From owner-freebsd-security Sun Aug 2 20:53:18 1998
From: "M. Warner Losh"
Date: Sat, 01 Aug 1998 22:07:33 -0600
To: Sheldon Hearn
Cc: "Jan B. Koum", security@FreeBSD.ORG
Subject: Re: files in /var/log
Message-Id: <199808020407.WAA05970@pencil-box.village.org>
In-reply-to: Your message of "Mon, 27 Jul 1998 14:40:04 +0200." <24385.901543204@iafrica.com>
References: <24385.901543204@iafrica.com>

In message <24385.901543204@iafrica.com> Sheldon Hearn writes:
: By the same token, what _don't_ you want your users to see? As a
: non-administrative user on several FreeBSD systems, I would be most
: disappointed if my read access to maillog and messages were revoked.

Privacy concerns would be a big reason to keep maillog non-readable. I
know my wife would go non-linear if just anybody on the system could
see who she sent mail to or received mail from....

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sun Aug 2 23:29:26 1998
From: Andrew McNaughton
Reply-To: andrew@squiz.co.nz
Date: Mon, 3 Aug 1998 18:27:59 +1200 (NZST)
To: "M. Warner Losh"
cc: Sheldon Hearn, "Jan B. Koum", security@FreeBSD.ORG
Subject: Re: files in /var/log
In-Reply-To: <199808020407.WAA05970@pencil-box.village.org>

On Sat, 1 Aug 1998, M. Warner Losh wrote:

> Date: Sat, 01 Aug 1998 22:07:33 -0600
> From: "M. Warner Losh"
> To: Sheldon Hearn
> Cc: "Jan B. Koum", security@FreeBSD.ORG
> Subject: Re: files in /var/log
>
> In message <24385.901543204@iafrica.com> Sheldon Hearn writes:
> : By the same token, what _don't_ you want your users to see? As a
> : non-administrative user on several FreeBSD systems, I would be most
> : disappointed if my read access to maillog and messages were revoked.
>
> Privacy concerns would be a big reason to keep maillog non-readable. I
> know my wife would go non-linear if just anybody on the system could
> see who she sent mail to or received mail from....
>
> Warner

So provide a sgid script to provide a filtered view of the log.
It need take no arguments at all, so it's easy to secure.

Andrew

From owner-freebsd-security Sun Aug 2 23:41:48 1998
From: Sheldon Hearn
Date: Mon, 03 Aug 1998 08:41:27 +0200
To: security@FreeBSD.ORG
Subject: Re: files in /var/log
In-reply-to: Your message of "Mon, 03 Aug 1998 18:27:59 +1200."
Message-ID: <15955.902126487@iafrica.com>

On Mon, 03 Aug 1998 18:27:59 +1200, Andrew McNaughton wrote:

> > Privacy concerns would be a big reason to keep maillog non-readable.
>
> So provide a sgid script to provide a filtered view of the log. It
> need take no arguments at all, so it's easy to secure.

Hi folks,

This sounds to me (the inexperienced) like a jolly good Way. Does a
suggestion like this enjoy the endorsement of seasoned administrators on
the development team?

Thanks,
Sheldon.
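Editorial addition, not code from the thread: the filter logic behind Andrew's "no arguments" maillog viewer, in Python. The caller is identified from the real uid rather than argv or the environment, and for messages the caller only received, the view shows the sender line and the caller's own delivery line while hiding the other recipients, which is the privacy point Warner raised. The log lines, the host name aniwa.sky and the user names jane, bob and carol are constructed sample data in the sendmail 8.8 maillog layout. FreeBSD does not honour the setgid bit on interpreter scripts, so the setgid part in practice is a small wrapper that runs this filter with a fixed path; the wrapper is assumed, the filtering is what the example shows.

```python
"""Filtered per-user view of a sendmail maillog (added example, not from the thread)."""
import os
import pwd
import re
import socket

# Constructed sample in sendmail 8.8 maillog layout; hosts and users are made up.
SAMPLE_MAILLOG = """\
Aug  3 18:27:59 aniwa sendmail[1420]: SAA01420: from=andrew, size=812, class=0, pri=30812, nrcpts=2, msgid=<Pine.BSF.3.96.980803182759.1418A@aniwa.sky>, relay=andrew@localhost
Aug  3 18:28:01 aniwa sendmail[1422]: SAA01420: to=imp@village.org, delay=00:00:02, xdelay=00:00:02, mailer=esmtp, relay=rover.village.org. [204.144.255.49], stat=Sent
Aug  3 18:28:02 aniwa sendmail[1422]: SAA01420: to=<jane@aniwa.sky>, delay=00:00:03, xdelay=00:00:01, mailer=local, stat=Sent
Aug  3 18:40:10 aniwa sendmail[1501]: SAA01501: from=<sheldonh@iafrica.com>, size=2048, class=0, pri=32048, nrcpts=1, msgid=<15955.902126487@iafrica.com>, proto=ESMTP, relay=copernicus.cpt.tech.iafrica.com [196.31.1.15]
Aug  3 18:40:11 aniwa sendmail[1503]: SAA01501: to=<jane@aniwa.sky>, delay=00:00:01, xdelay=00:00:01, mailer=local, stat=Sent
Aug  3 18:45:00 aniwa sendmail[1530]: SAA01530: from=<bob@aniwa.sky>, size=100, class=0, pri=30100, nrcpts=1, msgid=<x@aniwa.sky>, relay=bob@localhost
Aug  3 18:45:01 aniwa sendmail[1531]: SAA01530: to=<carol@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=esmtp, relay=mail.example.org. [192.0.2.25], stat=Sent
"""

# "<month> <day> <time> <host> sendmail[<pid>]: <queue id>: <rest>"
LOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sendmail\[\d+\]: (?P<qid>[A-Z]{3}\d{5}): (?P<rest>.*)$")
# the first field of <rest> is either "from=<addr>" or "to=<addr>"
ADDR_RE = re.compile(r"^(?P<kind>from|to)=<?(?P<addr>[^>,]+)>?")


def addr_is_user(addr, user, local_hosts):
    """True if addr names `user` on this machine (bare name or user@local-host)."""
    local, _, domain = addr.strip().lower().partition("@")
    return local == user and (domain == "" or domain in local_hosts)


def filter_maillog(lines, user, local_hosts):
    """Return only the maillog lines the given user is entitled to see.

    A queue id is visible when the user is its sender or one of its
    recipients.  For messages the user merely received, the to= lines of the
    other recipients are suppressed so the view leaks no third-party
    addresses; for messages the user sent, all of its to= lines are shown.
    """
    user = user.lower()
    local_hosts = {h.lower() for h in local_hosts}
    parsed, sent, involved = [], set(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qid, kind, addr = m.group("qid"), None, None
        a = ADDR_RE.match(m.group("rest"))
        if a:
            kind, addr = a.group("kind"), a.group("addr")
            if addr_is_user(addr, user, local_hosts):
                involved.add(qid)
                if kind == "from":
                    sent.add(qid)
        parsed.append((line, qid, kind, addr))
    out = []
    for line, qid, kind, addr in parsed:
        if qid not in involved:
            continue
        if kind == "to" and qid not in sent and not addr_is_user(addr, user, local_hosts):
            continue  # somebody else's delivery on a message the user only received
        out.append(line)
    return out


def main():
    # Identify the caller from the real uid: a setgid program must not trust
    # argv or $USER for this, which is why the viewer takes no arguments.
    user = pwd.getpwuid(os.getuid()).pw_name
    local_hosts = {socket.gethostname().lower(), "localhost"}
    with open("/var/log/maillog") as fh:  # readable only through the wrapper's group
        for line in filter_maillog(fh, user, local_hosts):
            print(line.rstrip("\n"))


if __name__ == "__main__":
    main()
```

Run as the user jane against the sample, the filter returns four lines: both lines of SAA01501 and, from SAA01420, the from= line and jane's own to= line but not the delivery to imp@village.org. Run as andrew, who sent SAA01420, all three of its lines come back.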
From owner-freebsd-security Mon Aug 3 03:41:07 1998
From: sthaug@nethelp.no
Date: Mon, 03 Aug 1998 12:40:48 +0200
To: ark@eltex.ru
Cc: efb@cotdazr.org, danny@hilink.com.au, freebsd-security@FreeBSD.ORG
Subject: Re: PPP.3000.exposure
In-Reply-To: Your message of "Mon, 3 Aug 1998 14:25:28 GMT"
References: <199808031425.OAA01333@paranoid.eltex.spb.ru>
Message-ID: <10456.902140848@verdi.nethelp.no>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2

> > I'm afraid I don't understand what you're talking about. Bind 8.1.2
> > builds "out of the box" (make clean; make depend; make) on FreeBSD 2.2.x,
> > and needs one small patch for FreeBSD 3.x (documented on the ISC errata
> > page, http://www.isc.org/bind8/errata/8.1.2/patches/).
>
> ..and does not build on 2.1 systems AT ALL. I always hated "too smart"
> programs.. it tries to build some scriptfile and fails and i don't even
> know WHAT should it do if it worked..

It's well known that BIND 8.x doesn't build on 2.1 systems. I sent patches
for this to the BIND maintainers long ago - see below. Unfortunately, they
haven't been integrated.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
To: bind-bugs@isc.org
Subject: Fixes for bind-8.1.1-T1A on FreeBSD-2.1.7.1 (and earlier)
From: sthaug@nethelp.no
Date: Sun, 25 May 1997 15:38:53 +0200

bind-8.1.1-T1A doesn't compile "out of the box" on FreeBSD-2.1.7.1 and
earlier. This is partly my fault - when I did the original FreeBSD port,
I didn't have any 2.1.7.1 system to test on (only 2.2 and newer).

I still don't have a 2.1.7.1 system, but I've compiled 8.1.1-T1A on a
2.2 system, but in a 2.1.7.1 *changerooted* environment (ie. 2.1.7.1
include files, compilers etc).

There's only one real problem: The following line from port/settings
tickles a bug in the 2.1.7.1 sh:

    eval "env=`echo \\${\$var-'$val'}`"

and you get the error message:

    port/settings: 1: Syntax error: Bad substitution

The enclosed diff fixes this for FreeBSD 2.1.7.1. The resulting named
runs fine on FreeBSD 2.2.

I've also verified that the same .settings file (as the original) is
produced on these platforms:

    SunOS 4.1.3/gcc
    Solaris 2.5.1/gcc
    Digital Unix 3.2G/cc
    HP-UX 10.20/cc

when doing an "out of the box" compile (make clean; make depend; make).
Note that I've only verified that .settings is equal - I haven't tried
running 8.1.1-T1A named on all these platforms.

One other change suggested for FreeBSD-2.1.7.1 and earlier: AF_INET6
is undefined in 2.1.7.1 and earlier, and defined to be 28 in 2.2 and
newer (/usr/include/sys/socket.h). port/freebsd/include/port_after.h
currently defines AF_INET6 as 24 (if undefined). I'd suggest changing
this to 28, to be compatible with newer versions of FreeBSD.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
*** settings.orig Tue Dec 17 22:49:17 1996 --- settings Sun May 25 14:16:51 1997 *************** *** 22,28 **** while read setting; do var=`expr "$setting" : "'\([A-Z0-9_]*\)="` val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"` ! eval "env=`echo \\${\$var-'$val'}`" result="$result '$var=$env'" done --- 22,29 ---- while read setting; do var=`expr "$setting" : "'\([A-Z0-9_]*\)="` val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"` ! rhs="\${""$var""-\$val}" ! eval "env=$rhs" result="$result '$var=$env'" done *** port_after.h.orig Fri Apr 25 20:12:50 1997 --- port_after.h Sun May 25 15:15:47 1997 *************** *** 31,35 **** * derived systems for which AF_INET6 is defined. */ #ifndef AF_INET6 ! #define AF_INET6 24 #endif --- 31,35 ---- * derived systems for which AF_INET6 is defined. */ #ifndef AF_INET6 ! #define AF_INET6 28 #endif

From owner-freebsd-security Mon Aug 3 07:40:06 1998
From: Julian Assange
Date: 04 Aug 1998 00:39:42 +1000
To: "M. Warner Losh"
Cc: Sheldon Hearn, "Jan B. Koum", security@FreeBSD.ORG
Subject: Re: files in /var/log
References: <24385.901543204@iafrica.com> <199808020407.WAA05970@pencil-box.village.org>
In-Reply-To: "M.
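Review bot: in the settings hunk, the two new lines `! rhs="\${""$var""-\$val}"` and `! eval "env=$rhs"` replace the echo-in-backquotes form without any comment saying why; add one naming the 2.1.7.1 sh "Bad substitution" failure from the cover letter, otherwise the next tidy-up will fold this back into the one-liner that broke. Nothing in the loop checks that the two `expr` matches succeeded either: with an empty `$var` the text handed to eval becomes `env=${-$val}`, which most shells reject as a bad substitution, so a `[ -n "$var" ] || continue` before the eval would make a malformed settings line skip instead of aborting the run.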
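Review bot: in the port_after.h hunk, `! #define AF_INET6 28` swaps one bare number for another with nothing in the source to say where 28 comes from; the cover letter gives the provenance (the value in FreeBSD 2.2's /usr/include/sys/socket.h), and that belongs in a comment next to the `#ifndef AF_INET6` block so the fallback can be checked against the system header the next time it is questioned.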
Warner Losh"'s message of "Sat, 01 Aug 1998 22:07:33 -0600"
X-Mailer: Gnus v5.6.23/XEmacs 20.4 - "Emerald"

"M. Warner Losh" writes:

> In message <24385.901543204@iafrica.com> Sheldon Hearn writes:
> : By the same token, what _don't_ you want your users to see? As a
> : non-administrative user on several FreeBSD systems, I would be most
> : disappointed if my read access to maillog and messages were revoked.
>
> Privacy concerns would be a big reason to keep maillog non-readable. I
> know my wife would go non-linear if just anybody on the system could
> see who she sent mail to or received mail from....
>
> Warner

Yes, particularly you.

Cheers,
Julian.

From owner-freebsd-security Tue Aug 4 09:35:16 1998
From: ark@eltex.ru
Date: Mon, 3 Aug 1998 14:25:28 GMT
Message-Id: <199808031425.OAA01333@paranoid.eltex.spb.ru>
In-Reply-To: <8728.901909407@verdi.nethelp.no> from "sthaug@nethelp.no"
Organization: "Klingon Imperial Intelligence Service"
Subject: Re: PPP.3000.exposure
To: sthaug@nethelp.no
Cc: efb@cotdazr.org, danny@hilink.com.au, freebsd-security@FreeBSD.ORG

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

sthaug@nethelp.no said :

> I'm afraid I don't understand what you're talking about. Bind 8.1.2
> builds "out of the box" (make clean; make depend; make) on FreeBSD 2.2.x,
> and needs one small patch for FreeBSD 3.x (documented on the ISC errata
> page, http://www.isc.org/bind8/errata/8.1.2/patches/).

..and does not build on 2.1 systems AT ALL. I always hated "too smart"
programs.. it tries to build some scriptfile and fails and i don't even
know WHAT should it do if it worked..

Some people say they got complete success by configuring on 2.2 and
then moving all the crap to 2.1.. Not a good solution.

_ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNcXIVqH/mIJW9LeBAQHp4QP+OnOyQifzUfPL3UnV3zTyL4OkybE76r2P
ApnrywcxwlT3DupNjfw+Esa38E5QTF3vOugaXjNZkwkyucNDzhn6J0FZnzv6xCwt
j9rKrWriwoD7/BEIPNiL5HS25dXotWBItodIMZ4eJYwhoxwNV1UPdSvibvyjuXA9
DxFViUQzZkk=
=O0sJ
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Aug 4 11:37:01 1998
From: "David O'Brien"
Reply-To: obrien@NUXI.com
Date: Tue, 4 Aug 1998 11:36:47 -0700
To: Martin Cracauer
Cc: freebsd-security@FreeBSD.ORG, ports@FreeBSD.ORG
Subject: Re: mutt security fix
Message-ID: <19980804113647.C702@nuxi.com>
References: <19980730134201.A12433@cons.org>
In-Reply-To: <19980730134201.A12433@cons.org>; from Martin Cracauer on Thu, Jul 30, 1998 at 01:42:01PM +0200
X-Mailer: Mutt 0.93.1i
X-Operating-System: FreeBSD 2.2.7-STABLE
Organization: The NUXI BSD group

Applied -- THANKS!!

On Thu, Jul 30, 1998 at 01:42:01PM +0200, Martin Cracauer wrote:
> This is from http://paul.boehm.org/mutt-parse.patch. It fixes a
> remotely exploitable buffer overrun in MIME subtype checking. As the
> mutt folks didn't react yet, I suggest you commit it to the mutt
> port.

--
-- David    (obrien@NUXI.com -or- obrien@FreeBSD.org)

From owner-freebsd-security Tue Aug 4 12:23:08 1998
From: Andrew Kosyakov
Date: Tue, 4 Aug 1998 22:41:50 +0400 (MSD)
Message-Id: <199808041841.WAA03449@guinness.tangram.spb.ru>
Subject: Re: PPP.3000.exposure
In-Reply-To: <199808031425.OAA01333@paranoid.eltex.spb.ru> from "ark@eltex.ru" at "Aug 3, 98 02:25:28 pm"
To: ark@eltex.ru
Cc: sthaug@nethelp.no, efb@cotdazr.org, danny@hilink.com.au, freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]

Quoting ark@eltex.ru:
>
> sthaug@nethelp.no said :
>
> > I'm afraid I don't understand what you're talking about. Bind 8.1.2
> > builds "out of the box" (make clean; make depend; make) on FreeBSD 2.2.x,
> > and needs one small patch for FreeBSD 3.x (documented on the ISC errata
> > page, http://www.isc.org/bind8/errata/8.1.2/patches/).
>
> ..and does not build on 2.1 systems AT ALL. I always hated "too smart"
> programs.. it tries to build some scriptfile and fails and i don't even
> know WHAT should it do if it worked..
>
> Some people say they got complete success by configuring on 2.2 and
> then moving all the crap to 2.1.. Not a good solution.
>

Huh?! I have BIND 8.1.2 running under FreeBSD 2.1.0. I don't remember
quite well what exactly I've made to make it build, but it definitely
wasn't too difficult. So if you insist on running an outdated and not
quite supported version of the system, be prepared to spend a couple of
minutes porting modern programs to it.

Sincerely yours
/&rew
---
Andrew Kosyakov, Tangram Ltd, +7 (812) 516-6981, caseq@tangram.spb.ru
PGP Key fingerprint: BA A8 48 20 E4 AE 9C 52 C5 5F C3 B8 1E 67 2C BF

From owner-freebsd-security Tue Aug 4 12:55:53 1998
From: Studded
Organization: Triborough Bridge & Tunnel Authority
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.6-STABLE-0507 i386)
Date: Tue, 04 Aug 1998 12:54:16 -0700
Message-ID: <35C766E8.1A752074@dal.net>
To: "Bobby S. Wen"
CC: security@FreeBSD.ORG
Subject: Re: Extending max characters for user names
References: <199807290244.KAA11138@cerberus.vasia.com>

For future reference, please send questions to freebsd-questions@freebsd.org.

Bobby S. Wen wrote:
>
> Hello,
>
> I need to increase the maximum characters allowed for user names. When i
> use adduser, it limits me to 8. I understand that this is normal in many
> implementations.

You will need to change a couple of files and use "make world" to
recompile the system for the larger usernames. Any third party utilities
that use usernames like ssh or xterm will also have to be recompiled after
the make world is done. The good news is that it works just fine, I have
been running -Stable with 16 char usernames for over a year now.

In /usr/src/sys/sys/param.h: change MAXLOGNAME to 18
In /usr/src/include/utmp.h: change UT_NAMESIZE to 16

If you need help with the make world, take a look at
http://www.freebsd.org/docs.html and click on the Upgrading FreeBSD from
source (using make world) tutorial.

After you're done with this some utilities like adduser will have to be
modified by hand to support the long usernames, but we're working on
making these fewer and farther between as time goes on. :)

Good luck,

Doug
--
*** Chief Operations Officer, DALnet IRC network ***
When you don't know where you're going, every road will take you there.
- Yiddish Proverb

From owner-freebsd-security Tue Aug 4 22:42:41 1998
From: Robert
Date: Wed, 05 Aug 1998 05:41:54 -0600
Message-ID: <35C84502.65F2F9A@usamd.com>
X-Mailer: Mozilla 4.05 [en] (WinNT; I)
To: freebsd-security@FreeBSD.ORG
Subject: WatchGuard vs CISCO Pix?

Need to recommend a firewall to a government facility; need to know the
pros and cons. WatchGuard vs CISCO Pix.

Thanks
R
--
Download our price list at ftp://207.66.33.212/pub/readme/
Visit our web site at http://www.usamd.com
Robert Clark
USA Microdynamics
PO Box 13569
Albuquerque, NM 87192-3569
Phone 505 275-0188 Fax 505 275-8708
sales@usamd.com info@usamd.com support@usamd.com

From owner-freebsd-security Wed Aug 5 00:13:37 1998
From: Everett Batey
Date: Wed, 05 Aug 1998 00:13:47 -0700
Message-Id: <3.0.3.32.19980805001347.00830100@cotdazr.org>
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
To: sthaug@nethelp.no
Subject: Re: PPP.3000.exposure
Cc: danny@hilink.com.au, freebsd-security@FreeBSD.ORG, ark@eltex.ru
In-Reply-To: <10456.902140848@verdi.nethelp.no>
References: <199808031425.OAA01333@paranoid.eltex.spb.ru>

For Info of all Bind_8.1.2 With ONLY the shell fix in port/settings Builds
just FINE on FreeBSD 2.0.5 .. runs here now .. seems not to be crashable by
the net hacks .. THANKS folks ..

Now is there a fast cure for lighting port 3000 in iijppp or is it truly
harmless ???

/Everett/

At 12:40 PM 8/3/98 +0200, sthaug@nethelp.no wrote:
>> > I'm afraid I don't understand what you're talking about. Bind 8.1.2
>> ..and does not build on 2.1 systems AT ALL. I always hated "too smart"
>> programs.. it tries to build some scriptfile and fails and i don't even
>> know WHAT should it do if it worked..
>
>It's well known that BIND 8.x doesn't build on 2.1 systems. I sent patches
>for this to the BIND maintainers long ago - see below. Unfortunately, they
>haven't been integrated.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>----------------------------------------------------------------------
>To: bind-bugs@isc.org
>Subject: Fixes for bind-8.1.1-T1A on FreeBSD-2.1.7.1 (and earlier)
>From: sthaug@nethelp.no
>Date: Sun, 25 May 1997 15:38:53 +0200
>
>bind-8.1.1-T1A doesn't compile "out of the box" on FreeBSD-2.1.7.1 and
>earlier. This is partly my fault - when I did the original FreeBSD port,
>I didn't have any 2.1.7.1 system to test on (only 2.2 and newer).
>
>I still don't have a 2.1.7.1 system, but I've compiled 8.1.1-T1A on a
>2.2 system, but in a 2.1.7.1 *changerooted* environment (ie. 2.1.7.1
>include files, compilers etc).
>
>There's only one real problem: The following line from port/settings
>tickles a bug in the 2.1.7.1 sh:
>
>    eval "env=`echo \\${\$var-'$val'}`"
>
>and you get the error message:
>
>    port/settings: 1: Syntax error: Bad substitution
>
>The enclosed diff fixes this for FreeBSD 2.1.7.1. The resulting named
>runs fine on FreeBSD 2.2.
>
>I've also verified that the same .settings file (as the original) is
>produced on these platforms:
>
>    SunOS 4.1.3/gcc
>    Solaris 2.5.1/gcc
>    Digital Unix 3.2G/cc
>    HP-UX 10.20/cc
>
>when doing an "out of the box" compile (make clean; make depend; make).
>Note that I've only verified that .settings is equal - I haven't tried
>running 8.1.1-T1A named on all these platforms.
>
>One other change suggested for FreeBSD-2.1.7.1 and earlier: AF_INET6
>is undefined in 2.1.7.1 and earlier, and defined to be 28 in 2.2 and
>newer (/usr/include/sys/socket.h). port/freebsd/include/port_after.h
>currently defines AF_INET6 as 24 (if undefined). I'd suggest changing
>this to 28, to be compatible with newer versions of FreeBSD.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>----------------------------------------------------------------------
>*** settings.orig Tue Dec 17 22:49:17 1996 >--- settings Sun May 25 14:16:51 1997 >*************** >*** 22,28 **** > while read setting; do > var=`expr "$setting" : "'\([A-Z0-9_]*\)="` > val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"` >! eval "env=`echo \\${\$var-'$val'}`" > result="$result '$var=$env'" > done > >--- 22,29 ---- > while read setting; do > var=`expr "$setting" : "'\([A-Z0-9_]*\)="` > val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"` >! rhs="\${""$var""-\$val}" >! eval "env=$rhs" > result="$result '$var=$env'" > done > >*** port_after.h.orig Fri Apr 25 20:12:50 1997 >--- port_after.h Sun May 25 15:15:47 1997 >*************** >*** 31,35 **** > * derived systems for which AF_INET6 is defined. > */ > #ifndef AF_INET6 >! #define AF_INET6 24 > #endif >--- 31,35 ---- > * derived systems for which AF_INET6 is defined. > */ > #ifndef AF_INET6 >!
#define AF_INET6 28 > #endif
>
+ Ev Batey - efb@cotdazr.org - http://www.cotdazr.org - Wa6Cre - Unix +
+ +1 805 228.7180 DSN 296-7180, Eves: +1 800 380.6999 +1 805 985.3146 +
+ VoiceMail: +1 805 340.6471..x5 +1 800 545.6998 .Pgr +1 805 655.2017 +
http://www.vcd.com - - For Info and Contacts for Ventura County, CA USA

From owner-freebsd-security Wed Aug 5 01:05:52 1998
From: fbsdsec
Date: Wed, 5 Aug 1998 04:05:37 -0400 (EDT)
To: freebsd-security@FreeBSD.ORG

subscribe freebsd-security

From owner-freebsd-security Wed Aug 5 05:37:37 1998
From: Richard Wackerbarth
Date: Wed, 5 Aug 1998 07:36:51 -0500
To: security@FreeBSD.ORG
Subject: Please help me stop this

Someone targeted a machine that I administer with SPAM. (Below, I have
replaced the target with 999.999.999.999 targeted.machine.org to protect
the victim.)

Can someone identify what they did to trick the machine into accepting
this mail?

V2
T902297845
K902316217
N12
P2731277
I4/19/20859
Mhost map: lookup (blueline.com): deferred
Fwb
$rSMTP
$s999.999.999.999
$_usr31-dialup56.mix2.Atlanta.mci.net [166.55.58.184]
S
RPFD:
H?P?Return-Path:
HReceived: from 999.999.999.999 (usr31-dialup56.mix2.Atlanta.mci.net [166.55.58.184]) by targeted.machine.org (8.8.8/8.8.5) with SMTP id BAA21916; Wed, 5 Aug 1998 01:17:25 -0500 (CDT)
H?F?From: FamilyNeeds@usa.net
HDate: Wed, 05 Aug 98 02:19:13 EST
HTo: yournews
HSubject: ****FAMILY DENTAL NEEDS****
HMessage-ID: <9807241449.AA25980@doc.doc.com>

From owner-freebsd-security Wed Aug 5 09:43:45 1998
From: Brett Glass
Date: Wed, 05 Aug 1998 10:27:30 -0600
Message-Id: <199808051643.KAA04281@lariat.lariat.org>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
To: security@FreeBSD.ORG
Subject: Does this mean we have another breakin?

Found this in the security output this morning, after ANOTHER spontaneous
crash.

setuid diffs:
9c9
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore
11c11
< -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/rrestore
---
> -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/rrestore

Does this mean we have intruders? I think I might have *run* restore at
that time as root, but didn't think it was self-modifying.

--Brett

From owner-freebsd-security Wed Aug 5 14:34:42 1998
From: Ollivier Robert
Date: Wed, 5 Aug 1998 23:26:31 +0200
Message-ID: <19980805232631.A22803@keltia.freenix.fr>
To: Richard Wackerbarth, security@FreeBSD.ORG
Subject: Re: Please help me stop this
X-Mailer: Mutt 0.93i
In-Reply-To: ; from Richard Wackerbarth on Wed, Aug 05, 1998 at 07:36:51AM -0500
X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz

According to Richard Wackerbarth:
> Can someone identify what they did to trick the machine into accepting
> this mail?

The spam came from an MCI dialup (*.Atlanta.mci.net) and your machine has
no anti-spam (anti-relay to be exact) rules. Get 8.9.1 and install it. It
stops relaying by default. Do it quickly before this machine gets into the
RBL (http://maps.vix.com/rbl/).

After you've installed it, forbid the dialup domains from the big
companies (Compu$erve, AOL, MSN and so on) from reaching your machines
directly. It won't stop them using other open relays but at least it will
stop a few of them too stupid.

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998

From owner-freebsd-security Wed Aug 5 14:40:01 1998
From: Brett Glass
Date: Wed, 05 Aug 1998 15:39:06 -0600
Message-Id: <199808052139.PAA01240@lariat.lariat.org>
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
To: security@FreeBSD.ORG
Subject: Changes to restore and rrestore
owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As mentioned in an earlier message, our daily security "diff" reports that the dates and times on /sbin/rrestore and /sbin/restore have mysteriously changed. The new dates are approximately the time when we had a system crash and had to run fsck. Could it be that fsck, when it repairs directories, changes dates? Or have we been hacked again, despite replacing the whole OS and bringing back only data files? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 5 15:18:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA03984 for freebsd-security-outgoing; Wed, 5 Aug 1998 15:18:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA03979 for ; Wed, 5 Aug 1998 15:18:14 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id AAA20451 for security@FreeBSD.ORG; Thu, 6 Aug 1998 00:17:54 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (VMailer, from userid 101) id 9D36C1514; Wed, 5 Aug 1998 23:47:00 +0200 (CEST) Message-ID: <19980805234700.A23220@keltia.freenix.fr> Date: Wed, 5 Aug 1998 23:47:00 +0200 From: Ollivier Robert To: security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? 
Mail-Followup-To: security@FreeBSD.ORG References: <199808051643.KAA04281@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: <199808051643.KAA04281@lariat.lariat.org>; from Brett Glass on Wed, Aug 05, 1998 at 10:27:30AM -0600 X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Brett Glass: > setuid diffs: > 9c9 > < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore > --- > > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore Verify, if you have them, the MD5 checksums. If they don't have changed, you've been hit by a VM bug where mod. time is changed even if the executable has only been loaded. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 5 16:28:16 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14896 for freebsd-security-outgoing; Wed, 5 Aug 1998 16:28:16 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14816 for ; Wed, 5 Aug 1998 16:28:12 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id RAA00806; Wed, 5 Aug 1998 17:27:59 -0600 (MDT) Message-Id: <199808052327.RAA00806@lariat.lariat.org> X-Sender: brett@mail.lariat.org X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1 Date: Wed, 05 Aug 1998 17:22:15 -0600 To: Ollivier Robert , security@FreeBSD.ORG From: Brett Glass Subject: Re: Does this mean we have another breakin? 
In-Reply-To: <19980805234700.A23220@keltia.freenix.fr> References: <199808051643.KAA04281@lariat.lariat.org> <199808051643.KAA04281@lariat.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The MD5's are the same. Must be a VM bug. Maybe the same one that's crashing us left and right. --Brett At 11:47 PM 8/5/98 +0200, Ollivier Robert wrote: >According to Brett Glass: >> setuid diffs: >> 9c9 >> < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore >> --- >> > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore > >Verify, if you have them, the MD5 checksums. If they don't have changed, >you've been hit by a VM bug where mod. time is changed even if the >executable has only been loaded. >-- >Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr >FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 5 17:57:11 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA26617 for freebsd-security-outgoing; Wed, 5 Aug 1998 17:57:11 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA26592 for ; Wed, 5 Aug 1998 17:56:59 -0700 (PDT) (envelope-from root@implode.root.com) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id RAA20383; Wed, 5 Aug 1998 17:53:26 -0700 (PDT) Message-Id: <199808060053.RAA20383@implode.root.com> To: Brett Glass cc: Ollivier Robert , security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? 
In-reply-to: Your message of "Wed, 05 Aug 1998 17:22:15 MDT." <199808052327.RAA00806@lariat.lariat.org> From: David Greenman Reply-To: dg@root.com Date: Wed, 05 Aug 1998 17:53:26 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >The MD5's are the same. Must be a VM bug. > >Maybe the same one that's crashing us left and right. A GP fault wouldn't normally indicate a VM system bug. A few questions: 1) Are your systems being overclocked? 2) What do you have maxusers set to? 3) Do you have NMBCLUSTERS specified in the kernel? If so, at what value? 4) Is there anything else special about the tuning of your kernel? -DG David Greenman Co-founder/Principal Architect, The FreeBSD Project To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 5 18:32:18 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA01844 for freebsd-security-outgoing; Wed, 5 Aug 1998 18:32:18 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id SAA01825 for ; Wed, 5 Aug 1998 18:32:07 -0700 (PDT) (envelope-from imp@village.org) Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0z4EuH-00002r-00; Wed, 5 Aug 1998 19:31:53 -0600 Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id TAA09251; Wed, 5 Aug 1998 19:32:05 -0600 (MDT) Message-Id: <199808060132.TAA09251@harmony.village.org> To: Brett Glass Subject: Re: Does this mean we have another breakin? Cc: security@FreeBSD.ORG In-reply-to: Your message of "Wed, 05 Aug 1998 10:27:30 MDT." 
<199808051643.KAA04281@lariat.lariat.org> References: <199808051643.KAA04281@lariat.lariat.org> Date: Wed, 05 Aug 1998 19:32:05 -0600 From: Warner Losh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <199808051643.KAA04281@lariat.lariat.org> Brett Glass writes: : < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 /sbin/restore : --- : > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 /sbin/restore : Does this mean we have intruders? I think I might have *run* restore at : that time as root, but didn't think it was self-modifying. Sicne the sizes are the same, this is a well known bug in the changing of the modification time spontaneously. The security program should keep a md5 database of files instead. The Spontaneous Crash should be looked into, but it does sound much like the David Rivers Memorial Crash[tm] which is both well known and hard to fix. Warner To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Wed Aug 5 22:16:06 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA29177 for freebsd-security-outgoing; Wed, 5 Aug 1998 22:16:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mew.gol.com (mew.gol.com [203.216.0.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA29158 for ; Wed, 5 Aug 1998 22:16:01 -0700 (PDT) (envelope-from jun@mew.gol.com) Received: (from jun@localhost) by mew.gol.com (8.9.0/8.9.0) id OAA01977; Thu, 6 Aug 1998 14:15:41 +0900 (JST) To: FreeBSD-security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? 
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Just Another Perl Hacker Date: 06 Aug 1998 14:15:41 +0900 In-Reply-To: Ollivier Robert's message of "Wed, 5 Aug 1998 23:47:00 +0200" Message-ID: Lines: 24 X-Mailer: Gnus v5.6.24/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >>>>> "O" == Ollivier Robert writes: O> According to Brett Glass: >> setuid diffs: >> 9c9 >> < -r-xr-sr-x 2 root tty 225280 Jul 22 02:13:13 1998 >> /sbin/restore >> --- >> > -r-xr-sr-x 2 root tty 225280 Aug 4 15:00:14 1998 >> /sbin/restore O> Verify, if you have them, the MD5 checksums. If they don't have O> changed, you've been hit by a VM bug where mod. time is changed O> even if the executable has only been loaded. Is this bug send-pr(1)'d yet? I tried the GNATS database of FreeBSD web page, to no avail. If you or anyone on the list have a pointer to the problem, please let me know. Thank you in advance. 
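Editor's added example (not part of Junichi Kurokawa's message or of any other message in this thread): the check Warner Losh and Ollivier Robert describe above, a baseline of setuid/setgid files keyed on a content hash rather than on the ls(1)-style listing /etc/security diffs, so that a binary whose mtime moved while its bytes stayed identical is reported as exactly that and not as a possible trojan. It assumes SHA-256 in place of the MD5 of the 1998 discussion (the technique is the same), and the tree of fake "binaries" it scans is constructed inside a temporary directory; none of the paths or file contents are real system files.

```python
"""Content-hash baseline for setuid/setgid binaries (editor's added example).

The /etc/security "setuid diffs" quoted in this thread compare an ls(1)-style
listing, so a binary whose mtime changes while its bytes stay identical looks
the same as one an intruder replaced.  Storing a content hash next to the
metadata lets the report say which of the two happened.  SHA-256 is assumed
here instead of the MD5 of the original discussion; the sample tree of fake
binaries built in demo() is constructed and is not real system files.
"""
import hashlib
import os
import stat
import tempfile
import time

CHUNK = 1 << 16


def is_setid(st):
    """True if either the setuid or the setgid bit is set on a stat result."""
    return bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def file_digest(path):
    """SHA-256 of the file contents, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Walk root and record every regular setuid/setgid file.

    lstat() is used so a symlink planted in place of a binary is skipped
    rather than hashed through.
    """
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not is_setid(st):
                continue
            records[path] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": file_digest(path),
            }
    return records


def compare(baseline, current):
    """Classify each path as added, removed, content, mode, or mtime-only.

    The content hash is checked first: a changed hash is the finding that
    matters whatever the timestamps say.  "mtime-only" is what the VM bug in
    this thread produces; it is still reported, just labelled honestly.
    """
    findings = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings[path] = "added"
        elif new is None:
            findings[path] = "removed"
        elif old["sha256"] != new["sha256"]:
            findings[path] = "content"
        elif (old["mode"], old["uid"], old["gid"]) != (new["mode"], new["uid"], new["gid"]):
            findings[path] = "mode"
        elif old["mtime"] != new["mtime"]:
            findings[path] = "mtime-only"
    return findings


def demo():
    """Reproduce the thread's symptom on a constructed tree; return verdicts by file name."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        paths = {}
        for name in ("restore", "rrestore", "ping"):
            p = os.path.join(sbin, name)
            paths[name] = p
            with open(p, "wb") as f:
                f.write(b"\x7fELF fake " + name.encode())  # constructed stand-in for a binary
            os.chmod(p, 0o4755)  # setuid; owner-writable only so the demo can edit it
        base = snapshot(root)

        # 1. mtime bumped, bytes untouched: what Brett Glass saw on /sbin/restore
        later = time.time() + 3600
        os.utime(paths["restore"], (later, later))
        # 2. same size, same mode, different bytes: what a replaced binary looks like
        with open(paths["ping"], "r+b") as f:
            f.write(b"\x7fELF FAKE ")
        # 3. permission bits changed, bytes untouched
        os.chmod(paths["rrestore"], 0o4555)
        # 4. a new setuid file appears
        extra = os.path.join(sbin, "sh")
        with open(extra, "wb") as f:
            f.write(b"\x7fELF fake sh")
        os.chmod(extra, 0o4755)

        return {os.path.basename(p): v for p, v in compare(base, snapshot(root)).items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:10s} {verdict}")
```

For real use, write the output of snapshot() to a file the monitored host cannot rewrite (read-only media or another machine) and rerun compare() from the daily security job; a hash database that lives beside the binaries it vouches for is only as trustworthy as the host it sits on.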
-- 
Junichi Kurokawa
Global Online Japan Corporation, Tokyo

From owner-freebsd-security Wed Aug 5 23:36:25 1998
From: Everett F Batey
Reply-To: efb@cotdazr.org
Date: Wed, 5 Aug 1998 23:36:01 -0700
To: freebsd-security@FreeBSD.ORG
Cc: efb@cotdazr.org, sthaug@nethelp.no
Message-ID: <19980805233601.46547@cotdazr.org>
Subject: REPAIRS Tested for bind_8.1.2 For FreeBSD 2.0.5 .. Seconded

freebsd-security,

The patch included below in Steinar's email, which overcomes the /bin/sh problem in the conf/...., was ALL it took for me to build a clean BIND 8.1.2 with the default cc/gcc on F.Bsd 2.0.5 .. Please, make it available to the others who have F.Bsd 2.1 back to 2.0.5. IF this needs to get to another address at Free.Bsd .. PLEASE forward it .. losing a week and being kicked off DNS by hackers could have ended sooner.

Thank you .. this is a second on Steinar's earlier request

/Everett/
-- 
+ http://www.cotdazr.org efb@cotdazr.org -- WA6CRE -- http://www.gitt.gov +
+ http://www.oxnardsd.org [EFB15] SunUG: http://halide.acs.uci.edu/GCSUG +
+ BSD Unix Sun Linux, Security, Cisco Routing, QMail Inn DNS & My Opinions +
+ Beep: 805.655.2017 Vmail: 805.340.6471+5, 800.545.6998 USN: 805.982.7180 +

[Attached: forwarded message from Everett Batey]
<>Date: Wed, 05 Aug 1998 00:13:47 -0700
<>To: sthaug@nethelp.no
<>Subject: Re: PPP.3000.exposure

For Info of all

Bind_8.1.2 With ONLY the shell fix in port/settings Builds just FINE on FreeBSD 2.0.5 .. runs here now .. seems not to be crashable by the net hacks .. THANKS folks ..

Now is there a fast cure for lighting port 3000 in iijppp or is it truly harmless ???

/Everett/

At 12:40 PM 8/3/98 +0200, sthaug@nethelp.no wrote:
>> ..and does not build on 2.1 systems AT ALL. I always hated "too smart"
>> programs.. it tries to build some scriptfile and fails and i don't even
>> know WHAT should it do if it worked..
>
>It's well known that BIND 8.x doesn't build on 2.1 systems. I sent patches
>for this to the BIND maintainers long ago - see below. Unfortunately, they
>haven't been integrated.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>----------------------------------------------------------------------
>To: bind-bugs@isc.org
>Subject: Fixes for bind-8.1.1-T1A on FreeBSD-2.1.7.1 (and earlier)
>From: sthaug@nethelp.no
>Date: Sun, 25 May 1997 15:38:53 +0200
>
>bind-8.1.1-T1A doesn't compile "out of the box" on FreeBSD-2.1.7.1 and
>earlier. This is partly my fault - when I did the original FreeBSD port,
>I didn't have any 2.1.7.1 system to test on (only 2.2 and newer).
>
>I still don't have a 2.1.7.1 system, but I've compiled 8.1.1-T1A on a
>2.2 system, but in a 2.1.7.1 *changerooted* environment (ie. 2.1.7.1
>include files, compilers etc).
>
[[Comment efb@cotdazr.org .. this is the only piece I tested and vrfyd for F.Bsd 2.0.5 /Ev/ ]]
>There's only one real problem: The following line from port/settings
>tickles a bug in the 2.1.7.1 sh:
>
>	eval "env=`echo \\${\$var-'$val'}`"
>
>and you get the error message:
>
>	port/settings: 1: Syntax error: Bad substitution
>
>The enclosed diff fixes this for FreeBSD 2.1.7.1. The resulting named
>runs fine on FreeBSD 2.2.
>
>I've also verified that the same .settings file (as the original) is
>produced on these platforms:
>
>	SunOS 4.1.3/gcc
>	Solaris 2.5.1/gcc
>	Digital Unix 3.2G/cc
>	HP-UX 10.20/cc
>
>when doing an "out of the box" compile (make clean; make depend; make).
>Note that I've only verified that .settings is equal - I haven't tried
>running 8.1.1-T1A named on all these platforms.
>
>One other change suggested for FreeBSD-2.1.7.1 and earlier: AF_INET6
>is undefined in 2.1.7.1 and earlier, and defined to be 28 in 2.2 and
>newer (/usr/include/sys/socket.h). port/freebsd/include/port_after.h
>currently defines AF_INET6 as 24 (if undefined). I'd suggest changing
>this to 28, to be compatible with newer versions of FreeBSD.
>
>Steinar Haug, Nethelp consulting, sthaug@nethelp.no
>----------------------------------------------------------------------
>*** settings.orig	Tue Dec 17 22:49:17 1996
>--- settings	Sun May 25 14:16:51 1997
>***************
>*** 22,28 ****
>  while read setting; do
>  	var=`expr "$setting" : "'\([A-Z0-9_]*\)="`
>  	val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"`
>! 	eval "env=`echo \\${\$var-'$val'}`"
>  	result="$result '$var=$env'"
>  done
>
>--- 22,29 ----
>  while read setting; do
>  	var=`expr "$setting" : "'\([A-Z0-9_]*\)="`
>  	val=`expr "$setting" : "'[A-Z0-9_]*=\([^']*\)'\$"`
>! 	rhs="\${""$var""-\$val}"
>! 	eval "env=$rhs"
>  	result="$result '$var=$env'"
>  done
>
>*** port_after.h.orig	Fri Apr 25 20:12:50 1997
>--- port_after.h	Sun May 25 15:15:47 1997
>***************
>*** 31,35 ****
>   * derived systems for which AF_INET6 is defined.
>   */
>  #ifndef AF_INET6
>! #define AF_INET6 24
>  #endif
>--- 31,35 ----
>   * derived systems for which AF_INET6 is defined.
>   */
>  #ifndef AF_INET6
>! #define AF_INET6 28
>  #endif
>

From owner-freebsd-security Thu Aug 6 04:22:03 1998
From: Ollivier Robert
Date: Thu, 6 Aug 1998 13:10:45 +0200
To: FreeBSD-security@FreeBSD.ORG
Message-ID: <19980806131045.A28059@keltia.freenix.fr>
Subject: Re: Does this mean we have another breakin?
In-Reply-To: ; from Just Another Perl Hacker on Thu, Aug 06, 1998 at 02:15:41PM +0900

According to Just Another Perl Hacker:
> Is this bug send-pr(1)'d yet? I tried the GNATS database of FreeBSD
> web page, to no avail.

No, I don't think anyone has isolated enough information about it to file a PR. Circumstances are pretty random; it just happens.
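Review bot: in the port/settings hunk of Steinar Haug's patch quoted above, the new line rhs="\${""$var""-\$val}" splices the variable name unquoted into a string that the next line hands to eval, which is safe only because the preceding var=`expr "$setting" : "'\([A-Z0-9_]*\)="` restricts var to [A-Z0-9_]; a settings line that does not match that pattern leaves var empty, so the eval sees ${-$val} and fails with a bad substitution of its own. Suggest skipping such lines before the eval, for example with case "$var" in "") continue;; esac after the two expr lines, so a malformed line in the settings file is ignored instead of aborting the script.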
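Review bot: the port_after.h hunk changes the #ifndef AF_INET6 fallback from 24 to 28 but leaves the comment above it unchanged, so nothing in the file says where 28 comes from; add a line to that comment recording the source the covering message gives (AF_INET6 is 28 in /usr/include/sys/socket.h on FreeBSD 2.2 and newer, undefined on 2.1.7.1 and earlier) so the next porter does not "correct" it back to 24, and note there that the fallback is only consulted when the system header does not define the macro at all.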
> If you or anyone on the list have a pointer to the problem, please let > me know. Thank you in advance. You should be able to find many references about this in the mailing-lists archives, the problem has been known for a long time. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 6 10:41:47 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA16530 for freebsd-security-outgoing; Thu, 6 Aug 1998 10:41:47 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA16519 for ; Thu, 6 Aug 1998 10:41:40 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id MAA19370; Thu, 6 Aug 1998 12:40:45 -0500 (CDT) Date: Thu, 6 Aug 1998 12:40:45 -0500 (CDT) From: Jeremy Shaffner To: Robert Watson cc: "Jan B. Koum " , sthaug@nethelp.no, j@lumiere.net, freebsd-security@FreeBSD.ORG Subject: Re: ipfw rules to allow DNS activity In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 27 Jul 1998, Robert Watson wrote: > Does this differ on NT/Windows/Macintosh? I don't know if they have the > same concept of "reserved ports" as they don't tend to have the same trust > model that NFS/rsh/etc use. I've never checked to see whether > Mac/Windows95 allocate ports <1024 for outgoing connections. Under NT, > anyway, one assumes they don't so that various services can run on them > unhindered? Win* starts at 1025 and goes up sequentially for each successive outgoing connection. 
> I could easily see some Microsoft programmer saying "hmm. I'll make an > outgoing connection from port 867 on this machine to port 23 on that > one.." :) > > Stevens' new unix network programming book has port range information for > BSD, Solaris, but no microsoft/etc info (it being a UNIX network > programming book :). > In Windows95 at least there is a \windows\services text file akin to /etc/services. -===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 6 11:04:58 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA20061 for freebsd-security-outgoing; Thu, 6 Aug 1998 11:04:58 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mercury.jorsm.com (mercury.jorsm.com [207.112.128.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA20055; Thu, 6 Aug 1998 11:04:55 -0700 (PDT) (envelope-from jer@jorsm.com) Received: from localhost (jer@localhost) by mercury.jorsm.com (8.8.7/8.8.7) with SMTP id NAA20554; Thu, 6 Aug 1998 13:04:21 -0500 (CDT) Date: Thu, 6 Aug 1998 13:04:20 -0500 (CDT) From: Jeremy Shaffner To: andrewr cc: Brett Glass , Robert Watson , "Jan B. 
Koum " , chat@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD Security How-To (Was: QPopper exploit) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 29 Jul 1998, andrewr wrote: > > On Tue, 28 Jul 1998, Brett Glass wrote: > > > At 08:48 AM 7/28/98 -0400, Robert Watson wrote: > > > > >I heard there was a free Windows ssh client these days -- I haven't used > > >it as (oops) I don't run any Microsoft operating systems :). > > > > Anyone know where to get it? > > For a 30 day trial copy, go to www.datafellows.com and hed to their > download section. You can get a m$ copy of ssh client there. > Since we're talking trial versions... SecureCRT from www.vandyke.com -===================================================================- Jeremy Shaffner JORSM Internet Senior Technical Support Northwest Indiana's Premium jer@jorsm.com Internet Service Provider support@jorsm.com http://www.jorsm.com -===================================================================- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 6 12:42:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA12086 for freebsd-security-outgoing; Thu, 6 Aug 1998 12:42:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from destiny.erols.com (destiny.erols.com [207.96.73.65]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA12081; Thu, 6 Aug 1998 12:42:27 -0700 (PDT) (envelope-from jdowdal@destiny.erols.com) Received: from destiny.erols.com (someone@destiny.erols.com [207.96.73.65]) by destiny.erols.com (8.8.8/8.6.12) with SMTP id PAA03273; Thu, 6 Aug 1998 15:41:15 -0400 (EDT) Date: Thu, 6 Aug 1998 15:41:15 -0400 (EDT) From: John Dowdal To: Jeremy Shaffner cc: andrewr , Brett Glass , Robert Watson , "Jan B. 
Koum " , chat@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: FreeBSD Security How-To (Was: QPopper exploit) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 6 Aug 1998, Jeremy Shaffner wrote: > On Wed, 29 Jul 1998, andrewr wrote: > > > > On Tue, 28 Jul 1998, Brett Glass wrote: > > > > > At 08:48 AM 7/28/98 -0400, Robert Watson wrote: > > > > > > >I heard there was a free Windows ssh client these days -- I haven't used > > > >it as (oops) I don't run any Microsoft operating systems :). > > > > > > Anyone know where to get it? > > > > For a 30 day trial copy, go to www.datafellows.com and hed to their > > download section. You can get a m$ copy of ssh client there. > > > > Since we're talking trial versions... SecureCRT from www.vandyke.com > There is an absolutely free ssh for windows at: http://www.doc.ic.ac.uk/~ci2/ssh/ >From that web page, you need to download the current 32 or 16 bit as appropriate version of the SSH program, as well as the crypto library. The crypto library includes source. The ssh program does not include source, which does make me uncomfortable using it. To install: unzip the whole ssh archive into a directory under c:\program files\ssh, and also place the 'crypt32.dll' file from the cyrpto libary in the same directory as ssh. You do not need any other files from the crypto lib in order to use ssh. Make a shortcut in start menu. I do not endorse the use of this program; I am simply stating that it exists. 
John To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Thu Aug 6 20:22:31 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA12604 for freebsd-security-outgoing; Thu, 6 Aug 1998 20:22:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from mew.gol.com (mew.gol.com [203.216.0.88]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA12474 for ; Thu, 6 Aug 1998 20:22:15 -0700 (PDT) (envelope-from jun@mew.gol.com) Received: (from jun@localhost) by mew.gol.com (8.9.0/8.9.0) id MAA03907; Fri, 7 Aug 1998 12:21:58 +0900 (JST) To: FreeBSD-security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr> Mime-Version: 1.0 (generated by tm-edit 7.108) Content-Type: text/plain; charset=US-ASCII From: Just Another Perl Hacker Date: 07 Aug 1998 12:21:57 +0900 In-Reply-To: Ollivier Robert's message of "Thu, 6 Aug 1998 13:10:45 +0200" Message-ID: Lines: 53 X-Mailer: Gnus v5.6.24/XEmacs 20.4 - "Emerald" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Just for the record, >>>>> "O" == Ollivier Robert writes: >> If you or anyone on the list have a pointer to the problem, >> please let me know. Thank you in advance. O> You should be able to find many references about this in the O> mailing-lists archives, the problem has been known for a long O> time. I managed to dig out Mike Smith's nice comment on this subject, which he posted to freebsd-hackers. I assume that this spontaneous writebacks *could* occur not only to setuid(2)'d executables such as sendmail(8), but to arbitrary command as a file on the filesystem. We thank you for the helpful message, Mike! 
--------begin quote-------- Date: Wed, 26 Mar 1997 13:51:06 +1030 (CST) From: Michael Smith To: smc@servtech.com (Shawn Carey) Cc: freebsd-hackers@FreeBSD.ORG Subject: Re: Anyone else seen this? Message-ID: <199703260321.NAA24228@genesis.atrad.adelaide.edu.au> In-Reply-To: <33388927.41C67EA6@servtech.com> from Shawn Carey at "Mar 25, 97 09:25:43 pm" Shawn Carey stands accused of saying: > > Now that we are running 2.2-RELEASE, this anomaly appears to be > something more serious than I originally thought, as gdb now stops the > program with the message "Process killed due to text file modification", > and sure enough, the file's date is changing but a diff between an idle > copy and the "modified" executable is nil. Furthermore, I have recently > discovered that if I link the program with -static, the problem goes > away. This looks very much like a problem that has been reported many times before, where one or more pages from a process' text are written back to the file. The pages aren't actually changed, but the file's timestamp is obviously updated. 
(snip) --------end quote-------- -- Junichi Kurokawa Global Online Japan Corporation, Tokyo To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 7 03:44:04 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA16669 for freebsd-security-outgoing; Fri, 7 Aug 1998 03:44:04 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from frmug.org (frmug-gw.frmug.org [193.56.58.252]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id DAA16563 for ; Fri, 7 Aug 1998 03:43:56 -0700 (PDT) (envelope-from roberto@keltia.freenix.fr) Received: (from uucp@localhost) by frmug.org (8.9.1/frmug-2.3/nospam) with UUCP id MAA29824 for FreeBSD-security@FreeBSD.ORG; Fri, 7 Aug 1998 12:43:38 +0200 (CEST) (envelope-from roberto@keltia.freenix.fr) Received: by keltia.freenix.fr (VMailer, from userid 101) id D7AA51527; Fri, 7 Aug 1998 12:20:35 +0200 (CEST) Message-ID: <19980807122035.A4145@keltia.freenix.fr> Date: Fri, 7 Aug 1998 12:20:35 +0200 From: Ollivier Robert To: FreeBSD-security@FreeBSD.ORG Subject: Re: Does this mean we have another breakin? Mail-Followup-To: FreeBSD-security@FreeBSD.ORG References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93i In-Reply-To: ; from Just Another Perl Hacker on Fri, Aug 07, 1998 at 12:21:57PM +0900 X-Operating-System: FreeBSD 3.0-CURRENT ctm#4527 AMD-K6 MMX @ 200 MHz Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org According to Just Another Perl Hacker: > I assume that this spontaneous writebacks *could* occur not only to > setuid(2)'d executables such as sendmail(8), but to arbitrary command > as a file on the filesystem. 
Of course but unless you run Tripwire, the /etc/security script will detect changes only on setuid/setgid ones. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message From owner-freebsd-security Fri Aug 7 06:20:09 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA03435 for freebsd-security-outgoing; Fri, 7 Aug 1998 06:20:09 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from speedy.nethampton.com (speedy.nethampton.com [207.252.75.40]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id GAA03371 for ; Fri, 7 Aug 1998 06:20:05 -0700 (PDT) (envelope-from tplatt@nethampton.com) Date: Fri, 7 Aug 1998 06:20:05 -0700 (PDT) Received: (qmail 1321 invoked from network); 7 Aug 1998 13:17:26 -0000 Received: from teebee.hamptons.com (HELO ?204.141.112.245?) (204.141.112.245) by speedy.nethampton.com with SMTP; 7 Aug 1998 13:17:26 -0000 X-Sender: tplatt@nethampton.com (Unverified) Message-Id: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: security@FreeBSD.ORG From: "Timothy R. Platt" Subject: Sysloging to a remote host Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Should be simple enough, but I just can't get this to work. In syslog.conf on 192.168.2.1: *.notice;kern.debug;mail.cri /var/log/messages *.notice;kern.debug;mail.cri @192.168.2.2 And on 192.168.2.2: syslogd -a 192.168.2.1/255.255.255.0 Is there anything required in the syslog.conf file on 192.168.2.2? The syslogd/syslog.conf man pages make no mention of it. Once I do get it working, I would like all the messages from the remote machine in a separate file, if syslog doesn't take care of that by default. 
TIA,

Tim

From owner-freebsd-security Fri Aug 7 08:36:37 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id IAA24242 for freebsd-security-outgoing; Fri, 7 Aug 1998 08:36:37 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.craxx.com (craxx.com [195.108.198.119]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id IAA24218 for ; Fri, 7 Aug 1998 08:36:32 -0700 (PDT) (envelope-from lva@dds.nl)
Received: from uptight (classless.student.utwente.nl [130.89.230.96]) by mail.craxx.com (8.9.1/8.9.1) with SMTP id RAA27507; Fri, 7 Aug 1998 17:35:44 +0200
From: "laurens van alphen"
To: "Timothy R. Platt"
Cc:
Subject: RE: Sysloging to a remote host
Date: Fri, 7 Aug 1998 17:35:34 +0200
Message-ID: <006e01bdc219$04bf78b0$0a00a8c0@uptight.student.utwente.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
In-Reply-To:
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.2106.4
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

hello,

you might want to have a look at secure syslog. the website is at
http://www.core-sdi.com/ssyslog and it's free. the latest version is 1.22
(available from their website)

--
laurens van alphen
craxx e-consultants
alphen@craxx.com
http://craxx.com/

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Timothy R. Platt
Sent: Friday, August 07, 1998 3:20 PM
To: security@FreeBSD.ORG
Subject: Sysloging to a remote host

Should be simple enough, but I just can't get this to work.

In syslog.conf on 192.168.2.1:

    *.notice;kern.debug;mail.cri    /var/log/messages
    *.notice;kern.debug;mail.cri    @192.168.2.2

And on 192.168.2.2:

    syslogd -a 192.168.2.1/255.255.255.0

Is there anything required in the syslog.conf file on 192.168.2.2? The
syslogd/syslog.conf man pages make no mention of it. Once I do get it
working, I would like all the messages from the remote machine in a
separate file, if syslog doesn't take care of that by default.

TIA,

Tim

From owner-freebsd-security Fri Aug 7 16:01:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA14622 for freebsd-security-outgoing; Fri, 7 Aug 1998 16:01:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from elisa.utopianet.net ([212.210.224.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA14617 for ; Fri, 7 Aug 1998 16:01:29 -0700 (PDT) (envelope-from rlucia@elisa.utopianet.net)
Received: (from rlucia@localhost) by elisa.utopianet.net (8.8.8/8.8.7) id BAA18993; Sat, 8 Aug 1998 01:02:13 +0200 (CEST) (envelope-from rlucia)
Message-ID: <19980808010213.A18953@utopianet.net>
Date: Sat, 8 Aug 1998 01:02:13 +0200
From: Rocco Lucia
To: "Timothy R. Platt"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sysloging to a remote host
Mail-Followup-To: "Timothy R. Platt" , freebsd-security@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91
In-Reply-To: ; from Timothy R. Platt on Fri, Aug 07, 1998 at 06:20:05AM -0700
X-Disclaimer: The truth is out there
X-Organization: Iscanet Internet Services
X-Evil: Microsoft
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Aug 07, 1998 at 06:20:05AM -0700, Timothy R. Platt wrote:
> Should be simple enough, but I just can't get this to work.
>
> In syslog.conf on 192.168.2.1:
>
>     *.notice;kern.debug;mail.cri    /var/log/messages
>     *.notice;kern.debug;mail.cri    @192.168.2.2
>
> And on 192.168.2.2:
>
>     syslogd -a 192.168.2.1/255.255.255.0
>
> Is there anything required in the syslog.conf file on 192.168.2.2? The
> syslogd/syslog.conf man pages make no mention of it. Once I do get it
> working, I would like all the messages from the remote machine in a
> separate file, if syslog doesn't take care of that by default.
>
> TIA,
>
> Tim

    syslogd -a 192.168.2.1/32:*

This should work, allowing just the .1 host to be logged by .2.

I don't know if it is possible to filter incoming messages directly in
syslogd, but you can easily do it, because you get the IP address of the
host that sent the message in the logfile.

rocco
--
Rocco Lucia                       Iscanet Internet Services
rlucia@utopianet.net              System and Network Admin
Free unices for a free world. Support *BSD.

From owner-freebsd-security Fri Aug 7 16:37:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA21017 for freebsd-security-outgoing; Fri, 7 Aug 1998 16:37:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20991; Fri, 7 Aug 1998 16:37:41 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id RAA13808; Fri, 7 Aug 1998 17:37:21 -0600 (MDT)
Message-Id: <199808072337.RAA13808@lariat.lariat.org>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Fri, 07 Aug 1998 15:17:43 -0600
To: Ollivier Robert , FreeBSD-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: Does this mean we have another breakin?
Cc: hackers@FreeBSD.ORG
In-Reply-To: <19980807122035.A4145@keltia.freenix.fr>
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

We have set up Tripwire, and are getting "Alarums and Excursions" (with
apologies to old Will Shakespeare) from changed "last modification" dates
on executables. Is this a bug or a break-in? I could not find anything
about a bug anywhere in the GNATS database.

When we encountered the changed files, we were sure we were being hacked
by the same intruder who "owned" us via QPopper not long ago. That
intruder installed several Trojans; perhaps as many as half a dozen. We
dealt with that first break-in by wiping the disk, installing
2.2.7-RELEASE, bringing back all the e-mail and user data, forcing 250
users to change passwords, and having two people audit each one of our
administrative Perl scripts and shell scripts. We also audited every
configuration file that can specify that a program should be run, meaning
everything from our customized sendmail.cf to rc.everything to
/etc/crontab. That process took 4 people a full weekend (not counting the
time it took to notify every single user) and took a mail server that
serves 250 people down for a full day. Not to mention the cost of all of
that pizza. ;-)

We were about to do it AGAIN. Now we're holding out some hope that it's
just a bug -- though perhaps the same one that's crashing us when we try
to back up.

In any event, I just received private e-mail stating that at least one
person has encountered VM problems in -stable under heavy CPU loads when
the swapper kicks in. According to the message, they cause corruption of
file modification dates. Is this a known bug? If so, could it also be
responsible for the spontaneous crashes we see when we pipe
dump | gzip | ftp for backups?

--Brett

At 12:20 PM 8/7/98 +0200, Ollivier Robert wrote:
>According to Just Another Perl Hacker:
>> I assume that this spontaneous writebacks *could* occur not only to
>> setuid(2)'d executables such as sendmail(8), but to arbitrary command
>> as a file on the filesystem.
>
>Of course but unless you run Tripwire, the /etc/security script will detect
>changes only on setuid/setgid ones.
>--
>Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
>FreeBSD keltia.freenix.fr 3.0-CURRENT #62: Mon Jul 27 20:47:08 CEST 1998

From owner-freebsd-security Fri Aug 7 18:38:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA07643 for freebsd-security-outgoing; Fri, 7 Aug 1998 18:38:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from unix1.it-datacntr.louisville.edu (unix1.it-datacntr.louisville.edu [136.165.4.27]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07617 for ; Fri, 7 Aug 1998 18:38:16 -0700 (PDT) (envelope-from k.stevenson@louisville.edu)
Received: from homer.louisville.edu (ktstev01@homer.it-datacntr.louisville.edu [136.165.1.20]) by unix1.it-datacntr.louisville.edu (8.8.7/8.8.7) with ESMTP id VAA24188; Fri, 7 Aug 1998 21:37:48 -0400
Received: (from ktstev01@localhost) by homer.louisville.edu (8.8.8/8.8.8) id VAA02272; Fri, 7 Aug 1998 21:37:48 -0400 (EDT)
Message-ID: <19980807213747.A1702@homer.louisville.edu>
Date: Fri, 7 Aug 1998 21:37:47 -0400
From: Keith Stevenson
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
Mail-Followup-To: Brett Glass , freebsd-security@freebsd.org
References: <199808051643.KAA04281@lariat.lariat.org> <19980805234700.A23220@keltia.freenix.fr> <19980806131045.A28059@keltia.freenix.fr> <19980807122035.A4145@keltia.freenix.fr> <199808072337.RAA13808@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: <199808072337.RAA13808@lariat.lariat.org>; from Brett Glass on Fri, Aug 07, 1998 at 03:17:43PM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Aug 07, 1998 at 03:17:43PM -0600, Brett Glass wrote:
> We have set up Tripwire, and are getting "Alarums and Excursions" (with
> apologies to old Will Shakespeare) from changed "last modification" dates
> on executables.
>

Are the file checksums changing? If not, then the binary probably is safe.

The Ports version of tripwire does an MD5 hash on the contents of /bin
/lkm /sbin /stand /usr/bin /usr/lib /usr/libdata /usr/libexec
/usr/local/bin /usr/local/lib /usr/local/libexec /usr/local/sbin
/usr/local/share /usr/sbin and /usr/share. (At least I _think_ this is
what it does, based upon my reading of the default tw.config file
installed by the port.)

MD5 is a pretty good checksum. It is highly unlikely that someone could
alter a binary in such a way as to maintain the file size and MD5
checksum. If you are truly paranoid, remove the "-2" from the end of the
"ignore list". (See the documentation at the top of the tw.conf file.)
This will enable a second cryptographic checksum at a significant
performance penalty. It is _extremely unlikely_ that a trojan'd binary
could pass both checksum tests.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

From owner-freebsd-security Fri Aug 7 18:39:56 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id SAA07900 for freebsd-security-outgoing; Fri, 7 Aug 1998 18:39:56 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA07867; Fri, 7 Aug 1998 18:39:41 -0700 (PDT) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id SAA00798; Fri, 7 Aug 1998 18:35:55 -0700 (PDT)
Message-Id: <199808080135.SAA00798@implode.root.com>
To: Brett Glass
cc: Ollivier Robert , FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
In-reply-to: Your message of "Fri, 07 Aug 1998 15:17:43 MDT." <199808072337.RAA13808@lariat.lariat.org>
From: David Greenman
Reply-To: dg@root.com
Date: Fri, 07 Aug 1998 18:35:55 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>We were about to do it AGAIN. Now we're holding out some hope that it's
>just a bug -- though perhaps the same one that's crashing us when we try to
>back up.
>
>In any event, I just received private e-mail stating that at least one
>person has encountered VM problems in -stable under heavy CPU loads when
>the swapper kicks in. According to the message, they cause corruption of
>file modification dates.

Corruption is probably not the right word. There might be a bug where a
page is seen as modified when it isn't, causing the modify date to get
updated.
The only way to be certain is to compare the binary with your backup
(e.g. if installed from CDROM, then with the copy on the CDROM). I
haven't personally seen this happen in more than a year, so if the bug is
still there, it must be fairly rare.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project

From owner-freebsd-security Fri Aug 7 21:03:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA25043 for freebsd-security-outgoing; Fri, 7 Aug 1998 21:03:59 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA25029; Fri, 7 Aug 1998 21:03:53 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id VAA05702; Fri, 7 Aug 1998 21:03:24 -0700 (PDT)
Message-Id: <199808080403.VAA05702@burka.rdy.com>
Subject: Re: Does this mean we have another breakin?
In-Reply-To: <199808080135.SAA00798@implode.root.com> from David Greenman at "Aug 7, 1998 6:35:55 pm"
To: dg@root.com
Date: Fri, 7 Aug 1998 21:03:24 -0700 (PDT)
Cc: brett@lariat.org, roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

David Greenman writes:
> >We were about to do it AGAIN. Now we're holding out some hope that it's
> >just a bug -- though perhaps the same one that's crashing us when we try to
> >back up.
> >
> >In any event, I just received private e-mail stating that at least one
> >person has encountered VM problems in -stable under heavy CPU loads when
> >the swapper kicks in. According to the message, they cause corruption of
> >file modification dates.
>
>    Corruption is probably not the right word. There might be a bug where a
> page is seen as modified when it isn't, causing the modify date to get
> updated. The only way to be certain is to compare the binary with your
> backup (e.g. if installed from CDROM, then with the copy on the CDROM). I
> haven't personally seen this happen in more than a year, so if the bug is
> still there, it must be fairly rare.

We usually get this bug once in two weeks. But since the file by itself
stays the same and the machine doesn't crash, fixing/finding the problem
wasn't in our TODO list.

>
> -DG
>
> David Greenman
> Co-founder/Principal Architect, The FreeBSD Project
>

-- dima

From owner-freebsd-security Fri Aug 7 23:35:28 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA07249 for freebsd-security-outgoing; Fri, 7 Aug 1998 23:35:28 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell.futuresouth.com (mail.futuresouth.com [198.78.58.19]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA07244; Fri, 7 Aug 1998 23:35:26 -0700 (PDT) (envelope-from fullermd@futuresouth.com)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.8.8/8.8.8) id BAA11150; Sat, 8 Aug 1998 01:34:56 -0500 (CDT)
Message-ID: <19980808013456.49685@futuresouth.com>
Date: Sat, 8 Aug 1998 01:34:56 -0500
From: "Matthew D. Fuller"
To: dg@root.com
Cc: FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: Does this mean we have another breakin?
References: <199808072337.RAA13808@lariat.lariat.org> <199808080135.SAA00798@implode.root.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: <199808080135.SAA00798@implode.root.com>; from David Greenman on Fri, Aug 07, 1998 at 06:35:55PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Aug 07, 1998 at 06:35:55PM -0700, David Greenman woke me up to tell me:
> >We were about to do it AGAIN. Now we're holding out some hope that it's
> >just a bug -- though perhaps the same one that's crashing us when we try to
> >back up.
> >
> >In any event, I just received private e-mail stating that at least one
> >person has encountered VM problems in -stable under heavy CPU loads when
> >the swapper kicks in. According to the message, they cause corruption of
> >file modification dates.
>
>    Corruption is probably not the right word. There might be a bug where a
> page is seen as modified when it isn't, causing the modify date to get
> updated. The only way to be certain is to compare the binary with your
> backup (e.g. if installed from CDROM, then with the copy on the CDROM). I
> haven't personally seen this happen in more than a year, so if the bug is
> still there, it must be fairly rare.

We get it all the time here. On sendmail on one machine (sendmail -q run
out of cron) and on {r}restore on another machine (amanda, I'm guessing).
Happens every couple days.

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be              |
* "The only reason I'm burning my candle at both ends, is  *
| that I haven't figured out how to light the middle yet." |
* fullermd@futuresouth.com :-} Matthew Fuller              *
| http://keystone.westminster.edu/~fullermd                |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

From owner-freebsd-security Fri Aug 7 23:41:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA08029 for freebsd-security-outgoing; Fri, 7 Aug 1998 23:41:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org ([206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA08003; Fri, 7 Aug 1998 23:41:35 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.6) id AAA16434; Sat, 8 Aug 1998 00:41:05 -0600 (MDT)
Message-Id: <199808080641.AAA16434@lariat.lariat.org>
X-Sender: brett@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Sat, 08 Aug 1998 00:40:49 -0600
To: dima@best.net, dg@root.com
From: Brett Glass
Subject: Re: Does this mean we have another breakin?
Cc: roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-Reply-To: <199808080403.VAA05702@burka.rdy.com>
References: <199808080135.SAA00798@implode.root.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:03 PM 8/7/98 -0700, Dima Ruban wrote:
>We usually get this bug once in two weeks. But since the file by itself
>stays the same and the machine doesn't crash, fixing/finding the problem
>wasn't in our TODO list.

The MD5 of the file stayed the same, and diff reveals no change.
But we can't turn off the alarm that's triggered by the date change in
/usr/sbin without potentially missing breakins, so our two new admins
are constantly getting scary messages.

--Brett

From owner-freebsd-security Fri Aug 7 23:50:19 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA09136 for freebsd-security-outgoing; Fri, 7 Aug 1998 23:50:19 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from burka.rdy.com (burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA09045; Fri, 7 Aug 1998 23:50:01 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: (from dima@localhost) by burka.rdy.com (8.8.8/RDY&DVV) id XAA06334; Fri, 7 Aug 1998 23:49:35 -0700 (PDT)
Message-Id: <199808080649.XAA06334@burka.rdy.com>
Subject: Re: Does this mean we have another breakin?
In-Reply-To: <199808080641.AAA16434@lariat.lariat.org> from Brett Glass at "Aug 8, 1998 0:40:49 am"
To: brett@lariat.org (Brett Glass)
Date: Fri, 7 Aug 1998 23:49:35 -0700 (PDT)
Cc: dima@best.net, dg@root.com, roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL43 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass writes:
> At 09:03 PM 8/7/98 -0700, Dima Ruban wrote:
>
> >We usually get this bug once in two weeks. But since the file by itself
> >stays the same and the machine doesn't crash, fixing/finding the problem
> >wasn't in our TODO list.
>
> The MD5 of the file stayed the same, and diff reveals no change. But
> we can't turn off the alarm that's triggered by the date change in
> /usr/sbin without potentially missing breakins, so our two new admins
> are constantly getting scary messages.

I wouldn't even know about this bug if one of my users hadn't been
checking what had changed since the last time he checked (once a day).
He mentioned that /usr/bin/du gets changed every once in a while. That
forced me to spend some time monitoring this particular machine. And I
found out that the only thing that was changed was the modification date
on /usr/bin/du. Etc etc etc etc. The rest you already know.

>
> --Brett
>

-- dima

From owner-freebsd-security Sat Aug 8 13:47:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA22717 for freebsd-security-outgoing; Sat, 8 Aug 1998 13:47:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from Mercury.unix.acs.cc.unt.edu (mercury.acs.unt.edu [129.120.220.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA22703 for ; Sat, 8 Aug 1998 13:47:16 -0700 (PDT) (envelope-from john@unt.edu)
Received: from leonardo.cascss.unt.edu (leonardo.cascss.unt.edu [129.120.32.203]) by Mercury.unix.acs.cc.unt.edu (8.8.8/8.8.8) with ESMTP id PAA23456 for ; Sat, 8 Aug 1998 15:46:56 -0500 (CDT)
Received: (from john@localhost) by leonardo.cascss.unt.edu (8.8.8/8.6.9) id PAA26643 for freebsd-security@freebsd.org; Sat, 8 Aug 1998 15:45:12 -0500 (CDT)
From: john
Message-Id: <199808082045.PAA26643@leonardo.cascss.unt.edu>
Subject: Network Watcher Program
To: freebsd-security@FreeBSD.ORG
Date: Sat, 8 Aug 1998 15:45:12 -0500 (CDT)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The program looks for certain attacks against hosts
and possible port scans. It's originally from http://www.rootshell.com I ported the packet capturing part to use libpcap and also added a configuration file to make the program more versatile. ---------------------------------------------- John Booth Computer Support Specialist Arts & Sciences Computing Services University of North Texas phone: (940)565-4498, campus extension 4498 Internet: john@unt.edu GroupWise: cas.po7.john Feel free to modify/use/and or distribute this. Included in the uuencoded file are a source file and a makefile. begin 644 netwatcher.tgz M'XL(`*ZYS#4``^Q;>U,;QY;/OYY/T4OJVA(1DL#825#LN@2$K;L85!;D<;TN MU6BF)?5E-#UW'L@DQ7??WSG=\Y($V`G9K:W:<2(T_3CO/N=T]U$HTZ6;>G,9 M=]ZY5W*J`OG58S^[W>[+_7WQE1"[W[[H5O^:9__EKA`O7[Q\OMM]OK_W'-W/ MN_O[7XGNHU.RXA[>-^ZA_O^CCPK!?Q`(/#<2.S.QHRL] M3BJ3]`#&8@D6SI,[$8K759#IIU0\=>(L_-S93YTK11(1&$7?:'S9_;^ML$=^ M2L8Z534\*@Y:_]WN'>M_M[OW?.];N_Z?[^_OO:#U_^VW+_]__?]//'%G^S$> MYYWVU51)7TQN!(GJ[UF8MJ6?.<[%7"4BBO4L=A=BD0]+M<@2*=*Y%(&:\)*? MR5#&RA.1ZUW)5*`IS6(5SAP,B-WX1BSGRIL+0'.O716XDT`*-Q73-#KH=/#9 MEK(=3(+V3%]W+,PV=-O^IW,22_GCZ%AX>B$3L53IG!`GC!J0%1H;QA^H23YU MNRG<():N?],&"R65GO:E6+J)2!$N0S&-]8*YH*')8@(/5E)'G*;0$IB(G65\`Z M!\NC5%[+$)S$"FX1\*;B1F#FW)-I"Y8=)[(?QSIV0-_'1 M%3O')+.)IH6G,07JUQ#PDFP*!N14IZ9+Z5X)-B.YF0C'Z1D-$VXBAN'D410" M3#``D'P)JUR0J&&G9/ISG06^E99P0XR"]<=D,/B*_SX,6I./G;#- M_SJ+MOG7(:LSPP[9`LFX?Y.Q-M)8*D#VW)A9R#$@?A?+-%]9/>%!=:EQ6)6. MSL)-KDAN$]UV>AAF@2187YZ$T3&DT>@M(T]*P+O?[[5W7WXGDFP"4,2ZG)%Z M>%Y!Z=Z>F6%'MU^T]Q`9GXJ]%_B&_[OM+C$B_YW!&,$"P.1#J0NVLI0K`E1I MFS1A+`[=$P$3)J:=06?4Z;;Y7_'WNRZ:CS_KW!KAM]C4V9XA5.:<1^3E1D%AOL8-.,Y MA0EG-O8.Q))77Y+-9KPEB722J`DB6Y0%`>F=O(&;ILAB'')]'"E,[")GZ\+I MLNNAH8B;\E.*4*XHCB8W"-T+@\8C)/#S(O%B%9&?RI+*C!C!5,19((WWS6,M M.?`$H<'Q]=)X[CQLIUJ;T`VG,N&,P*1?.IO-X3^V.X[S)S-!Y]P&>6+/5W"! 
M0X/[H(@).^*#F*>$UMQL1(,,)D&>$*M4Q2U7K((\F7HK`A#G4 M;K)%I%*AKY`WJ&MBSHDTI)HJ$&,TD;1M(IKH*:(8[-7`200%4H/,YIV)YX9( M1!/65(*>&%".STLD-88TH@04Z@)`AP5%!!)*2I'4;R`6.0M%M$01B6!M MDG&"I3W/311G6NB2;(P3.QR,6M8H^4=&B.2'B9$Q)6[45I47$D8Q^O7LY/3\ M_-AREYMX+C=@RZ`DI!2N0$('?L-L,8$P8-I(3T*S[A)1L*"(L`F2?23#"BS" M6NP)BG;A8@974#26F.FP#,^WZI+.=`L$.=K6!MM#X;_>7': M/Q/?OWQ"!T.=;3$RB>Z$?,FG2N:+S;.`C>3S^A=OQX^0A%=G(6JFVD/`03=-4=,0L_`V?G=2`.`W MH.M^0@[?=;[&;EI-B]Z+P;O^^>7%^*?#T\N^>($!-L"*GP\OCMZ*T_Y/_=.1 M*.P]G_?NUU'_].3\[/17P\QNM>?RQ[/^17YLOE?TO+U\=W@VN#A\/S@\HY[G M!:[W_>'Y^XL:L@HNTWMX>BI6<9D>BGJKN$S/Z,A@8ERP[8Q",B>"O-/YW7F2 MC:$L?*7W'KT&&A[0AO>R@;9;>%L'L1TBS^DYMTB_)#R[^'WP9C``4^XTE'09TFO$$D8 M6-&WHN<4#F0\/AV<7?XR'CLY")G.YWY,#&8AQ0TZ!R)!SL<^=A;!P7Z+CH@HC3O8[ZT.2'52;3-(4IV. M`QFN=RA_O8V$/M;3Z3KH-%AKR[WP.AA.3ZO-M+2L&=<;?=-8,2K2C!6Y6)%I M_E`0[MW=37NY>K>A*N_FW#E;V"&4ZQG[%173J;3DSRHT9>WVWD$)DDL9>K(R M]%9(;ZXK#<4<%.R09,V_6&_L:`NMMM MF1=:;*3"-^1X`NP]".>WMBVY"=F?H.D[V[24$X^W1:_$?M>VD;+SJ7MY(V]' MS1[M52UVVGX3-O(!19#L.6P%VV_LGCITB0M$6C$\.AQ"L=ET2B(SHWQYS>?0 MN0]!`C2&(R'+FY.`N`$^/YKZO34M"U;$"9VKP@WP"0!V1'2NQP?AM=TZY2CY MGHX55.;0N4YX94"J=C$8R418M&A3":U)^@)S<]8-[J$G)T3T[;%$4E"0DV$. 
M+'@Y=1@=?H=^B_YB!NBZULK'=FD,Y]QHMN@;O+']1CJF MK[P_&9,,S)O&7CD9&]$TFCT#`Q*P,/#-PO`"!(\Q>WEZG60J\,/*'%^#OH2Z ML@0;:SNY"&?T'B\JKW::H)O%=$P:HS;#+`QG8IJ(SVWHH-E;7V.^5AZV7`1Y MFRCF;5T)Q`5UI$KNEY2TCL-4NS2`H)K4AQ'03M:O!LB6IR5I!;7F4T M2B@^NIV%"\F`!@^,Q[/K)F.A]X(@M'Y``/J]R',@3?"&Y8/5K%J4]TW]6J:P MC1&FP80SG:2TH#X\WZMG#=0A253SJ)Y\](RQ6N54J#/#^`,KIJ%>=7OJA_V> M^N:;IK"9H/IHW9=%Q1NVQFCPYNWEL%411!66CB0VZ[/&%N?O_?=;+>(-V^#Q M\6'_W?F9':NF#>@J9Z>1?Z%=^F]23XN&9E/\(+I-GE,&@TC2[5!CJP)BJUFZ M>5X745UY07S+2!#2:PML36D1N&.K7W M0LN0;05+Z+_"ATA8R(47W30:1K'-IR8(M,0\VGD]'U>_![P-LY.K"ZT0,_P> MR=_>AIF[I4W73^0$:7S%:KLK<%2HZ)2#SJQRMVD,*U^6`I@+/Y;/.M-+0T%^ MLD@'1-=TR@:Q6*]"ARV+-OMA-DE(G\RRT;#&N=W,:5G.B8$&C)TT5"S^IV9] M0#E6*BR4"9L9XUNL0-^7MMXW"R&UA,6R(F">"*RJ"W$,.:M#5__@2H@\\TY M-QQKR*?>FG;M%"!+H15F"'M'"@'QV,P"#H/\1H_>^<-T[;RF)!N=6,T>[9>#;YU;BMF.@.#FLA8:BNOD MU;*"KD7 M-0.-&5T^\)5_&W+<-O]U3(AU:FO#8Q$K!TF[>&!C+",EE+B`*7^.` MG$-!LM7BX.1D/'Q__FXP.FK5CZT*87R6+$L,7R#+*(.]-K;.,1=<66Z2S"/? M-\VHC&2K8*>B,3JD*_AX6EK64VM:!>KU(+O)``C<%Q!-_H],/LQA87GD`9Y? MD)>=#$XO^N_'1^^.>6*!]3"*@AM:LXAL<,DEVJ68%PU MG5F>'^0UAU>@Y-89E6?$C*1Y-]-5NA(D/NG;U?SQSFQP>+`9KZ. 
M,\SB2"?R@`X#L)BNW2"3MC!%AM+^2[!1-?K'"K>VOHEO<5W8^55`I)IDEUL34T.&A,:VMZ,%<'BX/H M(#Y(#Y8'6["!_W@E^N79F-YR*Q>C9]=K`A)RC/'-Q4JX;9 MN&Y(+B8(L5>]#6#G&\#:/>4Z%(X%W>8F.&H3>=6SCC](WV(#7$7Y94Q[;`,/ MH2Z1P73+!KJ-)P;U(Y;R2F,#DY3';D+!951?AH1O1S:C6&O<=+.-JDN>H!UQ_47/QYFO-U*52+VIJKJ>N)^T4L\,N8:T^E#&8*:6+I223Y_AIE\SJL0V%K8>8RB/`1KXEF1XDR9I6\+(O2H<@U5;/@;I'% MTYPUR]%#S)BR]`+!X.C=4/2/WIZ3RSD=]$?,32+EFE1V%K:"RS[O3!5:*4;Q MKPSZHYH9.B:CD[;V0\0<6I#@YIF);<]L65S"!F8*@N+4U!51M0_)-S_[JBJ<3FH(H',?7:6,2D2F4MJ6 MDM=KJ];DMA/;.BS.I(483*OOBGXMD;2$#H,;<2Q#JF$ZGXJ1J8Q[2&:V3,XR M9;;B[0TH2!0/&Y<,#1EEO6`=;)^*H\S/+M2:(E:??!Z=V-B5ORZ:M!`>/T<< M00I-\>DD'\ZLUCZ:.JT'.;*P;2W7&O:E**(6&W2Q6(GOB>1J/FM'X1>ZG0+P M9K.CG0P7OG/4]']-.6G6SFVY9L@H/-\;LE/\UW0 MIS+C4"YS";;8?05+]R8QEK]F=DQM:0\K9K>9&MO*QZ5_D:\J**I:"]A++'^# M8DTUL8T%\APM->PUZDK M_;"9A(%%_WWH4UOT?.;;=:I&9MO;(0S%%744>3+YZJ M.?TE9E._4ZS:SM#>:\;N,K\\)(?,OT>4Y8\$E[+\?:`VA>_\\[-A%@1FVY)/ MYM2=?[4`MX6T]$K>\($HI8&S0$\H.\'>EF]7P?@4VX/0DP[2'U/97OS$\I$C MZCW7JDZM,J$L8E@Q5UNQMRWKM8:FIFY;50*Q*;ZS@]Q4>44)8J!FH?B]/A4S MS5DH7X7Q9=?'GK@5[FX>Z4W-!E?/&0LR55)W7S_*J+*$K2P4@]M294M#=NX=5%Z& MB]?VZB^_4RM*2^R-(+GV_`?+OI9)^,S\O)I,E%:8#',G:`L"S!$Y6Q[=D,_3 MW._7JAF>NKML&I5K=T,9"16=[5S5IKP*C0H"K-32FG(KVVY+KPKO9JZU\T!K MAJ[ZKC790O6%M@AH7DUI969KN4CG-/*IJ5`WNJ1J>EG9VM$^AP;;'YY;`9BJ ML!H.6]Y9H/!KO-F[D?5W]BJT!RU*R26S9:8LZ,A#D M<0BN38LD15'D?,4F6B7NZ05IG31H]=]OGN1PERM+CAS@4!&)+/'-X7`X0\X, M14FLF-&\54[#*L=I04T_/Z[7A`IBF]>$)PVUJDA+;:VZH@=\)@]L#3=TGX20 MB^T*Q'4"I!WND!TWQ%V,R0G`9-MR3V426Q'2&Q#K@$!#2JR5Y1 M4:5IQ"IS),"DAB8:JI1$FIN>FFHCAIJB,@W$P9)Y_]MPE+];P`H$6OGB)<@\ ML/S@+[NXR$O8#R=39Z2EBP^#+/>T&NZ1VLBQ71$J,%K7NW"`L)S/,O.L'D^^+C-%5M M3SX:G!`[AFG(4Q1ZM0OK\1V9"6(&WM_*CWB"#5B1+.3H!3$[V]M?[&5.@Y1' MC`QL8K3)H(5L#TEKNK_X;G^0WCGCOUBTE5`UO)9\/;R#\?1G;VE0;3-0;(&7 M4Y(07$01UR[)+`W1(X3Q3ZZC%ZL-;*ASJ8KD!& M2UAL"#2W$1*6,&K0,ZR.(5-/GSTGNF?C'C[Z5[?>A%4&;VI!^;J06&#`B2$X MA?I&Z0]X/O>F(/F>_*4X@&-'RYD5EV6BX[(R):XA*/]`A=>4C\M93$"6IDXM M7UWB?"H-Y3\5XED:1`A(,B?(YF5,U$J#(H&=&L8[(2G8`U:A2H`B974&:6]2 
MQ.X&T^8$_5)G+[C!]L4TRTT1--?]*EGS-GCX,1^3KZ'6=KK@Z5D,_5M5&G1: M)6L!J:H8"S)AL2AN,L31W&7H^HG#&M9!>CPI<^777`'#V`*H=6(8Q^"A/R1" MG%7[2/X.D<.;0A9#JRRNO"C&4^0FO@"^Q*GEYZ`+;&NS>?'!F7BX76EXX>&; M\G^";>..9&:KKQVS5+PBN4FKPX!T1]`.@]T`Z'@%BTHFH?A/24V@&#&39Z0$ M@Q;<]0BQP0H=3H7YAO.B@#[=G%XBRLV-7LG/;U'?O93>H$'E,5H<)==NY#+G'3ZYL/%]'(Q(@4" M8(4F[^@V%M4N`%7034\^SR>(>&-R`/(1I%?RA@:[`7G-,J0OWA6:17_QNM`@^]<$W[^5=(N++A3J MOI`T6R&^3IKUA/=FI=G(P#<08S<77$-YD[TT?!EYLUF\B.WRGB7`L!/SOI"8 MY[%BS:+&Z8*=B0[LZC^0N2Y4U$&;`L@(T3-$29:]M M/XG&UN,B+]]W&U@$=0>S%HO@,F_$(KA2C2R"C`LS`C:C*B(L7!S0;ZBTBCJK MOW;K=;Z=E+=O6_6!&\)39U$;*'87J"+,F@(@4\!:105F@;@7Q(854S?=04,U)2)J!LDH M3I;#JI5U:'=AC[YFT:JHFIFMQ==0,P0)KD/]*"NDOF$.*,=GSX%Q!V4'J5O& MM@=Y0PI!:@4?;D#D@X6 M^/C'E]$+T(ADV825A6QS^Q'V,C3\M&2OK7^XNTL[_H MIOF['-]085DIK800,%I/US&`N;6KECZ0&\@.NE&!;?/%*W2_4\TCO&<[J#7" MA@*,NM&5I="TE\*;0M)?_:X'Q1&=8QD(7@V^+4()6[\.A*ILRJ90"IFCE9`B M7DU95/&>K-K^U\`V;7F[V*:U7A>6Z#[DS)CF-L$S`AHR52K?SPN0DH&3*OYX M6Q2#`OT,H"V4>%YYEB[RC^D^,EHMXK38L,TT?PT(-#L_67H3^&O?\X8UKGLL M[XHCMQN`^C/H;7T>D`''"5-KNJN8IL@Z<')OQ!*S@58X5]<6^3.#_3+3+9EJ M-].U!C"X=>'DZW!-9&G,(_7D M>_1V^^C'Y\^?/'KU76HV*'3VPR"-E9+ MQ-IX&1D[-):/S&452.#&J,)>5(5C(.AT:AQ=_/A*T[N5:0H;OP)BE5M=[2'6 MNQ=9`W$C\A#K97O(1[$MH:'/;H:%SD6TS&1N(<-1;;Q7SJR?U7IYQ4:#JD&Z MYZ>5;_9C]M8UFQ-9M.BO>9S[K$7341C=,0/N(K7VIJ;0'0.,,V]I?Q6F-%!F MT@"C,^N0V`S8UM%Q*"WQ([.:(/N5GNF$1TD1=6@C>KQL!4!>]SB\#@LW12)6 MK9RB."C7I&_QP@2O9CJ'(4*E0F#4?U4I%H9FJA7OV5:H5[TS:\)D0TJ&81.7 M&->A:@R4*RF;9HM2)TT4"J5(5\OCA7Q+I<*Q1#;G=9"X1F>TLY:P7)-\D`+! M_P7YX$_ZPT=I0J*K)-R2[^H!%Q\$2CD?7=]A[)&=3%&T'4F+MJ/E?'0=1[9Y M:A:BW]FC&^U'LK#+.)#71V=7"#;ZVS:MO9,"MX,5CP"-QI;Z@,, MQC"1;=+\8=C77S> MM9YD;PPGEX#1$C?8$.9=T31^[10'89@^]O;2TXE/!]2=G7].R_ M9,A%^"#W<;-RGGI'R.*KMB/1ZLZ7?>,1A19_?^\#6S4L*I6CA?Y@?A?RD]VD M@CVE*K>J\G`K@+N7+:L+\M4\GRQ8A3U/?WCXR.VX\,]XT_!D\N MJ+;?;]\^UP,$Z@Z0D+.S].3TZFQ(5Y[&\QU\=V`IRQHMK=-*T,*_#P]"VBAC M/?HF.EC@/:@XU`AY*G*>IMR&6OXX-B=H:JM@BGZ]HNC];^RHA2QB#EZ>U_`? MCP^)1![=$?6HOKA^24#E<=+?-;K./0/N=([KJCAA8=,7VG^.V=. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message

From owner-freebsd-security Sat Aug 8 16:26:26 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA07296 for freebsd-security-outgoing; Sat, 8 Aug 1998 16:26:26 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell6.ba.best.com (shell6.ba.best.com [206.184.139.137]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA07291 for ; Sat, 8 Aug 1998 16:26:24 -0700 (PDT) (envelope-from jkb@best.com)
Received: from localhost (jkb@localhost) by shell6.ba.best.com (8.9.0/8.9.0/best.sh) with SMTP id QAA03799; Sat, 8 Aug 1998 16:26:04 -0700 (PDT)
X-Authentication-Warning: shell6.ba.best.com: jkb owned process doing -bs
Date: Sat, 8 Aug 1998 16:26:04 -0700 (PDT)
From: "Jan B. Koum"
X-Sender: jkb@shell6.ba.best.com
To: john
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Network Watcher Program
In-Reply-To: <199808082045.PAA26643@leonardo.cascss.unt.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks for making a port. Why don't you turn it into a FreeBSD package and submit it?

Speaking of network watcher programs: I am pretty happy with NFR (www.nfr.net) myself. They do have a FreeBSD version also. Then again, I am biased. *grin*

-- Yan

Jan Koum www.best.com/~jkb jkb@best.com | "Turn up the lights; I don't want
www.FreeBSD.org -- The Power to Serve   | to go home in the dark."
"Write longer sentences - they are paying us a lot of money"

On Sat, 8 Aug 1998, john wrote:

>The program looks for certain attacks against hosts and possible
>port scans. It's originally from http://www.rootshell.com
>I ported the packet capturing part to use libpcap and also
>added a configuration file to make the program more versatile.
>----------------------------------------------
>John Booth
>Computer Support Specialist
>Arts & Sciences Computing Services
>University of North Texas
>phone: (940)565-4498, campus extension 4498
>Internet: john@unt.edu
>GroupWise: cas.po7.john
>
>Feel free to modify/use/and or distribute this.
>Included in the uuencoded file are a source file and a makefile.
>
>begin 644 netwatcher.tgz
[snip]
>end
>

From owner-freebsd-security Sat Aug 8 20:25:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA03607 for freebsd-security-outgoing; Sat, 8 Aug 1998 20:25:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from mail.camalott.com ([208.203.140.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA03588; Sat, 8 Aug 1998 20:25:00 -0700 (PDT) (envelope-from joelh@gnu.org)
Received: from detlev.UUCP (tex-97.camalott.com [208.229.74.97]) by mail.camalott.com (8.8.7/8.8.5) with ESMTP id WAA29974; Sat, 8 Aug 1998 22:25:29 -0500
Received: (from joelh@localhost) by detlev.UUCP (8.8.8/8.8.8) id WAA18897; Sat, 8 Aug 1998 22:24:04 -0500 (CDT) (envelope-from joelh)
Date: Sat, 8 Aug 1998 22:24:04 -0500 (CDT)
Message-Id: <199808090324.WAA18897@detlev.UUCP>
To: brett@lariat.org
CC: dima@best.net, dg@root.com, roberto@keltia.freenix.fr, FreeBSD-security@FreeBSD.ORG, hackers@FreeBSD.ORG
In-reply-to: <199808080641.AAA16434@lariat.lariat.org> (message from Brett Glass on Sat, 08 Aug 1998 00:40:49 -0600)
Subject: Re: Does this mean we have another breakin?
From: Joel Ray Holveck
Reply-to: joelh@gnu.org
References: <199808080135.SAA00798@implode.root.com> <199808080641.AAA16434@lariat.lariat.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>> We usually get this bug once in two weeks. But since file by itself
>> stays the same and machine doesn't crash, fixing/finding the problem
>> wasn't in our TODO list.

> The MD5 of the file stayed the same, and diff reveals no change.
> But we can't turn off the alarm that's triggered by the date change in
> /usr/sbin without potentially missing breakins, so our two new admins
> are constantly getting scary messages.

grep out what you're ignoring?

Happy hacking,
joelh

--
Joel Ray Holveck - joelh@gnu.org - http://www.wp.com/piquan
Fourth law of programming: Anything that can go wrong wi
sendmail: segmentation violation - core dumped

From owner-freebsd-security Sat Aug 8 22:10:43 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA11560 for freebsd-security-outgoing; Sat, 8 Aug 1998 22:10:43 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from icarus.idirect.com (icarus.idirect.com [207.136.80.7]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA11555 for ; Sat, 8 Aug 1998 22:10:42 -0700 (PDT) (envelope-from tetragon@idirect.com)
Received: from terminus.idirect.com (terminus.idirect.com [207.136.80.70]) by icarus.idirect.com (8.9.1/8.9.1) with ESMTP id BAA08658 for ; Sun, 9 Aug 1998 01:10:23 -0400 (EDT)
Received: from ns.idirect.com (ts6-20t-12.idirect.com [209.161.224.108]) by terminus.idirect.com (8.9.1/8.9.0) with SMTP id BAA29980 for ; Sun, 9 Aug 1998 01:10:27 -0400 (EDT)
Message-ID: <0cc701bdc354$19dfabc0$6ce0a1d1@ns.idirect.com>
From: "tetragon"
To:
Date: Sun, 9 Aug 1998 01:10:59 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0CC4_01BDC332.916D9160"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3115.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.
Graham Mc Lorn
Tetragon Distributors Inc.
Police & Security Equipment
http://www.tetragon.ca
http://www.tetragon.ca/simunition.html
http://www.tetragon.ca/ult_protection.html
From owner-freebsd-security Sat Aug 8 22:34:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA13264 for freebsd-security-outgoing; Sat, 8 Aug 1998 22:34:33 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from adelphi.physics.adelaide.edu.au (adelphi.physics.adelaide.edu.au [129.127.36.247]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA13240 for ; Sat, 8 Aug 1998 22:34:21 -0700 (PDT) (envelope-from kkennawa@physics.adelaide.edu.au)
Received: from bragg (bragg [129.127.36.34]) by adelphi.physics.adelaide.edu.au (8.8.8/8.8.8/UofA-1.5) with SMTP id PAA17316 for ; Sun, 9 Aug 1998 15:03:59 +0930 (CST)
Received: by bragg; (5.65/1.1.8.2/05Aug95-0227PM) id AA05401; Sun, 9 Aug 1998 15:03:59 +0930
Date: Sun, 9 Aug 1998 15:03:59 +0930 (CST)
From: Kris Kennaway
X-Sender: kkennawa@bragg
To: security@FreeBSD.ORG
Subject: Capturing IPFW denied packets
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've recently set up an ipfw firewall on my dialup box here, and have noticed some strange-looking packets coming back at me (and bouncing off a filter entry) when I've surfed some particular websites. One sent back a whole bunch of packets to the identd port when I just browsed a non-interactive document on their website, and another had their DNS try and contact mine, plus another dodgy-looking packet:

ipfw: 1200 Deny TCP 203.63.152.26:30284 203.20.69.71:113 in via tun0
ipfw: 1200 Deny TCP 203.63.152.26:30284 203.20.69.71:113 in via tun0
...
(19 of these)
ipfw: 2200 Deny TCP 209.67.27.71:53 203.20.69.71:53 in via tun0
ipfw: 2200 Deny TCP 209.67.27.71:7777 203.20.69.71:2044 in via tun0

Now, these may well be nothing to worry about, but I'm interested to know what the unsolicited packets have to say for themselves. Is there any way I can set things up to log the contents of the packets which fail the ipfw filter? Can anyone think of legitimate reasons these sites might want to know my identity or information about my DNS, other than trying to harvest addresses for spammers?

Kris

From owner-freebsd-security Sat Aug 8 23:39:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA16797 for freebsd-security-outgoing; Sat, 8 Aug 1998 23:39:23 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (aniwa.actrix.gen.nz [203.96.56.186]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA16792 for ; Sat, 8 Aug 1998 23:39:20 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id SAA13231; Sun, 9 Aug 1998 18:37:34 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Sun, 9 Aug 1998 18:37:34 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Kris Kennaway
cc: security@FreeBSD.ORG
Subject: Re: Capturing IPFW denied packets
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, 9 Aug 1998, Kris Kennaway wrote:

> Is there any way I can set things up to log the contents of the packets
> which fail the ipfw filter? Can anyone think of legitimate reasons these
> sites might want to know my identity or information about my DNS, other
> than trying to harvest addresses for spammers?
It's often useful to have the names of connecting hosts in your httpd logs. Recent versions of Apache don't do these lookups by default, but a fair proportion of servers do, probably most of them. Some servers may be configured to verify that the A record and the PTR record agree, since otherwise a bogus PTR record could be used to spoof where a connection is made from.

It may be that the site uses ident info for valid reasons with local users, and that calling your identd is a side effect of this setup. I'm not sure why someone would use ident, but I guess since it made it into the standard http log format there must be a few people out there who think it's useful.

Andrew McNaughton

From owner-freebsd-security Sat Aug 8 23:41:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id XAA17005 for freebsd-security-outgoing; Sat, 8 Aug 1998 23:41:25 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id XAA17000 for ; Sat, 8 Aug 1998 23:41:23 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id GAA10462; Sun, 9 Aug 1998 06:40:56 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id IAA08461; Sun, 9 Aug 1998 08:40:55 +0200 (MET DST)
Message-ID: <19980809084055.46112@follo.net>
Date: Sun, 9 Aug 1998 08:40:55 +0200
From: Eivind Eklund
To: Kris Kennaway, security@FreeBSD.ORG
Subject: Re: Capturing IPFW denied packets
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89.1i
In-Reply-To: ; from Kris Kennaway on Sun, Aug 09, 1998 at 03:03:59PM +0930
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sun, Aug 09, 1998 at 03:03:59PM +0930, Kris Kennaway wrote:
> Is there any way I can set things up to log the contents of the packets
> which fail the ipfw filter?

By using a divert socket instead of a deny rule, probably. You might need some extra skipto rules to be able to make this work.

> Can anyone think of legitimate reasons these sites might want to know my
> identity or information about my DNS, other than trying to harvest
> addresses for spammers?

For the DNS, I can see the wish to log with verified DNS - it is used to check against anybody that might attempt to attack their computer, and showing a spoofed/changed DNS can be fairly helpful.

I can see no reason for identd. Use whois to find out who the guy that owns the web-site is, and call him on the phone and ask.

Eivind.
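Eivind's divert-socket suggestion, written out as an added example that is not part of the thread: a small C reader that binds a FreeBSD divert socket (the divert port 2000 and the ipfw rule in the comment are assumed, not from the thread), parses each packet ipfw hands to it, and logs an ipfw-style summary plus the first payload bytes. The header parser is portable and is checked against a packet constructed to look like the port-113 entries in Kris's log.

```c
/* Added example, not from the thread: log packets that ipfw diverts rather
 * than denies (assumed rule: ipfw add 1200 divert 2000 tcp from any to any
 * 113 in via tun0). They are never reinjected here, so they stay dropped. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct pkt_summary {
    char src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    uint16_t sport, dport; uint8_t proto; size_t payload_off, total_len;
};
/* Byte-wise IPv4 + TCP/UDP parse (no alignment or byte-order assumptions); -1 on bad input. */
int summarize_packet(const unsigned char *p, size_t len, struct pkt_summary *s)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4, hdr = 0;
    s->total_len = ((size_t)p[2] << 8) | p[3];    /* IP total length field */
    if (ihl < 20 || s->total_len > len || s->total_len < ihl) return -1;
    inet_ntop(AF_INET, p + 12, s->src, sizeof s->src);
    inet_ntop(AF_INET, p + 16, s->dst, sizeof s->dst);
    s->proto = p[9]; s->sport = s->dport = 0;
    if (s->proto == IPPROTO_UDP) hdr = 8;
    else if (s->proto == IPPROTO_TCP) {           /* data offset: at least 5 words */
        if (s->total_len < ihl + 20 || (hdr = (p[ihl + 12] >> 4) * 4u) < 20) return -1;
    }
    if (s->total_len < ihl + hdr) return -1;      /* transport header truncated */
    if (hdr) s->sport = (uint16_t)(p[ihl] << 8 | p[ihl + 1]),
             s->dport = (uint16_t)(p[ihl + 2] << 8 | p[ihl + 3]);
    s->payload_off = ihl + hdr;
    return 0;
}
/* ipfw-style one-liner followed by the first payload bytes in hex. */
void log_packet(const struct pkt_summary *s, const unsigned char *p)
{
    size_t n = s->total_len - s->payload_off, i;
    printf("divert: proto %u %s:%u -> %s:%u, %zu payload bytes:", s->proto,
           s->src, s->sport, s->dst, s->dport, n);
    for (i = 0; i < n && i < 32; i++) printf(" %02x", p[s->payload_off + i]);
    putchar('\n');
}
int main(void)
{
#ifdef IPPROTO_DIVERT   /* FreeBSD only: bind the rule's divert port (as root) */
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(2000) };
    unsigned char buf[65535]; struct pkt_summary s; ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) return perror("divert"), 1;
    while ((n = recv(fd, buf, sizeof buf, 0)) > 0)
        if (summarize_packet(buf, (size_t)n, &s) == 0) log_packet(&s, buf);
#endif
    return 0;
}
```

On systems without divert sockets the program compiles but main does nothing; the parser can still be exercised on a captured packet buffer.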