mailing list archives
ABfrag followup / WITHOUT ATTACHMENT
From: daniel.roberts () hushmail com
Date: Thu, 24 Oct 2002 07:38:36 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Due to legal restrictions in the ABfrags output the Securityfocus staff are
refusing to distribute the binary on any of their lists and I do not have the
time or patience to reply to each repondant individually.
It is quite frankly staggering to see politics playing such a role in the
security of my organization's infrastrcuture.
If anybody could email offering a _PUBLIC_ place for the distribution of this
binary (it seems to be all over several IRC networks and I have recieved two
other reports of similar compromise from subscribers to these lists) then I
will more than happy to provide you with it.
The behaviour that triggered my IDS was rapidly mounting unsequenceable seq
numbers in the TCP stream. There seemed to be a backlog of unsent traffic
from my gateway box causing a rise in the size of the TCP queue in one of
the internal unrouted machines - also a Linux (2.4.17).
Unfortunately a non-disclosure agreement I have signed with my current
employers prohibits me from releasing any IDS logs or even the location
of the network - I am probably sailing a bit close to wind as it is.
As for the gateway machine itself; it was running no server processes and
has very little client activity - only the occasional reboot or reconfiguration.
We had installed the 'grsec' security patch and had enabled non-executable
user pages as a precaution against intrustion. Due to performance hits, however,
we had not enabled ET_DYN or non-executable kernel pages.
Again a very big thankyou to all those who have responded, I will try
to get a personal reply to you all as soon as possible. However, as I'm
sure you can appreciate my current schedule is somewhat hectic.
Head Network Manager
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----
Get your free encrypted email at https://www.hushmail.com
- ABfrag followup / WITHOUT ATTACHMENT daniel . roberts (Oct 24)