From owner-freebsd-security Sun Sep 23 0: 2:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from courier.netrail.net (courier.netrail.net [205.215.10.53]) by hub.freebsd.org (Postfix) with ESMTP id 2071337B417 for ; Sun, 23 Sep 2001 00:02:32 -0700 (PDT) Received: by courier.netrail.net (Postfix, from userid 5408) id D70B4E3; Sun, 23 Sep 2001 03:02:31 -0400 (EDT) Date: Sun, 23 Sep 2001 03:02:31 -0400 From: "Christian S ." To: freebsd-security@freebsd.org Message-ID: <20010923030231.A88974@netrail.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org unsubscribe -- Christian Schreiber, Netrail Network Security Engineer -- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 1:36:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 2961437B422 for ; Sun, 23 Sep 2001 01:36:48 -0700 (PDT) Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id f8N8akT06366; Sun, 23 Sep 2001 02:36:47 -0600 (MDT) From: David G Andersen Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id f8N8akx29012; Sun, 23 Sep 2001 02:36:46 -0600 (MDT) Message-Id: <200109230836.f8N8akx29012@faith.cs.utah.edu> Subject: Re: New worm protection To: chris@JEAH.net (Chris Byrnes) Date: Sun, 23 Sep 2001 02:36:46 -0600 (MDT) Cc: security@FreeBSD.ORG In-Reply-To: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> from "Chris Byrnes" at Sep 20, 2001 09:07:18 AM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Lo and behold, Chris Byrnes once said: > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > help with this new worm? Someone already pointed out disabling logging on your webserver. He also suggested a Tarpit-like approach. I like the following simple script, which is what I run on my webservers. mkdir DOCROOT/scripts # Cover the two alternate bits as well ln -s DOCROOT/scripts DOCROOT/_mem_bin ln -s DOCROOT/scripts DOCROOT/_vti_bin cat > DOCROOT/scripts/.htaccess ErrorDocument 404 /scripts/nph-foo.cgi cat > DOCROOT/scripts/nph-foo.cgi #!/usr/bin/perl sleep(5); exit(0); NIMDA doesn't hang out for very long waiting for a response to the script headers, so a labrea-tarpit like approach won't actually be particularly effective. The sleep(5) will slow it down a little bit, and the exit(0) will make it return with no data sent back, not even a 404. Which will help a bit on the outbound bandwidth, but, of course won't help on the inbound. Others have posted scripts to NANOG (see http://www.nanog.org/ and check the archive) that will automatically trigger ipfw / ipchains additions, but, as always, be particularly careful with those. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 3: 3:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by hub.freebsd.org (Postfix) with ESMTP id 2204C37B419 for ; Sun, 23 Sep 2001 03:03:41 -0700 (PDT) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by portal.eltex.ru (8.11.3/8.11.3) with SMTP id f8NA3kG89344; Sun, 23 Sep 2001 14:03:46 +0400 (MSD) (envelope-from ark@eltex.ru) Received: by yaksha.eltex.ru (ssmtp TIS-0.6alpha, 19 Jan 2000); Sun, 23 Sep 2001 13:58:02 +0400 Received: from undisclosed-intranet-sender id smtpdy27341; Sun Sep 23 13:57:56 2001 From: ark@eltex.ru Message-Id: <200109230958.NAA29845@paranoid.eltex.ru> Subject: Re: New worm protection To: danderse@cs.utah.edu (David G Andersen) Date: Sun, 23 Sep 2001 13:58:05 +0400 (MSD) Cc: chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG Reply-To: ark@eltex.ru In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu> from "David G Andersen" at Sep 23, 2001 02:36:46 AM X-Mailer: ELM [version 2.5 PL3] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org nuqneH, Is there a way to send a command to worm to shut it (or just a machine) down? I remember Code Red installed some kind of backdoor that allowed remote control without trying the whole bunch of exploits, does NIMDA have such a 'feature'? YOU (David G Andersen) WROTE: > > NIMDA doesn't hang out for very long waiting for a response > to the script headers, so a labrea-tarpit like approach won't > actually be particularly effective. The sleep(5) will slow > it down a little bit, and the exit(0) will make it > return with no data sent back, not even a 404. Which > will help a bit on the outbound bandwidth, but, of course > won't help on the inbound. Others have posted scripts to > NANOG (see http://www.nanog.org/ and check the archive) > that will automatically trigger ipfw / ipchains additions, > but, as always, be particularly careful with those. -- _ _ _ _ _ _ _ {::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_ (##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_| [||] [||] [||] Do i believe in Bible? Hell,man,i've seen one! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 4:39:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from r220-1.rz.RWTH-Aachen.DE (r220-1.rz.RWTH-Aachen.DE [134.130.3.31]) by hub.freebsd.org (Postfix) with ESMTP id 9A45937B409; Sun, 23 Sep 2001 04:38:58 -0700 (PDT) Received: from r220-1.rz.RWTH-Aachen.DE (relay2.RWTH-Aachen.DE [134.130.3.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3-2) with ESMTP id f8NBcwY18406; Sun, 23 Sep 2001 13:38:58 +0200 (MEST) Received: from kawoserv.kawo2.rwth-aachen.de (root@kawoserv.kawo2.RWTH-Aachen.DE [134.130.180.1]) by r220-1.rz.RWTH-Aachen.DE (8.10.1/8.11.3/6) with ESMTP id f8NBcvc18400; Sun, 23 Sep 2001 13:38:57 +0200 (MEST) Received: from fump.kawo2.rwth-aachen.de (root@fump.kawo2.rwth-aachen.de [134.130.181.148]) by kawoserv.kawo2.rwth-aachen.de (8.9.3/8.9.3) with ESMTP id NAA11978; Sun, 23 Sep 2001 13:38:55 +0200 Received: (from alex@localhost) by fump.kawo2.rwth-aachen.de (8.11.3/8.11.3) id f8NBd0Z10616; Sun, 23 Sep 2001 13:39:00 +0200 (CEST) (envelope-from alex) Date: Sun, 23 Sep 2001 13:38:59 +0200 From: Alexander Langer To: Jordan Hubbard Cc: ache@nagual.pp.ru, security@FreeBSD.org, rwatson@FreeBSD.org, current@FreeBSD.org, developers@FreeBSD.org Subject: Re: ~/.login_conf disabling exact reasons wanted Message-ID: <20010923133859.A10592@fump.kawo2.rwth-aachen.de> Mail-Followup-To: Alexander Langer , Jordan Hubbard , ache@nagual.pp.ru, security@FreeBSD.org, rwatson@FreeBSD.org, current@FreeBSD.org, developers@FreeBSD.org References: <20010922141217.B7524@fump.kawo2.rwth-aachen.de> <20010922164448.A83816@nagual.pp.ru> <20010922151107.C7524@fump.kawo2.rwth-aachen.de> <20010922120739E.jkh@freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010922120739E.jkh@freebsd.org>; from jkh@FreeBSD.org on Sat, Sep 22, 2001 at 12:07:39PM -0700 X-PGP-Fingerprint: 44 28 CA 4C 46 5B D3 A8 A8 E3 BA F3 4E 60 7D 7F X-PGP-at: finger alex@big.endian.de X-Verwirrung: Dieser Header dient der allgemeinen Verwirrung. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thus spake Jordan Hubbard (jkh@FreeBSD.org): > The bug doesn't exist in 4.4 either. It was fixed prior to release. > Doesn't anyone read commit mail anymore?! :-( Yes, I do, but FreeBSD was 4.4 even before it was fixed. OTOH, the report on bugtraq also mentions, that 4.4-RELEASE isn't affected. Alex To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 5: 7:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from nyc.rr.com (nycsmtp3fa.rdc-nyc.rr.com [24.29.99.79]) by hub.freebsd.org (Postfix) with ESMTP id 6F10D37B432 for ; Sun, 23 Sep 2001 05:07:29 -0700 (PDT) Received: from equinox ([24.168.44.136]) by nyc.rr.com with Microsoft SMTPSVC(5.5.1877.357.35); Sun, 23 Sep 2001 08:07:28 -0400 Message-ID: <01f601c14428$63637e90$9865fea9@equinox> From: "Jonathan M. Slivko" To: "Chris Byrnes" , References: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> Subject: Re: New worm protection Date: Sun, 23 Sep 2001 08:07:59 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The best kind of protection I can offer is to write a script that will scan the apache logs and use ipfw to ban whole class C's that generate a 404. That may be a little extreme, but it works. I will try and get a copy of the code to you later. -- Jonathan ----- Original Message ----- From: "Chris Byrnes" To: Sent: Thursday, September 20, 2001 10:07 AM Subject: New worm protection > Has anyone written an easy-to-use ipfw rule or some kind of script that will > help with this new worm? > > I have restricted Apache to just listen to my main two web IPs instead of > all of the IPs (I have > hundreds of domains and each of them previously had its own IP for different > reasons), and > that's cut down the bandwidth use in half, but I'm still about double what > my daily normal bandwidth > usage is. > > Frustration is high, and money issues are going to surface soon. Any help > would be appreciated. > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 5:14:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 45B3637B417; Sun, 23 Sep 2001 05:14:04 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f8NCE1U00543; Sun, 23 Sep 2001 16:14:02 +0400 (MSD) (envelope-from ache) Date: Sun, 23 Sep 2001 16:13:57 +0400 From: "Andrey A. Chernov" To: Robert Watson Cc: security@FreeBSD.ORG, current@FreeBSD.ORG, developers@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted) Message-ID: <20010923161354.A426@nagual.pp.ru> References: <20010922151116.A82718@nagual.pp.ru> <20010922224243.A88511@nagual.pp.ru> <20010922225821.A88800@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010922225821.A88800@nagual.pp.ru> User-Agent: Mutt/1.3.21i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote: > I'll work on the proper fix tomorrow. Planned for commit. Please, review and/or comment. --- login_cap.c.old Sun Sep 23 16:09:04 2001 +++ login_cap.c Sun Sep 23 16:06:19 2001 @@ -184,18 +184,17 @@ login_cap_t *lc; if ((lc = malloc(sizeof(login_cap_t))) != NULL) { - int r, i = 0; + int r, me, i = 0; uid_t euid = 0; gid_t egid = 0; const char *msg = NULL; - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; + const char *dir; char userpath[MAXPATHLEN]; static char *login_dbarray[] = { NULL, NULL, NULL }; -#ifndef _FILE_LOGIN_CONF_WORKS - dir = NULL; -#endif + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; /* * Switch to user mode before checking/reading its ~/.login_conf * - some NFSes have root read access disabled. @@ -215,7 +214,7 @@ if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) i++; /* only use 'secure' data */ } - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) login_dbarray[i++] = _PATH_LOGIN_CONF; login_dbarray[i] = NULL; @@ -227,7 +226,7 @@ switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { case -1: /* Failed, entry does not exist */ - if (strcmp(name, LOGIN_MECLASS) == 0) + if (me) break; /* Don't retry default on 'me' */ if (i == 0) r = -1; -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 6: 9:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id 19B9E37B40B for ; Sun, 23 Sep 2001 06:09:15 -0700 (PDT) Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id GAA20291 for ; Sun, 23 Sep 2001 06:09:08 -0700 (PDT) (envelope-from greg@bogslab.ucdavis.edu) Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id f8ND72A10817 for ; Sun, 23 Sep 2001 06:07:03 -0700 (PDT) (envelope-from greg@thistle.bogs.org) Message-Id: <200109231307.f8ND72A10817@thistle.bogs.org> To: security@FreeBSD.ORG X-To: David G Andersen X-Sender: owner-freebsd-security@FreeBSD.ORG Subject: Re: New worm protection In-reply-to: Your message of "Sun, 23 Sep 2001 02:36:46 MDT." <200109230836.f8N8akx29012@faith.cs.utah.edu> Reply-To: gkshenaut@ucdavis.edu Date: Sun, 23 Sep 2001 06:07:01 -0700 From: Greg Shenaut Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede: >I like the following >simple script, which is what I run on my webservers. > [script using a sleep(5) for delay purposes] > >NIMDA doesn't hang out for very long waiting for a response >to the script headers, so a labrea-tarpit like approach won't >actually be particularly effective. The sleep(5) will slow >it down a little bit, and the exit(0) will make it >return with no data sent back, not even a 404. Which >will help a bit on the outbound bandwidth, but, of course >won't help on the inbound. Others have