On Jan 5, 2012, at 11:13 PM, email builder wrote:
I don't mean to thread-hijack, but I'm curious, if apache runs as its
own non-root user and /etc/shadow is root-owned and 0400, then
how could any exploit of software not running as root ever have
access to that file??
To listen on the default
On Fri, Jan 6, 2012 at 1:52 PM, email builder wrote:
>>
>> Apache starts as root so it can open port 80. Certain bugs might
>> happen before it switched to a non-privileged user. But, a more
>> likely scenario would be to get the ability to run some arbitrary
>> command through an apache, app, o
>>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>>> your /etc/shadow file (not a remote shell, just GET the file
>>> without that fact being logged);
>>
>> I don't mean to thread-hijack, but I'm curious, if apache runs as
>> its
>> own non-root user and /etc/shadow i
On Jan 5, 2012, at 6:34 PM, Johnny Hughes wrote:
> On 01/05/2012 02:51 PM, Bennett Haselton wrote:
>> On 1/5/2012 6:53 AM, Johnny Hughes wrote:
>>> On 01/04/2012 07:47 PM, Bennett Haselton wrote:
On 1/4/2012 1:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is
On Thu, Jan 5, 2012 at 10:13 PM, email builder wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as i
On 1/5/2012 9:13 PM, email builder wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non
> 1.) Attacker uses apache remote exploit (or other means) to obtain
> your /etc/shadow file (not a remote shell, just GET the file
> without that fact being logged);
I don't mean to thread-hijack, but I'm curious, if apache runs as its
own non-root user and /etc/shadow is root-owned and 0400,
On 01/05/2012 02:51 PM, Bennett Haselton wrote:
> On 1/5/2012 6:53 AM, Johnny Hughes wrote:
>> On 01/04/2012 07:47 PM, Bennett Haselton wrote:
>>> On 1/4/2012 1:59 PM, Lamar Owen wrote:
[Distilling to the core matter; everything else is peripheral.]
On Jan 4, 2012, at 2:58 PM, Bennet
On 1/5/2012 6:53 AM, Johnny Hughes wrote:
> On 01/04/2012 07:47 PM, Bennett Haselton wrote:
>> On 1/4/2012 1:59 PM, Lamar Owen wrote:
>>> [Distilling to the core matter; everything else is peripheral.]
>>>
>>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
To be absolutely clear: Do you,
On 01/05/2012 08:58 PM, Lamar Owen wrote:
> 1.) Boot and run the bastion hosts from customized LiveCD or LiveDVD on real
> DVD-ROM read-only drives with no persistent storage (updating the LiveCD/DVD
> image periodically with updates and with additional authentication users/data
> as needed; DVD
On Thursday, January 05, 2012 02:25:50 PM Ljubomir Ljubojevic wrote:
> What is sentiment about having dedicated box with only ssh, and then use
> that one to raise ssh tunnels to inside systems? So there are no exploits
> to be used, denyhosts in effect?
Without being too specific, I already do t
On 01/05/2012 07:56 PM, Lamar Owen wrote:
> On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
>> Well yes, on average, password-authentication is going to be worse
>> because it includes people in the sample who are using passwords like
>> "Patricia". Did they compare the break-in
On Wednesday, January 04, 2012 08:47:47 PM Bennett Haselton wrote:
> Well yes, on average, password-authentication is going to be worse
> because it includes people in the sample who are using passwords like
> "Patricia". Did they compare the break-in rate for systems with 12-char
> passwords v
On Wed, Jan 4, 2012 at 8:12 PM, Bennett Haselton wrote:
>>
>>> Yes, the totality of SELinux restrictions sounds like it could make a
>>> system more secure if it helps to guard against exploits in the services
>>> and the OS. My point was that some individual restrictions may not make
>>> sense.
On 01/04/2012 07:47 PM, Bennett Haselton wrote:
> On 1/4/2012 1:59 PM, Lamar Owen wrote:
>> [Distilling to the core matter; everything else is peripheral.]
