Plug-discuss digest, Vol 1 #890 - 11 msgs
Max Tekchand
maxtek@qwest.net
Sun, 25 Mar 2001 21:28:27 -0800
Does anyone know, if there is a program that converts Word document into
html files to run on a Linux box. I've tried "webdoc". It craps out
after converting the first 5 .doc.
Thanks,
Max
Thanks,
plug-discuss-admin@lists.PLUG.phoenix.az.us wrote:
>
> Send Plug-discuss mailing list submissions to
> plug-discuss@lists.PLUG.phoenix.az.us
>
> To subscribe or unsubscribe via the web, visit
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> or, via email, send a message with subject or body 'help' to
> plug-discuss-request@lists.PLUG.phoenix.az.us
> You can reach the person managing the list at
> plug-discuss-admin@lists.PLUG.phoenix.az.us
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of Plug-discuss digest..."
>
> Today's Topics:
>
> 1. Re: bind (Shawn T. Rutledge)
> 2. Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (Shawn T. Rutledge)
> 3. Re: bind (Kurt Granroth)
> 4. Three NIC problem (David Demland)
> 5. Re: Three NIC problem (Bob George)
> 6. Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (Rick Rosinski)
> 7. Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (der.hans)
> 8. RE: Free stuff for PLUG and some not so free stuff for PLUG (Gary Nichols)
> 9. RE: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET (Craig White)
> 10. RE: Three NIC problem (Craig White)
> 11. Re: Three NIC problem (Bob George)
>
> --__--__--
>
> Message: 1
> Date: Fri, 23 Mar 2001 17:36:10 -0700
> From: "Shawn T. Rutledge" <ecloud@bigfoot.com>
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: bind
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> On Fri, Mar 23, 2001 at 04:29:59PM -0800, Lucas Vogel wrote:
> > Can I ask a really stupid question? What is BIND, and how do I know if I'm
> > running it or not?
>
> ps auxw | grep named
>
> it's the name server
> (Berkeley Internet Name Daemon)
>
> --
> _______ Shawn T. Rutledge / KB7PWD ecloud@bigfoot.com
> (_ | |_) http://www.bigfoot.com/~ecloud kb7pwd@kb7pwd.ampr.org
> __) | | \________________________________________________________________
>
> --__--__--
>
> Message: 2
> Date: Fri, 23 Mar 2001 17:38:10 -0700
> From: "Shawn T. Rutledge" <ecloud@bigfoot.com>
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> Thank you! I saw something about it, but didn't realize I needed
> to do something about it until now.
>
> 8.2.3-0 would be OK right? That's the latest one from
> http://security.debian.org
>
> On Fri, Mar 23, 2001 at 12:25:52PM -0700, Rusty Carruth wrote:
> >
> > In case nobody has posted this yet:
> >
> > If you've not updated your bind/dns - do so NOW.
> >
> > Also, if you run bsd there is a chance the problem is there also.
> >
> > >Date: Fri, 23 Mar 2001 9:40:03 -0700 (MST)
> > >From: The SANS Institute <securityalert@sans.org>
> > >Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > >Sender: sans@sans.org
> > >To: John Driggers (SD512389) <driggers@slb.com>
> > >X-LDAP-Alias: V 1.0rc5. Sent to driggers@slb.com resolving to
> > >driggers@austin.apc.slb.com
> > >
> > >-----BEGIN PGP SIGNED MESSAGE-----
> > >Hash: SHA1
> > >
> > >ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > >
> > >March 23, 2001 7:00 AM
> > >
> > >Late last night, the SANS Institute (through its Global Incident
> > >Analysis Center) uncovered a dangerous new worm that appears to be
> > >spreading rapidly across the Internet. It scans the Internet looking
> > >for Linux computers with a known vulnerability. It infects the
> > >vulnerable machines, steals the password file (sending it to a
> > >China.com site), installs other hacking tools, and forces the newly
> > >infected machine to begin scanning the Internet looking for other
> > >victims.
> > >
> > >Several experts from the security community worked through the night to
> > >decompose the worm's code and engineer a utility to help you discover
> > >if the Lion worm has affected your organization.