posted scripts to >NANOG (see http://www.nanog.org/ and check the archive) >that will automatically trigger ipfw / ipchains additions, >but, as always, be particularly careful with those. What would be the effect of having the web server ignore (as in, make no response at all to) *any* attempt to GET a nonexistent file? It seems to me that this would delay things maximally for the attacker with the least effort at the server end. But I am concerned about the effect on innocent mistypers and web crawling search engines (but not too concerned, frankly). Greg Shenaut To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 6:11:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from nagual.pp.ru (pobrecita.freebsd.ru [194.87.13.42]) by hub.freebsd.org (Postfix) with ESMTP id 8339337B42A; Sun, 23 Sep 2001 06:11:02 -0700 (PDT) Received: (from ache@localhost) by nagual.pp.ru (8.11.6/8.11.6) id f8NDB1m01518; Sun, 23 Sep 2001 17:11:01 +0400 (MSD) (envelope-from ache) Date: Sun, 23 Sep 2001 17:11:00 +0400 From: "Andrey A. Chernov" To: Robert Watson Cc: security@FreeBSD.ORG, current@FreeBSD.ORG, developers@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: ~/.login_conf disabling exact reasons wanted Message-ID: <20010923171100.B1253@nagual.pp.ru> References: <20010922151116.A82718@nagual.pp.ru> <20010922224243.A88511@nagual.pp.ru> <20010922225821.A88800@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010922225821.A88800@nagual.pp.ru> User-Agent: Mutt/1.3.21i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote: > > Sorry for all that buzz, I am finally able to reproduce it on -current. > Details: there is no security hole under -current, just broken functionality. You can specify copyright=/etc/passwd with passwd output (it is broken functionality), but specifying copyright=/etc/master.passwd outputs nothing. See my patch posted today fixing this. -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 8: 0:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from pkl.net (spoon.pkl.net [212.111.57.14]) by hub.freebsd.org (Postfix) with ESMTP id E310237B409 for ; Sun, 23 Sep 2001 08:00:40 -0700 (PDT) Received: from localhost (rik@localhost) by pkl.net (8.9.3/8.9.3) with ESMTP id QAA00998 for ; Sun, 23 Sep 2001 16:00:40 +0100 Date: Sun, 23 Sep 2001 16:00:40 +0100 (BST) From: freebsd-security@rikrose.net X-Sender: rik@pkl.net To: security@FreeBSD.ORG Subject: Re: New worm protection In-Reply-To: <200109230958.NAA29845@paranoid.eltex.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 23 Sep 2001 ark@eltex.ru wrote: > Is there a way to send a command to worm to shut it (or just a machine) down? > I remember Code Red installed some kind of backdoor that allowed remote control > without trying the whole bunch of exploits, does NIMDA have such a 'feature'? Allegedly, yes, it installs a passwordless admin account. There is information "out there", aparently, although, I haven't been bothered to look it up, so I may be wrong. -- PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F Public key also encoded with outguess on http://rikrose.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 9:25:28 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts9-srv.bellnexxia.net (tomts9.bellnexxia.net [209.226.175.53]) by hub.freebsd.org (Postfix) with ESMTP id B12AC37B40B for ; Sun, 23 Sep 2001 09:25:25 -0700 (PDT) Received: from unios.dhs.org ([209.226.99.101]) by tomts9-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010923162519.OBGZ1679.tomts9-srv.bellnexxia.net@unios.dhs.org> for ; Sun, 23 Sep 2001 12:25:19 -0400 Message-ID: <3BAE0D83.41ACBF7B@unios.dhs.org> Date: Sun, 23 Sep 2001 12:27:47 -0400 From: Pat Wendorf X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: security@freebsd.org Subject: Identify this exploit Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf option. Many of which, for the past few months has been connection attempts to TCP port 2000, as seen here: > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 I'm not much up on my exploits, which one is this? -- Pat Wendorf To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 9:30:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 74C2B37B419 for ; Sun, 23 Sep 2001 09:30:14 -0700 (PDT) Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (Postfix) with ESMTP id 437F9D15BB; Sun, 23 Sep 2001 11:30:13 -0500 (CDT) Message-Id: <5.1.0.14.0.20010923112848.0237d488@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sun, 23 Sep 2001 11:30:12 -0500 To: Pat Wendorf , security@freebsd.org From: Christopher Schulte Subject: Re: Identify this exploit In-Reply-To: <3BAE0D83.41ACBF7B@unios.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:27 PM 9/23/2001 -0400, Pat Wendorf wrote: >I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf >option. Many of which, for the past few months has been connection >attempts to TCP port 2000, as seen here: > > > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 > >I'm not much up on my exploits, which one is this? Could be trying to exploit a wind0wz trojan exploit: from http://www.sans.org/newlook/resources/IDFAQ/oddports.htm port 2000 Der Sp=E4her / Der Spaeher, Insane Network >-- > >Pat Wendorf -- Christopher Schulte christopher@schulte.org http://noc.schulte.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 9:32:32 2001 Delivered-To: freebsd-security@freebsd.org Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id 5FA6437B416 for ; Sun, 23 Sep 2001 09:32:29 -0700 (PDT) Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id JAA20916 for ; Sun, 23 Sep 2001 09:32:27 -0700 (PDT) (envelope-from greg@bogslab.ucdavis.edu) Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id f8NGUMA11199 for ; Sun, 23 Sep 2001 09:30:24 -0700 (PDT) (envelope-from greg@thistle.bogs.org) Message-Id: <200109231630.f8NGUMA11199@thistle.bogs.org> To: security@FreeBSD.ORG X-To: Pat Wendorf X-Sender: owner-freebsd-security@FreeBSD.ORG Subject: Re: Identify this exploit In-reply-to: Your message of "Sun, 23 Sep 2001 12:27:47 EDT." <3BAE0D83.41ACBF7B@unios.dhs.org> Reply-To: gkshenaut@ucdavis.edu Date: Sun, 23 Sep 2001 09:30:22 -0700 From: Greg Shenaut Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <3BAE0D83.41ACBF7B@unios.dhs.org>, Pat Wendorf cleopede: >I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf >option. Many of which, for the past few months has been connection >attempts to TCP port 2000, as seen here: > >> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 > >I'm not much up on my exploits, which one is this? In my /etc/services file, port 2000 is something known as "callbook", but I don't know what that is. Greg Shenaut To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 9:57:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 80D2937B430 for ; Sun, 23 Sep 2001 09:57:09 -0700 (PDT) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id CAA10601; Mon, 24 Sep 2001 02:56:40 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Mon, 24 Sep 2001 02:56:40 +1000 (EST) From: Ian Smith To: David G Andersen Cc: Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Chris Byrnes once said: > > > > Has anyone written an easy-to-use ipfw rule or some kind of script > > that will help with this new worm? > > Someone already pointed out disabling logging on your webserver. Not an option here, but it's the large number of entries in *-error.log that I'd like to be rid of. *-access.log I can just grep out before log analysis, if not exclude in the analyser config. > He also suggested a Tarpit-like approach. I like the following > simple script, which is what I run on my webservers. > > mkdir DOCROOT/scripts > # Cover the two alternate bits as well > ln -s DOCROOT/scripts DOCROOT/_mem_bin > ln -s DOCROOT/scripts DOCROOT/_vti_bin > > cat > DOCROOT/scripts/.htaccess > ErrorDocument 404 /scripts/nph-foo.cgi > > > cat > DOCROOT/scripts/nph-foo.cgi > #!/usr/bin/perl > sleep(5); > exit(0); > Cute. Will play. However there are other directories too; dumping ANY request containing cmd.exe or root.exe would do it best here. > NIMDA doesn't hang out for very long waiting for a response > to the script headers, so a labrea-tarpit like approach won't > actually be particularly effective. The sleep(5) will slow > it down a little bit, and the exit(0) will make it > return with no data sent back, not even a 404. Which But does *error.log still get hit? I dealt with /default.ida by giving 'em a one-line one, which at least meant no error logging while reducing response traffic by two thirds, but poring through apache docs - which I must be too thick to find easy reading, looking for some way to provide some short but valid response to such a range of URLs, I've not yet been able to nut out. Any suggestions? > will help a bit on the outbound bandwidth, but, of course > won't help on the inbound. Others have posted scripts to > NANOG (see http://www.nanog.org/ and check the archive) > that will automatically trigger ipfw / ipchains additions, > but, as always, be particularly careful with those. Will have a look at these, however carpet bombing whole /24s for the not even deliberate misdeeds of a few (ok, plenty of) unpatched m$junk seems rather an overreaction <&^}= The other thing here (ie in 203/8) is the large number of unsuccessful DNS requests for reverse mapping of particularly North Asian addresses, often ending with Server Failures and such - but I guess misconfigured DNS is no more surprising than zillions of compromised webservers .. I'd love to find some way of pre-filtering these NIMDA requests and just dropping them on the floor before apache even considered DNS lookups (?) Ian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10: 3:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id A685637B40A for ; Sun, 23 Sep 2001 10:03:25 -0700 (PDT) Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id f8NH3OT23311; Sun, 23 Sep 2001 11:03:24 -0600 (MDT) From: David G Andersen Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id f8NH3NK24837; Sun, 23 Sep 2001 11:03:23 -0600 (MDT) Message-Id: <200109231703.f8NH3NK24837@faith.cs.utah.edu> Subject: Re: New worm protection To: smithi@nimnet.asn.au (Ian Smith) Date: Sun, 23 Sep 2001 11:03:23 -0600 (MDT) Cc: danderse@cs.utah.edu (David G Andersen), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG In-Reply-To: from "Ian Smith" at Sep 24, 2001 02:56:40 AM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Lo and behold, Ian Smith once said: > > Not an option here, but it's the large number of entries in *-error.log > that I'd like to be rid of. *-access.log I can just grep out before log > analysis, if not exclude in the analyser config. Disable error logging? :) > Cute. Will play. However there are other directories too; dumping > ANY request containing cmd.exe or root.exe would do it best here. Use mod_rewrite to redirect all accesses to that script. RewriteEngine on RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi (I haven't tested this syntax. Test it first. :) > But does *error.log still get hit? I dealt with /default.ida by giving > 'em a one-line one, which at least meant no error logging while reducing > response traffic by two thirds, but poring through apache docs - which I > must be too thick to find easy reading, looking for some way to provide > some short but valid response to such a range of URLs, I've not yet been > able to nut out. Any suggestions? The rewriting I specified above will do what you want. It maps it to a valid script request. It'll show up in *access_log. > I'd love to find some way of pre-filtering these NIMDA requests and just > dropping them on the floor before apache even considered DNS lookups (?) I'm vaguely surprised you have reverse DNS resolution enabled. You could make life a lot easier on yourself by switching to post-resolution for a while, and do the DNS lookup _after_ filtering out the bogus requests. -Dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10: 3:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 8B6F537B41D for ; Sun, 23 Sep 2001 10:03:34 -0700 (PDT) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8NFxOb41401; Sun, 23 Sep 2001 08:59:24 -0700 (PDT) Date: Sun, 23 Sep 2001 08:59:24 -0700 (PDT) From: David Kirchner X-X-Sender: To: Ian Smith Cc: David G Andersen , Chris Byrnes , Subject: Re: New worm protection In-Reply-To: Message-ID: <20010923085802.C85958-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Sep 2001, Ian Smith wrote: > Not an option here, but it's the large number of entries in *-error.log > that I'd like to be rid of. *-access.log I can just grep out before log > analysis, if not exclude in the analyser config. The method that was mentioned would also work for ErrorLog: ErrorLog "|grep -v cmd.exe > /normal/error_log/location" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10:17:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from virtual-voodoo.