>>
>> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>>> To be absolutely clear: Do you, personally, believe there is more than a
>>> 1 in
On 1/4/2012 3:01 PM, Marko Vojinovic wrote:
> On Wednesday 04 January 2012 11:58:07 Bennett Haselton wrote:
>> If *everyone* used a 12-char random password, then the odds are that
>> *none* of the 10 million machines attacking 100 million servers would
>> hit on a success, not when there are 10^21
On 1/4/2012 1:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is peripheral.]
>
> On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
>> To be absolutely clear: Do you, personally, believe there is more than a
>> 1 in a million chance that the attacker who got into my mac
On Wednesday 04 January 2012 11:58:07 Bennett Haselton wrote:
> If *everyone* used a 12-char random password, then the odds are that
> *none* of the 10 million machines attacking 100 million servers would
> hit on a success, not when there are 10^21 possible passwords to choose
> from.
It is too n
On 01/04/2012 10:59 PM, Lamar Owen wrote:
> [Distilling to the core matter; everything else is peripheral.]
>
>
> It is a safe assumption that there are httpd exploits in the wild, that
> are not known by the apache project, that specifically attempt to grab
> /etc/shadow and send to the attacker.
On Wed, Jan 4, 2012 at 4:13 PM, Markus Falb wrote:
>>
>> To be absolutely clear: Do you, personally, believe there is more than a
>> 1 in a million chance that the attacker who got into my machine, got it
>> by brute-forcing the password?
>
> I think it was Lamar trying to point out that statistic
On 4.1.2012 20:58, Bennett Haselton wrote:
> On 1/4/2012 9:32 AM, Lamar Owen wrote:
>> The slow brute-forcers are at work, and are spreading. ...
> Well yes of course an attacker can try *particular* 12-character
> passwords, I never said they couldn't :) ...
If you enforce use of ssh keys an a
[Distilling to the core matter; everything else is peripheral.]
On Jan 4, 2012, at 2:58 PM, Bennett Haselton wrote:
To be absolutely clear: Do you, personally, believe there is more
than a
1 in a million chance that the attacker who got into my machine, got
it
by brute-forcing the password?
On 1/4/2012 9:32 AM, Lamar Owen wrote:
> On Tuesday, January 03, 2012 06:12:10 PM Bennett Haselton wrote:
>> I'm not sure what their logic is for recommending 80. But 72 bits
>> already means that any attack is so improbable that you'd *literally*
>> have to be more worried about the sun going sup
On Thu, Jan 5, 2012 at 1:32 AM, Lamar Owen wrote:
On Tuesday, January 03, 2012 06:12:10 PM Bennett Haselton wrote:
> I'm not sure what their logic is for recommending 80. But 72 bits
> already means that any attack is so improbable that you'd *literally*
> have to be more worried about the sun going supernova.
I'd be more worried about Eta Car
>> If attack A is 1,000 times more likely
>> to work than attack B, you don't think it's more important to guard
>> against attack A?
>
> It's not either/or here. You could be the guy who gets hit by lightning.
I'm not sure I entirely agree with you there Les.
I'm not going to delve into the int
On Wed, Jan 4, 2012 at 11:40 AM, Les Mikesell wrote:
> Do you lock your doors or just leave them open because anyone who
> wants in can break a window anyway?
>
Hi Bennett,
In conclusion, IMHO, I think you are worried too much :)
Don't be afraid just because it's a dangerous world out there.
- S
On Tue, Jan 3, 2012 at 6:49 PM, Bennett Haselton wrote:
>
>>> Of the compromised machines on the Internet, what proportion do you
>>> think were hacked via MITM-and-advanced-crypto, compared to exploits in
>>> the services?
