Security :: Logwatch Reported Possible Exploits On Gateway Machine?
Mar 15, 2011
I have set logwatch to report the logs daily; somehow, since last week, I get the message below. A total of 1 possible successful probes were detected (the following URLs contain strings that match one or more of a listing of strings that indicate a possible exploit):
/cgi-bin/blocked.cgi?clientaddr=192.168.1.108&clientname=&clientident=&clientgroup=limitedaccess&targetclass= untrusted&url=http://adfarm.mediaplex.com/ad/fm/9608-84171-8772-2?
[code]...
Nov 25, 2009
A few days ago I installed F12 and it was working very well up until today, when I booted my computer from a perfectly working state yesterday to this. Well, my wireless was still being sniffed and slowed down to dial-up speed, but what's new; that's been consistent for at least 3 months and I can't really do much about it since my brother doesn't like changing the password.
I recently logged onto my new Fedora 12, 64-bit, system-encrypted (all partitions affected by install), SELinux-enforced install to find myself in tty4 and some "other" users logged on to the other terminals. My folders would have lock icons on them after opening, my notification menu/toolbar crashed and hasn't returned on system reboot, and some data transfers between removable storage returned input/output errors while others worked fine(?). I also received this kernel bug output from the bug reporting tool, but I have no idea what it means.
Also, I was not loose with the security either: I had removed unconfined login types (after setting up the system as I needed), meaning I couldn't even run root or sudo, and neither could anyone else (as far as I was aware). I pretty much increased SELinux to its maximum boolean strictness and limited the _default_ (me included) account to a user from a _default_ unconfined (to actually be able to log in with the SELinux boolean in place). Meaning they, "the exploiters", were able to bypass SELinux as a user account? How is that possible, and even if you do, root logon is disabled by SELinux too?
At the moment I'm on a live CD trying to look for a way to customise them, as it seems it may be my only option.
Just a side note: you can't just log in to tty4 by default without actively taking up spaces, either by other users or your own use. Meaning, since the tty login is automated, 3 terminals were in use: tty1, tty2 and tty3.
Which commands should I run to find out what is being done?
Edit: Just had my F12 x64 live CD taken down twice and had to hard reset as the toolbar disappeared. Took a photo of the last error message. I was just reading a PDF and using Firefox at the time.
Is Fedora usually this easy to hack?
Apr 29, 2011
Does anyone know any common Apache 2.2 exploits and how to stop them? I am setting up a web server and want it to be as secure as possible. I currently have a basic LAMP server on an Ubuntu server.
Jul 18, 2009
I refrained from posting this in the Kernel Vulns thread earlier, due to its zero-day status. But now that the issue has been Slashdotted, there's no use in keeping us from publicly discussing this vulnerability. The link to the article (from which I quote below) is here. Brad Spengler's original announcement on the Dailydave mailing list is here.
Quote: A researcher has published exploit code for a new vulnerability he discovered in the Linux kernel. The vulnerability is an especially interesting one in that the researcher who discovered it, Brad Spengler, has demonstrated that he can use the weakness to defeat many of the add-on security protections offered by SELinux and AppArmor.
Jul 4, 2010
When there is an exploit in the kernel, can the iptables firewall be bypassed? If yes, how do you know? Otherwise, how can you find out?
Jun 3, 2011
I have some questions about security:
1> Are Flash exploits of any use against a Linux operating system like Ubuntu etc.?
2> Are the Microsoft Office exploits any risk to LibreOffice or OpenOffice software suites?
3> Are there exploits for Linux, OpenOffice and LibreOffice?
Dec 9, 2010
Recently I had a Java exploit on Windows. Luckily Microsoft Security Essentials identified and removed it. Such things can happen on Linux as well, from what I've heard. Why does Linux offer no such detection?
Mar 4, 2010
How do I configure Logwatch? Where can I find its config file? I never configured it, but I receive email every day from Logwatch@mydomain.com.
Sep 11, 2010
I was advised by a fellow forum owner to install logwatch as a security precaution. Our forum runs on a dedicated server. CentOS 5.5. I ran "yum install logwatch" and got the following:
Code:
Examining logwatch-7.3.6-1.noarch.rpm: logwatch-7.3.6-1.noarch
Marking logwatch-7.3.6-1.noarch.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package logwatch.noarch 0:7.3.6-1 set to be updated
--> Finished Dependency Resolution
[Code]...
Apr 20, 2011
I have a server running CentOS 5.5. It runs rkhunter and logwatch daily. From both I get a daily mail.
I have a desktop computer running Fedora 13 (almost 14...). It also runs a daily rkhunter and logwatch. But I get ONE mail from logwatch, which contains the result of rkhunter.
On the server, I also want only mail from logwatch, containing the rkhunter results. But so far, no luck.
How can I get the rkhunter results in the logwatch mail on my CentOS server?
Dec 14, 2010
I'm not concerned about this since this traffic is generated from the loopback address, but would like to find out what it is.
[code]...