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id CE57137B40E for ; Sun, 23 Sep 2001 10:17:40 -0700 (PDT) Received: (from steve@localhost) by virtual-voodoo.com (8.11.6/8.11.5) id f8NHHWh34820; Sun, 23 Sep 2001 12:17:32 -0500 (EST) (envelope-from steve) Date: Sun, 23 Sep 2001 12:17:32 -0500 From: Steve Ames To: Chris BeHanna Cc: Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923121732.B56611@virtual-voodoo.com> References: <006701c141dd$8f185940$24f2fa18@mdsn1.wi.home.com> <20010923014113.P45913-100000@topperwein.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20010923014113.P45913-100000@topperwein.dyndns.org> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org One simple shell script and you can automatically add offendors to your ipfw ruleset. Won't stop the initial probe but will stop repeat performances. I use the following run out of cron every minute: #!/bin/sh cd /root grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u | awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l && cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new && cat /dev/null > /var/log/httpd-error.log /bin/sh l && /bin/rm l Short and simple. Its not perfect but it has reduced my bandwidth quite a bit. -Steve On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote: > On Thu, 20 Sep 2001, Chris Byrnes wrote: > > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > > help with this new worm? > > There's La Brea, but that's probably not quite what you're looking > for. > > > I have restricted Apache to just listen to my main two web IPs > > instead of all of the IPs (I have hundreds of domains and each of > > them previously had its own IP for different reasons), and that's > > cut down the bandwidth use in half, but I'm still about double what > > my daily normal bandwidth usage is. > > As others have posted, you can tell Apache not to log certain > requests. That will help your logfile. > > To avoid wasting bandwidth sending a 404, you could possibly > either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the > attacks; i.e., redirect the request to a CGI script that sets MSS to a > few bytes (a l? La Brea), pretending to legitimately service the > request. Be careful: you will have to watch the number of sockets > you have open and the number of threads you tie up in this manner. > Perhaps someone with more time than I have can author up a "mod_NIMDA" > that can be configured with a max # of threads or max# connections to > tarpit in this fashion, so that you can limit the amount of resources > that you use. Any inbound attacks in excess of these limits can > simply be dropped on the floor. > > > Frustration is high, and money issues are going to surface soon. > > Any help would be appreciated. > > This is the best I can do with the time I have available. I'm in > the middle of combatting this problem with a proxy server that is > under attack (for which I have access to the source). My solution is > to do regex parsing on the request using Boost's regex++ (see > http://www.boost.org) to drop the requests on the floor (i.e., I'm not > even going to dignify them with a 404), but keep a hash map of > requesting IP addresses and number of attacks, which periodically gets > dumped to a separate logfile. I'd use regex() and regcmp(), but this > also has to run on Windows. Unfortunately, I can't share the source, > but this description should be enough to get you going. > > Fortunately, I've seen the rate of NIMDA attacks drop by a factor > of four over the last couple of days. Either IIS webmasters are > getting a clue, or their ISPs are being clueful for them (DSL.net, for > example, is shutting off their infected customers until those > customers demonstrate that they've fixed their servers). > > -- > Chris BeHanna > Software Engineer (Remove "bogus" before responding.) > behanna@bogus.zbzoom.net > I was raised by a pack of wild corn dogs. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10:41:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by hub.freebsd.org (Postfix) with ESMTP id 7D43837B42B for ; Sun, 23 Sep 2001 10:41:08 -0700 (PDT) Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.0/8.12.0) with ESMTP id f8NHf6I8064501 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sun, 23 Sep 2001 10:41:06 -0700 (PDT) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.0/8.12.0/Submit) id f8NHf6Gs064498; Sun, 23 Sep 2001 10:41:06 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15278.7858.133595.549621@horsey.gshapiro.net> Date: Sun, 23 Sep 2001 10:41:06 -0700 From: Gregory Neil Shapiro To: Ian Smith Cc: security@FreeBSD.ORG Subject: Re: New worm protection In-Reply-To: References: <200109230836.f8N8akx29012@faith.cs.utah.edu> X-Mailer: VM 6.96 under 21.5 (beta1) "anise" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org smithi> Not an option here, but it's the large number of entries in smithi> *-error.log that I'd like to be rid of. *-access.log I can just smithi> grep out before log analysis, if not exclude in the analyser smithi> config. This is what I am using: RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap And then /goaway.html is just a small file: Go away With this, nothing shows up in either httpd-access.log or httpd-error.log. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10:52: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts9-srv.bellnexxia.net (tomts9.bellnexxia.net [209.226.175.53]) by hub.freebsd.org (Postfix) with ESMTP id 084AF37B405 for ; Sun, 23 Sep 2001 10:51:57 -0700 (PDT) Received: from khan.anarcat.dyndns.org ([65.92.169.79]) by tomts9-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010923175156.PCQT1679.tomts9-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Sun, 23 Sep 2001 13:51:56 -0400 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id 38C271A66; Sun, 23 Sep 2001 13:51:49 -0400 (EDT) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id E5C0A20B4A; Sun, 23 Sep 2001 13:51:44 -0400 (EDT) Date: Sun, 23 Sep 2001 13:51:44 -0400 From: The Anarcat To: David G Andersen Cc: Ian Smith , Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923135143.A546@shall.anarcat.dyndns.org> References: <200109231703.f8NH3NK24837@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA" Content-Disposition: inline In-Reply-To: <200109231703.f8NH3NK24837@faith.cs.utah.edu> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Ian Smith once said: > >=20 > > Cute. Will play. However there are other directories too; dumping > > ANY request containing cmd.exe or root.exe would do it best here. >=20 > Use mod_rewrite to redirect all accesses to that script. >=20 > RewriteEngine on > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi >=20 > (I haven't tested this syntax. Test it first. :) Nice idea! Here's what I did: RewriteEngine on RewriteRule .*/cmd.exe.* /nimda.txt RewriteRule .*/root.exe.* /nimda.txt RewriteRule .*/default.ida.* /codered.txt RewriteRule .*/Admin.dll.* /codered.txt RewriteRule .*\\Admin.dll.* /codered.txt nimda.txt and codered.txt are simply empty files. This reduces the bandwitdh used by the attack and removes the entries in error.log. So the syntax is correct. Note the default.ida entry for th code red worm (is that it?). I think admin.dll is the same, but I'm not sure. Anyways, it doesn't make much difference. Here is a sample telnet output: GET /default.ida HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 23 Sep 2001 17:46:27 GMT Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT ETag: "1d161-0-3bae1a10" Accept-Ranges: bytes Content-Length: 0 Connection: close Content-Type: text/plain --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuIS4ACgkQttcWHAnWiGe05QCbBGOS4Ze36RR/eGXqS+ASIIih nwEAnAmNfOF5usyn072d8i+UreOEkpwI =Z8qG -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 10:56:20 2001 Delivered-To: freebsd-security@freebsd.org Received: from winston.freebsd.org (adsl-64-173-15-98.dsl.sntc01.pacbell.net [64.173.15.98]) by hub.freebsd.org (Postfix) with ESMTP id 7209237B41E; Sun, 23 Sep 2001 10:56:11 -0700 (PDT) Received: from localhost (jkh@localhost [127.0.0.1]) by winston.freebsd.org (8.11.6/8.11.6) with ESMTP id f8NHtiO29481; Sun, 23 Sep 2001 10:55:44 -0700 (PDT) (envelope-from jkh@freebsd.org) To: alex@big.endian.de Cc: ache@nagual.pp.ru, security@freebsd.org, rwatson@freebsd.org, current@freebsd.org, developers@freebsd.org Subject: Re: ~/.login_conf disabling exact reasons wanted In-Reply-To: <20010923133859.A10592@fump.kawo2.rwth-aachen.de> References: <20010922151107.C7524@fump.kawo2.rwth-aachen.de> <20010922120739E.jkh@freebsd.org> <20010923133859.A10592@fump.kawo2.rwth-aachen.de> X-Mailer: Mew version 1.94.1 on Emacs 20.7 / Mule 4.0 (HANANOEN) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010923105544R.jkh@freebsd.org> Date: Sun, 23 Sep 2001 10:55:44 -0700 From: Jordan Hubbard X-Dispatcher: imput version 20000228(IM140) Lines: 6 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Yes, I do, but FreeBSD was 4.4 even before it was fixed. FreeBSD wasn't 4.4 until it was released and all the tag sliding was over with. - Jordan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 11:10:46 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts5-srv.bellnexxia.net (tomts5.bellnexxia.net [209.226.175.25]) by hub.freebsd.org (Postfix) with ESMTP id 08DFD37B41F for ; Sun, 23 Sep 2001 11:10:42 -0700 (PDT) Received: from khan.anarcat.dyndns.org ([65.92.169.79]) by tomts5-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010923181041.ESAD27768.tomts5-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Sun, 23 Sep 2001 14:10:41 -0400 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id CC20D1A86; Sun, 23 Sep 2001 14:10:34 -0400 (EDT) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id 9D3CD20B4A; Sun, 23 Sep 2001 14:10:31 -0400 (EDT) Date: Sun, 23 Sep 2001 14:10:31 -0400 From: The Anarcat To: David G Andersen Cc: Ian Smith , Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923141030.B546@shall.anarcat.dyndns.org> References: <200109231703.f8NH3NK24837@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="VrqPEDrXMn8OVzN4" Content-Disposition: inline In-Reply-To: <200109231703.f8NH3NK24837@faith.cs.utah.edu> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --VrqPEDrXMn8OVzN4 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Use mod_rewrite to redirect all accesses to that script. >=20 > RewriteEngine on > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi >=20 > (I haven't tested this syntax. Test it first. :) Unfortunatly, I tested this using a text file, which is fine. Here, if I try using a compiled C script (instead of a perl script, faster on a small machine), the script gets dumped in binary form! Not executed! GET /root.exe ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= lf.so.FreeBSD=C0=B6 =2E.. So I used the redirect approach: RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= cgi sleep.c: int main() { sleep(5); printf("Content-type: text/plain\n\n"); } This works. However, it generates a bit too much output: GET /cmd.exe 302 Found

