similar to: Checking remote servers

Displaying 20 results from an estimated 7000 matches similar to: "Checking remote servers"

1997 Oct 08
5
Malicious Linux modules
As halflife demonstrated in Phrack 50 with his linspy project, it is trivial to patch any system call under Linux from within a module. This means that once your system has been compromised at the root level, it is possible for an intruder to hide completely _without_ modifying any binaries or leaving any visible backdoors behind. Because such tools are likely to be in use within the hacker
2009 Aug 19
5
How to tell if I've been hacked?
There is a lot of talk about the vulnerable Linux kernel. I'm simply wondering the telltale signs if a given system has been hacked? What, specifically, does a person look for? Thanks. Scott
1999 Jul 28
6
You got some 'splaininn to do Lucy ;-)
We just had a security application vendor come in. We asked about Linux support and he said that putting a security application on top of an insecure OS was useless. When I asked what he meant by insecure he replied that Linux does not have a true Auditing capability - as opposed to HP-UX & Solaris which they do support. Can anyone explain to me what he was talking about? Thanks, Marty
2004 May 21
12
Hacked or not ?
Hi, I have a 4.9-STABLE FreeBSD box apparently hacked! Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. Those are: chfn ... INFECTED chsh ... INFECTED date ... INFECTED ls ... INFECTED ps ... INFECTED But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED. I know by the FreeBSD-Security archives that
1997 Oct 17
1
Zip drive as a read-only medium
Does anyone have any experience using a zip drive as a read-only medium for storing things like tripwire files, PGP signed keys and kernels? Is there a way to switch it to read/write mode without ejecting it? Scott Kaplan SF Legal Net 346 Fair Oaks Street San Francisco, CA 94110 Voice: (415) 643-8700 Fax: (415) 643-8777
1998 Jun 06
21
Named update for RH 4.2 exploitable?
Someone I was speaking with this evening claimed they have installed the latest named rpms yet they are still getting exploited daily and being hacked. Do the latest rpm's for the named 4.9.x stuff fix all the root exploits or is this person just an idiot who probably has holes elsewhere in the system?
1998 May 23
7
Re: Re: Re: Bind Overrun Bug and Linux (fwd)
> > systems which no longer seem to have this. This file contained an archive of > > the trojan's that were inserted into the compromised system - does anybody know > > what is in these trojans? > > Check the Linux RootKit ... (LRK).. > > Typically LRK to use config-files.. (and typically LRK-users to place > files in /dev.. find /dev -type f | grep -v
1999 Jan 05
2
Re: Tripwire mess
Actually I just looked at my RH 5.2 dist and it looks as if Tripwire 1.3 is shipped with it.
1997 May 11
4
[Linux UID/GID 'Feature']
I picked up the following from Bugtraq. -----Forwarded message from David Phillips <phillips@PCISYS.NET>----- MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Message-ID: <01BC5D8D.679DD4A0@frank56.pcisys.net> Date: Sat, 10 May 1997 21:56:05 -0600 Reply-To: David Phillips <phillips@PCISYS.NET> Sender: Bugtraq List
1998 Jul 14
2
Re: Chrooting bind 8.1.2 under debian 2.0
On Tue, 14 Jul 1998, cfb wrote: > The main problem seems to be with the way that debian starts bind using > the script /etc/init.d/bind. I thought it would be really neat to just > change the #!/bin/sh at the top of the script to something like : > #!/usr/sbin/chroot /chroot-dns/ /bin/sh > or > #!/usr/sbin/chroot /chroot-dns/ /chroot-dns/bin/sh try changing
2003 Jul 26
5
suid bit files + securing FreeBSD
Hello everybody, I'm a newbie in this list, so I don't know if it's the appropriate place for my question. Anyway, I'd be happy to find out the solution. Please, has anyone simple answer for: I'm looking for an exact list of files, which: 1. MUST have... 2. HAVE FROM BSD INSTALLATION... 3. DO NOT NEED... 4. NEVER MAY... ...the suid-bit set. Of course, it's no problem to
2008 Jan 13
3
Anti-Rootkit app
Hi all, I need to install an anti-rootkit in a lot of servers. I know that there're several options: tripwire, aide, chkrootkit... What do you prefer? Obviously, I have to define my needs: - easy setup and configuration - actively developed -- Thanks, Jordi Espasa Clofent
2005 Feb 14
3
Hackers on my Web server
I have discovered that a gamer has hacked into my web server through a backdoor left open by my predecessor. I have closed the door, but when I try to delete the folders left behind I receive "Access Denied", or when I try to take ownership I receive "Unable to Find File...". I have removed most of the files to obtain enough space to continue operations but would like to remove
2001 Jun 02
3
Recent breakins / SSHD root hole?
The trojaned ssh client is nothing new to the hacker community, and the statement in the previous thread claiming "This type of man-in-the-middle attack (trojaned ssh) is not theoretical anymore, and password authentication is broken." is an example of how many people still think "hacking" is something very difficult and nothing short of a genius is required to make the
1997 Jan 31
10
Linux virus
ugh :) Today I became infected with the bliss virus, any info on this would be appreciated! How do I scan for files infected and is it possible to remove it? I first noticed the infection when running a program (not as root) messages flashed on the screen about transversing directories and such. The program (gimp) had been working fine since I downloaded the binary for gimp from their main
2005 Jun 23
5
INBAND DTMF G729 ASTERISK
Hi all. Why doesn't Asterisk support inband DTMF with G729? Is there a way to do that!? Are you using RFC2833? Isn't it a security hole? Thanks. Denis.
1998 May 19
7
Bind Overrun Bug and Linux
[mod: Just to show you that people DO get bitten after a bugwarning has gone out on linux-security..... -- REW] -----BEGIN PGP SIGNED MESSAGE----- Content-Type: text/plain; charset=us-ascii Has anyone been hit with the Bind Inverse Query Buffer Overrun on their Linux servers? We have had 3 servers attacked using this exploit and all of the machines had several binaries replaced with trojan
1998 Aug 25
1
Named Overflow Concern - SUMMARY (fwd)
George Brown sent this to my private Email address instead of to the list. Because I forwarded it, my address is in the header. Roger. ----- Forwarded message from root ----- >From root@bull.bullnet.co.uk Mon Aug 24 16:20:29 1998 Received: from dutepp0.et.tudelft.nl by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff) for <wolff@localhost> (single-drop); Mon Aug 24
1997 Sep 23
1
C't Article on Juggernaut
There is a recent article in the German magazine C't that may be of interest to those on this list. It describes a cracker program, Juggernaut, which can hijack telnet sessions. The program is written specifically to run under Linux. An English translation of the article is available at: http://www.ix.de/ct/english/9710142/ It also mentions that they are working on a version of the
2014 Nov 26
3
Two new CVEs against FLAC
On Nov 25, 2014, at 8:27 AM, Declan Kelly <flac-dev at groov.ie> wrote: > > On Tue, Nov 25, 2014 at 12:29:33AM -0800, mle+la at mega-nerd.com wrote: >> >> CVE-2014-9028 : Heap buffer write overflow >> CVE-2014-8962 : Heap buffer read overflow > > Is it known what other FLAC decoding software or firmware is vulnerable > to these overflows? > >