> > >
> > >Updates to this announcement will be posted at the SANS web site,
> > >http://www.sans.org
> > >
> > >
> > >DESCRIPTION
> > >
> > >The Lion worm is similar to the Ramen worm. However, this worm is
> > >significantly more dangerous and should be taken very seriously. It
> > >infects Linux machines running the BIND DNS server. It is known to
> > >infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> > >8.2.3-betas. The specific vulnerability used by the worm to exploit
> > >machines is the TSIG vulnerability that was reported on January 29,
> > >2001.
> > >
> > >The Lion worm spreads via an application called "randb". Randb scans
> > >random class B networks probing TCP port 53. Once it hits a system, it
> > >checks to see if it is vulnerable. If so, Lion exploits the system using
> > >an exploit called "name". It then installs the t0rn rootkit.
> > >
> > >Once Lion has compromised a system, it:
> > >
> > >- - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> > >network settings to an address in the china.com domain.
> > >- - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> > >protection afforded by tcp wrappers.
> > >- - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> > >inetd, see /etc/inetd.conf)
> > >- - Installs a trojaned version of ssh that listens on 33568/tcp
> > >- - Kills Syslogd , so the logging on the system can't be trusted
> > >- - Installs a trojaned version of login
> > >- - Looks for a hashed password in /etc/ttyhash
> > >- - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> > >overwritten with a trojaned version of ssh.
> > >
> > >The t0rn rootkit replaces several binaries on the system in order to
> > >stealth itself. Here are the binaries that it replaces:
> > >
> > >du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> > >ps, pstree, top
> > >
> > >- - "Mjy" is a utility for cleaning out log entries, and is placed in /bin
> > >and /usr/man/man1/man1/lib/.lib/.
> > >- - in.telnetd is also placed in these directories; its use is not known
> > >at this time.
> > >- - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
> > >
> > >DETECTION AND REMOVAL
> > >
> > >We have developed a utility called Lionfind that will detect the Lion
> > >files on an infected system. Simply download it, uncompress it, and
> > >run lionfind. This utility will list which of the suspect files is on
> > >the system.
> > >
> > >At this time, Lionfind is not able to remove the virus from the system.
> > >If and when an updated version becomes available (and we expect to
> > >provide one), an announcement will be made at this site.
> > >
> > >Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
> > >
> > >
> > >REFERENCES
> > >
> > >Further information can be found at:
> > >
> > >http://www.sans.org/current.htm
> > >http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
> > >Multiple Vulnerabilities in BIND
> > >http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
> > >in transaction signature (TSIG) handling code
> > >http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
> > >The following vendor update pages may help you in fixing the original BIND
> > >vulnerability:
> > >
> > >Redhat Linux RHSA-2001:007-03 - Bind remote exploit
> > >http://www.redhat.com/support/errata/RHSA-2001-007.html
> > >Debian GNU/Linux DSA-026-1 BIND
> > >http://www.debian.org/security/2001/dsa-026
> > >SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
> > >http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
> > >Caldera Linux CSSA-2001-008.0 Bind buffer overflow
> > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
> > >
> > >This security advisory was prepared by Matt Fearnow of the SANS
> > >Institute and William Stearns of the Dartmouth Institute for Security
> > >Technology Studies.
> > >
> > >The Lionfind utility was written by William Stearns. William is an
> > >Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> > >day job at the Institute for Security Technology Studies at Dartmouth
> > >College pays him to work on network security and Linux projects.