Found

The document has moved here.

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

;) I really don't understand why the Rewrite rule doesn't work as expected. A. --VrqPEDrXMn8OVzN4 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd c+QAn324N8SSDAEyDviPsqrhDTujaXuP =v3ql -----END PGP SIGNATURE----- --VrqPEDrXMn8OVzN4-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 11:18:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id A058137B429 for ; Sun, 23 Sep 2001 11:18:45 -0700 (PDT) Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by wrath.cs.utah.edu (8.11.6/8.11.1) with ESMTP id f8NIIiT25761; Sun, 23 Sep 2001 12:18:44 -0600 (MDT) From: David G Andersen Received: (from danderse@localhost) by faith.cs.utah.edu (8.11.1/8.11.1) id f8NIIhl29053; Sun, 23 Sep 2001 12:18:43 -0600 (MDT) Message-Id: <200109231818.f8NIIhl29053@faith.cs.utah.edu> Subject: Re: New worm protection To: anarcat@anarcat.dyndns.org (The Anarcat) Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT) Cc: danderse@cs.utah.edu (David G Andersen), smithi@nimnet.asn.au (Ian Smith), chris@JEAH.net (Chris Byrnes), security@FreeBSD.ORG In-Reply-To: <20010923141030.B546@shall.anarcat.dyndns.org> from "The Anarcat" at Sep 23, 2001 02:10:31 PM X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry, should have mentioned that I have all .cgi files mapped to executables. Have it map to your /cgi-bin like you want. Name the script nph- instead of just , which tells the webserver that your script will generate ALL of the headers. Then the script can just close, and the worm won't get _any_ output from the webserver. Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, which is obviously not what you want. You want to internally rewrite the URL so it gets handled transparently. Then, the result is quite pleasing: 131 eep:~/> telnet webby.angio.net 80 Trying 206.197.119.138... Connected to webby.angio.net. Escape character is '^]'. GET /scripts/cmd.exe? HTTP/1.0 Connection closed by foreign host. See? Very nice. :) Lo and behold, The Anarcat once said: > > On Sun, 23 Sep 2001, David G Andersen wrote: > > > Use mod_rewrite to redirect all accesses to that script. > >=20 > > RewriteEngine on > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi > >=20 > > (I haven't tested this syntax. Test it first. :) > > Unfortunatly, I tested this using a text file, which is fine. Here, if I > try using a compiled C script (instead of a perl script, faster on a > small machine), the script gets dumped in binary form! Not executed! > > GET /root.exe > ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= > lf.so.FreeBSD=C0=B6 > =2E.. > > So I used the redirect approach: > > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= > cgi > > sleep.c: > int main() { > sleep(5); > printf("Content-type: text/plain\n\n"); > } > > This works. However, it generates a bit too much output: > > GET /cmd.exe > > > 302 Found > >

Found

> The document has moved here.

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

> > > ;) > > I really don't understand why the Rewrite rule doesn't work as expected. > > A. > > --VrqPEDrXMn8OVzN4 > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd > c+QAn324N8SSDAEyDviPsqrhDTujaXuP > =v3ql > -----END PGP SIGNATURE----- > > --VrqPEDrXMn8OVzN4-- > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 11:34:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 88DFF37B418; Sun, 23 Sep 2001 11:34:08 -0700 (PDT) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id EAA13061; Mon, 24 Sep 2001 04:34:06 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Mon, 24 Sep 2001 04:34:06 +1000 (EST) From: Ian Smith To: Gregory Neil Shapiro Cc: security@FreeBSD.ORG Subject: Re: New worm protection In-Reply-To: <15278.7858.133595.549621@horsey.gshapiro.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 23 Sep 2001, Gregory Neil Shapiro wrote: > smithi> Not an option here, but it's the large number of entries in > smithi> *-error.log that I'd like to be rid of. *-access.log I can just > smithi> grep out before log analysis, if not exclude in the analyser > smithi> config. > > This is what I am using: > > RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html > SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap > CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap > > And then /goaway.html is just a small file: > > > Go away > > With this, nothing shows up in either httpd-access.log or httpd-error.log. I like it, short and sweet. Thankyou Greg. Thanks also to David Kirchner, David G Andersen, Steve Ames and The Anarcat for lots of angles to explore .. but tomorrow. Cheers, Ian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 11:44: 6 2001 Delivered-To: freebsd-security@freebsd.org Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147]) by hub.freebsd.org (Postfix) with ESMTP id 074AB37B421 for ; Sun, 23 Sep 2001 11:44:02 -0700 (PDT) Received: from long.near.this (long.near.this [10.0.172.9]) by ogyo.pointer-software.com (8.11.1/8.10.1) with ESMTP id f8NIhsj09754; Mon, 24 Sep 2001 03:43:54 +0900 (JST) Received: from pointer-software.com (char.near.this [10.0.172.11]) by long.near.this (8.11.1/8.9.3) with ESMTP id f8NIhr483067; Mon, 24 Sep 2001 03:43:53 +0900 (JST) Message-ID: <3BAE2D69.F8A82FE4@pointer-software.com> Date: Mon, 24 Sep 2001 03:43:53 +0900 From: horio shoichi Organization: pointer software X-Mailer: Mozilla 4.76 [ja] (X11; U; Linux 2.2.18pre21 i686) X-Accept-Language: en, ja MIME-Version: 1.0 To: Stanley Hopcroft Cc: FreeBSD-Security@FreeBSD.ORG Subject: Re: Policy based routing/restricting access __inside__ ones net.. References: <20010921105320.A6282@IPAustralia.Gov.AU> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Stanley Hopcroft wrote: > > Dear Ladies and Gentlemen, > > I am writing to ask for advice about providing profile dependent access > to subsets of ones internal network. > > The context is having third parties access the network for maintenance. > > Once they get logged in on the host they are hired to maintain, how can > I prevent them accessing other hosts while allowing __some__ access to > others they may need for problem resolution ? (given that both sets of > hosts can be specified) > > Can a Kerberos realm enforce access profiles such as these (and then if > they were forced to use only kerberised applications, grant them tickets > for access to some hosts only) ? > If you mean by realm to split servers into possibly overlapping set of realms each of which has separate set of principals (users and services) and users access servers through cross-realm authentication, I see no reason it doesn't work. > Can ipfilter/ipfw provide ACLs depending on user ? > Ipfilter is so low level that it has no notion of user. It only recognizes protocol, ip and port. If a user (or users) could be bound to a specific set of protocol, ip and port corresponding to an instance of service, then access control might be possible. But I doubt doing this would worth efforts. > The access could include Solaris/FreeBSD/AIX servers as well as MS Win > NT ... > > Thank you, > > Yours sincerely. > > -- > ------------------------------------------------------------------------ > Stanley Hopcroft IP Australia > Network Specialist > +61 2 6283 3189 +61 2 6281 1353 (FAX) Stanley.Hopcroft@IPAustralia.Gov.AU > ------------------------------------------------------------------------ > The study of non-linear physics is like the study of non-elephant > biology. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 11:52:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from tomts11-srv.bellnexxia.net (tomts11.bellnexxia.net [209.226.175.55]) by hub.freebsd.org (Postfix) with ESMTP id 40B9537B436 for ; Sun, 23 Sep 2001 11:52:22 -0700 (PDT) Received: from khan.anarcat.dyndns.org ([65.92.169.79]) by tomts11-srv.bellnexxia.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010923185221.PLBO17886.tomts11-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Sun, 23 Sep 2001 14:52:21 -0400 Received: from shall.anarcat.dyndns.org (shall.anarcat.dyndns.org [192.168.0.1]) by khan.anarcat.dyndns.org (Postfix) with ESMTP id EC5941A66; Sun, 23 Sep 2001 14:52:16 -0400 (EDT) Received: by shall.anarcat.dyndns.org (Postfix, from userid 1000) id B269220B4A; Sun, 23 Sep 2001 14:52:11 -0400 (EDT) Date: Sun, 23 Sep 2001 14:52:10 -0400 From: The Anarcat To: David G Andersen Cc: Ian Smith , Chris Byrnes , security@FreeBSD.ORG Subject: Re: New worm protection Message-ID: <20010923145210.C546@shall.anarcat.dyndns.org> References: <20010923141030.B546@shall.anarcat.dyndns.org> <200109231818.f8NIIhl29053@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="NKoe5XOeduwbEQHU" Content-Disposition: inline In-Reply-To: <200109231818.f8NIIhl29053@faith.cs.utah.edu> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --NKoe5XOeduwbEQHU Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Sorry, should have mentioned that I have all .cgi files mapped > to executables. > > Have it map to your /cgi-bin like you want. I had cgi configuration problems. They're fixed. :) > Name the script nph- instead of just , which > tells the webserver that your script will generate ALL of the > headers. Then the script can just close, and the worm > won't get _any_ output from the webserver. Interesting. I didn't know of this feature. > Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, > which is obviously not what you want. You want to internally=20 > rewrite the URL so it gets handled transparently. Then, the=20 > result is quite pleasing: >=20 > 131 eep:~/> telnet webby.angio.net 80 > Trying 206.197.119.138... > Connected to webby.angio.net. > Escape character is '^]'. > GET /scripts/cmd.exe? HTTP/1.0 >=20 > Connection closed by foreign host. >=20 > See? Very nice. :) Very nice indeed. I have the same result here now. :) Without the perl overhead. :) :) A. --NKoe5XOeduwbEQHU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuL1kACgkQttcWHAnWiGcipQCfdjLyAq5S39dvrHDU+s6kEGhu F94An18y8UO0IV4Too1BiyI0XAFE8pek =Q0/r -----END PGP SIGNATURE----- --NKoe5XOeduwbEQHU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 14:13:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 3429437B438 for ; Sun, 23 Sep 2001 14:12:57 -0700 (PDT) Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id f8NLDVD95333; Sun, 23 Sep 2001 14:13:31 -0700 (PDT) (envelope-from fasty) Date: Sun, 23 Sep 2001 14:13:31 -0700 From: faSty To: David G Andersen Cc: freebsd-security@freebsd.org Subject: Re: New worm protection Message-ID: <20010923141330.A94941@i-sphere.com> References: <20010923141030.B546@shall.anarcat.dyndns.org> <200109231818.f8NIIhl29053@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200109231818.f8NIIhl29053@faith.cs.utah.edu>; from danderse@cs.utah.edu on Sun, Sep 23, 2001 at 12:18:43PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org can you give me sample of statment that closes without output from the webserver. I tried use your statement seems not work and it simply envade almost all 500 domains on my webservers. ugh I hope your sample can handle all domains not just one domain. let me know thanks -trev On Sun, Sep 23, 2001 at 12:18:43PM -0600, David G Andersen wrote: > Sorry, should have mentioned that I have all .cgi files mapped > to executables. > > Have it map to your /cgi-bin like you want. > > Name the script nph- instead of just , which > tells the webserver that your script will generate ALL of the > headers. Then the script can just close, and the worm > won't get _any_ output from the webserver. > > Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, > which is obviously not what you want. You want to internally > rewrite the URL so it gets handled transparently. Then, the > result is quite pleasing: > > 131 eep:~/> telnet webby.angio.net 80 > Trying 206.197.119.138... > Connected to webby.angio.net. > Escape character is '^]'. > GET /scripts/cmd.exe? HTTP/1.0 > > Connection closed by foreign host. > > See? Very nice. :) > > Lo and behold, The Anarcat once said: > > > > On Sun, 23 Sep 2001, David G Andersen wrote: > > > > > Use mod_rewrite to redirect all accesses to that script. > > >=20 > > > RewriteEngine on > > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi > > >=20 > > > (I haven't tested this syntax. Test it first. :) > > > > Unfortunatly, I tested this using a text file, which is fine. Here, if I > > try using a compiled C script (instead of a perl script, faster on a > > small machine), the script gets dumped in binary form! Not executed! > > > > GET /root.exe > > ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= > > lf.so.FreeBSD=C0=B6 > > =2E.. > > > > So I used the redirect approach: > > > > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= > > cgi > > > > sleep.c: > > int main() { > > sleep(5); > > printf("Content-type: text/plain\n\n"); > > } > > > > This works. However, it generates a bit too much output: > > > > GET /cmd.exe > > > > > > 302 Found > > > >

Found

> > The document has moved here.

