On Tue, Dec 21, 2010 at 11:19:37PM +0100, Martin Zobel-Helas wrote:
> # cat apt.conf.d/01remount
> DPkg::Pre-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then
> /bin/mount -o remount,exec /tmp; fi";};
> DPkg::Post-Invoke {"if mount | awk '{print $3}' | grep -q '^/tmp$'; then
> /bin/mo
On Thu, Dec 23, 2010 at 12:54:44PM +0100, Bernhard R. Link wrote:
> * Bastian Blank [101222 11:30]:
> > On Wed, Dec 22, 2010 at 10:18:50AM +0100, Bernhard R. Link wrote:
> > > That said, having /tmp noexec,nosuid and /var nosuid will only make some
> > > script-kiddies slower and the more people u
* Bastian Blank [101222 11:30]:
> On Wed, Dec 22, 2010 at 10:18:50AM +0100, Bernhard R. Link wrote:
> > That said, having /tmp noexec,nosuid and /var nosuid will only make some
> > script-kiddies slower and the more people use it the less it helps.
>
> It is a start.
I'd not call it a start. It i
On Tue, 21 Dec 2010 23:07:37 +0100
Vladislav Kurz wrote:
> Hello all,
>
> first, I apologize for a long mail. Don't read if you don't like long
> e-mails. But as Thorsten was already affected by exim exploit I
> thought this might be interesting for all debian-exim users:
>
Very interesting,
t
Anno domini 2010 Izak Burger scripsit:
Hi!
Nice reports :)
> But there is one bit that gets me. It does this:
> mkdir -p /usr/include/mysql
> echo dropbear >> /usr/include/mysql/mysql.hh1
> It never does anything with that file, and that file does not exist on
> a real system, so it's almost li
http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_go
With the exception of replacing /etc/exim4/exim.conf, it's pretty much
exactly what happened to me :-)
On Wed, Dec 22, 2010 at 2:06 PM, Bastian Blank wrote:
> This looks like the rootkit I found somewhere on the internet:
> | 137a3bbda16034d34307a9d686e6fdb45b3c8683 procps/free
> | 5db25350dd15d3f1e63a4ff44fa85b72c21df72d procps/kill
> | eeab165a2cf06feb327fa996f35271c076e992bc procps/pgrep
> |
On Wed, Dec 22, 2010 at 01:42:03PM +0200, Izak Burger wrote:
> The usual process related things replaced:
> free pgrep pmap skill snice tload uptime w
> kill pkill ps slabtop sysctl top vmstat watch
This looks like the rootkit I found somewhere on the internet:
| 137a3bbda1603
This is a me too email.
I found one overlooked machine that was compromised on the 16th of December.
The usual process related things replaced:
free pgrep pmap skill snice tload uptime w
kill pkill ps slabtop sysctl top vmstat watch
All of these were chattr +ai, as if that was
On Wed, Dec 22, 2010 at 10:18:50AM +0100, Bernhard R. Link wrote:
> That said, having /tmp noexec,nosuid and /var nosuid will only make some
> script-kiddies slower and the more people use it the less it helps.
It is a start.
> As long as you have things like /dev/shm world-writeable and not
> mo
* Vladislav Kurz [101221 23:09]:
> As for point 2. it's a pity that dpkg is using /tmp and /var/lib/dpkg/ to run
> scripts during installation and removal of packages. It would be nice if
> whole /var could be mounted noexec.
AFAIK dpkg does not run things in /tmp. The only thing running things i
Hi,
On Tue Dec 21, 2010 at 23:07:37 +0100, Vladislav Kurz wrote:
>
> Lessons learned:
> 1. subscribe to DSA and run apt-get
> 2. /var/spool, /var/tmp, /tmp and other places where unprivileged users can
> write, should be mounted nosuid and even better noexec. It seems that this
> could preven