> > >
> > >Also contributing efforts go to Dave Dittrich from the University of
> > >Washington, and Greg Shipley of Neohapsis
> > >
> > >Matt Fearnow
> > >SANS GIAC Incident Handler
> > >
> > >If you have additional data on this worm or a critical quetsion please
> > >email lionworm@sans.org
> > >-----BEGIN PGP SIGNATURE-----
> > >Version: GnuPG v1.0.4 (BSD/OS)
> > >Comment: For info see http://www.gnupg.org
> > >
> > >iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
> > >ek+YCliAS832nnMIzP28ezM=
> > >=E1SG
> > >-----END PGP SIGNATURE-----
> >
> >
> > Rusty Carruth Email: rcarruth@Tempe.tt.slb.com or rcarruth@slb.com
> > Voice: (480) 345-3621 SnailMail: Schlumberger ATE
> > FAX: (480) 345-8793 7855 S. River Parkway, Suite 116
> > Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825
> > ICBM: 33 20' 44"N 111 53' 47"W
> >
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> >
> > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> _______ Shawn T. Rutledge / KB7PWD ecloud@bigfoot.com
> (_ | |_) http://www.bigfoot.com/~ecloud kb7pwd@kb7pwd.ampr.org
> __) | | \________________________________________________________________
> Free long distance at http://www.bigredwire.com/me/RefTrack?id=USA063420
>
> --__--__--
>
> Message: 3
> Date: Fri, 23 Mar 2001 17:45:57 -0700
> From: Kurt Granroth <kurt@granroth.org>
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: bind
> plug-discuss@lists.PLUG.phoenix.az.us
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> Lucas Vogel wrote:
> > Can I ask a really stupid question? What is BIND, and how do I know if I'm
> > running it or not?
>
> It is the (set of) programs that handle name lookups. The specific
> program that does most of the work is called 'named'. You can tell if
> it's running by doing 'ps aux | grep named' or '/etc/rc.d/named status'
> (maybe).
>
> You almost surely *aren't* running it unless:
>
> 1) You are running a DNS server to handle name server requests for
> your LAN
> 2) Your distribution installs and runs it by default
>
> I don't think any distros are dumb enough to do the latter and since
> you are asking what it is, you clearly aren't doing the former :-)
> --
> Kurt Granroth | http://www.granroth.org
> KDE Developer/Evangelist | SuSE Labs Open Source Developer
> granroth@kde.org | granroth@suse.com
> KDE -- Conquer Your Desktop
>
> --__--__--
>
> Message: 4
> From: "David Demland" <ddemland@cadtel.com>
> To: "Plug-Discuss" <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: Three NIC problem
> Date: Fri, 23 Mar 2001 18:09:56 -0700
> charset="iso-8859-1"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> I have a problem. I am installing a Storm box. It has to have three NICs.
> This is because two if the NICs will be used as the gateways for our
> internal workstations. At the current time some of our workstations use one
> gateway, a T1, and the others use an other gateway, an ISDN line. This new
> firewall has to have NICs for each of these gateways. This way we can remove
> these firewalls without having to reconfigure all the workstations. The
> third NIC will be used to send data out to our Cisco router which we will
> use to do the routing for all our network. The idea is to use the current
> gateway IP of 192.168.1.204 (T1) and 192.168.1.79 (ISDN). The third NIC will
> be given an IP of 10.0.1.1 that will be used to pass all traffic to the
> router.
>
> Question:
>
> How do I get the Storm box to route both of the functioning gateway IPs out
> the third NIC to the router? I thought I had the routing table and the NICs
> configured right but I can not get anything to pass out the third NIC.
>
> Thank You,
>
> David Demland
> Qa/Process Manager
> CADTEL Systems, Inc.
> 11201 N. Tatum Ste. 200
> Phoenix, AZ 85028
> (602) 648-6054
> Fax: (602) 648-6054
> ddemland@cadtel.com
>
> --__--__--
>
> Message: 5
> From: "Bob George" <plug@bobspc.dhs.org>
> To: <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: Re: Three NIC problem
> Date: Fri, 23 Mar 2001 18:13:02 -0700
> charset="iso-8859-1"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> "David Demland" <ddemland@cadtel.com> wrote:
>
> > [...]
> > Question:
> >
> > How do I get the Storm box to route both of the functioning gateway IPs
> out
> > the third NIC to the router? I thought I had the routing table and the
> NICs
> > configured right but I can not get anything to pass out the third NIC.
>
> Can we assume that the 3rd NIC is up and running OK? You'd typically just
> have static routes pointing to your local subnets as appropriate, and a
> default route pointing to the Cisco router. You mentioned that the Storm box
> is also acting as a firewall. Are you using NAT? Could that be the issue?
> Can you ping the Cisco router from the Storm box?
>
> Dump us your configs, routing tables and traceroutes and some more ideas may
> be forthcoming.
