Re: Kernel Crash Bug????

2004-06-15 Thread David Ramsden
t execute it. > > Does PHP allow executing arbitrary binaries? > [snip] Yes, unless in your php.ini you have something along the lines of: disable_functions = system,passthru,shell_exec,popen,proc_open Regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :

Re: securing PHP (was: Kernel Crash Bug????)

2004-06-15 Thread David Ramsden
On Tue, Jun 15, 2004 at 11:20:35AM +0200, Jeroen van Wolffelaar wrote: > On Tue, Jun 15, 2004 at 10:35:33AM +0200, Rudy Gevaert wrote: > > On Tue, Jun 15, 2004 at 09:23:33AM +0100, David Ramsden wrote: > > > On Tue, Jun 15, 2004 at 05:52:18PM +1000, Russell Coker wrote: > >

Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-15 Thread David Ramsden
How about running a packet sniffer on port 80 too and monitor the traffic. Log to a text file and grep that? HTH. David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://david.hexstream.eu.org/ `. `'` PGP key ID: 507B379B on wwwkeys.pgp.net `- Debian - when you have better things to do than to fix a system.

Re: ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
ng itself suid(0)). I'm using Debian 3.0 (Stable) with kernel 2.2.19 (standard Debian install). The additional printk() I added, to help "spot potential abusers" did log to /var/log/messages as: [date/time] host: kernel: ptrace(): uid=0, comm= But as I've said... it has had no effect in blocking ptrace() as a workaround for this exploit. Regards, David. -- David Ramsden http://portal.hexstream.eu.org/

Re: [d-security] ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: Sent: Friday, March 21, 2003 3:20 PM Subject: Re: [d-security] Re: ptrace bug: ipsec exploit makes itself suid(0) [snipped] > ... > >

Re: determining which patches to apply...

2003-03-21 Thread David Ramsden
mulate --assume-yes upgrade apt-get autoclean Every day, this will simulate an upgrade of your packages with the latest. You can see what will be installed, what will be upgraded, if it'll work etc. etc. HTH. Regards, David. -- David Ramsden http://portal.hexstream.eu.org/

Re: Port 635

2003-03-31 Thread David Ramsden
'd use this dietlibc? Maybe it's related to that, maybe it's not. According to sans.org [1] RPC services are the number 1 exploitable part to UNIX systems so it may just be one of those standard 'scans' you get now and then. [1] http://www.sans.org/top20/#index David. -- David Ramsden http://portal.hexstream.eu.org/

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
d "make oldconfig" without having to re-do the config again. Downloading the source from kernel.org and trying to use the config in /boot has 'new features' and things. (I'm not too confident at compiling the kernel and the default Debian one is fine!). Regards, David. -- David Ramsden http://portal.hexstream.eu.org/

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

iptables with no module support?

2003-04-23 Thread David Ramsden
an option to allow ipchains compatibility either - Does this no longer exist? So any workarounds, fixes etc. etc. would be most welcome. Thanks and regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.eu.org/ `. `'` `- Deb

Re: iptables with no module support?

2003-04-23 Thread David Ramsden
er error :-p] (delete as appropriate). Kind regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.eu.org/ `. `'` PGP key ID: 507B379B on wwwkeys.pgp.net `- Debian - when you have better things to do than to fix a system.

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
't actually apply it. With any output to STDOUT from cron, you get an email about it so this way I can look at these everyday and see which servers have updates available for them and what will happen if I apply them. HTH, David. -- .''`. David Ramsden <[EMAIL PROTEC

Re: HELP, my Debian Server was hacked!

2003-04-24 Thread David Ramsden
> > as would i :). > eric > Me too please - Sorry for replying to the list. Lost the original posters email address. Thanks and regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.eu.org/ `. `'` PGP key ID: 507B37

Snort exploit in wild.

2003-04-25 Thread David Ramsden
etc/apt/sources.list? And how easy is it to downgrade to the stable version if something goes wrong or a patch is released from Debian? Thanks for all the help and regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.e

Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
On Fri, Apr 25, 2003 at 12:13:38PM +0200, Marcel Weber wrote: > David Ramsden wrote: > [snip] > > Following the advice from heise.de [1] it should be enough to comment > out the line: > > preprocessor stream4_reassemble > > in your /etc/snort/snort.conf > >

Re: Snort exploit in wild.

2003-04-25 Thread David Ramsden
- Forwarded message from Marcel Weber <[EMAIL PROTECTED]> - From: Marcel Weber <[EMAIL PROTECTED]> To: David Ramsden <[EMAIL PROTECTED]> Cc: debian-security@lists.debian.org Subject: Re: Snort exploit in wild. X-Virus-Scanned: by AMaViS and OpenAntivirus ScannerDaemon

Re: Have I been hacked?

2003-05-07 Thread David Ramsden
't remember exactly) it normally gets rotated. If you "cd /var/log" and then "ls -l |grep wtmp" you'll probably see wtmp.X - Where X is a number, like 1 where the file has been rotated. HTH, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> :

NIS (mis)configuration and MySQL alternative.