>> Proportions don't matter. Unless you have something extremely
>> valua
On 1/3/2012 4:21 PM, Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 5:12 PM, Bennett Haselton
> wrote:
>>> The critical thing to remember is that in key auth the authenticating key
>>> never leaves the client system, rather an encrypted 'nonce' is sent (the
>>> nonce is encrypted by the authentic
On 1/3/2012 2:13 PM, Lamar Owen wrote:
> On Sunday, January 01, 2012 06:27:32 PM Bennett Haselton wrote:
>> (I have already practically worn out my keyboard explaining the math behind
>> why I think a 12-character alphanumeric password is secure enough :) )
> Also see:
> https://lwn.net/Articles/36
On Tue, Jan 3, 2012 at 5:12 PM, Bennett Haselton wrote:
>>
>> The critical thing to remember is that in key auth the authenticating key
>> never leaves the client system, rather an encrypted 'nonce' is sent (the
>> nonce is encrypted by the authenticating key), which only the server,
>> possess
On 1/3/2012 2:10 PM, Pete Travis wrote:
> Here's the qualifying statement I made, in an attempt to preempt pedantic
> squabbles over my choice of arbitrary figures and oversimplified math:
>>> I am not a statistician, but
> Here is a statement intended to startle you into re-examining your positio
On 1/3/2012 2:04 PM, Lamar Owen wrote:
> On Tuesday, January 03, 2012 03:24:34 PM Bennett Haselton wrote:
>> That there are 10^21 possible random 12-character alphanumeric passwords
>> -- making it secure against brute-forcing -- is a fact, not an opinion.
>
>> To date, *nobody* on this thread has
Bennett Haselton wrote:
> On 1/3/2012 12:32 PM, m.r...@5-cent.us wrote:
>> Bennett Haselton wrote:
>>> mark wrote:
>>
> 1. How will you generate "truly random"? Clicks on a Geiger counter?
> There is no such thing as a random number generator.
>>>
>>> To date, *nobody* on this thread has
On Sunday, January 01, 2012 06:27:32 PM Bennett Haselton wrote:
> (I have already practically worn out my keyboard explaining the math behind
> why I think a 12-character alphanumeric password is secure enough :) )
Also see:
https://lwn.net/Articles/369703/
Here's the qualifying statement I made, in an attempt to preempt pedantic
squabbles over my choice of arbitrary figures and oversimplified math:
> > I am not a statistician, but
Here is a statement intended to startle you into re-examining your position:
> > Simplistic probability puts the odds o
On Tuesday, January 03, 2012 03:24:34 PM Bennett Haselton wrote:
> That there are 10^21 possible random 12-character alphanumeric passwords
> -- making it secure against brute-forcing -- is a fact, not an opinion.
> To date, *nobody* on this thread has ever responded when I said that
> there ar
On 1/3/2012 12:32 PM, m.r...@5-cent.us wrote:
> Bennett Haselton wrote:
>> mark wrote:
>
1. How will you generate "truly random"? Clicks on a Geiger counter?
There is no such thing as a random number generator.
>
>> That there are 10^21 possible random 12-character alphanumeric password
On 1/3/2012 12:31 PM, Pete Travis wrote:
> On Jan 3, 2012 12:36 PM, "Ljubomir Ljubojevic" wrote:
>> On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
>>> Having been on vacation, I'm coming in very late in this
>>>
>>> Les Mikesell wrote:
On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
>>>
Bennett Haselton wrote:
> mark wrote:
>>> 1. How will you generate "truly random"? Clicks on a Geiger counter?
>>> There is no such thing as a random number generator.
> That there are 10^21 possible random 12-character alphanumeric passwords
> -- making it secure against brute-forcing -- is a fa
On Jan 3, 2012 12:36 PM, "Ljubomir Ljubojevic" wrote:
>
> On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
> > Having been on vacation, I'm coming in very late in this
> >
> > Les Mikesell wrote:
> >> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
> >> wrote:
> >
> >>> OK but those are *user
On 1/3/2012 11:36 AM, Ljubomir Ljubojevic wrote:
> On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
>> Having been on vacation, I'm coming in very late in this
>>
>> Les Mikesell wrote:
>>> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
>>> wrote:
>>
OK but those are *users* who have the
Whoops, sorry, thought this was offlist.
mark, not reading closely enough.