>
> (FYI: You could also bind multiple secondary IPs to the Cisco router's
> internal port, and use IT as your firewall. The capabilities will depend on
> who manages it, and what feature set you've purchased.)
>
> Good luck!
>
> - Bob
>
> --__--__--
>
> Message: 6
> From: Rick Rosinski <rick@rickrosinski.com>
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> Date: Fri, 23 Mar 2001 19:14:33 +0000
> charset="us-ascii"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> Would this effect a Slackware 7.x system? I noticed that I don't have any
> "bind" in my paths.
>
> On Saturday 24 March 2001 00:38, you wrote:
> > Thank you! I saw something about it, but didn't realize I needed
> > to do something about it until now.
> >
> > 8.2.3-0 would be OK right? That's the latest one from
> > http://security.debian.org
> >
> > On Fri, Mar 23, 2001 at 12:25:52PM -0700, Rusty Carruth wrote:
> > > In case nobody has posted this yet:
> > >
> > > If you've not updated your bind/dns - do so NOW.
> > >
> > > Also, if you run bsd there is a chance the problem is there also.
> > >
> > > >Date: Fri, 23 Mar 2001 9:40:03 -0700 (MST)
> > > >From: The SANS Institute <securityalert@sans.org>
> > > >Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > > >Sender: sans@sans.org
> > > >To: John Driggers (SD512389) <driggers@slb.com>
> > > >X-LDAP-Alias: V 1.0rc5. Sent to driggers@slb.com resolving to
> > > >driggers@austin.apc.slb.com
> > > >
> > > >-----BEGIN PGP SIGNED MESSAGE-----
> > > >Hash: SHA1
> > > >
> > > >ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> > > >
> > > >March 23, 2001 7:00 AM
> > > >
> > > >Late last night, the SANS Institute (through its Global Incident
> > > >Analysis Center) uncovered a dangerous new worm that appears to be
> > > >spreading rapidly across the Internet. It scans the Internet looking
> > > >for Linux computers with a known vulnerability. It infects the
> > > >vulnerable machines, steals the password file (sending it to a
> > > >China.com site), installs other hacking tools, and forces the newly
> > > >infected machine to begin scanning the Internet looking for other
> > > >victims.
> > > >
> > > >Several experts from the security community worked through the night to
> > > >decompose the worm's code and engineer a utility to help you discover
> > > >if the Lion worm has affected your organization.
> > > >
> > > >Updates to this announcement will be posted at the SANS web site,
> > > >http://www.sans.org
> > > >
> > > >
> > > >DESCRIPTION
> > > >
> > > >The Lion worm is similar to the Ramen worm. However, this worm is
> > > >significantly more dangerous and should be taken very seriously. It
> > > >infects Linux machines running the BIND DNS server. It is known to
> > > >infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> > > >8.2.3-betas. The specific vulnerability used by the worm to exploit
> > > >machines is the TSIG vulnerability that was reported on January 29,
> > > >2001.
> > > >
> > > >The Lion worm spreads via an application called "randb". Randb scans
> > > >random class B networks probing TCP port 53. Once it hits a system, it
> > > >checks to see if it is vulnerable. If so, Lion exploits the system using
> > > >an exploit called "name". It then installs the t0rn rootkit.
> > > >
> > > >Once Lion has compromised a system, it:
> > > >
> > > >- - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> > > >network settings to an address in the china.com domain.
> > > >- - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> > > >protection afforded by tcp wrappers.
> > > >- - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> > > >inetd, see /etc/inetd.conf)
> > > >- - Installs a trojaned version of ssh that listens on 33568/tcp
> > > >- - Kills Syslogd , so the logging on the system can't be trusted
> > > >- - Installs a trojaned version of login
> > > >- - Looks for a hashed password in /etc/ttyhash
> > > >- - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> > > >overwritten with a trojaned version of ssh.
> > > >
> > > >The t0rn rootkit replaces several binaries on the system in order to
> > > >stealth itself. Here are the binaries that it replaces:
> > > >
> > > >du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> > > >ps, pstree, top
> > > >
> > > >- - "Mjy" is a utility for cleaning out log entries, and is placed in
> > > > /bin and /usr/man/man1/man1/lib/.lib/.