> >

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

> > > > > > ;) > > > > I really don't understand why the Rewrite rule doesn't work as expected. > > > > A. > > > > --VrqPEDrXMn8OVzN4 > > Content-Type: application/pgp-signature > > Content-Disposition: inline > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.0.6 (FreeBSD) > > Comment: For info see http://www.gnupg.org > > > > iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd > > c+QAn324N8SSDAEyDviPsqrhDTujaXuP > > =v3ql > > -----END PGP SIGNATURE----- > > > > --VrqPEDrXMn8OVzN4-- > > > > > -- > work: dga@lcs.mit.edu me: dga@pobox.com > MIT Laboratory for Computer Science http://www.angio.net/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- The primary theme of SoupCon is communication. The acronym "LEO" represents the secondary theme: Law Enforcement Officials The overall theme of SoupCon shall be: Avoiding Communication with Law Enforcement Officials To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 15: 4: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from webs1.accretive-networks.net (webs1.accretive-networks.net [207.246.154.13]) by hub.freebsd.org (Postfix) with ESMTP id 06A0237B401 for ; Sun, 23 Sep 2001 15:04:05 -0700 (PDT) Received: from localhost (davidk@localhost) by webs1.accretive-networks.net (8.11.1/8.11.3) with ESMTP id f8NL0Ae41687 for ; Sun, 23 Sep 2001 14:00:10 -0700 (PDT) Date: Sun, 23 Sep 2001 14:00:10 -0700 (PDT) From: David Kirchner X-X-Sender: To: Subject: Re: New worm protection In-Reply-To: <20010923141330.A94941@i-sphere.com> Message-ID: <20010923135836.Q85958-100000@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Would it be possible to create an accept-filter module (ala accf_http) that could take care of these and future similar filters, server-wide? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 16:22:34 2001 Delivered-To: freebsd-security@freebsd.org Received: from sv07e.atm-tzs.kmjeuro.com (sv07e.atm-tzs.kmjeuro.com [193.81.94.207]) by hub.freebsd.org (Postfix) with ESMTP id 39D1937B408 for ; Sun, 23 Sep 2001 16:22:28 -0700 (PDT) Received: (from root@localhost) by sv07e.atm-tzs.kmjeuro.com (8.11.5/8.11.4) id f8NNMQj82453 for freebsd-security@freebsd.org; Mon, 24 Sep 2001 01:22:26 +0200 (CEST) (envelope-from k.joch@kmjeuro.com) Received: from karl (e31f48139ccbe44ff66921e5c712c212@adsl.ooe.kmjeuro.com [193.154.186.21]) (authenticated) by sv07e.atm-tzs.kmjeuro.com (8.11.5/8.11.4) with ESMTP id f8NNMGv82184; Mon, 24 Sep 2001 01:22:16 +0200 (CEST) (envelope-from k.joch@kmjeuro.com) Message-ID: <060301c14487$048f79f0$0a05a8c0@ooe.kmjeuro.com> From: "Karl M. Joch" To: "David Kirchner" , References: <20010923135836.Q85958-100000@localhost> Subject: Re: New worm protection Date: Mon, 24 Sep 2001 01:24:41 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 X--virus-scanner: scanned for Virus and dangerous attachments on sv07e.atm-tzs.kmjeuro.com (System Setup/Maintainance: http://www.ctseuro.com/) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have made a quick and may dirty solution which helps me alot on the servers. it handles multiple error files. my error files are resetted onec every 24h. so i dont get to big files. ############################################ # include trailing / in run & wrk $run = "/usr/local/blockwins/"; $wrk = "/usr/local/blockwins/data/"; # create it in advance $logfiles = "/usr/local/blockwins/logfiles"; # made by ls /var/log/your-apache-error-logs $domfile = "IPs"; $rule = "50"; # the ipfw rule you want to use #*************************************************** end of config # Datum vorfuellen: chop($dat=`date "+%y/%m/%d %H:%M"`); $cnt=0; # ips $cnto=0; # ips old $cnt2=0; # access # create domain/register file if non existent: dbmopen (%domains,"$wrk$domfile",0640); dbmclose (%domains); dbmopen (%domains,"$wrk$domfile",0640); # GET OUR LOGFILES open ("INPUT",$logfiles) || die "$0: cannot open $logfiles !\n"; while () { chop ($_); open ("LOG",$_) || die "cannot open $_! \n"; while () { ## [Mon Sep 10 10:38:43 2001] [error] [client 193.215.176.192] File does not exist: /usr/local/www/default.ida $virus=0; if (/winnt/) { $virus=1;}; if (/root.exe/) { $virus=1;}; if (/cmd.exe/) { $virus=1;}; if (/default.ida/) { $virus=1;}; if ($virus) { #block them: $results=$_; $results=~ s/.*client ([0-9.]+).*\/(.*)$/$1##$2/; ($ip,$comm) = split(/##/,$results); if ( $domains{$ip}) { $cnt2++; $domains{$ip}=$comm; ## last command } else { $cnt++; $domains{$ip}=$comm; ## last command } } } } print "########################################################################\n" ; print "Angriffe von Code Red/Nimda \n"; print "########################################################################\n" ; print "DIFFERNT IPs: $cnt\n"; print "########################################################################\n" ; print "TOTAL ACCESS: $cnt2\n"; print "########################################################################\n" ; close (INPUT); # NOW LETS CHECK EVERYTHING: # clear the one rule: @args = ("/sbin/ipfw $rule delete"); system(@args) == 0 or print "system @args failed: $?\n"; # add all of our idiots: foreach $dom (sort keys %domains) { $cnto++; # print "$dom - denied access to the server with rule $rule\n"; @args = ("/sbin/ipfw $rule add deny all from $dom to any >/dev/null"); system(@args) == 0 or die "system @args failed: $?"; } print "########################################################################\n" ; print "All Rules (Total IPS: $cnto) added to Firewall\n"; print "Known Windows Systems denied access!\n"; print "########################################################################\n" ; dbmclose (%domains); -- -- Best regards / Mit freundlichen Gruessen, Karl M. Joch KMJ Consulting - CTS Consulting & Trade Service http://www.kmjeuro.com - http://www.ctseuro.com k.joch@kmjeuro.com - k.joch@ctseuro.com GSM : +43-664-3407888 Unsere Services: http://www.proline.at - Netzwerk und Sicherheitstechnik http://www.eushop.net - Onlineshop und Applikationen einfach mieten http://www.freebsd.at - Power Operating System ----- Original Message ----- From: "David Kirchner" To: Sent: Sunday, September 23, 2001 11:00 PM Subject: Re: New worm protection > Would it be possible to create an accept-filter module (ala accf_http) > that could take care of these and future similar filters, server-wide? > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 17: 4:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 07AFD37B41D; Sun, 23 Sep 2001 17:04:13 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id RAA28979; Sun, 23 Sep 2001 17:04:03 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda28977; Sun Sep 23 17:03:47 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f8O03lQ24008; Sun, 23 Sep 2001 17:03:47 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdb24006; Sun Sep 23 17:03:26 2001 Received: (from smtpd@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f8O037701400; Sun, 23 Sep 2001 17:03:07 -0700 (PDT) Message-Id: <200109240003.f8O037701400@cwsys.cwsent.com> X-Authentication-Warning: cwsys.cwsent.com: smtpd set sender to using -f Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdYA1389; Sun Sep 23 17:02:41 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "Andrey A. Chernov" Cc: Robert Watson , security@FreeBSD.ORG, current@FreeBSD.ORG, developers@FreeBSD.ORG, security-officer@FreeBSD.ORG Subject: Re: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted) In-reply-to: Your message of "Sun, 23 Sep 2001 16:13:57 +0400." <20010923161354.A426@nagual.pp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 23 Sep 2001 17:02:41 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20010923161354.A426@nagual.pp.ru>, "Andrey A. Chernov" writes: > On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote: > > > I'll work on the proper fix tomorrow. > > > Planned for commit. Please, review and/or comment. > > --- login_cap.c.old Sun Sep 23 16:09:04 2001 > +++ login_cap.c Sun Sep 23 16:06:19 2001 > @@ -184,18 +184,17 @@ > login_cap_t *lc; > > if ((lc = malloc(sizeof(login_cap_t))) != NULL) { > - int r, i = 0; > + int r, me, i = 0; > uid_t euid = 0; > gid_t egid = 0; > const char *msg = NULL; > - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; > + const char *dir; > char userpath[MAXPATHLEN]; > > static char *login_dbarray[] = { NULL, NULL, NULL }; > > -#ifndef _FILE_LOGIN_CONF_WORKS > - dir = NULL; > -#endif > + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); > + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; > /* > * Switch to user mode before checking/reading its ~/.login_conf > * - some NFSes have root read access disabled. > @@ -215,7 +214,7 @@ > if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) > i++; /* only use 'secure' data */ > } > - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) > login_dbarray[i++] = _PATH_LOGIN_CONF; > login_dbarray[i] = NULL; > > @@ -227,7 +226,7 @@ > > switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { > case -1: /* Failed, entry does not exist */ > - if (strcmp(name, LOGIN_MECLASS) == 0) > + if (me) > break; /* Don't retry default on 'me' */ > if (i == 0) > r = -1; After applying the patch and building world the following are logged to syslog. Sep 23 13:40:00 cwtest /usr/sbin/cron[17208]: login_getclass: unknown class 'root' Sep 23 13:40:00 cwtest /usr/sbin/cron[17207]: login_getclass: unknown class 'daemon' Sep 23 13:40:00 cwtest inetd[17213]: login_getclass: unknown class 'daemon' Rsh between hosts behind my firewall here at home work however rsync, which uses rsh, does not, an EOF error is displayed. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 17:56:59 2001 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-172.zoominternet.net [24.154.28.172]) by hub.freebsd.org (Postfix) with ESMTP id 5019A37B439 for ; Sun, 23 Sep 2001 17:56:55 -0700 (PDT) Received: from topperwein.dyndns.org (topperwein.dyndns.org [192.168.168.10]) by topperwein.dyndns.org (8.11.6/8.11.6) with ESMTP id f8O0vN252830; Sun, 23 Sep 2001 20:57:23 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Sun, 23 Sep 2001 20:57:18 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: David G Andersen Cc: Chris Byrnes , Subject: Re: New worm protection In-Reply-To: <200109230836.f8N8akx29012@faith.cs.utah.edu> Message-ID: <20010923205118.Y52704-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Chris Byrnes once said: > > > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > > help with this new worm? > > Someone already pointed out disabling logging on your webserver. > > He also suggested a Tarpit-like approach. I like the following > simple script, which is what I run on my webservers. > > mkdir DOCROOT/scripts > # Cover the two alternate bits as well > ln -s DOCROOT/scripts DOCROOT/_mem_bin > ln -s DOCROOT/scripts DOCROOT/_vti_bin > > cat > DOCROOT/scripts/.htaccess > ErrorDocument 404 /scripts/nph-foo.cgi > > > cat > DOCROOT/scripts/nph-foo.cgi > #!/usr/bin/perl > sleep(5); > exit(0); > > > NIMDA doesn't hang out for very long waiting for a response > to the script headers, so a labrea-tarpit like approach won't > actually be particularly effective. I had a thought that since the initial request was for a directory listing of a Windows C: drive, that I'd give one to him. One byte per second. I don't know if NIMDA will time out after I send the initial headers, but if not, then I could potentially tarpit one for a couple of hours. :-) The trouble with triggering ipfw/ipchain rules is that as the ruleset gets large, network performance gets slow (rulesets are searched linearly). A nice compromisse would be to gather statistics on the attackers and just firewall out the top 10 or 20 or so. The trouble with attempting to send a remote shutdown is that it's illegal (breaking into someone else's machine to run a program and all). Of course, if you have some unused IP addresses, there is always La Brea. :-) -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net I was raised by a pack of wild corn dogs. