On Thu, 31 Dec 2009, Jeremy Chadwick wrote:
> On Thu, Dec 31, 2009 at 04:16:07AM +1100, Ian Smith wrote:
> > On Tue, 29 Dec 2009, David Wolfskill wrote:
> > > On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> > > > ...
> > > > I've written my own script to do all of this.
On Thu, Dec 31, 2009 at 04:16:07AM +1100, Ian Smith wrote:
> On Tue, 29 Dec 2009, David Wolfskill wrote:
> > On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> > > ...
> > > I've written my own script to do all of this. It parses periodic
> > > security mails (on a daily basis)
On Tue, 29 Dec 2009, David Wolfskill wrote:
> On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> > ...
> > I've written my own script to do all of this. It parses periodic
> > security mails (on a daily basis), and does WHOIS lookups + parses the
> > results to tell me what ne
On Tue, Dec 29, 2009 at 08:10:42AM -0800, Brian W. wrote:
> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
> >mpt to pass a Turing test or something.
> >
> >On all systems which need to be accessible from the public Internet:
> >Run sshd on port 22 and port 8022. Block incoming traffic on port
>
On Tue, Dec 29, 2009 at 08:46:57PM +0100, Oliver Fromme wrote:
> Brian W. wrote:
[...]
> That's probably because OpenBSD doesn't have mac_portacl(4). ;-)
[...]
Arf, but pf allows regulating traffic according to the user that owns
the socket, e.g., pass from any to any port www user www :p
--
Ste
On Tue, Dec 29, 2009 at 02:30:11PM -0500, Lowell Gilbert wrote:
> > On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
> >> The point is, if your machine is on the internet, then bots are
> >> going to try password attacks on any open port they can find. It's
> >> just the sad fac
Brian W. wrote:
> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
> > On all systems which need to be accessible from the public Internet:
> > Run sshd on port 22 and port 8022. Block incoming traffic on port
> > 22 on your firewall.
> >
> > Everybody coming from the outside world needs to kn
Edwin Groothuis writes:
> On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
>> The point is, if your machine is on the internet, then bots are
>> going to try password attacks on any open port they can find. It's
>> just the sad fact of life on the current internet. Unfortunat
Tuesday, December 29, 2009, 6:20:37 AM, you wrote:
> On Mon, Dec 28, 2009 at 05:50:23PM -0600, Adam Vande More wrote:
>> On Mon, Dec 28, 2009 at 4:59 PM, Chris H wrote:
>>
>> >
>> > My point here was that by increasing the verbosity, you will more easily be
>> > able
>> > to grep against login
On Tue, Dec 29, 2009 at 03:20:37AM -0800, Jeremy Chadwick wrote:
> ...
> I've written my own script to do all of this. It parses periodic
> security mails (on a daily basis), and does WHOIS lookups + parses the
> results to tell me what netblocks/CIDRs I should consider blocking. For
> example, f
On Dec 29, 2009, at 10:10 , Brian W. wrote:
> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
>> mpt to pass a Turing test or something.
>> On all systems which need to be accessible from the public Internet:
>> Run sshd on port 22 and port 8022. Block incoming traffic on port
>> 22 on your firewa
On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
mpt to pass a Turing test or something.
On all systems which need to be accessible from the public Internet:
Run sshd on port 22 and port 8022. Block incoming traffic on port
22 on your firewall.
Everybody coming from the outside world needs to
Adam Vande More wrote:
> I use security/denyhosts for this, very simple to setup like 5 minutes if
> you're a fast reader. There are other options as well that offer similar
> functionality.
Like security/bruteblock
--
Tuomo
... The way to a man's heart is through the left ventricle
On Tue, 29 Dec 2009 12:45:36 +0100, Edwin Groothuis
wrote:
On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
The point is, if your machine is on the internet, then bots are
going to try password attacks on any open port they can find. It's
just the sad fact of life on the
On Mon, Dec 28, 2009 at 10:44:41AM -0500, Andresen, Jason R. wrote:
> The point is, if your machine is on the internet, then bots are
> going to try password attacks on any open port they can find. It's
> just the sad fact of life on the current internet. Unfortunately,
> this activity will also
On Mon, Dec 28, 2009 at 05:50:23PM -0600, Adam Vande More wrote:
> On Mon, Dec 28, 2009 at 4:59 PM, Chris H wrote:
>
> >
> > My point here was that by increasing the verbosity, you will more easily be
> > able
> > to grep against login /failures/, and more easily discover dictionary/
> > brute-fo
# pfctl -sr | grep ssh_brutes
block drop quick from <ssh_brutes> to any
pass quick on em1 inet proto tcp from any to xxx.xxx.xxx.0/23 port = ssh
flags S/SA keep state (source-track rule, max-src-conn 20,
max-src-conn-rate 3/12, overload <ssh_brutes> flush global, src.track 12)
pass quick on em0 inet proto tcp from any
On Mon, Dec 28, 2009 at 4:59 PM, Chris H wrote:
>
> My point here was that by increasing the verbosity, you will more easily be
> able
> to grep against login /failures/, and more easily discover dictionary/
> brute-force
> attacks. It's certainly made my job easier, and hasn't required any
> mod
On Mon, December 28, 2009 7:44 am, Andresen, Jason R. wrote:
>> From: Chris H
>>
>>
>> On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>>
>>> Squirrel wrote:
>>>
>>>
most likely could be some kind of remote code execution or SQLi
>> executed in
the context of some php scripts
>From: Chris H
>
>On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
>> Squirrel wrote:
>>
>>> most likely could be some kind of remote code execution or SQLi
>executed in
>>> the context of some php scripts, you should audit php code of your
>web
>>> interface and of the websites you hos
Chris H wrote:
On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
Squirrel wrote:
most likely could be some kind of remote code execution or SQLi executed in
the context of some php scripts, you should audit php code of your web
interface and of the websites you host. also consider t
On Tue, December 22, 2009 8:35 am, Andresen, Jason R. wrote:
> Squirrel wrote:
>
>> most likely could be some kind of remote code execution or SQLi executed in
>> the context of some php scripts, you should audit php code of your web
>> interface and of the websites you host. also consider the stre
praeparet bellum!!!