> > > >- - in.telnetd is also placed in these directories; its use is not known
> > > >at this time.
> > > >- - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
> > > >
> > > >DETECTION AND REMOVAL
> > > >
> > > >We have developed a utility called Lionfind that will detect the Lion
> > > >files on an infected system. Simply download it, uncompress it, and
> > > >run lionfind. This utility will list which of the suspect files is on
> > > >the system.
> > > >
> > > >At this time, Lionfind is not able to remove the virus from the system.
> > > >If and when an updated version becomes available (and we expect to
> > > >provide one), an announcement will be made at this site.
> > > >
> > > >Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
> > > >
> > > >
> > > >REFERENCES
> > > >
> > > >Further information can be found at:
> > > >
> > > >http://www.sans.org/current.htm
> > > >http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
> > > > CA-2001-02, Multiple Vulnerabilities in BIND
> > > >http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
> > > > overflow in transaction signature (TSIG) handling code
> > > >http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
> > > >The following vendor update pages may help you in fixing the original
> > > > BIND vulnerability:
> > > >
> > > >Redhat Linux RHSA-2001:007-03 - Bind remote exploit
> > > >http://www.redhat.com/support/errata/RHSA-2001-007.html
> > > >Debian GNU/Linux DSA-026-1 BIND
> > > >http://www.debian.org/security/2001/dsa-026
> > > >SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
> > > >http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt
> > > >Caldera Linux CSSA-2001-008.0 Bind buffer overflow
> > > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> > > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
> > > >
> > > >This security advisory was prepared by Matt Fearnow of the SANS
> > > >Institute and William Stearns of the Dartmouth Institute for Security
> > > >Technology Studies.
> > > >
> > > >The Lionfind utility was written by William Stearns. William is an
> > > >Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> > > >day job at the Institute for Security Technology Studies at Dartmouth
> > > >College pays him to work on network security and Linux projects.
> > > >
> > > >Also contributing efforts go to Dave Dittrich from the University of
> > > >Washington, and Greg Shipley of Neohapsis
> > > >
> > > >Matt Fearnow
> > > >SANS GIAC Incident Handler
> > > >
> > > >If you have additional data on this worm or a critical quetsion please
> > > >email lionworm@sans.org
> > > >-----BEGIN PGP SIGNATURE-----
> > > >Version: GnuPG v1.0.4 (BSD/OS)
> > > >Comment: For info see http://www.gnupg.org
> > > >
> > > >iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
> > > >ek+YCliAS832nnMIzP28ezM=
> > > >=E1SG
> > > >-----END PGP SIGNATURE-----
> > >
> > > Rusty Carruth Email: rcarruth@Tempe.tt.slb.com or
> > > rcarruth@slb.com Voice: (480) 345-3621 SnailMail: Schlumberger ATE
> > > FAX: (480) 345-8793 7855 S. River Parkway, Suite 116
> > > Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825
> > > ICBM: 33 20' 44"N 111 53' 47"W
> > >
> > >
> > > ________________________________________________
> > > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > > post to the list quickly and you use Netscape to write mail.
> > >
> > > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> Rick Rosinski
> http://rickrosinski.com
> rick@rickrosinski.com
>
> --__--__--
>
> Message: 7
> Date: Fri, 23 Mar 2001 19:20:15 -0700 (MST)
> From: "der.hans" <PLUGd@LuftHans.com>
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> Am 23. Mar, 2001 schwäzte Rick Rosinski so:
>
> > Would this effect a Slackware 7.x system? I noticed that I don't have any
> > "bind" in my paths.
>
> The executable is called named. Slack probably needs to be updated as the
> upstream security fixes were first released in Jan.
>
> ciao,
>
> der.hans
> --
> # der.hans@LuftHans.com home.pages.de/~lufthans/ www.YourCompanyHere.net ;-)
> # Two roads diverged in a wood, and I --
> # I took the one less traveled by,
> # And that has made all the difference. -- Robert Frost
> # I, OTOH, prefer to just go stomping through the desert... - der.hans
>
> --__--__--
>
> Message: 8
> From: "Gary Nichols" <gnichols@qwest.net>
> To: <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: RE: Free stuff for PLUG and some not so free stuff for PLUG
> Date: Fri, 23 Mar 2001 19:42:44 -0700
> charset="iso-8859-1"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> Thanks to Jim for volunteering to pick up the loot, and thanks to Lucas for
> offering to buy my Amiga. :-)
>
> Here's the breakdown of the goodies... hope you all enjoy.