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 18: 1:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from cage.simianscience.com (cage.simianscience.com [64.7.134.1]) by hub.freebsd.org (Postfix) with ESMTP id 2968837B428 for ; Sun, 23 Sep 2001 18:01:21 -0700 (PDT) Received: from chimp.sentex.net (fcage [192.168.0.2]) by cage.simianscience.com (8.11.6/8.11.6) with ESMTP id f8O11HS00711; Sun, 23 Sep 2001 21:01:17 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20010923205904.03bb7bb8@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sun, 23 Sep 2001 21:01:16 -0400 To: Chris BeHanna From: Mike Tancsa Subject: Re: New worm protection Cc: security@FreeBSD.ORG In-Reply-To: <20010923205118.Y52704-100000@topperwein.dyndns.org> References: <200109230836.f8N8akx29012@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:57 PM 9/23/2001 -0400, Chris BeHanna wrote: > The trouble with triggering ipfw/ipchain rules is that as the >ruleset gets large, network performance gets slow (rulesets are >searched linearly). A nice compromisse would be to gather statistics >on the attackers and just firewall out the top 10 or 20 or so. Another option is to null route the IP address-- e.g. add a /32 route to ds0. One problem with this and blocking in general is that in some cases, the infected machines are from dynamic IP addresses. You would be punishing innocent users. ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Sep 23 21:12:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from au.dk (au.dk [130.225.9.11]) by hub.freebsd.org (Postfix) with ESMTP id 2611337B432 for ; Sun, 23 Sep 2001 21:11:30 -0700 (PDT) Received: from localhost (localhost) by au.dk (8.11.4/8.11.4) id f8O3fAi21562; Mon, 24 Sep 2001 06:01:23 +0200 (MET DST) Date: Mon, 24 Sep 2001 06:01:23 +0200 (MET DST) From: Mail Delivery Subsystem Message-Id: <200109240401.f8O3fAi21562@au.dk> To: MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="f8O3fAi21562.1001304083/au.dk" Subject: Warning: could not send message for past 4 hours Auto-Submitted: auto-generated (warning-timeout) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a MIME-encapsulated message --f8O3fAi21562.1001304083/au.dk ********************************************** ** THIS IS A WARNING MESSAGE ONLY ** ** YOU DO NOT NEED TO RESEND YOUR MESSAGE ** ********************************************** The original message was received at Mon, 24 Sep 2001 01:56:14 +0200 (MET DST) from mbone.iie.cnam.fr [192.70.23.180] ----- The following addresses had transient non-fatal errors ----- ----- Transcript of session follows ----- ... Deferred: Connection refused by daimi.au.dk. Warning: message still undelivered after 4 hours Will keep trying until message is 5 days old --f8O3fAi21562.1001304083/au.dk Content-Type: message/delivery-status Reporting-MTA: dns; au.dk Arrival-Date: Mon, 24 Sep 2001 01:56:14 +0200 (MET DST) Final-Recipient: RFC822; FARRET@daimi.au.dk Action: delayed Status: 4.4.1 Remote-MTA: DNS; daimi.au.dk Last-Attempt-Date: Mon, 24 Sep 2001 06:01:23 +0200 (MET DST) Will-Retry-Until: Sat, 29 Sep 2001 01:56:14 +0200 (MET DST) --f8O3fAi21562.1001304083/au.dk Content-Type: message/rfc822 Return-Path: Received: from mbone.iie.cnam.fr (mbone.iie.cnam.fr [192.70.23.180]) by au.dk (8.11.4/8.11.4) with ESMTP id f8NNuD517047 for ; Mon, 24 Sep 2001 01:56:14 +0200 (MET DST) Received: from rubis.iie.cnam.fr (smtp_relay@rubis.iie.cnam.fr [192.70.23.3]) by mbone.iie.cnam.fr (8.9.3/8.9.3) with SMTP id CAA21526 for ; Mon, 24 Sep 2001 02:06:14 +0200 (MET DST) From: security@FreeBSD.ORG Received: by rubis.iie.cnam.fr (MX V4.2 VAX) id 23; Mon, 24 Sep 2001 02:06:08 MET_DST Date: Mon, 24 Sep 2001 02:06:07 MET_DST To: freebsd-security-digest@FreeBSD.ORG Message-ID: <00A02825.EFF8D7F0.23@rubis.iie.cnam.fr> Subject: security-digest V5 #289 Return-Path: Received: from mbone.iie.cnam.fr by rubis.iie.cnam.fr (MX V4.2 VAX) with SMTP; Mon, 24 Sep 2001 02:06:04 MET_DST Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119]) by mbone.iie.cnam.fr (8.9.3/8.9.3) with ESMTP id CAA21501 for ; Mon, 24 Sep 2001 02:05:05 +0200 (MET DST) Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18]) by mx2.freebsd.org (Postfix) with ESMTP id 9307355EDB; Sun, 23 Sep 2001 17:04:47 -0700 (PDT) (envelope-from owner-freebsd-security-digest@FreeBSD.ORG) Received: by hub.freebsd.org (Postfix, from userid 538) id 2F73A37B417; Sun, 23 Sep 2001 17:04:38 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with SMTP id 4BF4C2E8040; Sun, 23 Sep 2001 17:04:38 -0700 (PDT) Received: by hub.freebsd.org (bulk_mailer v1.12); Sun, 23 Sep 2001 17:04:38 -0700 From: owner-freebsd-security-digest@FreeBSD.ORG (security-digest) To: freebsd-security-digest@FreeBSD.ORG Subject: security-digest V5 #289 Reply-To: security@FreeBSD.ORG Sender: owner-freebsd-security-digest@FreeBSD.ORG Precedence: bulk Message-ID: Date: Sun, 23 Sep 2001 17:04:38 -0700 (PDT) security-digest Sunday, September 23 2001 Volume 05 : Number 289 In this issue: Re: ~/.login_conf disabling exact reasons wanted Re: New worm protection Patch for review (was Re: ~/.login_conf disabling exact reasons wanted) Re: New worm protection Re: ~/.login_conf disabling exact reasons wanted Re: New worm protection Identify this exploit Re: Identify this exploit Re: Identify this exploit Re: New worm protection Re: New worm protection Re: New worm protection Re: New worm protection Re: New worm protection Re: New worm protection Re: ~/.login_conf disabling exact reasons wanted Re: New worm protection Re: New worm protection Re: New worm protection Re: Policy based routing/restricting access __inside__ ones net.. Re: New worm protection Re: New worm protection Re: New worm protection Re: New worm protection Re: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted) ---------------------------------------------------------------------- Date: Sun, 23 Sep 2001 13:38:59 +0200 From: Alexander Langer Subject: Re: ~/.login_conf disabling exact reasons wanted Thus spake Jordan Hubbard (jkh@FreeBSD.org): > The bug doesn't exist in 4.4 either. It was fixed prior to release. > Doesn't anyone read commit mail anymore?! :-( Yes, I do, but FreeBSD was 4.4 even before it was fixed. OTOH, the report on bugtraq also mentions, that 4.4-RELEASE isn't affected. Alex ------------------------------ Date: Sun, 23 Sep 2001 08:07:59 -0400 From: "Jonathan M. Slivko" Subject: Re: New worm protection The best kind of protection I can offer is to write a script that will scan the apache logs and use ipfw to ban whole class C's that generate a 404. That may be a little extreme, but it works. I will try and get a copy of the code to you later. -- Jonathan - ----- Original Message ----- From: "Chris Byrnes" To: Sent: Thursday, September 20, 2001 10:07 AM Subject: New worm protection > Has anyone written an easy-to-use ipfw rule or some kind of script that will > help with this new worm? > > I have restricted Apache to just listen to my main two web IPs instead of > all of the IPs (I have > hundreds of domains and each of them previously had its own IP for different > reasons), and > that's cut down the bandwidth use in half, but I'm still about double what > my daily normal bandwidth > usage is. > > Frustration is high, and money issues are going to surface soon. Any help > would be appreciated. > > > Chris Byrnes, Managing Member > JEAH Communications, LLC > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > ------------------------------ Date: Sun, 23 Sep 2001 16:13:57 +0400 From: "Andrey A. Chernov" Subject: Patch for review (was Re: ~/.login_conf disabling exact reasons wanted) On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote: > I'll work on the proper fix tomorrow. Planned for commit. Please, review and/or comment. - --- login_cap.c.old Sun Sep 23 16:09:04 2001 +++ login_cap.c Sun Sep 23 16:06:19 2001 @@ -184,18 +184,17 @@ login_cap_t *lc; if ((lc = malloc(sizeof(login_cap_t))) != NULL) { - - int r, i = 0; + int r, me, i = 0; uid_t euid = 0; gid_t egid = 0; const char *msg = NULL; - - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; + const char *dir; char userpath[MAXPATHLEN]; static char *login_dbarray[] = { NULL, NULL, NULL }; - -#ifndef _FILE_LOGIN_CONF_WORKS - - dir = NULL; - -#endif + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; /* * Switch to user mode before checking/reading its ~/.login_conf * - some NFSes have root read access disabled. @@ -215,7 +214,7 @@ if (_secure_path(userpath, pwd->pw_uid, pwd->pw_gid) != -1) i++; /* only use 'secure' data */ } - - if (_secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) + if (me && _secure_path(_PATH_LOGIN_CONF, 0, 0) != -1) login_dbarray[i++] = _PATH_LOGIN_CONF; login_dbarray[i] = NULL; @@ -227,7 +226,7 @@ switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { case -1: /* Failed, entry does not exist */ - - if (strcmp(name, LOGIN_MECLASS) == 0) + if (me) break; /* Don't retry default on 'me' */ if (i == 0) r = -1; - -- Andrey A. Chernov http://ache.pp.ru/ ------------------------------ Date: Sun, 23 Sep 2001 06:07:01 -0700 From: Greg Shenaut Subject: Re: New worm protection In message <200109230836.f8N8akx29012@faith.cs.utah.edu>, David G Andersen cleopede: >I like the following >simple script, which is what I run on my webservers. > [script using a sleep(5) for delay purposes] > >NIMDA doesn't hang out for very long waiting for a response >to the script headers, so a labrea-tarpit like approach won't >actually be particularly effective. The sleep(5) will slow >it down a little bit, and the exit(0) will make it >return with no data sent back, not even a 404. Which >will help a bit on the outbound bandwidth, but, of course >won't help on the inbound. Others have posted scripts to >NANOG (see http://www.nanog.org/ and check the archive) >that will automatically trigger ipfw / ipchains additions, >but, as always, be particularly careful with those. What would be the effect of having the web server ignore (as in, make no response at all to) *any* attempt to GET a nonexistent file? It seems to me that this would delay things maximally for the attacker with the least effort at the server end. But I am concerned about the effect on innocent mistypers and web crawling search engines (but not too concerned, frankly). Greg Shenaut ------------------------------ Date: Sun, 23 Sep 2001 17:11:00 +0400 From: "Andrey A. Chernov" Subject: Re: ~/.login_conf disabling exact reasons wanted On Sat, Sep 22, 2001 at 22:58:21 +0400, Andrey A. Chernov wrote: > > Sorry for all that buzz, I am finally able to reproduce it on -current. > Details: there is no security hole under -current, just broken functionality. You can specify copyright=/etc/passwd with passwd output (it is broken functionality), but specifying copyright=/etc/master.passwd outputs nothing. See my patch posted today fixing this. - -- Andrey A. Chernov http://ache.pp.ru/ ------------------------------ Date: Sun, 23 Sep 2001 16:00:40 +0100 (BST) From: freebsd-security@rikrose.net Subject: Re: New worm protection On Sun, 23 Sep 2001 ark@eltex.ru wrote: > Is there a way to send a command to worm to shut it (or just a machine) down? > I remember Code Red installed some kind of backdoor that allowed remote control > without trying the whole bunch of exploits, does NIMDA have such a 'feature'? Allegedly, yes, it installs a passwordless admin account. There is information "out there", aparently, although, I haven't been bothered to look it up, so I may be wrong. - -- PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F Public key also encoded with outguess on http://rikrose.net ------------------------------ Date: Sun, 23 Sep 2001 12:27:47 -0400 From: Pat Wendorf Subject: Identify this exploit I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf option. Many of which, for the past few months has been connection attempts to TCP port 2000, as seen here: > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 I'm not much up on my exploits, which one is this? - -- Pat Wendorf ------------------------------ Date: Sun, 23 Sep 2001 11:30:12 -0500 From: Christopher Schulte Subject: Re: Identify this exploit At 12:27 PM 9/23/2001 -0400, Pat Wendorf wrote: >I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf >option. Many of which, for the past few months has been connection >attempts to TCP port 2000, as seen here: > > > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 > >I'm not much up on my exploits, which one is this? Could be trying to exploit a wind0wz trojan exploit: from http://www.sans.org/newlook/resources/IDFAQ/oddports.htm port 2000 Der Sp=E4her / Der Spaeher, Insane Network >-- > >Pat Wendorf - -- Christopher Schulte christopher@schulte.org http://noc.schulte.org ------------------------------ Date: Sun, 23 Sep 2001 09:30:22 -0700 From: Greg Shenaut Subject: Re: Identify this exploit In message <3BAE0D83.41ACBF7B@unios.dhs.org>, Pat Wendorf cleopede: >I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf >option. Many of which, for the past few months has been connection >attempts to TCP port 2000, as seen here: > >> Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 > >I'm not much up on my exploits, which one is this? In my /etc/services file, port 2000 is something known as "callbook", but I don't know what that is. Greg Shenaut ------------------------------ Date: Mon, 24 Sep 2001 02:56:40 +1000 (EST) From: Ian Smith Subject: Re: New worm protection On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Chris Byrnes once said: > > > > Has anyone written an easy-to-use ipfw rule or some kind of script > > that will help with this new worm? > > Someone already pointed out disabling logging on your webserver. Not an option here, but it's the large number of entries in *-error.log that I'd like to be rid of. *-access.log I can just grep out before log analysis, if not exclude in the analyser config. > He also suggested a Tarpit-like approach. I like the following > simple script, which is what I run on my webservers. > > mkdir DOCROOT/scripts > # Cover the two alternate bits as well > ln -s DOCROOT/scripts DOCROOT/_mem_bin > ln -s DOCROOT/scripts DOCROOT/_vti_bin > > cat > DOCROOT/scripts/.htaccess > ErrorDocument 404 /scripts/nph-foo.cgi > > > cat > DOCROOT/scripts/nph-foo.cgi > #!