Displaying 20 results from an estimated 400 matches similar to: "Kernel-loadable Root Kits"
2004 Jun 12
2
Hacked or not appendice
Hi all again,
I must add, there are no log entries after June 9, 2004. "LKM" message first
appeared June 8, 2004, after this day, there is nothing in /var/messages,
/var/security .....
How could I look for suspicious LKM module ? How could I find it, if the
machine is hacked and I can not believe "ls", "find" etc. commands ?
Peter Rosa
2008 Sep 30
1
DTrace MFC broke kldstat(2) on RELENG_7
Hi,
I recently noticed that kldstat(8) started to dump core for me on
RELENG_7. I traced the problem down to kldstat(2). r182231 (DTrace
MFC) introduced a new version of kld_file_stat struct and added some
code to support the old version of the structure in kldstat(). In the
new code the old structure is known as kld_file_stat_1. Unfortunately
there's a bug in this code: kldstat() copies
2003 Jun 07
1
Impossible to IPfilter this?
Hi!
I'm trying to increase security on my FreeBSD 4.8 firewall/DSL router/VPN
router.
My problem is with firewalling the VPN part. I'm using a tunnel to a
RedHat 7.1 box running FreeS/WAN. This tunnel allows traffic from my
internal net (172.17.0.0/24) to that box only:
spdadd 172.17.0.0/24 $REDHAT/32 any -P out ipsec esp/tunnel/$MYADDR-$REDHAT/unique;
spdadd $REDHAT/32 172.17.0.0/24
1996 Nov 18
1
Chattr +i and securelevel
has anyone played with the securelevel variable in the kernel and the
immutable flags in the ext2 file system?
The only way I have found to change the flag is by
patching sched.c from
int securelevel=0
to int securelevel=1
The sysctrl code seems to allow the setting of the flag
only by init (PID=1) and only upwards (0->1, etc).
The problem is that I haven't found a way to get
init
2004 Feb 11
5
Question about securelevel
I've read about securelevel in the mailing list archive, and found some
pitfalls (and seems to me to be discarded soon).
But According to me, the following configuration should offer a good
security:
- mount root fs read only at boot;
- set securelevel to 3;
- do not permit to unmount/remount roots fs read-write (now it is possible
by means of "mount -uw /");
- the only way to make
1998 May 23
7
Re: Re: Re: Bind Overrun Bug and Linux (fwd)
> > systems which no longer seem to have this. This file contained an archive of
> > the trojan's that were inserted into the compromised system - does anybody know
> > what is in these trojans?
>
> Check the Linux RootKit ... (LRK)..
>
> Typically LRK to use config-files.. (and typically LRK-users to place
> files in /dev.. find /dev -type f | grep -v
2004 May 28
2
X & securelevel=3
running (4-Stable)
Hi,
short form question:
how does one run XDM under securelevel>0 ?
long version:
i've searched for an answer on how to run Xfree/Xorg at a securelevel
the X server likes access to /dev/io and some other resources but is not
granted access after security is switched on.
one way of doing it seems to be to start it before setting the securelevel, but
then it doesn't
2011 Feb 15
2
[Bug 535583] Excessive logging by apcsmart program
2011/2/15 Lupe Christoph
> On Monday, 2011-02-14 at 21:54:20 -0000, Arnaud Quette wrote:
> > I definitely need more info!
> > please reply to ALL:
>
> > - what is the exact model and date of manufacturing?
>
> SmartUPS 300I NET. I have the serial number (GS9809283199) but no date.
>
it seems to be a recent model.
> - are you sure this unit is ok?
>
>
2006 Mar 01
3
Remote Installworld
I'm currently administering a machine about 1500mi from me with nobody
local to the machine to assist me. Anyways, my only access to this
machine is via SSH, no remote serial console or anything.