>
> Shirts:
> XL Black Penguin Computing
> XL White Penguin VXA
> L Blue Penguin Polo
> (Worn a few times, but in great shape... and washed! *g*)
>
> Boxed Software:
> Applixware Office (can't recall the version... but I think it was from 1998)
> Redhat 7.0 new in shrinkwrap
> Redhat 6.1
> Redhat 5.2
> Redhat 5.1
> Suse 6.1
> Accelerated X Multihead
> Solaris 7 x86 + Sparc
> Solaris 8 beta
>
> Books:
> Computer Consultants Handbook
> Linux, complete ref (caldera)
> Linux, Complete ref (penguin)
> Linux, Adv ref (penguin)
> Tcl/TK Tools
>
> Misc:
> 6" Stuffed Tux
> Linux Library CD
> A bunch of Redhat bumper stickers
>
> Should you be the recipient of a box of software and you're missing the
> cd's, let me know and I'll see if I can find them. This stuff has been in
> my den for a while. *grin*
>
> ~Gary
>
> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us
> [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us]On Behalf Of Gary
> Nichols
> Sent: Friday, March 23, 2001 3:04 PM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Free stuff for PLUG and some not so free stuff for PLUG
>
> Guys,
>
> I just cleaned out my den and I have a bunch of linux-oriented stuff I'd
> like to donate to the group. If somebody could swing by my home or office
> to pick them up I'd appreciate it-- no idea when I'll make the next meeting.
> Perhaps use them as door prizes or donations to school(s)?
>
> More or less the pile of stuff consists of:
> Redhat 5.1
> Redhat 5.2
> Redhat 6.1
> Redhat 7.0 (brand new in shrink wrap)
> Suse 6.x (can't remember)
> Tk/Tcl Tools book
> Applixware office
> Various linux books that I had more than 1 copy of.
>
> There are some linux T-shirts too, just can't remember what I threw in the
> box. Anyway... this stuff is free to the group, just need a 'designatee' to
> come pick it up!
>
> My home is near I-17/Deer Valley in Phoenix, my office is near
> Priest/University in Tempe.
>
> Also OT, I am planning on moving to Chandler shortly so I'm wanting to sell
> my Amiga 2000 with monitor/keyboard/mouse and a box of software. (You know,
> better to sell cheap than move it LOL) The Amiga has 2MB of memory, a hard
> drive/floppy/external floppy and works great.
> I'll let all this Amiga stuff go for $100.
>
> Anybody? Please answer to the list or you can email me directly at:
> gnichols AT qwest.net.
>
> Thanks PLUG'ers
>
> Gary
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post
> to the list quickly and you use Netscape to write mail.
>
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --__--__--
>
> Message: 9
> From: "Craig White" <craigwhite@azapple.com>
> To: <plug-discuss@lists.plug.phoenix.az.us>
> Subject: RE: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> Date: Fri, 23 Mar 2001 20:42:09 -0700
> charset="US-ASCII"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> > -----Original Message-----
> > From: plug-discuss-admin@lists.plug.phoenix.az.us
> > [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of Rick
> > Rosinski
> > Sent: Friday, March 23, 2001 12:15 PM
> > To: plug-discuss@lists.plug.phoenix.az.us
> > Subject: Re: Fwd: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE
> > INTERNET
> >
> >
> > Would this effect a Slackware 7.x system? I noticed that I don't
> > have any
> > "bind" in my paths.
> >
> ---
> Try typing (as root) "ps aux|less" and scroll up and down to see if "named"
> is running. This will tell for sure.
>
> I can't imagine any reason for named/bind to be installed on any workstation
> configuration as it is strictly a network server daemon. If you are running
> a linux as a masquerade/firewall/router box - you may have installed bind -
> if you did, you surely should know whether it is installed or not.
