similar to: Re: Chrooting bind 8.1.2 under debian 2.0

I just had a remote root break-in on my machine (x86 running Red Hat Linux 5.0 with all the updates except for kernel-2.0.32-3) this morning at 06:03:28 EDT. From what I''ve been able to gather, it appears to have been through snmpd, which I missed when I was weeding out unused daemons. Sorry for the feeble message, but all I know (or at least strongly suspect) is that there''s a

> > systems which no longer seem to have this. This file contained an archive of > > the trojan''s that were inserted into the compromised system - does anybody know > > what is in these trojans? > > Check the Linux RootKit ... (LRK).. > > Typically LRK to use config-files.. (and typically LRK-users to place > files in /dev.. find /dev -type f | grep -v

While logging in via ssh (versions 1.2.17 and 1.2.12) under Linux 2.0, I found that limits weren''t being set (as shown by the output of "limit" (tcsh) or "ulimit -a" (bash). Since /etc/profile, /etc/csh.cshrc, and /etc/limits were ignored, I made /etc/sshrc and put "ulimit" statements in it. However, I was unable to limit the number of processes this way,

RH4.2 Linux Intel Last night I got three of these log messages: Two in a row, one a bit later. May 8 00:35:15 osg-gw imapd[4307]: warning: can''t get client address: Connectio n reset by peer May 8 00:35:15 osg-gw imapd[4307]: refused connect from unknown Now, I have imapd blocked to non-local users using tcpd wrappers, so tcpd is trying to find the address of the remote machine (all

Someone I was speaking with this evening claimed they have installed the latest named rpms yet they are still getting exploited daily and being hacked. Do the latest rpm''s for the named 4.9.x stuff fix all the root exploits or is this person just an idiot who probably has holes elsewhere in the system?

> > The main problem seems to be with the way that debian starts bind > > using > > the script /etc/init.d/bind. I thought it would be really neat to > > just > > change the #!/bin/sh at the top of the script to something like : > > #!/usr/sbin/chroot /chroot-dns/ /bin/sh > > or > > #!/usr/sbin/chroot /chroot-dns/

Greetings all, I''m forwarding a copy of an email I sent reporting attempted break-ins on my main server, earth.terran.org. I am forwarding this because I think it is relevant that folks watch for this kind of activity in their logs to catch people who "try doorknobs" in the middle of the night. After sending this email, I sent a talk request to the user, who was still logged

---------- Forwarded message ---------- Date: Tue, 30 Jun 1998 15:10:47 +0800 From: David Luyer <luyer@UCS.UWA.EDU.AU> To: BUGTRAQ@NETSPACE.ORG Subject: Serious Linux 2.0.34 security problem I just saw this mentioned on linux-kernel and confirmed it; #include <fcntl.h> #include <errno.h> #include <stdio.h> #include <stdlib.h> #include <unistd.h> int main(int

I''ve been poking around my system, and realized that having a tftp server would be handy. (I''m working with cisco routers, which have the capability to up and download configuration images via tftp.) However, I''m not content with the usual tftpd that comes with Linux. The whole "specify each directory you want" scheme is cock-eyed to me. I''d prefer

-----BEGIN PGP SIGNED MESSAGE----- Hi everyone - Someone I''m working with has a requirement to map ethernet card addresses to unique IP addresses, and then have a Linux IP masquerade server know of this mapping list and not allow any data to pass from any ethernet card that a) it doesn''t know about, or b) isn''t assigned the right IP. Ideally it would also log this

[mod: This discussion has been going on "offline" with an occasional CC to linux-security. By the time I got around to do another "moderation round" this one was the latest. Everyone is keeping good context, so I think you all will be able to follow the discussion. --REW] >>>>> <seifried@seifried.org> writes: >> The only thing I can see coming out

I picked up the following from Bugtraq. -----Forwarded message from David Phillips <phillips@PCISYS.NET>----- MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-ID: <01BC5D8D.679DD4A0@frank56.pcisys.net> Date: Sat, 10 May 1997 21:56:05 -0600 Reply-To: David Phillips <phillips@PCISYS.NET> Sender: Bugtraq List

Are there any known vulnerabilities in portmap (redhat''s portmap-4.0-7b)? I''ve been receiving a lot of attempts to access the portmap port on some linuxppc machines I administer by various machines which clearly have no business with mine, and I wonder if this is an attempt to break in to my machines. I''ve searched some archives, but I haven''t yet found any

I'm getting a "bad address" error which is causing my rsync process to bomb out. I'm running RsyncX 2.1, in daemon mode on the source machine, with a script to pull the information to the backup server. Both servers are Xserves running OS X Server 10.2.8. Rsync target is on an Xserve RAID. The RAID has 350GB free, so I'm not running into a disk full situation. My command

Not sure if this is the right place to come to, but I don't have "RHN" support.....I'm hoping someone can help me out here. I have downloaded the RHEL .ios file and burned it to DVD/CD, my laptop is primed to Boot From CD/ROM Drive, I start the installation using the semi-graphical interface, and the first few options are a breeze, then it gets to identifying the CD drive

This series of patches makes Xen pass a (somewhat) valid device tree to dom0. The device tree for dom0 is the same as the one supplied to Xen except the memory and chosen nodes are adjusted appropriately. We don''t yet make use of the device tree to map MMIO regions or setup interrupts for the guest and we still include the UART used for Xen''s console. Note that loading Linux

Biggest change is to switch the new DTB node to /xen-core-devices instead of /xen at Stefano''s request. I also dropped the few patches title HACK etc which weren''t supposed to be there and fixed up some bits and pieces which folks commented on. George, WRT the freeze I think this is functionality which we cannot ship Xen 4.4 without. The impact is entirely constrained to the

I''ve addressed all (I think/hope) of the review comments. The main change is to expose the guest virtual platform (e.g. memory layout and interrupt usage etc) to the toolstack via the public interface. This is then used during FDT generation. I have just codified the current defacto standard layout, it''s probably not the best layout but any change can be a separate patch/series.

I am trying to extract and combine the various pieces of information found in [1] and its sub-pages and the Xen in-tree documentation in order to make xen boot (potentially non-smp without some later changes). But since I am not familiar enough with Arm I think I am stuck doing something wrong. I compiled the hypervisor with debug and early printk for midway and use the xen.bin file (I could get

-----BEGIN PGP SIGNED MESSAGE----- > Date: Fri, 2 May 1997 12:33:00 -0500 > From: "Thomas H. Ptacek" <tqbf@ENTERACT.COM> > On almost all Unix operating systems, having superuser access in a > chroot() jail is still dangerous. In some recent revisions of 4.4BSD > operating systems, root can trivially escape chroot(), as well. I was thinking about possible attacks