From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 12:51:22 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2315B16A4C0 for ; Sun, 7 Sep 2003 12:51:22 -0700 (PDT)
Received: from ran.psg.com (ip166.usw12.rb1.bel.nwlink.com [209.20.253.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 75EEB43FE1 for ; Sun, 7 Sep 2003 12:51:21 -0700 (PDT) (envelope-from randy@psg.com)
Received: from localhost ([127.0.0.1] helo=ran.psg.com) by ran.psg.com with esmtp (Exim 4.22) id 19w5ZA-000JeV-H4 for freebsd-security@freebsd.org; Sun, 07 Sep 2003 12:51:20 -0700
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Sun, 7 Sep 2003 12:51:20 -0700
To: freebsd-security@freebsd.org
Subject: @LongLink
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Sun, 07 Sep 2003 19:51:22 -0000

what the heck is

# ls -li /usr/\@LongLink
3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink

randy

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 13:35:25 2003
From: Anthony Schneider
Date: Sun, 7 Sep 2003 16:36:34 -0400
To: Randy Bush
cc: freebsd-security@freebsd.org
Message-ID: <20030907203633.GA35241@x-anthony.com>
Subject: Re: @LongLink

what does 'file' tell you?

On Sun, Sep 07, 2003 at 12:51:20PM -0700, Randy Bush wrote:
> what the heck is
>
> # ls -li /usr/\@LongLink
> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
>
> randy
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 13:48:48 2003
From: Mike Tancsa
Date: Sun, 07 Sep 2003 16:51:50 -0400
To: Randy Bush, freebsd-security@freebsd.org
Message-Id: <5.2.0.9.0.20030907164805.08de3eb0@209.112.4.2>
Subject: Re: @LongLink

How about

chown asafenonrootuserid ?LongLink
su asafenonrootuserid
cat ?LongLink | strings

---Mike

At 12:51 PM 07/09/2003 -0700, Randy Bush wrote:
>what the heck is
>
># ls -li /usr/\@LongLink
>3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
>
>randy

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 13:53:57 2003
From: Matthew Seaman
Date: Sun, 7 Sep 2003 21:53:36 +0100
To: Randy Bush
cc: freebsd-security@freebsd.org
Message-ID: <20030907205336.GA39567@happy-idiot-talk.infracaninophile.co.uk>
Subject: Re: @LongLink

On Sun, Sep 07, 2003 at 12:51:20PM -0700, Randy Bush wrote:
> what the heck is
>
> # ls -li /usr/\@LongLink
> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
>

The result of unpacking a tar archive made with GNU tar, but using a
different tar implementation, perhaps?  GNU tar has a built-in bit of
trickery to get round the limitation of 100 character path names in tar
archives that uses such names as placeholders, until it can replace the
'long link' with the actual required file name.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 13:54:18 2003
From: Randy Bush
Date: Sun, 7 Sep 2003 13:54:16 -0700
To: Anthony Schneider
cc: freebsd-security@freebsd.org
References: <20030907203633.GA35241@x-anthony.com>
Subject: Re: @LongLink

> what does 'file' tell you?
>> what the heck is
>> # ls -li /usr/\@LongLink
>> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink

@LongLink: ASCII text, with no line terminators

what disturbs me is the inode number

randy

---
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 14:01:13 2003
From: Mike Tancsa
Date: Sun, 07 Sep 2003 17:04:10 -0400
To: Randy Bush
cc: freebsd-security@freebsd.org
Message-Id: <5.2.0.9.0.20030907170253.0993d6a0@209.112.4.2>
References: <20030907203633.GA35241@x-anthony.com>
Subject: Re: @LongLink

At 01:54 PM 07/09/2003 -0700, Randy Bush wrote:
> > what does 'file' tell you?
> >> what the heck is
> >> # ls -li /usr/\@LongLink
> >> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
>
>@LongLink: ASCII text, with no line terminators
>
>what disturbs me is the inode number

What does

find / -inum 3 -ls

show it linked to ?

---Mike

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 14:03:58 2003
From: Randy Bush
Date: Sun, 7 Sep 2003 14:03:54 -0700
To: Mike Tancsa
cc: freebsd-security@freebsd.org
References: <20030907203633.GA35241@x-anthony.com> <5.2.0.9.0.20030907170253.0993d6a0@209.112.4.2>
Subject: Re: @LongLink

>>> what does 'file' tell you?
>>>> what the heck is
>>>> # ls -li /usr/\@LongLink
>>>> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
>> @LongLink: ASCII text, with no line terminators
>> what disturbs me is the inode number
> What does
>     find / -inum 3 -ls
> show it linked to ?

but it does not make me more clueful

# find / -inum 3 -ls
3   36 drwxr-xr-x    3 root  wheel  18432 Sep  2 01:18 /dev
3    4 -rw-r--r--    1 root  wheel    802 Apr  3 08:55 /root/.cshrc
3    4 ----------    1 root  wheel    111 Jan  1  1970 /usr/@LongLink
3    4 drwxrwxrwx    2 uucp  uucp     512 Apr  3 08:51 /var/spool/uucppublic
3    4 dr-xr-xr-x    2 root  wheel    512 Apr  3 08:51 /var/empty
3    0 lr--r--r--    1 root  wheel      3 Sep  7 21:02 /proc/curproc -> 441
3    4 drwxrwxrwt    2 root  wheel    512 Sep  2 02:59 /tmp/.X11-unix

it's the only inode 3 on /usr

randy

From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 15:25:55 2003
From: "Bruce A. Mah"
Date: Sun, 07 Sep 2003 15:25:52 -0700
To: Randy Bush
cc: freebsd-security@freebsd.org
Reply-To: bmah@freebsd.org
Message-Id: <200309072225.h87MPqYe008845@intruder.kitchenlab.org>
References: <20030907203633.GA35241@x-anthony.com> <5.2.0.9.0.20030907170253.0993d6a0@209.112.4.2>
Subject: Re: @LongLink

If memory serves me right, Randy Bush wrote:
> >>> what does 'file' tell you?
> >>>> what the heck is
> >>>> # ls -li /usr/\@LongLink
> >>>> 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink
> >> @LongLink: ASCII text, with no line terminators
> >> what disturbs me is the inode number
> > What does
> >     find / -inum 3 -ls
> > show it linked to ?
>
> but it does not make me more clueful

[snip]

> it's the only inode 3 on /usr

We used to have this problem with extremely long (>100 characters or so)
pathnames in the ports tree, almost always patch files.  Part of the
problem was that we used GNU tar to create an archive that was then
unpacked using cpio (in sysinstall).  I remember dealing with this twice
since joining the RE team.

Not sure if that's related to your situation, tho'.

Bruce.
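The mechanism Matthew and Bruce describe, shown as an added example (editor's code, not from the thread, from GNU tar or from sysinstall). Python's tarfile module emits the same GNU long-name pseudo-member that GNU tar does, so the script builds an archive containing one file with a 110-character member name, walks the raw 512-byte headers, and then unpacks the archive two ways: with an extractor that treats every header as an ordinary file, which is what a cpio or tar that does not know typeflag 'L' does, and with one that honours 'L'. The member path, the payload and the "././" normalisation applied by the naive extractor are constructed assumptions; only the on-tape format comes from the real library.

```python
import io
import posixpath
import tarfile

BLOCK = 512

def _octal(field: bytes) -> int:
    """Decode a NUL/space padded octal header field (an empty field is 0)."""
    text = field.rstrip(b"\x00 ").strip()
    return int(text, 8) if text else 0

def build_gnu_archive(path: str, payload: bytes = b"hello\n") -> bytes:
    """Build an in-memory GNU-format tar holding one regular file (constructed data).
    tarfile inserts the '././@LongLink' header itself once the name exceeds 100 bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        info = tarfile.TarInfo(name=path)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def parse_headers(archive: bytes) -> list:
    """Walk the archive block by block and return one dict per member header:
    the raw 100-byte name, mode, mtime, size, typeflag and the member's data."""
    entries, off = [], 0
    while off + BLOCK <= len(archive):
        hdr = archive[off:off + BLOCK]
        if hdr == b"\x00" * BLOCK:          # zero block: end-of-archive marker
            break
        size = _octal(hdr[124:136])
        data_start = off + BLOCK
        entries.append({
            "name": hdr[0:100].split(b"\x00", 1)[0].decode("ascii"),
            "mode": _octal(hdr[100:108]),
            "size": size,
            "mtime": _octal(hdr[136:148]),
            "typeflag": hdr[156:157].decode("ascii"),
            "data": archive[data_start:data_start + size],
        })
        off = data_start + ((size + BLOCK - 1) // BLOCK) * BLOCK   # data is 512-byte padded
    return entries

def naive_extract(archive: bytes) -> dict:
    """Emulate an unpacker that knows only classic ustar types: the 'L' pseudo-member
    is written out as a file. Returns {path: content}; './' components are dropped
    (assumed normalisation), so '././@LongLink' becomes '@LongLink' in the target dir."""
    return {posixpath.normpath(e["name"]): e["data"] for e in parse_headers(archive)}

def gnu_aware_extract(archive: bytes) -> dict:
    """Same walk, but honour typeflag 'L': its NUL-terminated payload is the real name
    of the member that follows, and the pseudo-member itself is never written."""
    out, pending = {}, None
    for e in parse_headers(archive):
        if e["typeflag"] == "L":
            pending = e["data"].rstrip(b"\x00").decode("ascii")
            continue
        out[pending or e["name"]] = e["data"]
        pending = None
    return out

def audit_long_entries(archive: bytes) -> list:
    """Pre-extraction check: list GNU long-name ('L') and long-link ('K') pseudo-members.
    Any hit means a non-GNU-aware unpacker will leave @LongLink files behind."""
    return [(e["typeflag"], e["size"]) for e in parse_headers(archive)
            if e["typeflag"] in ("L", "K")]

# Constructed 110-character path (a ports-tree style patch file name).
_PREFIX = "usr/ports/textproc/example/files/patch-"
LONG_PATH = _PREFIX + "x" * (110 - len(_PREFIX))

if __name__ == "__main__":
    archive = build_gnu_archive(LONG_PATH)
    for h in parse_headers(archive):
        print(f"type={h['typeflag']!r} name={h['name']!r} mode={h['mode']:04o} "
              f"mtime={h['mtime']} size={h['size']}")
    print("naive unpack:    ", {k: len(v) for k, v in naive_extract(archive).items()})
    print("gnu-aware unpack:", {k: len(v) for k, v in gnu_aware_extract(archive).items()})
    print("needs GNU-aware unpacker:", audit_long_entries(archive))
```

The dump explains every oddity in Randy's listing: the pseudo-member's mode and mtime fields are zero, so a tool that writes it out as a file produces mode `----------` and an mtime of `Jan 1 1970`; its payload is the full path plus a trailing NUL, so a 110-character path gives exactly 111 bytes; and `file` sees nothing but printable path characters, hence "ASCII text, with no line terminators". The naive extractor also leaves a second, truncated file whose name is the first 100 bytes of the path. Running `audit_long_entries` on an archive before feeding it to an unpacker of unknown provenance is the cheap check; an `@LongLink` leftover is inert, but an unexplained root-owned file with mode 000 and an epoch timestamp deserves this kind of check rather than a shrug.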
--==_Exmh_-2143965968P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) Comment: Exmh version 2.5+ 20020506 iD8DBQE/W7Bv2MoxcVugUsMRAubPAJ9sEI8AgWcbquZ6giNU/71NOZ+fmQCg8eIK +gHA5S3LnDioQRktlkHDGp4= =BTB4 -----END PGP SIGNATURE----- --==_Exmh_-2143965968P-- From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 20:03:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5752216A4BF for ; Sun, 7 Sep 2003 20:03:04 -0700 (PDT) Received: from mail1.panaso.com (mail.panaso.com [199.60.48.162]) by mx1.FreeBSD.org (Postfix) with SMTP id C894043FF9 for ; Sun, 7 Sep 2003 20:03:03 -0700 (PDT) (envelope-from tbaur@panaso.com) Received: (qmail 35859 invoked from network); 8 Sep 2003 03:03:03 -0000 Received: from unknown (HELO localhost) (127.0.0.1) by localhost.panaso.com with SMTP; 8 Sep 2003 03:03:03 -0000 Date: Sun, 7 Sep 2003 20:03:03 -0700 (PDT) From: Tim Baur To: freebsd-security@freebsd.org In-Reply-To: Message-ID: <0309071953580.70467@neobe.cnanfb.pbz> References: X-PGP: 0x44DB0D83 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: @LongLink X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2003 03:03:04 -0000 On Sun, 7 Sep 2003, Randy Bush wrote: > what the heck is > > # ls -li /usr/\@LongLink > 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink I've seen this file on every 4.8 box I have installed from cdrom. While it seemed odd, I just wrote it off to a minor mistake in the dist and deleted it promptly due to the Annoyance Factor(tm). 
-tbaur From owner-freebsd-security@FreeBSD.ORG Sun Sep 7 13:06:51 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E3FB216A4BF for ; Sun, 7 Sep 2003 13:06:51 -0700 (PDT) Received: from norton.palomine.net (norton.palomine.net [66.93.48.52]) by mx1.FreeBSD.org (Postfix) with SMTP id 393D643FD7 for ; Sun, 7 Sep 2003 13:06:51 -0700 (PDT) (envelope-from cjohnson@palomine.net) Received: (qmail 21867 invoked by uid 1000); 7 Sep 2003 20:06:50 -0000 Date: Sun, 7 Sep 2003 16:06:50 -0400 From: Chris Johnson To: freebsd-security@freebsd.org Message-ID: <20030907200650.GA21828@norton.palomine.net> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-Mailman-Approved-At: Mon, 08 Sep 2003 05:54:35 -0700 Subject: Re: @LongLink X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Sep 2003 20:06:52 -0000 On Sun, Sep 07, 2003 at 12:51:20PM -0700, Randy Bush wrote: > what the heck is > > # ls -li /usr/\@LongLink > 3 ---------- 1 root wheel 111 Jan 1 1970 /usr/@LongLink I have no idea what it is, but it was easy enough to use Google to find out: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=11224+0+archive/2002/freebsd-qa/20020127.freebsd-qa Chris From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 06:36:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 01CD116A4BF; Mon, 8 Sep 2003 06:36:09 -0700 (PDT) Received: from plusmx1.polkomtel.com.pl (plusmx1.polkomtel.com.pl [212.2.96.51]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B11144001; Mon, 8 Sep 2003 06:36:07 -0700 (PDT) 
(envelope-from jaroslaw.nozderko@polkomtel.com.pl) Received: from mswwaw1.corp.plusnet (plus-96-118.polkomtel.com.pl [212.2.96.118]) by plusmx1.polkomtel.com.pl (Postfix) with ESMTP id 4DD9D38038; Mon, 8 Sep 2003 15:36:03 +0200 (CEST) Received: from E2K2.corp.plusnet (unverified) by mswwaw1.corp.plusnet ; Mon, 8 Sep 2003 15:36:02 +0200 X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Mon, 8 Sep 2003 15:36:02 +0200 Message-ID: <2A857CE92C11FE40858689CAEC7BED49056D5B7A@E2K2.corp.plusnet> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: MAC problems Thread-Index: AcNyhOGaYEjllsGmR9e4V6BnG8+IyQDiOvFg From: "Jaroslaw Nozderko" To: "Robert Watson" cc: freebsd-security@freebsd.org Subject: RE: MAC problems X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2003 13:36:09 -0000 Hi Robert, thanks a lot for your help. Regards, Jarek Jaroslaw Nozderko GSM +48 601131870 / Kapsch (22) 6075013 jaroslaw.nozderko@polkomtel.com.pl IT/CCBS/RS - Analyst Programmer > -----Original Message----- > From: Robert Watson [mailto:rwatson@freebsd.org] > Sent: Thursday, September 04, 2003 3:35 AM > To: Jaros=B3aw Nozderko > Cc: freebsd-security@freebsd.org > Subject: Re: MAC problems > > > > On Wed, 3 Sep 2003, [iso-8859-2] Jaros=B3aw Nozderko wrote: > > > I'm quite new to FreeBSD. I've check list archives and > read a handbook, > > but I didn't find solution to my problem and I hope this is not > > off-topic. I've installed 5.1-RELEASE, enabled ACLs on the > filesystems > > and I wanted to test MAC features. I'm also new to MAC, so > perhaps this > > is some my mistake. 
When I enable mac_biba or mac_lomac (in > > loader.conf) without any configuration, it seems to block > networking: > >=20 > > jarek@skorpion jarek> ping 192.168.65.100 > > PING 192.168.65.100 (192.168.65.100): 56 data bytes > > ping: sendto: Permission denied > > ping: sendto: Permission denied > > ping: sendto: Permission denied > > ^C > > --- 192.168.65.100 ping statistics --- > > 3 packets transmitted, 0 packets received, 100% packet loss > > The default process label when you haven't configured > per-user labels is a > high integrity label in the Biba policy. The default label on network > interfaces is low integrity. The result is generally a > failure to be able > to send on the network interfaces, although the failure mode > varies a bit > depending on the socket type, etc. For experimentation > purposes, you'll > probably want to set the following flag in loader.conf: > > security.mac.biba.trust_all_interfaces=3D"1" > > This will tell mac_biba that you want interfaces to be labeled as high > integrity by default. You can also selectively change the > security labels > on interfaces using ifconfig: > > paprika# ifconfig wi0 maclabel 'biba/high(low-high)' > paprika# ifconfig wi0 > wi0: flags=3D8843 mtu 1500 > inet6 fe80::209:5bff:fe31:27a4%wi0 prefixlen 64 scopeid 0x4 > inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255 > ether 00:09:5b:31:27:a4 > media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps) > status: associated > ssid more-80211-in-bethesda 1:more-80211-in-bethesda > stationname "FreeBSD WaveLAN/IEEE node" > channel 3 authmode OPEN powersavemode OFF powersavesleep 100 > wepmode MIXED weptxkey 1 > wepkey 1:128-bit > maclabel biba/high(low-high) > > In the Biba policy, network interface labels have three > elements: a single > (effective) label, and low and high ends of a range. 
The > single element > is the default label for packets sourced from the interface; > the low and > high range elements place a bound on data allowed out the > interface. The > above labels incoming packets as high, and permits packets of > any labels > out the interface. > > > On the other side, when mac_mls is loaded, networking works, but > > starting X server fails with message "Couldn't mmap > /dev/vga" (I don't > > see /dev/vga device regardless of MAC policy loaded) > > I seem to recall that the error message given by X is > actually inaccurate: > it reports a failure to mmap /dev/vga, but it's actually > failing to mmap > system memory. The default MLS label on user processes is mls/low -- > since direct access to hardware of your system may leak > information about > higher confidentiality processes or data. As a result, the policy > prevents you from doing so, which breaks X11. There are several > approaches to resolving this: > > (1) Assign bypass labels to the special devices X accesses, so that > processes can access the resources regardless of the > label. This is a > security hole, but for experimentation purposes, can be > quite useful. > I generally run the following script at boot on systems where this > approach is used: > > # Configure multilabel md-backed /tmp > mdconfig -a -t swap -s 30m -u 10 > newfs /dev/md10 > tunefs -l enable /dev/md10 > mount /dev/md10 /tmp > mkdir /tmp/.X11-unix /tmp/.ICE-unix > chmod 01777 /tmp /tmp/.X11-unix /tmp/.ICE-unix > setfmac biba/equal,mls/equal /tmp /tmp/.X11-unix > /tmp/.ICE-unix > # Relabel entries in /dev so that X11 works (bypass > protections) > setpmac biba/equal,mls/equal setfmac > biba/equal,mls/equal /dev/pci \ > /dev/io /dev/mem /dev/kmem /dev/sysmouse > /dev/agpgart \ > /dev/dri > > This assigns an "equal" (bypass) label to a bunch of device nodes > accessed by X11. It also sets up /tmp with bypass labels > so that X11 > can dump its sockets there. 
> > (2) Assign a bypass label to the X server, so that it can access these > resources while communicating with arbitrary user processes. > > To do this, the X server has to be started using: > > setpmac mls/equal /usr/X11R6/bin/startx > > Note that this also has the effect of bypassing MLS > protection, but > has different properties than (1). Your system resources > are still > protected by MLS, but the X server can now communicate > with arbitrary > processes, which might allow for information flow via the > X server. > Also, if your X server is compromised, the exploit code > runs with a > high level of privilege -- of course, that applies to (1) as well. > > (3) Only use the X server when running as mls/high, which > will allow X to > do what it needs to, but will limit what processes can talk to X, > effectively meaning you can only X apps at mls/high. > > Currently, there is no open source multi-level X server that > I know of, so > if you run X on the machine, you do have to either play by > the rules of > MLS by running at a single level, or by bypassing the MLS policy > selectively. I think it would be great to have open source > MLS X server > support, but it would be a fair amount of work. > > > Is it normal, or is something wrong ? Is any additional > documentation > > about MAC available, more than papers at > http://www.trustedbsd.org ? I'd > > like to learn a bit more. > > There are man pages for each policy, a brief section in the FreeBSD > Handbook summarizing the MAC policies, and several > implementation papers. > Currently, there are no tutorials for getting a system up and > running -- > these features are still considered experimental, and we've > placed most of > our focus on getting the features productionable and > complete. However, > we'd be happy to answer questions and fix bugs, as well as > work towards > having better documentation as we go along :-). 
> > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > >=20 From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 12:29:30 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74CFC16A4BF for ; Mon, 8 Sep 2003 12:29:30 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C25143FE5 for ; Mon, 8 Sep 2003 12:29:29 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id EDDFD54861 for ; Mon, 8 Sep 2003 14:29:25 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 839AB704AA; Mon, 8 Sep 2003 14:29:25 -0500 (CDT) Date: Mon, 8 Sep 2003 14:29:25 -0500 From: "Jacques A. Vidrine" To: freebsd-security@freebsd.org Message-ID: <20030908192925.GB20553@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 Subject: @BSDcon: FreeBSD Security Officer BoF X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Sep 2003 19:29:30 -0000 Hello, I have scheduled a birds-of-a-feather (BoF) meeting at BSDcon to discuss the FreeBSD Security Officer role. Details such as time, location, and topics are posted on the BSDcon unofficial Wiki . 
Please attend if you are interested in what the SO team does currently and in participating in and improving its `services'. The Wiki lists some topics for discussion, and it is editable if you would like to make other contributions. Please *do not* attend expecting to discuss general FreeBSD security issues. Although we may well have time to take some tangents, this BoF is primarily for `security-officer business', such as security advisories, security branches, vulnerability reporting, auditing, project infrastructure, and the like. I expect that by Wednesday afternoon I will have formed a two-part agenda for our two hour meeting to give it a little structure. We could really benefit from someone taking notes during the meeting, either for publishing later, and/or published realtime on IRC or the Wiki. If you would like to volunteer to take notes for one hour or two, please drop me a line! Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Mon Sep 8 22:20:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B49F216A4BF for ; Mon, 8 Sep 2003 22:20:41 -0700 (PDT) Received: from ran.psg.com (ip166.usw12.rb1.bel.nwlink.com [209.20.253.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id E19EA43FEC for ; Mon, 8 Sep 2003 22:20:39 -0700 (PDT) (envelope-from randy@psg.com) Received: from localhost ([127.0.0.1] helo=ran.psg.com) by ran.psg.com with esmtp (Exim 4.22) id 19wavc-000LTN-VI for freebsd-security@freebsd.org; Mon, 08 Sep 2003 22:20:37 -0700 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Mon, 8 Sep 2003 22:20:36 -0700 To: freebsd-security@freebsd.org Message-Id: Subject: is one of my hosts a scanner? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 05:20:41 -0000

so i just found that one of my hosts is GENERATING these probe pairs, maybe every minute or two (note the sequence numbers):

seq  my host           victim(s)
---  ----------------  ---------------
24)  192.168.0.2:1121  <--> 216.52.3.2:2703
25)  192.168.0.2:1122  <--> 216.52.3.4:2703
39)  192.168.0.2:1124  <--> 216.52.3.2:2703
40)  192.168.0.2:1125  <--> 216.52.3.4:2703
49)  192.168.0.2:1129  <--> 216.52.3.2:2703
50)  192.168.0.2:1130  <--> 216.52.3.4:2703
71)  192.168.0.2:1136  <--> 216.52.3.2:2703
72)  192.168.0.2:1137  <--> 216.52.3.4:2703
83)  192.168.0.2:1141  <--> 216.52.3.2:2703
84)  192.168.0.2:1142  <--> 216.52.3.4:2703

the host in the 1918 space is mine. the gap in the sequential scan is because those ports were otherwise occupied.

a single probe looks like

21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 (DF)
21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 (DF)
21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 (DF)
21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 (DF)
21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 (DF)
21:30:33.027105 216.52.3.2.2703 > 192.168.0.2.1141: . ack 13 win 5792 (DF)
21:30:33.028032 216.52.3.2.2703 > 192.168.0.2.1141: P 36:90(54) ack 13 win 5792 (DF)
21:30:33.028724 192.168.0.2.1141 > 216.52.3.2.2703: P 13:25(12) ack 90 win 57920 (DF)
21:30:33.187272 216.52.3.2.2703 > 192.168.0.2.1141: P 90:141(51) ack 25 win 5792 (DF)
21:30:33.196247 192.168.0.2.1141 > 216.52.3.2.2703: P 25:30(5) ack 141 win 57920 (DF)
21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 (DF)

iana says port 2703 is sms-chat.
google for "sms-chat protocol" produces two hacker texts in German, which i tried to wade through but it was a lot of cryptic twisty passages. sms seems to be some sort of microsloth protocol. and, from samba-land docs

"The version of netmon that ships with SMS allows for dumping packets between any two computers (i.e. placing the network interface in promiscuous mode)"

now the host doing the probes
o is the only one of my hosts doing it
o is the only one of my hosts running samba, 2.2.8a

no ports are in promiscuous mode, that i can see (i.e. ifconfig could have been hacked).

clues?

randy

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 01:13:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E2E216A4BF for ; Tue, 9 Sep 2003 01:13:13 -0700 (PDT) Received: from strontium.bh.smithurst.org (bsmithurst.plus.com [81.174.183.63]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3131C43FD7 for ; Tue, 9 Sep 2003 01:13:12 -0700 (PDT) (envelope-from ben@FreeBSD.org) Received: from ben by strontium.bh.smithurst.org with local (Exim 4.20) id 19wdcb-0005zk-UP; Tue, 09 Sep 2003 09:13:09 +0100 Date: Tue, 9 Sep 2003 09:13:09 +0100 From: Ben Smithurst To: Randy Bush Message-ID: <20030909081309.GA22828@strontium.bh.smithurst.org> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="G4iJoqBmSsgzjUCe" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i X-PGP-Key: http://www.smithurst.org/ben/pgp-key.txt Sender: Ben Smithurst cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner?
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 08:13:13 -0000 --G4iJoqBmSsgzjUCe Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Randy Bush wrote:

> seq  my host           victim(s)
> ---  ----------------  ---------------
> 24)  192.168.0.2:1121  <--> 216.52.3.2:2703
> 25)  192.168.0.2:1122  <--> 216.52.3.4:2703
> 39)  192.168.0.2:1124  <--> 216.52.3.2:2703

Those hosts are at cloudmark.com, which gets used by spamassassin (or some part of it). Port 2703 is Razor2 - so that fits as well. Unless you're not using spamassassin or razor2 or something similar, don't think there's anything to worry about... Do the times of the probes match up with times when mail is received?

-- 
Ben Smithurst / ben@FreeBSD.org FreeBSD: The Power To Serve http://www.FreeBSD.org/

--G4iJoqBmSsgzjUCe Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE/XYuVbPzJ+yzvRCwRAo4vAJ465CqxzLLKobLWuJy+dp8E/dArXQCgu3qK oIhrsr06jEEjBhJBaujdZvI= =2J3M -----END PGP SIGNATURE----- --G4iJoqBmSsgzjUCe--

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 01:15:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 80AC016A4BF for ; Tue, 9 Sep 2003 01:15:54 -0700 (PDT) Received: from mail-pm.star.spb.ru (mail-pm.star.spb.ru [217.195.82.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B579543FE1 for ; Tue, 9 Sep 2003 01:15:44 -0700 (PDT) (envelope-from nkritsky@internethelp.ru) Received: from pink.star.spb.ru ([217.195.82.10]) by mail-pm.star.spb.ru (8.12.9/8.12.8) with ESMTP id h898Ffr5075269; Tue, 9 Sep 2003 12:15:42 +0400 (MSD) Received: from IBMKA
([217.195.82.7]) by pink.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id SK41D8LR; Tue, 9 Sep 2003 12:15:41 +0400 Date: Tue, 9 Sep 2003 12:15:37 +0400 From: "Nickolay A. Kritsky" X-Mailer: The Bat! (v1.49) Personal X-Priority: 3 (Normal) Message-ID: <28136359484.20030909121537@internethelp.ru> To: Randy Bush In-reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "Nickolay A. Kritsky" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 08:15:54 -0000

Hello Randy,

Tuesday, September 09, 2003, 9:20:36 AM, you wrote:

RB> clues?

try to identify the process that sends these packets. Use lsof or sockstat for that.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 08:25:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25D9916A4BF; Tue, 9 Sep 2003 08:25:50 -0700 (PDT) Received: from ran.psg.com (ip166.usw12.rb1.bel.nwlink.com [209.20.253.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7995243FEC; Tue, 9 Sep 2003 08:25:49 -0700 (PDT) (envelope-from randy@psg.com) Received: from localhost ([127.0.0.1] helo=ran.psg.com) by ran.psg.com with esmtp (Exim 4.22) id 19wkNI-000BVo-Hp; Tue, 09 Sep 2003 08:25:48 -0700 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Tue, 9 Sep 2003 08:25:47 -0700 To: Ben Smithurst References: <20030909081309.GA22828@strontium.bh.smithurst.org> Message-Id: cc: freebsd-security@freebsd.org Subject: Re: is
one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 15:25:50 -0000 >> seq my host victim(s) >> --- ---------------- --------------- >> 24) 192.168.0.2:1121 <--> 216.52.3.2:2703 >> 25) 192.168.0.2:1122 <--> 216.52.3.4:2703 >> 39) 192.168.0.2:1124 <--> 216.52.3.2:2703 > > Those hosts are at cloudmark.com, which gets used by > spamassassin (or some part of it). Port 2703 is Razor2 > - so > that fits as well. thanks. so tell me, why does the iana think port 2703 is sms-chat? i.e., why is the port used by razor2 not properly registered as a well known port? randy From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 13:23:06 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9A43016A4BF; Tue, 9 Sep 2003 13:23:06 -0700 (PDT) Received: from smtpout.mac.com (A17-250-248-87.apple.com [17.250.248.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id E25B543FA3; Tue, 9 Sep 2003 13:23:05 -0700 (PDT) (envelope-from lomion@mac.com) Received: from mac.com (smtpin07-en2 [10.13.10.152]) by smtpout.mac.com (Xserve/MantshX 2.0) with ESMTP id h89KN55u022266; Tue, 9 Sep 2003 13:23:05 -0700 (PDT) Received: from mac.com ([67.98.154.9]) (authenticated bits=0) by mac.com (Xserve/8.12.9/MantshX 2.0) with ESMTP id h89KN1wq004977; Tue, 9 Sep 2003 13:23:03 -0700 (PDT) Date: Tue, 9 Sep 2003 16:23:02 -0400 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v552) To: Randy Bush From: Lawrence Sica In-Reply-To: Message-Id: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.552) cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 20:23:06 -0000 On Tuesday, September 9, 2003, at 11:25 AM, Randy Bush wrote: >>> seq my host victim(s) >>> --- ---------------- --------------- >>> 24) 192.168.0.2:1121 <--> 216.52.3.2:2703 >>> 25) 192.168.0.2:1122 <--> 216.52.3.4:2703 >>> 39) 192.168.0.2:1124 <--> 216.52.3.2:2703 >> >> Those hosts are at cloudmark.com, which gets used by >> spamassassin (or some part of it). Port 2703 is Razor2 >> - so >> that fits as well. > > thanks. > > so tell me, why does the iana think port 2703 is sms-chat? i.e., > why is the port used by razor2 not properly registered as a well > known port? > Maybe razor2 is using the port without checking if it was already assigned for sms-chat? IANA doesn't automagically know who uses what port unless someone tells them I thought. --Larry From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 13:43:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD57616A4BF; Tue, 9 Sep 2003 13:43:22 -0700 (PDT) Received: from ran.psg.com (ip166.usw12.rb1.bel.nwlink.com [209.20.253.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id E519143FE9; Tue, 9 Sep 2003 13:43:21 -0700 (PDT) (envelope-from randy@psg.com) Received: from localhost ([127.0.0.1] helo=ran.psg.com) by ran.psg.com with esmtp (Exim 4.22) id 19wpKa-000PYB-SW; Tue, 09 Sep 2003 13:43:20 -0700 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Tue, 9 Sep 2003 13:43:20 -0700 To: Lawrence Sica References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> Message-Id: cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 20:43:22 -0000 >> so tell me, why does the iana think port 2703 is sms-chat? i.e., >> why is the port used by razor2 not properly registered as a well >> known port? > Maybe razor2 is using the port without checking if it was already > assigned for sms-chat? clearly > IANA doesn't automagically know who uses what port unless > someone tells them I thought. exactly. there is a process to get a port number assigned. randy From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 14:32:25 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 83BCF16A4BF for ; Tue, 9 Sep 2003 14:32:25 -0700 (PDT) Received: from hotmail.com (sea1-dav62.sea1.hotmail.com [207.68.162.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECC4243FA3 for ; Tue, 9 Sep 2003 14:32:24 -0700 (PDT) (envelope-from kenzo_chin@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 9 Sep 2003 14:32:24 -0700 Received: from 209.187.233.158 by sea1-dav62.sea1.hotmail.com with DAV; Tue, 09 Sep 2003 21:32:24 +0000 X-Originating-IP: [209.187.233.158] X-Originating-Email: [kenzo_chin@hotmail.com] From: "Kenzo" To: Date: Tue, 9 Sep 2003 16:32:24 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Message-ID: X-OriginalArrivalTime: 09 Sep 2003 21:32:24.0738 (UTC) FILETIME=[DC1E8020:01C37719] Subject: WEB SCANNER X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only 
posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 21:32:25 -0000 I was wondering what was a good web scanner to scan IIS servers. I played with nikto, but i'm not sure if it does IIS or not. It seems to only look for CGI stuff. Thanks. From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 14:38:07 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A140116A4BF for ; Tue, 9 Sep 2003 14:38:07 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id C597943F93 for ; Tue, 9 Sep 2003 14:38:06 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 1349 invoked from network); 9 Sep 2003 21:37:59 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 9 Sep 2003 21:37:59 -0000 Message-ID: <3F5E4834.4060409@tenebras.com> Date: Tue, 09 Sep 2003 14:37:56 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> In-Reply-To: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: is one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 21:38:07 -0000 >> so tell me, why does the iana think port 2703 is sms-chat? i.e., >> why is the port used by razor2 not properly registered as a well >> known port? 
IANA *assigns* port numbers 0-1023, and *registers* port numbers 1024-49151. There is no port registered for razor2, and it's definitely a bug to use a port registered to another service.

sms-rcinfo      2701/tcp   SMS RCINFO
sms-rcinfo      2701/udp   SMS RCINFO
sms-xfer        2702/tcp   SMS XFER
sms-xfer        2702/udp   SMS XFER
sms-chat        2703/tcp   SMS CHAT
sms-chat        2703/udp   SMS CHAT
sms-remctrl     2704/tcp   SMS REMCTRL
sms-remctrl     2704/udp   SMS REMCTRL
#                          Tom Friend

The above was clearly assigned before Jan 2002

razor           3555/tcp   Vipul's Razor
razor           3555/udp   Vipul's Razor
#                          Vipul Ved Prakash July 2002

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 14:47:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93B4116A4BF for ; Tue, 9 Sep 2003 14:47:14 -0700 (PDT) Received: from mordrede.visionsix.com (mordrede.visionsix.com [65.202.119.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id C2CD443FDD for ; Tue, 9 Sep 2003 14:47:11 -0700 (PDT) (envelope-from lists@visionsix.com) Received: from vsis169 (unverified [65.202.119.169]) by mordrede.visionsix.com (Vircom SMTPRS 2.1.258) with SMTP id ; Tue, 9 Sep 2003 16:47:10 -0500 Message-ID: <00f201c3771b$e5ff6c10$df0a0a0a@vsis169> From: "Lewis Watson" To: "Kenzo" , References: Date: Tue, 9 Sep 2003 16:47:00 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: WEB SCANNER X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 21:47:14 -0000 > I was wondering what was a good web scanner to scan IIS servers.
> I played with nikto, but i'm not sure if it does IIS or not. It seems to > only look for CGI stuff. Not sure how this is related to BSD at all but anything to help IIS.. Here is a m'sft tool to scan with, Good luck. Lewis http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp Also, you may want to check out more stuff here... www.microsoft.com/security From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 15:03:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA79116A4BF for ; Tue, 9 Sep 2003 15:03:00 -0700 (PDT) Received: from hysteria.spc.org (hysteria.spc.org [195.206.69.234]) by mx1.FreeBSD.org (Postfix) with SMTP id AD9FA43FE9 for ; Tue, 9 Sep 2003 15:02:58 -0700 (PDT) (envelope-from bms@hysteria.spc.org) Received: (qmail 31738 invoked by uid 5013); 9 Sep 2003 21:59:30 -0000 Date: Tue, 9 Sep 2003 22:59:30 +0100 From: Bruce M Simpson To: Michael Sierchio Message-ID: <20030909215930.GS1417@spc.org> Mail-Followup-To: Bruce M Simpson , Michael Sierchio , freebsd-security@freebsd.org References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> <3F5E4834.4060409@tenebras.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F5E4834.4060409@tenebras.com> User-Agent: Mutt/1.4.1i Organization: SPC cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 22:03:01 -0000 On Tue, Sep 09, 2003 at 02:37:56PM -0700, Michael Sierchio wrote: > IANA *assigns* port numbers 0-1023, and *registers* port numbers 1024-49151. 
> > There is no port registered for razor2, and it's definitely a bug
> > to use a port registered to another service.

Perhaps you should take it up with Cloudmark, as they maintain SpamNet commercially. They may have had good reasons, though, so don't be too quick to jump on them for doing it.

One reason I can think of is to be a bit more obfuscated about how the SpamNet operates, but given that it's a network for *reporting* spam whose components have deterministic behaviour, it doesn't really throw spammers off the scent, if they were to sit down and analyse the product.

BMS

From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 16:46:18 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8D0A116A4BF; Tue, 9 Sep 2003 16:46:18 -0700 (PDT) Received: from ran.psg.com (ip166.usw12.rb1.bel.nwlink.com [209.20.253.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id D09A143FB1; Tue, 9 Sep 2003 16:46:17 -0700 (PDT) (envelope-from randy@psg.com) Received: from localhost ([127.0.0.1] helo=ran.psg.com) by ran.psg.com with esmtp (Exim 4.22) id 19wsBc-0008JG-H6; Tue, 09 Sep 2003 16:46:16 -0700 From: Randy Bush MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Date: Tue, 9 Sep 2003 16:46:16 -0700 To: Doug Barton References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> <20030909163926.K42161@12-234-22-23.pyvrag.nggov.pbz> Message-Id: cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Sep 2003 23:46:18 -0000 >>> IANA doesn't automagically know who uses what port unless >>> someone tells them I thought. >> exactly. there is a process to get a port number assigned.
>> > Thanks for following up to your own message Randy, you saved me > the trouble. I was actually kind of confused by your message this > morning, since you of all people should have known the answers to > your own questions. :) it's my form of a troll. > The only thing I'd add to this is that the sockstat utility in > freebsd makes it trivial to determine what application is holding > a given port. the connection was flying by very quickly. and the operator was many hours from coffee. randy From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 17:42:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 58C1116A4BF for ; Tue, 9 Sep 2003 17:42:21 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id 2F9AB43FF2 for ; Tue, 9 Sep 2003 17:42:19 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 4726 invoked from network); 10 Sep 2003 00:42:17 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 10 Sep 2003 00:42:17 -0000 Message-ID: <3F5E7364.7010605@tenebras.com> Date: Tue, 09 Sep 2003 17:42:12 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Bruce M Simpson References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> <3F5E4834.4060409@tenebras.com> <20030909215930.GS1417@spc.org> In-Reply-To: <20030909215930.GS1417@spc.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? 
X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Sep 2003 00:42:21 -0000 Bruce M Simpson wrote: >>IANA *assigns* port numbers 0-1023, and *registers* port numbers 1024-49151. >> >> ... it's definitely a bug >>to use a port registered to another service. > > Perhaps you should take it up with Cloudmark, as they maintain SpamNet > commercially. They may have had good reasons, though, so don't be too > quick to jump on them for doing it. I have no intention of taking it up with Cloudmark, I'm giving up training people for free. > One reason I can think of is to be a bit more obfuscated about how the > SpamNet operates, but given that it's a network for *reporting* spam whose > components has deterministic behaviour, it doesn't really throw spammers > off the scent, if they were to sit down and analyse the product. Shall I speculate why you speculate? I speculate that they don't know what IANA is. For starters. -- "Well," Brahma said, "even after ten thousand explanations, a fool is no wiser, but an intelligent man requires only two thousand five hundred." 
- The Mahabharata

From owner-freebsd-security@FreeBSD.ORG Wed Sep 10 23:57:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6A96416A4BF for ; Wed, 10 Sep 2003 23:57:39 -0700 (PDT) Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 32B4443FBF for ; Wed, 10 Sep 2003 23:57:38 -0700 (PDT) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 12256 invoked by uid 0); 11 Sep 2003 06:57:31 -0000 Received: from unknown (HELO tarkhil.over.ru) (213.148.23.65) by webmail.sub.ru with SMTP; 11 Sep 2003 06:57:31 -0000 Date: Thu, 11 Sep 2003 10:57:44 +0400 From: Alex Povolotsky To: security@freebsd.org Message-Id: <20030911105744.240e66be.tarkhil@webmail.sub.ru> Organization: sub.ru X-Mailer: Sylpheed version 0.9.3claws (GTK+ 1.2.10; i386-portbld-freebsd4.6) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: chkrotkit 4.1 and FreeBSD 4.5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2003 06:57:39 -0000

Hello!

I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds:

Checking `chfn'... INFECTED
Checking `chsh'... INFECTED
Checking `date'... INFECTED
Checking `ls'... INFECTED
Checking `ps'... INFECTED

recompiling, say, ls from sources didn't help. False positive or source changed as well?

-- 
Alex.
From owner-freebsd-security@FreeBSD.ORG Thu Sep 11 01:49:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05BFE16A4BF for ; Thu, 11 Sep 2003 01:49:58 -0700 (PDT) Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 96C9843FDD for ; Thu, 11 Sep 2003 01:49:56 -0700 (PDT) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 18236 invoked by uid 0); 11 Sep 2003 08:49:49 -0000 Received: from unknown (HELO tarkhil.over.ru) (213.148.23.65) by webmail.sub.ru with SMTP; 11 Sep 2003 08:49:49 -0000 Date: Thu, 11 Sep 2003 12:50:02 +0400 From: Alex Povolotsky To: freebsd-security@freebsd.org Message-Id: <20030911125002.5f643aaf.tarkhil@webmail.sub.ru> In-Reply-To: <20030911105744.240e66be.tarkhil@webmail.sub.ru> References: <20030911105744.240e66be.tarkhil@webmail.sub.ru> Organization: sub.ru X-Mailer: Sylpheed version 0.9.3claws (GTK+ 1.2.10; i386-portbld-freebsd4.6) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: chkrotkit 4.1 and FreeBSD 4.5 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2003 08:49:58 -0000

On Thu, 11 Sep 2003 10:57:44 +0400 Alex Povolotsky wrote:

AP> Hello!
AP>
AP> I've found that on two FreeBSD 4.5-RELEASE boxes chkrootkit finds:
AP>
AP> Checking `chfn'... INFECTED
AP> Checking `chsh'... INFECTED
AP> Checking `date'... INFECTED
AP> Checking `ls'... INFECTED
AP> Checking `ps'... INFECTED
AP>
AP> recompiling, say, ls from sources didn't help. False positive or
AP> source changed as well?

False positive. chkrootkit for some reason I could not understand thinks that 4.5-RELEASE is 5.*

-- 
Alex.
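The question Alex asks above ("False positive or source changed as well?") is settled by an integrity check rather than by another scanner run. The following is an added example, not code from the thread or from chkrootkit: hash the binaries chkrootkit flagged and compare them with a baseline taken from a copy you trust (a build from verified sources on a clean machine, or the release distribution sets and their checksums). It is what the recompile Alex tried amounts to once the two trees are actually compared file by file. The file contents below are constructed stand-ins written to temporary directories; the paths are FreeBSD's for the five flagged commands.

```python
import hashlib
import os
import tempfile

# The binaries chkrootkit flagged in the thread, relative to a filesystem root.
FLAGGED = ["bin/date", "bin/ls", "bin/ps", "usr/bin/chfn", "usr/bin/chsh"]


def sha256_of(path):
    """Stream the file through SHA-256 rather than reading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root, rel_paths):
    """{relative path: sha256, or None if the file is absent} under root."""
    return {rel: (sha256_of(os.path.join(root, rel))
                  if os.path.isfile(os.path.join(root, rel)) else None)
            for rel in rel_paths}


def compare(baseline, installed):
    """Classify each baseline entry as unchanged, changed or missing on the
    installed side.  'changed' is what a replaced binary looks like; an all
    'unchanged' result with chkrootkit still complaining means the scanner's
    heuristic, not the binary, is wrong."""
    unchanged, changed, missing = [], [], []
    for rel, good in sorted(baseline.items()):
        got = installed.get(rel)
        if got is None:
            missing.append(rel)
        elif got == good:
            unchanged.append(rel)
        else:
            changed.append(rel)
    return unchanged, changed, missing


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_scenario():
    """Constructed stand-ins: a trusted tree, and an installed tree in which
    bin/ls has been replaced and bin/ps is gone.  Returns compare()'s result."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as live:
        for rel in FLAGGED:
            _write(trusted, rel, b"ELF stand-in for " + rel.encode())
            if rel != "bin/ps":
                _write(live, rel, b"ELF stand-in for " + rel.encode())
        _write(live, "bin/ls", b"ELF stand-in for bin/ls, but not the same bytes")
        return compare(manifest(trusted, FLAGGED), manifest(live, FLAGGED))


if __name__ == "__main__":
    unchanged, changed, missing = run_scenario()
    print("unchanged:", unchanged)
    print("changed:  ", changed)
    print("missing:  ", missing)
```

If every flagged binary hashes identically to the trusted copy and chkrootkit still says INFECTED, the scanner is wrong, which is the conclusion Alex reached. Two caveats: run the hashing from a boot of known-good media, because a kernel or libc that lies about file contents defeats any check run on the suspect box, and keep the baseline somewhere the box cannot alter. mtree(8) with a digest keyword is the base-system way to do the same comparison across a whole tree.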
From owner-freebsd-security@FreeBSD.ORG Thu Sep 11 09:32:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BCECD16A4BF for ; Thu, 11 Sep 2003 09:32:03 -0700 (PDT) Received: from hysteria.spc.org (hysteria.spc.org [195.206.69.234]) by mx1.FreeBSD.org (Postfix) with SMTP id 8114743FCB for ; Thu, 11 Sep 2003 09:32:02 -0700 (PDT) (envelope-from bms@hysteria.spc.org) Received: (qmail 22655 invoked by uid 5013); 11 Sep 2003 16:28:31 -0000 Date: Thu, 11 Sep 2003 17:28:31 +0100 From: Bruce M Simpson To: Michael Sierchio Message-ID: <20030911162831.GX18428@spc.org> Mail-Followup-To: Bruce M Simpson , Michael Sierchio , freebsd-security@freebsd.org References: <69749FD8-E303-11D7-AF9F-000393A335A2@mac.com> <3F5E4834.4060409@tenebras.com> <20030909215930.GS1417@spc.org> <3F5E7364.7010605@tenebras.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F5E7364.7010605@tenebras.com> User-Agent: Mutt/1.4.1i Organization: SPC cc: freebsd-security@freebsd.org Subject: Re: is one of my hosts a scanner? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Sep 2003 16:32:03 -0000 On Tue, Sep 09, 2003 at 05:42:12PM -0700, Michael Sierchio wrote: > I have no intention of taking it up with Cloudmark, I'm giving up > training people for free. You needn't, and I've already made an inquiry. I am reliably informed by their CTO that they have an IANA allocation, and plan to migrate to it at a suitable time. 
BMS From owner-freebsd-security@FreeBSD.ORG Thu Sep 11 20:59:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5227116A4BF; Thu, 11 Sep 2003 20:59:19 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 28B7E43FE1; Thu, 11 Sep 2003 20:59:18 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 0937865203; Fri, 12 Sep 2003 04:59:17 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 41575-02; Fri, 12 Sep 2003 04:59:16 +0100 (BST) Received: by arginine.spc.org (Postfix, from userid 1078) id 8840F651FF; Fri, 12 Sep 2003 04:59:16 +0100 (BST) Date: Fri, 12 Sep 2003 04:59:16 +0100 From: Bruce M Simpson To: freebsd-security@freebsd.org Message-ID: <20030912035916.GA41681@spc.org> Mail-Followup-To: Bruce M Simpson , freebsd-security@freebsd.org, edwin@freebsd.org, kris@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.4.1i Organization: SPC cc: edwin@freebsd.org Subject: Cyrus SASL 2 fixes for MySQL X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2003 03:59:19 -0000 Hi all, I have been trying to get SMTP AUTH working in a hosting setup which I manage. Tonight I succeeded. In the course of so doing I've come up with a few patches which seem to work well for me. 
Please see:

http://people.freebsd.org/~bms/cyrus-sasl-improvements.diff

The features are: improved debugging messages, optional use of an SSL transport, and the ability to use MD5 hashes with MySQL or other auxprop plugins. Credit is due to Branko Grčnar for the last two features. I have tidied these to make a cleaner diff for 2.1.15.

At the moment this is a diff which can be applied to the cyrus-sasl2 port. If there's further interest I'll roll the patches into the port itself with toggle switches.

BMS
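The triage that Nickolay, Doug and Randy describe in the "is one of my hosts a scanner?" thread above, as an added example (not code from any of the posts): parse the tcpdump summary lines Randy pasted to find which connections the local host itself initiated and group them by destination, classify the destination port by the IANA ranges Michael Sierchio quoted against a services table built only from the entries in his message, and attribute the foreign port to a process from a `sockstat -4 -c` snapshot. The first six trace lines are Randy's; the remaining three trace lines, the sockstat snapshot and the owning process name `spamd` are constructed for the example, and the sockstat column layout assumed is FreeBSD's (USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).

```python
import re
import subprocess
import time
from collections import defaultdict

# tcpdump 3.x summary line as pasted in the thread:
#   HH:MM:SS.usec src.sport > dst.dport: FLAGS <rest>
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+) (?P<rest>.*)$"
)

# Services table constructed only from the IANA entries quoted in the thread.
SERVICES = {2701: "sms-rcinfo", 2702: "sms-xfer", 2703: "sms-chat",
            2704: "sms-remctrl", 3555: "razor"}


def parse_tcpdump(lines):
    """Yield one dict per parsable summary line; anything else is skipped."""
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
            yield pkt


def outbound_connects(lines, local_host):
    """Connections *initiated* by local_host: bare SYNs it sent.  The peer's
    SYN/ACK also has the S flag but carries 'ack', so it is not counted."""
    return [p for p in parse_tcpdump(lines)
            if p["src"] == local_host and p["flags"] == "S"
            and "ack" not in p["rest"].split()]


def summarize(connects):
    """Per destination (host, port): SYN count, source ports used, and whether
    they climb monotonically (Randy's observation: sequential ephemeral ports,
    with gaps where a port was already in use)."""
    by_dst = defaultdict(list)
    for p in connects:
        by_dst[(p["dst"], p["dport"])].append(p["sport"])
    return {dst: {"count": len(sp), "sports": sp,
                  "sequential": all(a < b for a, b in zip(sp, sp[1:]))}
            for dst, sp in by_dst.items()}


def port_info(port):
    """(IANA range, registered service or None) using the ranges Michael
    Sierchio quoted: 0-1023 assigned, 1024-49151 registered, rest dynamic."""
    if not 0 <= port <= 65535:
        raise ValueError(port)
    rng = "system" if port <= 1023 else "registered" if port <= 49151 else "dynamic"
    return rng, SERVICES.get(port)


def sockstat_owners(snapshot, foreign_port):
    """Processes connected to foreign_port, from `sockstat -4 -c` output
    (columns: USER COMMAND PID FD PROTO LOCAL FOREIGN; header row skipped)."""
    owners = []
    for cols in (ln.split() for ln in snapshot.splitlines()[1:]):
        if len(cols) >= 7 and cols[-1].rsplit(":", 1)[-1] == str(foreign_port):
            owners.append({"user": cols[0], "command": cols[1],
                           "pid": int(cols[2]), "foreign": cols[-1]})
    return owners


def watch_port(foreign_port, interval=0.2, rounds=300):
    """Poll sockstat until the port shows up: the probe in the trace lives about
    a second, so a single sockstat run usually misses it.  Needs FreeBSD."""
    for _ in range(rounds):
        out = subprocess.run(["sockstat", "-4", "-c"], capture_output=True, text=True)
        if hits := sockstat_owners(out.stdout, foreign_port):
            return hits
        time.sleep(interval)
    return []


# Lines 1-6 are Randy's probe; lines 7-9 are constructed (the other half of
# the pair, then a second pair a minute later).
TRACE = """\
21:30:32.310999 192.168.0.2.1141 > 216.52.3.2.2703: S 2059265893:2059265893(0) win 57344 (DF)
21:30:32.477021 216.52.3.2.2703 > 192.168.0.2.1141: S 1009079948:1009079948(0) ack 2059265894 win 5792 (DF)
21:30:32.477061 192.168.0.2.1141 > 216.52.3.2.2703: . ack 1 win 57920 (DF)
21:30:32.687121 216.52.3.2.2703 > 192.168.0.2.1141: P 1:36(35) ack 1 win 5792 (DF)
21:30:32.687728 192.168.0.2.1141 > 216.52.3.2.2703: P 1:13(12) ack 36 win 57920 (DF)
21:30:33.427044 216.52.3.2.2703 > 192.168.0.2.1141: R 141:141(0) ack 30 win 5792 (DF)
21:30:33.602000 192.168.0.2.1142 > 216.52.3.4.2703: S 1000:1000(0) win 57344 (DF)
21:31:45.100000 192.168.0.2.1146 > 216.52.3.2.2703: S 2000:2000(0) win 57344 (DF)
21:31:46.300000 192.168.0.2.1147 > 216.52.3.4.2703: S 3000:3000(0) win 57344 (DF)
"""

# Constructed sockstat snapshot; "spamd" is a hypothetical owning process.
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       212   5  tcp4   192.168.0.2:22        192.168.0.7:49211
nobody   spamd      4410  7  tcp4   192.168.0.2:1141      216.52.3.2:2703
root     sendmail   198   4  tcp4   *:25                  *:*
"""

if __name__ == "__main__":
    for dst, info in summarize(outbound_connects(TRACE.splitlines(), "192.168.0.2")).items():
        print(dst, info, port_info(dst[1]))
    print(sockstat_owners(SOCKSTAT, 2703))
```

The attribution step is the one worth keeping: each probe in the trace lasts about a second, which is why a single sockstat run misses it ("the connection was flying by very quickly") and watch_port polls instead. `lsof -i :2703` gives the same user/command/pid answer on systems without sockstat. The port classification only tells you what IANA thinks lives there; as the thread shows, the service actually using the port can be something else entirely.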