8,
  lk_wmesg = 0xc01f229b "inode", lk_timo = 0, lk_lockholder = 45678,
                                              ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
  lk_filename = 0xc01eaa0c "../../kern/vfs_lookup.c",
  lk_lockername = 0xc01ea7e3 "vop_stdlock", lk_lineno = 293}
(kgdb) p *(char**)0xd550cf94
$18 = 0x8089bb0 "msg/.."
(kgdb)
--------------------------------------------------------------------------------
(kgdb) proc 45678
(kgdb) where
#0  mi_switch () at ../../kern/kern_synch.c:825
#1  0xc0141c91 in tsleep (ident=0xc2e03e00, priority=8, wmesg=0xc01f229b "inode", timo=0) at ../../kern/kern_synch.c:443
#2  0xc013b613 in acquire (lkp=0xc2e03e00, extflags=16777216, wanted=1536) at ../../kern/kern_lock.c:145
#3  0xc013b8a0 in debuglockmgr (lkp=0xc2e03e00, flags=16842754, interlkp=0xd565d4f0, p=0xd5402b80, name=0xc01ea7e3 "vop_stdlock", file=0xc01eaad7 "../../kern/vfs_subr.c", line=1275) at ../../kern/kern_lock.c:343
#4  0xc016234d in vop_stdlock (ap=0xd5493d74) at ../../kern/vfs_default.c:211
#5  0xc01a8ac9 in ufs_vnoperate (ap=0xd5493d74) at ../../ufs/ufs/ufs_vnops.c:2299
#6  0xc016b375 in debug_vn_lock (vp=0xd565d480, flags=65538, p=0xd5402b80, filename=0xc01eaad7 "../../kern/vfs_subr.c", line=1275) at vnode_if.h:811
#7  0xc0164d45 in vget (vp=0xd565d480, flags=2, p=0xd5402b80) at ../../kern/vfs_subr.c:1275
#8  0xc0160e43 in vfs_cache_lookup (ap=0xd5493e3c) at ../../kern/vfs_cache.c:449
#9  0xc01a8ac9 in ufs_vnoperate (ap=0xd5493e3c) at ../../ufs/ufs/ufs_vnops.c:2299
#10 0xc0163429 in lookup (ndp=0xd5493ebc) at vnode_if.h:31
#11 0xc0162ee4 in namei (ndp=0xd5493ebc) at ../../kern/vfs_lookup.c:152
#12 0xc0168690 in stat (p=0xd5402b80, uap=0xd5493f94) at ../../kern/vfs_syscalls.c:1614
#13 0xc01d1d0b in syscall (frame={tf_es = 39, tf_ds = 39, tf_edi = 134537728, tf_esi = 134649276, tf_ebp = -1077946352, tf_isp = -716619804, tf_ebx = 672745064, tf_edx = 134649228, tf_ecx = 134852364, tf_eax = 188, tf_trapno = 12, tf_err = 2, tf_eip = 672492080, tf_cs = 31, tf_eflags = 514, tf_esp = -1077946768, tf_ss = 39}) at ../../i386/i386/trap.c:1100
#14 0xc01c711c in Xint0x80_syscall ()
#15 0x28177e0a in ?? ()
#16 0x28088a7a in ?? ()
#17 0x28079c3d in ?? ()
#18 0x280df0be in ?? ()
#19 0x8048da8 in ?? ()
#20 0x8048cd5 in ?? ()
(kgdb) p *(struct lock*)0xc2e03e00
$6 = {lk_interlock = {lock_data = 0}, lk_flags = 2098176, lk_sharecount = 0,
  lk_waitcount = 1, lk_exclusivecount = 1, lk_prio = 8,
  lk_wmesg = 0xc01f229b "inode", lk_timo = 0, lk_lockholder = 45676,
                                              ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^
  lk_filename = 0xc01eaad7 "../../kern/vfs_subr.c",
  lk_lockername = 0xc01ea7e3 "vop_stdlock", lk_lineno = 1275}
(kgdb) p *(char**)0xd5493f94
$7 = 0x809c250 "msg"
(kgdb)
--------------------------------------------------------------------------------

From owner-freebsd-security Wed Oct 27 4:18:55 1999
Message-ID: <381717D6.B99F6B5C@zenon.net>
Date: Wed, 27 Oct 1999 15:18:46 +0000
From: Alexander Bezroutchko
To: freebsd-security@FreeBSD.ORG
Subject: Re: lookup() deadlock in 3.3-stable ?
References: <3817008F.4779686C@zenon.net>

Oops, I am sorry for my posting - it was intended for freebsd-hackers.
Dealing with locking servers for several nights and having very little
sleep caused me to hit the wrong buttons. Sorry.

From owner-freebsd-security Wed Oct 27 17:26:16 1999
Message-ID: <19991027172534.A17924@best.com>
Date: Wed, 27 Oct 1999 17:25:34 -0700
From: "Jan B. Koum"
To: Brian Fundakowski Feldman, "Jean-Pierre H. Dumas"
Cc: FreeBSD-Security@FreeBSD.ORG
Subject: Re: Security tests
References: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>
In-Reply-To: ; from Brian Fundakowski Feldman on Tue, Oct 26, 1999 at 01:06:21PM -0400

On Tue, Oct 26, 1999 at 01:06:21PM -0400, Brian Fundakowski Feldman wrote:
> On Tue, 26 Oct 1999, Jean-Pierre H. Dumas wrote:
>
> > Is there any other scanners or whatever that I can get
> > and run, either from within the server, or from
> > outside (I have a FreeBSD 3.2, Linux and Windows 95
> > machine on the Ethernet)
>
> The only way to really know if your system is "secure" is to thoroughly
> audit and test it after having attempted to secure it. One tool you
> may be interested in assisting you for checking local and remote security
> is SATAN; be careful though, since it doesn't know how to do _everything_.

In fact, it knows how to do nothing:

http://www.hackernews.com/orig/whyvuln.html

-- yan

From owner-freebsd-security Wed Oct 27 17:31: 5 1999
Message-ID: <19991027172950.B17924@best.com>
Date: Wed, 27 Oct 1999 17:29:50 -0700
From: "Jan B. Koum"
To: "Jean-Pierre H. Dumas", FreeBSD-Security@FreeBSD.ORG
Subject: Re: Security tests
References: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>
In-Reply-To: <19991026143635.25359.rocketmail@web1003.mail.yahoo.com>; from Jean-Pierre H. Dumas on Tue, Oct 26, 1999 at 04:36:35PM +0200

On Tue, Oct 26, 1999 at 04:36:35PM +0200, "Jean-Pierre H. Dumas" wrote:
>
> Then I installed Nessus 0.98.3 on a SuSE Linux 6.2
> (I could not build it, or run it on FreeBSD, I tried
> to use the port and it failed in a way I don't
> understand) and I did the scan of the server.
> No big deal, the biggest problem
> being that telnet is still the way to connect from
> a Windows client. Sniffers are only a very remote
> possibility in our context. (I have to check about
> ssh, but it is not done yet.)

Do it then. Hurry up. SSH is Jesus! :) Really though -- there are plenty
of good ssh clients for Windows out there. I'd myself recommend SecureCRT
2.4 from VanDyke. Best way to convert people to use ssh over telnet is to
turn off inetd! Trust me.

> Question: What can I do more to have a realistic
> report about this server's security ?

From outside run nmap (http://www.insecure.org/nmap) against your machine
to see what is open. Close everything but ssh port and whatever else you
need open (http, pop3, etc.)

> Is there any other scanners or whatever that I can get
> and run, either from within the server, or from
> outside (I have a FreeBSD 3.2, Linux and Windows 95
> machine on the Ethernet)

See above. You can run nmap from linux against freebsd. There are many
commercial and freeware scanners out there for Windows.
-- yan

From owner-freebsd-security Fri Oct 29 3:42: 2 1999
Message-Id: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu>
From: Beck David
To: "'freebsd-security@FreeBSD.ORG'"
Subject: Strange things on my computer / Help
Date: Fri, 29 Oct 1999 12:40:20 +0200

This is the first time I write to the list, Big Hello To All,

I administer a host on the Internet which basically doesn't really
do anything. I installed some services like www,ftp,ssh,qmail
/ no big deal.

I started playing with this machine 10 months ago. Since then I found
a handful of strange thingies:

- my wtmp files turn on each month, but after a short while always
  get corrupted
- if I run who, it doesn't show any user
- if I run last, it shows a big pile of garbage
- I filter out ICMP totally, which is OK for me
- but the kernel complains every 10 minutes about some _out_going
  ICMP packets, which go to two hosts. I am absolutely sure
  that neither I nor any of my programs have anything to do with those hosts
- when I found this I started to look for the program which generates
  the ICMP packets but I didn't find anything
- I checked the cron rules, but I didn't find anything
- then I turned off the setuid bits from nearly every program on my
  host including ping and traceroute, but it didn't help

Do you guys suspect that my machine got exploited? /I do, but I can't
prove it./

Any ideas?

Thx, David.
From owner-freebsd-security Fri Oct 29 4:55:46 1999
Date: Fri, 29 Oct 1999 08:00:34 +0000 (GMT)
From: Paul Mokbel
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Strange things on my computer / Help
In-Reply-To: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu>

Get the MD5 checksums for each binary on your FreeBSD system, grab a list
of the original MD5 checksums for binary files in your distribution, and
then compare. I think that's the easiest way to check if someone has been
messin with your system. If this is the case, then CVSup, and make world.

If I am not mistaken, tripwire (/usr/ports/security/tripwire) does
something similar, but it compares from a previously compiled MD5 checksum
list of the files on your system at original time of program install.
(I've only heard from friends that have used it).

/*
 "Give an ape a brain and he'll swear he's the center of the universe"
 Paul Mokbel
*/

On Fri, 29 Oct 1999, Beck David wrote:

> This is the first time I write to the list, Big Hello To All,
>
> I administer a host on the Internet which basically doesn't really
> do anything. I installed some services like www,ftp,ssh,qmail
> / no big deal.
>
> I started playing with this machine 10 months ago. Since then I found
> a handful of strange thingies:
>
> - my wtmp files turn on each month, but after a short while always
>   get corrupted
> - if I run who, it doesn't show any user
> - if I run last, it shows a big pile of garbage
> - I filter out ICMP totally, which is OK for me
> - but the kernel complains every 10 minutes about some _out_going
>   ICMP packets, which go to two hosts. I am absolutely sure
>   that neither I nor any of my programs have anything to do with those hosts
> - when I found this I started to look for the program which generates
>   the ICMP packets but I didn't find anything
> - I checked the cron rules, but I didn't find anything
> - then I turned off the setuid bits from nearly every program on my
>   host including ping and traceroute, but it didn't help
>
> Do you guys suspect that my machine got exploited? /I do, but I can't
> prove it./
>
> Any ideas?
>
> Thx, David.

From owner-freebsd-security Fri Oct 29 6: 5:57 1999
Date: Fri, 29 Oct 1999 09:08:18 -0400 (EDT)
From: Barrett Richardson
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Strange things on my computer / Help
In-Reply-To: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu>

On Fri, 29 Oct 1999, Beck David wrote:

> This is the first time I write to the list, Big Hello To All,
>
> I administer a host on the Internet which basically doesn't really
> do anything. I installed some services like www,ftp,ssh,qmail
> / no big deal.
>
> I started playing with this machine 10 months ago. Since then I found
> a handful of strange thingies:
>
> - my wtmp files turn on each month, but after a short while always
>   get corrupted
> - if I run who, it doesn't show any user
> - if I run last, it shows a big pile of garbage
> - I filter out ICMP totally, which is OK for me
> - but the kernel complains every 10 minutes about some _out_going
>   ICMP packets, which go to two hosts. I am absolutely sure
>   that neither I nor any of my programs have anything to do with those hosts
> - when I found this I started to look for the program which generates
>   the ICMP packets but I didn't find anything
> - I checked the cron rules, but I didn't find anything
> - then I turned off the setuid bits from nearly every program on my
>   host including ping and traceroute, but it didn't help
>
> Do you guys suspect that my machine got exploited? /I do, but I can't
> prove it./
>
> Any ideas?
>
> Thx, David.

Are you running a 2.x sshd binary on a 3.x system?

- Barrett

From owner-freebsd-security Fri Oct 29 7:11:25 1999
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Strange things on my computer / Help
References: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu>
From: Dag-Erling Smorgrav
Date: 29 Oct 1999 16:10:59 +0200
In-Reply-To: Beck David's message of "Fri, 29 Oct 1999 12:40:20 +0200"

Beck David writes:
> - but the kernel complains every 10 minutes about some _out_going
>   ICMP packets, which go to two hosts. I am absolutely sure
>   that neither I nor any of my programs have anything to do with those hosts

What kind of ICMP packets? Could you set up a sniffer to capture those
packets? (tcpdump will do). They may be completely benign (e.g.
ICMP_UNREACH or ICMP_TIMXCEED)

> - when I found this I started to look for the program which generates
>   the ICMP packets but I didn't find anything

The TCP/IP stack generates ICMP packets on its own in certain
circumstances.

> Do you guys suspect that my machine got exploited? /I do, but I can't
> prove it./

Like somebody else suggested, compare MD5 checksums of your system
binaries (using a known-good copy of /sbin/md5) with those of known-good
binaries. The best choice of known-good binaries is the live file system
on the second CD-ROM in the set you used to install the machine in the
first place.

If you can afford the downtime (generally speaking, if you suspect a
compromise, you don't have much choice but to accept the downtime), boot
the system from known-good boot floppies or (preferably) a bootable
CD-ROM such as the one that comes with the Walnut Creek distribution
before running checks.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Fri Oct 29 7:15: 4 1999
Message-Id: <1BD5A68BE9E8D211BBE8006094B9EB73E97E@netfinity.freesoft.hu>
From: Beck David
To: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: Strange things on my computer / Help
Date: Fri, 29 Oct 1999 16:13:39 +0200

Yes. I forgot to upgrade sshd.

Thanks, David.

-----Original Message-----
From: Barrett Richardson [mailto:barrett@phoenix.aye.net]
Sent: Friday, October 29, 1999 3:08 PM
To: Beck David
Cc: 'freebsd-security@FreeBSD.ORG'
Subject: Re: Strange things on my computer / Help

> - my wtmp files turn on each month, but after a short while always
>   get corrupted
> - if I run who, it doesn't show any user
> - if I run last, it shows a big pile of garbage

Are you running a 2.x sshd binary on a 3.x system?

From owner-freebsd-security Fri Oct 29 8:19: 9 1999
Message-Id: <1BD5A68BE9E8D211BBE8006094B9EB73E97F@netfinity.freesoft.hu>
From: Beck David
To: "'Dag-Erling Smorgrav'", Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: Strange things on my computer / Help
Date: Fri, 29 Oct 1999 17:17:22 +0200

Beck David writes:
> - but the kernel complains every 10 minutes about some _out_going
>   ICMP packets, which go to two hosts. I am absolutely sure
>   that neither I nor any of my programs have anything to do with those hosts

What kind of ICMP packets? Could you set up a sniffer to capture those
packets? (tcpdump will do). They may be completely benign (e.g.
ICMP_UNREACH or ICMP_TIMXCEED)

> - when I found this I started to look for the program which generates
>   the ICMP packets but I didn't find anything

The TCP/IP stack generates ICMP packets on its own in certain
circumstances.

> Do you guys suspect that my machine got exploited? /I do, but I can't
> prove it./

Like somebody else suggested, compare MD5 checksums of your system
binaries (using a known-good copy of /sbin/md5) with those of known-good
binaries. The best choice of known-good binaries is the live file system
on the second CD-ROM in the set you used to install the machine in the
first place.

If you can afford the downtime (generally speaking, if you suspect a
compromise, you don't have much choice but to accept the downtime), boot
the system from known-good boot floppies or (preferably) a bootable
CD-ROM such as the one that comes with the Walnut Creek distribution
before running checks.

-----------

- The ICMP type is 3.3: port unreachable

Thank you guys for your advice. I will check my system using the live
filesystem.

Cheers, David.
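The check Paul Mokbel and Dag-Erling Smorgrav recommend in this thread, comparing MD5 digests of the installed binaries with those of a known-good copy, written out as a shell example. This is added code, not anything posted to the list: it assumes the known-good tree (such as the live file system CD-ROM) is mounted at a path you pass as GOODROOT, that the manifest is stored somewhere the suspect host cannot modify, and that the whole thing is run after booting from known-good media as Dag-Erling advises. The function names and the /cdrom, /floppy and /mnt paths in the usage comment are the example's own; the md5/md5sum/openssl fallback is there only so the same script runs on systems without FreeBSD's /sbin/md5.

```shell
# Added example (not from the list thread): build an MD5 manifest from a
# known-good tree and check a live system against it. Paths such as
# /cdrom, /floppy and /mnt in the usage comment are assumptions.

# md5_of FILE
# Print only the hex digest. FreeBSD's /sbin/md5 prints "MD5 (f) = <hex>",
# GNU md5sum prints "<hex>  f" and openssl prints "MD5(f)= <hex>"; all three
# are reduced to the bare digest so the manifest format is the same everywhere.
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 "$1" | sed 's/^.*= *//'
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 "$1" | sed 's/^.*= *//'
    fi
}

# build_manifest GOODROOT DIR...
# Walk DIR... below GOODROOT and print "<digest><TAB><relative path>" for
# every regular file, sorted so that two runs can be compared with diff(1).
# Run it against the known-good copy and keep the output off the suspect host.
build_manifest() {
    goodroot=$1
    shift
    for d in "$@"; do
        find "$goodroot/$d" -type f 2>/dev/null
    done | sort | while IFS= read -r f; do
        rel=${f#"$goodroot"/}
        printf '%s\t%s\n' "$(md5_of "$f")" "$rel"
    done
}

# verify_manifest MANIFEST LIVEROOT
# Compare each manifest entry with the file under LIVEROOT. Prints one
# "MISSING <path>" or "CHANGED <path>" line per problem and returns 1 if any
# was found, 0 if every listed file is present and identical.
verify_manifest() {
    manifest=$1
    liveroot=$2
    problems=0
    tab=$(printf '\t')
    while IFS="$tab" read -r want rel; do
        live="$liveroot/$rel"
        if [ ! -f "$live" ]; then
            printf 'MISSING %s\n' "$rel"
            problems=$((problems + 1))
        elif [ "$(md5_of "$live")" != "$want" ]; then
            printf 'CHANGED %s\n' "$rel"
            problems=$((problems + 1))
        fi
    done < "$manifest"
    [ "$problems" -eq 0 ]
}

# Usage, booted from known-good media with the suspect root mounted at /mnt
# (assumed paths; the known-good tree is at /cdrom here):
#   build_manifest /cdrom bin sbin usr/bin usr/sbin usr/libexec > /floppy/manifest.md5
#   verify_manifest /floppy/manifest.md5 /mnt || echo "installed binaries differ from the distribution"
```

Because the manifest is keyed by relative path, a replaced binary shows up as CHANGED and a deleted one as MISSING; files the intruder added are not in the manifest, so a separate `find /mnt -newer` pass, or the full tripwire approach Paul mentions, is still needed for those. The md5 tool used for the check must itself come from the known-good tree, which is why the procedure only means something when run from trusted boot media.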
From owner-freebsd-security Fri Oct 29 11:40:48 1999
Message-ID: <3819E935.16B59880@bellsouth.net>
Date: Fri, 29 Oct 1999 18:36:38 +0000
From: Bert Kellerman X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i386) X-Accept-Language: en MIME-Version: 1.0 To: Beck David Cc: "'freebsd-security@FreeBSD.ORG'" Subject: Re: Strange things on my computer / Help References: <1BD5A68BE9E8D211BBE8006094B9EB73E97C@netfinity.freesoft.hu> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org FYI Here is a pretty good general guide by CERT on what action to take after your UNIX box has been compromised. http://www.cert.org/tech_tips/root_compromise.html Bert Beck David wrote: > This is the first time I write to the list, Big Hello To All, > > I administer a host on the Internet which basically doesn't really > do anything. I installed some services like www,ftp,ssh,qmail > / no big deal. > > I started playing with this machine 10 month ago. Since that I found > a handful of strange thingies: > > - my wtmp files turn on each month, but after a short while allways > gets corrupted > - if I run who, it doesn't show any user > - if I run last, it shows a big pile of garbage > - I filter out ICMP totally, which is OK for me > - but the kernel complains in every 10 minutes for some _out_ going > ICMP packets, which goes to two hosts. I am absolutely sure > that nor me nor any of my programs has nothing to do with that hosts > - when I found this I started to look for the program which generates > the ICMP packets but I didn't find anything > - I checked the cron rules, but I didn't find anything > - then I turned off the setuid bits from nearly every program on my > host including ping and traceroute, but didn't help > > Do you guys suspect that my machine got exploited ? /I do, but I can't > prove it./ > > Any ideas ? > > Thx, David. 
From owner-freebsd-security Fri Oct 29 12:35:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.aye.net (phoenix.aye.net [206.185.8.134]) by hub.freebsd.org (Postfix) with SMTP id D6D5E14D41 for ; Fri, 29 Oct 1999 12:35:06 -0700 (PDT) (envelope-from barrett@phoenix.aye.net)
Received: (qmail 28374 invoked by uid 1000); 29 Oct 1999 19:37:29 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Oct 1999 19:37:29 -0000
Date: Fri, 29 Oct 1999 15:37:29 -0400 (EDT)
From: Barrett Richardson
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: RE: Strange things on my computer / Help
In-Reply-To: <1BD5A68BE9E8D211BBE8006094B9EB73E97E@netfinity.freesoft.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

dbeck wrote:
>
> barrett wrote:
> >
> > dbeck wrote:
> > >
> > > - my wtmp files turn over each month, but after a short while always
> > >   get corrupted
> > > - if I run who, it doesn't show any user
> > > - if I run last, it shows a big pile of garbage
> >
> > Are you running a 2.x sshd binary on a 3.x system?
>
> Yes. I forgot to upgrade sshd.

Likely the culprit. At least one field increased in width in the wtmp/utmp files in 3.x.

- Barrett

From owner-freebsd-security Fri Oct 29 15:43:12 1999
Delivered-To: freebsd-security@freebsd.org
Received: from astralblue.com (adsl-209-76-108-39.dsl.snfc21.pacbell.net [209.76.108.39]) by hub.freebsd.org (Postfix) with ESMTP id EE255155AA for ; Fri, 29 Oct 1999 15:43:09 -0700 (PDT) (envelope-from ab@astralblue.com)
Received: from localhost (ab@localhost) by astralblue.com (8.9.3/8.9.3) with SMTP id PAA58044; Fri, 29 Oct 1999 15:43:01 -0700 (PDT) (envelope-from ab@astralblue.com)
Date: Fri, 29 Oct 1999 15:43:01 -0700 (PDT)
From: "Eugene M. Kim"
To: Beck David
Cc: FreeBSD Security Mailing List
Subject: RE: Strange things on my computer / Help
In-Reply-To: <1BD5A68BE9E8D211BBE8006094B9EB73E97F@netfinity.freesoft.hu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 29 Oct 1999, Beck David wrote:

|
| Beck David writes:
| > - but the kernel complains every 10 minutes about some _out_going
| >   ICMP packets, which go to two hosts. I am absolutely sure
| >   that neither I nor any of my programs has anything to do with those hosts
|
| What kind of ICMP packets? Could you set up a sniffer to capture those
| packets? (tcpdump will do). They may be completely benign (e.g.
| ICMP_UNREACH or ICMP_TIMXCEED)
|
| -----------
| - The ICMP type is 3.3: port unreachable

An ICMP 3.3 packet is usually generated when someone tries to reach a UDP port for which there is no listener running on your host.

Not sure if your version of FreeBSD supports it, but if you turn on the `log in vain' feature (add log_in_vain=YES to /etc/rc.conf) a kernel message is generated for each failed TCP/UDP connection attempt.

Hope this helped,
Eugene

--
Eugene M. Kim

"Is your music unpopular? Make it popular; make music which people like, or make people who like your music."
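The kernel message only names the peer the ICMP was sent to; the ICMP message itself says why it was sent, because a Destination Unreachable message quotes the IP header and the first 8 bytes of the datagram that triggered it (RFC 792). For a 3.3 leaving your host, the quoted source address is the box that sent the UDP datagram and the quoted destination port is the closed port it aimed at, which is what a tcpdump capture of the outgoing ICMP would show. The following is an added example written for this page in Python, not code from anyone in the thread: it builds a constructed 3.3 message using TEST-NET addresses and decodes it back into a one-line triage record. It goes a little beyond the 3.3 case in the thread by naming every type 3 code and reading ports from a quoted TCP datagram as well as UDP, and it checks the ICMP checksum and the quoted header length so a truncated or corrupted capture is rejected rather than misread.

```python
"""Decode an ICMPv4 Destination Unreachable (type 3) message and report the
datagram it quotes.  Added example for the ICMP 3.3 discussion on this list,
not code from any of the posts.  The addresses and ports are constructed
sample data from the TEST-NET ranges."""
import ipaddress
import struct

# ICMP type 3 codes from RFC 792 / RFC 1122 / RFC 1812.
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
PROTO_TCP = 6
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words; returns 0 for a
    message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(prober: str, victim: str, sport: int, dport: int) -> bytes:
    """Construct the ICMP 3.3 that `victim` would emit after `prober` sent a UDP
    datagram from sport to a closed dport.  Per RFC 792 the ICMP body carries
    the offending IP header plus the first 8 bytes of its payload, which for
    UDP is exactly the UDP header."""
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + 12, 0)  # 12-byte payload, checksum 0
    inner = build_ipv4_header(prober, victim, PROTO_UDP, 8 + 12)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner + udp_hdr
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def decode_icmp_unreachable(data: bytes) -> dict:
    """Parse a type 3 ICMP message and return who sent what to which port.
    Raises ValueError for anything that is not a well-formed type 3 message
    quoting an IPv4 datagram."""
    if len(data) < 8 + 20 + 8:
        raise ValueError("ICMP message too short to quote an IP header and 8 bytes")
    if inet_checksum(data) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = data[0], data[1]
    if icmp_type != 3:
        raise ValueError(f"type {icmp_type} is not Destination Unreachable")
    inner = data[8:]
    if inner[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (inner[0] & 0x0F) * 4          # header length in bytes, honours IP options
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted IP header truncated")
    proto = inner[9]
    result = {
        "code": code,
        "reason": UNREACH_CODES.get(code, f"unknown code {code}"),
        # The quoted datagram flowed prober -> us, so its source is the prober.
        "quoted_src": str(ipaddress.IPv4Address(inner[12:16])),
        "quoted_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "proto": proto,
    }
    if proto in (PROTO_TCP, PROTO_UDP):   # both keep src/dst port in the first 4 bytes
        result["quoted_sport"], result["quoted_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return result


def describe(result: dict) -> str:
    """One triage line of the kind an admin would want next to the kernel message."""
    proto = {PROTO_TCP: "tcp", PROTO_UDP: "udp"}.get(result["proto"], str(result["proto"]))
    ports = ""
    if "quoted_dport" in result:
        ports = f" {result['quoted_sport']} -> {result['quoted_dport']}"
    return (f"ICMP 3.{result['code']} ({result['reason']}): {result['quoted_src']} "
            f"sent {proto}{ports} to {result['quoted_dst']}")


if __name__ == "__main__":
    sample = build_port_unreachable("203.0.113.7", "198.51.100.20", 40000, 137)
    print(describe(decode_icmp_unreachable(sample)))
```

Fed the raw bytes of a captured outgoing 3.3, `describe` tells you which remote host tried which local UDP port, which is the question David's kernel log leaves open; two hosts repeating every ten minutes on the same closed port reads like a misconfigured client or monitor rather than something running on the box.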
From owner-freebsd-security Sat Oct 30 5:39:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 2325C14E77 for ; Sat, 30 Oct 1999 05:39:13 -0700 (PDT) (envelope-from des@flood.ping.uio.no)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id OAA82422; Sat, 30 Oct 1999 14:39:11 +0200 (CEST) (envelope-from des)
To: Beck David
Cc: "'freebsd-security@FreeBSD.ORG'"
Subject: Re: Strange things on my computer / Help
References: <1BD5A68BE9E8D211BBE8006094B9EB73E97F@netfinity.freesoft.hu>
From: Dag-Erling Smorgrav
Date: 30 Oct 1999 14:39:10 +0200
In-Reply-To: Beck David's message of "Fri, 29 Oct 1999 17:17:22 +0200"
Message-ID:
Lines: 14
X-Mailer: Gnus v5.7/Emacs 20.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Beck David writes:
> > Beck David writes:
> > > - but the kernel complains every 10 minutes about some _out_going
> > >   ICMP packets, which go to two hosts.
> > What kind of ICMP packets?
> - The ICMP type is 3.3: port unreachable

Oh - that's totally benign. Some box is trying to connect to an unbound port on your box; if it's a local box, it's probably a simple configuration error.

DES
--
Dag-Erling Smorgrav - des@flood.ping.uio.no

From owner-freebsd-security Sat Oct 30 6:14: 1 1999
Delivered-To: freebsd-security@freebsd.org
Received: from adm.sci-nnov.ru (adm.sci-nnov.ru [195.122.226.2]) by hub.freebsd.org (Postfix) with ESMTP id 1E22714C8C for ; Sat, 30 Oct 1999 06:13:54 -0700 (PDT) (envelope-from 3APA3A@SECURITY.NNOV.RU)
Received: from anonymous.sandy.ru (anonymous.sandy.ru [195.122.226.12]) by adm.sci-nnov.ru (8.9.3/Dmiter-4.1) with ESMTP id RAA76351; Sat, 30 Oct 1999 17:08:46 +0400 (MSD)
Date: Sat, 30 Oct 1999 17:08:52 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
X-Mailer: The Bat! (v1.34) S/N D33CD428
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <19714.991030@SECURITY.NNOV.RU>
To: vulN-DEV@SECURITYFOCUS.COM, bugtraq@securityfocus.com
Cc: security@freebsd.org
Subject: FreeBSD listen() again
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello vulN-DEV@,

I wasn't right in defining the problem with the backlog in listen(), as was correctly pointed out by Sebastian:

-=-=-=-=-
For some unknown reason, Berkeley-derived implementations multiply the backlog by 1.5 (backlog = 5 will turn into 8, for example).
-=-=-=-=-

It seems the real queue length is counted as backlog + (backlog+1)>>1; that's why listen(sock, 1) will never work as it should. It will allow 2 connections to be established. It's the same for both FreeBSD 2.2.x and 3.x, so the problem is even deeper.

  /\_/\
 { . . }                         |\
+--oQQo->{ ^ }<-----+            \ |
| 3APA3A  U  3APA3A }  +-------------o66o--+ /
|/

X5O!P@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
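The figure that matters operationally is how many connections a kernel will complete against a listener that never calls accept(), since that is what a remote peer can fill before further connection attempts stall, and it is worth measuring on the box rather than reading it off listen(2). The following is an added example written for this page in Python, not code from the post: `bsd_effective_backlog` encodes the formula as the post states it, read as backlog plus half of (backlog + 1), which reproduces the two figures the post gives (2 for listen(sock, 1), 8 for listen(sock, 5)); `measure_backlog` then opens a loopback listener, connects clients until connect() stops completing, and drains the accept queue to see how many the kernel really queued. The measured numbers are those of whatever kernel the script runs on, not FreeBSD 2.2.x/3.x.

```python
"""Measure how many TCP connections complete against a listener that never calls
accept(), for a given listen() backlog.  Added example for the listen() backlog
discussion on this list; not code from the post.  It reports the behaviour of
the kernel it runs on, which need not match the FreeBSD 2.2.x/3.x figures the
post gives."""
import socket


def bsd_effective_backlog(backlog: int) -> int:
    """Queue length as the post computes it, read as backlog + ((backlog+1) >> 1):
    2 for listen(sock, 1) and 8 for listen(sock, 5), the two cases the post cites."""
    return backlog + ((backlog + 1) >> 1)


def measure_backlog(backlog: int, timeout: float = 1.0, limit: int = 64) -> dict:
    """Bind a loopback listener with `backlog`, never accept(), and connect clients
    until connect() stops completing.  Then drain the accept queue without blocking
    to count how many the kernel actually queued: on kernels that answer the SYN
    but drop the final ACK when the queue is full, the client sees connect()
    succeed while the server never queues it, so the two counts differ.
    `limit` bounds the loop for kernels that grow the queue past the request."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))          # ephemeral port, loopback only
    server.listen(backlog)
    addr = server.getsockname()
    clients = []
    queued = 0
    try:
        while len(clients) < limit:
            c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            c.settimeout(timeout)
            try:
                c.connect(addr)
            except OSError:                # timeout (SYN dropped) or refused/reset
                c.close()
                break
            clients.append(c)
        server.setblocking(False)
        while True:                        # drain whatever the kernel really queued
            try:
                conn, _ = server.accept()
            except (BlockingIOError, InterruptedError):
                break
            conn.close()
            queued += 1
    finally:
        for c in clients:
            c.close()
        server.close()
    return {"backlog": backlog, "client_completed": len(clients), "server_queued": queued}


if __name__ == "__main__":
    for backlog in (1, 2, 5):
        r = measure_backlog(backlog)
        print(f"listen(sock, {backlog}): {r['client_completed']} connects completed, "
              f"{r['server_queued']} queued on the server; the post's formula gives "
              f"{bsd_effective_backlog(backlog)}")
```

Run it as root is not needed; it only uses loopback and ephemeral ports. If `client_completed` exceeds `server_queued`, the kernel let handshakes finish without room in the accept queue, and a client that believes it is connected will hang until the listener frees a slot or the server resets it; if the two agree, the difference between that count and the backlog you passed is the kernel's own rounding, which is the discrepancy the post is about.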