From owner-freebsd-security Mon Oct 28 13:17:27 2002
Date: Mon, 28 Oct 2002 16:17:28 -0500
From: Bryan Fullerton
To: security@freebsd.org
Subject: last cores
Sender: owner-freebsd-security@FreeBSD.ORG

Someone might want to look at this.

% last -w0
Segmentation fault (core dumped)

Does this on 4.6.2-RELEASE-p2, 4.7-RELEASE, 4.7-STABLE (Oct 17).

Bryan

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Oct 28 13:41:57 2002
Date: Mon, 28 Oct 2002 16:30:38 -0500
From: Michael Joyner
To: Bryan Fullerton
Cc: security@freebsd.org
Subject: Re: last cores

Quoting Bryan Fullerton:

> Someone might want to look at this.
>
> % last -w0
> Segmentation fault (core dumped)
>
> Does this on 4.6.2-RELEASE-p2, 4.7-RELEASE, 4.7-STABLE (Oct 17).
>
> Bryan

1) send-pr is your friend
2) it does it on 4.7-STABLE as well

-- 
FreeBSD System Administrator
http://manhattan.hq.dyns.cx/

From owner-freebsd-security Mon Oct 28 13:43:10 2002
Date: 28 Oct 2002 16:43:05 -0500
From: Lowell Gilbert
To: Bryan Fullerton
Cc: security@FreeBSD.ORG
Subject: Re: last cores

Bryan Fullerton writes:

> Someone might want to look at this.
>
> % last -w0
> Segmentation fault (core dumped)
>
> Does this on 4.6.2-RELEASE-p2, 4.7-RELEASE, 4.7-STABLE (Oct 17).

Doesn't belong on the -security list, but it looks like the
backward-compatibility hack in the option-handling switch statement of
last.c needs another hack.

From owner-freebsd-security Tue Oct 29 2:22:28 2002
Date: Tue, 29 Oct 2002 11:22:22 +0100
From: lupe@lupe-christoph.de (Lupe Christoph)
To: security@freebsd.org
Subject: aide 0.9, anybody

Hi!

I found that the Aide version in the ports is quite backrev (0.7, 0.9 is
current) and will not install, anyway:

bison -y -d -p conf -o /usr/ports/security/aide/work/aide-0.7/src/conf_yacc.c /usr/ports/security/aide/work/aide-0.7/src/conf_yacc.y
/usr/ports/security/aide/work/aide-0.7/src/conf_yacc.y:139.23-149.5: type clash (`i' `s') on default action
/usr/ports/security/aide/work/aide-0.7/src/conf_yacc.y:149.7: parse error, unexpected ":", expecting ";" or "|"

So I downloaded aide-0.9, but alas!

bison -y -d -p conf -o conf_yacc.c /usr/home/lupe/aide-0.9/src/conf_yacc.y
/usr/home/lupe/aide-0.9/src/conf_yacc.y:175.23-185.5: type clash (`i' `s') on default action
/usr/home/lupe/aide-0.9/src/conf_yacc.y:185.7: parse error, unexpected ":", expecting ";" or "|"
/usr/home/lupe/aide-0.9/src/conf_yacc.y:247.15: parse error, unexpected ":", expecting ";" or "|"
/usr/home/lupe/aide-0.9/src/conf_yacc.y:293.16: parse error, unexpected ":", expecting ";" or "|"

Before I invest more time in resolving this incompatibility: has anybody
already resolved this? I already overcame some problems in configure
with libgcrypt.

Who do I talk to about updating the port once it installs and works?

Thanks for hints,
Lupe Christoph
-- 
| lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be        |
| unsinkable. The designer had a speech impediment. He said: "I have     |
| thith great unthinkable conthept ..."                                  |

From owner-freebsd-security Thu Oct 31 17: 0: 3 2002
Date: 31 Oct 2002 19:59:50 -0500
From: Chris Shenton
To: security@freebsd.org
Subject: Telnet not offering SKey prompt despite keyinit, skeykeys, skey.access

I want to skey my telnet daemon (as I've done on other FreeBSD systems
in the past) but I can't get it to work on this system.

I'm running:

chris@beatnik_44% uname -a
FreeBSD beatnik.shenton.org 4.7-RC2 FreeBSD 4.7-RC2 #0: Thu Sep 26 04:07:11 GMT 2002 root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386

I generate keys for myself:

chris@beatnik_43% keyinit
Adding chris:
Reminder - Only use this method if you are directly connected.
If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:

ID chris s/key is 99 be97113
YALE NEIL EVEN OTT PRY FAIR

I check that the skeykeys file is created and make sure skey is allowed
(in fact, required from everywhere) in /etc/skey.access:

beatnik# ls -l /etc/skey*
-rw-r--r-- 1 root wheel 98 Oct 31 20:48 /etc/skey.access
-rw------- 1 root wheel 67 Oct 31 20:45 /etc/skeykeys

beatnik# cat /etc/skey.access
# why can't I get skey or opie to run on telnet?
deny internet 192.168.255.0 255.255.255.0
deny
#

beatnik# cat /etc/skeykeys
chris 0099 be97113 fe9861f0982352fa Oct 31,2002 20:45:27

Looks OK, but when I try to telnet, it doesn't offer the skey prompt,
just the normal reusable UNIX password:

chris@thanatos(260> telnet beatnik
Trying 192.168.255.183...
Connected to beatnik.shenton.org.
Escape character is '^]'.
Trying SRA secure login:
User (chris): chris
Password:
[ SRA accepts you ]

When I ssh to it, it does offer me the skey prompt, but (unless I'm
really fat-fingered) doesn't seem to recognize the phrase I generate on
the local box, then reverts to normal password auth:

chris@thanatos(264> ssh beatnik
s/key 98 be97113
Password:
Permission denied, please try again.
s/key 98 be97113
Password:
Permission denied, please try again.
s/key 97 be97113
Password:
chris@beatnik.shenton.org's password:

Any ideas what I'm missing? Thanks.

From owner-freebsd-security Fri Nov 1 5:53:35 2002
Date: Fri, 1 Nov 2002 09:59:13 -0300
From: "Ronan Lucio"
Subject: Something weird

Hello,

Today, when I logged in my server, last command showed
only one connection (the last).

So, I took a look at "netstat -a" and I haven't found
any connection from a strange IP on a different port.

I also took a look at "ps -ax" and I didn't find any
strange process running, either.

After that, I saw that the file /root/.history is
dated old (it's correct because I use another account
with bash shell).

Is there a possibility that it is an attack/invasion?

Thanks,
Ronan

From owner-freebsd-security Fri Nov 1 5:57:20 2002
Date: Fri, 1 Nov 2002 08:54:49 -0500 (EST)
From: "Gerald T. Freymann"
To: Ronan Lucio
Cc: security@freebsd.org
Subject: Re: Something weird

On Fri, 1 Nov 2002, Ronan Lucio wrote:

> Today, when I logged in my server, last command showed
> only one connection (the last).

It's the first day of November. Your history has been rolled over by
newsyslog.

That's my guess!

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Scary Gerry -- Senior Systems Manager freymann@scaryg.shacknet.nu
-For web-hosting, Perl, PHP & MySql programming see http://www.interpool.ca
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

From owner-freebsd-security Fri Nov 1 5:58:45 2002
Date: Fri, 1 Nov 2002 08:58:24 -0500
From: Chris Faulhaber
To: Ronan Lucio
Cc: security@freebsd.org
Subject: Re: Something weird

On Fri, Nov 01, 2002 at 09:59:13AM -0300, Ronan Lucio wrote:
> Hello,
>
> Today, when I logged in my server, last command showed
> only one connection (the last).
>

Monthly wtmp/log rotation, perhaps?

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Fri Nov 1 6:10:39 2002
Date: Fri, 1 Nov 2002 10:16:26 -0300
From: "Ronan Lucio"
Subject: Re: Something weird

> On Fri, Nov 01, 2002 at 09:59:13AM -0300, Ronan Lucio wrote:
> > Today, when I logged in my server, last command showed
> > only one connection (the last).
>
> That's because the month just changed from October to November.

Really, now I could see that wtmp.0 file is dated as Oct-31
at 18:09.

Thank you very much to all of you,
Ronan
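
Added example, not part of any message in the thread: a shell triage for the "Something weird" question that checks whether a short `last` listing matches what a newsyslog rotation leaves on disk. The function names, the sample directory, the 08:59 timestamp and the newsyslog.conf line are constructed for illustration; on a live system the directory would be /var/log.

```shell
#!/bin/sh
# Heuristic only: it checks that the files look the way a rotation leaves
# them, it does not prove that the records themselves are untouched.

# Print the "when" field of the wtmp entry in a newsyslog.conf-style file.
# An optional owner:group column after the file name shifts the fields by one.
wtmp_schedule() {
    awk '$1 == "/var/log/wtmp" {
             i = ($2 ~ /:/) ? 6 : 5      # skip owner:group if present
             print $i; exit
         }' "$1"
}

# Print one verdict for a log directory:
# rotated | no-live-file | no-archive | empty-archive | archive-newer
wtmp_rotation_check() {
    dir=$1
    arc=""
    # the newest archive is wtmp.0, possibly compressed
    for f in "$dir/wtmp.0" "$dir/wtmp.0.gz" "$dir/wtmp.0.bz2"; do
        if [ -z "$arc" ] && [ -f "$f" ]; then arc=$f; fi
    done
    if [ ! -f "$dir/wtmp" ]; then
        echo no-live-file     # rotation recreates the live file
    elif [ -z "$arc" ]; then
        echo no-archive       # history is gone and nothing was moved aside
    elif [ ! -s "$arc" ]; then
        echo empty-archive    # archive exists but holds no records
    elif [ -n "$(find "$arc" -newer "$dir/wtmp" -print)" ]; then
        echo archive-newer    # archive modified after the live file
    else
        echo rotated          # old records sit in the archive, as expected
    fi
}

# Constructed sample: wtmp.0 dated Oct 31 18:09 as in the thread, a live wtmp
# written the next morning, and a monthly newsyslog.conf entry (assumed).
make_sample() {
    d=$(mktemp -d)
    printf 'old login records\n' > "$d/wtmp.0"
    printf 'one new record\n' > "$d/wtmp"
    touch -t 200210311809 "$d/wtmp.0"
    touch -t 200211010859 "$d/wtmp"
    printf '/var/log/wtmp\t644  3\t*\t@01T05 B\n' > "$d/newsyslog.conf"
    echo "$d"
}

d=$(make_sample)
echo "schedule: $(wtmp_schedule "$d/newsyslog.conf")"
echo "verdict:  $(wtmp_rotation_check "$d")"
rm -rf "$d"
```

When the verdict is "rotated", `last -f /var/log/wtmp.0` lists the sessions that were moved aside.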