From: Zoran Kolic
To: freebsd-security@freebsd.org
Date: Tue, 30 Aug 2011 05:38:54 +0200
Message-ID: <20110830033854.GA1064@faust>
Subject: turtle rootkit

Someone has seen an article on this on PacketStormSecurity?
http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz

Best regards all
Zoran


From: Clément Lecigne
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Date: Tue, 30 Aug 2011 11:53:12 +0200
In-Reply-To: <20110830033854.GA1064@faust>
Subject: Re: turtle rootkit

Hi,

2011/8/30 Zoran Kolic:
> Someone has seen an article on this on PacketStormSecurity?
> http://packetstorm.unixteacher.org/UNIX/penetration/rootkits/Turtle2.tar.gz
> Best regards all

What do you want? It's just a basic rootkit that hooks some specific entries inside the sysent table.

It can be detected by checking if a device /dev/turtle2dev exists, or by sending an ICMP echo request with a payload starting with a double '_': if the rootkit is loaded, no reply will be returned.

[root@clem1 ~/koda/Turtle2/module]# hping -c 1 -n 127.0.0.1 -e "__foo" -1
HPING 127.0.0.1 (lo0 127.0.0.1): icmp mode set, 28 headers + 5 data bytes
[main] memlockall(): No such file or directory
Warning: can't disable memory paging!

--- 127.0.0.1 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss

These tricks can be implemented inside rkhunter and/or chkrootkit.

Best regards,
-- 
Clément LECIGNE, "In Python, how do you create a string of random characters? Read a Perl file!"


From: ian ivy
To: freebsd-security@freebsd.org
Date: Sat, 3 Sep 2011 19:32:37 +0200
Subject: Which algorithm is used for IP fragmentation ID?

Hello everyone. It is my first post on this mailing list.

As we know, in FreeBSD there is a pseudo random number generator (PRNG) for the random IP fragmentation ID. It is available when the "net.inet.ip.random_id" sysctl variable is set to 1 (default 0).

I would like to know which algorithm (X2, X3 or A0, or another one) is used in FreeBSD 8.1-RELEASE or, better, in the 8 branch?

Which algorithm is used in FreeBSD for packet filtering (IP packet normalization, or e.g. scrub on $ext_if ... random-id for the PF ruleset), the pfsync interface protocol and (if the kernel flag "net.inet.ip.random_id" is set to 1) for "regular" IP traffic (with TCP/UDP), IP multicast routing... etc?

Best regards!
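As an added example (not from the thread and not part of the Turtle2 code), here is a small Python checker that implements the two indicators Clément describes: the /dev/turtle2dev node and an ICMP echo request whose payload starts with '__', paired with a control probe using a normal payload so that a host that simply drops all ICMP is reported as inconclusive rather than as hooked. The payload strings are constructed, and the raw socket needs root.

```python
import os
import select
import socket
import struct

TURTLE_DEVICE = "/dev/turtle2dev"   # device node named in the thread
MARKED = b"__turtle-probe"          # constructed payload starting with a double '_'
CONTROL = b"ok-turtle-probe"        # constructed control payload; a healthy host answers this

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP echo request (type 8, code 0) with the checksum filled in."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def got_reply(host: str, payload: bytes, timeout: float = 2.0) -> bool:
    """Send one echo request carrying payload; True if a matching echo reply arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)  # needs root
    try:
        ident = os.getpid() & 0xFFFF
        sock.sendto(build_echo_request(ident, 1, payload), (host, 0))
        if not select.select([sock], [], [], timeout)[0]:
            return False
        data, _ = sock.recvfrom(2048)
        ihl = (data[0] & 0x0F) * 4                       # skip the IPv4 header
        icmp_type, _, _, reply_id, _ = struct.unpack("!BBHHH", data[ihl:ihl + 8])
        return icmp_type == 0 and reply_id == ident      # type 0 = echo reply
    finally:
        sock.close()

def classify(device_found: bool, control_replied: bool, marked_replied: bool) -> str:
    """Combine the indicators; silence on '__' only counts if the control probe was answered."""
    if device_found:
        return "suspicious: /dev/turtle2dev exists"
    if control_replied and not marked_replied:
        return "suspicious: host answers ICMP but drops '__' payloads"
    if not control_replied:
        return "inconclusive: host does not answer ICMP at all"
    return "no Turtle2 indicator"

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(classify(os.path.exists(TURTLE_DEVICE), got_reply(target, CONTROL), got_reply(target, MARKED)))
```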