SpaceMan007ultra | 1 Feb 11:34 2004

Re: [sentinix-list] Announcement regarding upcoming release of SENTINIX

Hi

I was wondering why you have not added webmin to Sentinix ?

Cheers
Adrian Kriel

----- Original Message ----- 
From: "Michel Blomgren" <michel@...>
To: <sentinix@...>
Sent: Thursday, January 29, 2004 2:47 AM
Subject: [sentinix-list] Announcement regarding upcoming release of SENTINIX

Hi list!

I just wanted to tell everyone what I (and Chris Hammond and Xavier) am
working on right now.

Major changes in SENTINIX (probably v 0.80):

##KERNELS##

Linux 2.4.21 will still be used, but the do_brk and the do_mremap bugs have
been patched out.  I have experienced the best result with the 2.4.21
openMosix kernel, that's why I'll stick with it.  I _might_ try and add
2.6.0
(but patched against the do_mremap bug) as the "plain" and "smp" kernel. The
kernel headers would however be 2.4.21.

I will add more kernels in the future, for example openMosix 2.4.22. But

Hugo Teso Torío | 1 Feb 14:18 2004

Re: [sentinix-list] Announcement regarding upcoming release of SENTINIX

Hi,

I think this question is directly related to me, because I'm adapting Webmin
to Sentinix. I've been working on it for one month, but with the new year at my
company everybody has lots of things to do and I have less time for working
on Webmin. Actually I have modified the install script, adding new files for a
better adaptation with Sentinix, and now I'm working on the build script;
hopefully I will finish it soon.

Any additional help will be welcome.

Best regards

Hugo Teso Torío
MkZ Soluciones de Ingeniería
HugoT@...

----- Original Message ----- 
From: "SpaceMan007ultra" <root@...>
To: "The SENTINIX Mailing List" <sentinix@...>
Sent: Sunday, February 01, 2004 11:34 AM
Subject: Re: [sentinix-list] Announcement regarding upcoming release of SENTINIX

> Hi
>
> I was wondering why you have not added webmin to Sentinix ?
>
> Cheers
> Adrian Kriel

SpaceMan007ultra | 1 Feb 14:31 2004

Re: [sentinix-list] Announcement regarding upcoming release of SENTINIX

That should be excellent..

Are you going to include usermin as well? One small request: please remove
all the unused modules.

----- Original Message ----- 
From: "Hugo Teso Torío" <HugoT@...>
To: "The SENTINIX Mailing List" <sentinix@...>
Sent: Sunday, February 01, 2004 3:18 PM
Subject: Re: [sentinix-list] Announcement regarding upcoming release of SENTINIX

> Hi,
>
> I think this question is directly related to me, because I'm adapting Webmin
> to Sentinix. I've been working on it for one month, but with the new year at my
> company everybody has lots of things to do and I have less time for working
> on Webmin. Actually I have modified the install script, adding new files for a
> better adaptation with Sentinix, and now I'm working on the build script;
> hopefully I will finish it soon.
>
> Any additional help will be welcome.
>
> Best regards
>
> Hugo Teso Torío
> MkZ Soluciones de Ingeniería

Marlon.Richards | 2 Feb 19:59 2004

[sentinix-list] Anyone ever heard of darkprofits.net or darkprofits.com?


Hi guys. I know this is the Sentinix mailing list but I am just wondering
if I could get some help here. I found that my DNS server is being asked to
make numerous resolutions of darkprofits.com and darkprofits.net. None of
my internal clients are making these requests. My sniffer shows me that the
requests are being made from outside my network and that my DNS server is
making a request for this domain to external hosts. Does anyone know where
this may be coming from and how to stop it?

Regards
M. Morgan | 2 Feb 20:23 2004

Re: [sentinix-list] Anyone ever heard of darkprofits.net or darkprofits.com?

Marlon,
 I'm going to make a couple of guesses here, but it seems that darkprofits.com and .net are DDoS targets of the
MiMail.C virus.
 Per Symantec:

"Performs a Denial of Service (DoS) with the following characteristics:

Randomly selects a site from the names below:

a. darkprofits.net
b. www.darkprofits.net
c. darkprofits.com
d. www.darkprofits.com

The DoS routine is designed to have 15 attacking threads active at any moment. 
Each thread performs one TCP connection or an ICMP attack, and then sleeps for five seconds. 
Randomly chooses to perform a TCP connection on port 80 or to perform an ICMP attack. 
The packets sent to the victim carry a 2k payload filled with random data. 
Uses a random ICMP type when performing the ICMP attack. 
The data sent is either the GET request or some random data when performing the HTTP connection."

details here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mimail.c-tYGDv3plIkE <at> public.gmane.org

And both domains are registered to:

02/02/04 14:19:31 whois www.darkprofits.net
.net is a domain of Network services
Searches for .net can be run at http://www.crsnic.net/


Travis Albrecht | 2 Feb 20:26 2004

RE: [sentinix-list] Anyone ever heard of darkprofits.net or darkprofits.com?

More than likely those requests are coming from machines infected with
Mimail, how to stop it... I would need to know more about your DNS server and
environment.  

Sounds like you have the same server responding to queries for internal and
external.  If it's BIND you could set it to respond only for zones for which
it is authoritative; however, that would break internal requests, unless you
are running 2 NICs.

See if this helps http://www.zytrax.com/books/dns/ch4/#stealth

Travis Albrecht

-----Original Message-----
From: sentinix-bounces@...
[mailto:sentinix-bounces@...] On Behalf Of
Marlon.Richards@...
Sent: Monday, February 02, 2004 1:00 PM
To: The SENTINIX Mailing List
Subject: [sentinix-list] Anyone ever heard of darkprofits.net or darkprofits.com?

Hi guys. I know this is the Sentinix mailing list but I am just wondering
if I could get some help here. I found that my DNS server is being asked to
make numerous resolutions of darkprofits.com and darkprofits.net. None of
my internal clients are making these requests. My sniffer shows me that the
requests are being made from outside my network and that my DNS server is
making a request for this domain to external hosts. Does anyone know where
this may be coming from and how to stop it?


Michel Blomgren | 4 Feb 02:02 2004

Re: [sentinix-list] Anyone ever heard of darkprofits.net or darkprofits.com?

Also, if you're using BIND named and that nameserver of yours isn't used as a 
public caching name server, you could easily set up ACLs for who can query 
the name server.
See 
http://www.learninglinux.com/HOWTO/Linux+IPv6-HOWTO/hints-daemons-bind.html
for more info.

Or, you could do as I do, put the port 53 tcp/udp behind Netfilter's stateful 
firewalling (it probably breaks the ns standards though).

	Michel

On Monday 02 February 2004 20:26, Travis Albrecht wrote:
> More than likely those requests are coming from machines infected with
> Mimail, how to stop it... I would need to know more about your DNS server
> and environment.
>
> Sounds like you have the same server responding to queries for internal and
> external.  If it's BIND you could set it to respond only for zones for
> which it is authoritative; however, that would break internal requests,
> unless you are running 2 NICs.
>
> See if this helps http://www.zytrax.com/books/dns/ch4/#stealth
>
> Travis Albrecht
>
> -----Original Message-----
> From: sentinix-bounces@...
> [mailto:sentinix-bounces@...] On Behalf Of
> Marlon.Richards@...
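Travis suggests answering only for zones the server is authoritative for, and Michel suggests ACLs on who may query; both amount to not recursing for strangers. The script below is an added example (mine, not from any list member or from SENTINIX): it parses constructed BIND 9 query-log lines, flags queries from outside the trusted networks for names that are not in your own zones (exactly the traffic Marlon saw), and renders the named.conf `allow-recursion` ACL that closes the hole. The log format, the trusted networks (10.0.0.0/8, 192.168.0.0/16), the zone names and all addresses are assumptions for the example; the source addresses are documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND 9 query-log lines (not from the list post).  Format assumed:
# "client <ip>#<port>: query: <name> IN <type> <flags>", where a leading "+" in
# the flags means the client asked for recursion.  10.1.2.x stands in for the LAN.
SAMPLE_LOG = """\
02-Feb-2004 13:41:02.113 client 10.1.2.7#1027: query: mail.example.internal IN A +
02-Feb-2004 13:41:03.551 client 203.0.113.45#2981: query: darkprofits.com IN A +
02-Feb-2004 13:41:03.602 client 198.51.100.9#1031: query: www.darkprofits.net IN A +
02-Feb-2004 13:41:04.118 client 203.0.113.45#2982: query: darkprofits.net IN A +
02-Feb-2004 13:41:05.004 client 10.1.2.9#1040: query: www.darkprofits.com IN A +
02-Feb-2004 13:41:05.770 client 198.51.100.9#1032: query: example.com IN MX -
"""

# Assumed site parameters: networks allowed to recurse, zones we are authoritative for.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AUTHORITATIVE_ZONES = ("example.com", "example.internal")

LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
    r"(?: (?P<flags>[+-]\S*))?"
)


def parse_query_log(text):
    """Return one dict per recognised query line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m.group("flags") or ""
        records.append({
            "src": ipaddress.ip_address(m.group("src")),
            "name": m.group("name").rstrip(".").lower(),
            "qtype": m.group("qtype"),
            "recursion_desired": flags.startswith("+"),
        })
    return records


def in_zone(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def is_trusted(addr, nets):
    return any(addr in n for n in nets)


def find_external_recursion(records, trusted_nets=TRUSTED_NETS, zones=AUTHORITATIVE_ZONES):
    """Queries from outside the trusted networks for names we are not authoritative
    for.  If the server answers these, it is acting as an open recursive resolver."""
    return [r for r in records
            if not is_trusted(r["src"], trusted_nets) and not in_zone(r["name"], zones)]


def summarize(suspects):
    """Who is abusing the resolver, and for which names."""
    by_source = Counter(str(r["src"]) for r in suspects)
    by_name = Counter(r["name"] for r in suspects)
    return by_source, by_name


def render_bind_acl(trusted_nets, acl_name="trusted"):
    """named.conf fragment: answer everyone for our own zones, recurse only for
    trusted clients (BIND 9 'acl' and 'allow-recursion' options)."""
    nets = " ".join(f"{n};" for n in trusted_nets)
    return (f'acl "{acl_name}" {{ {nets} }};\n'
            "options {\n"
            "    allow-query { any; };\n"
            f"    allow-recursion {{ {acl_name}; }};\n"
            "};\n")


if __name__ == "__main__":
    suspects = find_external_recursion(parse_query_log(SAMPLE_LOG))
    by_source, by_name = summarize(suspects)
    print("external recursive queries:", len(suspects))
    print("by source:", dict(by_source))
    print("by name:", dict(by_name))
    print(render_bind_acl(TRUSTED_NETS))
```

Run it against a real query log (`querylog yes;` or `rndc querylog` in BIND 9) with your own networks and zones substituted. The `allow-query { any; }` line keeps the server usable as an authoritative server from the outside; only recursion is restricted, which is the split Travis describes without needing a second NIC.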

M. Morgan | 4 Feb 20:50 2004

[sentinix-list] Email Alert Notification?

Hello list,
 Does anyone know of a tool that I can set up to send email notifications when I get certain alerts from my snort boxes?

thanks,
michael
Terkanian, Greg | 4 Feb 20:59 2004

RE: [sentinix-list] Email Alert Notification?

Check out the following link:
http://groups.google.com/groups?q=snort+email+notifications&hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&selm=a2noie%241m1l%241%40FreeBSD.csie.NCTU.edu.tw&rnum=5

-----Original Message-----
From: sentinix-bounces@...
[mailto:sentinix-bounces@...]On Behalf Of M. Morgan
Sent: Wednesday, February 04, 2004 1:50 PM
To: sentinix@...
Subject: [sentinix-list] Email Alert Notification?

Hello list,
 Does anyone know of a tool that I can set up to send email notifications when I get certain alerts from my snort boxes?

thanks,
michael
_______________________________________________
SENTINIX mailing list
SENTINIX@...
http://elevenprospect.com/mailman/listinfo/sentinix
M. Morgan | 4 Feb 21:49 2004

RE: [sentinix-list] Email Alert Notification?

Greg,
 That's an interesting link, but I should have been more specific in my request. I'm not sure if that would work
for me as it relies on syslog files...

 I have three remote snort sensors logging to a central mysql database. I'd like to configure notifications
based on the events in that database (or does it have to be on each separate machine?)

 This brings up some interesting questions for me:
-when the output plugin is directing snort output to a remote database will a "log watcher" like swatch
still work?

-does snort log to the sys logs AND the remote database?

 This is my first attempt at this trick and the options are many it seems but some work better than others.

Any other ideas?

Thanks for the help,
Michael

-----Original Message-----
From: "Terkanian, Greg" <GTerkanian@...>
Sent: Feb 4, 2004 2:59 PM
To: "M. Morgan" <mikemorgan@...>, 
	The SENTINIX Mailing List <sentinix@...>
Subject: RE: [sentinix-list] Email Alert Notification?

Check out the following link:
http://groups.google.com/groups?q=snort+email+notifications&hl=en&lr=lang_en&ie=UTF-8&oe=UTF-8&selm=a2noie%241m1l%241%40FreeBSD.csie.NCTU.edu.tw&rnum=5

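Michael's setup (three sensors writing to one central MySQL database) is easier to watch at the database than with a syslog watcher on each sensor: a small poller that remembers the last event id it has mailed per sensor. The script below is an added example of mine, not a tool from the thread or from the Snort project. It assumes the Snort database schema as the database output plugin writes it (the `sensor`, `signature`, `event` and `iphdr` tables, with addresses stored as unsigned 32-bit integers); that schema is from memory, so check it against your own `create_mysql` script. sqlite3 stands in for MySQL so the example runs offline, the rows are constructed, and `soc@localhost` / `snort@localhost` are placeholder addresses.

```python
import sqlite3
import smtplib
from ipaddress import IPv4Address
from email.message import EmailMessage

# Subset of the Snort database schema (assumed; verify against your create_mysql).
SCHEMA = """
CREATE TABLE sensor    (sid INTEGER PRIMARY KEY, hostname TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT,
                        PRIMARY KEY (sid, cid));
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER,
                        PRIMARY KEY (sid, cid));
"""


def _ip(s):
    return int(IPv4Address(s))  # Snort stores addresses as unsigned 32-bit integers


# Constructed sample rows: three sensors, two signatures, four events.
SAMPLE_ROWS = {
    "sensor": [(1, "sensor-a"), (2, "sensor-b"), (3, "sensor-c")],
    "signature": [(100, "ICMP PING NMAP", 3),
                  (200, "WEB-ATTACKS /bin/sh command attempt", 1)],
    "event": [(1, 1, 100, "2004-02-04 20:10:00"), (2, 1, 200, "2004-02-04 20:11:00"),
              (3, 1, 100, "2004-02-04 20:12:00"), (2, 2, 200, "2004-02-04 20:13:00")],
    "iphdr": [(1, 1, _ip("203.0.113.5"), _ip("10.0.0.1")),
              (2, 1, _ip("198.51.100.7"), _ip("10.0.0.80")),
              (3, 1, _ip("203.0.113.9"), _ip("10.0.0.1")),
              (2, 2, _ip("198.51.100.7"), _ip("10.0.0.80"))],
}


def open_sample_db():
    """In-memory stand-in for the central MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    conn.commit()
    return conn


QUERY = """
SELECT e.sid, e.cid, e.timestamp, se.hostname, sg.sig_name, sg.sig_priority,
       ip.ip_src, ip.ip_dst
FROM event e
JOIN signature sg  ON sg.sig_id = e.signature
JOIN sensor se     ON se.sid = e.sid
LEFT JOIN iphdr ip ON ip.sid = e.sid AND ip.cid = e.cid
WHERE sg.sig_priority <= ?
ORDER BY e.sid, e.cid
"""


def fetch_new_events(conn, cursor, min_priority=1):
    """Events not yet mailed (cid above the per-sensor cursor) whose signature
    priority is min_priority or better (1 is the highest in Snort).
    cursor is a dict {sid: last cid mailed} and is updated in place."""
    events = []
    for sid, cid, ts, host, name, prio, src, dst in conn.execute(QUERY, (min_priority,)):
        if cid <= cursor.get(sid, 0):
            continue
        events.append({"sid": sid, "cid": cid, "timestamp": ts, "hostname": host,
                       "sig_name": name, "priority": prio,
                       "src": str(IPv4Address(src)) if src is not None else "?",
                       "dst": str(IPv4Address(dst)) if dst is not None else "?"})
        cursor[sid] = cid
    return events


def format_alert(events, sender="snort@localhost", recipient="soc@localhost"):
    """One mail per polling pass, one line per event (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[snort] {len(events)} new alert(s)"
    msg.set_content("\n".join(
        f"{e['timestamp']} {e['hostname']} prio={e['priority']} "
        f"{e['src']} -> {e['dst']} {e['sig_name']}" for e in events) + "\n")
    return msg


def notify(conn, cursor, send=None, min_priority=1):
    """One polling pass: fetch, mail, return the number of events mailed.
    send(msg) defaults to the local MTA; pass a callable to test or swap MTAs."""
    events = fetch_new_events(conn, cursor, min_priority)
    if not events:
        return 0
    msg = format_alert(events)
    if send is None:
        with smtplib.SMTP("localhost") as smtp:
            smtp.send_message(msg)
    else:
        send(msg)
    return len(events)


if __name__ == "__main__":
    db, seen = open_sample_db(), {}
    n = notify(db, seen, send=lambda m: print(m), min_priority=3)
    print(n, "event(s) mailed; cursor now", seen)
```

For real use, replace `sqlite3` with a MySQL driver pointed at the central database, persist the cursor dict to a file between runs, push the `cid > ?` condition into the WHERE clause so old events are not re-read, and run it from cron. Because the poller works on the database, the sensors do not need to log to syslog at all, and no swatch-style watcher is needed on each machine.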
