-
Re: Ubuntu & Antivirus
In <651smvF2dqskmU4@mid.individual.net> ray:
[Snip...]
[color=blue]
> more accurate to say I've never seen any indication of an infestation[/color]
You see, Ray, it's just more wintroll misdirection. Essentially, they're
demanding you prove there are no Linux viruses--a logical fallacy.
But for the wintards it's easier to demand the impossible from FOSS than
admit PHRICKIN' OBVIOUS ALREADY EXISTING M$ malware, like M$ botnets.
It's classic Flatfish misdirection. Don't waste time with such fools.
--
Regards, Weird (Harold Stevens) * IMPORTANT EMAIL INFO FOLLOWS *
Pardon any bogus email addresses (wookie) in place for spambots.
Really, it's (wyrd) at airmail, dotted with net. DO NOT SPAM IT.
Kids jumping ship? Looking to hire an old-school type? Email me.
-
Re: Ubuntu & Antivirus
On 2008-03-27, Hadron <hadronquark@googlemail.com> wrote:[color=blue]
> Ignoramus17842 <ignoramus17842@NOSPAM.17842.invalid> writes:
>[color=green]
>> On 2008-03-27, Hadron <hadronquark@googlemail.com> wrote:[color=darkred]
>>> Ignoramus17842 <ignoramus17842@NOSPAM.17842.invalid> writes:
>>>
>>>> On 2008-03-27, NoStop <nospam@nospam.com> wrote:
>>>>> Ignoramus17842 wrote:
>>>>>
>>>>>> I am sorry to burst anyone's bubble, but there are linux viruses. A
>>>>>> lot of them spread via bad PHP software. I have seen some in
>>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>>
>>>>> You're not bursting my bubble. Prove it. Show us a linux virus that spreads
>>>>> via bad PHP software.
>>>>
>>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>>
>>>> I run a webserver and frequently see those worms probing my
>>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>>
>>>> i
>>>
>>> If you write correct PHP there is nothing to worry about IMO.[/color]
>>
>> It is very easy to write incorrect PHP code without realizing.
>>[color=darkred]
>>> Most errors occur from buffer overruns caused by entry fields not
>>> correctly escaping/detecting php code which is then "redisplayed" as
>>> a user name or some such but obviously then execed by the php server
>>> instead.[/color]
>>
>> No. That's not the case.[/color]
>
> Explain. That is indeed the case for most PHP based exploits.[/color]
I am not a PHP expert, but this article is very accurate as far as I
know.
[url]http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/[/url]
[color=blue][color=green]
>>[color=darkred]
>>> Having a no php rule is overkill, especially if it's a non submission
>>> site.[/color]
>>
>> The only PHP software that I run, is mediawiki.
>>
>> i[/color]
>
> So you don't have a no PHP rule?
>[/color]
I have a No PHP except Mediawiki rule.
i
-
Re: Ubuntu & Antivirus
Harold Stevens <wookie@aces.localdomain> writes:
[color=blue]
> In <651smvF2dqskmU4@mid.individual.net> ray:
>
> [Snip...]
>[color=green]
>> more accurate to say I've never seen any indication of an infestation[/color]
>
> You see, Ray, it's just more wintroll misdirection. Essentially, they're
> demanding you prove there are no Linux viruses--a logical fallacy.
>
> But for the wintards it's easier to demand the impossible from FOSS than
> admit PHRICKIN' OBVIOUS ALREADY EXISTING M$ malware, like M$ botnets.
>
> It's classic Flatfish misdirection. Don't waste time with such fools.[/color]
Why would anyone waste time with your fan boy rantings either? You're a
silly old fool. Go away.
--
The "XP could sink Microsoft" thread is an absolute gem. You'd think
these advocates were related to Nostradamus!
comp.os.linux.advocacy - where they put the lunacy in advocacy
-
Re: Ubuntu & Antivirus
ray <ray@zianet.com> writes:
[color=blue]
> On Thu, 27 Mar 2008 16:30:00 +0100, Hadron wrote:
>[color=green]
>> ray <ray@zianet.com> writes:
>>[color=darkred]
>>> On Thu, 27 Mar 2008 03:20:24 -0400, Anonymous wrote:
>>>
>>>> William Poaster wrote:
>>>>
>>>>> ray wrote:
>>>>>
>>>>> > On Wed, 26 Mar 2008 22:04:32 +0000, 80 H wrote:
>>>>> >
>>>>> >> I'm about to load and run Ubuntu (Indeed, Linux...) for the first
>>>>> >> time...
>>>>> >>
>>>>> >> I'm using Ubuntu 7.10 on an IBM T40 and plan to use it with a WEP
>>>>> >> wireless PCMCIA link to my current wireless hub. Do I need to use
>>>>> >> an antivirus, or does the security permissions in Linux really
>>>>> >> prevent third parties accessing data on my machine?
>>>>> >>
>>>>> >> Many thanks
>>>>> >>
>>>>> >> A
>>>>> >
>>>>> > I've never run antivirus on Linux. I've been using various
>>>>> > distributions for over five years - currently have five home
>>>>> > systems on the net 14/7/365 via broadband - I've never had an
>>>>> > infestation.
>>>>>
>>>>> I've run Linux distributions of one sort or another for 10/11 years &
>>>>> never used an AV. AV applications are only any use if you have
>>>>> windoze machines in your network, to stop them getting infected.
