Hello all.
I have a rather specific problem:
I need to block one specific Skype user from contacting or being contacted by people on
the inside of my network. (Company problems.)
I have tried to find solutions on the net, but haven't found anything I can
use. (Or so I think.)
Scenario:
User X is trying to subvert people in my organisation through Skype.
(We use Skype for communication with customers, so I can't just block all of it.
I still need to have it running.)
I need to block user X from connecting "in", and I need to block people on the
inside from initiating connections "out" to user X.
Is there any way to do this on a corporate level, or do I have to restrict
every single account?
I can't lock users down any more than I have, so setting them as "restricted
users" won't work. They still need to have "deeper" access to their machines.
--
/Rikard Johnels
In linux binaries, in any linux distro, I've discovered the same strings
which I believe may be due to a virus or trojan.
Yet, clamav, rkhunter, chkrootkit do not detect abnormalities.
Whether I run 'strings' on the binary files or view with vim or gedit, here
is what is always seen inside the binaries:
__gmon_start__
_Jv_RegisterClasses
Followed by commands which differ within each binary.
If, by some luck, I've downloaded a fresh Linux ISO where binaries do not
include the above two strings followed by commands, after I run an update
the updated binaries suddenly contain the above two strings and other, what
I believe to be, rogue strings. I've avoided the possible infection with an
OpenBSD install, yet all the Linux installations and burned ISOs contain
binaries with the above two strings followed by commands.
Search using find within your bin and sbin directories for those two strings
and see how many positives you find. Now use a text editor like vi or gedit
and search through the gibberish, locate these strings and isolate the
commands, if any, which follow them. Searching for variations such as gmonstart,
gmon, registerclasses, jv, etc. works. If you find results in your
binaries, please copy/paste the commands following the gmonstart and
jvregisterclasses strings so I may compare them to mine.
I've purchased Linux CDs from brick + mortar stores, downloaded ISOs from
different physical locations and found some CDs contained these strings
in the binaries and one or two rare ones did not, but when installed/updated
on a network connection the binaries replaced in the update process would
show these strings!! These strings are not alone by themselves in the
binaries; they are followed by commands with a @ mark before each command.
Google results are vague, some suggest shell backdoors, every Linux user
I've asked to date calls me paranoid while at the same time this knowledge
comes as a surprise to them, too, when they search their binaries and find
the same strings. I'm amazed by how quickly some rush to judgement and call
you a paranoid for being curious about the files on your system. The strings
may/may not be common, but in comparing commands which follow these strings
I've noticed some which seem downright malicious!
Maybe they're right, I'm just paranoid, but what am I seeing and why
are these strings so common across Linux distros' binaries, esp. the
Jv (java?) reference? Please, any help?
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
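For anyone chasing the two strings above: `__gmon_start__` and `_Jv_RegisterClasses` are weak undefined symbols that GCC's C runtime startup objects reference in every dynamically linked executable, so `strings` will show them in practically every binary on an RPM-based system. The check that tells a modified binary apart from a normal one is comparing the installed file against the package database (`rpm -Va`, or `rpm -Vf /path` for one file). The parser below is an added example, not part of any post on the list; it reads constructed `rpm -V` style output and separates digest/size changes and missing files from harmless mtime drift and expected config edits.

```python
import re

# rpm -V prints one line per file that differs from the package database:
# a 9-character flag field (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P capabilities; '.' = test passed,
# '?' = test could not be run), an optional attribute marker such as
# 'c' (config) or 'd' (doc), then the path. Missing files get "missing".
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[a-z]+)\s+)?(?P<path>/\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:(?P<attr>[a-z]+)\s+)?(?P<path>/\S+)$")

# Constructed sample of rpm -V output; not taken from any real system.
SAMPLE = """\
.......T.    /usr/bin/strings
S.5....T.    /usr/bin/ls
.......T.  c /etc/ssh/sshd_config
missing     /usr/sbin/rkhunter
..?......    /bin/ping
"""

def parse_verify(output):
    """Turn rpm -V output into a list of {path, status, flags, config} dicts."""
    findings = []
    for line in output.splitlines():
        m = MISSING_LINE.match(line)
        if m:
            findings.append({"path": m.group("path"), "status": "missing",
                             "flags": "", "config": "c" in (m.group("attr") or "")})
            continue
        m = VERIFY_LINE.match(line)
        if not m:
            continue  # headers or unrelated lines
        flags = m.group("flags")
        if "5" in flags or "S" in flags:
            status = "content-changed"   # bytes on disk differ from the package
        elif "?" in flags:
            status = "unverifiable"      # e.g. unreadable, needs a second look
        else:
            status = "metadata-only"     # mtime/mode/owner only; content intact
        findings.append({"path": m.group("path"), "status": status, "flags": flags,
                         "config": "c" in (m.group("attr") or "")})
    return findings

def suspicious(findings):
    """Non-config files whose content changed or which vanished: escalate these."""
    return sorted(f["path"] for f in findings
                  if f["status"] in ("content-changed", "missing") and not f["config"])
```

Files that rpm cannot account for at all (nothing in any package owns them) do not appear in `rpm -V` output, so pair this with `rpm -qf` on anything unexpected in bin and sbin.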
I have what I think is a pretty simple set up but for some reason I
just cannot get it to work properly.
                          _____
                         |     |---eth1-----{uplink1}
{masq intranet}---eth0---| F/W |
                         |_____|---eth2-----{uplink2}
Whenever I try to connect to services on eth1 or eth2 from the intranet,
my connection times out. I checked the logs under /var/log and found the following.
#tail -f /var/log/messages
Dec 2 10:45:37 linux-fw kernel: [65074.814640] martian source 68.***.192.234 from 192.168.1.14, on dev eth0
Dec 2 10:45:37 linux-fw kernel: [65074.814663] ll header: 00:c0:9f:19:da:3f:00:b0:d0:24:b5:8d:08:00
I've also copied my SuSEfirewall2 config. Any help would really be appreciated.
FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl ejabberd sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ="apache2 ejabberd sshd"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="apache2 apache2-ssl ejabberd sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="192.168.1.0/24,tcp,22"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="192.168.1.0/24,68.164.192.234,tcp,ssh"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING="int"
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
--
The general who advances without coveting fame and retreats without
fearing disgrace, whose only thought is to protect his country and do
good service for his sovereign, is the jewel of the kingdom.
- Sun Tzu
Is the list active?
I have a SuSE 11.2 server running ejabberd and httpd and also serving
as my firewall. I have three nets: zone:int, zone:ext and zone:dmz
(running https, ejabberd). For some reason, whenever I am behind zone:int
and masqueraded I am unable to connect to my dmz, but I can connect to
zone:ext. I checked my logs, see below. Any ideas?
linux-fw:~ # tail -f /var/log/messages
Dec 1 13:25:37 linux-fw kernel: [104567.407903] martian source 68.164.192.234 from 192.168.1.22, on dev eth0
Dec 1 13:25:37 linux-fw kernel: [104567.407914] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
Dec 1 13:25:37 linux-fw kernel: [104567.407978] martian source 68.164.192.234 from 192.168.1.22, on dev eth0
Dec 1 13:25:37 linux-fw kernel: [104567.407989] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
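A reading aid for the "martian source" lines in both firewall posts above (the Dec 1 and Dec 2 logs), added here as an example and not part of either post: the kernel prints the packet's destination address first and its source second ("martian source DST from SRC, on dev DEV"), meaning the source SRC failed the kernel's source validation for the interface it arrived on, and the "ll header" bytes are the raw Ethernet header (destination MAC, source MAC, ethertype). The parser below takes constructed log lines modelled on the ones quoted in the posts, joins each warning with its header line, decodes the MACs, and counts which inside host is triggering the warnings.

```python
import re
from collections import Counter

# Constructed sample in the shape of the kernel messages quoted in the posts.
SAMPLE_LOG = """\
Dec  1 13:25:37 linux-fw kernel: [104567.407903] martian source 68.164.192.234 from 192.168.1.22, on dev eth0
Dec  1 13:25:37 linux-fw kernel: [104567.407914] ll header: 00:c0:9f:19:da:3f:00:21:70:b8:ff:c9:08:00
Dec  2 10:45:37 linux-fw kernel: [65074.814640] martian source 68.164.192.234 from 192.168.1.14, on dev eth0
Dec  2 10:45:37 linux-fw kernel: [65074.814663] ll header: 00:c0:9f:19:da:3f:00:b0:d0:24:b5:8d:08:00
Dec  2 10:45:38 linux-fw kernel: [65075.100000] martian source 68.164.192.234 from 192.168.1.14, on dev eth0
Dec  2 10:45:38 linux-fw kernel: [65075.100010] ll header: 00:c0:9f:19:da:3f:00:b0:d0:24:b5:8d:08:00
"""

# Kernel format: "martian source <daddr> from <saddr>, on dev <dev>"
MARTIAN = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")
# The following line dumps the 14-byte link-layer header as colon-separated hex.
LLHDR = re.compile(r"ll header: (?P<hex>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

def decode_ll_header(hex_bytes):
    """Split an Ethernet II header into dst MAC, src MAC and ethertype."""
    o = hex_bytes.split(":")
    return {"dst_mac": ":".join(o[0:6]),
            "src_mac": ":".join(o[6:12]),
            "ethertype": "0x" + "".join(o[12:14])}   # 0x0800 = IPv4

def parse_martians(log_text):
    """Pair each martian warning with the ll header line that follows it."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN.search(line)
        if m:
            events.append(dict(m.groupdict(), ll=None))
            continue
        h = LLHDR.search(line)
        if h and events and events[-1]["ll"] is None:
            events[-1]["ll"] = decode_ll_header(h.group("hex"))
    return events

def summarize(events):
    """Count warnings per (incoming dev, sender IP, sender MAC, intended destination)."""
    return Counter((e["dev"], e["src"],
                    e["ll"]["src_mac"] if e["ll"] else "?",
                    e["dst"]) for e in events)
```

The sender MAC lets you confirm the warning really comes from the host that owns that inside address rather than from something spoofing it; the destination column shows which external address the inside hosts are trying to reach when the kernel drops the packet.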