RESOLVED, sort of.... problems with cygwin/xfree86 xdmcp access


Subject: RESOLVED, sort of.... problems with cygwin/xfree86 xdmcp access
From: LT (lee@afabco.com)
Date: Wed Aug 13 2003 - 18:24:17 AKDT


Date: Wed, 13 Aug 2003 15:12:02 -0800 (AKDT)
From: aklug@aklug.org
To: aklug digest users <aklug@aklug.org>
Subject: aklug Digest V2 #188

aklug Digest Wed, 13 Aug 2003 Volume: 02 Issue: 188

In This Issue:
                Re: Multi-Card Reader
                Fwd: Distributing OpenOffice to schools
                Re: Multi-Card Reader
                Re: Eterm geometry
                Re: Fwd: Distributing OpenOffice to schools
                RE: Fwd: Distributing OpenOffice to schools
                Poor mans Honeypot ( fun with script kids and worms)
                Poor Mans Honeypot
                Re: Fwd: Distributing OpenOffice to schools
                RE: Fwd: Distributing OpenOffice to schools
                problems with cygwin/Xfree86 xdmcp access on mandrake 9.1 ho

----------------------------------------------------------------------

Date: Wed, 13 Aug 2003 06:48:08 -0800
From: James Zuelow <e5z8652@zuelow.net>
Subject: Re: Multi-Card Reader

On Tue, 12 Aug 2003 21:51:30 -0800
"Neil Moomey" <neil@neilmoomey.com> wrote:

>
> Thanks for the reply. SD stands for Secure Digital. It's the new
> postage stamp sized flash cards with a write protect switch. Very
> nice.
>

I use a SanDisk SDR-55 reader for these. It is not a multiple format
reader (it only reads the smart media) but it does require special
modules to work. In addition to the normal usb mass storage modules,
2.4.20 or higher is required and I have to set
CONFIG_USB_STORAGE_SDDR55=y in the kernel config. Prior to 2.4.20 my
reader just didn't work. Running usbview would show it as an unknown
device no matter which usb storage modules I loaded.

You didn't mention which model of reader you're using, but it might be
in a similar situation where you have to load device specific modules
(or compile them in like I did) in order to use the smart media part of
the reader.

Cheers,

James

------------------------------

Subject: Re: Multi-Card Reader
From: Jim Gribbin <jgribbin@alaska.net>
Date: Wed, 13 Aug 2003 07:59:22 -0800

Neil,

Is the SD Card formatted, and is it formatted vfat? I don't believe you can
mount a drive unless it's formatted in a recognized format.

Jim Gribbin

On Tue, 2003-08-12 at 21:51, Neil Moomey wrote:
> Thanks for the reply. SD stands for Secure Digital. It's the new
> postage stamp sized flash cards with a write protect switch. Very
> nice.
>
> I took out the CF card, put in the SD card and as root I tried:
>     mount -t vfat /dev/sdc1 /mnt/sd
> Also tried sdc1 through sdj1 but no luck. All I get is:
>     mount: /dev/sdc1 is not a valid block device
>
> Unplugging/plugging the USB like you said didn't work either.
>
> When I run cdrecord --scanbus I get:
>     scsibus1:
>     1,0,0 100) 'BELKIN ' 'USB 2 HS-CF' '1.29' Removable Disk
>
> I assume this is my CF card only, which I can mount just fine.
>
> Neil

------------------------------

From: Joshua J.Kugler <isd@as.uaf.edu>
Subject: Fwd: Distributing OpenOffice to schools
Date: Wed, 13 Aug 2003 09:18:32 -0800

Something that might be interesting, especially in light of the recent
budget cuts for education.

j----- k-----

---------- Forwarded Message ----------
Subject: [CVALE] Distributing OpenOffice to schools
Date: Tue, 12 Aug 2003 22:44:19 -0800
From: "Lincoln Peters" <lincoln_peters@hotmail.com>(by way of "Joshua J.
Kugler" <jkugler@bigfoot.com>)
To: isd@asuaf.org

Perhaps the group has already heard about this (the Linux community in
Northern California has been spreading the word much faster than I
expected), but here it is:

The OpenOffice.org team has announced to Schoolforge that it intends to
launch an education campaign in October (when OpenOffice 1.1 is released)
and put as many copies of OpenOffice in the hands of students and
teachers as possible.

Is anyone here interested in burning and distributing OpenOffice CD's to
public schools? At some time in the near future, they will release an ISO
with OpenOffice 1.1 that supports Windows auto-run, so if you are
interested, you should not start burning CD's just yet (I can notify the
group when the official ISO is available).

This project is being coordinated by "ian" (ian.lynch2@ntlworld.com), an
OpenOffice.org developer. There does not appear to be any information on
the OpenOffice.org website yet, but I can provide information (and URL's)
as soon as I receive it.

-------------------------------------------------------

-- 
Joshua Kugler, Information Services Director
Associated Students of the University of Alaska Fairbanks
isd@asuaf.org, 907-474-7601

------------------------------

Date: Wed, 13 Aug 2003 09:53:02 -0800
Subject: Re: Fwd: Distributing OpenOffice to schools
From: fgdowding@iceworm-enterprises.net (Fielder George Dowding)

Greetings all,

Yes, I am for this sort of activity. I have found there is little interest in alternatives to Microsoft products in the not-for-profit and educational community (that part where I have rubbed elbows). There seems to be sufficient support from other not-for-profit organizations such as Foracre (? I still can't remember how to spell it) and various Alaska Native corporations. Thus, there is little incentive for an educational institution to switch from what is now perceived as the mainstream. Therefore, just presenting, say, the Anchorage School District, with a number of free CD's will probably be a waste of time and effort.

I am the first to admit I don't have a good suggestion. I hope there are others on this list who can come up with a reasonable plan. I suspect it will require a combination of personal contact, on-site demonstration, and some level of commitment to support.

Well, there is my $1.50. fgd.

On Wed, Aug 13, 2003 at 09:18:32AM -0800, Joshua J. Kugler wrote:
>
> Something that might be interesting, especially in light of the recent budget
> cuts for education.
>
> j----- k-----
>
> ---------- Forwarded Message ----------
> Subject: [CVALE] Distributing OpenOffice to schools
> Date: Tue, 12 Aug 2003 22:44:19 -0800
> From: "Lincoln Peters" <lincoln_peters@hotmail.com>(by way of "Joshua J.
> Kugler" <jkugler@bigfoot.com>)
> To: isd@asuaf.org
>
> Perhaps the group has already heard about this (the Linux community in
> Northern California has been spreading the word much faster than I
> expected), but here it is:
>
> The OpenOffice.org team has announced to Schoolforge that it intends to
> launch an education campaign in October (when OpenOffice 1.1 is released)
> and put as many copies of OpenOffice in the hands of students and teachers
> as possible.
>
> Is anyone here interested in burning and distributing OpenOffice CD's to
> public schools? At some time in the near future, they will release an ISO
> with OpenOffice 1.1 that supports Windows auto-run, so if you are
> interested, you should not start burning CD's just yet (I can notify the
> group when the official ISO is available).
>
> This project is being coordinated by "ian" (ian.lynch2@ntlworld.com), an
> OpenOffice.org developer. There does not appear to be any information on
> the OpenOffice.org website yet, but I can provide information (and URL's)
> as soon as I receive it.
>
> -------------------------------------------------------
>
> Joshua Kugler, Information Services Director
> Associated Students of the University of Alaska Fairbanks
> isd@asuaf.org, 907-474-7601

-- 
Fielder George Dowding, Chief Iceworm            .-.
dba Iceworm Enterprises, Anchorage, Alaska       /v\    Debian/GNU Linux
Since 1976 - Over 25 Years of Service.          // \\   "Woody" v3.0r1
                                               /(   )\  User Number 269482
                                                ^^-^^
Windows there are none in our houses: for the light comes to
us alike in our homes and out of them, by day and by night,
equally at all times and in all places, whence we know not.
"Flatland", by A. Square (Edwin A. Abbott) 1884

------------------------------

Date: Wed, 13 Aug 2003 10:31:11 -0800 (AKDT)
From: "Peter Q. Olsson" <olsson@koyukuk.at.uaa.alaska.edu>
Subject: Re: Multi-Card Reader

Jim (and Neil)-

This is a very good point. I know that CF and Sony memory stick are vfat FSs, but SD does not necessarily have to be. That is certainly a potential wrinkle...

PQO

> Neil,
>
> Is the SD Card formatted, and is it formatted vfat? I don't believe you can
> mount a drive unless it's formatted in a recognized format.
>
> Jim Gribbin

 __________________________________________________________________
|                                                                  |
| Dr. Peter Q. Olsson,                                             |
| Chief Scientist, Alaska Experimental Forecast Facility           |
| University of Alaska Anchorage                                   |
| 2811 Merrill Field Drive                                         |
| Anchorage, AK 99501                                              |
| voice: (907) 264-7449                                            |
| fax  : (907) 264-7444                                            |
| olsson@aeff.at.uaa.alaska.edu                                    |
|__________________________________________________________________|

------------------------------

Date: Wed, 13 Aug 2003 12:13:23 -0800
Subject: Re: Fwd: Distributing OpenOffice to schools
From: fgdowding@iceworm-enterprises.net (Fielder George Dowding)

My son, George, is heading toward Clemson University for their graduate program in computer science. He just called from a rest stop west of Columbia, Missouri. I decided to visit the Clemson web site and check out the CS Department.

I was not surprised to find reference to a Microsoft site license. Here it is:

http://dcit.clemson.edu/pub/homepage/microsoft.html

This illustrates my concern that just distributing OpenOffice CD's is not going to make much of a dent in the mind set of not-for-profits, including educational institutions. The IT departments have a stake in this. Their careers are on the line. To accept a free CD even for evaluation would suggest they have not been doing their job.

Perhaps someone on the list can find out what institutions have MS site licenses. It seems that MS Office and Windows are like Siamese Twins.

I do want to have free CD's available. IT Expo is coming up. There will be educators and other not-for-profits attending. All I have is questions at this point.

Cheerio! fgd.
-- 
Fielder George Dowding, Chief Iceworm            .-.
dba Iceworm Enterprises, Anchorage, Alaska       /v\    Debian/GNU Linux
Since 1976 - Over 25 Years of Service.          // \\   "Woody" v3.0r1
                                               /(   )\  User Number 269482
                                                ^^-^^
Windows there are none in our houses: for the light comes to
us alike in our homes and out of them, by day and by night,
equally at all times and in all places, whence we know not.
"Flatland", by A. Square (Edwin A. Abbott) 1884

------------------------------

From: bryan@ak.net
Date: Wed, 13 Aug 2003 13:58:49 -0800
Subject: Re: Eterm geometry

On Wed, Aug 13, 2003 at 04:26:53AM -0800, David J. Weller-Fahy <dave-lists-aklug@weller-fahy.com> wrote:
>
> * bryan@ak.net <bryan@ak.net> [2003-08-12 22:56]:
> > My Eterm 0.8.9 will accept the -g geometry option, but doesn't obey
> > it. If I start a regular Eterm, it comes up as 80x22, and a login
> > shell Eterm comes up as 80x23, no matter what.
>
> Hrmmm... Have you tried adding the X and Y coord options?
>
> Example: '-g 800x600+1+1'
>
> Also, you could try using the long version of the -g option, --geometry.
> Other than that, not sure.

Nope, doesn't work either. Don't worry about it -- I found a way to get what I want without the geometry option. Don't ask me how -- it's too embarrassing.

-- 
Bryan Medsker
bryan@ak.net

------------------------------

Date: Wed, 13 Aug 2003 14:04:51 -0800 (AKDT)
From: "Peter Q. Olsson" <olsson@koyukuk.at.uaa.alaska.edu>
Subject: Re: Fwd: Distributing OpenOffice to schools

Fielder-

To the best of my knowledge UAA has site licenses for various flavors of Windoz (xp, etc) and for MS-office 2000. The corporate mentality of UAA-IT is such that I can never see them taking a plunge into open-source software. There is a desire to have identical software, to the point of discussing re-imaging hard drives every 6 months. Got to admit that from a underfunded IT support point of view, it is attractive.

Could be that as M$ pursues more and more heinous license policies, this view may change, but not for the present.

> Date: Wed, 13 Aug 2003 12:13:23 -0800
> From: fgdowding@iceworm-enterprises.net (Fielder George Dowding)
> To: aklug@aklug.org
> Subject: Re: Fwd: Distributing OpenOffice to schools
>
> My son, George, is heading toward Clemson University for their graduate
> program in computer science. He just called from a rest stop west of
> Columbia, Missouri. I decided to visit the Clemson web site and check
> out the CS Department.
>
> I was not surprised to find reference to a Microsoft site license. Here
> it is:
>
> http://dcit.clemson.edu/pub/homepage/microsoft.html
>
> This illustrates my concern that just distributing OpenOffice CD's is
> not going to make much of a dent in the mind set of not-for-profits
> including educational institutions. The IT departments have a stake in
> this. Their careers are on the line. To accept a free CD even for
> evaluation would suggest they have not been doing their job.
>
> Perhaps someone on the list can find out what institutions have MS site
> licenses. It seems that MS Office and Windows are like Siamese Twins.
>
> I do want to have free CD's available. IT Expo is coming up. There will
> be educators and other not-for-profits attending. All I have is
> questions at this point.
>
> Cheerio! fgd.
> -- 
> Fielder George Dowding, Chief Iceworm            .-.
> dba Iceworm Enterprises, Anchorage, Alaska       /v\    Debian/GNU Linux
> Since 1976 - Over 25 Years of Service.          // \\   "Woody" v3.0r1
>                                                /(   )\  User Number 269482
>                                                 ^^-^^
> Windows there are none in our houses: for the light comes to
> us alike in our homes and out of them, by day and by night,
> equally at all times and in all places, whence we know not.
> "Flatland", by A. Square (Edwin A. Abbott) 1884

 __________________________________________________________________
|                                                                  |
| Dr. Peter Q. Olsson,                                             |
| Chief Scientist, Alaska Experimental Forecast Facility           |
| University of Alaska Anchorage                                   |
| 2811 Merrill Field Drive                                         |
| Anchorage, AK 99501                                              |
| voice: (907) 264-7449                                            |
| fax  : (907) 264-7444                                            |
| olsson@aeff.at.uaa.alaska.edu                                    |
|__________________________________________________________________|

------------------------------

Date: Wed, 13 Aug 2003 14:24:21 -0800
From: "William F. Fulton" <fulton@gci.net>
Subject: RE: Fwd: Distributing OpenOffice to schools

Another way to look at it is this

Schools are there to teach individuals to exist in the job market. At this time a large majority of businesses continue to pay for and use M$ Office; until we can integrate open source applications into the majority of businesses, it would be foolish for public institutions to use any other product. The problem isn't the mentality of the schools' IT departments, it is the various corporations' insistence on using M$ products. Until we change corporate and government buying practices there is no hope for Open Source anything to have more than a back seat role in education.

William F. Fulton
Northern Lights Automation

-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of Peter Q. Olsson
Sent: Wednesday, August 13, 2003 2:05 PM
To: fgdowding@iceworm-enterprises.net; aklug@aklug.org
Subject: Re: Fwd: Distributing OpenOffice to schools


------------------------------

Date: Wed, 13 Aug 2003 16:27:04 -0600 (MDT)
From: ninjatech@ninjatech.cjb.net
Subject: Poor mans Honeypot ( fun with script kids and worms)

Whenever a huge hole or worm is making the rounds , I like to set up a quick and easy trap to gather information like so.

First I set up a little honey daemon with a simple shell script like this:

#!/bin/bash
#pmp.sh - Poor Man's Pot
#2003 t.c.v. ( Special DCOM Edition :p )
# http://ninjatech.cjb.net
#this can be re-used anytime a major hole comes out and you want to
#get packet captures of attacks to add signatures to your NIDS
#quick and dirty , but it does the job
#requires netcat:
#http://www.atstake.com/research/tools/network_utilities/

#each nc -l serves one client and then exits; rerun the script to keep capturing
#-vv connection info goes to stderr (the terminal), the payload goes to the file
nc -l -p 135 -vv >> loc-srv.txt &
nc -l -p 139 -vv >> netbios-ssn.txt &
nc -l -p 445 -vv >> microsoft-ds.txt &
nc -l -p 593 -vv >> http-rpc-epmap.txt &

#masquerade as vulnerable services and gather data

---------------------------------------------------------------------------------------------------------

Then to make sure my little info grabber doesn't cause me any grief I add a few quick iptables entries to my firewall script that will both , keep track of the origin of attack as well as limit the connection attempts to my listener so I don't get flooded:

# -m limit rate-limits the log entries; LOG is a non-terminating target,
# so the packet continues down the chain to the listener after being logged
$IPTABLES -A INPUT -p tcp --dport 135 -m limit -j LOG \
    --log-prefix "Firewalled packet: loc-srv "

$IPTABLES -A INPUT -p tcp --dport 139 -m limit -j LOG \
    --log-prefix "Firewalled packet: netbios-ssn "

$IPTABLES -A INPUT -p tcp --dport 445 -m limit -j LOG \
    --log-prefix "Firewalled packet: microsoft-ds "

$IPTABLES -A INPUT -p tcp --dport 593 -m limit -j LOG \
    --log-prefix "Firewalled packet: http-rpc-epmap "

--------------------------------------------------------------------------------------------------------------

Ok, now to put it all together:

bash-2.05b$ chmod +x pmp.sh
bash-2.05b$ /etc/init.d/firewall restart    #make sure all the new rules are running

Actually.... let's take a look from the outside without my firewall in place..

bash-2.05b$/etc/init.d/firewall stop

bash-2.05b$nmap -sS -O -F -vv 68.58.*.*

(The 1194 ports scanned but not shown below are in state: closed)
Port       State       Service
443/tcp    open        https
3306/tcp   open        mysql
5555/tcp   open        freeciv
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint: (None)
Uptime 0.003 days (since Wed Aug 13 13:50:12 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=4234777 (Good luck!)
TCP ISN Seq. Numbers: 1B65E8D5 1BBCF99D 1BA07CBF 1B46345C 1B2BAC73 1BF81744
IPID Sequence Generation: All zeros

Hrrrm. Ok , so let's check out our script and see if it does what we want:

bash-2.05b# ./pmp.sh
bash-2.05b# listening on [any] 593 ...
listening on [any] 135 ...
listening on [any] 139 ...
listening on [any] 445 ...

Now I'll ctl ^c the script into the background and see what I look like now

bash-2.05b$ nmap -sS -O -F -vv 68.58.*.*

(The 1189 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
593/tcp    open        http-rpc-epmap
3306/tcp   open        mysql
5555/tcp   open        freeciv
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
OS Fingerprint: (None)
Uptime 0.006 days (since Wed Aug 13 13:50:11 2003)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2755747 (Good luck!)
TCP ISN Seq. Numbers: 2C519537 2CCA6710 2CD8A3CF 2CD66CC6 2C97791E 2CBE9ED6
IPID Sequence Generation: All zeros

Ok, that's better. Good enough to fool a poorly written virus/worm, but probably not an attacker. Let me load up my silly iptables setup (I'll make it available on my site soon), and try it again.

bash-2.05b#/etc/init.d/wall start

bash-2.05b# nmap -sS -O -F -vv 66.58.***.***

(The 1189 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
593/tcp    open        http-rpc-epmap
3306/tcp   open        mysql
5555/tcp   open        freeciv
Device type: firewall|general purpose|PDA
Running (JUST GUESSING) : Checkpoint Windows NT/2K/XP (97%), Linux 2.4.X|2.5.X|2.3.X (97%), Sun Solaris 2.X (87%)
Aggressive OS guesses: Checkpoint SecurePlatform NG FP3 (97%), Linux Kernel 2.4.0 - 2.5.20 w/o tcp_timestamps (97%), Linux Kernel 2.4.0 - 2.5.20 (94%), Linux 2.4.7 (X86) (94%), Linux 2.4.6 as on Sharp Zaurus PDA (91%), Linux Kernel 2.4.20 (91%), Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) (91%), Linux 2.4.18 (91%), Linux Kernel 2.4.18 - 2.5.70 (X86) (88%), Gentoo 1.2 linux (Kernel 2.4.19-gentoo-rc5) (88%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint: (None)
TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2629515 (Good luck!)
TCP ISN Seq. Numbers: 46D1AB1B 468B703A 471EB2EF 4702C84C 46CCE555 470A5F48
IPID Sequence Generation: All zeros

Heh! *Much* better. Now I look like an inferior ( and expensive) firewall product with ds and epmap open to the world. All I have to do is sit back and harvest attack signatures for my NIDS ruleset and send mails to script kids demanding cases of Red Bull lest I turn them over to their ISP. (kidding)

Hope this helps anyone interested in such things.

An in depth version of this , including my nmap-fooling iptables ruleset will be available at http://ninjatech.cjb.net later today or early tomorrow.

If anyone captures any interesting attacks not mentioned on the netsys, bugtraq or vuln-dev lists , please let me know.

-------------------------------------------------------------------------------------------------------------------
pub  1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
     Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
sub  2048g/431F3112 2003-08-10 [expires: 2004-08-09]
-------------------------------------------------------------------------------------------------------------------
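The listener and the flood protection described in the post above, reworked as an added example (this is not the poster's script or ruleset, and it is not on the poster's site). Two things a practitioner hits with the nc version: the classic netcat "-l" serves one client and then exits, so each port captures a single probe, and "-m limit -j LOG" in iptables rate-limits only the log lines (LOG is a non-terminating target, the packet still reaches the listener), so it does not cap connections. The Python below keeps serving, writes source address, timestamp and a hex dump of the payload per port, and enforces a per-source connection budget inside the listener. The port numbers and capture-file names are the post's; the budget (5 connections per source per 60 seconds), the 4 KiB payload cap, the 5-second read timeout and the record layout are my own assumptions.

```python
"""Poor man's honeypot, reworked: one process listens on the bait ports, keeps
serving after the first client (classic netcat -l exits after one), records
source, time and a hex dump of the payload, and enforces a per-source budget."""
import socket
import socketserver
import threading
import time
from collections import defaultdict
from datetime import datetime, timezone

DEFAULT_PORTS = {135: "loc-srv", 139: "netbios-ssn", 445: "microsoft-ds", 593: "http-rpc-epmap"}  # as in pmp.sh
MAX_BYTES = 4096        # cap on captured payload per connection (assumed)
READ_TIMEOUT = 5.0      # seconds to wait on a silent client (assumed)
PER_SOURCE_LIMIT = 5    # connections per source IP per LIMIT_WINDOW (assumed)
LIMIT_WINDOW = 60.0     # seconds (assumed)

def hexdump(data: bytes, width: int = 16) -> str:
    """Hex + ASCII dump so binary RPC payloads are readable in the capture."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {asc}")
    return "\n".join(lines)

def format_record(peer: str, port: int, data: bytes, when: str) -> str:
    """One capture record: ISO timestamp, source IP, destination port, payload."""
    header = f"=== {when} from {peer} to port {port} ({len(data)} bytes)\n"
    return header + (hexdump(data) + "\n" if data else "")

class SourceLimiter:
    """Sliding-window budget of connections per source IP. iptables
    '-m limit -j LOG' only rate-limits log lines (LOG is non-terminating,
    the packet still reaches the listener), so the limit has to live here."""
    def __init__(self, limit: int = PER_SOURCE_LIMIT, window: float = LIMIT_WINDOW):
        self.limit, self.window = limit, window
        self.seen, self.lock = defaultdict(list), threading.Lock()
    def allow(self, ip: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        with self.lock:
            hits = [t for t in self.seen[ip] if now - t < self.window]
            allowed = len(hits) < self.limit
            if allowed:
                hits.append(now)
            self.seen[ip] = hits
            return allowed

class CaptureHandler(socketserver.BaseRequestHandler):
    def handle(self):
        ip = self.client_address[0]
        port = self.server.server_address[1]
        if not self.server.limiter.allow(ip):
            return                      # over budget: close, record nothing
        self.request.settimeout(READ_TIMEOUT)
        buf = b""
        try:
            while len(buf) < MAX_BYTES:
                chunk = self.request.recv(MAX_BYTES - len(buf))
                if not chunk:
                    break               # client closed: whole probe is in buf
                buf += chunk
        except socket.timeout:
            pass                        # client went quiet: keep what arrived
        when = datetime.now(timezone.utc).isoformat()
        self.server.sink(format_record(ip, port, buf, when))

class CaptureServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    def __init__(self, host: str, port: int, sink, limiter: SourceLimiter):
        super().__init__((host, port), CaptureHandler)
        self.sink, self.limiter = sink, limiter

def file_sink(path: str):
    """Append records to a capture file; the lock keeps records intact."""
    lock = threading.Lock()
    def write(record: str) -> None:
        with lock, open(path, "a") as fh:
            fh.write(record)
    return write

def start_listener(port: int, sink, limiter: SourceLimiter, host: str = "0.0.0.0") -> CaptureServer:
    """Bind one port and serve it from a background thread (port 0 = any free port)."""
    srv = CaptureServer(host, port, sink, limiter)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host: str, port: int, payload: bytes) -> None:
    # Minimal client used by the self-test: connect, send, close.
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)

def wait_for(records: list, count: int, timeout: float = 5.0) -> bool:
    # Block until records holds count entries or the timeout passes.
    deadline = time.monotonic() + timeout
    while len(records) < count and time.monotonic() < deadline:
        time.sleep(0.02)
    return len(records) >= count

if __name__ == "__main__":              # ports below 1024 need root
    limiter = SourceLimiter()
    for port, name in DEFAULT_PORTS.items():
        start_listener(port, file_sink(f"{name}.txt"), limiter)
    threading.Event().wait()            # serve until killed
```

Run it as root and it binds the four ports from pmp.sh, writing loc-srv.txt, netbios-ssn.txt and so on with one timestamped, hex-dumped record per connection; the same SourceLimiter is shared by all ports so a scanner walking 135, 139, 445 and 593 spends one budget. The iptables LOG rules from the post still make sense alongside it for the kernel's view of the origin, but they are no longer what keeps the disk from filling.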

------------------------------

Date: Wed, 13 Aug 2003 16:33:09 -0600 (MDT) From: tcv@ninjatech.cjb.net Subject: Poor Mans Honeypot

Whenever a huge hole or worm is making the rounds , I like to set up a quick and easy trap to gather information like so.

First I set up a little honey daemon with a simple shell script like this:

!/bin/bash #pmp.sh - Poor Man's Pot #2003 t.c.v. ( Special DCOM Edition :p ) # http://ninjatech.cjb.net #this can be re-used anytime a major hole comes out and you want to #get packet captures of attacks to add signatures to your NIDS #quick and dirty , but it does the job #requires netcat: #http://www.atstake.com/research/tools/network_utilities/

nc -l -p 135 -vv >> loc-srv.txt & nc -l -p 139 -vv >> netbios-ssn.txt & nc -l -p 445 -vv >> microsoft-ds.txt & nc -l -p 593 -vv >> http-rpc-epmap.txt &

#masquerade as vulnerable services and gather data

---------------------------------------------------------------------------------------------------------

Then to make sure my little info grabber doesn't cause me any grief I add a few quick iptables entries to my firewall script that will both , keep track of the origin of attack as well as limit the connection attempts to my listener so I don't get flooded:

$IPTABLES -A INPUT -p tcp --dport 135 -m limit -j LOG \ --log-prefix "Firewalled packet: loc-srv "

$IPTABLES -A INPUT -p tcp --dport 139 -m limit -j LOG \ --log-prefix "Firewalled packet: netbios-ssn "

$IPTABLES -A INPUT -p tcp --dport 445 -m limit -j LOG \ --log-prefix "Firewalled packet: microsoft-ds "

$IPTABLES -A INPUT -p tcp --dport 593 -m limit -j LOG \ --log-prefix "Firewalled packet: http-rpc-epmap "

--------------------------------------------------------------------------------------------------------------

Ok , now to put it all together: bash-2.05b$chmod +x pmp.sh bash-2.05b$/etc/init.d/firewall restart #make sure all the new rules are running

Actually.... let's take a look from the outside without my firewall in place..

bash-2.05b$/etc/init.d/firewall stop

bash-2.05b$nmap -sS -O -F -vv 68.58.*.*

(The 1194 ports scanned but not shown below are in state: closed) Port State Service 443/tcp open https 3306/tcp open mysql 5555/tcp open freeciv Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux Kernel 2.4.0 - 2.5.20 OS Fingerprint: (None) Uptime 0.003 days (since Wed Aug 13 13:50:12 2003) TCP Sequence Prediction: Class=random positive increments Difficulty=4234777 (Good luck!) TCP ISN Seq. Numbers: 1B65E8D5 1BBCF99D 1BA07CBF 1B46345C 1B2BAC73 1BF81744 IPID Sequence Generation: All zeros

Hrrrm. Ok , so let's check out our script and see if it does what we want:

bash-2.05b# ./pmp.sh bash-2.05b# listening on [any] 593 ... listening on [any] 135 ... listening on [any] 139 ... listening on [any] 445 ...

Now I'll ctl ^c the script into the background and see what I look like now

bash-2.05b$nmap -sS -O -F -vv 68.58.*.* (The 1189 ports scanned but not shown below are in state: closed) Port State Service 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 593/tcp open http-rpc-epmap 3306/tcp open mysql 5555/tcp open freeciv Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux Kernel 2.4.0 - 2.5.20 OS Fingerprint: (None) Uptime 0.006 days (since Wed Aug 13 13:50:11 2003) TCP Sequence Prediction: Class=random positive increments Difficulty=2755747 (Good luck!) TCP ISN Seq. Numbers: 2C519537 2CCA6710 2CD8A3CF 2CD66CC6 2C97791E 2CBE9ED6 IPID Sequence Generation: All zeros

Ok , that's better. Good enough to fool a poorly written virus/worm/ , but probably not an attacker. Let me load up my silly iptables setup ( I'll make it available on my site soon), and try it again.

bash-2.05b#/etc/init.d/wall start

bash-2.05b# nmap -sS -O -F -vv 66.58.***.***

(The 1189 ports scanned but not shown below are in state: closed) Port State Service 80/tcp open http 135/tcp open loc-srv 139/tcp open netbios-ssn 443/tcp open https 445/tcp open microsoft-ds 593/tcp open http-rpc-epmap 3306/tcp open mysql 5555/tcp open freeciv Device type: firewall|general purpose|PDA Running (JUST GUESSING) : Checkpoint Windows NT/2K/XP (97%), Linux 2.4.X|2.5.X|2.3.X (97%), Sun Solaris 2.X (87%) Aggressive OS guesses: Checkpoint SecurePlatform NG FP3 (97%), Linux Kernel 2.4.0 - 2.5.20 w/o tcp_timestamps (97%), Linux Kernel 2.4.0 - 2.5.20 (94%), Linux 2.4.7 (X86) (94%), Linux 2.4.6 as on Sharp Zaurus PDA (91%), Linux Kernel 2.4.20 (91%), Linux 2.5.25 - 2.5.70 or Gentoo 1.2 Linux 2.4.19 rc1-rc7) (91%), Linux 2.4.18 (91%), Linux Kernel 2.4.18 - 2.5.70 (X86) (88%), Gentoo 1.2 linux (Kernel 2.4.19-gentoo-rc5) (88%) No exact OS matches for host (test conditions non-ideal). TCP/IP fingerprint: (None) TCP Sequence Prediction: Class=random positive increments Difficulty=2629515 (Good luck!) TCP ISN Seq. Numbers: 46D1AB1B 468B703A 471EB2EF 4702C84C 46CCE555 470A5F48 IPID Sequence Generation: All zeros

Heh! *Much* better. Now I look like an inferior (and expensive) firewall product with ds and epmap open to the world. All I have to do is sit back and harvest attack signatures for my NIDS ruleset and send mails to script kids demanding cases of Red Bull lest I turn them over to their ISP. (kidding)

Hope this helps anyone interested in such things.

An in-depth version of this, including my nmap-fooling iptables ruleset, will be available at http://ninjatech.cjb.net later today or early tomorrow. (Sorry in advance about the annoying pop-up.)

If anyone captures any interesting attacks not mentioned on the netsys, bugtraq or vuln-dev lists, please let me know.

-------------------------------------------------------------------------------------------------------------------
pub  1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
     Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
sub  2048g/431F3112 2003-08-10 [expires: 2004-08-09]
-------------------------------------------------------------------------------------------------------------------
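Reading the two scans above the way a defender would, as an added example that is not part of the original post: a small parser for nmap's normal-output text (port table, exact "OS details" match and the ranked "Aggressive OS guesses"), plus a baseline check for open TCP services. The scan text inside it is a constructed sample trimmed from the post's own output; the allow-list {80, 443} is an assumption.

```python
import re

# Constructed samples: the post's two scans, trimmed to the lines that matter.
SCAN_BEFORE = """\
Port       State       Service
80/tcp     open        http
445/tcp    open        microsoft-ds
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
"""
SCAN_AFTER = """\
Port       State       Service
80/tcp     open        http
445/tcp    open        microsoft-ds
593/tcp    open        http-rpc-epmap
Device type: firewall|general purpose|PDA
Aggressive OS guesses: Checkpoint SecurePlatform NG FP3 (97%), Linux Kernel 2.4.0 - 2.5.20 w/o tcp_timestamps (97%), Linux 2.4.7 (X86) (94%)
No exact OS matches for host (test conditions non-ideal).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")   # "80/tcp  open  http"
GUESS_RE = re.compile(r"(.+?)\s+\((\d+)%\)")                # "<name> (97%)"


def parse_scan(text):
    """Extract the port table, the 'OS details' exact match (None if nmap gave
    none) and the 'Aggressive OS guesses' as (name, confidence%) pairs."""
    ports, guesses, exact = [], [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif line.startswith("Aggressive OS guesses:"):
            body = line.split(":", 1)[1]
            guesses = [(n.strip(" ,"), int(p)) for n, p in GUESS_RE.findall(body)]
        elif line.startswith("OS details:"):
            exact = line.split(":", 1)[1].strip()
    return {"ports": ports, "guesses": guesses, "exact": exact}


def top_os(result):
    """What a scanner most likely concludes: the exact match if nmap found one,
    otherwise the first highest-confidence guess, or None if there is neither."""
    if result["exact"]:
        return result["exact"]
    return max(result["guesses"], key=lambda g: g[1])[0] if result["guesses"] else None


def unexpected_exposure(result, allowed_tcp):
    """Defender's check: open TCP services that the baseline allow-list does not cover."""
    return sorted((p, s) for p, proto, st, s in result["ports"]
                  if st == "open" and proto == "tcp" and p not in allowed_tcp)
```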

------------------------------

From: bryan@ak.net
Date: Wed, 13 Aug 2003 14:45:39 -0800
Subject: Re: Fwd: Distributing OpenOffice to schools

On Wed, Aug 13, 2003 at 02:24:21PM -0800, William F. Fulton <fulton@gci.net> wrote:
>
> Another way to look at it is this
>
> Schools are there to teach individuals to exist in the job market at
> this time a large majority of businesses continue to pay for and use M$
> Office until we can integrate open source applications into the majority
> of businesses it would be foolish for public institutions to use any
> other product. The problem isn't the IT departments of the schools
> mentality it is the various corporations' insistence on using M$
> products. Until we change corporate and government buying practices
> there is no hope for Open Source anything to have more than a back seat
> role in education.

I see your point, but I don't entirely agree. Education is a lot more than just job training. As an example, Pascal is used (and in fact designed) for teaching programming skills. It's rarely used in the job market, but once a person learns how to program, moving to another language is not so hard. The general skills and thought processes are what the education is about.

As another example, Apple II series computers were used forever in schools, even into the 90s, when IBM PCs and compatibles were the norm in business. Once you know how computers work, moving to a new platform is no big deal. It's the same with productivity software. Once you know how to use office programs effectively, how much effort would it take to move from OpenOffice to MS Office?

Besides, the open source movement is making rapid progress. By the time today's freshmen graduate, Linux and OpenOffice may be, if not as popular as MS products, at least widely used alternatives. Would it have made sense to avoid teaching students about this new Windows thing that's catching on while most businesses were still using DOS?

--
Bryan Medsker
bryan@ak.net

------------------------------

Date: Wed, 13 Aug 2003 15:08:24 -0800
From: "William F. Fulton" <fulton@gci.net>
Subject: RE: Fwd: Distributing OpenOffice to schools

Well-conceived rebuttal. I agree with you that schools should be doing more than just teaching for the job market, but alas, they pretty much are. As for the switch from Apple to IBM compatibles, that illustrates my point: the schools refused to switch until pressures from the market made it impossible for them to continue ignoring the fact that the majority had begun using PCs.

I am in no way arguing that schools should be wasting their money on M$ crap. I'm just saying that the initiative would be better served by getting Linux and other open source products on the desktops of businesses; then, and only then, will it force the behemoth that is our public education system to turn around and take a look at us.

William F. Fulton
Northern Lights Automation

-----Original Message-----
From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf Of bryan@ak.net
Sent: Wednesday, August 13, 2003 2:46 PM
To: aklug@aklug.org
Subject: Re: Fwd: Distributing OpenOffice to schools


---------
To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.

------------------------------

Date: Wed, 13 Aug 2003 15:11:59 -0800
From: LT <lee@afabco.com>
Subject: problems with cygwin/Xfree86 xdmcp access on mandrake 9.1 host

hey folks,

I'm starting to dip a toe into thin clients using XFree86.

I've got a mandrake 9.1 box to use as a host, and I'm using xdmcp to connect to it:

 1055 ?        S      0:00 /usr/bin/mdkkdm -nodaemon
 1056 ?        S      1:57 /usr/bin/mdkkdm_greet

I've got a windows 98SE box that I'm using as a client. It has both starnet's xwin32 and cygwin xfree86. I can get a login screen when I use the starnet, log in, get a {kde, icewm} desktop, have a blast.

But when I try to use the cygwin, all I get is a blank grey screen.

Googling, the log entries are typical of a lot of issues, but none seemed to fix my particular problem here. So any ideas would be helpful and welcome.

thx,

Lee

PS happy bday debian!

---------------

Here are the commands I use from a cygwin bash shell:

xwin.exe -query 192.168.12.5 &

Here's the log:

Aug 13 14:47:31 bridget mdkkdm[23276]: server open failed for 0.0.0.0:0, giving up
Aug 13 14:47:31 bridget mdkkdm[1055]: Display 0.0.0.0:0 cannot be opened

-----------

Also, I tried, just on a lark:

xwin.exe :1 -query 192.168.12.5 &

Log:

Aug 13 14:54:36 bridget mdkkdm[23441]: server open failed for 0.0.0.0:1, giving up
Aug 13 14:54:36 bridget mdkkdm[1055]: Display 0.0.0.0:1 cannot be opened

-------------------

here's the /etc/hosts on the host box:

127.0.0.1        localhost
192.168.110.222  tech

(tech is the windows box I'm using for a client)

-------------------

here's the /etc/hosts (as seen from a cygwin bash prompt) on the client win98se box:

127.0.0.1        localhost
192.168.12.5     bridget

(bridget is the name of the mandrake host box)

-------------------

It seems to me the big glaring neon idiot sign is the 0.0.0.0 in the logs; shouldn't it be 192.168.110.222, or at least 192.168.110.0?

But the name resolutions appear to be working...

I have an ipsec tunnel set up between my 192.168.12. net and my 192.168.110. net. I can ping and nmap boxen on both subnets.

My first inclination would be to assume an issue with the vpn, except that the starnet Xstuff works.

-------------------

Here's the [Xdmcp] entry in /usr/share/config/kdm/kdmrc:

[Xdmcp]
Enable=true
KeyFile=/etc/X11/xdm/xdm-keys
Willing=
Xaccess=/etc/X11/xdm/Xaccess
Port=177

--------------------

Here's the whole kdmrc:

[Desktop0]
BackgroundMode=Flat
BlendBalance=100
BlendMode=NoBlending
ChangeInterval=60
Color1=33,68,156
Color2=192,192,192
CurrentWallpaper=0
LastChange=0
MinOptimizationDepth=1
MultiWallpaperMode=NoMulti
Pattern=
Program=
ReverseBlending=false
UseSHM=false
Wallpaper=/usr/share/mdk/backgrounds/default.png
WallpaperList=
WallpaperMode=Scaled

[General]
PidFile=/var/run/xdm.pid
Xservers=/etc/X11/xdm/Xservers

[Shutdown]
HaltCmd=/sbin/halt
LiloCmd=/sbin/lilo
LiloMap=/boot/map
RebootCmd=/sbin/reboot
UseLilo=true

[X-*-Core]
AllowNullPasswd=false
AllowRootLogin=false
AllowShutdown=Root
AutoReLogin=false
Reset=
Resources=/etc/X11/xdm/Xresources
Session=/etc/X11/xdm/Xsession
Setup=
Startup=
SystemPath=/usr//bin:/sbin:/usr/sbin:/bin:/usr/bin::/usr/local/bin
UserPath=/usr//bin:/bin:/usr/bin::/usr/local/bin

[X-*-Greeter]
AntiAliasing=true
AuthComplain=false
EchoMode=OneStar
FailFont=Sans,12,-1,5,75,0,0,0,0,0
FocusPasswd=false
GUIStyle=Galaxy
ColorScheme=Galaxy
GreetFont=Sans,24,-1,5,50,0,0,0,0,0
GreetString=Welcome to %n
GreeterPosFixed=false
GreeterPosX=0
GreeterPosY=0
HiddenUsers=adm,bin,daemon,games,halt,lp,mail,news,nobody,operator,root,rpc,rpcuser,rpm,shutdown,sshd,sync,uucp,xfs,
Language=en_US
LogoArea=None
LogoPixmap=
MaxShowUID=65535
MinShowUID=500
PreselectUser=None
SelectedUsers=
SessionTypes=KDE,IceWM,failsafe,default
SortUsers=true
StdFont=Sans,12,-1,5,50,0,0,0,0,0
ShowUsers=None

[X-:*-Core]
AllowNullPasswd=true
AllowRootLogin=true
AllowShutdown=None
NoPassEnable=false
NoPassUsers=

[X-:0-Core]
Authorize=true
AutoLogin1st=true
AutoLoginEnable=false
Reset=/etc/X11/xdm/TakeConsole
Setup=/etc/X11/xdm/Xsetup_0
Startup=/etc/X11/xdm/GiveConsole

[X-:1-Core]
Authorize=true

[Xdmcp]
Enable=true
KeyFile=/etc/X11/xdm/xdm-keys
Willing=
Xaccess=/etc/X11/xdm/Xaccess
Port=177

-------------------

Here's the /etc/X11/kdm/Xaccess:

# $XConsortium: Xaccess,v 1.5 91/08/26 11:52:51 rws Exp $
#
# Access control file for XDMCP connections
#
# To control Direct and Broadcast access:
#
#	pattern
#
# To control Indirect queries:
#
# 	pattern		list of hostnames and/or macros ...
#
# To use the chooser:
#
#	pattern		CHOOSER BROADCAST
#
# or
#
#	pattern		CHOOSER list of hostnames and/or macros ...
#
# To define macros:
#
#       %name		list of hosts ...
#
# The first form tells xdm which displays to respond to itself.
# The second form tells xdm to forward indirect queries from hosts matching
# the specified pattern to the indicated list of hosts.
# The third form tells xdm to handle indirect queries using the chooser;
# the chooser is directed to send its own queries out via the broadcast
# address and display the results on the terminal.
# The fourth form is similar to the third, except instead of using the
# broadcast address, it sends DirectQuerys to each of the hosts in the list
#
# In all cases, xdm uses the first entry which matches the terminal;
# for IndirectQuery messages only entries with right hand sides can
# match, for Direct and Broadcast Query messages, only entries without
# right hand sides can match.
#

*					#any host can get a login window

#
# To hardwire a specific terminal to a specific host, you can
# leave the terminal sending indirect queries to this host, and
# use an entry of the form:
#

#terminal-a	host-a

#
# The nicest way to run the chooser is to just ask it to broadcast
# requests to the network - that way new hosts show up automatically.
# Sometimes, however, the chooser can't figure out how to broadcast,
# so this may not work in all environments.
#

*		CHOOSER BROADCAST	#any indirect host can get a chooser

#
# If you'd prefer to configure the set of hosts each terminal sees,
# then just uncomment these lines (and comment the CHOOSER line above)
# and edit the %hostlist line as appropriate
#

#%hostlist	host-a host-b

#*		CHOOSER %hostlist	#

-----------------------------------

--
LT <lee@afabco.com>

Switched over to the GNOME display manager (gdm) instead of the Mandrake/KDE manager.

Access was still being denied, but at least the IP address was showing up correctly in the log.

The final piece (as far as gdm is concerned) is putting the clients' IP addresses/subnets into the /etc/hosts.allow file.

Later,

Lee
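To see what the Xaccess above actually grants, here is an added example (not from the post, and not xdm's own code) that applies the matching rules stated in that file's comments: the first entry matching the terminal wins, Direct/Broadcast queries consider only entries without a right-hand side, and Indirect queries only entries with one. The sample file is constructed from the post's Xaccess with its commented-out hostlist lines enabled; hostname `tech` is the post's client, and `!` negation patterns are not modelled.

```python
from fnmatch import fnmatch

# Constructed sample: the post's Xaccess plus its commented-out hostlist
# lines enabled, so both kinds of indirect entry appear.
SAMPLE_XACCESS = """\
# Access control file for XDMCP connections
*               #any host can get a login window
%hostlist       host-a host-b
tech            CHOOSER %hostlist       #indirect queries from tech: chooser over the list
*               CHOOSER BROADCAST       #any indirect host can get a chooser
"""

def parse_xaccess(text):
    """Return (entries, macros); an entry is (pattern, rhs_words), with rhs_words
    empty for a Direct/Broadcast entry (the file's first form)."""
    entries, macros = [], {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not words:
            continue
        if words[0].startswith("%"):
            macros[words[0]] = words[1:]       # %name macro definition
        else:
            entries.append((words[0], words[1:]))
    return entries, macros

def expand(words, macros):
    """Replace %name macros in a right-hand side with the hosts they name."""
    return [h for w in words for h in (macros.get(w, [w]) if w.startswith("%") else [w])]

def decide(entries, macros, display_host, query):
    """xdm's rule: the first entry matching the terminal wins, but Direct/Broadcast
    queries see only entries without a right-hand side and Indirect queries only
    entries with one. Direct -> True/False; Indirect -> host list, ("CHOOSER", hosts) or None."""
    for pattern, rhs in entries:
        if not fnmatch(display_host, pattern):  # '*' wildcards only; '!' negation not modelled
            continue
        if query == "indirect" and rhs:
            return ("CHOOSER", expand(rhs[1:], macros)) if rhs[0] == "CHOOSER" else expand(rhs, macros)
        if query != "indirect" and not rhs:
            return True
    return None if query == "indirect" else False

def open_to_any_host(entries):
    """Audit: a bare '*' Direct entry lets every XDMCP client request a login
    window, which is why the post ends up restricting clients in /etc/hosts.allow."""
    return any(p == "*" and not rhs for p, rhs in entries)
```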

------------------------------

End of aklug Digest V2 #188
***************************

--
LT <lee@afabco.com>




This archive was generated by hypermail 2a23 : Wed Aug 13 2003 - 18:25:05 AKDT