July 1999 - openSUSE Security - openSUSE Mailing Lists

passwd
by Dieter M�ller 29 Jul '99

29 Jul '99

Hello, I already sent this message a few days ago, but I didn't saw it on the list, if I only missed it I have to say sorry in advance. I need a one-time-password authentication system which allows me to log in via an untrusted terminal, p.ex via telnet from win-xy. The problem is that I can't disable telnet on my pc thince I still need it to log in from my secure network. The very best would be a telnet-alike protocol which allows to choose between giving a normal or a one-time password. Dieter _________________________________________________________ Do You Yahoo!? Get your free @yahoo.com address at http://mail.yahoo.com

10 10

problems with passwd
by Jean Luc Laborde 29 Jul '99

29 Jul '99

1 0

Secure-Linux extensions for Kernel 2.2.x?
by Markus Gaugusch 28 Jul '99

28 Jul '99

Hi there! Maybe you've heard about the secure-linux-patches for kernel versions 2.0.x, which hide foreign processes from normal users. Only root can see all processes running. Has anyone of you found the equivalent (proc-fs patches, etc.) for the 2.2.x series?? TIA Markus ____________________________________ Markus Gaugusch m.gaugusch(a)xpoint.at ICQ-ID: 11374583 [www.mirabilis.com] *** *** *** Hi! I'm a .signature virus! *** *** *** Copy me into your .signature file to help me spread!

1 0

Re: [suse-security] passwd
by Michael Salmon 28 Jul '99

28 Jul '99

+----- On Tue, 27 Jul 1999 03:17:02 PDT, Dieter "Müller" writes: | Hello, | | I already sent this message a few days ago, but I didn't saw it on the | list, if I only missed it I have to say sorry in advance. | | I need a one-time-password authentication system which allows me to log | in via an untrusted terminal, p.ex via telnet from win-xy. | The problem is that I can't disable telnet on my pc thince I still need | it to log in from my secure network. | | The very best would be a telnet-alike protocol which allows to choose | between giving a normal or a one-time password. You could try s-key or opie (which is derived from s-key). With s-key you generate 100 passwords that you use in turn. I believe that s-key can be broken if enough passwords are collected but I am unsure of the details. Another alternative is kerberos but that is probably an overkill, as I guess that you aren't a US resident you will need to fetch it from KTH in Stockholm. Sorry no URL's. /Michael

1 0

Help: our system has been hacked...!
by Josef Frohn 28 Jul '99

28 Jul '99

Dear all, I am using Suse5.2 with the according security-patches from the Suse server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network. Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages: ---------------------------- Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3 -------------------------- I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system. How did slovaka/r00t enter my system? How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id... I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole? Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?) Any hint is appreciated! Josef BTW: I am using a different system to write this email.... -- -- Dr. J. Frohn - S.I.S. GmbH email: frohn(a)sis-gmbh.com Kaiserstr. 100 http:\\www.sis-gmbh.com 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275 --

18 18

Leafnode problems?
by Nick Zentena 27 Jul '99

27 Jul '99

Hi, I spent some time checking my messages log file last night and noticed a couple of connects to leafnode from outside. Now these connection don't show a username just a IP address. Is there a known problem with leafnode? [I'm running leafnode 1.9.3] I've edited my host.allow/deny files to stop any non-local access but I'm curious. Thanks Nick -- --------------------- Nick Zentena SuSE 6.1 Linux 2.2.10 ---------------------

2 1

AW: [suse-security] Help: our system has been hacked...! (IMAPD-H ACK)
by Wyss Clemens 27 Jul '99

27 Jul '99

Found the following links http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg00652.html http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01155.html http://www.lh.umu.se/~bjorn/mhonarc-files/linux-security/msg01149.html and there are even more articles on that site (Viel Glück) Clemens -----Ursprüngliche Nachricht----- Von: Josef Frohn [mailto:frohn@sis-gmbh.com] Gesendet am: Montag, 26. Juli 1999 16:12 An: suse-security(a)suse.com Betreff: [suse-security] Help: our system has been hacked...! Dear all, I am using Suse5.2 with the according security-patches from the Suse server. We have a valid IP, which means that our server is accessible from the Internet. The server acts as a gateway for a small company network. Now it looks as if our system has been hacked. I had several imapd reports during the last time and it ended up with the following sequence in my /var/log/messages: ---------------------------- Jul 14 13:24:52 server imapd[1819]: connect from root@<IP1> Jul 14 13:25:22 server in.telnetd[1820]: connect from <IP2> Jul 14 13:25:35 server login[1821]: no shadow password for `slovaka' on `ttyp3' from `pool051-max3.ds36-ca-us.dialup.<some-net> Jul 14 13:25:45 server su: (to r00t) slovaka on /dev/ttyp3 -------------------------- I checked with Yast the list of users and found the user "slovaka" and the user r00t (with root permissions!) as well. Besides that I can't see any further changes to the system. How did slovaka/r00t enter my system? How can I find out what he did? The numerical uid of him was the same as my personal account (500), so I can't use the id... I deleted those accounts and forced all users to change their passwords. But who enters the system within seconds once, will be able to do it a 2nd time as well, so how can I close this hole? Nobody uses imap in our group. Wouldn't it be best to stop imapd? I find no entry in rc.config and I don't know how to remove it from the startup scripts (can I just remove the imp<#> lines from /etc/services?) Any hint is appreciated! Josef BTW: I am using a different system to write this email.... -- -- Dr. J. Frohn - S.I.S. GmbH email: frohn(a)sis-gmbh.com Kaiserstr. 100 http:\\www.sis-gmbh.com 52134 Herzogenrath - GERMANY T +49 (0) 2407 96147 -- F +49 (0) 2407 96275 -- --------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com For additional commands, e-mail: suse-security-help(a)suse.com

1 0