2003-05-23 Thread David Ramsden
and one that uses MySQL and nsswitch came up. It's also possible to use encryption (SSL/SSH IIRC) for the connection. Has anyone tried this? Feedback most welcome :) Thanks and regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.e

Re: Advice Needed On Recent Rootings

2003-05-25 Thread David Ramsden
(note to self: look at running Apache in chroot jail :-p). So maybe they gained access to a system via something like the above, then found out a common username/password (root, for example) and is able to login to the other machines via SSH - No need to exploit. Some things to think about possibly

Re: recommendations for FTP server

2003-06-20 Thread David Ramsden
they'll need though, like ls, pwd etc. etc. in their home directory as they are running in a chroot (if you take that option - It is possible without the chroot). HTH, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://portal.hexstream.eu.org/ `. `

Re: execute permissions in /tmp

2003-07-14 Thread David Ramsden
d other permissions. Although I believe there is tmpfs for this? > It may seem like putting a pebble in front of a tank, but the only > defense we have is a many-layered security policy. Security by obscurity isn't it? At least you'd have the little bit of extra padding th

Re: tty's messages

2003-12-22 Thread David Ramsden
/klogd and add "-c 4" (for example) to KLOGD="" so it reads: KLOGD="-c 4" Then "/etc/init.d/klogd restart" - Adjust the 4 (which refers to the loglevel, such as warn, crit etc.) to your needs. HTH, David. -- .''`. David Ramsden <[EMAI

Re: ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
than once, due to making itself suid(0)). I'm using Debian 3.0 (Stable) with kernel 2.2.19 (standard Debian install). The additional printk() I added, to help "spot potential abusers" did log to /var/log/messages as: [date/time] host: kernel: ptrace(): uid=0, comm= But

Re: [d-security] ptrace bug: ipsec exploit makes itself suid(0)

2003-03-21 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, March 21, 2003 3:20 PM Subject: Re: [d-security] Re: ptrace bug: ipsec exploit makes itself suid(0) [s

Re: determining which patches to apply...

2003-03-21 Thread David Ramsden
-get update apt-get --simulate --assume-yes upgrade apt-get autoclean Every day, this will simulate an upgrade of your packages with the latest. You can see what will be installed, what will be upgraded, if it'll work etc. etc. HTH. Regards, David. -- David Ramsden http://portal.hexstream.eu.org/

Re: Port 635

2003-03-31 Thread David Ramsden
Sun, so I'd imagine it'd use this dietlibc? Maybe it's related to that, maybe it's not. According to sans.org [1] RPC services are the number 1 exploitable part to UNIX systems so it may just be one of those standard 'scans' you get now and then. [1] http://www.sa

Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
st apply the kernel patch and "make oldconfig" without having to re-do the config again. Downloading the source from kernel.org and trying to use the config in /boot has 'new features' and things. (I'm not too confident at compiling the kernel and the default Debian one is fine!). Regards, David. -- David Ramsden http://portal.hexstream.eu.org/

Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnerability in 2.2 and 2.4 kernels]

2003-04-01 Thread David Ramsden
- Original Message - From: "Christian Hammers" <[EMAIL PROTECTED]> To: "David Ramsden" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, April 01, 2003 4:48 PM Subject: Re: [d-security] Re: [d-security] Re: [Fwd: Re: LWN: Ptrace vulnera

Re: telnetd vulnerability from BUGTRAQ

2004-09-27 Thread David Ramsden
any complaints or problems. I also use scponly with scpjailer [1] which creates a nice chroot environment based on BusyBox. [1] http://tjw.org/scpjailer/ David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://david.hexstream.eu.org/ `. `'` PGP key

Re: Providing secure file access on a colo-server

2004-10-08 Thread David Ramsden
it. > [snip] http://filezilla.sf.net/ is a great SFTP client. Check it out. Regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://david.hexstream.eu.org/ `. `'` PGP key ID: 507B379B on wwwkeys.pgp.net `- Debian - when you have better thing

Re: Kernel Vulnerabilities

2004-11-13 Thread David Ramsden
one is at: http://www.k-otik.com/exploits/2004.elfdump.c.php There is a reference in the changelog for 2.4.28-rc3: "binfmt_elf: handle partial reads gracefully" I'm not sure if that's the one or not? HTH. David. -- .''`. David Ramsden <[EMAIL PROTECTED]> :

"root login denied". But by what?

2005-06-17 Thread David Ramsden
he latest release of stable. Does anyone know what generated the above log entries? And why is there "no ip"? Regards, David. -- .''`. David Ramsden <[EMAIL PROTECTED]> : :' :http://david.hexstream.co.uk/ `. `'` PGP key ID: 507B379B on wwwkeys.pg

Re: "root login denied". But by what?

2005-06-17 Thread David Ramsden
On Fri, Jun 17, 2005 at 10:47:49PM +0200, Marcin Owsiany wrote: > On Fri, Jun 17, 2005 at 07:33:02PM +0100, David Ramsden wrote: > > Does anyone know what generated the above log entries? > > try: > > find /usr/sbin /sbin /usr/local/sbin \ > /usr/bin /usr/local/bin