From owner-freebsd-security@FreeBSD.ORG Sun May 16 02:31:51 2004
Date: Sun, 16 May 2004 12:30:59 +0300
From: Giorgos Keramidas
To: Anton Alin-Adrian
Cc: freebsd-security@freebsd.org
Message-ID: <20040516093059.GA55860@gothmog.gr>
In-Reply-To: <40A69DDD.30603@reversedhell.net>
List-Id: Security issues [members-only posting]
Subject: Re: How do fix a good solution against spam..

On 2004-05-16 01:46, Anton Alin-Adrian wrote:
> M.Jessa> Not only it's way faster than perl based messagewall, amavisd and
> M.Jessa> mailscanner etc but it also has neat stuff like making connections
> M.Jessa> back to the sender's MX checking for validity of the sender's
> M.Jessa> email.
>
> So far I can only release this code. It implements exactly what was
> mentioned about exim. I use it with qmail because qmail I have, but
> can be used with postfix/sendmail with ease. So now not only exim can
> do that hack.

Similar functionality to the one described above can be added to
Sendmail with a milter.

Anyway, you surely can't be using the program you sent. It doesn't even
build here:

giorgos@gothmog[11:31]/tmp/mxcheck$ cc -O2 -ggdb check.c
check.c: In function `filtervalidmail':
check.c:443: error: syntax error at end of input
giorgos@gothmog[11:31]/tmp/mxcheck$ _

> PS - this is how I use it:
> .qmail-file:
>
> | /usr/local/bin/check /usr/local/bin/safecat /path/to/Maildir/tmp /path/to/Maildir/new
>
> #the above after | is on a single line.

Putting aside the facts that the source is entirely undocumented, that
it doesn't even build, that it has a million style bugs, that the
comments aren't really helpful in understanding how it works, and that
it's entirely undocumented...

- What does each one of these parameters exactly do?
- What is safecat and why is it run with a full pathname?
- Why are you using an internal Maildir/ path like 'tmp'?
- Does this work in a .forward file too?

I know, I know that RTFS for such a small program documentation is most
of the time unnecessary for the experienced hacker, but IMHO this is
something that simple FreeBSD users might want to install too. Without
any sort of documentation or other hint about the way it works, you
don't really expect anyone to run this or do you? :-/

- Giorgos

From owner-freebsd-security@FreeBSD.ORG Sun May 16 07:12:22 2004
Message-ID: <20040516141221.68945.qmail@web61310.mail.yahoo.com>
Date: Sun, 16 May 2004 07:12:21 -0700 (PDT)
From: Richard Bejtlich
To: freebsd-security@freebsd.org
Subject: Way to ignore portaudit results?

Hello,

The mysql40-client port currently reports a security problem when I try
to install it:

neely:/usr/ports/databases/mysql40-client$ make
===> mysql-client-4.0.18_1 has known vulnerabilities:
>> MySQL insecure temporary file creation (mysqlbug). Reference:
>> Please update your ports tree and try again.

This is a minor problem affecting only the 'mysqlbug' script, not core
mysql client functionality. We may not see a fix in the MySQL
distribution until 4.0.19.

Is there a way to force installation of a port, even though portaudit
reports a security problem?

Thank you,

Richard
http://www.taosecurity.com

From owner-freebsd-security@FreeBSD.ORG Sun May 16 07:13:00 2004
Message-ID: <40A776E0.4070405@reversedhell.net>
Date: Sun, 16 May 2004 17:12:48 +0300
From: Anton Alin-Adrian
To: Giorgos Keramidas
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040516093059.GA55860@gothmog.gr>
Subject: Re: How do fix a good solution against spam..

Giorgos Keramidas wrote:
> On 2004-05-16 01:46, Anton Alin-Adrian wrote:
>
>> M.Jessa> Not only it's way faster than perl based messagewall, amavisd and
>> M.Jessa> mailscanner etc but it also has neat stuff like making connections
>> M.Jessa> back to the sender's MX checking for validity of the sender's
>> M.Jessa> email.
>>
>> So far I can only release this code. It implements exactly what was
>> mentioned about exim. I use it with qmail because qmail I have, but
>> can be used with postfix/sendmail with ease. So now not only exim can
>> do that hack.
>
> Similar functionality to the one described above can be added to
> Sendmail with a milter.
>
> Anyway, you surely can't be using the program you sent. It doesn't even
> build here:
>
> giorgos@gothmog[11:31]/tmp/mxcheck$ cc -O2 -ggdb check.c
> check.c: In function `filtervalidmail':
> check.c:443: error: syntax error at end of input
> giorgos@gothmog[11:31]/tmp/mxcheck$ _
>
>> PS - this is how I use it:
>> .qmail-file:
>>
>> | /usr/local/bin/check /usr/local/bin/safecat /path/to/Maildir/tmp /path/to/Maildir/new
>>
>> #the above after | is on a single line.
>
> Putting aside the facts that the source is entirely undocumented, that
> it doesn't even build, that it has a million style bugs, that the
> comments aren't really helpful in understanding how it works, and that
> it's entirely undocumented...
>
> - What does each one of these parameters exactly do?
> - What is safecat and why is it run with a full pathname?
> - Why are you using an internal Maildir/ path like 'tmp'?
> - Does this work in a .forward file too?
>
> I know, I know that RTFS for such a small program documentation is most
> of the time unnecessary for the experienced hacker, but IMHO this is
> something that simple FreeBSD users might want to install too. Without
> any sort of documentation or other hint about the way it works, you
> don't really expect anyone to run this or do you? :-/
>
> - Giorgos

---dump---
%ls -l
total 10
-rw-------  1 bu  bu  10180 May 16 16:57 lacheck.tar.gz
%tar -zxvf *
gpl.txt
check.c
%ls -l
total 38
-rw-r--r--  1 bu  bu   9626 May 16 02:49 check.c
-rw-r--r--  1 bu  bu  18009 May 16 02:49 gpl.txt
-rw-------  1 bu  bu  10180 May 16 16:57 lacheck.tar.gz
%cc -o check check.c
%ls -l
total 50
-rwxr-xr-x  1 bu  bu  11518 May 16 16:58 check
-rw-r--r--  1 bu  bu   9626 May 16 02:49 check.c
-rw-r--r--  1 bu  bu  18009 May 16 02:49 gpl.txt
-rw-------  1 bu  bu  10180 May 16 16:57 lacheck.tar.gz
%
---dump---

It builds fine on both FreeBSD 4.x and FreeBSD 5.x.

You said it has millions of style bugs. Indeed. It is *not a program*,
it is a *snippet* whose functions are going to be used inside a
large-scale anti-spam project, placed in ANSI-C header files and
modularized. Obviously there's no doc for a code snippet as this is not
intended to be a 'real public release' for God's sake, it's a *snippet*,
I just thought it may be useful for someone who knows how to use code.
As for docs, well yes, it's gonna have docs, but I doubt I'll write docs
for a snippet till I add some more code and clean it up. As you can
easily see the homepage of the project has no code released.

And yes, the snippet is for the hackers. Though I don't think one has to
be a hacker to use it, if he wants. Can be adjusted to anything he/she
likes. The comments around the functions are written at different times,
for private-circle purposes, and they served well.

--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Sun May 16 07:17:42 2004
Message-ID: <40A77804.2030005@reversedhell.net>
Date: Sun, 16 May 2004 17:17:40 +0300
From: Anton Alin-Adrian
To: Giorgos Keramidas
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040516093059.GA55860@gothmog.gr>
Subject: Re: How do fix a good solution against spam..

Hmm, it seems there is a bit of confusion here. 3 of my mails were
blocked by some spam filter on the mailing list, probably because of the
attachment. I never thought they passed it to the list because I got
messages that they were blocked. Now I understand that they were
probably queued. Damn.

So I sent a mail with: http://laura.reversedhell.net/lacheck.tar.gz .
I replied before noticing this confusion.
--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Sun May 16 07:19:54 2004
From: Michael Nottebrock
To: freebsd-security@freebsd.org
Cc: Richard Bejtlich
Date: Sun, 16 May 2004 16:19:48 +0200
Message-Id: <200405161619.52293.michaelnottebrock@gmx.net>
In-Reply-To: <20040516141221.68945.qmail@web61310.mail.yahoo.com>
Subject: Re: Way to ignore portaudit results?

On Sunday 16 May 2004 16:12, Richard Bejtlich wrote:
> Is there a way to force installation of a port, even
> though portaudit reports a security problem?
make -DDISABLE_VULNERABILITIES

--
   ,_,   | Michael Nottebrock               | lofi@freebsd.org
 (/^ ^\) | FreeBSD - The Power to Serve     | http://www.freebsd.org
   \u/   | K Desktop Environment on FreeBSD | http://freebsd.kde.org

From owner-freebsd-security@FreeBSD.ORG Sun May 16 16:35:49 2004
Message-ID: <40A7FAD3.9080508@reversedhell.net>
Date: Mon, 17 May 2004 02:35:47 +0300
From: Anton Alin-Adrian
To: freebsd-security@freebsd.org
In-Reply-To: <20040516093059.GA55860@gothmog.gr>
Subject: Re: How do fix a good solution against spam..

A more user friendly release of the confusing code discussed above, at:
http://laura.reversedhell.net/laura-0.0.1p2.tar.gz

Yours Sincerely,

--
Alin-Adrian Anton
Reversed Hell Networks
GPG keyID 0x1E2FFF2E (2963 0C11 1AF1 96F6 0030 6EE9 D323 639D 1E2F FF2E)
gpg --keyserver pgp.mit.edu --recv-keys 1E2FFF2E

From owner-freebsd-security@FreeBSD.ORG Mon May 17 05:08:42 2004
Message-ID: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch>
Date: Mon, 17 May 2004 14:08:40 +0200 (CEST)
From: "David E. Meier"
To: freebsd-security@freebsd.org
Subject: Multi-User Security

Hello list.

I would like to get your opinion on what is a safe multi-user
environment. The scenario:

We would like to offer to some customers of ours some sort of network
backup/archive. They would put daily or weekly backups from their local
machine on our server using rsync and SSH. Therefore, they all have a
user account on our server. However, we must ensure that they would
absolutely not be able to access any data of each other at all.

What is the "best and safest" way to do so? Regular UNIX permission
settings? File system ACLs? User jails? Restricting commands in their
path environment? Or would it even make sense to encrypt the file
system? How would some of the solutions affect data backups/restore on
our side?

Any comment on this is welcome. Thanks. Dave.
From owner-freebsd-security@FreeBSD.ORG Mon May 17 06:10:36 2004
Date: Mon, 17 May 2004 15:10:16 +0200
From: Frankye - ML
To: freebsd-security@freebsd.org
Message-Id: <20040517151016.7b83fbe9@godzilla>
In-Reply-To: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch>

On Mon, 17 May 2004 14:08:40 +0200 (CEST)
"David E. Meier" wrote:

| We would like to offer to some customers of ours some sort of network
| backup/archive. They would put daily or weekly backups from their local
| machine on our server using rsync and SSH. Therefore, they all have a
| user account on our server. However, we must ensure that they would
| absolutely not be able to access any data of each other at all.

Just my 2 cents: I've found very useful some shells that permit just
some subset of commands, for example shells/scponly, sysutils/bksh or
sendmail's smrsh.
Since you're using ssh you might also find useful the command= statement
in .ssh/authorized_keys

HTH
Frankye

From owner-freebsd-security@FreeBSD.ORG Mon May 17 06:27:01 2004
Date: Mon, 17 May 2004 14:24:29 +0100 (BST)
From: Jan Grant
To: Frankye - ML
Cc: freebsd-security@freebsd.org
In-Reply-To: <20040517151016.7b83fbe9@godzilla>
Subject: Re: Multi-User Security

On Mon, 17 May 2004, Frankye - ML wrote:
> On Mon, 17 May 2004 14:08:40 +0200 (CEST)
> "David E. Meier" wrote:
>
> | We would like to offer to some customers of ours some sort of network
> | backup/archive. They would put daily or weekly backups from their local
> | machine on our server using rsync and SSH. Therefore, they all have a
> | user account on our server. However, we must ensure that they would
> | absolutely not be able to access any data of each other at all.
>
> Just my 2 cents: I've found very useful some shells that permit just some
> subset of commands, for example shells/scponly, sysutils/bksh or
> sendmail's smrsh.
>
> Since you're using ssh you might also find useful the command= statement
> in .ssh/authorized_keys

However, if you are using rsync or some other complex endpoint on the
server, you are also reliant on that having no way to subvert its
protocol or operation from the client side. "command=" settings in the
ssh config are a good starting point, but for defense in depth you
probably want careful control of filesystem access, be it through a jail
or some other mechanism.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Not as randy or clumsom as a blaster.
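The point Jan Grant makes above (a command= forced command limits what the client can ask for, but rsync's server side still parses whatever arguments reach it) is easiest to see in a concrete wrapper. The following is an added example, not code from any of the posters: a POSIX sh forced-command script for one customer's backup account. It assumes an authorized_keys entry of the form command="/usr/local/bin/backup-only.sh /backup/customer1",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding, that rsync is installed from ports in /usr/local/bin, and the /backup/<customer> directory layout; all of these are assumptions, as are the sample command strings used for the checks. sshd runs the script instead of whatever the client requested and passes the request in SSH_ORIGINAL_COMMAND; the script accepts only rsync in server mode writing beneath the customer's own directory, and refuses the options that would let the client pick a remote program (--rsync-path, -e/--rsh) or turn the session into a download (--sender).

```shell
#!/bin/sh
# backup-only.sh ROOT  -- sshd forced command for a per-customer rsync backup account.
# Added example (not from the original thread). Assumed authorized_keys line:
#   command="/usr/local/bin/backup-only.sh /backup/customer1",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... customer1
# sshd ignores the client's requested command, runs this script instead and
# exposes the original request as $SSH_ORIGINAL_COMMAND.

nl='
'

# validate_rsync_cmd ROOT CMD
# Returns 0 and prints the destination path when CMD is an rsync server-mode
# invocation whose destination lies at or under ROOT (given without a trailing
# slash); returns 1 for anything else.
validate_rsync_cmd() {
    root=$1
    cmd=$2

    # Refuse shell metacharacters, quotes and newlines outright. The string is
    # never handed to a shell below, but rejecting them keeps the later checks simple.
    case $cmd in
        *[';&|`$()<>']*|*\\*|*\'*|*\"*|*"$nl"*) return 1 ;;
    esac

    # Only rsync in server mode ("rsync --server <opts> . <dest>") is allowed.
    case $cmd in
        "rsync --server "*) ;;
        *) return 1 ;;
    esac

    # The client must not choose the remote program or shell, and this account is
    # push-only: --sender would make the server send files back to the client.
    case " $cmd " in
        *" --rsync-path"*|*" -e "*|*" --rsh"*|*" --sender "*) return 1 ;;
    esac

    # rsync's server mode uses "." as a placeholder followed by the destination.
    target=${cmd##* }
    rest=${cmd% *}
    case $rest in
        *" .") ;;
        *) return 1 ;;
    esac

    # The destination must be ROOT itself or below it, with no ".." component.
    case $target in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    case "/$target/" in
        */../*) return 1 ;;
    esac

    printf '%s\n' "$target"
    return 0
}

# Dispatch: only when invoked by sshd with the customer's root as the single argument.
if [ $# -eq 1 ] && [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if validate_rsync_cmd "$1" "$SSH_ORIGINAL_COMMAND" >/dev/null; then
        # Split the validated string on whitespace with globbing off, drop the
        # client's leading "rsync" word and exec our own binary with the rest.
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        shift
        exec /usr/local/bin/rsync "$@"   # assumed ports location of rsync
    fi
    logger -t backup-only "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

A normal push from the customer, rsync -a local/ host:/backup/customer1/, arrives as rsync --server -logDtpre.iLsfxC . /backup/customer1/ and is re-executed with a pinned binary and a checked destination; anything else is logged and refused. What survives these checks is still parsed by rsync's own --server code, which is exactly Jan's point: the wrapper narrows the argument surface, it does not replace a chroot or jail around the account, and the key should carry the no-pty/no-*-forwarding options so the forced command is the only thing that key can do.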
From owner-freebsd-security@FreeBSD.ORG Mon May 17 06:56:58 2004
Message-ID: <40A8C4A9.2000705@mindspring.com>
Date: Mon, 17 May 2004 09:56:57 -0400
From: Richard Coleman
Organization: Critical Magic, Inc.
To: "David E. Meier"
Cc: freebsd-security@freebsd.org
In-Reply-To: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch>
Subject: Re: Multi-User Security

David E. Meier wrote:
> Hello list.
>
> I would like to get your opinion on what is a safe multi-user environment.
> The scenario:
>
> We would like to offer to some customers of ours some sort of network
> backup/archive. They would put daily or weekly backups from their local
> machine on our server using rsync and SSH. Therefore, they all have a user
> account on our server. However, we must ensure that they would absolutely
> not be able to access any data of each other at all.
>
> What is the "best and safest" way to do so? Regular UNIX permission
> settings? File system ACLs? User jails? Restricting commands in their
> path environment? Or would it even make sense to encrypt the file system?
> How would some of the solutions affect data backups/restore on our side?
>
> Any comment on this is welcome. Thanks. Dave.

Using a chroot or a jail is the way to go if possible. If you can't use
that, then unix permissions or ACLs is the next bet. Restricting
commands is the most fragile solution since in many cases it can be
subverted. Encrypting the data is also useful if you have the horsepower.
Richard Coleman
richardcoleman@mindspring.com

From owner-freebsd-security@FreeBSD.ORG Mon May 17 16:41:31 2004
From: Michael Collette
To: freebsd-security@freebsd.org
Date: Mon, 17 May 2004 16:39:08 -0700
Message-Id: <200405171639.08701.metrol@metrol.net>
Subject: Mail Server in the DMZ question

Been trying to puzzle through a firewall layout here involving E-Mail.
Would have thought this was a more common kind of scenario, but I haven't
been able to Google me up an answer to this one.

At present I have an SMTP server (Postfix) in my DMZ that is simply
re-routing mail into my secure network. This is a less than optimal
setup simply due to having to allow traffic from the DMZ into my secure
network without a preceding request for that data.

I want to have all the mail held on the server in the DMZ, then have it
be pulled into the secure network for all my users by some means.

Originally I thought I could just set up a multi-drop box, pull in the
mail with Fetchmail, then have it delivered to my internal server for
processing. Seems that there are way too many pitfalls for this setup to
reasonably support all my users.

I then looked into configuring the DMZ server to hold all mail, then
release on an ETRN request. From what I've read on this I'm really no
better off, as I still have to allow port 25 requests into my secure
network.

Thanks,
--
"In theory, there is no difference between theory and practice. In
practice, there is."
- Yogi Berra

From owner-freebsd-security@FreeBSD.ORG Mon May 17 21:41:26 2004
Message-ID: <40A993F0.2040806@meijome.net>
Date: Tue, 18 May 2004 14:41:20 +1000
From: Norberto Meijome
To: freebsd-security@freebsd.org
In-Reply-To: <40A8C4A9.2000705@mindspring.com>
Subject: Re: Multi-User Security

Richard Coleman wrote:
> Using a chroot or a jail is the way to go if possible. If you can't use
> that, then unix permissions or ACLs is the next bet. Restricting
> commands is the most fragile solution since in many cases it can be
> subverted.

Excuse my ignorance, could you quickly tell me the difference (or point
me to a good reference article/book) between chroot + jail? Is it that a
jail is always chrooted but not the other way around? Is a jail more
encompassing than chroot only?
thanks in advance, B From owner-freebsd-security@FreeBSD.ORG Mon May 17 22:57:36 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8E98916A4CE for ; Mon, 17 May 2004 22:57:36 -0700 (PDT) Received: from amaunetsgothique.com (31.amaunetsgothique.com [69.17.34.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23DC343D5D for ; Mon, 17 May 2004 22:57:33 -0700 (PDT) (envelope-from chort@amaunetsgothique.com) Received: from ([10.8.1.3]) by phalanx.amaunetsgothique.com with ESMTP ; Mon, 17 May 2004 22:57:05 -0700 Received: from [10.8.1.3] (abydos.amaunetsgothique.com [10.8.1.3]) by abydos.amaunetsgothique.com (Postfix) with ESMTP id C22031A479 for ; Mon, 17 May 2004 22:57:04 -0700 (PDT) 
From: Brian Keefer To: freebsd-security@freebsd.org In-Reply-To: <200405171639.08701.metrol@metrol.net> References: <200405171639.08701.metrol@metrol.net> Content-Type: text/plain Organization: Message-Id: <1084859824.28107.680.camel@abydos.amaunetsgothique.com> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.4 Date: 17 May 2004 22:57:04 -0700 Content-Transfer-Encoding: 7bit Subject: Re: Mail Server in the DMZ question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 05:57:36 -0000 On Mon, 2004-05-17 at 16:39, Michael Collette wrote: > Been trying to puzzle through a firewall layout here involving E-Mail. Would > have thought this was a more common kind of scenario, but I haven't been able > to Google me up an answer to this one. > > At present I have an SMTP server (Postfix) in my DMZ that is simply re-routing > mail into my secure network. This is a less than optimal setup simply due to > having to allow traffic from the DMZ into my secure network without a > proceeding request for that data. > > I want to have all the mail held on the server in the DMZ, then have it be > pulled into the secure network for all my users by some means. > > Originally I thought I could just setup a multi-drop box, pull in the mail > with Fetchmail, then have it delivered to my internal server for processing. > Seems that there are way too many pitfalls for this setup to reasonably > support all my users. > > I then looked into configuring the DMZ server to hold all mail, then release > on an ETRN request. From what I've read on this I'm really no better off, as > I still have to allow port 25 requests into my secure network. > > Thanks, I've seen one site implement UUCP for exactly this reason, but I think the potential problems with a flaw in UUCP outweigh just using an SMTP push. 
As long as you've locked down your firewall to only allow the mail gateway to open a connection through to your trusted net on port 25 (i.e. no other DMZ hosts are allowed through in this manner) that's about as good as you can do. Look at it this way, what are you protecting against? If you're protecting against mail being sent in, well clearly that will happen either way. If you're protecting against an attacker that would hijack the DMZ host and try to attack your internal machine via port 25, well yes it will stop that, but if the attacker manages to hijack the machine they're going to be able to do a lot worse things (snoop on all your mail, possibly capture passwords, etc). Really, the possibility that an attacker would be able to make a successful attack using only port 25 of your internal host is very remote, and the possibility that they couldn't do anything else malicious even though they had hijacked a host is even more remote. Make sure you're not over-architecting your environment and introducing unnecessary complications for very minimal potential benefit. -- Brian Keefer, CISSP Systems Engineer CipherTrust Inc, www.CipherTrust.com From owner-freebsd-security@FreeBSD.ORG Mon May 17 23:44:32 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D5D916A4CF for ; Mon, 17 May 2004 23:44:32 -0700 (PDT) Received: from mail.sharmannetworks.com (mail.sharmannetworks.com [210.8.93.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3AC3443D3F for ; Mon, 17 May 2004 23:44:28 -0700 (PDT) (envelope-from freebsd@meijome.net) Received: from meijome.net ([192.168.1.129]) by mail.sharmannetworks.com over TLS secured channel with Microsoft SMTPSVC(5.0.2195.5329); Tue, 18 May 2004 16:44:25 +1000 Message-ID: <40A9B0C9.4040208@meijome.net> Date: Tue, 18 May 2004 16:44:25 +1000
From: Norberto Meijome User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113 X-Accept-Language: en-au, en, es, es-ar MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-OriginalArrivalTime: 18 May 2004 06:44:25.0870 (UTC) FILETIME=[8F896AE0:01C43CA3] Subject: Confirming my understanding of an ipf log line X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 06:44:32 -0000 Hi list, I saw this in my ipf.log (using ipmon): 18/05/2004 15:57:21.092537 fxp0 @25:1 S w.x.y.z -> a.b.c.d PR tcp len 20 (40) frag 20@8 IN where : - fxp0 is my interface connected to the outside world - w.x.y.z is an IP not related to any system under our control - a.b.c.d is the public IP used for NATed traffic from our LAN. - @25:1 is : @1 block in log quick from any to any with short group 25 Does the "S" after @25:1 mean it was a packet too short to be true? What does the frag 20@8 mean? Thanks!!
Beto From owner-freebsd-security@FreeBSD.ORG Mon May 17 23:59:40 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7C74D16A4CE for ; Mon, 17 May 2004 23:59:40 -0700 (PDT) Received: from mailhub01.unibe.ch (mailhub01.unibe.ch [130.92.9.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0A78943D54 for ; Mon, 17 May 2004 23:59:37 -0700 (PDT) (envelope-from roth@speedy.unibe.ch) Received: from localhost (scanhub02-eth0.unibe.ch [130.92.254.66]) by mailhub01.unibe.ch (Postfix) with ESMTP id CDE7625BB97 for ; Tue, 18 May 2004 08:59:35 +0200 (MEST) Received: from mailhub01.unibe.ch ([130.92.9.52]) by localhost (scanhub02 [130.92.254.66]) (amavisd-new, port 10024) with LMTP id 17134-02-24 for ; Tue, 18 May 2004 08:59:36 +0200 (CEST) Received: from asterix.unibe.ch (asterix.unibe.ch [130.92.64.4]) by mailhub01.unibe.ch (Postfix) with ESMTP id 95EB825BB92 for ; Tue, 18 May 2004 08:59:34 +0200 (MEST) Received: from speedy.unibe.ch (speedy [130.92.64.35]) by asterix.unibe.ch (8.11.7p1+Sun/8.11.7) with ESMTP id i4I6xYu09517 for ; Tue, 18 May 2004 08:59:34 +0200 (MET DST) Received: (from roth@localhost) by speedy.unibe.ch (8.12.10+Sun/8.12.9/Submit) id i4I6xXFC020644 for freebsd-security@freebsd.org; Tue, 18 May 2004 08:59:33 +0200 (MEST) Date: Tue, 18 May 2004 08:59:33 +0200 
From: Tobias Roth To: freebsd-security@freebsd.org Message-ID: <20040518065933.GA20587@speedy.unibe.ch> Mail-Followup-To: freebsd-security@freebsd.org References: <40A9B0C9.4040208@meijome.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <40A9B0C9.4040208@meijome.net> User-Agent: Mutt/1.4i X-message-flag: Warning! Using Outlook is insecure and promotes virus distribution. Please use a different email client. X-Virus-checked: by University of Berne Subject: on- and offtopic [was: Confirming my understanding...] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 06:59:40 -0000 On Tue, May 18, 2004 at 04:44:25PM +1000, Norberto Meijome wrote: > > Does the "S" after @25:1 mean it was a packet too short to be true? > > What does the frag 20@8 mean? guys, please, recently the list tends to turn into a security help list once again... everyone please bear in mind that freebsd-security is not intended for general help, even if the question is somehow related to security. for those unsure about what to post and what not, see the list charter: http://lists.freebsd.org/mailman/listinfo/freebsd-security cheers, t. disclaimer: - Norbert, I don't take this personal, it is nothing but coincidence that I replied to your mail and not to any other of the recent off-topic mails. - Everyone else: I am not officially responsible for freebsd-security, so feel free to flame me or start another discussion on what freebsd-security is for. I will not reply. 
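The ipmon line Norberto asked about two messages up is worth decoding, because the rule that logged it (`block in log quick from any to any with short`) is the one that catches fragment tricks. What follows is an added example, not part of any message in this thread: a small Python parser for lines in that format, plus the two fragment checks a firewall admin would want. The field meanings are my reading of ipmon's output and should be checked against ipmon(8) on your release: the letter after `@group:rule` is `S` for a packet ipf classed as short (`b`/`p` for block/pass), and `frag 20@8` is 20 bytes of fragment data at byte offset 8, a leading `+` meaning more fragments follow. Apart from the poster's own line, the sample lines are constructed here with documentation-range addresses.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample ipmon(8)-style log lines. The first is the one from the message above
# (addresses left as the poster masked them); the rest are constructed here,
# with documentation-range addresses, to exercise the parser.
SAMPLE_LOG = """\
18/05/2004 15:57:21.092537 fxp0 @25:1 S w.x.y.z -> a.b.c.d PR tcp len 20 (40) frag 20@8 IN
18/05/2004 15:58:02.000001 fxp0 @0:17 b 203.0.113.9,4413 -> 198.51.100.2,22 PR tcp len 20 48 -S IN
18/05/2004 15:58:40.000002 fxp0 @0:3 p 198.51.100.2,33000 -> 203.0.113.9,25 PR tcp len 20 60 -S OUT
18/05/2004 15:59:10.000003 fxp0 @25:1 S 203.0.113.77 -> 198.51.100.2 PR tcp len 20 (28) frag +8@0 IN
"""

# Assumed layout (verify against ipmon(8)): date time iface @group:rule FLAG src -> dst
# PR proto len iphdrlen total|(total) [frag [+]datalen@byteoffset] [-tcpflags] IN|OUT
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<flag>\S) "
    r"(?P<src>\S+) -> (?P<dst>\S+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) \(?(?P<tlen>\d+)\)?"
    r"(?: frag (?P<mf>\+?)(?P<flen>\d+)@(?P<foff>\d+))?"
    r"(?: (?P<tcpflags>-[A-Z]+))?"
    r" (?P<dir>IN|OUT)$"
)

# Smallest transport header a filter needs to see ports and (for TCP) flags.
TRANSPORT_HDR_LEN = {"tcp": 20, "udp": 8}


@dataclass
class IpfEvent:
    iface: str
    group: int
    rule: int
    flag: str                 # 'S' short, 'b' block, 'p' pass (assumed ipmon letters)
    src: str
    dst: str
    proto: str
    hlen: int                 # IP header length
    tlen: int                 # total IP length
    frag_len: Optional[int]   # fragment data bytes, None if not a fragment
    frag_off: Optional[int]   # fragment byte offset, None if not a fragment
    more_frags: bool
    direction: str


def parse_line(line: str) -> Optional[IpfEvent]:
    """Parse one ipmon line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IpfEvent(
        iface=m["iface"], group=int(m["group"]), rule=int(m["rule"]),
        flag=m["flag"], src=m["src"], dst=m["dst"], proto=m["proto"],
        hlen=int(m["hlen"]), tlen=int(m["tlen"]),
        frag_len=int(m["flen"]) if m["flen"] else None,
        frag_off=int(m["foff"]) if m["foff"] else None,
        more_frags=(m["mf"] == "+"),
        direction=m["dir"],
    )


def assess(ev: IpfEvent) -> List[str]:
    """Name what is odd about a logged packet; an empty list means nothing notable."""
    reasons = []
    if ev.flag == "S":
        reasons.append("short")  # ipf could not see a complete transport header
    hdr = TRANSPORT_HDR_LEN.get(ev.proto)
    if ev.frag_off is not None and hdr is not None:
        if ev.frag_off == 0 and ev.frag_len < hdr:
            # RFC 1858 "tiny fragment": ports/flags split across fragments
            reasons.append("tiny-first-fragment")
        elif 0 < ev.frag_off < hdr:
            # RFC 1858 "overlapping fragment": data lands inside the transport
            # header, so it can rewrite fields a filter already judged
            reasons.append("overlaps-transport-header")
    return reasons


def scan(log_text: str) -> List[tuple]:
    """Return (src, dst, reasons) for every parseable line with something to report."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = assess(ev)
        if reasons:
            findings.append((ev.src, ev.dst, reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}: {', '.join(reasons)}")
```

On the poster's line this reports `short` and `overlaps-transport-header`: a TCP fragment whose 20 data bytes start 8 bytes into the segment land on the sequence, acknowledgement and flags fields of the TCP header, which is the overlapping-fragment case RFC 1858 describes and one of the things `with short` is there to stop. Nothing in the line says who sent it or why, but it is not an ordinary connection attempt, and blocking it was the right outcome.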
From owner-freebsd-security@FreeBSD.ORG Tue May 18 01:35:29 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 61D0716A4CE for ; Tue, 18 May 2004 01:35:29 -0700 (PDT) Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D0F343D62 for ; Tue, 18 May 2004 01:35:28 -0700 (PDT) (envelope-from gsutter@zer0.org) Received: from localhost (localhost [127.0.0.1]) by mail1.zer0.org (Postfix) with ESMTP id 34FDC239AE3; Tue, 18 May 2004 01:35:28 -0700 (PDT) Received: from mail1.zer0.org ([127.0.0.1]) by localhost (klapaucius.zer0.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 97006-05; Tue, 18 May 2004 01:35:28 -0700 (PDT) Received: by mail1.zer0.org (Postfix, from userid 1001) id 0807A239AE0; Tue, 18 May 2004 01:35:28 -0700 (PDT) Date: Tue, 18 May 2004 01:35:27 -0700 
From: Gregory Sutter To: Norberto Meijome Message-ID: <20040518083527.GE73800@klapaucius.zer0.org> References: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch> <40A8C4A9.2000705@mindspring.com> <40A993F0.2040806@meijome.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="7CZp05NP8/gJM8Cl" Content-Disposition: inline In-Reply-To: <40A993F0.2040806@meijome.net> Organization: Zer0 X-Purpose: For great justice! Mail-Copies-To: poster X-PGP-Fingerprint: D161 E4EA 4BFA 2427 F3F9 5B1F 2015 31D5 845D FEDD X-PGP-Key: http://zer0.org/~gsutter/gsutter.pgp X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . User-Agent: Mutt/1.5.5.1i X-Virus-Scanned: by amavisd-new at zer0.org cc: freebsd-security@freebsd.org Subject: Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 08:35:30 -0000 --7CZp05NP8/gJM8Cl Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2004-05-18 14:41 +1000, Norberto Meijome wrote: > Richard Coleman wrote: > > >Using a chroot or a jail is the way to go if possible. If you can't use > >that, then unix permissions or ACL's is the next bet. Restricting > >commands is the most fragile solution since in many cases it can be > >subverted.
> > Excuse my ignorance, could you quickly tell me the difference (or point > me to a good reference article/book) between chroot + jail? > is it that a jail is always chrooted but not the other way around? > is a jail more encompassing than chroot only? If you had typed "freebsd jail" into Google, this paper would have been the first of several hundred useful links. The answer to your question is in its introduction. http://docs.freebsd.org/44doc/papers/jail/jail.html Greg -- Gregory S. Sutter Was Jimi's modem a Purple Hayes? mailto:gsutter@zer0.org http://zer0.org/~gsutter/ --7CZp05NP8/gJM8Cl Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- iD8DBQFAqcrPIBUx1YRd/t0RAjBVAKCK7VHyRRiOu/9OAS2Pw7kW8wXp+wCfegz6 oAfwPZEqXodpUSJzc64kD54= =GL/a -----END PGP SIGNATURE----- --7CZp05NP8/gJM8Cl-- From owner-freebsd-security@FreeBSD.ORG Tue May 18 09:05:43 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E06CE16A51A for ; Tue, 18 May 2004 09:05:42 -0700 (PDT) Received: from therub.org (pantheon-ws-13.direct.hickorytech.net [216.114.200.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F13F43D3F for ; Tue, 18 May 2004 09:05:23 -0700 (PDT) (envelope-from drue@therub.org) Received: from drue by therub.org with local (Exim 3.35 #1 (Debian)) id 1BQ75h-0002r5-00; Tue, 18 May 2004 11:05:17 -0500 Date: Tue, 18 May 2004 11:05:17 -0500 To: "David E. Meier" Message-ID: <20040518160517.GA10067@therub.org> References: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch> User-Agent: Mutt/1.3.28i
From: Dan Rue cc: freebsd-security@freebsd.org Subject: Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 16:05:43 -0000 On Mon, May 17, 2004 at 02:08:40PM +0200, David E. Meier wrote: > Hello list. > > I would like to get your opinion on what is a safe multi-user environment. > The scenario: > > We would like to offer to some customers of ours some sort of network > backup/archive. They would put daily or weekly backups from their local > machine on our server using rsync and SSH. Therefore, they all have a user > account on our server. However, we must ensure that they would absolutely > not be able to access any data of each other at all. > > What is the "best and safest" way to do so? Regular UNIX permission > settings? File system ACL's? User jails? Restricting commands in their > path environment? Or would it even make sense to encrypt the file system? > How would some of the solutions affect data backups/restore on our side? You generally would like to avoid giving people shell (ssh) access if you can avoid it. If you must give shell access, it is best to set up a jail. However, if you're just doing backup/file access - shell access isn't necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use that to chroot users. You can do sftp (without ssh shell access), but that's trickier to set up. One popular solution these days is WebDAV. You use it along with apache, run it over https, and users can access their files with IE or other clients. 
dan From owner-freebsd-security@FreeBSD.ORG Tue May 18 09:10:42 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC33E16A4CE for ; Tue, 18 May 2004 09:10:42 -0700 (PDT) Received: from mail.elvandar.org (cust.94.120.adsl.cistron.nl [195.64.94.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id D38AE43D78 for ; Tue, 18 May 2004 09:08:59 -0700 (PDT) (envelope-from remko@elvandar.org) 
From: "Remko Lodder" To: "Dan Rue" , "David E. Meier" Date: Tue, 18 May 2004 18:08:52 +0200 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) Importance: Normal In-Reply-To: <20040518160517.GA10067@therub.org> X-Virus-Scanned: by amavisd-new at elvandar.org cc: freebsd-security@freebsd.org Subject: RE: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 16:10:42 -0000 Ahem, On Mon, May 17, 2004 at 02:08:40PM +0200, David E. Meier wrote: > Hello list. > > I would like to get your opinion on what is a safe multi-user environment. > The scenario: > > We would like to offer to some customers of ours some sort of network > backup/archive. They would put daily or weekly backups from their local > machine on our server using rsync and SSH. Therefore, they all have a user > account on our server. However, we must ensure that they would absolutely > not be able to access any data of each other at all. > > What is the "best and safest" way to do so? Regular UNIX permission > settings? File system ACL's? User jails? Restricting commands in their > path environment? Or would it even make sense to encrypt the file system? > How would some of the solutions affect data backups/restore on our side? D> You generally would like to avoid giving people shell (ssh) access if D> you can avoid it. If you must give shell access, it is best to set up a D> jail. D> However, if you're just doing backup/file access - shell access isn't D> necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use D> that to chroot users. You can do sftp (without ssh shell access), but D> that's trickier to set up. 
real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny shell that only permits scp and sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http://www.sublimation.org/scponly/ But not that hard.... ;-) -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene mrtg.grunn.org Dutch mirror of MRTG From owner-freebsd-security@FreeBSD.ORG Tue May 18 09:32:36 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C43A16A4CE for ; Tue, 18 May 2004 09:32:36 -0700 (PDT) Received: from serv03.inetworx.ch (serv03.inetworx.ch [212.254.227.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id 86EC143D48 for ; Tue, 18 May 2004 09:32:31 -0700 (PDT) (envelope-from dev@eth0.ch) Received: from localhost (localhost.localdomain [127.0.0.1]) by serv03.inetworx.ch (Postfix) with ESMTP id A97CA252D6E for ; Tue, 18 May 2004 18:32:30 +0200 (CEST) Received: from serv03.inetworx.ch ([127.0.0.1]) by localhost (serv03.inetworx.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 31937-02 for ; Tue, 18 May 2004 18:32:30 +0200 (CEST) Received: from serv04.inetworx.ch (serv04.inetworx.ch [212.254.227.197]) by serv03.inetworx.ch (Postfix) with SMTP id 758BF252D66 for ; Tue, 18 May 2004 18:32:30 +0200 (CEST) Received: from 217.162.71.141 (SquirrelMail authenticated user dev.eth0) by serv04.inetworx.ch with HTTP; Tue, 18 May 2004 18:32:30 +0200 (CEST) Message-ID: <1434.217.162.71.141.1084897950.squirrel@serv04.inetworx.ch> In-Reply-To: <20040518160517.GA10067@therub.org> References: <4985.217.162.71.141.1084795720.squirrel@serv04.inetworx.ch> <20040518160517.GA10067@therub.org> Date: Tue, 18 May 2004 18:32:30 +0200 (CEST)
From: "David E. Meier" To: freebsd-security@freebsd.org User-Agent: SquirrelMail/1.4.2 MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 Importance: Normal X-Virus-Scanned: by amavisd-new at inetworx.ch Subject: Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 16:32:36 -0000 > On Mon, May 17, 2004 at 02:08:40PM +0200, David E. Meier wrote: >> Hello list. >> >> I would like to get your opinion on what is a safe multi-user >> environment. >> The scenario: >> >> We would like to offer to some customers of ours some sort of network >> backup/archive. They would put daily or weekly backups from their local >> machine on our server using rsync and SSH. Therefore, they all have a >> user >> account on our server. However, we must ensure that they would >> absolutely >> not be able to access any data of each other at all. >> >> What is the "best and safest" way to do so? Regular UNIX permission >> settings? File system ACL's? User jails? Restricting commands in their >> path environment? Or would it even make sense to encrypt the file >> system? >> How would some of the solutions affect data backups/restore on our side? > > You generally would like to avoid giving people shell (ssh) access if > you can avoid it. If you must give shell access, it is best to set up a > jail. > > However, if you're just doing backup/file access - shell access isn't > necessary. You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use > that to chroot users. You can do sftp (without ssh shell access), but > that's trickier to set up. Unfortunately we will be using rsync and AFAIK it uses SSH for its communication. This way we only transfer the modified files and thus greatly reduce traffic.
> One popular solution these days is WebDAV. You use it along with > apache, run it over https, and users can access their files with IE or > other clients. That's true. In theory at least. ;-) Unfortunately again, IE and File Explorer have either bugs or incompatibilities built in that prevent using them in a production environment with Linux/Unix. I tried this setup before and sometimes it stalls, sometimes it works normally, then again it takes 2 minutes to transfer some 2KB document... Third-party clients like webdrive worked without any complaints though. Dave From owner-freebsd-security@FreeBSD.ORG Tue May 18 16:12:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA14B16A545 for ; Tue, 18 May 2004 16:12:13 -0700 (PDT) Received: from testequity.com (mach2.testequity.net [205.147.14.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1641A43EC9 for ; Tue, 18 May 2004 11:25:52 -0700 (PDT) (envelope-from metrol@metrol.net) Received: from metwork.priv.testequity.com [192.168.3.50] by testequity.com with ESMTP (SMTPD32-7.13) id A37B89DD00F6; Tue, 18 May 2004 11:18:35 -0700
From: Michael Collette To: freebsd-security@freebsd.org Date: Tue, 18 May 2004 11:21:57 -0700 User-Agent: KMail/1.6.2 References: <200405171639.08701.metrol@metrol.net> <1084859824.28107.680.camel@abydos.amaunetsgothique.com> In-Reply-To: <1084859824.28107.680.camel@abydos.amaunetsgothique.com> MIME-Version: 1.0 Content-Disposition: inline Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Message-Id: <200405181121.57675.metrol@metrol.net> Subject: Re: Mail Server in the DMZ question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 23:12:16 -0000 Many thanks to everyone who replied to my query. Lot of great ideas I've got to mull through here. On Monday 17 May 2004 10:57 pm, Brian Keefer wrote: > I've seen one site implement UUCP for exactly this reason, but I think > the potential problems with a flaw in UUCP outweigh just using an SMTP > push. Seeing as how I've seen a number of folks suggest UUCP, and I'm dirt ignorant on the subject, could you explain what the pitfalls are of using it? > As long as you've locked down your firewall to only allow the mail > gateway to open a connection through to your trusted net on port 25 > (i.e. no other DMZ hosts are allow through in this manner) that's about > as good as you can do. > > Look at it this way, what are you protecting against? Nothing specifically. Just the notion of allowing any kind of request to come from the DMZ into the secure network didn't seem right. In an ideal setup nothing should be allowed to make a request to the internal network. At least that's been my thinking on the matter. > If you're > protecting against mail being sent in, well clearly that will happen > either way. 
If you're protecting against an attacker that would hijack > the DMZ host and try to attack your internal machine via port 25, well > yes it will stop that, but if the attacker manages to hijack the machine > they're going to be able to do a lot worse things (snoop on all your > mail, possibly capture passwords, etc). > > Really, the possibility that an attack would be able to make a > successful attack using only port 25 of your internal host is very > remote, and the possibility that they couldn't do anything else > malicious even though they had hijacked a host is even more remote. > Make sure you're not over architecting your environment and introducing > unnecessary complications for very minimal potential benefit. I can fully appreciate your concern about over architecting this thing. As I began researching this and kept seeing UUCP getting mentioned my arms went up in the air. I hadn't imagined it was going to get this "clever" to spool up mail in the DMZ then request it down into the secure network. Yet another protocol was not the solution I was hoping for. Right at the moment I'm pretty much set up as you suggest. The purpose of my question was to see if I could lock things down a bit tighter. Thanks, -- "In theory, there is no difference between theory and practice. In practice, there is." 
- Yogi Berra From owner-freebsd-security@FreeBSD.ORG Tue May 18 16:12:31 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D796716A606 for ; Tue, 18 May 2004 16:12:23 -0700 (PDT) Received: from webmail.sutton.com (smtpx.sutton.com [216.187.85.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE37A43F43 for ; Tue, 18 May 2004 12:00:24 -0700 (PDT) (envelope-from benwong@tummytech.com) Received: (qmail 55986 invoked from network); 13 May 2004 23:38:25 -0000 Received: from 207-232-98-198.ip.van.radiant.net (HELO tummytech.com) (benwong@suttoncity.com@[207.232.98.198]) (envelope-sender ) by 0 (qmail-ldap-1.03) with SMTP for ; 13 May 2004 23:38:25 -0000 Message-ID: <40A40689.3010006@tummytech.com> Date: Thu, 13 May 2004 16:36:41 -0700 
From: Benson Wong User-Agent: Mozilla Thunderbird 0.5 (Windows/20040207) X-Accept-Language: en-us, en MIME-Version: 1.0 References: <200405132039.i4DKd8Ms098147@mail.gits.dyndns.org> <40A40107.1010207@xsb.com> In-Reply-To: <40A40107.1010207@xsb.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit cc: freebsd security Subject: Re: How do fix a good solution against spam.. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 May 2004 23:12:39 -0000 Mine too. At my company we use the Barracuda 400 spam firewall. Which uses SpamAssassin and some custom stuff. Does spam/virus filtering. Really easy to setup, but is more expensive than free. :) It does a really great job of filtering spam vs administrative work to get it going. Ben. > hehe ... my SpamAssassin marked this as spam :-) > > Cyrille Lefevre wrote: > >> take a look here : >> >> http://www.merchantsoverseas.com/wwwroot/gorilla >> >> then let's try the attached script and patch which may not be up to >> date. >> >> PS : I don't use it since my machine is too slow and this makes >> mimedefang >> to give up (timeout) to often. >> >> Cyrille Lefevre >> >> >> ------------------------------------------------------------------------ >> >> diff -u orig/sa_body.cf sa/sa_body.cf >> --- orig/sa_body.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_body.cf Sat Jan 31 01:57:22 2004 
>> @@ -4,21 +4,20 @@ >> >> # submitted by Yorkshire Dave. >> -> "Dear Fellow Opportunist" (my favorite ;-) >> +# "Dear Fellow Opportunist" (my favorite ;-) >> >> body L_OPPORT /\bfellow.opportunist/i describe L_OPPORT fellow >> opportunist >> >> -> "You need to act now or you will miss out on a great offer" >> +# "You need to act now or you will miss out on a great offer" >> >> body L_ACTMISS /\bact.now.{1,30}or.{5,20}miss\b/i describe >> L_ACTMISS act now or miss >> >> -body L_MISSOFFER >> -/\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i >> +body L_MISSOFFER >> /\bmiss.{1,20}(great|fantastic|unbeatable).{1.20}offer/i >> describe L_MISSOFFER miss great offer >> >> -> "CASH FOREVER" >> +# "CASH FOREVER" >> >> body L_CASHFOREVER /\bcash.{1,3}forever\b/ describe L_CASHFOREVER >> cash forever >> @@ -419,8 +418,7 @@ >> >> # The following rules submitted by Kai MacTane. >> >> -body HIDDEN_VIAGRA >> -/v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i >> >> +body HIDDEN_VIAGRA >> /v[\s{1,5}\-\.\*_]i[\s{1,5}\-\.\*_]a[\s{1,5}\-\.\*_]g[\s{1,5}\-\.\*_]r[\s{1,5}\-\.\*_]a/i >> >> describe HIDDEN_VIAGRA Uses obfuscated version of "Viagra" >> score HIDDEN_VIAGRA 2.00 >> >> @@ -1011,7 +1009,7 @@ >> describe CAREER_BACK_ON_TRACK (LOCAL RULE) Talks about getting >> a career back on track >> score CAREER_BACK_ON_TRACK 3 3 3 3 >> -raw 123X456 /123x456/i >> +rawbody 123X456 /123x456/i >> describe 123X456 (LOCAL RULE) 123X456 is a marker for the SoBig.E >> worm >> score 123X456 99 99 99 99 >> >> diff -u orig/sa_header_other.cf sa/sa_header_other.cf >> --- orig/sa_header_other.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_header_other.cf Sat Jan 31 02:18:10 2004 
>> @@ -9,8 +9,8 @@ >> header HINET Received =~ /bHINET-IP/i >> describe HINET Received line contains HINET-IP (common spam >> gate from pacrim) >> >> -header TO-EVERYONE To:addr =~ /every(?:one|body)/i >> -describe TO-EVERYONE To: everyone or everybody >> +header TO_EVERYONE To:addr =~ /every(?:one|body)/i >> +describe TO_EVERYONE To: everyone or everybody >> >> >> # The following rules submitted by Daniel Bird. >> @@ -97,27 +97,27 @@ >> score L_f_Refi 0.4 >> >> # Spamsign in misc headers >> -Header L_hR_NOREPLY Return-path =~ /<>/ >> +header L_hR_NOREPLY Return-path =~ /<>/ >> describe L_hR_NOREPLY Return path is set to empty (common for >> bounces) (RM) >> score L_hR_NOREPLY 1.1 >> >> -Header L_hr_clkheremail Received =~ /clkheremail\.com/ >> +header L_hr_clkheremail Received =~ /clkheremail\.com/ >> describe L_hr_clkheremail Spam passed through clkheremail.com >> relay (RM) >> score L_hr_clkheremail 3.1 >> >> -Header L_hr_HeloIP Received =~ >> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i >> +header L_hr_HeloIP Received =~ >> /helo=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/i >> describe L_hr_HeloIP Received has helo=IP - may be valid DSL >> router w/nat - may be spam (RM) >> score L_hr_HeloIP 0.5 >> >> -Header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ >> +header L_hx_PSSBulk X-Mailer =~ /PSS\ Bulk\ Mailer/ >> describe L_hx_PSSBulk Uses PSS Bulk Mailer (RM) >> score L_hx_PSSBulk 1.1 >> >> -Header L_hx_XaM3API exists:X-XaM3-API-Version >> +header L_hx_XaM3API exists:X-XaM3-API-Version >> describe L_hx_XaM3API X-XaM3-API-Version header found, often >> spamsign (RM) >> score L_hx_XaM3API 1.1 >> >> -Header L_hx_JLH exists:X-JLH >> +header L_hx_JLH exists:X-JLH >> describe L_hx_JLH X-JLH header found, possible spamsign (RM) >> score L_hx_JLH 1.1 >> >> diff -u orig/sa_header_subject.cf sa/sa_header_subject.cf >> --- orig/sa_header_subject.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_header_subject.cf Sat Jan 31 02:08:47 2004 
>> @@ -27,59 +27,59 @@ >> # The following rules submitted by Robert Menschel. >> >> # Spamsign subjects >> -Header L_s_casino Subject =~ /c[a\@]sin[o0]/i >> +header L_s_casino Subject =~ /c[a\@]sin[o0]/i >> describe L_s_casino Subject mentions a casino (RM) >> score L_s_casino 1.1 >> >> -Header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i >> +header L_s_CopyDVD Subject =~ /c[o0]py\ dvd/i >> describe L_s_CopyDVD Subject mentions copying DVDs (RM) >> score L_s_CopyDVD 3.1 >> >> -Header L_s_Drugs Subject =~ >> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i >> +header L_s_Drugs Subject =~ >> /V[i1][A\@]GR[A\@]|ph[a\@]rm[a\@]c/i >> describe L_s_Drugs Subject mentions known spam subject (RM) >> score L_s_Drugs 2.1 >> >> -Header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i >> +header L_s_GetPaid Subject =~ /Get\ P[a\@]id/i >> describe L_s_GetPaid Subject mentions getting paid for something >> (RM) >> score L_s_GetPaid 1.1 >> >> -Header L_s_HelpInvest Subject =~ /help.{1,10}invest/i >> +header L_s_HelpInvest Subject =~ /help.{1,10}invest/i >> describe L_s_HelpInvest Subject mentions help in investing >> something (RM) >> score L_s_HelpInvest 1.1 >> >> -Header L_s_MaskedWords1 Subject =~ >> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i >> +header L_s_MaskedWords1 Subject =~ >> /Ga,ng|L0SE|W\@rning|si0n|t(?:\|0|\|o|i0)n/i >> describe L_s_MaskedWords1 masked spam word(s) in subject (RM) >> score L_s_MaskedWords1 9.1 >> >> -Header L_s_MaskedWords2 Subject =~ >> /che\@p|F0r|d0main|Ple\@se|m0ve/i >> +header L_s_MaskedWords2 Subject =~ >> /che\@p|F0r|d0main|Ple\@se|m0ve/i >> describe L_s_MaskedWords2 masked spam word(s) in subject (RM) >> score L_s_MaskedWords2 9.1 >> >> -Header L_s_MaskedWords3 Subject =~ >> /p\@tients|ph0t0|b0y|g1rl|vide0/i >> +header L_s_MaskedWords3 Subject =~ >> /p\@tients|ph0t0|b0y|g1rl|vide0/i >> describe L_s_MaskedWords3 masked spam word(s) in subject (RM) >> score L_s_MaskedWords3 9.1 >> >> -Header L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i >> +header 
L_s_MaskedWords4 Subject =~ /5emin|ch[à\@]rge|Êbãy|pen1s/i >> describe L_s_MaskedWords4 masked spam word(s) in subject (RM) >> score L_s_MaskedWords4 7.1 >> >> -Header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ >> +header L_s_MaskedWordsC Subject =~ /reaI|excIusive/ >> describe L_s_MaskedWordsC masked spam word(s) in subject - case >> sensitive (RM) >> score L_s_MaskedWordsC 9.1 >> >> -Header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i >> +header L_s_PleaseRead Subject =~ /please\ re[a\@]d/i >> describe L_s_PleaseRead Subject includes request to please read the >> message (RM) >> score L_s_PleaseRead 0.6 >> >> -Header L_s_profile Subject =~ /I\ saw\ your\ profile/i >> +header L_s_profile Subject =~ /I\ saw\ your\ profile/i >> describe L_s_profile Subject mentions your profile (RM) >> score L_s_profile 1.1 >> >> -Header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i >> +header L_s_porn Subject =~ /p[o0]rn|fuck|violenced|jerk\ off/i >> describe L_s_porn Subject seems to be about porn (RM) >> score L_s_porn 2.1 >> >> -Header L_s_Tax Subject =~ /T[a\@]x/i >> +header L_s_Tax Subject =~ /T[a\@]x/i >> describe L_s_Tax Subject mentions taxes (RM) >> score L_s_Tax 1.1 >> >> diff -u orig/sa_meta.cf sa/sa_meta.cf >> --- orig/sa_meta.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_meta.cf Sat Jan 31 03:00:13 2004 >> @@ -9,9 +9,11 @@ >> >> #Check for a beginning HTML tag >> rawbody __MK_HTML_TAG_START /\> +describe > >> #Check for a closing HTML tag >> rawbody __MK_HTML_TAG_END /\<\/html\>/i >> +describe >> >> #Check to see if the HTML message is made correctly. Seeing a lot >> of SPAM that isn't >> meta MK_BAD_HTML_4 HTML_MESSAGE && !__MK_HTML_TAG_START && >> !__MK_HTML_TAG_END 
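Review bot: two regex defects in these hunks survive the reflow and should be fixed while the lines are being touched. In the `L_MISSOFFER` body rule the interval `.{1.20}` has a dot where the comma belongs; `{1.20}` is not a valid quantifier, so Perl treats it as literal text and the rule can only fire on a message that literally contains "{1.20}". In `HIDDEN_VIAGRA` the `{1,5}` sits inside the character class `[\s{1,5}\-\.\*_]`, where `{`, `1`, `,`, `5` and `}` are just members of the set, so the rule matches exactly one separator character between letters rather than one to five. The two `+describe` lines added to sa_meta.cf appear here with no rule name and no text; they should name `__MK_HTML_TAG_START` and `__MK_HTML_TAG_END` with a description or be dropped, since a bare `describe` will be rejected when the rules are loaded. The `Header` to `header` and `TO-EVERYONE` to `TO_EVERYONE` renames are the substantive part of the change (the keyword is case-sensitive and rule names are limited to alphanumerics and underscore, so the old rules were silently never loaded); the unchanged context line `header HINET Received =~ /bHINET-IP/i` in the same file looks like it meant `\bHINET-IP` and could be corrected in the same pass.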
>> @@ -102,8 +104,7 @@ >> >> header __THEBAT_UA User-Agent =~ /The Bat/ >> meta L_FORGED_MUA_THEBAT ( __THEBAT_UA && !__THEBAT_MSGID ) >> -describe L_FORGED_MUA_THEBAT Forged message pretending to be from the >> -bat! >> +describe L_FORGED_MUA_THEBAT Forged message pretending to be from >> the bat! >> >> #spewing virus reports to forged sender addresses is spamming, talking >> # about them on mailing lists isn't. >> @@ -111,7 +112,8 @@ >> body __VIRUS_WARNING_FWD >> /(attachment|email|file|message|scanner).{0,50}(contain(s|ed)|infect(ion|ed)|report(s|ed)|detected).{0,50}virus/is >> >> body __VIRUS_WARNING_REV >> /virus.{0,50}(found|infect(ion|ed)|reported|detected).{0,50}(attachment|email|file|message)/is >> >> body __FORGING_VIRUS /(braid.a|bugbear|klez|sobig|winevar|yaha.e)/i >> -meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || >> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || >> IN_REP_TO)) describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus >> scanner >> +meta L_BROKEN_ANTIVIRUS ((__VIRUS_WARNING_FWD || >> __VIRUS_WARNING_REV) && __FORGING_VIRUS && ! (REFERENCES || IN_REP_TO)) >> +describe L_BROKEN_ANTIVIRUS UBE from dysfunctional virus scanner >> >> # The following rules were submitted by Sandy S. (The last S is for >> Secret!) >> >> diff -u orig/sa_oct03_rules.cf sa/sa_oct03_rules.cf >> --- orig/sa_oct03_rules.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_oct03_rules.cf Sat Jan 31 02:57:16 2004 >> @@ -223,7 +223,7 @@ >> >> rawbody MY_ONECHAR_SCRIPT /\/..?\.(pl|plx|cgi|asp)/ >> describe MY_ONECHAR_SCRIPT 1 or 2 letter script name found. >> -score MY_ONE_CHAR_SCRIPT .33 >> +score MY_ONECHAR_SCRIPT .33 >> >> rawbody MY_THISIS /this is spam/i >> describe MY_THISIS They said this is spam themselves! >> diff -u orig/sa_uri.cf sa/sa_uri.cf >> --- orig/sa_uri.cf Thu Feb 19 14:56:29 2004 >> +++ sa/sa_uri.cf Sat Jan 31 02:10:42 2004 
>> @@ -358,8 +358,7 @@ >> >> uri MY_BLUETABS /fastbluetabs\.com/i >> score MY_BLUETABS 5.000 >> -describe MY_BLUETABS Message contains a link or email address to >> -fastbluetabs.com >> +describe MY_BLUETABS Message contains a link or email address to >> fastbluetabs.com >> >> uri MY_CERTREWARDS /certrewards\.com/i >> score MY_CERTREWARDS 5.000 >> >> >> ------------------------------------------------------------------------ >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to >> "freebsd-security-unsubscribe@freebsd.org" > > > >------------------------------------------------------------------------ > >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > From owner-freebsd-security@FreeBSD.ORG Tue May 18 17:07:34 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03CB516A4CF for ; Tue, 18 May 2004 17:07:34 -0700 (PDT) Received: from pursued-with.net (adsl-66-125-9-242.dsl.sndg02.pacbell.net [66.125.9.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id A578D43D4C for ; Tue, 18 May 2004 17:07:33 -0700 (PDT) (envelope-from freebsd@pursued-with.net) Received: from babelfish.pursued-with.net (babelfish.pursued-with.net [192.168.168.42]) by pursued-with.net (Postfix) with ESMTP id E919313E59F; Tue, 18 May 2004 17:07:23 -0700 (PDT) Date: Tue, 18 May 2004 17:07:23 -0700 (PDT) 
From: Kevin Stevens To: Michael Collette In-Reply-To: <200405181121.57675.metrol@metrol.net> Message-ID: References: <200405171639.08701.metrol@metrol.net> <1084859824.28107.680.camel@abydos.amaunetsgothique.com> <200405181121.57675.metrol@metrol.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Mail Server in the DMZ question X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd@pursued-with.net List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 00:07:34 -0000 > Nothing specifically. Just the notion of allowing any kind of request > to come from the DMZ into the secure network didn't seem right. In an > ideal setup nothing should be allowed to make a request to the internal > network. At least that's been my thinking on the matter. > > > If you're > > protecting against mail being sent in, well clearly that will happen > > either way. If you're protecting against an attacker that would hijack > > the DMZ host and try to attack your internal machine via port 25, well > > yes it will stop that, but if the attacker manages to hijack the machine > > they're going to be able to do a lot worse things (snoop on all your > > mail, possibly capture passwords, etc). > > > > Really, the possibility that an attack would be able to make a > > successful attack using only port 25 of your internal host is very > > remote, and the possibility that they couldn't do anything else > > malicious even though they had hijacked a host is even more remote. > > Make sure you're not over architecting your environment and introducing > > unnecessary complications for very minimal potential benefit. > > I can fully appreciate your concern about over architecting this thing. As I > began researching this and kept seeing UUCP getting mentioned my arms went up > in the air. 
I hadn't imagined it was going to get this "clever" to spool up > mail in the DMZ then request it down into the secure network. Yet another > protocol was not the solution I was hoping for. All UUCP offers is that it's a "pull" technology, so you don't have to permit a session to be initiated from your DMZ to get the mail in. SMTP is "push", so you have to open the firewall enough to allow the bastion mailhost in to deliver. The downside is that it's a pull technology - anyone who can hack your uucp account on the bastion can get all your mail. Plus I'm not sure how thoroughly inspected the UUCP code is; all my experience is with using it over dialup or frame serial circuits, not over IP. KeS From owner-freebsd-security@FreeBSD.ORG Wed May 19 00:26:03 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E50FC16A4D0; Wed, 19 May 2004 00:26:03 -0700 (PDT) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0514243D39; Wed, 19 May 2004 00:26:03 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: by smtp.des.no (Pony Express, from userid 666) id C3E915318; Wed, 19 May 2004 09:25:53 +0200 (CEST) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 24F395312; Wed, 19 May 2004 09:25:16 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id 5771133CAE; Wed, 19 May 2004 09:25:16 +0200 (CEST) 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Message-Id: <20040519072516.5771133CAE@dwp.des.no> Date: Wed, 19 May 2004 09:25:16 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no X-Spam-Level: s X-Spam-Status: No, hits=1.8 required=5.0 tests=ADDR_FREE autolearn=no version=2.63 Subject: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Reply-To: security-advisories@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 07:26:04 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:10.cvs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          CVS pserver protocol parser errors

Category:       contrib
Module:         contrib_cvs
Announced:      2004-05-19
Credits:        Stefan Esser
Affects:        All FreeBSD versions
Corrected:      2004-05-18 07:21:57 UTC (RELENG_4, 4.10-PRERELEASE)
                2004-05-18 07:16:53 UTC (RELENG_4_10, 4.10-RC)
                2004-05-18 07:19:55 UTC (RELENG_4_9, 4.9-RELEASE-p8)
                2004-05-18 07:19:55 UTC (RELENG_4_8, 4.8-RELEASE-p21)
                2004-05-18 07:19:54 UTC (RELENG_4_7, 4.7-RELEASE-p27)
                2004-05-18 07:19:57 UTC (RELENG_5_2, 5.2.1-RELEASE-p7)
                2004-05-18 07:19:57 UTC (RELENG_5_1, 5.1-RELEASE-p17)
                2004-05-18 07:19:56 UTC (RELENG_5_0, 5.0-RELEASE-p21)
CVE Name:       CAN-2004-0396
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods.  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II.  Problem Description

Due to a programming error in code used to parse data received from
the client, malformed data can cause a heap buffer to overflow,
allowing the client to overwrite arbitrary portions of the server's
memory.

III. Impact

A malicious CVS client may run arbitrary code on the server at the
privilege level of the CVS server software.

IV.  Workaround

Administrators of CVS repositories should disable remote access
through the "pserver" mechanism.  CVS servers which only allow remote
access through the "ext" mechanism (using RSH or SSH) are not
affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.7, 4.8,
4.9, 4.10, 5.0, 5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/cvs
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_4
  src/contrib/cvs/src/server.c                                    1.13.2.6
RELENG_4_10
  src/contrib/cvs/src/server.c                                1.13.2.5.6.1
RELENG_4_9
  src/UPDATING                                                1.73.2.89.2.9
  src/sys/conf/newvers.sh                                     1.44.2.32.2.9
  src/contrib/cvs/src/server.c                                1.13.2.5.4.1
RELENG_4_8
  src/UPDATING                                               1.73.2.80.2.24
  src/sys/conf/newvers.sh                                    1.44.2.29.2.22
  src/contrib/cvs/src/server.c                                1.13.2.5.2.1
RELENG_4_7
  src/UPDATING                                               1.73.2.74.2.31
  src/sys/conf/newvers.sh                                    1.44.2.26.2.29
  src/contrib/cvs/src/server.c                                1.13.2.2.6.2
RELENG_5_2
  src/UPDATING                                                  1.282.2.15
  src/sys/conf/newvers.sh                                        1.56.2.14
  src/contrib/cvs/src/server.c                                    1.19.4.2
RELENG_5_1
  src/UPDATING                                                  1.251.2.19
  src/sys/conf/newvers.sh                                        1.50.2.19
  src/contrib/cvs/src/server.c                                    1.19.2.1
RELENG_5_0
  src/UPDATING                                                  1.229.2.27
  src/sys/conf/newvers.sh                                        1.48.2.22
  src/contrib/cvs/src/server.c                                    1.17.2.2
- - -------------------------------------------------------------------------

VII. References

http://ccvs.cvshome.org/servlets/NewsItemView?newsID=104

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAqwkQFdaIBMps37IRArhZAJsGIEXbfY6Lsaf4Ox76A0SIBNG9swCfRSGB
SPFgXGZog6YaYxDO7V4juKc=
=oIAh
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed May 19 03:15:01 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 936AE16A4CE for ; Wed, 19 May 2004 03:15:01 -0700 (PDT) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48EAC43D41 for ; Wed, 19 May 2004 03:15:01 -0700 (PDT) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 3A57A5312; Wed, 19 May 2004 12:14:38 +0200 (CEST) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id A00C45313; Wed, 19 May 2004 12:14:30 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id
89EA233CAA; Wed, 19 May 2004 12:14:30 +0200 (CEST) To: Eugene Grosbein References: <20040519072516.5771133CAE@dwp.des.no> <40AB1734.BB7A8BC2@kuzbass.ru> 
From: des@des.no (Dag-Erling Smørgrav) Date: Wed, 19 May 2004 12:14:30 +0200 In-Reply-To: <40AB1734.BB7A8BC2@kuzbass.ru> (Eugene Grosbein's message of "Wed, 19 May 2004 16:13:40 +0800") Message-ID: User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no X-Spam-Level: X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.63 cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 10:15:01 -0000

[redirected to the freebsd-security list]

Eugene Grosbein writes:
> FreeBSD Security Advisories wrote:
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch
> > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch.asc
> The directory does not exist (yet?)

I created the directory on ftp-master before I released the advisory,
but it always takes time for mirrors to catch up.  We sometimes upload
the patches in advance to give the mirrors time to catch up before the
advisory goes out, but in this case (as in many others) we had a
schedule to adhere to, and releasing the patches ahead of schedule
might have placed other vendors at risk.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed May 19 04:31:24 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 20C4516A4CE for ; Wed, 19 May 2004 04:31:24 -0700 (PDT) Received: from mail.droso.net (koala.droso.net [193.88.12.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id D8EA343D54 for ; Wed, 19 May 2004 04:31:23 -0700 (PDT) (envelope-from erwin@mail.droso.net) Received: by mail.droso.net (Postfix, from userid 1001) id 494302285D; Wed, 19 May 2004 13:31:06 +0200 (CEST) Date: Wed, 19 May 2004 13:31:06 +0200
From: Erwin Lansing To: freebsd-security@freebsd.org Message-ID: <20040519113106.GB21714@droso.net> References: <20040519072516.5771133CAE@dwp.des.no> <40AB1734.BB7A8BC2@kuzbass.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XOIedfhf+7KOe/yw" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 11:31:24 -0000

--XOIedfhf+7KOe/yw
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 19, 2004 at 12:14:30PM +0200, Dag-Erling Smørgrav wrote:
> [redirected to the freebsd-security list]
> 
> Eugene Grosbein writes:
> > FreeBSD Security Advisories wrote:
> > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch
> > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch.asc
> > The directory does not exist (yet?)
> 
> I created the directory on ftp-master before I released the advisory,
> but it always takes time for mirrors to catch up.  We sometimes upload
> the patches in advance to give the mirrors time to catch up before the
> advisory goes out, but in this case (as in many others) we had a
> schedule to adhere to, and releasing the patches ahead of schedule
> might have placed other vendors at risk.

I just resync'ed the Danish half of ftp.freebsd.org by hand.  It's there now.
-erwin --=20 _._ _,-'""`-._ Erwin Lansing (,-.`._,'( |\`-/| erwin@lansing.dk http://droso.org `-.-' \ )-`( , o o) erwin@FreeBSD.org -bf- `- \`_`"'- --XOIedfhf+7KOe/yw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAq0V6qy9aWxUlaZARAll9AJsH5QmWCfXMuiD5+baYA2ZGJVBkSwCgh0q3 oVDbIYorg46+Srazq0Lwrp0= =ELCY -----END PGP SIGNATURE----- --XOIedfhf+7KOe/yw-- From owner-freebsd-security@FreeBSD.ORG Wed May 19 05:08:03 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 209D216A4CE for ; Wed, 19 May 2004 05:08:03 -0700 (PDT) Received: from shadowplay.nu (248-219.customer.cloud9.net [168.100.248.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CD8A43D48 for ; Wed, 19 May 2004 05:08:00 -0700 (PDT) (envelope-from amal@shadowplay.nu) Received: by shadowplay.nu (Postfix, from userid 500) id A8AA512AB4C; Wed, 19 May 2004 08:07:48 -0400 (EDT) 
From: amal To: freebsd-security@freebsd.org Date: Wed, 19 May 2004 08:07:18 -0400 User-Agent: KMail/1.6.1 References: <20040519072516.5771133CAE@dwp.des.no> <20040519113106.GB21714@droso.net> In-Reply-To: <20040519113106.GB21714@droso.net> MIME-Version: 1.0 Content-Disposition: inline Content-Type: Text/Plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Message-Id: <200405190807.47669.ajasen@spamcop.net> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 12:08:03 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI: I found the patch on ftp5.freebsd.org

My source tree was previously cvsuped to 5.2.1-RELEASE-p6.  I found cvs
in /usr/src/contrib/cvs rather than /usr/src/gnu/usr.bin/cvs, which is
what the advisory recommends.  The commands I used follow:

# cvs --version
Concurrent Versions System (CVS) 1.11.5-FreeBSD (client/server)
# cd /usr/src
# patch < /path/to/patch
/* patch did not find the file to patch. */
# find /usr/src -name server.c | grep cvs
/usr/src/contrib/cvs/src/server.c
# cd /usr/src/contrib/cvs/src
# patch < /patch/to/patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
- --------------------------
|diff -Nur cvs-1.12.7.orig/src/server.c cvs-1.12.7/src/server.c
|--- cvs-1.12.7.orig/src/server.c	Tue Apr  6 22:17:55 2004
|+++ cvs-1.12.7/src/server.c	Sun May  2 19:32:17 2004
- --------------------------
Patching file server.c using Plan A...
Hunk #1 succeeded at 1648 (offset 49 lines).
Hunk #2 succeeded at 1643 (offset 1 line).
done

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAq04DEnb2ZreqxQQRAgrkAJ4mG3Davy6faZzBdaA6pvxol+oKPwCfdMP1
0Y0AGa0xZak9Jr91c+4H+Ek=
=1Mw0
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed May 19 05:32:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B34C16A4CE for ; Wed, 19 May 2004 05:32:16 -0700 (PDT) Received: from smtp.des.no (flood.des.no [217.116.83.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7924143D1D for ; Wed, 19 May 2004 05:32:15 -0700 (PDT) (envelope-from des@des.no) Received: by smtp.des.no (Pony Express, from userid 666) id 2BA8A5312; Wed, 19 May 2004 14:31:54 +0200 (CEST) Received: from dwp.des.no (des.no [80.203.228.37]) by smtp.des.no (Pony Express) with ESMTP id 5F4D95310; Wed, 19 May 2004 14:31:45 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id 183AE33CAA; Wed, 19 May 2004 14:31:45 +0200 (CEST) To: amal References: <20040519072516.5771133CAE@dwp.des.no> <20040519113106.GB21714@droso.net> <200405190807.47669.ajasen@spamcop.net>
From: des@des.no (=?iso-8859-1?q?Dag-Erling_Sm=F8rgrav?=) Date: Wed, 19 May 2004 14:31:45 +0200 In-Reply-To: <200405190807.47669.ajasen@spamcop.net> (ajasen@spamcop.net's message of "Wed, 19 May 2004 08:07:18 -0400") Message-ID: User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on flood.des.no X-Spam-Level: X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.63 X-Content-Filtered-By: Mailman/MimeDel 2.1.1 cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 12:32:16 -0000 --=-=-= Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable amal writes: > My source tree was previously cvsuped to 5.2.1-RELEASE-p6. It's probably easier and safer for you to cvsup than to apply the patch manually. > I found cvs in /usr/src/contrib/cvs rather > than /usr/src/gnu/usr.bin/cvs, which is what the > advisory recommends. The sources are in contrib, but the build infrastructure is in gnu. Building and installing from /usr/src/contrib/cvs instead of /usr/src/gnu/usr.bin/cvs will *not* produce the correct results. > # cd /usr/src > # patch < /path/to/patch > > /* patch did not find the file to patch. */ Argh! I forgot to make sure the patch was relative to /usr/src. I'll upload a new patch (attached) ASAP. 
DES --=20 Dag-Erling Sm=F8rgrav - des@des.no --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=cvs.patch Index: contrib/cvs/src/server.c =================================================================== RCS file: /home/ncvs/src/contrib/cvs/src/server.c,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- contrib/cvs/src/server.c 15 Apr 2004 01:17:27 -0000 1.21 +++ contrib/cvs/src/server.c 19 May 2004 06:17:52 -0000 1.22 @@ -1645,7 +1645,7 @@ && strncmp (arg, name, cp - name) == 0) { timefield = strchr (cp + 1, '/') + 1; - if (*timefield != '=') + if (*timefield == '/') { cp = timefield + strlen (timefield); cp[1] = '\0'; @@ -1689,7 +1689,7 @@ && strncmp (arg, name, cp - name) == 0) { timefield = strchr (cp + 1, '/') + 1; - if (!(timefield[0] == 'M' && timefield[1] == '/')) + if (*timefield == '/') { cp = timefield + strlen (timefield); cp[1] = '\0'; --=-=-=-- From owner-freebsd-security@FreeBSD.ORG Wed May 19 20:30:39 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE2C416A4CE for ; Wed, 19 May 2004 20:30:39 -0700 (PDT) Received: from therub.org (pantheon-ws-13.direct.hickorytech.net [216.114.200.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id 77D3143D49 for ; Wed, 19 May 2004 20:30:39 -0700 (PDT) (envelope-from drue@therub.org) Received: from drue by therub.org with local (Exim 3.35 #1 (Debian)) id 1BQeGH-0007EA-00; Wed, 19 May 2004 22:30:25 -0500 Date: Wed, 19 May 2004 22:30:25 -0500 
From: Dan Rue To: Remko Lodder Message-ID: <20040520033024.GA26640@therub.org> References: <20040518160517.GA10067@therub.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.28i cc: freebsd-security@freebsd.org cc: "David E. Meier" Subject: Re: [Freebsd-security] Re: Multi-User Security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 May 2004 03:30:40 -0000

*Cough *Cough,

On Tue, May 18, 2004 at 06:08:52PM +0200, Remko Lodder wrote:
> Ahem,
>
> D> You generally would like to avoid giving people shell (ssh) access if
> D> you can avoid it.  If you must give shell access, it is best to set up a
> D> jail.
>
> D> However, if you're just doing backup/file access - shell access isn't
> D> necessary.  You can do ftps, (ports/ftp/bsdftpd-ssl), and easily use
> D> that to chroot users.  You can do sftp (without ssh shell access), but
> D> that's trickier to set up.
>
> real tricky :-> scponly-3.8_1|/usr/ports/shells/scponly|/usr/local|A tiny
> shell that only permits scp and
> sftp|/usr/ports/shells/scponly/pkg-descr|rushani@FreeBSD.org|shells|||http:/
> /www.sublimation.org/scponly/
> But not that hard.... ;-)

You obviously haven't tried to chroot scponly users.. _that's_ the
tricky part.  Especially if you want it to scale up beyond a handful of
users.  If I'm wrong - fill me in, I'd love to hear how to do it.
Dan From owner-freebsd-security@FreeBSD.ORG Wed May 19 04:27:01 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E9DCC16A4CF for ; Wed, 19 May 2004 04:27:01 -0700 (PDT) Received: from mail.droso.net (koala.droso.net [193.88.12.38]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D6DB43D45 for ; Wed, 19 May 2004 04:27:01 -0700 (PDT) (envelope-from erwin@mail.droso.net) Received: by mail.droso.net (Postfix, from userid 1001) id 208DF22871; Wed, 19 May 2004 13:26:46 +0200 (CEST) Date: Wed, 19 May 2004 13:26:46 +0200 
From: Erwin Lansing To: freebsd-security@freebsd.org Message-ID: <20040519112645.GA21714@droso.net> References: <20040519072516.5771133CAE@dwp.des.no> <40AB1734.BB7A8BC2@kuzbass.ru> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="huq684BweRXVnRxX" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.1i X-Operating-System: FreeBSD/i386 5.2.1-RELEASE-p1 X-Mailman-Approved-At: Thu, 20 May 2004 05:51:03 -0700 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-04:10.cvs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 May 2004 11:27:02 -0000

--huq684BweRXVnRxX
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, May 19, 2004 at 12:14:30PM +0200, Dag-Erling Smørgrav wrote:
> [redirected to the freebsd-security list]
> 
> Eugene Grosbein writes:
> > FreeBSD Security Advisories wrote:
> > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch
> > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:10/cvs.patch.asc
> > The directory does not exist (yet?)
> 
> I created the directory on ftp-master before I released the advisory,
> but it always takes time for mirrors to catch up.  We sometimes upload
> the patches in advance to give the mirrors time to catch up before the
> advisory goes out, but in this case (as in many others) we had a
> schedule to adhere to, and releasing the patches ahead of schedule
> might have placed other vendors at risk.

I just resync'ed the Danish half of ftp.freebsd.org by hand.  It's there now.
-erwin --=20 _._ _,-'""`-._ Erwin Lansing (,-.`._,'( |\`-/| erwin@lansing.dk http://droso.org `-.-' \ )-`( , o o) erwin@FreeBSD.org -bf- `- \`_`"'- --huq684BweRXVnRxX Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFAq0R1qy9aWxUlaZARAjAxAJ4trQFnqU63YrKeVu6daPl3KHIxwACg+ZVL PkD2cIcjDiVZupgMGgDvCEk= =ZrPV -----END PGP SIGNATURE----- --huq684BweRXVnRxX-- From owner-freebsd-security@FreeBSD.ORG Thu May 20 13:47:14 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B04F816A4CE for ; Thu, 20 May 2004 13:47:14 -0700 (PDT) Received: from dragon.roe.ch (line-zh-102-185.adsl.econophone.ch [212.53.102.185]) by mx1.FreeBSD.org (Postfix) with ESMTP id F0D3643D54 for ; Thu, 20 May 2004 13:47:11 -0700 (PDT) (envelope-from daniel@roe.ch) Received: from roe by dragon.roe.ch with LOCAL id 1BQuRa-0003Ww-00 for freebsd-security@freebsd.org; Thu, 20 May 2004 22:47:10 +0200 Date: Thu, 20 May 2004 22:47:10 +0200 
From: Daniel Roethlisberger
To: freebsd-security@freebsd.org
Message-ID: <20040520204710.GB12301@dragon.roe.ch>
References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org>
In-Reply-To: <20040520033024.GA26640@therub.org>
User-Agent: Mutt/1.5.4i
Subject: Re: [Freebsd-security] Re: Multi-User Security

Dan Rue [2004-05-19/22:30]:
> You obviously haven't tried to chroot scponly users.. _that's_ the
> tricky part. Especially if you want it to scale up beyond a handful
> of users. If I'm wrong - fill me in, I'd love to hear how to do it.

I second that. I've been chrooting sftp-only users for a while now, with
an approach similar to that of scponly, but I cannot say that my
solution is scaling particularly well...
:-/

Cheers,
Dan
--
Daniel Roethlisberger
GnuPG key ID 0x804A06B1 (DSA/ElGamal)

From owner-freebsd-security@FreeBSD.ORG Thu May 20 13:56:15 2004
Message-ID: <40AD1B6D.2050204@elvandar.org>
Date: Thu, 20 May 2004 22:56:13 +0200
From: Remko Lodder
Cc: freebsd-security@freebsd.org
References: <20040518160517.GA10067@therub.org> <20040520033024.GA26640@therub.org> <20040520204710.GB12301@dragon.roe.ch>
In-Reply-To: <20040520204710.GB12301@dragon.roe.ch>
Subject: Re: [Freebsd-security] Re: Multi-User Security

Hey Daniel and Dan,

Daniel Roethlisberger wrote:
> Dan Rue [2004-05-19/22:30]:
>
>> You obviously haven't tried to chroot scponly users.. _that's_ the
>> tricky part. Especially if you want it to scale up beyond a handful
>> of users. If I'm wrong - fill me in, I'd love to hear how to do it.
>
> I second that. I've been chrooting sftp-only users for a while now, with
> an approach similar to that of scponly, but I cannot say that my
> solution is scaling particularly well... :-/

Well, you are both correct that I did not implement the chroot thingy, but I
just responded for the "non shell required" thingy; you can do that as well
with the listed package. I personally don't have any scp-only users, so there
is no need for me to implement the given thingies. Excuse me if my information
could be interpreted differently than I meant.
Cheers
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

From owner-freebsd-security@FreeBSD.ORG Fri May 21 12:52:50 2004
Message-ID: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
From: "RazorOnFreeBSD"
Date: Fri, 21 May 2004 15:52:45 +0200
Subject: Hacked or not ?

Hi,

I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls ... INFECTED
ps ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
but I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:

ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
getuid() = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
break(0x809b000) = 0 (0x0)
break(0x809c000) = 0 (0x0)
break(0x809d000) = 0 (0x0)
break(0x809e000) = 0 (0x0)
........................................................................................... and so on!

And if I am an intrusion victim.... what can I do? How can I restore
those files? And how can I find out how this cracker managed to break my
firewall? I mean, where is the security hole?
PS: After verification on other commands declared not infected, I found
out this ERR#2 is common.... maybe I have another problem here!

Thanks everyone!
razor.

From owner-freebsd-security@FreeBSD.ORG Fri May 21 12:58:09 2004
Date: Fri, 21 May 2004 15:57:46 -0400
From: "Peter C. Lai"
To: RazorOnFreeBSD
Cc: freebsd-security@freebsd.org
Message-ID: <20040521195746.GE46542@cowbert.net>
In-Reply-To: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
User-Agent: Mutt/1.5.6i
Subject: Re: Hacked or not ?

> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ........................................................................................... and so on!

Looks normal to me here... not really sure why that is suspicious to you.
(It's just trying to load malloc.conf for malloc options.)

--
Peter C. Lai
University of Connecticut Dept.
of Molecular and Cell Biology
Yale University School of Medicine SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Fri May 21 13:03:07 2004
Date: Fri, 21 May 2004 21:02:54 +0100
From: Matthew Seaman
To: RazorOnFreeBSD
Cc: freebsd-security@freebsd.org
Message-ID: <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
User-Agent: Mutt/1.5.6i
Subject: Re: Hacked or not ?

On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED

Sheesh. Not this *again*. This is a false alarm: chkrootkit is
exceedingly sensitive to something about the way such programs work
under FreeBSD and has to be continually futzed so that it knows not to
complain on each successive version of FreeBSD. Comes up in this or
other FreeBSD lists just about every week.

Relax. You're not compromised. You just need better tools.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks
Savill Way
Marlow
Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614

From owner-freebsd-security@FreeBSD.ORG Fri May 21 13:10:35 2004
Date: Fri, 21 May 2004 22:12:23 +0200
From: azze
To: yann.luppo@attglobal.net
Cc: freebsd-security@freebsd.org
Reply-To: azze
Message-ID: <1379674329.20040521221223@bl0wf1sh.ath.cx>
Subject: Re: Hacked or not ?

maybe you should
- grep the 4.9-STABLE sources of chfn, chsh, date, ls, ps, build them and diff/md5 the built stuff
- ktrace(dump) the (current) ls, etc. with the (fresh) cvs version (rev for 4.9-S)
- just reinstall the system :)

R> Hi,
R> I have a 4.9-STABLE FreeBSD box apparently hacked!
R> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
R> Those are:
R> chfn ... INFECTED
R> chsh ... INFECTED
R> date ... INFECTED
R> ls ... INFECTED
R> ps ... INFECTED
R> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
R> I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
R> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
R> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
R> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
R> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
R> getuid() = 0 (0x0)
R> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
R> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
R> break(0x809b000) = 0 (0x0)
R> break(0x809c000) = 0 (0x0)
R> break(0x809d000) = 0 (0x0)
R> break(0x809e000) = 0 (0x0)
R> ........................................................................................... and so on!
R> And if I am an intrusion victim....
R> what can I do? How can I restore
R> those files? and how can I find out how this cracker did to break my
R> firewall? I mean where is the security hole?
R> PS: After verification on other commands declared not infected I found
R> out this ERR#2 is common.... maybe I have another problem here!
R> Thanks everyone!
R> razor.
R> _______________________________________________
R> freebsd-security@freebsd.org mailing list
R> http://lists.freebsd.org/mailman/listinfo/freebsd-security
R> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri May 21 13:31:52 2004
Message-ID: <026501c43f40$85493200$0f01a8c0@razor>
From: "RazorOnFreeBSD"
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk> <20040521161133.080c23d7@localhost>
Date: Fri, 21 May 2004 16:33:01 +0200
Subject: Re: Hacked or not ?

yes.... if you have any recommendation on something else?
I'm currently moving from chkrootkit 0.41 to 0.43; maybe it will help!
I'll send the response for the next people with this problem.... 'cause I don't want to be annoying, but after simple searches I didn't find an accurate solution or the right information for 4.x boxes!
For sure I didn't type in the right words if this post pops up every week, but I'm a newbie and future newbies will have the same problem and probably type the same key words.... and probably add another post on the same subject! Here I and they need a response to stop polluting the mailing list! Don't you think?

PS: This was just sort of a notice, nothing aggressive or whatever else you wouldn't like! I love everybody and everything on this planet, even cows.... (can I except terrorist people? Those are shit!)

Sorry for polluting.
razor's trying chkrootkit 0.43.

----- Original Message -----
From: "Tom Rhodes"
To: "Matthew Seaman"
Cc: "RazorOnFreeBSD"
Sent: Friday, May 21, 2004 10:11 PM
Subject: Re: Hacked or not ?

> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn ... INFECTED
> > > chsh ... INFECTED
> > > date ... INFECTED
> > > ls ... INFECTED
> > > ps ... INFECTED
> >
> > Sheesh. Not this *again*. This is a false alarm: chkrootkit is
> > exceedingly sensitive to something about the way such programs work
> > under FreeBSD and has to be continually futzed so that it knows not to
> > complain on each successive version of FreeBSD. Comes up in this or
> > other FreeBSD lists just about every week.
> >
> > Relax. You're not compromised. You just need better tools.
> >
>
> I love the "just need better tools." without any recommendation
> for him.
>
> --
> Tom Rhodes

From owner-freebsd-security@FreeBSD.ORG Fri May 21 13:35:22 2004
Date: Fri, 21 May 2004 16:36:58 -0400
From: Nigel Houghton
To: RazorOnFreeBSD
Cc: freebsd-security@FreeBSD.org
Message-ID: <20040521203658.GN513@enterprise.sfeng.sourcefire.com>
In-Reply-To: <026501c43f40$85493200$0f01a8c0@razor>
Subject: Re: Hacked or not ?

On 0, RazorOnFreeBSD allegedly wrote:
> yes.... if you have any recommendation on something else?

You might like to check out rkhunter at
http://www.rootkit.nl/projects/rootkit_hunter.html

-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr.
From owner-freebsd-security@FreeBSD.ORG Fri May 21 14:41:10 2004
Date: Fri, 21 May 2004 22:40:58 +0100
From: Matthew Seaman
To: Tom Rhodes
Cc: freebsd-security@FreeBSD.org, RazorOnFreeBSD
Message-ID: <20040521214058.GD89897@happy-idiot-talk.infracaninophile.co.uk>
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <20040521200254.GC89897@happy-idiot-talk.infracaninophile.co.uk> <20040521161133.080c23d7@localhost>
In-Reply-To: <20040521161133.080c23d7@localhost>
User-Agent: Mutt/1.5.6i
Subject: Re: Hacked or not ?

On Fri, May 21, 2004 at 04:11:33PM -0400, Tom Rhodes wrote:
> On Fri, 21 May 2004 21:02:54 +0100
> Matthew Seaman wrote:
>
> > On Fri, May 21, 2004 at 03:52:45PM +0200, RazorOnFreeBSD wrote:
> >
> > > I have a 4.9-STABLE FreeBSD box apparently hacked!
> > > Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> > > Those are:
> > > chfn ... INFECTED
> > > chsh ... INFECTED
> > > date ... INFECTED
> > > ls ... INFECTED
> > > ps ... INFECTED
> >
> > Sheesh. Not this *again*.
This is a false alarm: chkrootkit is > > exceedingly sensitive to something about the way such programs work > > under FreeBSD and has to be continually futzed so that it knows not to > > complain on each successive version of FreeBSD. Comes up in this or > > other FreeBSD lists just about every week. > >=20 > > Relax. You're not compromised. You just need better tools. > >=20 >=20 > I love the "just need better tools." without any recommendation > for him. Well, the question was "has my machine been compromised", which I answered. =20 The current version of chkrootkit in ports (0.43) has a problem whereby it thinks FreeBSD 4.10 is a higher version than FreeBSD 5.0, which means that it reports certain programs are infected because they *don't* fail in the expected way found on 5.0 or above. Here's a patch: --- chkrootkit.orig Fri May 21 22:19:16 2004 +++ chkrootkit Fri May 21 22:36:29 2004 @@ -257,7 +257,7 @@ { prog=3D"" if [ \( "${SYSTEM}" =3D "Linux" -o \( "${SYSTEM}" =3D "FreeBSD" -a \ - ${V} -gt 43 \) \) -a "${ROOTDIR}" =3D "/" ]; then + ${V} -gt 403 \) \) -a "${ROOTDIR}" =3D "/" ]; then [ ! -x /usr/local/sbin/chkproc ] && prog=3D"/usr/local/sbin/chkproc" [ ! -x /usr/local/sbin/chkdirs ] && prog=3D"$prog /usr/local/sbin/ch= kdirs" if [ "$prog" !=3D "" ]; then @@ -1080,7 +1080,7 @@ STATUS=3D${INFECTED} fi;; FreeBSD) - [ $V -gt 50 ] && n=3D1 || n=3D2 + [ $V -gt 500 ] && n=3D1 || n=3D2 if [ `${strings} -a ${CMD} | \ ${egrep} -c "${GENERIC_ROOTKIT_LABEL}"` -ne $n ] then @@ -1114,7 +1114,7 @@ fi fi;; FreeBSD) - [ $V -gt 50 ] && n=3D1 || n=3D2 + [ $V -gt 500 ] && n=3D1 || n=3D2 if [ `${strings} -a ${CMD} | ${egrep} -c "${GENERIC_ROOTKIT_LABE= L}"` -ne $n ] then STATUS=3D${INFECTED} 
@@ -1145,10 +1145,10 @@ ret=3D`${strings} -a ${CMD} | ${egrep} -c "${GENERAL}"` if [ ${ret} -gt 0 ]; then case ${ret} in - 1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 27 -o ${V} -ge 30 ] && \ + 1) [ "${SYSTEM}" =3D "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300 ] &= & \ STATUS=3D${NOT_INFECTED} || STATUS=3D${INFECTED};; 2) [ "${SYSTEM}" =3D "FreeBSD" -o ${SYSTEM} =3D "NetBSD" -o ${SYS= TEM} =3D \ -"OpenBSD" -a ${V} -ge 28 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INFE= CTED};; +"OpenBSD" -a ${V} -ge 208 ] && STATUS=3D${NOT_INFECTED} || STATUS=3D${INF= ECTED};; =20 *) STATUS=3D${INFECTED};; esac @@ -1622,7 +1622,7 @@ expertmode_output "${ls} -l ${CMD}" return 5 fi - [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 50 ] && + [ "${SYSTEM}" =3D "FreeBSD" -a $V -gt 500 ] && { if [ `${strings} -a ${CMD} | ${egrep} "${GENERIC_ROOTKIT_LABEL}" | \ ${egrep} -c "$S_L"` -ne 2 ]; then 
@@ -2398,9 +2398,9 @@ SYSTEM=3D`${uname} -s` VERSION=3D`${uname} -r` if [ "${SYSTEM}" !=3D "FreeBSD" -a ${SYSTEM} !=3D "OpenBSD" ] ; then - V=3D44 + V=3D404 else - V=3D`echo $VERSION | cut -d- -f 1 | ${sed} 's/\.//g'` + V=3D$(( `echo $VERSION | cut -d- -f 1 | ${sed} 's/\./ * 100 + /g'` )) fi =20 # ps command Better tools in this case: in this case, I'd say tripwire or one of the work-alikes. =20 Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way PGP: http://www.infracaninophile.co.uk/pgpkey Marlow Tel: +44 1628 476614 Bucks., SL7 1TH UK --iVCmgExH7+hIHJ1A Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (FreeBSD) iD8DBQFArndqiD657aJF7eIRAiRxAKC1khe6tvA4zXKIK2Weh/TRZevaewCggUvh 2cOfVvjSgzeqZRzp6c07f10= =6uto -----END PGP SIGNATURE----- --iVCmgExH7+hIHJ1A-- From owner-freebsd-security@FreeBSD.ORG Fri May 21 21:30:02 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D49A016A4CE for ; Fri, 21 May 2004 21:30:02 -0700 (PDT) Received: from dreadful.org (dreadful.org [209.237.255.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1EAE43D39 for ; Fri, 21 May 2004 21:30:02 -0700 (PDT) (envelope-from dan@dreadful.org) Received: from dreadful.org (localhost.servforce.com [127.0.0.1]) by dreadful.org (Postfix) with ESMTP id B22A611477; Fri, 21 May 2004 21:37:40 -0700 (PDT) Received: from localhost (dan@localhost) by dreadful.org (8.12.10/8.12.10/Submit) with ESMTP id i4M4bejl066898; Fri, 21 May 2004 21:37:40 -0700 (PDT) (envelope-from dan@dreadful.org) Date: Fri, 21 May 2004 21:37:40 -0700 (PDT) 
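Review bot: `[ $V -gt 500 ] && n=1 || n=2` in the `-1080` hunk (and the identical tests in the `-1114` and `-1622` hunks) still excludes 5.0-RELEASE itself, since 500 is not greater than 500, while the covering text says the different string count is found on 5.0 or above; if 5.0 really behaves like later 5.x releases, these three tests want `-ge 500`, and if 5.0 is deliberately grouped with 4.x, a one-line comment saying so would stop the next reader from asking the same question.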
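Review bot: the `1)` case in the `-1145` hunk keeps `"${SYSTEM}" = "OpenBSD" -a ${V} -le 207 -o ${V} -ge 300` without grouping; test(1) binds `-a` tighter than `-o`, so `${V} -ge 300` is evaluated on every system, and with the new encoding any FreeBSD or NetBSD release from 3.0 up (V >= 300) reaches NOT_INFECTED through what reads as an OpenBSD-only clause. If both bounds are meant to apply to OpenBSD only, write `\( "${SYSTEM}" = "OpenBSD" -a \( ${V} -le 207 -o ${V} -ge 300 \) \)`; if the current behaviour is intended, the line deserves a comment, because the renumbering makes the precedence even less obvious.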
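Review bot: the replacement `sed 's/\./ * 100 + /g'` in the `-2398` hunk multiplies every dot-separated component by 100, so a three-part release string such as 5.2.1 (`cut -d- -f 1` removes `-RELEASE-p1` but not the third component) evaluates to 5*100 + 2*100 + 1 = 701 rather than 502. It still sorts above 500, so the 5.x tests come out right, but it is not the major*100+minor encoding that the constants in the other hunks (403, 500, 207, 208, 300) assume; piping through `cut -d. -f1-2` before the sed, or restricting the substitution to the first dot, would make the scheme consistent.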
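The version-number bug Matthew describes, as an added example that is not part of the thread or of chkrootkit itself: the original script strips the dots from `uname -r`, so 4.10 becomes 410 and 5.0 becomes 50, while the patched form scores each component times 100. Function names are my own, and the release strings are constructed.

```shell
#!/bin/sh
# Added example (not chkrootkit's own code; function names are assumptions)
# showing why chkrootkit 0.43 mistook FreeBSD 4.10 for a 5.x system and
# what the patch in the thread changes. Both schemes start from `uname -r`.

# Original scheme: drop the "-RELEASE"/"-STABLE" suffix and every dot.
# "4.9" -> 49, "4.10" -> 410, "5.0" -> 50: string-stripping breaks the
# ordering as soon as a minor number reaches two digits.
version_code_buggy() {
    echo "$1" | cut -d- -f 1 | sed 's/\.//g'
}

# Patched scheme: each dot becomes " * 100 + " and the shell evaluates the
# result, so "4.10" -> 4*100+10 = 410 and "5.0" -> 5*100+0 = 500.
# Caveat: a third component ("5.2.1") is multiplied by 100 as well,
# giving 5*100 + 2*100 + 1 = 701 rather than 502.
version_code_patched() {
    echo $(( $(echo "$1" | cut -d- -f 1 | sed 's/\./ * 100 + /g') ))
}

# chkrootkit counts occurrences of a rootkit-label string in a binary and
# expects 1 match on FreeBSD 5.x but 2 matches on older releases. These
# mirror the threshold test of each script version (50 before the patch,
# 500 after it) and print the match count that is considered "clean".
expected_matches_buggy() {
    if [ "$(version_code_buggy "$1")" -gt 50 ]; then echo 1; else echo 2; fi
}

expected_matches_patched() {
    if [ "$(version_code_patched "$1")" -gt 500 ]; then echo 1; else echo 2; fi
}

# Walk the releases that matter for the thread and show where the two
# schemes disagree. Constructed uname -r strings, not taken from any host.
demo() {
    for rel in 4.9-STABLE 4.10-RELEASE 5.0-RELEASE 5.2.1-RELEASE-p1; do
        printf '%-18s buggy: V=%-4s n=%s   patched: V=%-4s n=%s\n' "$rel" \
            "$(version_code_buggy "$rel")" "$(expected_matches_buggy "$rel")" \
            "$(version_code_patched "$rel")" "$(expected_matches_patched "$rel")"
    done
}

demo
```

The 4.10 row is the false positive from the thread: the buggy scheme expects one label match (the 5.x rule) on a 4.x binary that legitimately has two.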
From: Daniel Spielman
To: RazorOnFreeBSD
Cc: freebsd-security@freebsd.org
Message-ID: <20040521213623.D16177@dreadful.org>
In-Reply-To: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>
Subject: Re: Hacked or not ?

Razor,

Download the source and recompile those binaries and see if chkrootkit
gives you the same 'INFECTED' messages.

Daniel M. Spielman

On Fri, 21 May 2004, RazorOnFreeBSD wrote:

> Hi,
>
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED
>
> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> I know by the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x
> But I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
>
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ........................................................................................... and so on!
>
> And if I am an intrusion victim.... what can I do ? How can I restore those files?
> and what did this cracker do to break my firewall? I mean where is the security hole?
> PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
>
> Thanks everyone!
> razor.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Sat May 22 06:08:02 2004
Message-ID: <031a01c43fcb$a45fcfb0$0f01a8c0@razor>
From: "RazorOnFreeBSD"
References: <021f01c43f3a$e7eb7f40$0f01a8c0@razor> <40AF19B2.1090905@computerpech.nl>
Date: Sat, 22 May 2004 09:08:53 +0200
Subject: Re: Hacked or not ?

Thanks a lot everyone, I have enough to work on ;)
You were really helpful, and for sure those who will use the mailing list search function will appreciate it too!

razor

----- Original Message -----
From: "M. Boelen"
To: "RazorOnFreeBSD"
Sent: Saturday, May 22, 2004 11:13 AM
Subject: Re: Hacked or not ?

> Hi,
>
> Someone else already told you about Rootkit Hunter, but forgot to
> say you can install it from the FreeBSD Ports collection
> (/usr/ports/security/rkhunter) ;-)
>
> (it has been added this month, so a lot of FreeBSD users don't know it
> yet)
>
> Michael Boelen
> Author of Rootkit Hunter
>
> --
>
> This is my mailbox. There are many like it but this one is mine.
> My mailbox is my best friend. It is my life. I must master it as I
> master my life.
>
> My mailbox, without me is useless. Without my mailbox, I am useless.
> I must empty my mailbox true. I must clean him before he gets full.
> I will....
>
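The recompile-and-compare check Daniel Spielman suggests earlier in this thread, written out as an added POSIX sh example (not code from the thread, from chkrootkit or from rkhunter); the two root directories and the FreeBSD 4.x paths of the five flagged binaries are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread: compares the binaries chkrootkit
# flagged against copies rebuilt from source. REBUILT_ROOT and LIVE_ROOT are
# placeholders (constructed for this example): REBUILT_ROOT is a DESTDIR
# populated from a clean checkout of the same source revision, LIVE_ROOT is
# the running system. Building from /usr/src on the suspect machine itself is
# weaker evidence, because that source tree could have been altered as well.

# The binaries chkrootkit reported as INFECTED, at their FreeBSD 4.x paths.
FLAGGED_BINARIES="usr/bin/chfn usr/bin/chsh bin/date bin/ls bin/ps"

# compare_binary REBUILT_ROOT LIVE_ROOT RELATIVE_PATH
# Prints one status line; returns 0 on a byte-for-byte match, 1 when the
# two files differ, 2 when either copy is missing.
compare_binary() {
    ref="$1/$3"
    live="$2/$3"
    [ -f "$ref" ]  || { echo "MISSING-REF $3";  return 2; }
    [ -f "$live" ] || { echo "MISSING-LIVE $3"; return 2; }
    if cmp -s "$ref" "$live"; then
        echo "MATCH $3"
        return 0
    fi
    # A mismatch is a lead, not proof: different CFLAGS, a different source
    # revision or a re-linked libc also change the bytes. Print checksums so
    # the copies can be compared with install media or a known-good host.
    echo "DIFFER $3 ref=$(cksum < "$ref" | cut -d' ' -f1) live=$(cksum < "$live" | cut -d' ' -f1)"
    return 1
}

# compare_all REBUILT_ROOT LIVE_ROOT
# Checks every flagged binary; the return value is the number of binaries
# that did not match (0 means all five were identical).
compare_all() {
    mismatches=0
    for rel in $FLAGGED_BINARIES; do
        compare_binary "$1" "$2" "$rel" || mismatches=$((mismatches + 1))
    done
    return $mismatches
}

# Usage: sh compare_flagged.sh /path/to/rebuilt-destdir /
if [ "$#" -eq 2 ]; then
    compare_all "$1" "$2"
fi
```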