/usr/bin/perl > sleep(5); > exit(0); > Cute. Will play. However there are other directories too; dumping ANY request containing cmd.exe or root.exe would do it best here. > NIMDA doesn't hang out for very long waiting for a response > to the script headers, so a labrea-tarpit like approach won't > actually be particularly effective. The sleep(5) will slow > it down a little bit, and the exit(0) will make it > return with no data sent back, not even a 404. Which But does *error.log still get hit? I dealt with /default.ida by giving 'em a one-line one, which at least meant no error logging while reducing response traffic by two thirds, but poring through apache docs - which I must be too thick to find easy reading, looking for some way to provide some short but valid response to such a range of URLs, I've not yet been able to nut out. Any suggestions? > will help a bit on the outbound bandwidth, but, of course > won't help on the inbound. Others have posted scripts to > NANOG (see http://www.nanog.org/ and check the archive) > that will automatically trigger ipfw / ipchains additions, > but, as always, be particularly careful with those. Will have a look at these, however carpet bombing whole /24s for the not even deliberate misdeeds of a few (ok, plenty of) unpatched m$junk seems rather an overreaction <&^}= The other thing here (ie in 203/8) is the large number of unsuccessful DNS requests for reverse mapping of particularly North Asian addresses, often ending with Server Failures and such - but I guess misconfigured DNS is no more surprising than zillions of compromised webservers .. I'd love to find some way of pre-filtering these NIMDA requests and just dropping them on the floor before apache even considered DNS lookups (?) Ian ------------------------------ Date: Sun, 23 Sep 2001 11:03:23 -0600 (MDT) From: David G Andersen Subject: Re: New worm protection Lo and behold, Ian Smith once said: > > Not an option here, but it's the large number of entries in *-error.log > that I'd like to be rid of. *-access.log I can just grep out before log > analysis, if not exclude in the analyser config. Disable error logging? :) > Cute. Will play. However there are other directories too; dumping > ANY request containing cmd.exe or root.exe would do it best here. Use mod_rewrite to redirect all accesses to that script. RewriteEngine on RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi (I haven't tested this syntax. Test it first. :) > But does *error.log still get hit? I dealt with /default.ida by giving > 'em a one-line one, which at least meant no error logging while reducing > response traffic by two thirds, but poring through apache docs - which I > must be too thick to find easy reading, looking for some way to provide > some short but valid response to such a range of URLs, I've not yet been > able to nut out. Any suggestions? The rewriting I specified above will do what you want. It maps it to a valid script request. It'll show up in *access_log. > I'd love to find some way of pre-filtering these NIMDA requests and just > dropping them on the floor before apache even considered DNS lookups (?) I'm vaguely surprised you have reverse DNS resolution enabled. You could make life a lot easier on yourself by switching to post-resolution for a while, and do the DNS lookup _after_ filtering out the bogus requests. -Dave - -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ ------------------------------ Date: Sun, 23 Sep 2001 08:59:24 -0700 (PDT) From: David Kirchner Subject: Re: New worm protection On Mon, 24 Sep 2001, Ian Smith wrote: > Not an option here, but it's the large number of entries in *-error.log > that I'd like to be rid of. *-access.log I can just grep out before log > analysis, if not exclude in the analyser config. The method that was mentioned would also work for ErrorLog: ErrorLog "|grep -v cmd.exe > /normal/error_log/location" ------------------------------ Date: Sun, 23 Sep 2001 12:17:32 -0500 From: Steve Ames Subject: Re: New worm protection One simple shell script and you can automatically add offendors to your ipfw ruleset. Won't stop the initial probe but will stop repeat performances. I use the following run out of cron every minute: #!/bin/sh cd /root grep cmd.exe /var/log/httpd-error.log | awk '{print $8;}' | sort -u | awk -F\] '{printf(" /sbin/ipfw add deny ip from %s to any\n ",$1);}' > l && cat /var/log/httpd-error.log >> /var/log/httpd-error.log.new && cat /dev/null > /var/log/httpd-error.log /bin/sh l && /bin/rm l Short and simple. Its not perfect but it has reduced my bandwidth quite a bit. - -Steve On Sun, Sep 23, 2001 at 02:08:19AM -0400, Chris BeHanna wrote: > On Thu, 20 Sep 2001, Chris Byrnes wrote: > > > Has anyone written an easy-to-use ipfw rule or some kind of script that will > > help with this new worm? > > There's La Brea, but that's probably not quite what you're looking > for. > > > I have restricted Apache to just listen to my main two web IPs > > instead of all of the IPs (I have hundreds of domains and each of > > them previously had its own IP for different reasons), and that's > > cut down the bandwidth use in half, but I'm still about double what > > my daily normal bandwidth usage is. > > As others have posted, you can tell Apache not to log certain > requests. That will help your logfile. > > To avoid wasting bandwidth sending a 404, you could possibly > either use mod_rewrite or an ErrorDocument CGI script to "tarpit" the > attacks; i.e., redirect the request to a CGI script that sets MSS to a > few bytes (a l? La Brea), pretending to legitimately service the > request. Be careful: you will have to watch the number of sockets > you have open and the number of threads you tie up in this manner. > Perhaps someone with more time than I have can author up a "mod_NIMDA" > that can be configured with a max # of threads or max# connections to > tarpit in this fashion, so that you can limit the amount of resources > that you use. Any inbound attacks in excess of these limits can > simply be dropped on the floor. > > > Frustration is high, and money issues are going to surface soon. > > Any help would be appreciated. > > This is the best I can do with the time I have available. I'm in > the middle of combatting this problem with a proxy server that is > under attack (for which I have access to the source). My solution is > to do regex parsing on the request using Boost's regex++ (see > http://www.boost.org) to drop the requests on the floor (i.e., I'm not > even going to dignify them with a 404), but keep a hash map of > requesting IP addresses and number of attacks, which periodically gets > dumped to a separate logfile. I'd use regex() and regcmp(), but this > also has to run on Windows. Unfortunately, I can't share the source, > but this description should be enough to get you going. > > Fortunately, I've seen the rate of NIMDA attacks drop by a factor > of four over the last couple of days. Either IIS webmasters are > getting a clue, or their ISPs are being clueful for them (DSL.net, for > example, is shutting off their infected customers until those > customers demonstrate that they've fixed their servers). > > -- > Chris BeHanna > Software Engineer (Remove "bogus" before responding.) > behanna@bogus.zbzoom.net > I was raised by a pack of wild corn dogs. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message ------------------------------ Date: Sun, 23 Sep 2001 10:41:06 -0700 From: Gregory Neil Shapiro Subject: Re: New worm protection smithi> Not an option here, but it's the large number of entries in smithi> *-error.log that I'd like to be rid of. *-access.log I can just smithi> grep out before log analysis, if not exclude in the analyser smithi> config. This is what I am using: RedirectMatch (.*)/(root.exe|cmd.exe|default.ida).* /goaway.html SetEnvIf Request_URI "/(root.exe|cmd.exe|default.ida|goaway.html)" MSExploitCrap CustomLog /var/log/httpd-access.log combined env=!MSExploitCrap And then /goaway.html is just a small file: Go away With this, nothing shows up in either httpd-access.log or httpd-error.log. ------------------------------ Date: Sun, 23 Sep 2001 13:51:44 -0400 From: The Anarcat Subject: Re: New worm protection - --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Lo and behold, Ian Smith once said: > >=20 > > Cute. Will play. However there are other directories too; dumping > > ANY request containing cmd.exe or root.exe would do it best here. >=20 > Use mod_rewrite to redirect all accesses to that script. >=20 > RewriteEngine on > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi >=20 > (I haven't tested this syntax. Test it first. :) Nice idea! Here's what I did: RewriteEngine on RewriteRule .*/cmd.exe.* /nimda.txt RewriteRule .*/root.exe.* /nimda.txt RewriteRule .*/default.ida.* /codered.txt RewriteRule .*/Admin.dll.* /codered.txt RewriteRule .*\\Admin.dll.* /codered.txt nimda.txt and codered.txt are simply empty files. This reduces the bandwitdh used by the attack and removes the entries in error.log. So the syntax is correct. Note the default.ida entry for th code red worm (is that it?). I think admin.dll is the same, but I'm not sure. Anyways, it doesn't make much difference. Here is a sample telnet output: GET /default.ida HTTP/1.0 HTTP/1.1 200 OK Date: Sun, 23 Sep 2001 17:46:27 GMT Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a Last-Modified: Sun, 23 Sep 2001 17:21:20 GMT ETag: "1d161-0-3bae1a10" Accept-Ranges: bytes Content-Length: 0 Connection: close Content-Type: text/plain - --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuIS4ACgkQttcWHAnWiGe05QCbBGOS4Ze36RR/eGXqS+ASIIih nwEAnAmNfOF5usyn072d8i+UreOEkpwI =Z8qG - -----END PGP SIGNATURE----- - --AqsLC8rIMeq19msA-- ------------------------------ Date: Sun, 23 Sep 2001 10:55:44 -0700 From: Jordan Hubbard Subject: Re: ~/.login_conf disabling exact reasons wanted > Yes, I do, but FreeBSD was 4.4 even before it was fixed. FreeBSD wasn't 4.4 until it was released and all the tag sliding was over with. - - Jordan ------------------------------ Date: Sun, 23 Sep 2001 14:10:31 -0400 From: The Anarcat Subject: Re: New worm protection - --VrqPEDrXMn8OVzN4 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, 23 Sep 2001, David G Andersen wrote: > Use mod_rewrite to redirect all accesses to that script. >=20 > RewriteEngine on > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi >=20 > (I haven't tested this syntax. Test it first. :) Unfortunatly, I tested this using a text file, which is fine. Here, if I try using a compiled C script (instead of a perl script, faster on a small machine), the script gets dumped in binary form! Not executed! GET /root.exe ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= lf.so.FreeBSD=C0=B6 =2E.. So I used the redirect approach: RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= cgi sleep.c: int main() { sleep(5); printf("Content-type: text/plain\n\n"); } This works. However, it generates a bit too much output: GET /cmd.exe 302 Found

