similar to: Re: Re: Re: Bind Overrun Bug and Linux (fwd)

[mod: Just to show you that people DO get bitten after a bugwarning has gone out on linux-security..... -- REW] -----BEGIN PGP SIGNED MESSAGE----- Content-Type: text/plain; charset=us-ascii Has anyone been hit with the Bind Inverse Query Buffer Overrun on their Linux servers? We have had 3 servers attacked using this expoit and all of the machines had several binaries replaced with trojan

I rebuilt rkhunter-1.2.8-1.noarch.rpm by using the spec and tgz from the rkhunter site (www.rootkit.nl). (I rebuilt it using his instructions.) However rkhunter does not do an md5 check. The box used to have fedora and each time there were updates it would complain that the some of the md5's don't match. I contacted the author using his contact feature on Wednesday but he hasn't

I am not sure if I had a compromise but I am not sure I wanted some other input. I noticed in this in my daily security run output: pc1 setuid diffs: 19c19 < 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver --- > 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver It was the only file listed and I didn't

has anyone played with the securelevel variable in the kernel and the immutable flags in the ext2 file system? The only way I have found to change the flag is by patching sched.c from int securelevel=0 to int securelevel=1 The sysctrl code seems to allow the setting of the flag only by init (PID=1) and only upwards (0->1, etc). The problem is that I haven''t found a way to get init

I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But According to me, the following configuration should offer a good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount roots fs read-write (now it is possible by means of "mount -uw /"); - the only way to make

This patch adds the ability to kinit to allow the dropping of POSIX capabilities. kinit is modified by this change, such that it understands the new kernel command line "drop_capabilities=" that specifies a comma separated list of capability names that should be dropped before switching over to the next init in the boot strap (typically on the root disk). When processing capabilities

running (4-Stable) Hi, short form question: how does one run XDM under securelevel>0 ? long version: i've searched for an answer on how to run Xfree/Xorg at a securelevel the X server likes access to /dev/io and some other resources but is not granted access after security is switched on. one way of doing it seems to be to start it before setting the securelevel, but then is doesnt

I'm currently administering a machine about 1500mi from me with nobody local to the machine to assist me. Anyways, my only access to this machine is via SSH, no remote serial console or anything. When I try to do a "make installworld" I end up with install: rename: /lib/INS@aTxk to /lib/libcrypt.so.3: Operation not permitted very shortly thereafter. I cannot boot

I was wondering if anyone here has or knows how to implement ttysnoop w/ssh ?

Hi all, I moved from 8.0-RELEASE to last week's -STABLE: $ uname -v FreeBSD 8.1-STABLE #0: Thu Sep 2 16:38:02 SAST 2010 root@XXXXX:/usr/obj/usr/src/sys/GENERIC and all seems well except my network card is unusable. On boot up: em0: <Intel(R) PRO/1000 Network Connection 7.0.5> port 0x3040-0x305f mem 0xe3200000-0xe321ffff,0xe3220000-0xe3220fff irq 10 at device 25.0 on pci0 em0: Setup

-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-98:02 Security Advisory FreeBSD, Inc. Topic: security compromise via mmap Category: core Module: kernel Announced: 1998-03-12 Affects:

Thanks for the module, I think its a good idea to commit it to FreeBSD for a few reasons: 1) Some folks just prefer more static kernels. 2) Securelevel is a great thing, but can be a pain to do upgrades around remotely. [A lot of folks use FreeBSD simply because its a breeze to run remotely]. 3) Until someone writes code to add modules to a kernel via /dev/mem and releases it to the script

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by

There is a recent article in the German magazine C''t that may be of interest to those on this list. It describes a cracker program, Juggernaut, which can hijack telnet sessions. The program is written specifically to run under Linux. An english translation of the article is available at: http://www.ix.de/ct/english/9710142/ It also mentions that they are working on a version of the

root@vigilante /root cuaa1# man init |tail -n 130 |head -n 5 3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted. root@vigilante /root cuaa1# sysctl -a |grep secure kern.securelevel: 3 root@vigilante /root cuaa1# ipfw show 00100 0 0 allow

Hi all again, I must add, there are no log entries after June 9, 2004. "LKM" message first apeared June 8, 2004, after this day, there is nothing in /var/messages, /var/security ..... How could I look for suspicious LKM module ? How could I find it, if the machine is hacked and I can not believe "ls", "find" etc. commands ? Peter Rosa

So pretty sure one of my boxes has been owned. Just wanted some advise on what to do next. Obviously, i'll need to nuke the fecker and start over but it would be really nice to find out how they got in as its a CentOS 4.3 which is bang up to date. So i found: PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND 7052 apache 25 0 27320 5348 8 R 99.0 0.5

Following Situation: Having an intranet-application that needs to know the ip-Address of the clients before running. Clients anywere in the Internet with any ip-address. So I thought about using masquerading the opposite way than normal. But then anybody could use this application. Dos anybody know how to make it a little bit more secure, like proofing the mac-address of the client, or something

Hi, I'm running 4.8-STABLE but I'm having some problems installing a new kernel. (in /usr/src make installkernel). mv /kernel /kernel.old operation not permitted My securelevel is currently set to -1 (kern_securelevel=-1) and kern_securelevel_enable="NO" I have already executed chflags noschg /kernel and /kernel.old (while in single user mode). What am I missing? Thanks.

On 03/25/09 12:30, James Carlson wrote: > Girish Moodalbail writes: > >> bash-3.2# dladm show-link >> LINK CLASS MTU STATE PROMISC OVER >> e1000g0 phys 1501 up off -- >> e1000g1 phys 1502 up on -- >> > > That (plus or minus some column alignment) seems