Epitoma Rei Militaris
-Original Message-
From: owner-freebsd-sta...@freebsd.org
[mailto:owner-freebsd-sta...@freebsd.org] On Behalf Of Andresen, Jason R.
Sent: Tuesday, December 22, 2009 8:36 AM
To: FreeBSD-STABLE Mailing List
Subject: RE: Hacked - FreeBSD 7
Squirrel wrote:
>most likely could be some kind of remote code execution or SQLi executed
>in the context of some php scripts, you should audit php code of your
>web interface and of the websites you host.
>also consider the strength of your passwords, lots of login attempts to
>ssh/ftp may mean a
> > Thanks for info.
> >
> >
> > -Original message-
> > From: Matthew Seaman m.sea...@infracaninophile.co.uk
> > Date: Thu, 10 Dec 2009 02:24:34 -0600
> > To: squir...@isot.com
> > Subject: Re: Hacked - FreeBSD 7.1-Release
> >
> &
Don't forget to check vulnerable php codes for SQL injection, LFI/RFI,
problematic file uploads etc.
Ganbold
> Thanks for info.
>
>
> -Original message-
> From: Matthew Seaman m.sea...@infracaninophile.co.uk
> Date: Thu, 10 Dec 2009 02:24:34 -0600
> To: sq
-
From: Matthew Seaman m.sea...@infracaninophile.co.uk
Date: Thu, 10 Dec 2009 02:24:34 -0600
To: squir...@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release
> Squirrel wrote:
> > I've just finished the rtld patch. Now in process of regenerating
> > all the keys and certs. Nex
As long as you have to re-install everything from scratch, you can
consider installing 8.0 and having your services jailed. The new jail is
announced to be much improved.
Markiyan.
Paul Procacci wrote:
>> But far as rtld vulnerability, doesn't it require at least a local
user account?
No, i
>> But far as rtld vulnerability, doesn't it require at least a local
user account?
No, it requires a script and a kiddie. ;) You'd expect your
"index.php" (or similar) files would require a ftp/ssh/telnet
connection, but useful "kids" have useful resources 'n which these
things are not always
On Wed, Dec 09, 2009 at 06:40:17PM -0600, Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage
> except changing index.php of couple of my websites. The index.php had the
> following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Ne
Squirrel wrote:
My server was hacked, and the hacker was nice enough to not cause
damage except changing index.php of couple of my websites. The
index.php had the following info:
"Hacked By Top First Warning That's Bug From Your Servers Next Time
You Must Be Careful And Fixed Your Site Before C
Squirrel wrote:
I've just finished the rtld patch. Now in process of regenerating
all the keys and certs. Next will look into php. But far as rtld
vulnerability, doesn't it require at least a local user account?
Looking at all the authentication, there wasn't any authenticated
session during t
Taking your advice and checking all ports for problems.
Thanks.
-Original message-
From: Xin LI delp...@delphij.net
Date: Wed, 09 Dec 2009 20:18:13 -0600
To: squir...@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
the time frame. So I'm leaning
more towards php 5.2.9, and checking all my ports.
Thanks for info.
-Original message-
From: Chuck Swiger cswi...@mac.com
Date: Wed, 09 Dec 2009 20:12:08 -0600
To: squir...@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release
> On Dec 9, 200
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage
> except changing index.php of couple of my websites. The index.php had the
> following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
On Dec 9, 2009, at 4:40 PM, Squirrel wrote:
> My server was hacked, and the hacker was nice enough to not cause damage
> except changing index.php of couple of my websites. The index.php had the
> following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Mu
36 matches