Message-ID: <20061127213837.GC9959@sdf.lonestar.org>
Date: Mon, 27 Nov 2006 21:38:37 +0000
From: Tavis Ormandy <taviso@...too.org>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: SSH brute force blocking tool

On Mon, Nov 27, 2006 at 04:27:24PM -0500, J. Oquendo wrote:
> Tavis Ormandy wrote:
> 
> >I'm not sure what you mean by modification, I simply substituted the name
> >for the logfile I use.
> >
> >Thanks, Tavis.
> >
> >  
> So for the third time now. Explain to me how I am backdooring someone's 
> system.

J, Please calm down. You have made a programming error in your script
that attempts to eliminate the minor `log noise` from incorrect ssh
logins with a script that can be subverted to execute arbitrary shell
commands.


> 
> [root@...alhost include]# uname -a
> Linux int-mrkt 2.6.18-1.2200.fc5 #1 Sat Oct 14 16:59:26 EDT 2006 i686 
> i686 i386 GNU/Linux
> [root@...alhost include]# awk '/error retrieving/{getline;print $13}' 
> /var/log/secure|sort -ru
> 222.171.20.252
> 211.137.74.58
> 
> My logs parse out addresses not named and there is no redirection going 
> on.

Yes, but you assume a fixed format of the log entries. This is not the
case. The string "error retrieving" is easily placed in the log by
setting it as your username and attempting to login. You also assume
that the multiple log entries generated by a failed login are logged
atomically (i.e., no other log entries will appear between these two
entries), this is also not the case.

> If you want to say "Hey... It should be written as such" then gladly 
> do so. But posting "hey you're backdooring the planet" like a jackass is 
> moronic.

J, you asked people to install your "security tool" which contacts you
with enough information to find out who installed it and where, and
contains several rather obvious security flaws. If I mistook stupidity
for malice, I apologise.

> Line by line on my machines it does what it needs to do and it 
> does so just fine.

This is because your logs don't contain any entries specially crafted by
an attacker to subvert your machine. I'm sure some members of the list
are already attempting this on your web server, so you can check your
logs for examples.

> Did you see any notes of Gentoo on the comments? I
> didn't because I don't use it, never have, don't care to. So if it does 
> something different on Gentoo, let's use the brain for a moment... "Gee 
> this works horrible on Gentoo. The author is a shitty writer... I think 
> I should let him know" as opposed to "Oh my gawd he's backdooring you".

It's a standard format J, my log entries look identical to yours. It has
nothing to do with Gentoo.

Thanks, Tavis.

-- 
-------------------------------------
taviso@....lonestar.org | finger me for my pgp key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
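A worked illustration of the two parsing flaws Tavis points out, added here as an example; it is not part of the thread and not the tool under discussion. The log lines are constructed in the syslog/sshd layout the quoted awk one-liner assumes (field 13 of the "Failed password" line is the peer address); the hostname, PIDs, ports and addresses are made up. `naive_extract` emulates `awk '/error retrieving/{getline;print $13}'` record by record; `robust_extract` is the defensive alternative: it anchors on sshd's own "Failed password ... from <addr> port <n> ssh2" line, treats the username as opaque, and validates the extracted token as an IP address before returning it, so an unrelated interleaved entry or a login attempt whose username contains "error retrieving" cannot turn a non-address token into something a blocking command is later run on.

```python
"""Why the awk one-liner from the thread is unsafe, and a parser that is not.

Constructed sample log in the syslog/sshd layout the thread assumes
(hostname, PIDs, ports and addresses are made up for this example).
"""
import ipaddress
import re

SAMPLE_LOG = [
    # one ordinary failed login: pattern line and address line are adjacent
    "Nov 27 21:38:01 int-mrkt sshd[4242]: Invalid user admin from 222.171.20.252",
    "Nov 27 21:38:01 int-mrkt sshd[4242]: error retrieving information about user admin",
    "Nov 27 21:38:03 int-mrkt sshd[4242]: Failed password for invalid user admin from 222.171.20.252 port 51022 ssh2",
    # a second failed login with an unrelated su entry logged in between
    "Nov 27 21:38:05 int-mrkt sshd[4250]: Invalid user guest from 10.0.0.7",
    "Nov 27 21:38:05 int-mrkt sshd[4250]: error retrieving information about user guest",
    "Nov 27 21:38:05 int-mrkt su: pam_unix(su:session): session opened for user root by jo(uid=500)",
    "Nov 27 21:38:07 int-mrkt sshd[4250]: Failed password for invalid user guest from 10.0.0.7 port 51030 ssh2",
    # a login attempt whose username is the literal string "error retrieving"
    "Nov 27 21:38:09 int-mrkt sshd[4261]: Invalid user error retrieving from 211.137.74.58",
    "Nov 27 21:38:09 int-mrkt sshd[4261]: error retrieving information about user error retrieving",
    "Nov 27 21:38:11 int-mrkt sshd[4261]: Failed password for invalid user error retrieving from 211.137.74.58 port 51041 ssh2",
]


def naive_extract(lines):
    """Emulate  awk '/error retrieving/{getline;print $13}'  record by record.

    getline replaces the current record with the next one (and leaves it
    unchanged at end of input); $13 is the 13th whitespace-separated field,
    or the empty string when the record has fewer than 13 fields.
    """
    out = []
    i = 0
    while i < len(lines):
        if "error retrieving" in lines[i]:
            if i + 1 < len(lines):
                i += 1                      # getline: consume the next record
            fields = lines[i].split()
            out.append(fields[12] if len(fields) >= 13 else "")
        i += 1
    return out


# Anchor on sshd's own "Failed password" line and read the peer address from
# the fixed "from <addr> port <n> ssh2" tail at end of line; the username in
# between is opaque and may contain spaces or any string the client sends.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.+?) "
    r"from (?P<addr>\S+) port \d+ ssh2$"
)


def robust_extract(lines):
    """Return the unique, syntactically valid peer addresses of failed logins."""
    addrs = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue                        # never hand an unvalidated token to a shell
        addrs.add(str(addr))
    return sorted(addrs)


if __name__ == "__main__":
    print("naive :", naive_extract(SAMPLE_LOG))
    print("robust:", robust_extract(SAMPLE_LOG))
```

On this input the emulated one-liner yields `['222.171.20.252', 'jo(uid=500)', '', 'from']`: one real address, a token from the interleaved su entry, an empty field, and the word "from", while the sources 10.0.0.7 and 211.137.74.58 are never reported. The anchored parser returns exactly the three peer addresses. Whatever consumes the result (an iptables rule, a hosts.deny entry) should still take the value as an argument rather than interpolating it into a shell string, but with `ipaddress` validation in front of it the parser can no longer produce anything that is not an address.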
