>
> (I hope you don't mind if I publish our correspondence in Linux Gazette,
> http://linuxgazette.net/ .)
>
No problem at all.
Kevin Bailey
hi ya thomas
On Wed, 30 Nov 2005, Thomas Hochstein wrote:
> Alvin Oga wrote:
>
> > - fresh installs means you have to configure everything
> > again from nothing .. maybe 1hr ..maybe 1 day .. maybe 1 week
>
> No, you don't; you can just review the configuration file(s) manually
> or
Quoting Thomas Hochstein ([EMAIL PROTECTED]):
> That is not a good idea in a typical hosting environment; if you push
> your backup and the machine to be backed up is compromised, the
> attacker has access to your backups too because the automatic backup
> process has to have the necessary credent
Alvin Oga wrote:
> - fresh installs means you have to configure everything
> again from nothing .. maybe 1hr ..maybe 1 day .. maybe 1 week
No, you don't; you can just review the configuration file(s) manually
or check them against a known good backup.
> always push backups, since r
hi ya kevin
On Tue, 29 Nov 2005, kevin bailey wrote:
> i have tried out lots of different things on this server and have made the
> mistake of leaving unnecessary services running.
everybody does that, one forgets to "undo the experiment environment"
and restore back to secure mode
> in this c
Rick Moen wrote:
>
> Unsafe data passed to eval(). Sheesh!
And awstats is so large, that it would require a lot of effort to do a
proper audit of it. Are there any automated tools for auditing perl code?
Or I wonder what would happen if you just switched on taint mode?
>
>>I would agree
Quoting Geoff Crompton ([EMAIL PROTECTED]):
> The most recent vulnerability that I was aware of in Awstats can still
> work even in static mode. http://www.securityfocus.com/bid/14525. The
> referrer in the log file is not sanity checked.
Hmm. I note: "It should be noted this vulnerability is o
> So, here's my favourite example of the "bad implementation" problem:
> AWstats. It's had a long history of:
>
> o Someone finds yet another way its stats-generating CGI can be subverted by
>   sending it aberrant URL information from the public.
> o The upstream maintainer issues an update.
On Tuesday 29 November 2005 14.04, kevin bailey wrote:
> if backing up to another server get that server to pull backups out. on
> my new machines i was pushing out the backups from the primary server -
> this would mean a cracker would then have an easy way in to the backup
> machine because i wa
Quoting kevin bailey ([EMAIL PROTECTED]):
> what with it being several different symptoms i tend to think this is not a
> false positive.
Concur.
> cause:
>
> this is an old server which has been running for 4 years.
If such an old server is maintained and administered properly, and if
you do
thanks for the replies.
what with it being several different symptoms i tend to think this is not a
false positive.
cause:
this is an old server which has been running for 4 years.
i have tried out lots of different things on this server and have made the
mistake of leaving unnecessary services
On Tue, Nov 29, 2005 at 04:34:11AM +, kevin bailey wrote:
> hi,
>
> the following output looks like i've been rooted.
Yes, it doesn't look like a false positive:
> Checking `ls'... INFECTED
> Checking `netstat'... INFECTED
> Checking `ps'... INFECTED
> Checking `top'... INFECTED
Nasty.
> S
and..
:/usr/local/sbin# /usr/lib/chkrootkit/chkproc -v
PID 4: not in ps output
PID 1769: not in ps output
PID 15688: not in ps output
PID 15690: not in ps output
PID 17760: not in ps output
PID 17762: not in ps output
PID 21583: not in ps output
PID 21585: not in ps output
PID 21919: not in p
hi,
the following output looks like i've been rooted.
i'm in the process of moving all services to another machine and restoring
from backups etc.
could anyone provide any analysis of what attack caused the problem - i
would guess that it's possibly something to do with zope.
thanks,
kev
:/usr