When I try to do a "make installworld" I end up with
install: rename: /lib/INS@aTxk to /lib/libcrypt.so.3: Operation not
permitted
very shortly thereafter. I cannot boot
2009 Jun 01
0
A couple of small, paid userland hacker projects.
Hey there,
I'm looking for someone to implement each of the following:
(1) Make pkg_add(1) not use system(3) to execute external programs to
do things that it can implement internally (i.e. calling out to tar(1)
is fine, calling out to mkdir(1) is not.) Alternately, rewrite
pkg_add as a sh(1) shell script, with perhaps a minimal utility
written in C (pkg_admin?) to muck with /var/db/pkg.
2003 Aug 07
1
IPSec delays
I've been using IPSec and racoon a lot lately creating tunnels between FreeBSD machines. Everything works as it should once I've got it running. I do however seem to get delays when one, or both ends of the tunnel drop or are rebooted. On reboot, once the machine starts racoon, it takes two or three minutes for the tunnel to come back up. If I stop and restart racoon, it takes only 60
2012 Apr 16
1
kldload uhci lockup
I observed that following could cause
machine lockup since at least 8-CURRENT.
Now I'm on 9-STABLE
No usb in kernel, attached mouse pointer.
# kldload usb ums ehci
# kldload uhci
or
# kldload uhci usb ums ehci
uhci is required for working mouse.
Can anyone confirm? Please
test few different iterations, as
it's probably not easily reproducible.
Most times nothing happens, if
2004 Feb 28
3
Darkstat
Hi all,
please, tell me about security of Darkstat. Is it good idea to install it on
firewall/gateway ?
I'd like to measure our company traffic, but I do not have Apache running on
the gateway. How could I redirect Darkstat's output to web-server inside
company ?
Or is there some other tool, which can measure in/out traffic and send
output to another machine ? I know MRTG, but it uses
2010 Sep 06
2
MSIX failure
Hi all, I moved from 8.0-RELEASE to last week's -STABLE:
$ uname -v
FreeBSD 8.1-STABLE #0: Thu Sep 2 16:38:02 SAST 2010 root@XXXXX:/usr/obj/usr/src/sys/GENERIC
and all seems well except my network card is unusable. On boot up:
em0: <Intel(R) PRO/1000 Network Connection 7.0.5> port 0x3040-0x305f mem 0xe3200000-0xe321ffff,0xe3220000-0xe3220fff irq 10 at device 25.0 on pci0
em0: Setup
1998 Mar 12
2
FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-98:02 Security Advisory
FreeBSD, Inc.
Topic: security compromise via mmap
Category: core
Module: kernel
Announced: 1998-03-12
Affects:
2000 Dec 18
0
FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-00:77 Security Advisory
FreeBSD, Inc.
Topic: Several vulnerabilities in procfs
Category: core
Module: procfs
Announced: 2000-12-18
2004 Mar 01
2
General Security Issues
Greetings list,
As a newbie to security I would like to ask any recommendation that the list
might have.
We are about to "install" a new box with 4.9 stable to the nice and innocent
internet world. :-P
The box has no services running except apache and we telnet to it via SSH.
Main function of this box will be graphing various interfaces via rrdtool.
So, I would like to ask if there is
2003 May 24
1
ipfirewall(4)) cannot be changed
root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5
3 Network secure mode - same as highly secure mode, plus IP packet
filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
dummynet(4) configuration cannot be adjusted.
root@vigilante /root cuaa1# sysctl -a |grep secure
kern.securelevel: 3
root@vigilante /root cuaa1# ipfw show
00100 0 0 allow
2005 Apr 21
1
Fwd: (KAME-snap 9012) racoon in the kame project
FYI, looks like support for Racoon is ending. Does anyone have any
experience with the version in ipsec-tools ?
---Mike
>Racoon users,
>
>This is the announcement that the kame project will quit providing
>a key management daemon, the racoon, and that "ipsec-tools" will become
>the formal team to release the racoon.
>The final release of the racoon in the