m.r...@5-cent.us wrote:
> Ljubomir,
>
> Ljubomir Ljubojevic wrote:
>> On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
>>> Having been on vacation, I'm coming in very late in this
>>>
>>> Les Mikesell wrote:
Ljubomir,
Ljubomir Ljubojevic wrote:
> On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
>> Having been on vacation, I'm coming in very late in this
>>
>> Les Mikesell wrote:
>>> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
>>> wrote:
>>
OK but those are *users* who have their own pass
On 01/03/2012 04:47 PM, m.r...@5-cent.us wrote:
> Having been on vacation, I'm coming in very late in this
>
> Les Mikesell wrote:
>> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
>> wrote:
>
>>> OK but those are *users* who have their own passwords that they have
>>> chosen, presumably. U
On Tue, Jan 3, 2012 at 3:14 AM, Rudi Ahlers wrote:
>
>>> Very often, a single user with a
>>> weak password has his account cracked and then a hacker can get a copy
>>> of /etc/shadow and brute force the root password.
>>
>> This is incorrect. The whole reasoning behind /etc/shadow is to hide the
On Tue, Jan 3, 2012 at 12:48 AM, Bennett Haselton wrote:
>
>> You can also set up openvpn on the server and control ports like ssh to
>> only be open to you if you are using an openvpn client to connect to the
>> machine.
>
> True but I travel a lot and sometimes need to connect to the machines
>
On Tue, Jan 3, 2012 at 9:31 AM, Marc Deop wrote:
>
>> Openvpn runs over UDP. With the tls-auth option it won't respond to
>> an unsigned packet. So without the key you can't tell the difference
>> between a listening openvpn or a firewall that drops packets silently.
>> That is, you can't 'find
Having been on vacation, I'm coming in very late in this
Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
> wrote:
>> OK but those are *users* who have their own passwords that they have
>> chosen, presumably. User-chosen passwords cannot be assumed to be
>> secure aga
On Tuesday 03 January 2012 07:57:47 Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton
> wrote:
> >
> > But assuming the attacker is targeting my production system, suppose
> > they find a vulnerability and obtain the ability to run commands as root
> > on the system. Then wo
On Tue, Jan 3, 2012 at 4:28 AM, Bennett Haselton wrote:
>
> But assuming the attacker is targeting my production system, suppose
> they find a vulnerability and obtain the ability to run commands as root
> on the system. Then wouldn't their first action be to remove
> restrictions on where you ca
On 1/3/2012 12:50 AM, Nataraj wrote:
> On 01/02/2012 10:48 PM, Bennett Haselton wrote:
>> True but I travel a lot and sometimes need to connect to the machines
>> from subnets that I don't know about in advance.
> You could secure another system somewhere on the internet (could be a
> $20/month vir
Hello Rudi,
On Tue, 2012-01-03 at 11:14 +0200, Rudi Ahlers wrote:
> How does something like c99shell allow a local user (not root) to read
> the /etc/shadow file?
I do not vouch for every app that is written to break good security
practices. Try
$ ls -l /etc/shadow
If the tool you are using allo
On 1/2/2012 11:01 PM, John R. Dennison wrote:
> On Mon, Jan 02, 2012 at 10:41:15PM -0800, Bennett Haselton wrote:
>> Again, you don't have to take my word for it -- in the first 10 Google
>> hits of pages with people posting about the problem I ran into, none of
>> the people helping them, thought
On 01/03/12 1:14 AM, Rudi Ahlers wrote:
> How does something like c99shell allow a local user (not root) to read
> the /etc/shadow file?
presumably it uses a suid utility? i'm not familiar with c99shell, but
that's classically how you elevate privileges.
--
john r pierce
On 3 January 2012 02:30, Bennett Haselton wrote:
> In other words, when SELinux causes a problem, it can take hours or days
> to find out that SELinux is the cause -- and even then you're not done,
> because you have to figure out a workaround if you want to fix the
> problem while keeping SELinu
On Tue, Jan 3, 2012 at 11:08 AM, Leonard den Ottolander
wrote:
> Hello Craig,
>
> On Mon, 2012-01-02 at 01:04 -0700, Craig White wrote:
>> Very often, a single user with a
>> weak password has his account cracked and then a hacker can get a copy
>> of /etc/shadow and brute force the root password.
