From: "M. Boelen" <michael@computerpech.nl>
Date: Sat, 22 May 2004 11:13:22 +0200
To: RazorOnFreeBSD
Cc: freebsd-security@freebsd.org
Subject: Re: Hacked or not ?
Message-ID: <40AF19B2.1090905@computerpech.nl>
In-Reply-To: <021f01c43f3a$e7eb7f40$0f01a8c0@razor>

Hi,

Someone else already told you about Rootkit Hunter, but forgot to say that you can install it from the FreeBSD Ports collection (/usr/ports/security/rkhunter) ;-) (it has been added this month, so a lot of FreeBSD users don't know it yet)

Michael Boelen
Author of Rootkit Hunter

> Hi,
>
> I have a 4.9-STABLE FreeBSD box apparently hacked!
> Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs.
> Those are:
> chfn ... INFECTED
> chsh ... INFECTED
> date ... INFECTED
> ls ... INFECTED
> ps ... INFECTED
>
> But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
> I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
> but I'm not in that case. So I'm a little bit afraid and as a newbie I don't really know what to do....
> I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:
>
> ioctl(1,TIOCGETA,0xbfbff534) = 0 (0x0)
> ioctl(1,TIOCGWINSZ,0xbfbff5a8) = 0 (0x0)
> getuid() = 0 (0x0)
> readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory' #SUSPICIOUS
> mmap(0x0,4096,0x3,0x1002,-1,0x0) = 671666176 (0x2808d000)
> break(0x809b000) = 0 (0x0)
> break(0x809c000) = 0 (0x0)
> break(0x809d000) = 0 (0x0)
> break(0x809e000) = 0 (0x0)
> ........................................ and so on!
>
> And if I am an intrusion victim.... what can I do? How can I restore those files? And how can I find out what this cracker did to break my firewall? I mean, where is the security hole?
> PS: After verification on other commands declared not infected I found out this ERR#2 is common.... maybe I have another problem here!
>
> Thanks everyone!
> razor.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
This is my mailbox. There are many like it but this one is mine. My mailbox is my best friend. It is my life. I must master it as I master my life. My mailbox, without me, is useless. Without my mailbox, I am useless. I must empty my mailbox true. I must clean him before he gets full. I will....
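The readlink() of malloc.conf in that truss output is FreeBSD's libc allocator (phkmalloc) checking for its /etc/malloc.conf options link at startup, which is why the same ERR#2 shows up in programs chkrootkit called clean; what settles "hacked or not" is whether the flagged binaries still match a baseline taken from a trusted system. The following is an added example of such a baseline-and-verify check (my own code, not part of rkhunter or chkrootkit), run against constructed stand-in files in a temporary directory rather than the real /usr/bin:

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record hash, size and permission bits of each path on a known-clean host."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[p] = {"sha256": sha256_file(p), "size": st.st_size,
                       "mode": st.st_mode & 0o7777}
    return baseline


def verify(baseline):
    """Return {path: reason} for every file that no longer matches the baseline."""
    findings = {}
    for p, want in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
        elif os.stat(p).st_mode & 0o7777 != want["mode"]:
            findings[p] = "mode changed"      # e.g. a setuid bit that was not there
        elif os.stat(p).st_size != want["size"]:
            findings[p] = "size changed"
        elif sha256_file(p) != want["sha256"]:
            findings[p] = "hash changed"      # same size, different bytes
    return findings


def demo():
    """Constructed scenario: a fake bin/ in a temp dir, baselined, then tampered with."""
    root = tempfile.mkdtemp()
    names = ["chfn", "chsh", "date", "ls", "ps"]   # the binaries chkrootkit flagged
    for n in names:
        with open(os.path.join(root, n), "wb") as f:
            f.write(b"placeholder for " + n.encode())   # stand-in for an ELF binary
        os.chmod(os.path.join(root, n), 0o755)
    baseline = build_baseline([os.path.join(root, n) for n in names])
    # Tamper after the baseline: 'ls' gets same-size different bytes, 'ps' gains setuid.
    with open(os.path.join(root, "ls"), "wb") as f:
        f.write(b"placeholder for LS")
    os.chmod(os.path.join(root, "ps"), 0o4755)
    return {os.path.basename(p): why for p, why in verify(baseline).items()}
```

A baseline is only as trustworthy as the host it was taken on, so capture it from install media or a freshly built world, not from the machine under suspicion.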
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Date: Wed, 26 May 2004 13:32:51 +0200 (CEST)
Subject: FreeBSD Security Advisory FreeBSD-SA-04:11.msync
Message-Id: <20040526113251.E234533CAE@dwp.des.no>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:11.msync                                      Security Advisory
                                                          The FreeBSD Project

Topic:          buffer cache invalidation implementation issues

Category:       core
Module:         sys
Announced:      2004-05-26
Credits:        Stephan Uphoff
                Matt Dillon
Affects:        All FreeBSD versions prior to the correction date
Corrected:      2004-05-25 22:46:38 UTC (RELENG_4, 4.10-STABLE)
                2004-05-25 23:07:55 UTC (RELENG_5_2, 5.2.1-RELEASE-p8)
                2004-05-22 23:09:19 UTC (RELENG_4_10, 4.10-RELEASE)
                2004-05-25 23:01:21 UTC (RELENG_4_9, 4.9-RELEASE-p9)
                2004-05-25 23:01:19 UTC (RELENG_4_8, 4.8-RELEASE-p22)
CVE Name:       CAN-2004-0435
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The msync(2) system call is used by applications to request that modified
memory pages are written to permanent storage.

II.  Problem Description

Programming errors in the implementation of the msync(2) system call
involving the MS_INVALIDATE operation lead to cache consistency problems
between the virtual memory system and on-disk contents.

III. Impact

In some situations, a user with read access to a file may be able to
prevent changes to that file from being committed to disk.

IV.  Workaround

There is no workaround.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_10, RELENG_4_9, or RELENG_4_8 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9,
4.10 and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.2]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:11/msync5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:11/msync5.patch.asc

[FreeBSD 4.8, 4.9, 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:11/msync4.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:11/msync4.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/sys/ufs/ufs/ufs_readwrite.c                               1.65.2.16
  src/sys/vm/vm_map.c                                          1.187.2.30
RELENG_4_10
  src/sys/ufs/ufs/ufs_readwrite.c                           1.65.2.14.4.1
  src/sys/vm/vm_map.c                                      1.187.2.24.2.4
RELENG_4_9
  src/UPDATING                                             1.73.2.89.2.10
  src/sys/conf/newvers.sh                                  1.44.2.32.2.10
  src/sys/ufs/ufs/ufs_readwrite.c                           1.65.2.14.2.1
  src/sys/vm/vm_map.c                                      1.187.2.23.2.1
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.25
  src/sys/conf/newvers.sh                                  1.44.2.29.2.23
  src/sys/ufs/ufs/ufs_readwrite.c                           1.65.2.13.2.1
  src/sys/vm/vm_map.c                                      1.187.2.17.2.1
RELENG_5_2
  src/UPDATING                                                 1.282.2.16
  src/sys/conf/newvers.sh                                       1.56.2.15
  src/sys/ufs/ffs/ffs_vnops.c                                   1.119.2.1
  src/sys/vm/vm_object.c                                        1.317.2.1
- -------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAtH2pFdaIBMps37IRAmycAJ0cv/iG6NlGBsC1xT4gg/Gx3lF8DwCghfHl
G2wdUNyfvhz0u3kFB9pH41c=
=SK1u
-----END PGP SIGNATURE-----

From: "bofn" <bofn@sqnork.irq.org>
To: freebsd-security@freebsd.org
Date: Sat, 29 May 2004 05:43:23 +0200
Subject: X & securelevel=3

running (4-Stable)

Hi,

Short form question: how does one run XDM under securelevel>0?

Long version: I've searched for an answer on how to run Xfree/Xorg at a securelevel. The X server likes access to /dev/io and some other resources but is not granted access after security is switched on. One way of doing it seems to be to start it before setting the securelevel, but then it doesn't allow a restart of X. The other option seems to be the Aperture patch, ported in 2001 with no recent updates and no longer usable against the current software.

2nd part of the question: CD writing needs direct access to /dev/ and that is also not allowed in secure mode. How can one give selective access to only allow (RW) access to one or two devices?

If there is no way of doing these things with configs and such, can anyone point me at the relevant source code that controls these functions so I can add this specific functionality?

Cheers
* Anna