Sep 6, 2010
Possible Duplicate: Forward SSH traffic through a middle machine. I am looking to get an interactive ssh session on a remote machine, but must login via a gateway. For example, right now I do the following:
@local % ssh <user>@<gateway>
@gateway % ssh <user>@<remote>
Is it possible to achieve the same thing in a single command from my local machine? I have tried:
@local % ssh <user>@<gateway> 'ssh <user>@<remote>'
From the output I am indeed able to login, but do not get an interactive session. I took inspiration for this attempt from using ssh to run a command remotely.
Jul 31, 2010
I have several (say, 50) machines running Ubuntu. I want them to be centrally controlled. That is, each machine should get permission from a central machine before installing any software etc. I googled quite a lot but could not find the solution...
Mar 24, 2010
A client asked me to install ettercap on their Linux gateway machine (a machine with two Ethernet interfaces). I tried it in bridged mode, but as soon as I start it, the traffic stops and no one can access anything. Did anyone ever succeed in running it on the gateway?
Jun 15, 2010
We've had a site broken into, and several of the desktop computers physically stolen. The Ubuntu 9.10 router/gateway/firewall/web filter box has however NOT been stolen. I'm wondering if there is any information we can get from this that would help the police.
NAT and firewalling are handled by firehol. It runs a DHCP server to provide the desktops with IP addresses. It runs a Samba server with some file shares. It runs Squid and Dansguardian in an intercepting-proxy configuration. Of particular interest might be whether the MAC addresses of the stolen desktops can be obtained, which might help with tracking them down. Also anything to narrow down the time of the break-in.
Nov 1, 2010
I recently reinstalled and updated Ubuntu 10.04 LTS. After installing and running debsecan, I found a lot of problems. Does anyone have experience with this tool?
Dec 18, 2010
Is Linux vulnerable to Java drive-by exploits? Another computer I run on Windows 7 just notified me that it was infected through Java, and I'm wondering if my Linux box (Ubuntu 10) with Java installed is vulnerable.
Feb 25, 2010
I have this little nettop box, an Acer Revo, that I use for Boxee/Hulu Desktop with my TV. It's been a fairly enjoyable setup for months, until two mornings ago.
The first strike: Before work I poured myself some cereal, wandered over to the couch, plopped down and powered on the TV. After the set warmed up, a header image for some banking/something-or-other website made it from my screen into my retinas, and slowly turned my otherwise uneventful morning into me choking on a mouthful of Honey Nut Os as I leapt over my coffee table and slammed the off button on my cable modem.
I clean up the Honey Nut Os that I knocked on the floor and systematically change every password on my networked machines (Revo and two *laptops*). I check my router, disable my ssh port forwarding rule, kill remote admin access, change passwords, and MAC-address whitelist my wifi-connected machines just in case it's a local job. I read through all running processes, check my bash history, look for screen sessions, and so on. Finally I decide that I must have been brute forced, either on my ssh port or perhaps even directly on my router. My laptops should have been, and seemed to still be, in sleep mode since that night.
The second strike: So tonight I'm watching a South Park episode (a show I hate to love), about to cut out for the night, when the Boxee menu pops up. I look at the remote and back at the TV; for just a moment I think that perhaps the mouse shifted slightly on the carpet and caused the menu to activate. Then Boxee stops the video, navigates the menu a few clicks, pulls up the exit menu and closes itself. ......
Sep 10, 2010
I'm not really a network security guy or anything. I'm setting up an FTP server on my LAN. I know how to install the software and how to set up my router, but still have a couple of questions for an expert...
1. Which version of Ubuntu should I install? Server?
2. How can I isolate this machine from the others on the LAN?
Dec 26, 2010
When I run
Code:
I sometimes see
Code:
So I'm wondering if this means my Ubuntu server box is being used for spam or something? There are no other (human) users on the computer and I don't use it to send mails.
I've run
Code:
in paranoia, but still when I run
Code:
I get
Code:
and sometimes
Code:
Just thought I should ask before starting the tedious process of reinstalling and restoring the system.
Jan 18, 2010
I have installed an Ubuntu server and it is running OK. Before making it a production server, I want to make sure that if one day the OS corrupts accidentally, I can still access the users' files on the hard disk.
I burned an Ubuntu desktop live CD and booted this machine with it. There are 2 hard disks on the server; both could be mounted automatically. However, I can only access some folders like lost+found.
The questions are:
1. How can I access the other folders, given I have the root password of the server?
2. Is there a way to access all folders without knowing the users + passwords?
Jul 8, 2010
I am stuck in a big issue here; I just want to find the remote URL on which it listens.
I know the remote host and remote port number, but I just want to know which URL the web application listens on.
For example: Host: 1.1.1.1 & port no: 8080
But I remember the URL would be http://1.1.1.1/(something):8080
I want to find the complete URL on which it listens.
Can I achieve this with nmap, or with any other tool?
Jul 3, 2009
I have a LAN with 20 machines. I see that one of them is infected. It's sending a lot of packets to the internet. My internet connection at this moment is really slow. What should I do? How do I detect which machine is infected? I'm using a hardware firewall, Fortigate... It's hard to configure nice logs there. Any good software? I don't want to switch off the network cable from each machine and check.