Hello Craig,
On Mon, 2012-01-02 at 01:04 -0700, Craig White wrote:
> Very often, a single user with a
> weak password has his account cracked and then a hacker can get a copy
> of /etc/shadow and brute force the root password.
This is incorrect. The whole reasoning behind /etc/shadow is to hide t
On 01/02/2012 10:48 PM, Bennett Haselton wrote:
>
> True but I travel a lot and sometimes need to connect to the machines
> from subnets that I don't know about in advance.
You could secure another system somewhere on the internet (could be a
$20/month virtual host), leave no pointers to your prod
On 1/2/2012 11:04 PM, Les Mikesell wrote:
> On Tue, Jan 3, 2012 at 12:41 AM, Bennett Haselton
> wrote:
>>> Standard/non-standard isn't the point. The point is to control what an
>>> app can do even if some unexpected flaw lets it execute arbitrary
>>> code.
>> What's the scenario where this port
On Tue, Jan 3, 2012 at 12:41 AM, Bennett Haselton wrote:
>> Standard/non-standard isn't the point. The point is to control what an
>> app can do even if some unexpected flaw lets it execute arbitrary
>> code.
> What's the scenario where this port restriction would make a
> difference? Suppose an
On Mon, Jan 02, 2012 at 10:41:15PM -0800, Bennett Haselton wrote:
>
> Again, you don't have to take my word for it -- in the first 10 Google
> hits of pages with people posting about the problem I ran into, none of
> the people helping them, thought to suggest SELinux as the cause of the
> prob
On 1/2/2012 7:29 AM, Johnny Hughes wrote:
> On 01/02/2012 02:04 AM, Craig White wrote:
>> On Sun, 2012-01-01 at 14:23 -0800, Bennett Haselton wrote:
>>> (Sorry, third time -- last one, promise, just giving it a subject line!)
>>>
>>> OK, a second machine hosted at the same hosting company has also
On Tue, Jan 3, 2012 at 12:23 AM, Bennett Haselton wrote:
>
> So I stand by the statement that SELinux is more likely to cause
> problems that are hard to figure out for people who aren't professional
> admins.
Don't think anyone claims otherwise. Or that security is easy.
> And then there's th
On 1/2/2012 7:48 PM, Les Mikesell wrote:
> On Mon, Jan 2, 2012 at 8:30 PM, Bennett Haselton
> wrote:
>
>>What apps are those (i.e. the ones that
>>> SELinux would have broken) and if they are open source, have those
>>> projects updated the app or the underlying language(s)/libraries since
>>
On 1/2/2012 8:11 PM, RILINDO FOSTER wrote:
> On Jan 2, 2012, at 9:30 PM, Bennett Haselton wrote:
>
>> On 1/2/2012 9:18 AM, Les Mikesell wrote:
>>> On Mon, Jan 2, 2012 at 6:03 AM, Bennett Haselton
>>> wrote:
I tried SELinux but it broke so much needed functionality on the server
that it
On Jan 2, 2012, at 9:30 PM, Bennett Haselton wrote:
> On 1/2/2012 9:18 AM, Les Mikesell wrote:
>> On Mon, Jan 2, 2012 at 6:03 AM, Bennett Haselton
>> wrote:
>>> I tried SELinux but it broke so much needed functionality on the server
>>> that it was not an option.
>> Pretty much all of the stock
On Jan 2, 2012, at 9:37 PM, Bennett Haselton wrote:
> On 1/2/2012 9:18 AM, Les Mikesell wrote:
>> There have been many, many vulnerabilities that permit local user
>> privilege escalation to root (in the kernel, glibc, suid programs,
>> etc.) and there are probably many we still don't know about.
On Mon, Jan 2, 2012 at 8:30 PM, Bennett Haselton wrote:
> What apps are those (i.e. the ones that
>> SELinux would have broken) and if they are open source, have those
>> projects updated the app or the underlying language(s)/libraries since
>> you have?
