openSUSE Security July 1999

security@lists.opensuse.org

50 participants
17 discussions

passwd
by Dieter M�ller 29 Jul '99

29 Jul '99

Hello, I already sent this message a few days ago, but I didn't saw it on the list, if I only missed it I have to say sorry in advance. I need a one-time-password authentication system which allows me to log in via an untrusted terminal, p.ex via telnet from win-xy. The problem is that I can't disable telnet on my pc thince I still need it to log in from my secure network. The very best would be a telnet-alike protocol which allows to choose between giving a normal or a one-time password. Dieter _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com

10 10

problems with passwd
by Jean Luc Laborde 29 Jul '99

29 Jul '99

1 0

Secure-Linux extensions for Kernel 2.2.x?
by Markus Gaugusch 28 Jul '99

28 Jul '99

Hi there! Maybe you've heard about the secure-linux-patches for kernel versions 2.0.x, which hide foreign processes from normal users. Only root can see all processes running. Has anyone of you found the equivalent (proc-fs patches, etc.) for the 2.2.x series?? TIA Markus ____________________________________ Markus Gaugusch m.gaugusch(a)xpoint.at ICQ-ID: 11374583 [www.mirabilis.com] *** *** *** Hi! I'm a .signature virus! *** *** *** Copy me into your .signature file to help me spread!

1 0

Re: [suse-security] passwd
by Michael Salmon 28 Jul '99

28 Jul '99

+----- On Tue, 27 Jul 1999 03:17:02 PDT, Dieter "Müller" writes: | Hello, | | I already sent this message a few days ago, but I didn't saw it on the | list, if I only missed it I have to say sorry in advance. | | I need a one-time-password authentication system which allows me to log | in via an untrusted terminal, p.ex via telnet from win-xy. | The problem is that I can't disable telnet on my pc thince I still need | it to log in from my secure network. | | The very best would be a telnet-alike protocol which allows to choose | between giving a normal or a one-time password. You could try s-key or opie (which is derived from s-key). With s-key you generate 100 passwords that you use in turn. I believe that s-key can be broken if enough passwords are collected but I am unsure of the details. Another alternative is kerberos but that is probably an overkill, as I guess that you aren't a US resident you will need to fetch it from KTH in Stockholm. Sorry no URL's. /Michael

1 0

Help: our system has been hacked...!
by Josef Frohn 28 Jul '99

28 Jul '99

Dear all, I am using Suse5.2 with the according security-patches from the Suse server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network. Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages: ---------------------------- Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3 -------------------------- I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system. How did slovaka/r00t enter my system? How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id... I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole? Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?) Any hint is appreciated! Josef BTW: I am using a different system to write this email.... -- -- Dr. J. Frohn - S.I.S. GmbH email: frohn(a)sis-gmbh.com Kaiserstr. 100 http:\\www.sis-gmbh.com 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275 --

18 18

Leafnode problems?
by Nick Zentena 27 Jul '99

27 Jul '99

Hi, I spent some time checking my messages log file last night and noticed a couple of connects to leafnode from outside. Now these connection don't show a username just a IP address. Is there a known problem with leafnode? [I'm running leafnode 1.9.3] I've edited my host.allow/deny files to stop any non-local access but I'm curious. Thanks Nick -- --------------------- Nick Zentena SuSE 6.1 Linux 2.2.10 ---------------------

2 1

AW: [suse-security] Help: our system has been hacked...! (IMAPD-H ACK)
by Wyss Clemens 27 Jul '99

27 Jul '99

Found the following links http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg00652.html http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01155.html http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01149.html and there are even more articles on that site (Viel Glück) Clemens -----Ursprüngliche Nachricht----- Von: Josef Frohn [mailto:frohn@sis-gmbh.com] Gesendet am: Montag, 26. Juli 1999 16:12 An: suse-security(a)suse.com Betreff: [suse-security] Help: our system has been hacked...! Dear all, I am using Suse5.2 with the according security-patches from the Suse server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network. Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages: ---------------------------- Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3 -------------------------- I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system. How did slovaka/r00t enter my system? How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id... I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole? Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?) Any hint is appreciated! Josef BTW: I am using a different system to write this email.... -- -- Dr. J. Frohn - S.I.S. GmbH email: frohn(a)sis-gmbh.com Kaiserstr. 100 http:\\www.sis-gmbh.com 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275 -- --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security July 1999