Mike Tangolics | 1 Feb 20:34 2004

Re: Security without obscurity


This may be a tad offtopic but I had to mention it.  There actually
already has been a case of people setting up faux ATMs.

http://www.globetechnology.com/servlet/story/RTGAM.20030812.gtatmm0812/BNStory/Technology/

Andrew Ross wrote:
| Stewart Honsberger wrote:
|
|> I don't send anything back to any unexpected port probes because I
|> don't want to.
|>
|> Sure, to some extent it is security through obscurity, but the old
|> adage isn't entirely correct. If not for security through obscurity
|> we'd all have our PIN numbers sharpie'd on our ATM cards.
|
|
| Actually, keeping my PIN secret isn't security through obscurity.
|
| The idea of security without obscurity focuses on keeping the number of
| secrets at an absolute minimum. Systems designed around security through
| obscurity tend to rely on the secrecy of certain procedures or
| algorithms - once these are discovered by third parties, the security of
| the system has been reduced.
|
| Moving back to the PIN/ATM example:
|
| Ideally, your PIN should be the ONLY secret involved - the encryption
| algorithms and communication protocols could all be public. In the real
| world, this isn't feasible (e.g. ATMs do not authenticate themselves to
(Continue reading)

Matthias F. Brandstetter | 3 Feb 02:06 2004

hacked via Apache/PHP/CGI/...?

Hi all security gurus,

recently I had a sec. issue with an Apache install. This box is hosting 
several virtual domains, one was hacked last night :(

I found this in my apache-error:

===<snip>========================================================
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.massdesign.hpg.ig.com.br/index/index2.htt [following]
--00:11:28--  http://www.massdesign.hpg.ig.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.ig.com.br... done.
Connecting to www.massdesign.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 871 [text/plain]

    0K                                                       100%  850.59 KB/s
(Continue reading)
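The error_log excerpt above is the stderr of commands run as the httpd user, which is the tell to look for: Apache's own lines start with a bracketed date and level, a shell's complaints and wget's progress output do not. Added example, not code from the post or from Apache: a small scanner that separates the two, counts the indicators and pulls out what the shell fetched and from where. The two bracketed Apache lines in the sample are constructed for contrast; the other sample lines are the ones quoted in the post.

```python
"""Flag shell and downloader noise in an Apache error_log.

Added example, not code from the original post or from Apache. When a
CGI/PHP exploit runs commands as the httpd user, their stderr lands in
error_log without the usual "[date] [level]" prefix; that is what we key on."""
import re
from collections import Counter

# Lines Apache itself writes start with a bracketed timestamp and level.
APACHE_LINE = re.compile(
    r"^\[[^\]]+\] \[(emerg|alert|crit|error|warn|notice|info|debug)\]")

# Everything else that looks like a shell or a downloader is suspicious.
INDICATORS = {
    "shell_error": re.compile(r"^sh: line \d+: "),
    "coreutils_error": re.compile(r"^(cat|rm|ls|mv|cp|chmod|id|uname|wget): "),
    "wget_fetch": re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)"),
    "wget_connect": re.compile(r"^Connecting to \S+\[(?P<ip>[\d.]+)\]:\d+"),
}


def scan(lines):
    """Return a report dict: 'hits' is [(indicator, line)], 'counts' is a
    Counter per indicator, 'urls' and 'ips' are what the shell reached for."""
    report = {"hits": [], "counts": Counter(), "urls": [], "ips": []}
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or APACHE_LINE.match(line):
            continue
        for name, pat in INDICATORS.items():
            m = pat.match(line)
            if m is None:
                continue
            report["hits"].append((name, line))
            report["counts"][name] += 1
            groups = m.groupdict()
            if groups.get("url"):
                report["urls"].append(groups["url"])
            if groups.get("ip"):
                report["ips"].append(groups["ip"])
            break  # count each line once
    return report


# Sample input: the quoted error_log excerpt, plus two constructed
# normal Apache lines (first and last) that must not be flagged.
SAMPLE_LOG = """\
[Mon Feb 02 00:10:59 2004] [notice] Apache configured -- resuming normal operations
sh: line 1: cd: conf: No such file or directory
sh: line 1: work.txt: Permission denied
cat: /tmp/cmdtemp: No such file or directory
rm: cannot remove `/tmp/cmdtemp': No such file or directory
--00:11:27--  http://www.massdesign.hpg.com.br/index/index2.htt
           => `index2.htt'
Resolving www.massdesign.hpg.com.br... done.
Connecting to www.massdesign.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 302 Found
[Mon Feb 02 00:12:00 2004] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico
"""

if __name__ == "__main__":
    r = scan(SAMPLE_LOG.splitlines())
    for name, line in r["hits"]:
        print(f"{name:16} {line}")
    print("fetched:", r["urls"], "from:", r["ips"])
```

Run it over the real file with `scan(open("/var/log/apache/error_log"))`; the URLs and IPs it returns are what to block and what to search the access_log for, to find the request that triggered the shell. No hits proves nothing: a payload that redirects its stderr leaves this log clean, which is why imaging the disk beats trusting the logs.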

Ned Ludd | 3 Feb 04:03 2004

Re: hacked via Apache/PHP/CGI/...?

On Mon, 2004-02-02 at 20:06, Matthias F. Brandstetter wrote:
> Hi all security gurus,
> 
> recently I had a sec. issue with an Apache install. This box is hosting 
> several virtual domains, one was hacked last night :(
[snip]

> 
> Until I can update the webserver, I need to know 3 things:
You really should not wait on getting this thing updated.
And in reality you should also halt this box now, and a dd backup
should be made for later examination.
If you need to poke around at all, it should all be done
while the disk is mounted read-only.

> 1.) how could this guy(s) get access to this machine,
(this guy could be a worm)

> 2.) how can one get shell access after exploiting Apache, and
It depends on the attack vector that was used.
Without knowing versions of anything here it's hard to answer this
question. See #3

> 3.) how to prevent similar attacks in the future?
For a second let's assume it was arbitrary code execution via the
stack or heap. If that's the case then you're going to want something
like PaX && || Grsec.
depending on your needs. http://pax.grsecurity.net &
http://grsecurity.net
Note: PaX is included with grsecurity
(Continue reading)

Tom Hosiawa | 3 Feb 00:47 2004

my security faqs?

The previous message about his apache machine being hacked brings up a
question I have. How does one tell they've been hacked from just looking
at the logs?

I know it depends on what service is running, but how do you know what
to look for? Do you routinely scan logs? Is there some program that
automatically scans logs for obvious things?

Which brings me to another question. I've been getting some returned
mails, that I know I didn't send, saying undeliverable mail to such and
such (mostly from aol, hotmail, etc). This one particular returned email
I got on my university account worries me a little more, because it got
returned from another university mail server, saying the possibility the
message contained a virus. How do I make sure this isn't coming from one
of my home computers?

It should be noted that my home network consists of my server (gentoo),
laptop (gentoo 99%, winxp the other time), and a desktop that runs
WinXP. My home network is behind a router, with only ssh port forwarded
to the server. I used to use djbdns, until a ping to my domain once
returned a 192 address, so I shut it down (will move to bind in the
future). I only check email on gentoo laptop, so I'm thinking it's more
likely than not that my email address is being spoofed.

Tom

--
gentoo-security <at> gentoo.org mailing list

(Continue reading)

Bill McCarty | 3 Feb 06:25 2004

Re: my security faqs?

Hi Tom and all,

--On Monday, February 02, 2004 11:47 PM +0000 Tom Hosiawa 
<tomek32 <at> rogers.com> wrote:

> The previous message about his apache machine being hacked brings up a
> question I have. How does one tell they've been hacked from just looking
> at the logs?

As a honeynet operator, I see many compromises. The two most common signs 
of compromise that I've found are:

* Outbound SYNs to odd ports or hosts
* Unexpected modification of sensitive files, especially programs

To detect these signs, I've written simple scripts that scan firewall logs 
for anomalies in near real time. I also use various host-based intrusion 
detection systems, such as Tripwire, Samhain, and AIDE. Monit, which 
monitors a variety of events, can be configured to work as a fairly 
effective host-based IDS that watches sensitive directories for changes.

I don't mean these comments as definitive. They're merely instances of 
measures that are simple to implement, but often effective.

> Which brings me to another question. I've been getting some returned
> mails, that I know I didn't send, saying undeliverable mail to such and
> such (mostly from aol, hotmail, etc). This one particular returned email
> I got on my university account worries me a little more, because it got
> returned from another university mail server, saying the possibility the
> message contained a virus. How do I make sure this isn't coming from one
(Continue reading)
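The first sign above, outbound SYNs to odd ports or hosts, is easy to check from an iptables LOG rule. Added example, not Bill's scripts and not code from Tripwire, Samhain, AIDE or Monit. It assumes the host logs new outbound TCP connections with `iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-NEW "` (so the kernel lines carry the usual key=value fields), that the server is only expected to talk to the ports in EXPECTED_DPORTS, and that one source reaching five distinct destinations is worth an alert. All sample log lines are constructed; 200.226.137.9 is the download host from the earlier thread.

```python
"""Find outbound-SYN anomalies in iptables LOG output.

Added example, not code from the post or from any HIDS it names.
Assumes a rule like
    iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-NEW "
Two signs are checked: a SYN to a port the box has no business using,
and one source fanning out to many distinct destinations (worm/scan)."""
from collections import defaultdict

EXPECTED_DPORTS = {25, 53, 80, 443, 123}   # assumption: SMTP, DNS, HTTP(S), NTP
FANOUT_THRESHOLD = 5                       # assumption: distinct dsts per source


def parse_iptables_log(line):
    """Split an iptables LOG line into a dict of KEY=VALUE fields; bare
    tokens (SYN, ACK, DF, the log prefix, the syslog timestamp) go into
    'flags'. Returns None for lines that are not iptables output."""
    if " SRC=" not in line or " DST=" not in line:
        return None
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value            # "IN=" yields fields["IN"] == ""
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def is_outbound_syn(f):
    """True for a new outbound TCP connection: leaves via an interface,
    did not arrive on one, SYN set and ACK clear."""
    return bool(f.get("PROTO") == "TCP" and f.get("OUT") and not f.get("IN")
                and "SYN" in f["flags"] and "ACK" not in f["flags"])


def scan(lines):
    """Return {'odd_port': [(src, dst, dport)], 'fanout': [(src, n)]}.
    The fanout alert fires once, when a source reaches FANOUT_THRESHOLD
    distinct destinations."""
    alerts = {"odd_port": [], "fanout": []}
    dsts_by_src = defaultdict(set)
    for line in lines:
        f = parse_iptables_log(line)
        if f is None or not is_outbound_syn(f):
            continue
        src, dst, dport = f["SRC"], f["DST"], int(f["DPT"])
        if dport not in EXPECTED_DPORTS:
            alerts["odd_port"].append((src, dst, dport))
        dsts_by_src[src].add(dst)
        if len(dsts_by_src[src]) == FANOUT_THRESHOLD:
            alerts["fanout"].append((src, FANOUT_THRESHOLD))
    return alerts


def _log(sec, prefix, inif, outif, src, dst, proto, dpt, flags, ident):
    """Build one constructed syslog line in iptables LOG format."""
    return (f"Feb  3 00:11:{sec:02d} web kernel: {prefix} IN={inif} OUT={outif} "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID={ident} DF "
            f"PROTO={proto} SPT=3456{ident % 10} DPT={dpt} WINDOW=5840 RES=0x00 "
            f"{flags} URGP=0")


# Constructed sample: the web server 192.168.1.10 does a DNS lookup and an
# HTTP fetch (normal), receives one inbound connection (ignored), then SYNs
# to 6667 (IRC, the usual bot rendezvous) and to port 445 on five hosts.
SAMPLE_LOG = [
    _log(27, "OUT-NEW", "", "eth0", "192.168.1.10", "192.168.1.1", "UDP", 53, "", 1),
    _log(27, "OUT-NEW", "", "eth0", "192.168.1.10", "200.226.137.9", "TCP", 80, "SYN", 2),
    _log(29, "OUT-NEW", "", "eth0", "192.168.1.10", "10.20.30.40", "TCP", 6667, "SYN", 3),
    _log(30, "IN-NEW", "eth0", "", "198.51.100.7", "192.168.1.10", "TCP", 80, "SYN", 4),
] + [
    _log(31 + k, "OUT-NEW", "", "eth0", "192.168.1.10", f"203.0.113.{k + 1}",
         "TCP", 445, "SYN", 5 + k)
    for k in range(5)
]

if __name__ == "__main__":
    for kind, entries in scan(SAMPLE_LOG).items():
        for entry in entries:
            print(kind, entry)
```

For near real time, feed it `tail -F /var/log/messages` line by line instead of the list. Keep the allowlist and threshold honest for the box in question: a mail relay legitimately fans out to many hosts on port 25, so its EXPECTED_DPORTS and FANOUT_THRESHOLD differ from a web server's. And since a rooted host can edit its own logs, the lines are only trustworthy if syslog forwards them to another machine as they are written.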

Ned Ludd | 6 Feb 12:45 2004

RealOne Player and RealPlayer 8 vulnerabilities

Package here for which we have no solution.

http://bugs.gentoo.org/show_bug.cgi?id=40469

The current recommendation is complete package masking.
Please leave your comments on the bug on what you think should be done.

-- 
Ned Ludd <solar <at> gentoo.org>
Gentoo Linux Developer

Mike Tangolics | 6 Feb 13:07 2004

Re: RealOne Player and RealPlayer 8 vulnerabilities


I agree, the packages should be masked for the time being.

It appears that the Linux version is pretty much as vulnerable as the
Windows version.

Ned Ludd wrote:
| Package here for which we have no solution.
|
| http://bugs.gentoo.org/show_bug.cgi?id=40469
|
| The current recommendation is complete package masking.
| Please leave your comments on the bug on what you think should be done.
|

Calum | 9 Feb 13:11 2004

Idea for easily checking for security updates.

Hello all,

I have a suggestion which may be worth bandying around. Comments please.

At the moment, there are virtual classes of ebuilds, namely system, and world. 
(Sorry if I'm not using the right terminology here).

emerge -up world shows all possible packages for upgrading, whereas emerge -up 
system shows only system related packages.

Currently on one of my servers, emerge -up system shows:
foo root # emerge -up system | grep "\[ebuild" | wc -l
     50

Now, most of these are trivial:
sys-apps/man-pages-1.65 [1.56]
net-misc/dhcpcd-1.3.22_p4-r2 [1.3.22_p4-r1]
that don't affect the security of the running system. (I hope!)
On this server, I am only concerned with the security of the system, not 
making sure that I am upgrading apache, postfix, ssh, and others every time a 
new release comes out. (Unless of course I require some additional 
functionality.)

What I think would be a good idea is the creation and maintenance of say 4 new 
virtual packages:
remote-root
remote-shell
local-root
remote-dos
(Maybe there could be more, but these are the ones that I can think of).
(Continue reading)

Matt Steven | 9 Feb 13:34 2004

Re: Idea for easily checking for security updates.

On Monday 09 February 2004 01:11 pm, Calum wrote:
> What I think would be a good idea is the creation and maintenance of say 4
> new virtual packages:
> remote-root
> remote-shell
> local-root
> remote-dos

I like the idea of 

  emerge -u security

But specifying what sort of security threat it is seems a waste of time; I 
think for most of us a security hole is a security hole, and they should all 
be patched asap.

There is a discussion relating to offering a more stable portage tree going on 
in gentoo-server that might be of interest to you.  

See the thread "QA or an unchanging portage tree?"

-- 
Matt Steven
GeniusWeb.com
(712)580-2983


(Continue reading)

Calum | 9 Feb 14:06 2004

Re: Idea for easily checking for security updates.

On Monday 09 February 2004 12:34 pm, Matt Steven wrote:

> I like the idea of
>
>   emerge -u security
>
> But specifying what sort of security threat it is seems a waste of time, I
> think for most of us a security hole is a security hole, and they should
> all be patched asap.

I think it's nice to have the choice. And maybe some users run firewalls, or 
other servers where there are no local users. (I know I'd still upgrade the 
local stuff too, but...) Or maybe they run servers in intranet environments 
where they don't need to upgrade because of the chance of a DoS on Apache.

It's all about choice.