>
> So here's a perfect example. I insta
On 1/2/2012 9:41 PM, Ljubomir Ljubojevic wrote:
> On 01/03/2012 03:30 AM, Bennett Haselton wrote:
>> In other words, when SELinux causes a problem, it can take hours or days
>> to find out that SELinux is the cause -- and even then you're not done,
>> because you have to figure out a workaround if
On 01/03/2012 03:30 AM, Bennett Haselton wrote:
> In other words, when SELinux causes a problem, it can take hours or days
> to find out that SELinux is the cause -- and even then you're not done,
> because you have to figure out a workaround if you want to fix the
> problem while keeping SELinux t
On 1/2/2012 9:18 AM, Les Mikesell wrote:
> There have been many, many vulnerabilities that permit local user
> privilege escalation to root (in the kernel, glibc, suid programs,
> etc.) and there are probably many we still don't know about. They
> often require writing to the filesystem. For examp
On 1/2/2012 9:18 AM, Les Mikesell wrote:
> On Mon, Jan 2, 2012 at 6:03 AM, Bennett Haselton
> wrote:
>> I tried SELinux but it broke so much needed functionality on the server
>> that it was not an option.
> Pretty much all of the stock programs work with SELinux, so this by
> itself implies that
Hello,
just if it helps, please find below these lines the steps I have used to
analyze several suspicious machines in some customers, to check if they
have been compromised or not:
* Chkrootkit && rkhunter -> To search for known trojans and common linux
malware.
* unhide (http://www.unhide-for
On Mon, Jan 2, 2012 at 6:03 AM, Bennett Haselton wrote:
>
> I tried SELinux but it broke so much needed functionality on the server
> that it was not an option.
Pretty much all of the stock programs work with SELinux, so this by
itself implies that you are running 3rd party or local apps that hav
On 01/02/2012 02:04 AM, Craig White wrote:
> On Sun, 2012-01-01 at 14:23 -0800, Bennett Haselton wrote:
>> (Sorry, third time -- last one, promise, just giving it a subject line!)
>>
>> OK, a second machine hosted at the same hosting company has also apparently
>> been hacked. Since 2 out of 3
On Sun, Jan 1, 2012 at 6:04 PM, Ljubomir Ljubojevic wrote:
> On 01/02/2012 02:50 AM, Bennett Haselton wrote:
> > I'm not sure what you mean by "an exploit from a web board which is
> > apparently designed to pull outside traffic". Like Ljubomir said, it
> looks
> > like a script that is used fro
On Mon, Jan 2, 2012 at 12:04 AM, Craig White wrote:
> On Sun, 2012-01-01 at 14:23 -0800, Bennett Haselton wrote:
> > (Sorry, third time -- last one, promise, just giving it a subject line!)
> >
> > OK, a second machine hosted at the same hosting company has also
> apparently
> > been hacked. Sin
On Sun, 2012-01-01 at 14:23 -0800, Bennett Haselton wrote:
> (Sorry, third time -- last one, promise, just giving it a subject line!)
