From owner-freebsd-security Sun Dec 7 07:01:52 1997
Date: Sun, 7 Dec 1997 15:59:40 +0100 (MET)
From: Marco Molteni
To: freebsd-security@freebsd.org
Subject: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)

Hi all,

I thought someone could be interested in this program, a port scanner
which seems more featureful than strobe (a port scanner in the FreeBSD
ports).

This program is developed on Linux but, as the author said, should run
on BSD variants also.

Cheers

Marco Molteni
Computer Science student at the Universita' degli studi di Milano, Italy.
"Whuffo you jump out of them airplanes?"

---------- Forwarded message ----------
Date: Fri, 5 Dec 1997 09:01:57 -0600 (CST)
From: "Craig H. Rowland"
Reply-To: linux-security@redhat.com
To: linux-security@redhat.com
Subject: [linux-security] New Program: Abacus Sentry - Port Scan Detector
Resent-Date: 6 Dec 1997 21:59:37 -0000
Resent-From: linux-security@redhat.com

Hello,

I just made available a beta version of a port scan detector that I've
been working on. The program, called Abacus Sentry, is a port scan/probe
detector that offers what I think are a number of unique and useful
features:

- Runs on TCP or UDP sockets. Configurable by the user to bind to
  multiples of sockets for increased detection coverage.
- Adjustable scan detection value with "state" engine to track past host
  connections and alarm when a threshold of connections is passed.
- The ability to react to a port sweep in real time. Abacus Sentry will
  take any of the following actions when a port sweep is detected:
  - Add the target host to the local Linux filter list using ipfwadm.
  - Drop the route to the target host via the route command.
  - Add the target host to the local TCP wrappers hosts.deny file.
  - Execute an external program.
  - Fully log the attacking host IP and port numbers to syslog.
- Uses essentially zero system resources when running.
- It's Free.

The software was developed on Linux, but uses code that is portable to
many platforms. It has been tested on Linux, BSDI, and should compile on
most BSD variants. I have personally tested it on Solaris 2.5.1, but
there is a mod you need to make because of the use of snprintf's within
the code (I will include a snprintf function in later releases).

The code is currently in Beta and is version 0.08 at the time of this
writing. The code is available for testing now and I'm especially
looking for code reviews and suggestions to improve it.
You can find the program at:

http://www.psionic.com/abacus/abacus_sentry.html

Thanks,

-- Craig
http://www.psionic.com

Here is the configuration file to give you the idea of the options
available:

# Abacus Sentry Configuration
#
# $Id: abacus_sentry.conf,v 1.8 1997/12/05 07:31:38 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
# Be sure your DEAD_ROUTE points to a local subnet address that is dead.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.

#######################
# Port Configurations #
#######################
#
#
# Some example port configs
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,2000,2001,4000,4001,6000,6001,6667,32771,32772,32773,32774,31337"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,119,143,540,2000,6000,6667,31337,32771,32772,32773,32774"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,143,540,2000,6000,32771,32772,32773,32774"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774"

######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/abacus/abacus_sentry.ignore"
# Hosts that have been denied
BLOCKED_FILE="/usr/local/abacus/abacus_sentry.blocked"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected.
#
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# If you are going to use the route command to do this you MUST
# MAKE SURE THE GATEWAY IS A DEAD HOST (333.444.555.666) on the
# local network or you may get bizarre results on the local segment.

# Generic Linux
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Generic BSD (BSDI)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# If you want both (why?) then add this command to the KILL_RUN_CMD
# section. This I think is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o

###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (ping of death, winnuke, death threat, etc.), but
# use this with caution.
# This command is executed before the route is
# dropped to ensure that your "package" is delivered whatever that may
# be. It is disabled by default.
#
#KILL_RUN_CMD="/some/path/here/ping_of_death $TARGET$"

#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified.
#
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the Sentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** Administrators alerted to your connection. Go Away."

# EOF

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe test-list-request@redhat.com < /dev/null

From owner-freebsd-security Sun Dec 7 08:33:29 1997
To: Marco Molteni
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)
From: Julian Assange
Date: 08 Dec 1997 03:30:42 +1100
In-Reply-To: Marco Molteni's message of "Sun, 7 Dec 1997 15:59:40 +0100 (MET)"

Marco Molteni writes:

> Hi all,
>
> I thought someone could be interested in this program, a port scanner
> which seems more featureful than strobe (a port scanner in the
> FreeBSD ports).
>
> This program is developed on Linux but, as the author said, should
> run on BSD variants also.
>
> Cheers
>
> Marco Molteni
> Computer Science student at the Universita' degli studi di Milano, Italy.
> "Whuffo you jump out of them airplanes?"

Well, it's actually a port-scan detector, so I don't think the feature
comparison vis-a-vis strobe really stacks up :)

--
Prof. Julian Assange   |"Don't worry about people stealing your ideas. If your
                       | ideas are any good, you'll have to ram them down
proff@iq.org           | people's throats." -- Stolen quote from Howard Aiken
proff@gnu.ai.mit.edu   | http://underground.org/book

From owner-freebsd-security Sun Dec 7 09:24:57 1997
From: Guido van Rooij
Message-Id: <199712071724.SAA25469@gvr.gvr.org>
Subject: Re: CERT Advisory CA-97.26 - statd (fwd)
In-Reply-To: from Robert Watson at "Dec 5, 97 08:50:12 pm"
To: robert+freebsd@cyrus.watson.org
Date: Sun, 7 Dec 1997 18:24:44 +0100 (MET)
Cc: security@freebsd.org

Robert Watson wrote:
>
> Does this affect the rpc.statd included with FreeBSD? The other two BSD's
> listed appear to be fine..

No. The reported bug does not apply to the statd shipped with FreeBSD.

-Guido

From owner-freebsd-security Sun Dec 7 12:40:20 1997
From: tqbf@joshua.enteract.com
Date: 7 Dec 1997 20:40:13 -0000
Message-ID: <19971207204013.7135.qmail@joshua.enteract.com>
To: molter@logic.it, freebsd-security@freebsd.org
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)
Reply-To: tqbf@enteract.com

In muc.lists.freebsd.security, you wrote:
>I thought someone could be interested in this program, a port scanner
>which seems more featureful than strobe (a port scanner in the
>FreeBSD ports).

It's not a port scanner. It's a bad port-scan detector; it's designed to
tell you when things like strobe (excellent program) are run against your
host.

It also doesn't work. In general, you need low-level network access
(packet capture) to really detect port-scans, because it's not hard to
find out if a TCB exists without tickling accept(). "Sentry" just binds to
a bunch of ports and trusts that if someone probes one of them, it'll
notice.

--
-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                          "mmm... sacrilicious"

From owner-freebsd-security Sun Dec 7 13:02:48 1997
Date: Sun, 7 Dec 1997 22:01:22 +0100 (MET)
From: Marco Molteni
Reply-To: Marco Molteni
To: freebsd-security@FreeBSD.ORG
cc: tqbf@enteract.com, Julian Assange
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)

On 8 Dec 1997, Julian Assange wrote:

> Marco Molteni writes:
>
> > I thought someone could be interested in this program, a port scanner
> > which seems more featureful than strobe (a port scanner in the
> > FreeBSD ports).
>
> Well, it's actually a port-scan detector, so I don't think the feature
> comparison vis-a-vis strobe really stacks up :)

(Also Thomas H. Ptacek made similar observations on my previous message)

Well, I'm *ashamed*. I should at least have read the original message
better before forwarding it. Thanks for pointing it out.

Marco Molteni
Computer Science student at the Universita' degli studi di Milano, Italy.
"Whuffo you jump out of them airplanes?"

From owner-freebsd-security Sun Dec 7 15:47:04 1997
Date: Sondag, 7-DEC-97 17:19:02 -0600 (CST)
From: idiot@sdf.lonestar.org (Damien Treffs)
To: freebsd-security@freebsd.org

unsubscribe

From owner-freebsd-security Sun Dec 7 16:12:49 1997
Message-Id: <199712080012.QAA06040@hub.freebsd.org>
From: Darren Reed
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)
To: proff@iq.org (Julian Assange)
Date: Mon, 8 Dec 1997 11:11:45 +1100 (EDT)
Cc: molter@logic.it, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Julian Assange" at Dec 8, 97 03:30:42 am

In some mail from Julian Assange, sie said:
>
> Marco Molteni writes:
>
> > Hi all,
> >
> > I thought someone could be interested in this program, a port scanner
> > which seems more featureful than strobe (a port scanner in the
> > FreeBSD ports).
> >
> > This program is developed on Linux but, as the author said, should
> > run on BSD variants also.
> >
> > Cheers
> >
> > Marco Molteni
> > Computer Science student at the Universita' degli studi di Milano, Italy.
> > "Whuffo you jump out of them airplanes?"
>
>
> Well, it's actually a port-scan detector, so I don't think the feature
> comparison vis-a-vis strobe really stacks up :)

There's already a port scan detector in the source tree:

src/contrib/ipfilter/ipsd

although it's probably not in very good shape as it was written as a
"proof of concept" rather than to actually make it work.
Darren

From owner-freebsd-security Sun Dec 7 16:24:35 1997
Date: Sun, 7 Dec 1997 18:24:13 -0600 (CST)
From: "Craig H. Rowland"
To: freebsd-security@freebsd.org
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector

Hello,

>>I thought someone could be interested in this program, a port scanner
>>which seems more featureful than strobe (a port scanner in the
>>FreeBSD ports).
>
>It's not a port scanner. It's a bad port-scan detector; it's designed to
>tell you when things like strobe (excellent program) are run against your
>host. It also doesn't work. In general, you need low-level network access
>(packet capture) to really detect port-scans, because it's not hard to
>find out if a TCB exists without tickling accept(). "Sentry" just binds to
>a bunch of ports and trusts that if someone probes one of them, it'll
>notice.
>

I'm the author and have a few points of contention here. This will be my
only post to this thread and I apologize for the intrusion.

1) Whether it is a "bad port-scan detector" is open for speculation,
although the initial reception has been favorable. It is doing nothing
out of the ordinary that other scan detectors do, so I'll just assume I'm
average instead of bad.

2) It does work, and works against TCP and UDP scans. Stealth scans are
not detected by this program, nor were they designed to be detected. This
is clearly stated in the documentation with my reasons as to why I made
this deliberate choice.

3) A large amount of the network probing that I've seen of late does not
scan the entire host, but rather targets specific services. It was in
this light that Sentry was designed. Not to be a true scan detector in
the typical sense, but to be a port *probing* detector.

4) Low-level network access is one way to detect a port sweep of a host,
but also the most expensive.
While I would like to detect all manner of port sweeps, this would
violate several of the guidelines used as a base for designing the
program. Specifically these were:

- Have a simple construction.
- Portability.
- Use few system resources.
- React in real-time to stop probes.

This is early release code (version 0.08) and aside from the snprintf
calls I use throughout, the code itself will compile on virtually all
Unix platforms with no porting. Indeed it was developed on Linux (where
the original posting for Beta testers went to), but compiled straight
away on BSDI, and other variants. With a minor snprintf tweak, it
compiled on Solaris too. All without additional code.

The other criteria have been fulfilled as well. It uses very little RAM,
essentially zero CPU time, and can stop probes of a host in real-time.

If readers are interested in a network sniffing port scan detector that
is capable of detecting stealth scans then you may want to look at
synlog:

http://www.whitefang.com/synlog.html

I've not tried it yet, but from the web page it looks very good.

Please bear in mind that Sentry is a new program (0.08) and is in very
early testing. I know it's not perfect, but it is improving. I appreciate
any comments good or bad.

>--
>-----------------------------------------------------------------------------
>Thomas H. Ptacek                                        Secure Networks, Inc.
>-----------------------------------------------------------------------------
>http://www.enteract.com/~tqbf                                          "mmm...
>sacrilicious"

Thanks for listening,

-- Craig
http://www.psionic.com

From owner-freebsd-security Sun Dec 7 23:05:07 1997
Date: Mon, 8 Dec 1997 00:04:54 -0700
Message-Id: <199712080704.AAA10395@mt.sri.com>
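As an added example (not Abacus Sentry's own code and not posted by anyone in this thread), the Python below models the design Craig describes: the per-host connection counter with its SCAN_TRIGGER threshold, the ignore list, and $TARGET$ substitution into the response templates from the configuration file. The configuration text and the hosts are constructed; the detector counts only connections that reach accept(), which is precisely the limitation Ptacek points out, so it is a model of what Sentry can and cannot see rather than a replacement for a packet-level detector.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed configuration in Sentry's KEY="value" style (not the shipped file).
SAMPLE_CONF = """
# Comments and blank lines are skipped; all values must be quoted.
TCP_PORTS="1,11,15,79,119,143,540,2000,6000,6667,31337,32771,32772,32773,32774"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774"
SCAN_TRIGGER="1"
KILL_HOSTS_DENY="ALL: $TARGET$"
#KILL_RUN_CMD="/some/path/here/ping_of_death $TARGET$"
"""

CONF_LINE = re.compile(r'([A-Z_]+)="([^"]*)"')


def parse_conf(text):
    """Parse KEY="value" lines into a dict; commented-out options stay absent."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CONF_LINE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed config line: {line!r}")
        conf[m.group(1)] = m.group(2)
    return conf


def parse_ports(spec):
    """Turn "1,11,15" into a sorted list of ints. Spaces are rejected, as the
    configuration file's IMPORTANT NOTE demands."""
    if " " in spec:
        raise ValueError("no spaces allowed between port arguments")
    ports = sorted({int(p) for p in spec.split(",") if p})
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ports


class ProbeDetector:
    """Per-source connection counter in the spirit of Sentry's state engine.

    A source trips the alarm once its accepted connections exceed
    SCAN_TRIGGER (0 reacts on the first hit). Only connections that
    complete accept() are counted, so half-open probes that never finish
    the handshake are invisible here; that needs a packet-level detector.
    """

    def __init__(self, conf, ignore_hosts=()):
        self.trigger = int(conf.get("SCAN_TRIGGER", "0"))
        self.watched = set(parse_ports(conf["TCP_PORTS"]))
        self.ignore = {ipaddress.ip_address(h) for h in ignore_hosts}
        self.counts = defaultdict(int)
        self.blocked = set()  # what Sentry would write to BLOCKED_FILE

    def connection(self, src, port):
        """Record one accepted TCP connection; True if it trips the alarm."""
        if port not in self.watched:
            return False  # Sentry only listens on the configured ports
        addr = ipaddress.ip_address(src)
        if addr in self.ignore or addr in self.blocked:
            return False
        self.counts[addr] += 1
        if self.counts[addr] > self.trigger:
            self.blocked.add(addr)
            return True
        return False


def render_action(template, target):
    """Substitute $TARGET$ in a response template such as KILL_HOSTS_DENY.

    The target is re-parsed as an IP address first, so nothing but a
    well-formed address can ever be spliced into a command or hosts.deny.
    """
    addr = ipaddress.ip_address(target)  # ValueError on anything else
    return template.replace("$TARGET$", str(addr))


def responses_for(conf, target):
    """All enabled responses for a blocked host, rendered with its address."""
    keys = ("KILL_ROUTE", "KILL_HOSTS_DENY", "KILL_RUN_CMD")
    return {k: render_action(conf[k], target) for k in keys if k in conf}
```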
From: Nate Williams
To: tqbf@enteract.com
Cc: molter@logic.it, freebsd-security@FreeBSD.ORG
Subject: Re: [linux-security] New Program: Abacus Sentry - Port Scan Detector (fwd)
In-Reply-To: <19971207204013.7135.qmail@joshua.enteract.com>
References: <19971207204013.7135.qmail@joshua.enteract.com>

> In muc.lists.freebsd.security, you wrote:
> >I thought someone could be interested in this program, a port scanner
> >which seems more featureful than strobe (a port scanner in the
> >FreeBSD ports).
>
> It's not a port scanner. It's a bad port-scan detector; it's designed to
> tell you when things like strobe (excellent program) are run against your
> host.

> It also doesn't work. In general, you need low-level network access
> (packet capture) to really detect port-scans....

You mean something like IPFW in 'paranoid' mode? *grin*

I've gotten probed a couple of times, and even on ports that have active
processes running on them. IPFW is *great* for that sort of thing,
even if you aren't paranoid. (But you should be nowadays...)

Nate

From owner-freebsd-security Mon Dec 8 01:15:36 1997
Date: Mon, 8 Dec 1997 01:15:31 -0800 (PST)
From: Jan Koum
To: Nate Williams
cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw WAS: Re: [linux-security] New Program: Abacus Sentry
In-Reply-To: <199712080704.AAA10395@mt.sri.com>

Hi all,

Talking about ipfw. I have a rather stupid question. Say I am host
a.b.c.d and I am running ipfw. I am denying a lot of stuff and it is also
logging. Now, I don't have a limit on the logging set in the kernel, which
means that if I get a lot of denied connections logged, my system message
buffer doesn't have enough room to log it by default. The question is:
how do I increase it? The space for the system message buffer, that is.
So when I do 'dmesg', I don't see the last lines of ipfw logging.

Actually, the above can also be considered a security problem since
people can't see if they were attacked two days or weeks ago. Too much
stuff gets logged in and gets pushed from the dmesg buffer.

It would be really nice to be able to log ipfw to hard drive with the
date/time of packets being denied. Man page for ipfw SEE ALSO refers to
syslog(8), but:

% grep syslog /usr/src/sbin/ipfw/ipfw.c
%

-- Yan

P.S. Any clues on how to log ipfw somewhere other than the kernel buffer
will be great. :)

On Mon, 8 Dec 1997, Nate Williams wrote:

>> In muc.lists.freebsd.security, you wrote:
>> >I thought someone could be interested in this program, a port scanner
>> >which seems more featureful than strobe (a port scanner in the
>> >FreeBSD ports).
>>
>> It's not a port scanner. It's a bad port-scan detector; it's designed to
>> tell you when things like strobe (excellent program) are run against your
>> host.
>
>> It also doesn't work. In general, you need low-level network access
>> (packet capture) to really detect port-scans....
>
>You mean something like IPFW in 'paranoid' mode?
>*grin*
>
>I've gotten probed a couple of times, and even on ports that have active
>processes running on them. IPFW is *great* for that sort of thing,
>even if you aren't paranoid. (But you should be nowadays...)
>
>Nate

From owner-freebsd-security Mon Dec 8 07:20:12 1997
Date: Mon, 8 Dec 1997 08:20:01 -0700
Message-Id: <199712081520.IAA11375@mt.sri.com>
From: Nate Williams
To: Jan Koum
Cc: Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw WAS: Re: [linux-security] New Program: Abacus Sentry
References: <199712080704.AAA10395@mt.sri.com>

> Talking about ipfw. I have a rather stupid question. Say I am
> host a.b.c.d and I am running ipfw. I am denying a lot of stuff and it is
> also logging. Now, I don't have a limit on the logging set in the kernel,
> which means that if I get a lot of denied connections logged, my system
> message buffer doesn't have enough room to log it by default.

Why don't you limit the # of logging attempts per rule?

> The question
> is: how do I increase it? The space for the system message buffer, that
> is. So when I do 'dmesg', I don't see the last lines of ipfw logging.

No matter how big you make it, sooner or later you're going to run into
the limit. What I do is to monitor it (which you should anyway) on a
regular basis, and then 'flush' the ipfw stats, thus allowing you to log
another X messages/rule.

> Actually, the above can also be considered a security problem since
> people can't see if they were attacked two days or weeks ago. Too much
> stuff gets logged in and gets pushed from the dmesg buffer.

The stuff also gets logged in /var/log/syslog as well, but it still has
some limits. W/out any limits a hacker can fill up *all* of your kernel
logging memory and thus cause your computer to quit working, causing a
wonderful Denial of Service attack.

Also, if you don't monitor your system more often than every two weeks,
IPFW isn't doing you any good since it's not giving you any 'advance'
warning that something is going on, but telling you that something may
have already happened. Monitor often and you can prevent things from
occurring.
Nate

From owner-freebsd-security Mon Dec 8 07:56:42 1997
Date: Mon, 8 Dec 1997 09:56:38 -0600 (CST)
From: Alex Nash
To: Jan Koum
cc: Nate Williams, freebsd-security@FreeBSD.ORG
Subject: Re: ipfw WAS: Re: [linux-security] New Program: Abacus Sentry

On Mon, 8 Dec 1997, Jan Koum wrote:

> Actually, the above can also be considered a security problem since
> people can't see if they were attacked two days or weeks ago. Too much
> stuff gets logged in and gets pushed from the dmesg buffer.
> It would be really nice to be able to log ipfw to hard drive with
> the date/time of packets being denied. Man page for ipfw SEE ALSO refers
> to syslog(8), but:
> % grep syslog /usr/src/sbin/ipfw/ipfw.c
> %

You're looking in the wrong place, see /usr/src/sys/netinet/ip_fw.c
instead. ipfw uses the kernel's printf, which does get picked up by
syslog.

Alex

From owner-freebsd-security Mon Dec 8 10:04:40 1997
Date: Mon, 8 Dec 1997 10:01:38 -0800 (PST)
Message-Id: <199712081801.KAA24848@hub.freebsd.org>
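Since, as Alex notes, ipfw's kernel printf output ends up in syslog, the monitoring Nate recommends can be done over the syslog file rather than the dmesg buffer. The Python below is an added example, not FreeBSD's own code and not from anyone in this thread: it parses constructed ipfw deny lines (their layout follows the kernel's "ipfw: rule action proto src:port dst:port in via ifN" message as an assumption; check it against your own log), counts hits per rule so you can see which rules have reached a per-rule log limit and gone quiet, and flags sources that were denied on several distinct ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog excerpt; the host "rocky" and all addresses are made up.
SAMPLE_LOG = """\
Dec  8 00:04:54 rocky /kernel: ipfw: 1000 Deny TCP 198.51.100.7:2031 192.0.2.1:23 in via ed0
Dec  8 00:04:55 rocky /kernel: ipfw: 1000 Deny TCP 198.51.100.7:2032 192.0.2.1:25 in via ed0
Dec  8 00:04:55 rocky /kernel: ipfw: 1000 Deny TCP 198.51.100.7:2033 192.0.2.1:79 in via ed0
Dec  8 00:04:56 rocky /kernel: ipfw: 1000 Deny TCP 198.51.100.7:2034 192.0.2.1:110 in via ed0
Dec  8 00:05:00 rocky syslogd: restart
Dec  8 00:05:10 rocky /kernel: ipfw: 2000 Deny UDP 203.0.113.9:1025 192.0.2.1:161 in via ed0
Dec  8 00:05:11 rocky /kernel: ipfw: 1000 Deny TCP 203.0.113.9:1026 192.0.2.1:23 in via ed0
Dec  8 00:05:12 rocky /kernel: ipfw: 1000 Deny TCP 198.51.100.7:2035 192.0.2.1:143 in via ed0
"""

# Assumed layout of the kernel message after the syslog timestamp/host prefix.
IPFW_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text, year=1997):
    """Return one dict per ipfw line; unrelated syslog lines are skipped.
    Syslog omits the year, so the caller supplies it."""
    records = []
    for line in text.splitlines():
        m = IPFW_LINE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def hits_per_rule(records):
    """Logged matches per rule number."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["rule"]] += 1
    return dict(counts)


def rules_at_log_limit(records, verbose_limit):
    """Rules whose logged matches have reached the per-rule limit. Past it
    the kernel stays silent for that rule until its counters are reset, so
    these are the rules whose later hits you are no longer seeing."""
    return sorted(r for r, n in hits_per_rule(records).items() if n >= verbose_limit)


def probing_sources(records, min_ports=3, window_seconds=60):
    """Sources denied on at least min_ports distinct destination ports within
    window_seconds of each other, mapped to the sorted ports they touched."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append((rec["ts"], rec["dport"]))
    found = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            ports = {p for t, p in events[i:]
                     if (t - start).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                found[src] = sorted(ports)
                break
    return found
```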
From: FreeBSD bugmaster
To: security
Subject: Current problem reports assigned to you
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp.            Description
-------------------------------------------------------------------------------
o [1997/11/20] kern/5103  security-officer It appears to be possible to lockup a Fre

1 problem total.

Non-critical problems

From owner-freebsd-security Tue Dec 9 12:09:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA29636 for security-outgoing; Tue, 9 Dec 1997 12:09:01 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id MAA29601; Tue, 9 Dec 1997 12:08:48 -0800 (PST) (envelope-from security-officer@freebsd.org)
Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id VAA05371; Tue, 9 Dec 1997 21:08:45 +0100 (MET)
Message-Id: <199712092008.VAA05371@gvr.gvr.org>
From: FreeBSD Security Officer
To: freebsd-security-notifications@FreeBSD.ORG, freebsd-announce@FreeBSD.ORG, freebsd-security@FreeBSD.ORG, first-teams@first.org
Subject: FreeBSD Security Advisory: FreeBSD-SA-97:06.f00f
Date: Tue, 9 Dec 1997 21:09:00 +0100 (MET)
Reply-To: security-officer@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-97:06                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Pentium processors have flaw allowing unprivileged crashes

Category:       core
Module:         kern
Announced:      1997-12-09
Affects:        FreeBSD 2.1.*, FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current
Corrected:      FreeBSD-current as of 1997-12-04
                FreeBSD-stable as of 1997-12-04
FreeBSD only:   no

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-97:06/
=============================================================================

I.   Background

Intel processors have instruction combinations that, when executed, produce illegal instruction traps. This is a normal part of every CPU manufactured and is how new instructions are generally emulated on older hardware.

II.  Problem Description

A specific sequence of instructions, starting with the byte codes F0 0F (hex), causes Pentium processors to lock up. This lockup wedges the entire system, requiring a hard reset to correct. Systems that allow users to run arbitrary code are vulnerable to this attack.

III. Impact

An unprivileged user can crash your system.

IV.  Workaround

None is available.

V.   Solution

The following patch corrects the problem for FreeBSD-current systems before 1997-12-04, for FreeBSD 2.2-stable before 1997-12-04 and for FreeBSD 2.2.5. We urge users of FreeBSD 2.1.* to upgrade to the more stable and more powerful FreeBSD 2.2.5 release.
Index: identcpu.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/identcpu.c,v retrieving revision 1.33 retrieving revision 1.35 diff -u -r1.33 -r1.35 --- identcpu.c 1997/11/07 08:52:27 1.33 +++ identcpu.c 1997/12/04 14:35:38 1.35 @@ -107,6 +107,10 @@ ); } +#if defined(I586_CPU) && !defined(NO_F00F_HACK) +int has_f00f_bug = 0; +#endif + void printcpuinfo(void) { @@ -136,6 +140,14 @@ break; case 0x500: strcat(cpu_model, "Pentium"); /* nb no space */ +#if defined(I586_CPU) && !defined(NO_F00F_HACK) + /* + * XXX - If/when Intel fixes the bug, this + * should also check the version of the + * CPU, not just that it's a Pentium. + */ + has_f00f_bug = 1; +#endif break; case 0x600: strcat(cpu_model, "Pentium Pro"); Index: machdep.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/machdep.c,v retrieving revision 1.274 retrieving revision 1.278 diff -u -r1.274 -r1.278 --- machdep.c 1997/11/24 18:35:11 1.274 +++ machdep.c 1997/12/04 21:21:24 1.278 @@ -866,6 +867,11 @@ #endif /* VM86 */ #endif +#if defined(I586_CPU) && !defined(NO_F00F_HACK) +struct gate_descriptor *t_idt; +extern int has_f00f_bug; +#endif + static struct i386tss dblfault_tss; static char dblfault_stack[PAGE_SIZE]; 
@@ -1533,6 +1539,40 @@ proc0.p_addr->u_pcb.pcb_mpnest = 1; proc0.p_addr->u_pcb.pcb_ext = 0; } + +#if defined(I586_CPU) && !defined(NO_F00F_HACK) +void f00f_hack(void); +SYSINIT(f00f_hack, SI_SUB_INTRINSIC, SI_ORDER_FIRST, f00f_hack, NULL); + +void +f00f_hack(void) { + struct region_descriptor r_idt; + unsigned char *tmp; + int i; + + if (!has_f00f_bug) + return; + + printf("Intel Pentium F00F detected, installing workaround\n"); + + r_idt.rd_limit = sizeof(idt) - 1; + + tmp = kmem_alloc(kernel_map, PAGE_SIZE * 2); + if (tmp == 0) + panic("kmem_alloc returned 0"); + if (((unsigned int)tmp & (PAGE_SIZE-1)) != 0) + panic("kmem_alloc returned non-page-aligned memory"); + /* Put the first seven entries in the lower page */ + t_idt = (struct gate_descriptor*)(tmp + PAGE_SIZE - (7*8)); + bcopy(idt, t_idt, sizeof(idt)); + r_idt.rd_base = (int)t_idt; + lidt(&r_idt); + if (vm_map_protect(kernel_map, tmp, tmp + PAGE_SIZE, + VM_PROT_READ, FALSE) != KERN_SUCCESS) + panic("vm_map_protect failed"); + return; +} +#endif /* defined(I586_CPU) && !NO_F00F_HACK */ int ptrace_set_pc(p, addr) Index: trap.c =================================================================== RCS file: /home/cvsup/freebsd/CVS/src/sys/i386/i386/trap.c,v retrieving revision 1.115 retrieving revision 1.118 diff -u -r1.115 -r1.118 --- trap.c 1997/11/24 13:25:37 1.115 +++ trap.c 1997/12/04 21:21:26 1.118 @@ -142,6 +143,11 @@ static void userret __P((struct proc *p, struct trapframe *frame, u_quad_t oticks)); +#if defined(I586_CPU) && !defined(NO_F00F_HACK) +extern struct gate_descriptor *t_idt; +extern int has_f00f_bug; +#endif + static inline void userret(p, frame, oticks) struct proc *p; @@ -211,6 +217,9 @@ u_long eva; #endif +#if defined(I586_CPU) && !defined(NO_F00F_HACK) +restart: +#endif type = frame.tf_trapno; code = frame.tf_err; 
@@ -276,6 +285,10 @@ i = trap_pfault(&frame, TRUE); if (i == -1) return; +#if defined(I586_CPU) && !defined(NO_F00F_HACK) + if (i == -2) + goto restart; +#endif if (i == 0) goto out; 
@@ -642,7 +655,18 @@ if (va >= KERNBASE) { /* * Don't allow user-mode faults in kernel address space. + * An exception: if the faulting address is the invalid + * instruction entry in the IDT, then the Intel Pentium + * F00F bug workaround was triggered, and we need to + * treat it is as an illegal instruction, and not a page + * fault. */ +#if defined(I586_CPU) && !defined(NO_F00F_HACK) + if ((eva == (unsigned int)&t_idt[6]) && has_f00f_bug) { + frame->tf_trapno = T_PRIVINFLT; + return -2; + } +#endif if (usermode) goto nogo; ============================================================================= FreeBSD, Inc. Web Site: http://www.freebsd.org/ Confidential contacts: security-officer@freebsd.org PGP Key: ftp://freebsd.org/pub/CERT/public_key.asc Security notifications: security-notifications@freebsd.org Security public discussion: security@freebsd.org Notice: Any patches in this document may not apply cleanly due to modifications caused by digital signature or mailer software. Please reference the URL listed at the top of this document for original copies of all patches if necessary. 
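Review bot: the `int has_f00f_bug = 0;` added at @@ -107 in identcpu.c is then redeclared by hand as `extern int has_f00f_bug;` in both the machdep.c and the trap.c hunks, and `t_idt` gets the same treatment; a single declaration in a shared i386 header would keep the four hand-copied `#if defined(I586_CPU) && !defined(NO_F00F_HACK)` guards from drifting apart as the workaround is touched later.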
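Review bot: the `case 0x500` hunk at @@ -136 in identcpu.c sets `has_f00f_bug = 1` for every family-5 part, and the visible lines show no vendor test around that switch; confirm the switch is only reached for GenuineIntel, otherwise non-Intel family-5 CPUs also pay for the workaround (the two-page IDT allocation in f00f_hack() and the extra page-fault path). The XXX comment already records that a corrected stepping would be caught too; masking model and stepping out of cpu_id is the place to narrow it when that happens.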
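Review bot: f00f_hack() in the machdep.c hunk at @@ -1533 copies the table (`bcopy(idt, t_idt, sizeof(idt))`) and points IDTR at the copy, so anything that writes into the original `idt[]` after this SYSINIT has run never reaches the table the processor is actually using. Either route later edits through `t_idt` when `has_f00f_bug` is set, or make `idt` a pointer that f00f_hack() reassigns, so the copy and the live table cannot diverge. Minor: the trailing `return;` is redundant, and the closing comment `/* defined(I586_CPU) && !NO_F00F_HACK */` does not match the actual condition `!defined(NO_F00F_HACK)`.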
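Review bot: the `if (i == -2) goto restart;` in the trap.c hunk at @@ -276 jumps back to the `restart:` label placed ahead of `type = frame.tf_trapno;`, so the T_PRIVINFLT that trap_pfault() stored is picked up, but `code = frame.tf_err;` is re-read at the same point and still holds the page-fault error code. Check that the T_PRIVINFLT path never interprets `code`, or have trap_pfault() clear `frame->tf_err` together with rewriting `tf_trapno`.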
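Review bot: the test in the trap.c hunk at @@ -642 keys only on `eva == (unsigned int)&t_idt[6]` and `has_f00f_bug`, not on how that address was touched. The processor's IDT fetch while delivering #UD is a supervisor-level access, whereas an ordinary user-mode load or store aimed at that kernel address sets the user/supervisor bit in the page-fault error code; checking that bit in `frame->tf_err` would leave a plain bad user access on the existing `usermode` / `nogo` path instead of reclassifying it as T_PRIVINFLT. Also, the added comment's "treat it is as an illegal instruction" should read "treat it as".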
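The IDT relocation in the patch above, as an added example that is not part of the advisory or of the FreeBSD source: it rebuilds the same two-page layout in user space with mmap(2) and mprotect(2), places a constructed 256-entry table of 8-byte descriptors so that entries 0..6 end the lower page and entry 7 starts the upper one, makes the lower page read-only, and then shows that a store into entry 6 faults with a fault address exactly equal to &t_idt[6], the value trap_pfault() compares eva against, while entry 7 stays writable. The descriptor contents, the helper names and the use of a plain store to stand in for the processor's locked IDT fetch are assumptions of this example, not anything the advisory states.

```c
/* Added example, not the kernel's code: user-space model of the IDT layout
 * f00f_hack() builds. mmap/mprotect stand in for kmem_alloc/vm_map_protect,
 * an explicit store stands in for the processor's locked IDT fetch. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif
#define GATE_SIZE 8          /* sizeof(struct gate_descriptor) on i386 */
#define NIDT 256             /* number of entries in the kernel's idt[] */
#define PROTECTED_ENTRIES 7  /* the patch keeps entries 0..6 on the read-only page */

static sigjmp_buf fault_env;
static void *volatile fault_addr;

/* SIGSEGV/SIGBUS handler: record the faulting address and unwind. */
static void on_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    fault_addr = si->si_addr;
    siglongjmp(fault_env, 1);
}

/* Map two pages and place a constructed table exactly as the patch does:
 * entry 0 starts 7*8 bytes before the end of the lower page, so entry 6 is
 * the last 8 bytes of that page and entry 7 begins the upper one. */
unsigned char *build_protected_idt(size_t *page_out)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *region = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return NULL;
    unsigned char *t_idt = region + page - PROTECTED_ENTRIES * GATE_SIZE;
    memset(t_idt, 0xa5, NIDT * GATE_SIZE);  /* constructed descriptor bytes */
    if (mprotect(region, page, PROT_READ) != 0)  /* lower page read-only */
        return NULL;
    *page_out = page;
    return t_idt;
}

/* Try a one-byte store into entry n. Returns 1 if it faulted (fault address
 * in *where when non-NULL), 0 if the store went through. */
int entry_write_faults(unsigned char *t_idt, int n, void **where)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms raise SIGBUS here */
    fault_addr = NULL;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *p = t_idt + n * GATE_SIZE;
        *p = 0xff;                      /* faults if the page is read-only */
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    if (where)
        *where = fault_addr;
    return faulted;
}

/* The trap_pfault() test from the patch: only a fault at exactly &t_idt[6]. */
int is_f00f_fault(const unsigned char *t_idt, const void *eva)
{
    return eva == (const void *)(t_idt + 6 * GATE_SIZE);
}

/* End-to-end check: entries 0 and 6 fault, the entry-6 fault address is
 * exactly &t_idt[6], and entry 7 (first bytes of the upper page) is writable. */
int f00f_layout_check(void)
{
    size_t page;
    void *where = NULL;
    unsigned char *t_idt = build_protected_idt(&page);
    if (t_idt == NULL)
        return 0;
    int ok = entry_write_faults(t_idt, 6, &where) && is_f00f_fault(t_idt, where)
          && entry_write_faults(t_idt, 0, NULL)
          && !entry_write_faults(t_idt, 7, NULL);
    munmap(t_idt - (page - PROTECTED_ENTRIES * GATE_SIZE), 2 * page);
    return ok;
}

int main(void)
{
    printf("F00F IDT layout behaves as trap.c expects: %s\n", f00f_layout_check() ? "yes" : "no");
    return 0;
}
```

It needs no Pentium, since it models only the memory layout and the fault-address comparison, not the lockup itself. The layout is what makes the patch work: #UD (vector 6) is the last entry on the protected page, while #PF (vector 14) and everything after it sit on the writable page, so the page fault raised in place of the lockup can still be delivered and rewritten to an illegal-instruction trap by the trap.c change.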
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNI2g9VUuHi5z0oilAQGFnAP/R4bArrM7+NZKbrJEK+9UpNYBPhsakAF6
4/U1wJJdbBJPl5j4udZki8ZUEPJvM2mSnrs9UevQMYGSoirl92h/0SEgVgjIfhcJ
tcyY97Js6biHAZzib4i/TKoN47wBNjgRLF6SfafuIxfVQYk6RMFB5EUdYBdseVz/
5RgYqQz4m/k=
=xvTs
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Dec 9 17:05:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA25577 for security-outgoing; Tue, 9 Dec 1997 17:05:05 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA25566 for ; Tue, 9 Dec 1997 17:05:00 -0800 (PST) (envelope-from dima@burka.rdy.com)
Received: by burka.rdy.com id RAA04572; (8.8.8/RDY) Tue, 9 Dec 1997 17:04:55 -0800 (PST)
Message-Id: <199712100104.RAA04572@burka.rdy.com>
Subject: krb5 patches
To: security@freebsd.org
Date: Tue, 9 Dec 1997 17:04:54 -0800 (PST)
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I've updated my krb5 patches to work with krb5-1.0.4. ftp path and directory are the same.

-- dima

From owner-freebsd-security Tue Dec 9 17:25:43 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id RAA27509 for security-outgoing; Tue, 9 Dec 1997 17:25:43 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from pollux.or.signature.nl (pollux.or.signature.nl [194.229.138.194]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id RAA27489 for ; Tue, 9 Dec 1997 17:25:32 -0800 (PST) (envelope-from bit@signature.nl)
Received: from pc03.or.signature.nl (pc03.or.signature.nl [194.229.138.197]) by pollux.or.signature.nl (8.8.7/bs) with SMTP id CAA29061; Wed, 10 Dec 1997 02:23:59 +0100 (MET)
Message-Id: <1.5.4.16.19971210022410.288f9b14@pollux.or.signature.nl>
X-Sender: bit@pollux.or.signature.nl
X-Mailer: Windows Eudora Light Version 1.5.4 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Wed, 10 Dec 1997 02:24:10 +0000
To: security@FreeBSD.ORG
From: Bart Smit
Subject: Re: Possible problem with ftpd 6.00
Cc: Cy Schubert - ITSD Open Systems Group
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

OK. Forgot who started this, but it's been enough. I mean, SHEESH, could we PLEASE get rid of this non-discussion. It doesn't belong to FreeBSD security.

(You can stop reading now. Delete this mail, and try to do something useful. If you're stubborn, read on...)

--Bart

If someone thinks that it would be good&sensible to require that ftpd doesn't password when anon, then it's also sensible to forbid ANY (bogus) password-prompting program, which clearly is impossible. So STOP whining.

It makes a lot more sense to find a way for ppl to verify the integrity of the *whatever* that wants a password *whenever*. That's a tricky subject, and ALSO DOESN'T BELONG ON FreeBSD-SECURITY!!!!

Cy, sorry that you have to be the target of my anger, but this was the mail and the time. I'm much more annoyed with the guy (m/f) who initiated this thread (but also annoyed with the ppl who felt like reacting at all).

--Bart Smit
Systeembeheerder Stichting Signature

At 07:12 5-12-97 -0800, you wrote:
>You have stumbled across arguably (IMHO) the best anonymous FTP server out
>there. Netscape sends USER and PASS commands, regardless of the prompt. If
>you want to run a read-only anonymous FTP server, this is the one to use.
>Because anonftp doesn't handle "regular" FTP, you would need to put your
>"regular" FTP server on another port.
>
>The reason anonftpd is so good is that it does only one thing: Anonymous FTP,
>that's it. Maybe there should be a port for it (and some other of Daniel
>Bernstein's work such as Qmail). Then people who want to run a secure
>anonymous FTP server can.
>
>
>
>Regards,                       Phone:  (250)387-8437
>Cy Schubert                    Fax:    (250)387-5766
>UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
>ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
>Government of BC               Internet: cschuber@uumail.gov.bc.ca
>                                         Cy.Schubert@gems8.gov.bc.ca

From owner-freebsd-security Thu Dec 11 19:15:26 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id TAA09374 for security-outgoing; Thu, 11 Dec 1997 19:15:26 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from send1a.yahoomail.com (send1a.yahoomail.com [205.180.60.22]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id TAA09368 for ; Thu, 11 Dec 1997 19:15:23 -0800 (PST) (envelope-from osiris2002@yahoo.com)
Message-ID: <19971212031505.23074.rocketmail@send1a.yahoomail.com>
Received: from [194.79.98.71] by send1a; Thu, 11 Dec 1997 19:15:05 PST
Date: Thu, 11 Dec 1997 19:15:05 -0800 (PST)
From: Charlie Roots
Subject: Re: FreeBSD Security
To: dg@root.com
Cc: freebsd-security@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Thanks for the reply. I understand the significance of CERT and also I highly appreciate the FreeBSD team and their efforts, but two things to notice here:

1. They did not tell us what that hacker did to BREAK that Very Secure system, and is that hole unfixed, as current, and that's why everybody is keeping it undercover?

2. Is there a Hacker-Simulator team working day or night to try to break the system security as the normal hacker would????? Because if there is no such group, it's high time that FreeBSD gathered such a group, which should be formed with ONE REASON IN MIND, BREAK FREEBSD SECURITY.

Especially many current and future ISPs are planning the shift to FreeBSD, since it now supports SMP Monsters.

Please comment.

---David Greenman wrote:
>
> >I was wondering HOW secure is FreeBSD in comparison to
> >other unix flavours, especially I have been reading the
> >CERT recommendations, and I heard the announcement at
> >the time FreeBSD Master Sites were penetrated DEEPLY.
> >
> >How far is the problem really dangerous.
>
> FreeBSD is very secure. We have spent a great amount of effort towards
> making it even more secure over the past 6 months. The reason that you see
> the CERT announcements is because we are so serious about security and
> want to make the problems and fixes known as quickly as possible.
>
> -DG
>
> David Greenman
> Core-team/Principal Architect, The FreeBSD Project
>

==
MAY THE FORCE BE WITH YOU.

_________________________________________________________
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com

From owner-freebsd-security Thu Dec 11 21:51:59 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id VAA20833 for security-outgoing; Thu, 11 Dec 1997 21:51:59 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id VAA20816 for ; Thu, 11 Dec 1997 21:51:54 -0800 (PST) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0xgO0u-00055o-00; Thu, 11 Dec 1997 22:51:52 -0700
Received: from harmony.village.org (localhost [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id WAA18569 for ; Thu, 11 Dec 1997 22:52:39 -0700 (MST)
Message-Id: <199712120552.WAA18569@harmony.village.org>
To: freebsd-security@freebsd.org
Subject: YAHOO
Date: Thu, 11 Dec 1997 22:52:39 -0700
From: Warner Losh
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

OK. While suffering from mild insomnia caused by jet lag in the hotel in London, I was watching CNN Europe's report about cyber crime. While most of it was typical media tripe, there was a reference to a recent break-in at YAHOO. Anybody know anything about this? Do we have another hole to worry about?

Also, what is the status of things. Looks like from the mail that was sent while I was gone that the f00f bug has gone out (but that Alan Cox sent us an improvement for the Intel workaround that I wasn't sure if it was integrated, plus bde comments). Also looks like land is waiting to firm up before it is being sent out.

Guido, anything else pending that I missed in the 2000 mail messages I got while I was gone?

Warner

From owner-freebsd-security Thu Dec 11 22:44:02 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id WAA24248 for security-outgoing; Thu, 11 Dec 1997 22:44:02 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id WAA24225 for ; Thu, 11 Dec 1997 22:44:00 -0800 (PST) (envelope-from dima@burka.rdy.com)
Received: by burka.rdy.com id WAA25571; (8.8.8/RDY) Thu, 11 Dec 1997 22:43:50 -0800 (PST)
Message-Id: <199712120643.WAA25571@burka.rdy.com>
Subject: Re: YAHOO
In-Reply-To: <199712120552.WAA18569@harmony.village.org> from Warner Losh at "Dec 11, 97 10:52:39 pm"
To: imp@village.org (Warner Losh)
Date: Thu, 11 Dec 1997 22:43:50 -0800 (PST)
Cc: freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Warner Losh writes:
>
> OK. While suffering from mild insomnia caused by jet lag in the hotel
> in London, I was watching CNN Europe's report about cyber crime.
> While most of it was typical media tripe, there was a reference to a
> recent break-in at YAHOO. Anybody know anything about this? Do we
> have another hole to worry about?

I've heard that it was a modem break-in (lousy user password). I don't know all the details and I'm pretty sure nobody knows. And if somebody knows, they sure as hell won't tell us :-)

> Also, what is the status of things. Looks like from the mail that was
> sent while I was gone that the f00f bug has gone out (but that Alan
> Cox sent us an improvement for the Intel workaround that I wasn't sure
> if it was integrated, plus bde comments). Also looks like land is
> waiting to firm up before it is being sent out.
>
> Guido, anything else pending that I missed in the 2000 mail messages I
> got while I was gone?
>
> Warner
>

-- dima

From owner-freebsd-security Thu Dec 11 23:03:36 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA25523 for security-outgoing; Thu, 11 Dec 1997 23:03:36 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA25512; Thu, 11 Dec 1997 23:03:24 -0800 (PST) (envelope-from cy@cschuber.net.gov.bc.ca)
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id XAA22661; Thu, 11 Dec 1997 23:03:22 -0800 (PST)
Received: from cschuber.net.gov.bc.ca(142.31.240.113), claiming to be "cwsys.cwsent.com" via SMTP by passer.osg.gov.bc.ca, id smtpdaavjqa; Thu Dec 11 23:02:42 1997
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id XAA12938; Thu, 11 Dec 1997 23:00:57 -0800 (PST)
Message-Id: <199712120700.XAA12938@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpd012929; Fri Dec 12 07:00:28 1997
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-Sender: cy
To: freebsd-security@freebsd.org
cc: security-officer@freebsd.org
Subject: Re: Yahoo hacked
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 11 Dec 1997 23:00:26 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Enclosed is a posting by Aleph One to BUGTRAQ. Considering that a weak password may have contributed to the hack, if the account had access to their Web pages, a root compromise may not have occurred. Having said that, the first rule of investigating a compromise is to assume that root had been compromised, until it can be proven otherwise.

I don't think this is the time to panic. I'm sure that someone in the core team has already spoken to the Yahoo security officer to find out more and to offer assistance. That's probably the quickest way they will be able to get enough information about the breakin to determine whether a FreeBSD bug had contributed to the breakin.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                           BITNET: CSCHUBER@BCSC02.BITNET
Government of BC               Internet: cschuber@uumail.gov.bc.ca
                                         Cy.Schubert@gems8.gov.bc.ca

"Quit spooling around, JES do it."
------- Forwarded Message

Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id UAA09994 for ; Wed, 10 Dec 1997 20:32:47 -0800 (PST)
X-UIDL: 881850684.021
Resent-Message-Id: <199712110432.UAA09994@passer.osg.gov.bc.ca>
Received: from localhost(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost, id smtpdaaCmha; Wed Dec 10 20:32:38 1997
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.8.8/8.6.10) id UAA02173 for ; Wed, 10 Dec 1997 20:32:27 -0800 (PST)
Received: from orca.gov.bc.ca(142.32.102.25) via SMTP by passer.osg.gov.bc.ca, id smtpdaacCoa; Wed Dec 10 20:32:17 1997
Received: from brimstone.netspace.org by orca.gov.bc.ca (5.4R3.10/200.1.1.4) id AA10772; Wed, 10 Dec 1997 20:32:10 -0800
Received: from unknown@netspace.org (port 38928 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <69868-6243>; Wed, 10 Dec 1997 22:59:05 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 6098196 for BUGTRAQ@NETSPACE.ORG; Wed, 10 Dec 1997 22:55:34 -0500
Received: from brimstone.netspace.org (brimstone.netspace.org [128.148.157.143]) by netspace.org (8.8.7/8.8.2) with ESMTP id WAA29637 for ; Wed, 10 Dec 1997 22:54:12 -0500
Received: from unknown@netspace.org (port 38928 [128.148.157.6]) by brimstone.netspace.org with ESMTP id <1668-6242>; Wed, 10 Dec 1997 22:54:11 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from dfw.dfw.net (dfw.dfw.net [198.175.15.10]) by netspace.org (8.8.7/8.8.2) with SMTP id WAA29188 for ; Wed, 10 Dec 1997 22:50:50 -0500
Received: from localhost by dfw.dfw.net (4.1/SMI-4.1) id AA10771; Wed, 10 Dec 97 21:50:52 CST
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:
Date: Wed, 10 Dec 1997 21:50:52 -0600
Reply-To: Aleph One
Sender: Bugtraq List
From: Aleph One
Subject: Re: Yahoo hacked
To: BUGTRAQ@netspace.org
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Wed, 10 Dec 1997 20:32:27 -0800
Resent-From: Cy Schubert - ITSD Open Systems Group

Here are some more rumors. It was not DNS related. It seems Yahoo uses a system where different web browsers are sent to different web servers. That's why only lynx users (and maybe users of very old versions of Netscape) saw the page. Only the lynx server was affected. The boxes affected were located in the GlobalCenter data center. They provide web hosting for Yahoo (and some other very large web sites). My informant claims that the attack actually came from behind the firewall via a dialup modem. He claimed that the password to a user's account on the machines had been compromised. After the web page was modified all types of automatic bells and whistles went off and they restored from backup in fifteen minutes.

You can view a copy of the hacked homepage at http://www.clipper.net/~skully/yahoo/

Notice that the page had a link to http://www.yahoo.com/yahooz-el8-search-engine-src.zip

Wonder if the source code for yahoo's search engine was really there and if anyone got to download it ;)

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

------- End of Forwarded Message

From owner-freebsd-security Thu Dec 11 23:38:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id XAA28324 for security-outgoing; Thu, 11 Dec 1997 23:38:52 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from voltage.net (voltage.net [208.15.104.65]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA28306 for ; Thu, 11 Dec 1997 23:38:46 -0800 (PST) (envelope-from sward@voltage.net)
Received: from arky.voltage.net (ArkyLady@arky.voltage.net [208.15.104.72]) by voltage.net (8.8.8/8.8.8) with SMTP id BAA09652; Fri, 12 Dec 1997 01:42:52 -0600 (CST)
Message-Id:
 <3.0.5.32.19971212013720.007ba930@voltage.net>
X-Sender: sward@voltage.net
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 12 Dec 1997 01:37:20 -0600
To: Warner Losh, freebsd-security@freebsd.org
From: Susie Ward
Subject: Re: YAHOO
In-Reply-To: <199712120552.WAA18569@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

At 10:52 PM 12/11/97 -0700, Warner Losh wrote:
>
>OK. While suffering from mild insomnia caused by jet lag in the hotel
>in London, I was watching CNN Europe's report about cyber crime.
>While most of it was typical media tripe, there was a reference to a
>recent break-in at YAHOO. Anybody know anything about this? Do we
>have another hole to worry about?

I was told this is a copy of the text that was there during the "break-in"

http://www.wwiv.com/mirror/index.txt

Don't know how accurate that is or how it happened tho.

Susie

From owner-freebsd-security Fri Dec 12 00:35:43 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA02827 for security-outgoing; Fri, 12 Dec 1997 00:35:43 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA02796; Fri, 12 Dec 1997 00:35:30 -0800 (PST) (envelope-from root@implode.root.com)
Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id AAA02763; Fri, 12 Dec 1997 00:38:26 -0800 (PST)
Message-Id: <199712120838.AAA02763@implode.root.com>
To: Cy Schubert - ITSD Open Systems Group
cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
Subject: Re: Yahoo hacked
In-reply-to: Your message of "Thu, 11 Dec 1997 23:00:26 PST." <199712120700.XAA12938@cwsys.cwsent.com>
From: David Greenman
Reply-To: dg@root.com
Date: Fri, 12 Dec 1997 00:38:26 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>I don't think this is the time to panic. I'm sure that someone in the core
>team has already spoken to the Yahoo security officer to find out more and to
>offer assistance. That's probably the quickest way they will be able to get
>enough information about the breakin to determine whether a FreeBSD bug had
>contributed to the breakin.

Yes, very perceptive of you.

-DG

David Greenman
Core-team/Principal Architect, The FreeBSD Project

From owner-freebsd-security Fri Dec 12 00:45:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA03423 for security-outgoing; Fri, 12 Dec 1997 00:45:24 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from gvr.gvr.org (root@gvr.gvr.org [194.151.74.97]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA03407; Fri, 12 Dec 1997 00:45:14 -0800 (PST) (envelope-from guido@gvr.org)
Received: (from guido@localhost) by gvr.gvr.org (8.8.6/8.8.5) id JAA17037; Fri, 12 Dec 1997 09:44:57 +0100 (MET)
From: Guido van Rooij
Message-Id: <199712120844.JAA17037@gvr.gvr.org>
Subject: Re: Yahoo hacked
In-Reply-To: <199712120838.AAA02763@implode.root.com> from David Greenman at "Dec 12, 97 00:38:26 am"
To: dg@root.com
Date: Fri, 12 Dec 1997 09:44:57 +0100 (MET)
Cc: freebsd-security@FreeBSD.ORG, security-officer@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL32 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

David Greenman wrote:
> >I don't think this is the time to panic. I'm sure that someone in the core
> >team has already spoken to the Yahoo security officer to find out more and to
> >offer assistance. That's probably the quickest way they will be able to get
> >enough information about the breakin to determine whether a FreeBSD bug had
> >contributed to the breakin.
>
> Yes, very perceptive of you.

Jordan: do you know an email address I could use?

-Guido

From owner-freebsd-security Fri Dec 12 00:58:52 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id AAA04289 for security-outgoing; Fri, 12 Dec 1997 00:58:52 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from firewall.ftf.dk (root@mail.ftf.dk [129.142.64.2]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id AAA04284 for ; Fri, 12 Dec 1997 00:58:46 -0800 (PST) (envelope-from regnauld@deepo.prosa.dk)
Received: from mail.prosa.dk ([192.168.100.2]) by firewall.ftf.dk (8.7.6/8.7.3) with ESMTP id LAA27657; Fri, 12 Dec 1997 11:36:29 +0100
Received: from deepo.prosa.dk (deepo.prosa.dk [192.168.100.10]) by mail.prosa.dk (8.8.5/8.8.5/prosa-1.1) with ESMTP id KAA21464; Fri, 12 Dec 1997 10:23:46 +0100 (CET)
Received: (from regnauld@localhost) by deepo.prosa.dk (8.8.7/8.8.5/prosa-1.1) id JAA11892; Fri, 12 Dec 1997 09:57:10 +0100 (CET)
Message-ID: <19971212095710.18707@deepo.prosa.dk>
Date: Fri, 12 Dec 1997 09:57:10 +0100
From: Philippe Regnauld
To: Charlie Roots
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security
References: <19971212031505.23074.rocketmail@send1a.yahoomail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: <19971212031505.23074.rocketmail@send1a.yahoomail.com>; from Charlie Roots on Thu, Dec 11, 1997 at 07:15:05PM -0800
X-Operating-System: FreeBSD 2.2.5-RELEASE i386
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Charlie Roots writes:
>
> 2. Is there a Hacker-Simulator team working day or night to try to break
> the system security as the normal hacker would?????

Not that we know of, no. But most everybody with some UNIX experience

a) reads the advisories
b) fixes any known caveats (i.e.: open() bug)
c) fortifies / enhances the security of the said box (wrappers, ssh, tripwire, ipfw, etc...)

... which is what you do, whether the vendor is called HP, Sun, or FreeBSD.

> because if there is no such group, it's high time that FreeBSD gathered
> such a group, which should be formed with ONE REASON IN MIND, BREAK
> FREEBSD SECURITY.

Great! Who finances them? Jordan, can you find more of those 4-room offices with a couple more of those paid full-time release engineers that you seem to have lying about? >8-)

> Especially many current and future ISPs are planning the shift to
> FreeBSD, since it now supports SMP Monsters.

ISPs have _long ago_ (though not in a galaxy far far away) started to move some of their activities to freely available Unices like FreeBSD. SMP is just a natural step which they'll (hopefully) just take like the rest of us -- security is usually their own business.

Like David said, everybody keeps an eye on his piece of code, trying to avoid the bugs crawling in. That's why you see advisories.

--
-[ Philippe Regnauld / sysadmin / regnauld@deepo.prosa.dk / +55.4N +11.3E ]-

"Pluto placed his bad dog at the entrance of Hades to keep the dead IN and the living OUT!
The archetypical corporate firew
all?"
- S. Kelly Bootle, about Cerberus ["MYTHOLOGY", in Marutukku distrib] -

From owner-freebsd-security Fri Dec 12 01:44:46 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id BAA07153 for security-outgoing; Fri, 12 Dec 1997 01:44:46 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id BAA07144 for ; Fri, 12 Dec 1997 01:44:43 -0800 (PST) (envelope-from 96092650@haac.ac.uk)
Received: from sun1.haac.ac.uk [193.61.96.250] by serenity.mcc.ac.uk with smtp (Exim 1.73 #3) id 0xgReC-0000FG-00; Fri, 12 Dec 1997 09:44:40 +0000
Received: from adams.haac.ac.uk by sun1.haac.ac.uk (4.1/SMI-4.1) id AA03691; Fri, 12 Dec 97 08:28:59 GMT
Received: from ADAMS/SpoolDir by adams.haac.ac.uk (Mercury 1.21); 12 Dec 97 09:54:44 0000
Received: from SpoolDir by ADAMS (Mercury 1.30); 12 Dec 97 09:54:35 0000
From: "Jim O'Neill" <96092650@haac.ac.uk>
Organization: Harper Adams College
To: security@freebsd.org
Date: Fri, 12 Dec 1997 09:54:34 BST
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Subject: Re: FreeBSD Security
Reply-To: 96092650@haac.ac.uk
Priority: normal
X-Mailer: Pegasus Mail for Windows (v2.42a)
Message-Id: <2206A6F3BB3@adams.haac.ac.uk>
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

To: Charlie Roots
Date: Fri, 12 Dec 1997 09:53:26 BST

> I understand the significance of CERT and also I highly appreciate the
> FreeBSD team and their efforts, but two things to notice here:
>
> 1. They did not tell us what that hacker did to BREAK that Very Secure
> system, and is that hole unfixed, as current, and that's why everybody
> is keeping it undercover ?

IMHO, surely the best way to do it is _NOT_ to reveal the methodology
used until a patch or fix is available, ????

Jim
MM1AKO/M-TF108NB
96092650@haac.ac.uk

----------------+-------------------------------+
Jim             | 96092650@haac.ac.uk           |
[MM1AKO]        | jim@earthalliance.com         |
[Team OS/2]     +-------------------------------+
                | Berwick-upon-Tweed            |
------------------------------------------------+

From owner-freebsd-security Fri Dec 12 15:20:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id PAA04923 for security-outgoing; Fri, 12 Dec 1997 15:20:37 -0800 (PST) (envelope-from owner-freebsd-security)
Received: from NUKOnotes.nuko.com (dummy1.nuko.com [207.82.229.6] (may be forged)) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id PAA04869; Fri, 12 Dec 1997 15:20:06 -0800 (PST) (envelope-from Stephen_Yap@nuko.com)
From: Stephen_Yap@nuko.com
Received: by NUKOnotes.nuko.com(Lotus SMTP MTA v1.06 (346.8 3-18-1997)) id 8825656B.00806B37 ; Fri, 12 Dec 1997 15:22:40 -0700
X-Lotus-FromDomain: NUKO
To: security-officer@freebsd.org
cc: freebsd-security-notifications@freebsd.org, freebsd-announce@freebsd.org, freebsd-security@freebsd.org, first-teams@first.org
Message-ID: <8825656B.00805A93.00@NUKOnotes.nuko.com>
Date: Fri, 12 Dec 1997 15:22:35 -0700
Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-97:06.f00f
Mime-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

My new email address will be: Stephen_yap@mailexcite.com