Jan 9, 2010
I want to do port mapping on a Linux machine using iptables. I have a service listening on port 2000 UDP and I want to add an iptables rule which will map incoming packets on port 2001 to port 2000, so that the service will accept the connections. The idea is that I don't want to change the default port for the service, but to make an internal port redirection (from 2001 to 2000), so the default service port will be filtered by iptables and the other port will be open to the outside. The internet host connects to the Linux machine on port 2001. The Linux machine changes the destination port from 2001 to 2000, and the service (on the same machine) processes the packets and accepts the connection. I tried adding the following to my iptables rules, but it didn't work out:
$IPTABLES -A FORWARD -p udp --destination-port 2001 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2001 -j REDIRECT --to-port 2000
May 12, 2010
I'm currently using Slackware 13.0 and have my machine behind a Linksys DD-WRT router. I believe the DD-WRT software has all ports blocked by default, so opening up my machine for SSH login would only leave my system vulnerable at that port. To give an extra layer of security for that opened port, I've created the following script, which would be invoked as the users' shell.
#!/bin/sh
# If SSH_CLIENT is defined (i.e. we were started by sshd), run nail with $SSH_CLIENT as an argument.
# Use the POSIX single-bracket test: "[[" is a bash extension and is not guaranteed under /bin/sh.
if [ -n "${SSH_CLIENT}" ]; then
[code]....
Dec 16, 2010
I have an SSH tunnel set up between a local server and a remote postfix relay VPS. This is so we can route all our outgoing mail through this SSH tunnel to a private relay VPS; this seems to give us much more consistent mail delivery than using our ISP's relay. So the SSH tunnel is set to route port 1025 on machine A to port 25 on the VPS. This part of it is working perfectly and has been for months. However, today I wanted to set our e-mail newsletter software (on the same network as the SSH tunnel start-point) to send through the SSH tunnel. So I punched in the IP/port... 192.168.1.5:1025, but it doesn't work. Is there something I need to do to allow connections from other machines on the LAN to access the start-point of the SSH tunnel? Or are SSH tunnels restricted to localhost connections only?
Mar 5, 2010
I have an F11 box serving XDMCP. I log into the machine remotely with Xming. As far as I can tell, all X clients work fine, EXCEPT for sealert. I get occasional SELinux alerts, but I cannot use the sealert browser on my remote machine. When I try to run the browser, I get this: sealert -V -b
2010-03-05 11:27:49,841 [dbus.proxies.ERROR] Introspect error on :1.61:/org/fedoraproject/Setroubleshootd: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus) 2010-03-05 11:27:49,842 [dbus.proxies.DEBUG] Executing introspect queue due to error 2010-03-05 11:27:49,842 [dbus.ERROR] could not start dbus: org.freedesktop.DBus.Error.ServiceUnknown: The name :1.61 was not provided by any .service files
I see the bug at [URL].. but it does not mention the browser, nor does it say what the fix/workaround is. I'm going to stab in the dark and start relabeling things, but does anyone know what's really wrong?
Jan 9, 2010
If I download files from the internet to the Ubuntu home download folder, will that kill off Windows viruses? I also have the avast on-demand scanner, but are anti-viruses effective against Windows viruses these days?
Nov 8, 2010
I have a server that is on a high port number, and people want it on port 80. Because of root exploit issues, people say the server cannot run as root. So to solve things I want to redirect port 80 to a high port number, say 12345, on the machine. This has been discussed all over the web, so I find I need to do this:
/sbin/iptables -t nat -A PREROUTING -p tcp -d 123.45.67.89 --dport 80 -j REDIRECT --to-ports 12345
/sbin/iptables-save > /etc/sysconfig/iptables
And I do this, and voila, things work for the whole world. All machines in the world can see the server on port 80 on the machine. Except on the machine itself. On the machine 123.45.67.89, if I try to get to the server on 123.45.67.89:80, I get a can't-connect error. On the machine, if I try 123.45.67.89:12345, I can connect. What am I doing wrong here? I don't really want the localhost network, I want the IP address and port, but I want the forwarding to work on the local machine. But it doesn't...
Apr 18, 2011
I have, say, 10 machines, connected via NFS and NIS. There's a server which exports /home using NFS, and exports the user names using NIS. All machines are working fine. I am able to ssh to the machines remotely and get my work done. Recently, though, one of the machines (say M, for easy reference) would not allow any other machine on the NFS network [or outside the NFS network] to ssh into it. Every time an ssh attempt is made, 3 IP addresses [including the machine from which the ssh attempt was being made] are added to the /etc/hosts.deny file on M, and the error message on the other machine shows 'permission denied' after the password is entered. I tried using various options that ssh provides, but I cannot figure it out. I also tried uninstalling and reinstalling openssh-client and openssh-server on M, but it didn't change anything.
Another point to note is this: another user made use of M before, for a while, by disabling ssh passwords, so he could access M without having to enter his ssh password. That individual can still log in to M. All others who are required to enter a password cannot ssh into M.