From owner-freebsd-security Fri Jun 1 11:42:52 2001
Date: Fri, 1 Jun 2001 20:43:09 +0200
From: "Karsten W. Rohrbach" <karsten@rohrbach.de>
To: Brian Behlendorf <brian@collab.net>
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: Apache Software Foundation Server compromised, resecured. (fwd)
Message-ID: <20010601204309.K10477@mail.webmonster.de>
In-Reply-To: message from brian@collab.net on Fri, Jun 01, 2001 at 08:56:44AM -0700
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG

Brian Behlendorf(brian@collab.net)@2001.06.01 08:56:44 +0000:
> On 1 Jun 2001, Dag-Erling Smorgrav wrote:
> > Brian Behlendorf writes:
> > > The shell machine at SF didn't have reverse DNS (or at least it wasn't
> > > recorded in the wtmp), so you might want to look for 216.136.171.252 (the
> > > machine our friend came in from) or maybe even 216.136/24.
> >
> > I hope you meant 216.136.171/24, and not 216.136/16:
>
> Er, yeah; preferably someone could get a list of IP addresses SF.net has
> ever had public shell machines on.

as a direct consequence of the incident it would be a prudent choice of the
sourceforge folks to have already done it. that said (i do not know anyone
at their site personally) could somebody with good connections to them
propagate this list to -security, please?

>
> > Oh, and .252 does have reverse DNS:
> >
> > des@des ~% host 216.136.171.252
> > 252.171.136.216.IN-ADDR.ARPA domain name pointer usw-sf-fw2.sourceforge.net
>
> OK, but it wasn't recorded in my wtmp, so I suspect it might not get
> recorded in others'.

reverse dns is not a security measure. it is the opposite ;-) dns can be
easily manipulated in a thousand ways. one should never rely on reverse dns
or dns in general.

/k
-- 
> The more we disagree, the more chance there is that at least one of us
> is right.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
karsten&rohrbach.de -- alpha&ngenn.net -- alpha&scene.org -- catch@spam.de
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
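Worked example (added here, not part of the message above or of any FreeBSD or SourceForge tooling): the two practical points in the thread are scanning login records for a source range, and the warning that a PTR record is not evidence of where a login came from. The Python below does both against constructed data. `SAMPLE_LAST` is a made-up set of lines in the shape of `last(1)` output, and `PTR_TABLE`/`A_TABLE` stand in for the resolver so the code runs offline; only 216.136.171.252 and usw-sf-fw2.sourceforge.net are taken from the thread, and 203.0.113.7 is a TEST-NET-3 address used to show a PTR record that names a host its owner does not control. `fcrdns` implements forward-confirmed reverse DNS (accept the PTR name only if it resolves back to the address), which is the minimum check before a name in a log is trusted at all; `sessions_from_range` matches both raw addresses and name-only entries against a CIDR range, so a system that recorded reverse DNS in wtmp is still searchable.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample in the shape of last(1) output: user, tty, remote host
# (an IP, or a name when the system recorded reverse DNS), then session times.
# These lines are made up for the example.
SAMPLE_LAST = """\
brian    ttyp3    216.136.171.252             Thu May 17 20:12 - 20:40  (00:28)
des      ttyp1    usw-sf-fw2.sourceforge.net  Fri May 18 09:01 - 09:05  (00:04)
root     ttyv0                                Sat May 19 11:30   still logged in
karsten  ttyp2    194.162.162.209             Sat May 19 12:00 - 12:10  (00:10)
"""

# Constructed DNS data so the example runs offline. 203.0.113.7 (TEST-NET-3)
# models an address whose in-addr.arpa owner published a PTR pointing at a
# name they do not control; reverse DNS alone cannot tell this apart.
PTR_TABLE: Dict[str, str] = {
    "216.136.171.252": "usw-sf-fw2.sourceforge.net",
    "203.0.113.7": "usw-sf-fw2.sourceforge.net",
}
A_TABLE: Dict[str, List[str]] = {
    "usw-sf-fw2.sourceforge.net": ["216.136.171.252"],
}


def ptr_lookup_constructed(ip: str) -> Optional[str]:
    return PTR_TABLE.get(ip)


def a_lookup_constructed(name: str) -> List[str]:
    return A_TABLE.get(name, [])


def ptr_lookup_live(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None


def a_lookup_live(name: str) -> List[str]:
    """Real forward lookup through the system resolver (not used by the offline demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


# user, tty, optional host, then the weekday that starts the timestamp.
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?:(?P<host>\S+)\s+)?"
    r"(?P<day>Mon|Tue|Wed|Thu|Fri|Sat|Sun)\b"
)


def parse_last(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Split last(1)-style lines into (user, tty, host); host is None for local logins."""
    rows = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if m:
            rows.append((m["user"], m["tty"], m["host"]))
    return rows


def fcrdns(ip: str,
           ptr_lookup: Callable[[str], Optional[str]],
           a_lookup: Callable[[str], List[str]]) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves back to ip.
    The PTR record is written by whoever controls the reverse zone for the address,
    so on its own it proves nothing about who owns the name it points to."""
    name = ptr_lookup(ip)
    if name is None or ip not in a_lookup(name):
        return None
    return name


def sessions_from_range(text: str, cidr: str,
                        a_lookup: Callable[[str], List[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, tty, host) for sessions whose source lies in cidr. Name-only
    entries are resolved forward and matched by address."""
    net = ipaddress.ip_network(cidr, strict=False)
    hits = []
    for user, tty, host in parse_last(text):
        if host is None:
            continue
        try:
            addrs = [ipaddress.ip_address(host)]
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in a_lookup(host)]
        if any(a in net for a in addrs):
            hits.append((user, tty, host))
    return hits


if __name__ == "__main__":
    print(sessions_from_range(SAMPLE_LAST, "216.136.171.0/24", a_lookup_constructed))
    for ip in ("216.136.171.252", "203.0.113.7"):
        print(ip, "->", fcrdns(ip, ptr_lookup_constructed, a_lookup_constructed))
```

To run it against a real machine, feed the output of `last` into `sessions_from_range` and pass `a_lookup_live`/`ptr_lookup_live` instead of the constructed tables. Even with forward confirmation, the result only says that whoever controls both zones agreed on the mapping at the time of the query, not at the time of the login; the address in the log is the evidence, the name is at best a label.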