From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 02:19:26 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 815D416A4BF for ; Sun, 24 Aug 2003 02:19:26 -0700 (PDT)
Received: from postfix3-2.free.fr (postfix3-2.free.fr [213.228.0.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD4B043FCB for ; Sun, 24 Aug 2003 02:19:25 -0700 (PDT) (envelope-from patpro@patpro.net)
Received: from [82.64.132.76] (lns-th2-9-82-64-132-76.adsl.proxad.net [82.64.132.76]) by postfix3-2.free.fr (Postfix) with ESMTP id 7E72CC8EE for ; Sun, 24 Aug 2003 11:19:23 +0200 (CEST)
User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2106
Date: Sun, 24 Aug 2003 11:19:24 +0200
From: patpro
To:
Message-ID:
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Subject: weird problem with chkrootkit and checksums
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sun, 24 Aug 2003 09:19:26 -0000

Hello,

last night, my chkrootkit crontab returned an alarm message:

> Checking `lkm'... You have 1 process hidden for readdir command
> You have 2 process hidden for ps command
> Warning: Possible LKM Trojan installed

Some research on Google makes me think it's probably a false positive. I tried a few things:

re-launching chkrootkit: "Checking `lkm'... nothing detected"
re-compiling and launching a fresh binary: "Checking `lkm'... nothing detected"
and comparing some critical binaries with the ones compiled at the beginning of August during a make world:

$ md5 /usr/obj/usr/src/bin/ls/ls
MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
$ md5 /bin/ls
MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a

$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501

I feel like there is something wrong here... I picked random binaries and compared their checksums with their /usr/obj/usr/src/ counterparts, and every time they do not match. I tried the same check on another box running the same version of FreeBSD and found the same differing checksums:

$ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) = 7fbd1e72a5795b038b16ece37df13ee0
$ md5 /usr/bin/netstat
MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501

So I guess it's normal behavior. Can someone please explain to me why the original binaries (/usr/obj/usr/src/) don't have the same checksum as the installed binaries?
thanks,

patpro

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 03:42:57 2003
From: "Yonatan Bokovza"
Date: Sun, 24 Aug 2003 13:41:52 +0300
Subject: [solution] chkrootkit reports infected files
Thread-Topic: [solution] chkrootkit reports infected files

Hey all,

I've submitted a fix for the chkrootkit port, to solve the false positives on FreeBSD 5 and higher:
http://www.freebsd.org/cgi/query-pr.cgi?pr=55919

The topic, btw, should be "Teach security/chkrootkit about FreeBSD 5", but it's not my first typo today.

Maintainer, please approve.
Authors, please see if you can include the changes.
I also fixed a minor bug in chk_vdir.
Everyone else, please test it, as it was only tested on my 5.0 box.

Best Regards,
Yonatan

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 04:55:16 2003
From: "Yonatan Bokovza"
To: "Nelson Murilo"
Cc: freebsd-security@freebsd.org, jessen@nic.br
Date: Sun, 24 Aug 2003 14:54:16 +0300
Subject: RE: [solution] chkrootkit reports infected files

> -----Original Message-----
> From: Nelson Murilo [mailto:nelson@pangeia.com.br]
> Sent: Sunday, August 24, 2003 14:51
> To: Yonatan Bokovza
> Cc: freebsd-security@freebsd.org; cordeiro@luinil.nic.br; jessen@nic.br
> Subject: Re: [solution] chkrootkit reports infected files
>
>
>
> Hi Yonatan,
>
> I fixed all bugs in 5.x in 0.42 (next release), I look for
> your patch for chk_vdir.
>
> Thanks a lot for your interest in chkrootkit,

The difference is in chk_vdir:

- if [ -r ${CMD} ]; then
+ if [ ! -r ${CMD} ]; then

As things stand now, this returns NOT_FOUND if the file is readable, and errors out if the file doesn't exist or isn't readable.

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 06:45:55 2003
From: Colin Percival
To: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 06:45:50 -0700
Message-id: <5.0.2.1.1.20030824064019.02d7d090@popserver.sfu.ca>
Subject: EoL dates

Is there any reason why releases have EoL dates after only 12 months? While it's clear that some sort of EoL is important, I can't think of any security advisories recently which weren't accompanied by patches for all the security branches, even those which are no longer officially supported.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 07:18:16 2003
From: Martin Larsson
To: freebsd-security@freebsd.org
Reply-To: sopppp@home.se
Date: 24 Aug 2003 16:18:00 +0200
Message-Id: <1061734680.20025.1.camel@oddjob.kul.lan>
Subject: ibm fstack protector

Yo, I've been using the fstack protector for a while now and it worked fine until I was going to compile 4.8p3; then I got these errors:

sio.o(.text+0x18b7): undefined reference to `__guard'
sio.o(.text+0x1da9): undefined reference to `__guard'
sio.o(.text+0x1db9): undefined reference to `__stack_smash_handler'
vga_isa.o: In function `isavga_probe':
vga_isa.o(.text+0x10): undefined reference to `__guard'
vga_isa.o(.text+0xb9): undefined reference to `__guard'
vga_isa.o(.text+0xc9): undefined reference to `__stack_smash_handler'
vga_isa.o(.text+0xc9): undefined reference to `__stack_smash_handler'
*** Error code 1

Stop in /usr/obj/usr/src/sys/FJUTTSI.
*** Error code 1

Stop in /usr/src.
*** Error code 1

Stop in /usr/src.

Has anyone successfully compiled 4.8p3 with fstack protection? If not, how do I remove this thing? A clean /usr/src doesn't seem to be enough.

//martin

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 10:03:56 2003
From: Kris Kennaway
To: Colin Percival
Cc: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 10:03:54 -0700
Message-ID: <20030824170354.GA9172@rot13.obsecurity.org>
In-Reply-To: <5.0.2.1.1.20030824064019.02d7d090@popserver.sfu.ca>
Subject: Re: EoL dates

On Sun, Aug 24, 2003 at 06:45:50AM -0700, Colin Percival wrote:
> Is there any reason why releases have EoL dates after only 12
> months?

They are supported by unpaid volunteers who have a limit to the amount of free time they can donate to the project.

Kris

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 10:06:36 2003
From: Kris Kennaway
To: Martin Larsson
Cc: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 10:06:35 -0700
Message-ID: <20030824170635.GB9172@rot13.obsecurity.org>
In-Reply-To: <1061734680.20025.1.camel@oddjob.kul.lan>
Subject: Re: ibm fstack protector

On Sun, Aug 24, 2003 at 04:18:00PM +0200, Martin Larsson wrote:
> Yo, I've been using the fstack protector for a while now and it worked
> fine until I was going to compile 4.8p3; then I got these errors:
>
> sio.o(.text+0x18b7): undefined reference to `__guard'
> sio.o(.text+0x1da9): undefined reference to `__guard'
> sio.o(.text+0x1db9): undefined reference to `__stack_smash_handler'
> vga_isa.o: In function `isavga_probe':
> vga_isa.o(.text+0x10): undefined reference to `__guard'
> vga_isa.o(.text+0xb9): undefined reference to `__guard'
> vga_isa.o(.text+0xc9): undefined reference to `__stack_smash_handler'
> vga_isa.o(.text+0xc9): undefined reference to `__stack_smash_handler'
> *** Error code 1
>
> Stop in /usr/obj/usr/src/sys/FJUTTSI.
> *** Error code 1
>
> Stop in /usr/src.
> *** Error code 1
>
> Stop in /usr/src.
>
> Has anyone successfully compiled 4.8p3 with fstack protection?

It looks like you don't have the full /usr/src patch installed. The sys/libkern/stack_smash_handler.c file is supposed to provide these symbols.
Kris

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 10:15:57 2003
From: Colin Percival
To: Kris Kennaway, Colin Percival
Cc: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 10:14:31 -0700
Message-id: <5.0.2.1.1.20030824100546.02c8cc00@popserver.sfu.ca>
In-reply-to: <20030824170354.GA9172@rot13.obsecurity.org>
Subject: Re: EoL dates

At 10:03 24/08/2003 -0700, Kris Kennaway wrote:
> On Sun, Aug 24, 2003 at 06:45:50AM -0700, Colin Percival wrote:
> > Is there any reason why releases have EoL dates after only 12
> > months?
>
> They are supported by unpaid volunteers who have a limit to the amount
> of free time they can donate to the project.

Either I'm missing your point, or you're missing my point. There are five release branches now which are "not officially supported", but I have yet to see any circumstance where they have, in fact, not been supported. If those branches were not being supported because people were too busy to support them, I'd understand perfectly; but as far as I can see, those branches *are* being supported.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 10:40:16 2003
From: Colin Percival
To: Colin Percival, Kris Kennaway
Cc: freebsd-security@freebsd.org
Date: Sun, 24 Aug 2003 10:38:49 -0700
Message-id: <5.0.2.1.1.20030824103515.02cbf388@popserver.sfu.ca>
In-reply-to: <5.0.2.1.1.20030824100546.02c8cc00@popserver.sfu.ca>
Subject: Re: EoL dates

At 10:14 24/08/2003 -0700, I wrote:
> Either I'm missing your point, or you're missing my point. There are
> five release branches now which are "not officially supported", but I
> have yet to see any circumstance where they have, in fact, not been
> supported. If those branches were not being supported because people
> were too busy to support them, I'd understand perfectly; but as far as I
> can see, those branches *are* being supported.

Oops. As hawkeyd@visi.com has just pointed out to me, I didn't look far enough; SA-03:01, :02, :03, :05, and :06 didn't have official patches for the unsupported branches.

I'll go sit quietly in the corner now.
Colin Percival

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 10:47:59 2003
From: Kris Kennaway
To: Colin Percival
Cc: freebsd-security@freebsd.org, Kris Kennaway
Date: Sun, 24 Aug 2003 10:47:57 -0700
Message-ID: <20030824174757.GA9678@rot13.obsecurity.org>
In-Reply-To: <5.0.2.1.1.20030824103515.02cbf388@popserver.sfu.ca>
Subject: Re: EoL dates

On Sun, Aug 24, 2003 at 10:38:49AM -0700, Colin Percival wrote:
> At 10:14 24/08/2003 -0700, I wrote:
> > Either I'm missing your point, or you're missing my point. There are
> > five release branches now which are "not officially supported", but I
> > have yet to see any circumstance where they have, in fact, not been
> > supported. If those branches were not being supported because people
> > were too busy to support them, I'd understand perfectly; but as far as I
> > can see, those branches *are* being supported.
>
> Oops. As hawkeyd@visi.com has just pointed out to me, I didn't look far
> enough; SA-03:01, :02, :03, :05, and :06 didn't have official patches for
> the unsupported branches.

Yep. In many cases the security team will go "beyond the call of duty" to fix problems in non-supported releases, but it comes down to factors like how significant the hole is, how easy the patch is to backport and how motivated security-officer is to fix it for non-supported releases.

Kris

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 16:27:44 2003
From: horio shoichi
To: patpro
Cc: freebsd-security@freebsd.org
Date: Mon, 25 Aug 2003 08:27:33 +0900
Message-Id: <20030824.232734.8f68bd1f152d203f.10.0.3.9@bugsgrief.net>
Subject: Re: weird problem with chkrootkit and checksums

On Sun, 24 Aug 2003 11:19:24 +0200 patpro wrote:
> Hello,
>
> last night, my chkrootkit crontab returned an alarm message:
>
> > Checking `lkm'... You have 1 process hidden for readdir command
> > You have 2 process hidden for ps command
> > Warning: Possible LKM Trojan installed
>
> Some research on Google makes me think it's probably a false positive. I
> tried a few things:
>
> re-launching chkrootkit: "Checking `lkm'... nothing detected"
> re-compiling and launching a fresh binary: "Checking `lkm'... nothing
> detected"
> and comparing some critical binaries with the ones compiled at the beginning
> of August during a make world:
>
> $ md5 /usr/obj/usr/src/bin/ls/ls
> MD5 (/usr/obj/usr/src/bin/ls/ls) = cd2dcad3cc08b5f5ad05456f016e8099
> $ md5 /bin/ls
> MD5 (/bin/ls) = 1808e84cfcbaf71ce1073cc418ff262a
>
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
> 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
>
> I feel like there is something wrong here...
> I picked random binaries and compared their checksums with their
> /usr/obj/usr/src/ counterparts, and every time they do not match.
> I tried the same check on another box running the same version of FreeBSD
> and found the same differing checksums:
>
> $ md5 /usr/obj/usr/src/usr.bin/netstat/netstat
> MD5 (/usr/obj/usr/src/usr.bin/netstat/netstat) =
> 7fbd1e72a5795b038b16ece37df13ee0
> $ md5 /usr/bin/netstat
> MD5 (/usr/bin/netstat) = 77bd719216a4bca383333a420b2d9501
>
> So I guess it's normal behavior. Can someone please explain to me why the
> original binaries (/usr/obj/usr/src/) don't have the same checksum as the
> installed binaries?
>
> thanks,
>
> patpro
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

Like this?

% ls -l /bin/ls
-r-xr-xr-x  1 root  wheel  304840 Aug  6 23:52 /bin/ls*
% ls -l /usr/obj/usr/src/bin/ls/ls
-rwxr-xr-x  1 root  horio  328286 Aug  6 22:40 /usr/obj/usr/src/bin/ls/ls*
% file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, stripped
% file /usr/obj/usr/src/bin/ls/ls
/usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 4.8, statically linked, not stripped

horio shoichi

From owner-freebsd-security@FreeBSD.ORG Mon Aug 25 13:44:12 2003
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Date: Mon, 25 Aug 2003 15:44:09 -0500
Message-ID: <20030825204409.GA35646@madman.celabo.org>
X-Url: http://www.celabo.org/
Subject: NOTE regarding sendmail DNS map issue

You may or may not have already seen:

I thought I'd drop an explanatory note here until I publish an advisory.

This problem has been known for some time (it was first reported in FreeBSD PR#54367). The default configuration of sendmail is unaffected, and it is unknown whether the issue is truly exploitable by any means. Nonetheless, I requested that sendmail.org publish a notice so that we (FreeBSD) could also publish an advisory and merge the fix into our security branches "just in case". Since they have now announced the issue, we'll take care of the advisory this week.

The fix is already in Sendmail 8.12.9 and so is already in 5.1-RELEASE and later as well as 4.8-STABLE (but not 4.8-RELEASE). Also, I believe the error was introduced in Sendmail 8.12.2, and so it is not present in FreeBSD releases before 4.5-RELEASE.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Sun Aug 24 04:51:02 2003
From: Nelson Murilo
To: Yonatan Bokovza
Cc: freebsd-security@freebsd.org, jessen@nic.br
Date: Sun, 24 Aug 2003 08:50:59 -0300
Message-ID: <20030824115059.GC22271@pangeia.com.br>
X-Mailman-Approved-At: Tue, 26 Aug 2003 04:12:35 -0700
Subject: Re: [solution] chkrootkit reports infected files

Hi Yonatan,

I fixed all bugs in 5.x in 0.42 (next release); I'll look for your patch for chk_vdir.

Thanks a lot for your interest in chkrootkit,

./nelson -murilo

On Sun, Aug 24, 2003 at 01:41:52PM +0300, Yonatan Bokovza wrote:
> Hey all,
> I've submitted a fix for the chkrootkit port, to solve the
> false positives on FreeBSD 5 and higher:
> http://www.freebsd.org/cgi/query-pr.cgi?pr=55919
> The topic, btw, should be "Teach security/chkrootkit
> about FreeBSD 5", but it's not my first typo today.
>
> Maintainer, please approve.
> Authors, please see if you can include the changes.
> I also fixed a minor bug in chk_vdir.
> Everyone else, please test it, as it was only tested
> on my 5.0 box.
>
>
> Best Regards,
> Yonatan

From owner-freebsd-security@FreeBSD.ORG Tue Aug 26 09:43:33 2003
Date: Tue, 26 Aug 2003 09:43:31 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Message-Id: <200308261643.h7QGhVsC025312@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-03:11.sendmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:11.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendmail DNS map problem

Category:       contrib
Module:         contrib_sendmail
Announced:      2003-08-26
Credits:        Oleg Bulyzhin
Affects:        4.6-RELEASE (up to -p16), 4.7-RELEASE (up to -p13),
                4.8-RELEASE (up to -p3), 5.0-RELEASE (up to -p11)
                4-STABLE prior to Mar 29 19:33:18 2003 UTC
Corrected:      2003-08-25 22:33:14 UTC (RELENG_5_0)
                2003-08-25 22:35:23 UTC (RELENG_4_8)
                2003-08-25 22:36:10 UTC (RELENG_4_7)
                2003-08-25 22:38:53 UTC (RELENG_4_6)
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

Some versions of sendmail (8.12.0 through 8.12.8) contain a programming error in the code that implements DNS maps. A malformed DNS reply packet may cause sendmail to call `free()' on an uninitialized pointer.

NOTE: The default sendmail configuration in FreeBSD does not utilize DNS maps.

III. Impact

Calling `free()' on an uninitialized pointer may result in a sendmail child process crashing. It may also be possible for an attacker to somehow influence the value of the `uninitialized pointer' and cause an arbitrary memory chunk to be freed. This could further lead to some other exploitable vulnerability, although no such cases are known at this time.

IV.  Workaround

Do not use DNS maps.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE, 5.1-RELEASE, or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p11, 4.8-RELEASE-p4, or 4.7-RELEASE-p14, respectively).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.0, 4.8, 4.7, and 4.6 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:11/sendmail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install

c) Restart sendmail. Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Path                                                             Revision
                                                                   Branch
- -------------------------------------------------------------------------
src/UPDATING
  RELENG_5_0                                                   1.229.2.17
  RELENG_4_8                                                1.73.2.80.2.6
  RELENG_4_7                                               1.73.2.74.2.17
  RELENG_4_6                                               1.73.2.68.2.45
src/sys/conf/newvers.sh
  RELENG_5_0                                                    1.48.2.12
  RELENG_4_8                                                1.44.2.29.2.5
  RELENG_4_7                                               1.44.2.26.2.16
  RELENG_4_6                                               1.44.2.23.2.34
src/contrib/sendmail/src/sm_resolve.c
  RELENG_5_0                                                  1.1.1.4.2.1
  RELENG_4_8                                              1.1.1.1.2.2.4.1
  RELENG_4_7                                              1.1.1.1.2.2.2.1
  RELENG_4_6                                              1.1.1.1.2.1.2.2
- -------------------------------------------------------------------------

VII.
References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/S4xUFdaIBMps37IRAoJ4AJ9AiL4AMlSXz/thD2SuNkKSQsUZHgCeKbds
qEb9Em5ElZZOEnIajwneKIg=
=SjNG
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Aug 26 10:24:59 2003
Date: Tue, 26 Aug 2003 12:24:57 -0500
From: "Jacques A. Vidrine"
To: Nate Eldredge
cc: freebsd-security@FreeBSD.org
cc: security-officer@freebsd.org
Message-ID: <20030826172457.GA58834@madman.celabo.org>
References: <200308261643.h7QGhVrZ025321@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:11.sendmail

On Tue, Aug 26, 2003 at 10:15:58AM -0700, Nate Eldredge wrote:
> There appears to be a small but confusing error in this advisory.

Hi! Thanks for the report.

> On Tue, 26 Aug 2003, FreeBSD Security Advisories wrote:
> > ...
> >
> > V.   Solution
> >
> > Do one of the following:
> >
> > 1) Upgrade your vulnerable system to 4-STABLE, 5.1-RELEASE, or to the
> > RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the
> > correction date (5.1-RELEASE-p11, 4.8-RELEASE-p4, or 4.7-RELEASE-p14,
> > respectively).
>
> I assume this should be RELENG_5_0 and 5.0-RELEASE-p11.

The error is a bit more confusing, even. It should have read:

> 1) Upgrade your vulnerable system to 4-STABLE, 5.1-RELEASE, or to the
> RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the
> correction date (5.1-RELEASE-p2, 4.8-RELEASE-p4, or 4.7-RELEASE-p14,
> respectively).

We always recommend that one upgrades to the latest unaffected release, the latest stable branch, or latest supported security branch. 5.0-RELEASE is not a supported security branch any longer.

Sorry for the confusion. I'll update the advisory on the ftp site.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
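Step 2(a) of the advisory above says to verify the detached signature before patching, and 2(b) then applies the patch straight into /usr/src. The wrapper below is an added example written for this thread, not part of the advisory or of FreeBSD's tooling. It assumes gpg(1) and a patch(1) that accepts --dry-run, and that the key the FreeBSD Security Officer signs with is already in your keyring; the file names are the advisory's own. It fails closed: a missing PGP tool, a signature that does not verify, or a patch that does not apply cleanly in rehearsal all leave the source tree untouched.

```shell
#!/bin/sh
# Added example (not from the advisory): apply a FreeBSD security patch only
# after its detached PGP signature verifies and a dry run applies cleanly.
# Fails closed: no gpg(1), a bad signature, or a patch that does not apply
# all leave the source tree untouched.

# apply_verified_patch <patch file> <detached .asc signature> <source dir>
# Exit status: 0 = applied, 1 = signature or dry run failed (nothing applied),
#              2 = gpg(1) not available (nothing applied).
apply_verified_patch() {
    patchfile=$1
    sigfile=$2
    srcdir=$3

    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; refusing to apply $patchfile unverified" >&2
        return 2
    fi

    # Argument order matters: the detached signature comes first, then the
    # data it signs. gpg exits non-zero on a bad signature or an unknown key.
    if ! gpg --verify "$sigfile" "$patchfile" >/dev/null 2>&1; then
        echo "signature check FAILED for $patchfile; not applying" >&2
        return 1
    fi

    # Rehearse from inside the tree, exactly as the advisory's
    # "cd /usr/src; patch < /path/to/patch" would run, before changing anything.
    # (--dry-run is assumed to be understood by the local patch(1).)
    if ! ( cd "$srcdir" && patch --dry-run -s < "$patchfile" ) >/dev/null 2>&1; then
        echo "patch does not apply cleanly in $srcdir; not applying" >&2
        return 1
    fi

    ( cd "$srcdir" && patch -s < "$patchfile" )
}

# Usage with the advisory's file names, after downloading both:
#   apply_verified_patch sendmail.patch sendmail.patch.asc /usr/src
```

The signature check is the step people skip when patching by hand; making the patch step conditional on it means a tampered mirror or a truncated download cannot get into the tree by accident.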
nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Aug 27 00:57:26 2003
Date: Wed, 27 Aug 2003 09:57:22 +0200
From: patpro
To: horio shoichi ,
In-Reply-To: <20030824.232734.8f68bd1f152d203f.10.0.3.9@bugsgrief.net>
Subject: Re: weird problem with chkrootkit and checksums

> % file /bin/ls
> /bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for
> FreeBSD 4.8, statically linked, stripped
> % file /usr/obj/usr/src/bin/ls/ls
> /usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1
> (FreeBSD), for FreeBSD 4.8, statically linked, not stripped

ok thanx, so the "make installworld" does not only copy binaries to their destination ?
patpro

From owner-freebsd-security@FreeBSD.ORG Wed Aug 27 01:46:47 2003
Date: Wed, 27 Aug 2003 11:38:29 +0300
From: Peter Pentchev
To: patpro
cc: freebsd-security@freebsd.org
Message-ID: <20030827083828.GI623@straylight.oblivion.bg>
References: <20030824.232734.8f68bd1f152d203f.10.0.3.9@bugsgrief.net>
Subject: Re: weird problem with chkrootkit and checksums

On Wed, Aug 27, 2003 at 09:57:22AM +0200, patpro wrote:
> > % file /bin/ls
> > /bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for
> > FreeBSD 4.8, statically linked, stripped
> > % file /usr/obj/usr/src/bin/ls/ls
> > /usr/obj/usr/src/bin/ls/ls: ELF 32-bit LSB executable, Intel 80386, version 1
> > (FreeBSD), for FreeBSD 4.8, statically linked, not stripped
>
>
> ok thanx, so the "make installworld" does not only copy binaries to their
> destination ?

'make installworld' uses the install(1) program to copy files cleanly (including overwriting files in use, copying files across filesystems, preserving or modifying ownership and permissions as necessary).

For programs, 'make installworld' uses the -s flag to install(1) to strip the debugging information, unless you have not explicitly told it not to by setting the STRIP variable to an empty value:

# make STRIP='' installworld

..or a bit simpler although error-prone if you're not used to it:

# make STRIP= installworld

(note the space after 'STRIP=')

Thus, yes, 'make installworld' may modify executable files during the installation.

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net  roam@sbnd.net  roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence was in the past tense.
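Peter's explanation above answers patpro's checksum question, and it also says how installed binaries can be verified against the build tree properly: strip a scratch copy of the /usr/obj file first, then compare. The script below is an added example written for this thread, not code from the list or from FreeBSD's build system. It assumes a strip(1) that accepts -o and uses whichever MD5 tool the host has; it reports OK only when the installed file is byte-identical to the stripped build output, which is what an untouched installworld leaves behind.

```shell
#!/bin/sh
# Added example (not from the thread): compare a binary built in /usr/obj
# with its installed copy the way installworld produced it, i.e. stripped.
# A raw md5 of the two files differs on every stripped install even when
# nothing is wrong; stripping a scratch copy first removes that noise.

# Print an MD5 hex digest with whichever tool the host provides.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_installed <built binary> <installed binary>
# Exit status: 0 = installed file equals the stripped build output,
#              1 = mismatch (investigate),
#              2 = the check could not be made (no strip(1), unreadable input).
verify_installed() {
    built=$1
    installed=$2
    command -v strip >/dev/null 2>&1 || return 2
    [ -r "$built" ] && [ -r "$installed" ] || return 2
    scratch=$(mktemp) || return 2
    # strip -o writes the stripped copy elsewhere (assumed supported);
    # the build tree itself is never modified.
    if ! strip -o "$scratch" "$built" 2>/dev/null; then
        rm -f "$scratch"
        return 2
    fi
    want=$(md5hex "$scratch")
    have=$(md5hex "$installed")
    rm -f "$scratch"
    if [ "$want" = "$have" ]; then
        printf 'OK        %s\n' "$installed"
        return 0
    fi
    printf 'MISMATCH  %s  stripped-build=%s installed=%s\n' "$installed" "$want" "$have"
    return 1
}

# The pairs from the original post would be checked like this:
#   verify_installed /usr/obj/usr/src/bin/ls/ls /bin/ls
#   verify_installed /usr/obj/usr/src/usr.bin/netstat/netstat /usr/bin/netstat
```

A MISMATCH after stripping is what deserves attention: the installed file is not what the build produced. Run the check with tools you trust, since a replaced md5 or strip on the suspect system would hide exactly this.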
From owner-freebsd-security@FreeBSD.ORG Wed Aug 27 01:55:45 2003
Date: Wed, 27 Aug 2003 10:55:43 +0200
From: patpro
To: Peter Pentchev
cc: freebsd-security@freebsd.org
In-Reply-To: <20030827083828.GI623@straylight.oblivion.bg>
Subject: Re: weird problem with chkrootkit and checksums

>> ok thanx, so the "make installworld" does not only copy binaries to their
>> destination ?
>
> 'make installworld' uses the install(1) program to copy files cleanly
> (including overwriting files in use, copying files across filesystems,
> preserving or modifying ownership and permissions as necessary).
> For programs, 'make installworld' uses the -s flag to install(1) to
> strip the debugging information, unless you have not explicitly told
> it not to by setting the STRIP variable to an empty value:

ok, thank you for the explanation.

regards,
patpro

From owner-freebsd-security@FreeBSD.ORG Wed Aug 27 01:56:18 2003
Date: Wed, 27 Aug 2003 20:56:15 +1200 (NZST)
From: Andrew McNaughton
To: freebsd-security@freebsd.org
Message-ID: <20030827202228.P93986@a2.scoop.co.nz>
Subject: source addresses for IP traffic between jails

I'm setting up a server environment where I've got a bunch of jails running using aliased IPs on the same interface. I'd like to be able to use ipfw to place limits on the traffic between jails, but I'm running into problems.

When I use tcpdump to look at TCP traffic from one jail to another, it shows both the source and destination IP for the packets as being the IP assigned to the jail which the connection is made to.
When I look at UDP traffic (again using tcpdump) I see both the source and destination IP being that of the jail IP the particular packet is destined for.

Given the situation above, is it possible for ipfw to distinguish which jails are involved in a packet exchange?

I've wondered about giving each jail its own pseudo-interface. Are there any problems with creating many pseudo-interfaces like this? What sort of interface should I use? You apparently can't create multiple loopback interfaces, which would be the obvious choice (ie `ifconfig lo1 create` does not work). The interface types I know about that allow creation of pseudo-interfaces are tunnel type interfaces, which don't really suit this purpose. Is there something suitable?

Given that packets are coming from a jail, is the packet construction I'm seeing correct, or should this be considered a bug?

Andrew McNaughton

-- 
No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use.
-------------------------------------------------------------------
Andrew McNaughton                         In Sydney
Working on a Product Recommender System
andrew@scoop.co.nz                        Mobile: +61 422 753 792
http://staff.scoop.co.nz/andrew/cv.doc

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 07:42:04 2003
Date: Thu, 28 Aug 2003 10:41:59 -0400
From: jahmon
To: freeBSD-security@freebsd.org
Subject: compromised server

I have a server that has been compromised.
I'm running version 4.6.2
when I do

>last

this line comes up in the list.
shutdown ~ Thu Aug 28 05:22
That was the time the server went down.
There seemed to be some configuration changes.
Some of the files seemed to revert back to default versions
(httpd.conf, resolv.conf)

Does anyone have a clue what type of exploit they may have used?
Is there any way I can find out if there are any trojans installed?

Thanks

jahmon

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 08:22:44 2003
Date: Thu, 28 Aug 2003 17:22:25 +0200
From: "Guy P."
To: freeBSD-security@freebsd.org
Message-Id: <5.2.1.1.0.20030828171237.02796a00@device.dyndns.org>
Subject: Re: compromised server

At 16:41 28/08/2003, jahmon wrote:
>I have a server that has been compromised.
>I'm running version 4.6.2
>when I do
>
> >last
>
>this line comes up in the list.
>shutdown ~ Thu Aug 28 05:22
>That was the time the server went down.
>There seemed to be some configuration changes.
>Some of the files seemed to revert back to default versions
>(httpd.conf, resolv.conf)
>
>Does anyone have a clue what type of exploit they may have used?
>Is there any way I can find out if there are any trojans installed?
>
>Thanks
>
>jahmon

Usual process is to shut down the computer ASAP, and never boot again from its current disk till it's wiped out / or you retrieved all the information you wanted. Instead, boot off a CD (live filesystem if you got it, but install CD could do too) and make sure to mount your (compromised) disk(s) read-only, without running anything executable out of it. Then proceed to investigation.

First step would be chkrootkit (though part of its tests requires you to run it "live" on the suspicious system). Also spend some time reading the various /var/log files (but don't rely on their integrity). If you have an aide or tripwire "image" of your system somewhere, time to put it to use.

For more ideas you could read for instance the archives of honeynet challenges ( http://project.honeynet.org/misc/chall.html ).
gd'luk
-- 
Guy

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 09:15:39 2003
Date: Thu, 28 Aug 2003 18:15:00 +0200
From: "Devon H. O'Dell"
To: jahmon , freebsd-security@freebsd.org
Message-ID: <3F4E2A84.4050007@sitetronics.com>
Subject: Re: compromised server

Heh, I forgot to send this to the group... so here it is.

To check for suid and sgid programs, run the following command:

find / -type f \( -perm -04000 -o -perm -02000 \)

Hope this helps.

--Devon

jahmon wrote:
> Devon,
>
> checked the /var/log - nothing strange found
> ran chkrootkit - nothing found
> checked user accounts - no new accounts found
>
> how do I check for suid permissions.
>
> Thanks,
>
> jahmon
> On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. O'Dell wrote:
>
>> You will want to read everything in /var/log, run chkrootkit, check
>> out .history files, look for new user accounts, look for files with
>> suid permissions and other similar stuff. I don't know of a site that
>> really says what exactly to do. If someone knows such a reference,
>> it'd be highly useful. Otherwise, is anybody willing to write one
>> (I'd be willing to contribute).
>>
>> One good thing may be to search for computer forensics on Google;
>> specifically for compromised servers. Combining those and other words
>> may give you varying levels of success, I think.
>>
>> --Devon
>>
>> jahmon wrote:
>>
>>> I have a server that has been compromised.
>>> I'm running version 4.6.2
>>> when I do
>>>
>>> >last
>>>
>>> this line comes up in the list.
>>> shutdown ~ Thu Aug 28 05:22
>>> That was the time the server went down.
>>> There seemed to be some configuration changes.
>>> Some of the files seemed to revert back to default versions
>>> (httpd.conf, resolv.conf)
>>>
>>> Does anyone have a clue what type of exploit they may have used?
>>> Is there any way I can find out if there are any trojans installed?
>>>
>>> Thanks
>>>
>>> jahmon
>>>
>>> _______________________________________________
>>> freebsd-security@freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>>> To unsubscribe, send any mail to
>>> "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 09:16:45 2003
Date: Thu, 28 Aug 2003 12:16:44 -0400
From: "James"
To: "jahmon" ,
Reply-To: James
Message-ID: <049001c36d7f$c9e5ca60$6502a8c0@jim>
Subject: Re: compromised server

Hello Jahmon,

In regards to your question I would check over your resolv.conf and httpd.conf and check the /var/log/messages and various other logging utilities. Also,

  a. Run only the services you plan on using.
  b. Use only the services that are necessary.
  c. Use secure passwords.
  d. Force users on your machine to use secure passwords.
  e. Restrict root access to a minimal set of services.
  f. Restrict access to these services via inetd and tcpwrappers.
  g. Restrict access to your box using IP Firewall services (ipfw).
  h. Log events on your machine and understand what logs are being kept.
  i. Install some type of system change detection software so that you can tell if your server has been compromised.
  j. Back up your server's data so that if it is compromised you can reinstall from scratch, but still have your data available.
  k. Finally, physical security is important. The more people who have physical access to the machine, the less secure your server is.

When this is completed, run a sockstat command at the root prompt. This will enable you to view various programs and ports being used. If you suspect something that's not bound onto the proper port, firewall it until you can reinstall the program. In any case, being hacked, rootkits install various programs to set up setuid programs and/or utilities for sshd and other programs. In many cases for my clients' machines I would login and update all programs, run cvsup and make buildworld ; make installworld over again. (Don't forget sockstat.) This will enable you to see if their rootkit was enabling any remote open ports to drop to a root prompt.

Thank You,
James Thomas
Sr. Administrator
admin@oxygenshell.com

----- Original Message -----
From: "jahmon"
To:
Sent: Thursday, August 28, 2003 10:41 AM
Subject: compromised server

> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 09:45:26 2003
Date: Thu, 28 Aug 2003 09:45:24 -0700 (PDT)
From: twig les
To: "Devon H. O'Dell" , jahmon , freebsd-security@freebsd.org
In-Reply-To: <3F4E2A84.4050007@sitetronics.com>
Message-ID: <20030828164524.7275.qmail@web10105.mail.yahoo.com>
Subject: Re: compromised server

No one will be able to even guess how they got in without knowing what you are running on the box (IIS, MSSql, etc. [hahah, jk]). Although this may be belated, there is an excellent book called "Incident Response: Investigating Computer Crime" from authors Mandia and Prosise. Unfortunately I can almost guarantee that the advice the book will give you is to restore from the last known-good backup after re-installing the OS cleanly.
If you were going to try to go hardcore forensics on an intrusion you would have to already have a nice set of utilities, hopefully on CD or floppy, ready to be mounted like: ps, ls, top, The Coroner's Toolkit, etc (I'm sure I'm missing a bunch). Sorry for the doom and gloom (and the lame MS joke) but the book is truly a fascinating read even if you have nothing to do with incident response. --- "Devon H. O'Dell" wrote: > Heh, I forgot to send this to the group... so here it is. > > To check for suid and sgid programs, run the following > command: > > |find / -type f \(-perm -04000 -o -perm -02000 \) > > Hope this helps. > > --Devon > | > jahmon wrote: > > > Devon, > > > > checked the /var/log - nothing strange found > > ran chkrootkit - nothing found > > checked user accounts - no new accounts found > > > > how do I check for suid permissions. > > > > Thanks, > > > > jahmon > > On Thursday, Aug 28, 2003, at 10:55 US/Eastern, Devon H. > O'Dell wrote: > > > >> You will want to read everything in /var/log, run > chkrootkit, check > >> out .history files, look for new user accounts, look for > files with > >> suid permissions and other similar stuff. I don't know of a > site that > >> really says what exactly to do. If someone knows such a > reference, > >> it'd be highly useful. Otherwise, is anybody willing to > write one > >> (I'd be willing to contribute). > >> > >> One good thing may be to search for computer forensics on > Google; > >> specifically for comprimised servers. Combining those and > other words > >> may give you varying levels of success, I think. > >> > >> --Devon > >> > >> jahmon wrote: > >> > >>> I have a server that has been compromised. > >>> I'm running version 4.6.2 > >>> when I do > >>> > >>> >last > >>> > >>> this line comes up in the list. > >>> shutdown ~ Thu Aug 28 > 05:22 > >>> That was the time the server went down. > >>> There seemed to be some configuration changes. 
> >>> Some of the files seemed to revert back to default > versions > >>> (httpd.conf, resolv.conf) > >>> > >>> Does anyone have a clue what type of exploit they may have > used? > >>> Is there anyway I can find out if there are any trojans > installed? > >>> > >>> Thanks > >>> > >>> jahmon > >>> > >>> _______________________________________________ > >>> freebsd-security@freebsd.org mailing list > >>> http://lists.freebsd.org/mailman/listinfo/freebsd-security > >>> To unsubscribe, send any mail to > >>> "freebsd-security-unsubscribe@freebsd.org" > >>> > >>> > >> > > > > > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" ===== ----------------------------------------------------------- Emo is what happens when the glee club goes punk. ----------------------------------------------------------- __________________________________ Do you Yahoo!? Yahoo! 
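The advice in this thread is to look for setuid/setgid files, and that only becomes actionable after an incident if there is a baseline from before it to compare against. The following is an added example, not code from anyone in the thread: it wraps the same find(1) test Devon quotes in a small baseline-and-compare script. The directory layout, file names and contents in the demo are constructed, and cksum(1) stands in for the md5(1) or sha256(1) a FreeBSD admin would more likely use, because it is POSIX and runs unchanged on Linux.

```shell
#!/bin/sh
# Added example, not part of the thread: keep a baseline of setuid/setgid
# files and compare it after an incident, using the find(1) test quoted
# above. Paths, file names and contents in the demo are constructed.
export LC_ALL=C   # identical collation for sort(1) and comm(1)

# Inventory of setuid/setgid regular files under $1 as "crc size path",
# one per line, sorted. cksum(1) is POSIX and exists on FreeBSD and Linux;
# on FreeBSD md5(1) or sha256(1) would be the stronger choice.
suid_inventory() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -exec cksum {} \; \
        | sort
}

# Compare a fresh inventory of $1 with the baseline file $2. Prints
# "+ line" for entries that are new or whose checksum changed and
# "- line" for entries that vanished or changed; returns 1 if anything
# differs, 0 if the tree still matches the baseline.
suid_compare() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/suidchk.XXXXXX") || return 2
    suid_inventory "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    comm -13 "$2" "$tmp" | sed 's/^/+ /'
    comm -23 "$2" "$tmp" | sed 's/^/- /'
    rm -f "$tmp"
    return 1
}

# Constructed demo: a tiny tree with one setuid file is baselined; then a
# new setuid file is planted and the existing one is replaced (and marked
# setuid again, as a replacement binary would be). Prints "<added> <removed>".
suid_demo() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/suidchk.XXXXXX") || return 2
    base="$root.baseline"
    mkdir -p "$root/bin" "$root/usr/local/bin"
    printf 'stand-in for a setuid binary\n' > "$root/bin/passwd"
    chmod 4755 "$root/bin/passwd"
    printf 'ordinary file\n' > "$root/bin/ls"
    chmod 0755 "$root/bin/ls"
    suid_inventory "$root" > "$base"

    printf 'planted\n' > "$root/usr/local/bin/helper"
    chmod 4755 "$root/usr/local/bin/helper"
    printf 'replaced contents\n' > "$root/bin/passwd"
    chmod 4755 "$root/bin/passwd"

    out=$(suid_compare "$root" "$base") || true
    added=$(printf '%s\n' "$out" | grep -c '^+ ') || true
    removed=$(printf '%s\n' "$out" | grep -c '^- ') || true
    rm -rf "$root" "$base"
    echo "$added $removed"
}
```

In real use the baseline is taken from a known-good system (or from the freshly built /usr/obj tree) and stored off the box, since a baseline kept on a compromised host is worth nothing; the demo above reports two added entries (the planted helper and the replaced passwd) and one removed (the original passwd checksum).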
From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 09:58:09 2003
From: Mike Tancsa
To: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 13:00:26 -0400
Message-Id: <5.2.0.9.0.20030828125725.066d9ca0@209.112.4.2>
Subject: new DoS technique (exploiting TCP retransmission timeouts)

An interesting paper

http://www.acm.org/sigcomm/sigcomm2003/papers/p75-kuzmanovic.pdf

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                  tel +1 519 651 3400
Sentex Communications,                        mike@sentex.net
Providing Internet since 1994                 www.sentex.net
Cambridge, Ontario Canada                     www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 10:44:31 2003
From: "Devon H. O'Dell"
Cc: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 19:43:49 +0200
Message-ID: <3F4E3F55.1080308@sitetronics.com>
In-Reply-To: <5.2.0.9.0.20030828125725.066d9ca0@209.112.4.2>
Subject: Re: new DoS technique (exploiting TCP retransmission timeouts)

It's good to see countermeasures discussed in this text. At the same
time, I wonder how long it will take for people to develop these
countermeasures on a large scale.

--Devon

Mike Tancsa wrote:
> An interesting paper
>
> http://www.acm.org/sigcomm/sigcomm2003/papers/p75-kuzmanovic.pdf
>
> ---Mike

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 11:37:50 2003
From: Louis Kowolowski
To: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 11:37:42 -0700
Message-ID: <20030828183742.GA249@freespoon.cryptomonkeys.org>
Subject: snort, postgres, bridge
I've been prowling through the FreeBSD and Snort list archives in
search of information on setting up snort on a FreeBSD bridge(4) that
logs to a remote postgres box via a third interface (hme0)

Snort is being started with the following command:

/usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr/local/etc/snort.conf

Where fxp0 and fxp1 are in the bridge

output from sysctl:
net.link.ether.bridge_cfg: fxp0:0,fxp1:0
net.link.ether.bridge: 1
net.link.ether.bridge_ipfw: 0
net.link.ether.bridge_ipf: 1
net.link.ether.bridge_ipfw_drop: 0
net.link.ether.bridge_ipfw_collisions: 0

The snort.conf is attached. I've attempted to start with a pretty
generic config, just to ensure things work.

The problem appears to be that snort simply doesn't log to the remote
postgres box (yes, there are host entries in pg_hba.conf, and other
databases are accessible remotely, so I believe that is not the issue).
I've just been running trafshow to watch connections.

Any hints/pointers/solutions welcome.

Thanks

--
Louis Kowolowski                        louisk@cryptomonkeys.org
Crypto Monkeys:         http://www.cryptomonkeys.org/~louisk
IRC:                    outcast-consultants.biz#outcasts
gpg info:               http://www.cryptomonkeys.org/~louisk/gurgi.html
gpg print: F04B 9A37 822A 4CE1 95CE 4D28 1AFF CCB7 DE4B A841

Everyone is a genius. It's just that some people are too stupid to
realize it.
From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 11:45:47 2003
From: The Anarcat
To: Louis Kowolowski
Cc: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 14:45:10 -0400
Message-ID: <20030828184509.GA920@xtanbul>
In-Reply-To: <20030828183742.GA249@freespoon.cryptomonkeys.org>
Subject: Re: snort, postgres, bridge

On Thu Aug 28, 2003 at 11:37:42AM -0700, Louis Kowolowski wrote:
...
> The snort.conf is attached.

It is not. List filters attachments.

A.

From owner-freebsd-security@FreeBSD.ORG Thu Aug 28 12:21:58 2003
From: Louis Kowolowski
To: freebsd-security@freebsd.org
Date: Thu, 28 Aug 2003 12:21:51 -0700
Message-ID: <20030828192151.GC249@freespoon.cryptomonkeys.org>
Subject: [louisk@bend.com: snort, postgres, bridge]

----- Forwarded message from Louis Kowolowski -----

Date: Thu, 28 Aug 2003 11:37:42 -0700
From: Louis Kowolowski
To: freebsd-security@freebsd.org
Subject: snort, postgres, bridge
User-Agent: Mutt/1.5.4i

I've been prowling through the FreeBSD and Snort list archives in
search of information on setting up snort on a
FreeBSD bridge(4) that logs to a remote postgres box via a third interface (hme0) Snort is being started with the following command: /usr/local/bin/snort -A full -D -e -d -s -i fxp0 -c /usr /local/etc/snort.conf=20 Where fxp0 and fxp1 are in the bridge output from sysctl: net.link.ether.bridge_cfg: fxp0:0,fxp1:0 net.link.ether.bridge: 1 net.link.ether.bridge_ipfw: 0 net.link.ether.bridge_ipf: 1 net.link.ether.bridge_ipfw_drop: 0 net.link.ether.bridge_ipfw_collisions: 0 The snort.conf is attached. I've attempted to start with a pretty generic config, just to ensure things work. The problem appears to be that snort simply doesn't log to the remote postgres box (yes, there are host entries in pg_hba.conf, and other databases are accessible remotely, so I believe that is not the issue). I've just been running trafshow to watch connections. Any hints/pointers/solutions welcome. Thanks --=20 ----- End forwarded message ----- Appending snort.conf: #-------------------------------------------------- # http://www.snort.org Snort 2.0.0 Ruleset # Contact: snort-sigs@lists.sourceforge.net #-------------------------------------------------- # $Id: snort.conf,v 1.124 2003/05/16 02:52:41 cazz Exp $ # ################################################### # This file contains a sample snort configuration. # You can take the following steps to create your # own custom configuration: # # 1) Set the network variables for your network # 2) Configure preprocessors # 3) Configure output plugins # 4) Customize your rule set # ################################################### # Step #1: Set the network variables: # # You must change the following variables to reflect # your local network. The variable is currently # setup for an RFC 1918 address space. # # You can specify it explicitly as: # # var HOME_NET 10.1.1.0/24 # # or use global variable $_ADDRESS # which will be always initialized to IP address and # netmask of the network interface which you run # snort at. 
Under Windows, this must be specified # as $(_ADDRESS), such as: # $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS) # # var HOME_NET $eth0_ADDRESS # # You can specify lists of IP addresses for HOME_NET # by separating the IPs with commas like this: # # var HOME_NET [10.1.1.0/24,192.168.1.0/24] # # MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST! # # or you can specify the variable to be any IP address # like this: var HOME_NET any # Set up the external network addresses as well. # A good start may be "any" var EXTERNAL_NET any # Configure your server lists. This allows snort to only look for attacks # to systems that have a service up. Why look for HTTP attacks if you are # not running a web server? This allows quick filtering based on IP addres= ses # These configurations MUST follow the same configuration scheme as defined # above for $HOME_NET. # List of DNS servers on your network var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET # List of web servers on your network var HTTP_SERVERS $HOME_NET # List of sql servers on your network var SQL_SERVERS $HOME_NET # List of telnet servers on your network var TELNET_SERVERS $HOME_NET # Configure your service ports. This allows snort to look for attacks # destined to a specific application only on the ports that application # runs on. For example, if you run a web server on port 8081, set your # HTTP_PORTS variable like this: # # var HTTP_PORTS 8010 # # Port lists must either be continuous [eg 80:8080], or a single port [eg 8= 0]. # We will adding support for a real list of ports in the future. # Ports you run web servers on var HTTP_PORTS 80 # Ports you want to look for SHELLCODE on. var SHELLCODE_PORTS !80 # Ports you do oracle attacks on var ORACLE_PORTS 1521 # other variables # # AIM servers. AOL has a habit of adding new AIM servers, so instead of # modifying the signatures when they do, we add them to this list of # servers. 
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.= 12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] # Path to your rules files (this can be a relative path) var RULE_PATH ../share/snort # Configure the snort decoder: # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D # # Stop generic decode events: # # config disable_decode_alerts # # Stop Alerts on experimental TCP options # # config disable_tcpopt_experimental_alerts # # Stop Alerts on obsolete TCP options # # config disable_tcpopt_obsolete_alerts # # Stop Alerts on T/TCP alerts # # config disable_ttcp_alerts # # Stop Alerts on all other TCPOption type events: # # config disable_tcpopt_alerts # # Stop Alerts on invalid ip options # # config disable_ipopt_alerts # Configure the detection engine # =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D # # Use a different pattern matcher in case you have a machine with very # limited resources: # # config detection: search-method lowmem ################################################### # Step #2: Configure preprocessors # # General configuration for preprocessors is of # the form # preprocessor : # frag2: IP defragmentation support # ------------------------------- # This preprocessor performs IP defragmentation. This plugin will also det= ect # people launching fragmentation attacks (usually DoS) against hosts. No # arguments loads the default configuration of the preprocessor, which is a # 60 second timeout and a 4MB fragment buffer. 
# The following (comma delimited) options are available for frag2 # timeout [seconds] - sets the number of [seconds] than an unfinished # fragment will be kept around waiting for completio= n, # if this time expires the fragment will be flushed # memcap [bytes] - limit frag2 memory usage to [number] bytes # (default: 4194304) # # min_ttl [number] - minimum ttl to accept # # ttl_limit [number] - difference of ttl to accept without alerting # will cause false positves with router flap # # Frag2 uses Generator ID 113 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Oversized fragment (reassembled frag > 64k bytes) # 2 Teardrop-type attack preprocessor frag2 # stream4: stateful inspection/stream reassembly for Snort #---------------------------------------------------------------------- # Use in concert with the -z [all|est] command line switch to defeat # stick/snot against TCP rules. Also performs full TCP stream # reassembly, stateful inspection of TCP streams, etc. Can statefully # detect various portscan types, fingerprinting, ECN, etc. # stateful inspection directive # no arguments loads the defaults (timeout 30, memcap 8388608) # options (options are comma delimited): # detect_scans - stream4 will detect stealth portscans and generate alerts # when it sees them when this option is set # detect_state_problems - detect TCP state problems, this tends to be very # noisy because there are a lot of crappy ip stack # implementations out there # # disable_evasion_alerts - turn off the possibly noisy mitigation of # overlapping sequences. # # # min_ttl [number] - set a minium ttl that snort will accept to # stream reassembly # # ttl_limit [number] - differential of the initial ttl on a session versus # the normal that someone may be playing games. # Routing flap may cause lots of false positive= s. 
# # keepstats [machine|binary] - keep session statistics, add "machine" to # get them in a flat format for machine reading, add # "binary" to get them in a unified binary output # format # noinspect - turn off stateful inspection only # timeout [number] - set the session timeout counter to [number] seconds, # default is 30 seconds # memcap [number] - limit stream4 memory usage to [number] bytes # log_flushed_streams - if an event is detected on a stream this option w= ill # cause all packets that are stored in the stream4 # packet buffers to be flushed to disk. This only # works when logging in pcap mode! # # Stream4 uses Generator ID 111 and uses the following SIDS # for that GID: # SID Event description # ----- ------------------- # 1 Stealth activity # 2 Evasive RST packet # 3 Evasive TCP packet retransmission # 4 TCP Window violation # 5 Data on SYN packet # 6 Stealth scan: full XMAS # 7 Stealth scan: SYN-ACK-PSH-URG # 8 Stealth scan: FIN scan # 9 Stealth scan: NULL scan # 10 Stealth scan: NMAP XMAS scan # 11 Stealth scan: Vecna scan # 12 Stealth scan: NMAP fingerprint scan stateful detect # 13 Stealth scan: SYN-FIN scan # 14 TCP forward overlap preprocessor stream4: detect_scans, disable_evasion_alerts # tcp stream reassembly directive # no arguments loads the default configuration # Only reassemble the client, # Only reassemble the default list of ports (See below), # Give alerts for "bad" streams # # Available options (comma delimited): # clientonly - reassemble traffic for the client side of a connection only # serveronly - reassemble traffic for the server side of a connection only # both - reassemble both sides of a session # noalerts - turn off alerts from the stream reassembly stage of stream4 # ports [list] - use the space separated list of ports in [list], "all" # will turn on reassembly for all ports, "default" will tu= rn # on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111 # and 513 preprocessor stream4_reassemble # http_decode: normalize 
HTTP requests # ------------------------------------ # http_decode normalizes HTTP requests from remote # machines by converting any %XX character # substitutions to their ASCII equivalent. This is # very useful for doing things like defeating hostile # attackers trying to stealth themselves from IDSs by # mixing these substitutions in with the request. # Specify the port numbers you want it to analyze as arguments. # # Major code cleanups thanks to rfp # # unicode - normalize unicode # iis_alt_unicode - %u encoding from iis # double_encode - alert on possible double encodings # iis_flip_slash - normalize \ as / # full_whitespace - treat \t as whitespace ( for apache ) # # for that GID: # SID Event description # ----- ------------------- # 1 UNICODE attack # 2 NULL byte attack preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace # rpc_decode: normalize RPC traffic # --------------------------------- # RPC may be sent in alternate encodings besides the usual # 4-byte encoding that is used by default. This preprocessor # normalized RPC traffic in much the same way as the http_decode # preprocessor. This plugin takes the ports numbers that RPC # services are running on as arguments. # The RPC decode preprocessor uses generator ID 106 # # arguments: space separated list # alert_fragments - alert on any rpc fragmented TCP data # no_alert_multiple_requests - don't alert when >1 rpc query is in a packet # no_alert_large_fragments - don't alert when the fragmented # sizes exceed the current packet size # no_alert_incomplete - don't alert when a single segment # exceeds the current packet size preprocessor rpc_decode: 111 32771 # bo: Back Orifice detector # ------------------------- # Detects Back Orifice traffic on the network. Takes no arguments in 2.0. 
# # The Back Orifice detector uses Generator ID 105 and uses the # following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Back Orifice traffic detected preprocessor bo # telnet_decode: Telnet negotiation string normalizer # --------------------------------------------------- # This preprocessor "normalizes" telnet negotiation strings from # telnet and ftp traffic. It works in much the same way as the # http_decode preprocessor, searching for traffic that breaks up # the normal data stream of a protocol and replacing it with # a normalized representation of that traffic so that the "content" # pattern matching keyword can work without requiring modifications. # This preprocessor requires no arguments. # Portscan uses Generator ID 109 and does not generate any SID currently. preprocessor telnet_decode # Portscan: detect a variety of portscans # --------------------------------------- # portscan preprocessor by Patrick Mullen # This preprocessor detects UDP packets or TCP SYN packets going to # four different ports in less than three seconds. "Stealth" TCP # packets are always detected, regardless of these settings. # Portscan uses Generator ID 100 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Portscan detect # 2 Inter-scan info # 3 Portscan End # preprocessor portscan: $HOME_NET 4 3 portscan.log # Use portscan-ignorehosts to ignore TCP SYN and UDP "scans" from # specific networks or hosts to reduce false alerts. It is typical # to see many false alerts from DNS servers so you may want to # add your DNS servers here. You can all multiple hosts/networks # in a whitespace-delimited list. # #preprocessor portscan-ignorehosts: 0.0.0.0 # arpspoof #---------------------------------------- # Experimental ARP detection code from Jeff Nathan, detects ARP attacks, # unicast ARP requests, and specific ARP mapping monitoring. 
To make use # of this preprocessor you must specify the IP and hardware address of host= s on # the same layer 2 segment as you. Specify one host IP MAC combo per line. # Also takes a "-unicast" option to turn on unicast ARP request detection. # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID: # SID Event description # ----- ------------------- # 1 Unicast ARP request # 2 Etherframe ARP mismatch (src) # 3 Etherframe ARP mismatch (dst) # 4 ARP cache overwrite attack #preprocessor arpspoof #preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00 # Conversation #------------------------------------------ # This preprocessor tracks conversations for tcp, udp and icmp traffic. It # is a prerequisite for running portscan2. # # allowed_ip_protcols 1 6 17 # list of allowed ip protcols ( defaults to any ) # # timeout [num] # conversation timeout ( defaults to 60 ) # # # max_conversations [num] # number of conversations to support at once (defaults to 65335) # # # alert_odd_protocols # alert on protocols not listed in allowed_ip_protocols # # preprocessor conversation: allowed_ip_protocols all, timeout 60, max_conversations 3000 # # Portscan2 #------------------------------------------- # Portscan 2, detect portscans in a new and exciting way. You must enable # spp_conversation in order to use this preprocessor. # # Available options: # scanners_max [num] # targets_max [num] # target_limit [num] # port_limit [num] # timeout [num] # log [logdir] # #preprocessor portscan2: scanners_max 256, targets_max 1024, target_limit 5, port_limit 20, timeout 60 # Too many false alerts from portscan2? Tone it down with # portscan2-ignorehosts! # # A space delimited list of addresses in CIDR notation to ignore # # preprocessor portscan2-ignorehosts: 10.0.0.0/8 192.168.24.0/24 # # Experimental Perf stats # ----------------------- # No docs. Highly subject to change. 
# # preprocessor perfmonitor: console flow events time 10 #################################################################### # Step #3: Configure output plugins # # Uncomment and configure the output plugins you decide to use. # General configuration for output plugins is of the form: # # output : # # alert_syslog: log alerts to syslog # ---------------------------------- # Use one or more syslog facilities as arguments. Win32 can also # optionally specify a particular hostname/port. Under Win32, the # default hostname is '127.0.0.1', and the default port is 514. # # [Unix flavours should use this format...] # output alert_syslog: LOG_AUTH LOG_ALERT # # [Win32 can use any of these formats...] # output alert_syslog: LOG_AUTH LOG_ALERT # output alert_syslog: host=3Dhostname, LOG_AUTH LOG_ALERT # output alert_syslog: host=3Dhostname:port, LOG_AUTH LOG_ALERT # log_tcpdump: log packets in binary tcpdump format # ------------------------------------------------- # The only argument is the output file name. # # output log_tcpdump: tcpdump.log # database: log to a variety of databases # --------------------------------------- # See the README.database file for more information about configuring # and using this plugin. # # output database: log, mysql, user=3Droot password=3Dtest dbname=3Ddb host= =3Dlocalhost output database: log, postgresql, sensor_name=3Dexternalfirewall encoding= =3Dhex port=3D5432 user=3Dsnort dbname=3Dsnort host=3Dpostgres.csia.sou.edu # output database: alert, postgresql, user=3Dsnort dbname=3Dsnort # output database: log, unixodbc, user=3Dsnort dbname=3Dsnort # output database: log, mssql, dbname=3Dsnort user=3Dsnort password=3Dtest # unified: Snort unified binary format alerting and logging # ------------------------------------------------------------- # The unified output plugin provides two new formats for logging # and generating alerts from Snort, the "unified" format. 
The # unified format is a straight binary format for logging data # out of Snort that is designed to be fast and efficient. Used # with barnyard (the new alert/log processor), most of the overhead # for logging and alerting to various slow storage mechanisms # such as databases or the network can now be avoided. # # Check out the spo_unified.h file for the data formats. # # Two arguments are supported. # filename - base filename to write to (current time_t is appended) # limit - maximum size of spool file in MB (default: 128) # # output alert_unified: filename snort.alert, limit 128 # output log_unified: filename snort.log, limit 128 # You can optionally define new rule types and associate one or # more output plugins specifically to that type. # # This example will create a type that will log to just tcpdump. # ruletype suspicious # { # type log # output log_tcpdump: suspicious.log # } # # EXAMPLE RULE FOR SUSPICIOUS RULETYPE: # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";) # # This example will create a rule type that will log to syslog # and a mysql database. # ruletype redalert # { # type alert # output alert_syslog: LOG_AUTH LOG_ALERT # output database: log, mysql, user=3Dsnort dbname=3Dsnort host=3Dlocalho= st # } # # EXAMPLE RULE FOR REDALERT RULETYPE # redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \ # (msg:"Someone is being LEET"; flags:A+;) # # Include classification & priority settings # include ../share/snort/classification.config # # Include reference systems # include ../share/snort/reference.config #################################################################### # Step #4: Customize your rule set # # Up to date snort rules are available at http://www.snort.org # # The snort web site has documentation about how to write your own # custom snort rules. # # The rules included with this distribution generate alerts based on # on suspicious activity. 
Depending on your network environment, your # security policies, and what you consider to be suspicious, some of # these rules may either generate false positives ore may be detecting # activity you consider to be acceptable; therefore, you are # encouraged to comment out rules that are not applicable in your # environment. # # Note that using all of the rules at the same time may lead to # serious packet loss on slower machines. YMMV, use with caution, # standard disclaimers apply. :) # # The following individuals contributed many of rules in this # distribution. # # Credits: # Ron Gula of Network Security Wizards # Max Vision # Martin Markgraf # Fyodor Yarochkin # Nick Rogness # Jim Forster # Scott McIntyre # Tom Vandepoel # Brian Caswell # Zeno # Ryan Russell # #=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D # Include all relevant rulesets here # # shellcode, policy, info, backdoor, and virus rulesets are # disabled by default. These require tuning and maintance. # Please read the included specific file for more information. 
#=============================================
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
# end snort.conf

-- 
Louis Kowolowski          louisk@cryptomonkeys.org
Crypto Monkeys:           http://www.cryptomonkeys.org/~louisk
IRC:                      outcast-consultants.biz#outcasts
gpg info:                 http://www.cryptomonkeys.org/~louisk/gurgi.html
gpg print: F04B 9A37 822A 4CE1 95CE 4D28 1AFF CCB7 DE4B A841
Everyone is a genius.
It's just that some people are too stupid to realize it.

From owner-freebsd-security@FreeBSD.ORG Fri Aug 29 05:37:34 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6378416A4BF for ; Fri, 29 Aug 2003 05:37:34 -0700 (PDT)
Received: from sccrmhc12.comcast.net (sccrmhc12.comcast.net [204.127.202.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id 96AF743FE0 for ; Fri, 29 Aug 2003 05:37:33 -0700 (PDT) (envelope-from rootman22@comcast.net)
Received: from 12-209-185-111.client.attbi.com ([12.209.185.111]) by comcast.net (sccrmhc12) with SMTP id <20030829123732012005vt45e>; Fri, 29 Aug 2003 12:37:32 +0000
From: Joe Warner
To: jahmon, freeBSD-security@freebsd.org
Date: Fri, 29 Aug 2003 06:38:12 -0600
User-Agent: KMail/1.5.2
Message-Id: <200308290638.12847.rootman22@comcast.net>
Subject: Re: compromised server
X-List-Received-Date: Fri, 29 Aug 2003 12:37:34 -0000

Hi Jahmon,

I'd highly recommend you try The Coroners Toolkit (TCT):
http://www.porcupine.org/forensics/tct.html

Take a look at "Help! Someone has broken into my system!"
http://www.fish.com/tct/help-when-broken-into
..at the bottom of the page.

Good luck,

Joe

On Thursday 28 August 2003 08:41 am, jahmon wrote:
> I have a server that has been compromised.
> I'm running version 4.6.2
> when I do
>
> >last
>
> this line comes up in the list.
> shutdown ~ Thu Aug 28 05:22
> That was the time the server went down.
> There seemed to be some configuration changes.
> Some of the files seemed to revert back to default versions
> (httpd.conf, resolv.conf)
>
> Does anyone have a clue what type of exploit they may have used?
> Is there any way I can find out if there are any trojans installed?
>
> Thanks
>
> jahmon
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sat Aug 30 16:08:11 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8D2716A4D8 for ; Sat, 30 Aug 2003 16:08:11 -0700 (PDT)
Received: from kruger.drs-sss.com (kruger.drs-sss.com [12.153.72.219]) by mx1.FreeBSD.org (Postfix) with SMTP id 0AAA243F3F for ; Sat, 30 Aug 2003 16:08:11 -0700 (PDT) (envelope-from david.hutchens@drs-sss.com)
Received: (qmail 75468 invoked from network); 26 Aug 2003 19:02:49 -0000
Received: from rads61.drs-sss.com (HELO rads61) (192.168.115.233) by kruger.drs-sss.com with SMTP; 26 Aug 2003 19:02:49 -0000
From: "hutchens"
Date: Tue, 26 Aug 2003 15:07:42 -0400
X-Mailer: Microsoft Outlook CWS, Build 9.0.6604 (9.0.2911.0)
Subject: testing
X-List-Received-Date: Sat, 30 Aug
2003 23:08:12 -0000

Sincerely;

David Hutchens III
Network Technician
DRS Surveillance Support Systems - A division of DRS Technologies.
(727) 541-6681 ext.3313
david.hutchens@drs-sss.com
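The custom ruletype mechanism in the snort.conf posted earlier in this digest (the `ruletype suspicious` and `ruletype redalert` blocks) is easy to misread: a ruletype's `output` lines replace the global output plugins for every rule that uses that action, and a rule line must carry all seven header fields before its options. The script below is an added illustration, not Snort's own parser or any code from the post. It reads the subset of snort.conf syntax that post uses, routes each rule to the outputs its matches would be written to, and rejects headers Snort's grammar would reject. The sample config is constructed from the post's commented-out examples with the `# ` removed, plus an assumed global `output alert_fast` plugin and an assumed built-in `alert` rule for contrast; note that the post's first example rule, `suspicious $HOME_NET any -> $HOME_NET 6667 (...)`, has no protocol field as written, and the parser flags it.

```python
# Added illustration for the snort.conf posted above, not Snort's own parser:
# it works out which output plugins a rule's matches go to.  Covers the subset
# that config uses: "ruletype NAME { type alert|log  output PLUGIN: ARGS }"
# blocks, backslash continuations, "action proto src sport dir dst dport (opts)".
BUILTIN_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
CONFIG_KEYWORDS = {"var", "preprocessor", "include", "config"}

# Constructed input: the post's commented-out example ruletypes and rules with
# "# " removed, plus an assumed global output plugin and a built-in alert rule.
SAMPLE_CONF = r"""
output alert_fast: snort.alert
ruletype suspicious
{
  type log
  output log_tcpdump: suspicious.log
}
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
  output database: log, mysql, user=snort dbname=snort host=localhost
}
suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
    (msg:"Someone is being LEET"; flags:A+;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH SYN"; flags:S;)
"""

def logical_lines(text):
    # Drop comments and blank lines; join backslash continuations.
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    return out

def parse_rule(line):
    """Return (rule, None) or (None, reason).  The header has exactly seven
    fields, so the post's protocol-less example rule is rejected here."""
    head, paren, rest = line.partition("(")
    if not paren or not rest.endswith(")"):
        return None, "options must be enclosed in parentheses"
    fields = head.split()
    if len(fields) != 7:
        return None, (f"header has {len(fields)} fields, expected 7 "
                      "(action proto src sport dir dst dport)")
    if fields[1] not in PROTOCOLS or fields[4] not in ("->", "<>"):
        return None, f"bad protocol/direction {fields[1]!r} {fields[4]!r}"
    names = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    return dict(zip(names, fields), opts=rest[:-1].strip()), None

def parse_conf(text):
    """Return (ruletypes, global_outputs, rules, errors)."""
    ruletypes, global_outputs, rules, errors = {}, [], [], []
    name = current = None                       # ruletype block being read
    for line in logical_lines(text):
        word, _, rest = line.partition(" ")
        if word == "ruletype":
            name = rest.strip()
            current = ruletypes[name] = {"type": None, "outputs": []}
        elif line == "{":
            continue
        elif line == "}":
            if current and current["type"] not in ("alert", "log"):
                errors.append(f"ruletype {name}: type must be alert or log")
            current = None
        elif current is not None:
            if word == "type":
                current["type"] = rest.strip()
            elif word == "output":
                current["outputs"].append(rest.strip())
            else:
                errors.append(f"ruletype {name}: unexpected {word!r}")
        elif word == "output":
            global_outputs.append(rest.strip())
        elif word not in CONFIG_KEYWORDS:
            rule, why = parse_rule(line)
            if rule is None:
                errors.append(f"{why}: {line}")
            elif rule["action"] not in BUILTIN_ACTIONS and rule["action"] not in ruletypes:
                errors.append(f"undefined action {rule['action']!r}: {line}")
            else:
                rules.append(rule)
    return ruletypes, global_outputs, rules, errors

def report(text=SAMPLE_CONF):
    """Map each accepted rule's msg to the output plugins its matches go to:
    a ruletype's own outputs replace the global ones for rules that use it."""
    ruletypes, global_outputs, rules, errors = parse_conf(text)
    routing = {}
    for r in rules:
        msg = r["opts"].split("msg:", 1)[1].split(";", 1)[0].strip().strip('"')
        rt = ruletypes.get(r["action"])
        routing[msg] = rt["outputs"] if rt else global_outputs
    return routing, errors
```

Running `report()` on the sample shows the `redalert` rule going only to syslog and the database, the `suspicious` rule only to the tcpdump log, and the plain `alert` rule to the global `alert_fast` output; the one error is the six-field header copied verbatim from the post's comment. The same check is useful before restarting a production sensor: a rule whose action names a ruletype that was never declared, or a ruletype whose `type` is neither `alert` nor `log`, is reported rather than silently dropped.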
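For the compromised-server thread above, the concrete thing TCT gives jahmon that `last` does not is a file timeline: grave-robber records each file's modification, access and inode-change times and mactime sorts them, so files rewritten around the 05:22 shutdown (httpd.conf, resolv.conf) line up next to whatever else was touched then. The script below is an added stand-in for that step so the idea can be tried on any directory tree; it is not TCT's code. The sample tree, the timestamps and the incident epoch are constructed (the epoch is the post's `Thu Aug 28 05:22` read as UTC, an assumption since the post gives no zone). Two caveats a practitioner needs: work from a read-only or `noatime` mount of the disk, or an image, because `os.lstat` does not update atimes but reading directories and files does; and a trojaned kernel or libc can lie to `stat(2)`, so a live compromised host is an unreliable witness.

```python
# Added illustration for the compromised-server thread above; not TCT's code.
# Collect m/a/c times per directory entry and sort them into a mactime-style
# listing, optionally windowed around a suspected incident time.
import os
import stat
from datetime import datetime, timezone


def collect(root):
    """One record per entry under root with raw epoch m/a/c times."""
    recs = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                     # lstat: never follow symlinks
            recs.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "mode": stat.filemode(st.st_mode),
                "size": st.st_size,
                "m": int(st.st_mtime), "a": int(st.st_atime), "c": int(st.st_ctime),
            })
    return recs


def timeline(recs, start=None, end=None):
    """Sorted (epoch, flags, path) events.  flags is 'm', 'a', 'c' or '.' in
    fixed m/a/c column order, as in a mactime listing; start/end restrict the
    view to a window around the suspected incident."""
    events = {}
    for r in recs:
        for flag in "mac":
            t = r[flag]
            if (start is not None and t < start) or (end is not None and t > end):
                continue
            events.setdefault((t, r["path"]), set()).add(flag)
    return [(t, "".join(f if f in flags else "." for f in "mac"), path)
            for (t, path), flags in sorted(events.items())]


def format_event(event):
    t, flags, path = event
    return f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {flags} {path}"


def build_sample_tree(root, incident):
    """Constructed sample, not data from the post: two config files whose
    atime/mtime are set with os.utime shortly before the incident epoch and
    one file untouched for a month.  os.utime cannot set ctime, which is why
    an intruder who resets mtime still leaves a fresh ctime (unless they also
    moved the clock or wrote the inode directly)."""
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr", "local", "etc"))
    stamps = {
        "etc/resolv.conf": incident - 120,
        "usr/local/etc/httpd.conf": incident - 60,
        "etc/motd": incident - 30 * 86400,
    }
    for rel, t in stamps.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(rel + "\n")
        os.utime(path, (t, t))                      # (atime, mtime); ctime stays "now"
    return stamps


def incident_window(root, incident, before=600, after=600):
    """Events within the window (default +/-10 min) around the incident."""
    return timeline(collect(root), incident - before, incident + after)


if __name__ == "__main__":
    import tempfile
    INCIDENT = 1062048120                           # assumed: 2003-08-28 05:22:00 UTC
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, INCIDENT)
        for ev in incident_window(tmp, INCIDENT):
            print(format_event(ev))
```

On the sample tree the window shows `ma.` events for resolv.conf and httpd.conf two and one minutes before the shutdown and nothing for motd, while the unwindowed timeline shows every file's `..c` event at the moment the tree was built: that split between a backdated mtime and an honest ctime is the pattern to look for on a box where "files seemed to revert back to default versions".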