>
> Only 2 scenarios here, 1 is that you plan to provide domain name services to
> the public internet in which case, you better get up to speed on bind, up to
> date and spend a lot of time learning how to chroot because it is probably
> more a question of when it gets hacked than if it gets hacked.
>
> Scenario 2 is that you are providing DNS services to a local lan - in which
> case you MUST block the DNS packets from coming thru your firewall...
>
> on the 2.2-xxx kernel
>
> /sbin/ipchains -A input -j REJECT (or DENY) - i (public ethernet
> interface) -p tcp -s 0.0.0.0 -d (public ipaddress) domain
>
> and also
>
> /sbin/ipchains -A input -j REJECT (or DENY) - i (public ethernet
> interface) -p udp -s 0.0.0.0 -d (public ipaddress) domain
>
> replace (public ethernet interface) with eth0, eth1 whichever appropriate
> replace (public ipaddress) with your public/internet ip address
> you need to block both tcp & udp because DNS packets can be either.
>
> as one who has experience bind exploits, I speak with experience.
>
> Craig
>
> --__--__--
>
> Message: 10
> From: "Craig White" <craigwhite@azapple.com>
> To: <plug-discuss@lists.plug.phoenix.az.us>
> Subject: RE: Three NIC problem
> Date: Fri, 23 Mar 2001 20:50:01 -0700
> charset="iso-8859-1"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> > -----Original Message-----
> > From: plug-discuss-admin@lists.plug.phoenix.az.us
> > [mailto:plug-discuss-admin@lists.plug.phoenix.az.us]On Behalf Of David
> > Demland
> > Sent: Friday, March 23, 2001 6:10 PM
> > To: Plug-Discuss
> > Subject: Three NIC problem
> >
> >
> > I have a problem. I am installing a Storm box. It has to have three NICs.
> > This is because two if the NICs will be used as the gateways for our
> > internal workstations. At the current time some of our
> > workstations use one
> > gateway, a T1, and the others use an other gateway, an ISDN line. This new
> > firewall has to have NICs for each of these gateways. This way we
> > can remove
> > these firewalls without having to reconfigure all the workstations. The
> > third NIC will be used to send data out to our Cisco router which we will
> > use to do the routing for all our network. The idea is to use the current
> > gateway IP of 192.168.1.204 (T1) and 192.168.1.79 (ISDN). The
> > third NIC will
> > be given an IP of 10.0.1.1 that will be used to pass all traffic to the
> > router.
> >
> > Question:
> >
> > How do I get the Storm box to route both of the functioning
> > gateway IPs out
> > the third NIC to the router? I thought I had the routing table
> > and the NICs
> > configured right but I can not get anything to pass out the third NIC.
> >
> -----
> Perhaps I'm not understanding what's going on but on the surface, it appears
> that you are using a Cisco router to route two distinct subnets but trying
> to put a firewall between the two subnets and the router - that doesn't make
> sense to me.
>
> I would like to see this topic remain public and not private so I can
> benefit from learning about 3 NIC setup since I am going to be trying to do
> a similar thing.
>
> Craig
>
> --__--__--
>
> Message: 11
> From: "Bob George" <plug@bobspc.dhs.org>
> To: <plug-discuss@lists.PLUG.phoenix.az.us>
> Subject: Re: Three NIC problem
> Date: Fri, 23 Mar 2001 21:35:49 -0700
> charset="iso-8859-1"
> Reply-To: plug-discuss@lists.PLUG.phoenix.az.us
>
> "Craig White" <craigwhite@azapple.com> wrote:
> > [...]
> > I would like to see this topic remain public and not private so I can
> > benefit from learning about 3 NIC setup since I am going to be trying to
> do
> > a similar thing.
>
> Are there any particular issues you're concerned about? I've got 3 10/100
> ethernet plus a token ring port going on my firewall at present. I'm using
> Debian on a 2.4.1 kernel to support my internal LAN (general usage), DMZ
> (mail, web servers), and lab (Cisco router pod). NAT to the Internet as
> well. It's working great. In fact, a few of us are using Zebra to test
> various BGP routing scenarios (GRE tunnels between Cisco and Linux devices).
> I'd be happy to share my notes.
>
> - Bob
>
> --__--__--
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> End of Plug-discuss Digest