Found

The document has moved here.

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

;) I really don't understand why the Rewrite rule doesn't work as expected. A. - --VrqPEDrXMn8OVzN4 Content-Type: application/pgp-signature Content-Disposition: inline - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjuuJZUACgkQttcWHAnWiGcT/wCfZUO50hEjQUILZJIfZNlkJDgd c+QAn324N8SSDAEyDviPsqrhDTujaXuP =v3ql - -----END PGP SIGNATURE----- - --VrqPEDrXMn8OVzN4-- ------------------------------ Date: Sun, 23 Sep 2001 12:18:43 -0600 (MDT) From: David G Andersen Subject: Re: New worm protection Sorry, should have mentioned that I have all .cgi files mapped to executables. Have it map to your /cgi-bin like you want. Name the script nph- instead of just , which tells the webserver that your script will generate ALL of the headers. Then the script can just close, and the worm won't get _any_ output from the webserver. Use RewriteRule, not RedirectMatch. RedirectMatch sends a redirect, which is obviously not what you want. You want to internally rewrite the URL so it gets handled transparently. Then, the result is quite pleasing: 131 eep:~/> telnet webby.angio.net 80 Trying 206.197.119.138... Connected to webby.angio.net. Escape character is '^]'. GET /scripts/cmd.exe? HTTP/1.0 Connection closed by foreign host. See? Very nice. :) Lo and behold, The Anarcat once said: > > On Sun, 23 Sep 2001, David G Andersen wrote: > > > Use mod_rewrite to redirect all accesses to that script. > >=20 > > RewriteEngine on > > RewriteRule .*/cmd.exe.* /scripts/nph-foo.cgi > >=20 > > (I haven't tested this syntax. Test it first. :) > > Unfortunatly, I tested this using a text file, which is fine. Here, if I > try using a compiled C script (instead of a perl script, faster on a > small machine), the script gets dumped in binary form! Not executed! > > GET /root.exe > ELF =F04=F44 (444=C0=C0=F4=F4=F4vvxxx=AC=C8=B4=B4=B4pp/usr/libexec/ld-e= > lf.so.FreeBSD=C0=B6 > =2E.. > > So I used the redirect approach: > > RedirectMatch .*/(root.exe|cmd.exe|default.ida|Admin.dll).* /cgi-bin/sleep.= > cgi > > sleep.c: > int main() { > sleep(5); > printf("Content-type: text/plain\n\n"); > } > > This works. However, it generates a bit too much output: > > GET /cmd.exe > > > 302 Found > >

Found

> The document has moved here.

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

Found

> > The document has moved here.

> >

Apache/1.3.20 Server at anarcat.dyndns.org Port 80

Here's a nickel. Buy yourself a real operating system.

Thereby putting a message on the console and taking the machine off the Internet in a "friendly" way. -- Paul Chvostek Operations / Development / Abuse / Whatever vox: +1 416 598-0000 IT Canada http://www.it.ca/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 24 6:12: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 3DB5137B41A for ; Mon, 24 Sep 2001 06:12:02 -0700 (PDT) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id GAA31108; Mon, 24 Sep 2001 06:11:44 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31106; Mon Sep 24 06:11:42 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.6/8.9.1) id f8ODBf527148; Mon, 24 Sep 2001 06:11:41 -0700 (PDT) Received: from UNKNOWN(10.1.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdd27146; Mon Sep 24 06:11:38 2001 Received: (from smtpd@localhost) by cwsys.cwsent.com (8.11.6/8.9.1) id f8ODBMd08884; Mon, 24 Sep 2001 06:11:22 -0700 (PDT) Message-Id: <200109241311.f8ODBMd08884@cwsys.cwsent.com> X-Authentication-Warning: cwsys.cwsent.com: smtpd set sender to using -f Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdpT8850; Mon Sep 24 06:10:46 2001 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: horio shoichi Cc: Stanley Hopcroft , FreeBSD-Security@FreeBSD.ORG Subject: Re: Policy based routing/restricting access __inside__ ones net.. In-reply-to: Your message of "Mon, 24 Sep 2001 03:43:53 +0900." <3BAE2D69.F8A82FE4@pointer-software.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 24 Sep 2001 06:10:46 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <3BAE2D69.F8A82FE4@pointer-software.com>, horio shoichi writes: > Stanley Hopcroft wrote: > > > > Dear Ladies and Gentlemen, > > > > I am writing to ask for advice about providing profile dependent access > > to subsets of ones internal network. > > > > The context is having third parties access the network for maintenance. > > > > Once they get logged in on the host they are hired to maintain, how can > > I prevent them accessing other hosts while allowing __some__ access to > > others they may need for problem resolution ? (given that both sets of > > hosts can be specified) > > > > Can a Kerberos realm enforce access profiles such as these (and then if > > they were forced to use only kerberised applications, grant them tickets > > for access to some hosts only) ? > > > If you mean by realm to split servers into possibly overlapping set of > realms each of which has separate set of principals (users and services) > and > users access servers through cross-realm authentication, I see no reason > it > doesn't work. > > > Can ipfilter/ipfw provide ACLs depending on user ? > > > Ipfilter is so low level that it has no notion of user. It only > recognizes > protocol, ip and port. If a user (or users) could be bound to a specific > set of protocol, ip and port corresponding to an instance of service, > then access control might be possible. But I doubt doing this would > worth efforts. Don't forget the IPFW will only be able to filter depending on user only if the user is on the system doing the filtering. If you have a separate firewall system, access control based on user is close to impossible. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD Ministry of Management Services Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 24 7:25: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.delaware.net (mail2.delaware.net [204.253.96.6]) by hub.freebsd.org (Postfix) with ESMTP id DF4DF37B406 for ; Mon, 24 Sep 2001 07:24:59 -0700 (PDT) Received: from richnew (mushumba.delaware.net [204.253.96.150]) by mail.delaware.net (8.12.0/8.12.0) with SMTP id f8OEJr1K017395 for ; Mon, 24 Sep 2001 10:19:54 -0400 From: "Rich Culp" To: Subject: Date: Mon, 24 Sep 2001 10:19:41 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Importance: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 24 9:29:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.thelbane.com (dsl-209-87-101-182.constant.com [209.87.101.182]) by hub.freebsd.org (Postfix) with SMTP id 7E31937B417 for ; Mon, 24 Sep 2001 09:29:46 -0700 (PDT) Received: (qmail 30122 invoked from network); 24 Sep 2001 16:29:40 -0000 Received: from dsl-198-92-137-12.constant.com (HELO ?192.168.100.202?) (198.92.137.12) by shalmaneser.thelbane.com with SMTP; 24 Sep 2001 16:29:40 -0000 From: Timothy Knox To: Subject: LaBrea for BSD? Date: Mon, 24 Sep 2001 11:27:50 -0500 Message-Id: <20010924162750.24311@shalmaneser.thelbane.com> X-Mailer: CTM PowerMail 3.0.9 MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Has anyone here looked at LaBrea ? If so, how much effort would be needed to port it to FreeBSD? It seems like an interesting idea, and a potentially amusing way to slow the spread of these darn IIS worms. Just my 2.02 yen worth, YMMV, void where prohibited by law. -- Timothy Knox -- "Stupidity is like nuclear power. It can be used for good or evil, and you don't want to get any on you." -- Scott Adams To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Sep 24 9:43:37 2001 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id E39B637B41B for ; Mon, 24 Sep 2001 09:43:33 -0700 (PDT) Received: by peitho.fxp.org (Postfix, from userid 1501) id E86AF13643; Mon, 24 Sep 2001 12:43:28 -0400 (EDT) Date: Mon, 24 Sep 2001 12:43:28 -0400 From: Chris Faulhaber To: Timothy Knox Cc: freebsd-security@FreeBSD.ORG Subject: Re: LaBrea for BSD? Message-ID: <20010924124328.A61140@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber