openSUSE Security June 2003

security@lists.opensuse.org

156 participants
147 discussions

Re: [suse-security] initsys prozess / rootkit? trojan?
by GentooRulez 03 Jun '03

03 Jun '03

> any hints are welcome to make my new system better. You might want to use things like these http://www.saintcorporation.com/saint/ Network security scanner http://www.nessus.org/ Network security scanner www.lids.org Local ID www.snort.org Network ID www.rsbac.org rule based acl www.stunnel.org https tunnel 4 unprotected protocols or, as a long list try these Top 75 Network Security Tools www.insecure.org/tools.html Hope that helps Michael PS: One of my special "bastard operator" friends is: www.dansguardian.org

1 0

Password settings and file permissions
by Puth Chan Choth 03 Jun '03

03 Jun '03

Hello all, Running yast command and then go to security settings we can set our password to use MD5, DES .... Which one is the best MD5 or DES? and why? And as for "Miscellaneous settings", I see "Setting of file permissions: Easy, Secure, Paranoid" and I do not know which one is the best. As for "User launching updatedb: nobody, root" and I do not know which one is best for security reasons. Thank you so much for your assistance. Best regards, Chan Choth

2 1

AW: [suse-security] snort & logsurfer
by mailinglists 03 Jun '03

03 Jun '03

> are there Spaces in $1 ? yes: Jun 3 11:59:23 gonzales snort: [117:1:1] (spp_portscan2) Portscan detected from 172.16.0.110: 1 targets 21 ports in 0 seconds <eth0> {TCP} 172.16.0.110:45 -> 172.16.0.180:3442 | /usr/bin/mail -c psnizek -s Security_Alert: Jun 3 11:59:23 gonzales snort: [117:1:1] (spp_portscan2) Portscan detected from 172.16.0.110: 1 targets 21 ports in 0 seconds <eth0> {TCP} 172.16.0.110:45 -> 172.16.0.180:3442 > "echo \"$1\" | ... > could help. see above output to shell. I must remove the echo ... Philipp

1 0

What does this mean [eth1]
by Ian David Laws 03 Jun '03

03 Jun '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello everyone, Can someone give me a hit at what this means? using ps -aux |grep eth root 409 0.0 0.0 0 0 ? SW Apr13 0:01 [eth1] lsof |grep eth eth1 409 root cwd DIR 8,3 4096 2 / eth1 409 root rtd DIR 8,3 4096 2 / eth1 409 root 10u FIFO 8,3 90923 /dev/initctl I have googled but the only thing I find is from Romania and it talks about Promiscuous mode (shame I do not speak the lingo). I do not understand this, as this machine is only a GW/FireWall. Nothing running on eth1 to make it go into promiscuous mode except maybe mrtg but that checks the interfaces for tfc. Ian - -- A child of five would understand this. Send someone to fetch a child of five. Groucho Marx - ---------------------------------------------------- This mail has been scanned for virus by AntiVir for UNIX Copyright (C) 1994-2003 by H+BEDV Datentechnik GmbH. PGP ID: 589F8449 Fingerprint: EB1C FACF 6BEB 540E 8AC0 F04E 2A25 A2F1 589F 8449 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+2+G2KiWi8VifhEkRAvKdAJ92HUEWVrhIWYCdDCg1XKsXocZp0wCdFc/L /EUV7i1d35wgFA27X5eZzR4= =WSup -----END PGP SIGNATURE-----

3 5

initsys prozess / rootkit? trojan?
by Robert Schelander 03 Jun '03

03 Jun '03

Does someone know what this 'initsys' process is good for? I've never seen in on any of my systems before. Could it be part of a rootkit? I found the binary in /usr/bin/initsys thanks in advance Robert USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND root 1 0.2 0.0 448 64 ? S 01:05 0:07 init [5] root 2 0.0 0.0 0 0 ? SW 01:05 0:00 [keventd] root 3 0.0 0.0 0 0 ? SW 01:05 0:00 [kapmd] root 4 0.0 0.0 0 0 ? SWN 01:05 0:00 [ksoftirqd_CPU0] root 5 0.0 0.0 0 0 ? SW 01:05 0:00 [kswapd] root 6 0.0 0.0 0 0 ? SW 01:05 0:00 [bdflush] root 7 0.0 0.0 0 0 ? SW 01:05 0:00 [kupdated] root 10 0.0 0.0 0 0 ? SW< 01:05 0:00 [mdrecoveryd] root 14 0.0 0.0 0 0 ? DW 01:05 0:00 [hpt_wt] root 15 0.0 0.0 0 0 ? SW 01:05 0:00 [kreiserfsd] root 23 0.0 0.2 1312 332 ? S 01:05 0:00 initsys root 256 0.0 0.5 1840 640 ? S 01:05 0:00 /usr/sbin/apmd root 410 0.0 0.5 1408 640 ? S 01:05 0:00 /sbin/syslogd root 413 0.0 0.8 1904 1116 ? S 01:05 0:00 /sbin/klogd -c 1 root 449 0.0 0.0 0 0 ? SW 01:05 0:00 [khubd] bin 693 0.0 0.3 1344 404 ? S 01:05 0:00 /sbin/portmap .....

9 9

AW: [suse-security] snort & logsurfer
by mailinglists 03 Jun '03

03 Jun '03

> Blind shot: ...missed, unfortunately :-( > '(.*snort:.*)' - - - 0 report "/usr/lib/sendmail -F ALERT(a)domain.com > psnizek \"security alert: $1\"" "$1" I tried that. Result is the string gets tokenized and every token becomes part of the receiver's email address, such as: security(a)domain.com alert(a)domain.com . . . snort(a)domain.com and later psnizek(a)domain.com Besides of that the mail body still is empty. Philipp > Dirk > > > > -----Original Message----- > > From: mailinglists [mailto:mailinglists@belfin.ch] > > Sent: Monday, June 02, 2003 9:57 PM > > To: suse-security(a)suse.com > > Subject: [suse-security] snort & logsurfer > > > > > > Hi > > > > I'm trying to build up an email alerting system with snort 2 > > and logsurfer 1.5. Basically it's working; I get the emails > > from the snort box when snort acction occurs in the messages > > log. Problem is, the mail bodies are empty. > > > > That's the logsurfer command: > > > > '(.*snort:.*)' - - - 0 report "/usr/lib/sendmail -F > > ALERT(a)domain.com psnizek "security alert: $1"" "$1" > > > > > > please, can anybody help? > > > > thanks a lot & kind regards, > > > > Philipp > > > > -- > > Check the headers for your unsubscription address > > For additional commands, e-mail: suse-security-help(a)suse.com > > Security-related bug reports go to security(a)suse.de, not here > > > > > > > > -- > Check the headers for your unsubscription address > For additional commands, e-mail: suse-security-help(a)suse.com > Security-related bug reports go to security(a)suse.de, not here > >

2 1

AW: [suse-security] Sendmail DoS?
by Ulrich Roth 03 Jun '03

03 Jun '03

> Anyway, why does everybody run sendmail instead of postfix > (8.x comes with postfix as default MTA)? AFAIK 8.0 still comes with sendmail as default MTA. I love the output of "sendmail -v <user@domain>". Is there a way for postfix to produce the same output? If a mail is stuck in the queue, I am able to identify the two files belonging to that mail, and to delete them if the content is not important or to manipulate headers and resend the mail. All this is much more difficult with postfix, or even impossible. Bye Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth(a)impact.de

1 0

Sendmail DoS?
by Boris Kimel (IOC) 03 Jun '03

03 Jun '03

Hello dear List Members. One of our SuSE 8.0 boxes which is a sendmail mailserver got those lines in /var/log/mail: > Jun 2 01:26:12 suse80box sendmail[18268]: h51LQCu5018268: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:13 suse80box sendmail[18270]: h51LQDu5018270: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:14 suse80box sendmail[18272]: h51LQEu5018272: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:18 suse80box sendmail[18274]: h51LQFu5018274: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:20 suse80box sendmail[18276]: h51LQJu5018276: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:21 suse80box sendmail[18278]: h51LQKu5018278: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:22 suse80box sendmail[18280]: h51LQMu5018280: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:23 suse80box sendmail[18282]: h51LQNu5018282: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:24 suse80box sendmail[18284]: h51LQOu5018284: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:28 suse80box sendmail[18286]: h51LQSu5018286: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:29 suse80box sendmail[18288]: h51LQTu5018288: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:30 suse80box sendmail[18290]: h51LQUu5018290: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA > Jun 2 01:26:31 suse80box sendmail[18292]: h51LQVu5018292: [XXX.YYY.ZZZ.TTT] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA I've googled for those and found some situations involving port scans etc. But here we get the messages every second so this should be a DoS attempt. Am I right? What is the medicine? -- Best regards, Boris Kimel mailto:bobk@ioc.ac.ru

3 3

snort & logsurfer
by mailinglists 02 Jun '03

02 Jun '03

Hi I'm trying to build up an email alerting system with snort 2 and logsurfer 1.5. Basically it's working; I get the emails from the snort box when snort acction occurs in the messages log. Problem is, the mail bodies are empty. That's the logsurfer command: '(.*snort:.*)' - - - 0 report "/usr/lib/sendmail -F ALERT(a)domain.com psnizek "security alert: $1"" "$1" please, can anybody help? thanks a lot & kind regards, Philipp

2 1

Re: [suse-security] initsys prozess / rootkit? trojan?
by GentooRulez 02 Jun '03

02 Jun '03

google: initsys rootkit found exactly 1 hit: http://www.giac.org/practical/Edmo_Filho_GCIH.doc and there is to read snip ---- ...and initsys is a session hijacking tool that can be remotely connected by using another session hijacking tool called Hunt. Initsys was listening in the TCP ports 1867, 1868, 1871, 1872, 1880, 1881, 1884, 1885, 2106, 2107, 3464, 4998 and 30009. The results of the strings command executed by using initsys as the input file can be verified in Appendix D of this paper. ---- snap Hope that helps Michael

1 0

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security June 2003