>
> OK, a second machine hosted at the same hosting company has also apparently
> been hacked. Since 2 out of 3 machines hosted at that company have now
> been
On Sun, Jan 1, 2012 at 6:03 PM, Fajar Priyanto wrote:
> On Mon, Jan 2, 2012 at 9:33 AM, RILINDO FOSTER wrote:
> > The script in question is an exploit from a web board which is
> apparently designed to pull outside traffic. If you had SELinux, it would
> put httpd in its own context and by defau
On 01/02/2012 02:50 AM, Bennett Haselton wrote:
> I'm not sure what you mean by "an exploit from a web board which is
> apparently designed to pull outside traffic". Like Ljubomir said, it looks
> like a script that is used from machine X to DOS attack machine Y, if
> machine Y has the VBulletin b
On Mon, Jan 2, 2012 at 9:33 AM, RILINDO FOSTER wrote:
> The script in question is an exploit from a web board which is apparently
> designed to pull outside traffic. If you had SELinux, it would put httpd in
> its own context and by default, it will NOT allow connections from that
> context to
On Sun, Jan 1, 2012 at 5:01 PM, Les Mikesell wrote:
> On Sun, Jan 1, 2012 at 4:23 PM, Bennett Haselton
> wrote:
> >
> > So, following people's suggestions, the machine is disconnected and
> hooked
> > up to a KVM so I can still examine the files. I've found this file:
> > -rw-r--r-- 1 root root
On Jan 1, 2012, at 8:50 PM, Bennett Haselton wrote:
> On Sun, Jan 1, 2012 at 5:33 PM, RILINDO FOSTER wrote:
>
>> On Jan 1, 2012, at 8:24 PM, Bennett Haselton wrote:
>>
>>> On Sun, Jan 1, 2012 at 4:57 PM, Rilindo Foster wrote:
>>>
On Jan 1, 2012, at 5:23 PM, Bennett Haselton
On Sun, Jan 1, 2012 at 5:33 PM, RILINDO FOSTER wrote:
> On Jan 1, 2012, at 8:24 PM, Bennett Haselton wrote:
>
> > On Sun, Jan 1, 2012 at 4:57 PM, Rilindo Foster wrote:
> >
> >>
> >>
> >> On Jan 1, 2012, at 5:23 PM, Bennett Haselton
> >> wrote:
> >>
> >>> (Sorry, third time -- last one, promise
On Jan 1, 2012, at 8:24 PM, Bennett Haselton wrote:
> On Sun, Jan 1, 2012 at 4:57 PM, Rilindo Foster wrote:
>
>>
>>
>> On Jan 1, 2012, at 5:23 PM, Bennett Haselton
>> wrote:
>>
>>> (Sorry, third time -- last one, promise, just giving it a subject line!)
>>>
>>> OK, a second machine hosted
On Sun, Jan 1, 2012 at 4:57 PM, Rilindo Foster wrote:
>
>
> On Jan 1, 2012, at 5:23 PM, Bennett Haselton
> wrote:
>
> > (Sorry, third time -- last one, promise, just giving it a subject line!)
> >
> > OK, a second machine hosted at the same hosting company has also
> apparently
> > been hacked.
On 01/02/2012 12:27 AM, Bennett Haselton wrote:
> On Sun, Jan 1, 2012 at 2:55 PM, Eero Volotinen wrote:
>
>> 2012/1/2 Bennett Haselton:
>>> (Sorry, third time -- last one, promise, just giving it a subject line!)
>>>
>>> OK, a second machine hosted at the same hosting company has also
>> apparently
On Sun, Jan 1, 2012 at 4:23 PM, Bennett Haselton wrote:
>
> So, following people's suggestions, the machine is disconnected and hooked
> up to a KVM so I can still examine the files. I've found this file:
> -rw-r--r-- 1 root root 1358 Oct 21 17:40 /home/file.pl
> which appears to be a copy of thi
On Jan 1, 2012, at 5:23 PM, Bennett Haselton wrote:
> (Sorry, third time -- last one, promise, just giving it a subject line!)
>
> OK, a second machine hosted at the same hosting company has also apparently
> been hacked. Since 2 out of 3 machines hosted at that company have now
> been hac
On Sun, Jan 1, 2012 at 2:55 PM, Eero Volotinen wrote:
> 2012/1/2 Bennett Haselton :
> > (Sorry, third time -- last one, promise, just giving it a subject line!)
> >
> > OK, a second machine hosted at the same hosting company has also
> apparently
> > been hacked. Since 2 out of 3 machines host
2012/1/2 Bennett Haselton :
> (Sorry, third time -- last one, promise, just giving it a subject line!)
>
> OK, a second machine hosted at the same hosting company has also apparently
> been hacked. Since 2 out of 3 machines hosted at that company have now
> been hacked, but this hasn't happened
(Sorry, third time -- last one, promise, just giving it a subject line!)
OK, a second machine hosted at the same hosting company has also apparently
been hacked. Since 2 out of 3 machines hosted at that company have now
been hacked, but this hasn't happened to any of the other 37 dedicated
ser
93 matches