>>>>
>>>> My av software sorts out all manner of "cross platform" nasties like
>>>> html tricks and phishing scams.
>>>>
>>>> Are you saying that's of no use to anyone?
>>>
>>> I would not say "of no use to anyone" - but certainly not necessary to
>>> keep the machine safe and secure.[/color]
>>
>> A sensible answer.
>>
>> Unfortunately though the usual blowhards have totally missed the point
>> here : it's a point about security as much as about one form of
>> compromising security .
>>
>> Here the more important issue was the WEP. It makes hardly any
>> difference, only good, if he does install an AV for Linux.
>>
>> But using WEP is tantamount to idiocy if his data must remain secure.[/color]
>
> I'm certainly not a security expert, but it would seem to me that steps
> like: not broadcasting essid and having a list of approved MAC addresses
> for connection would go a long way.[/color]
You're correct you are not. And you are wrong. They go a little way. MAC
addresses can be forged easily.
The issue is this:
Can the average home user hack your WEP stream?
Answer: No
Can the average competent Linux user do it?
Answer: probably
Does the average passer by even give a **** about your data?
Answer: No
MUST your data be as secure as possible?
Answer: Yes.
The last one is the key. If your data MUST be secure then using WEP
is pointless since someone MIGHT decide to try out your link.
And in this day and age you DO NOT want someone piggy backing on your
link either. Do you want some neighbour downloading kiddy porn from your
router? No? I didn't think so.
Bottom line : do not use WEP if you can at all help it.
See the previous link I posted.
--
The "XP could sink Microsoft" thread is an absolute gem. You'd think
these advocates were related to Nostradamus!
comp.os.linux.advocacy - where they put the lunacy in advocacy
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> Beauregard T. Shagnasty wrote:[color=green]
>> Ignoramus17842 wrote:[color=darkred]
>>> NoStop <nospam@nospam.com> wrote:
>>>> Ignoramus17842 wrote:
>>>>> I am sorry to burst anyone's bubble, but there are linux viruses.
>>>>> A lot of them spread via bad PHP software. I have seen some in
>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>
>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>> spreads via bad PHP software.
>>>
>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url][/color]
>>
>> Those old references do not actually prove these are Linux viruses or
>> worms. It would seem that if a Windows web server was running
>> three-year old unpatched PHP or CGI script, the result would be the
>> same.[/color]
>
> Sure. If a windows server was running that crap, it would be infected
> too. Which is the whole point.[/color]
But it was not the point you were alluding to, which is, "but there are
linux viruses." No, they are web server application software
vulnerabilities, and not Linux vulns - or viruses. A hacking attempt is
not a virus, either. A PHP (Perl, ASP, C++, DotNet, etc) security hole
is not a virus, either.
I would define a virus as a self-replicating 'program'.
[color=blue][color=green]
>> Notice too, from your third link, that nearly all of the vulns are
>> cgi scripts. Still nothing to do with Linux.[/color]
>
> It has everything to do with linux if they run on Linux.[/color]
See above. Hacking attempts do not "run on Linux."
[color=blue][color=green][color=darkred]
>>> I run a webserver and frequently see those worms probing my
>>> webserver. I do not get infected since I have an anti-PHP policy.[/color]
>>
>> Does that mean you don't use PHP in the sites you write? Or don't
>> visit sites made with PHP?[/color]
>
> That means that I do not use PHP on any server that I host, with the
> exception of mediawiki.[/color]
...so "I do not use PHP" is not true, then. If you use that wiki, PHP is
installed - and available - on your server. You'd better be careful!
[color=blue][color=green]
>> I use hand-coded PHP for all my sites, and with no third-party
>> scripts or "cgi", and have yet to discover a vulnerability. Yes,
>> they are all hosted on Linux servers running cPanel.[/color]
>
> If no one knows what code you are writing, you most likely will be
> safe from automated attacks. But if your hand written code has
> vulnerabilities, and someone wants to hack you specifically, chances
> are good that you will be hacked.[/color]
Well, it hasn't happened in many years...
[color=blue]
> Also if you are on shared hosting, most likely other users of that
> hosting would be able to see the source code of your script.[/color]
I disagree with that statement.
[color=blue]
> I hacked a user of panix.com 12 years ago[/color]
...and the security hole you used hasn't been patched yet, right?
[color=blue]
> because they set up wrong permissions on telnet binary that they
> uploaded to their account ~/bin/telnet (telnetting to outside was
> against panix policy and /usr/bin/telnet was mode 710). I then
> changed it to an altered version that was to run a script that I wrote
> to set other permissions to read his email. I am not a pro hacker
> either, it was just a USENET asshole on whom I needed some intel.[/color]
Ah. So it wasn't a Linux vuln, or a PHP vuln, but a user shooting
himself in the foot by not setting up his web site or host correctly.
Still not a Linux vuln.
[color=blue]
> If you are on shared hosting, source code of your scripts is almost
> publicly available (to anyone with $12 to sign up for a month), as,
> most likely, are your database credentials.[/color]
I've used shared hosting for ten years and never been hacked, nor have
my databases.
[color=blue][color=green]
>> Your references would be valid (except for the Linux part) for web
>> authors still using Matt Wright's ten year old insecure formmail
>> script, for example.[/color]
>
> And a lot of other things.[/color]
I did say Matt's well-known bad script, "for example." I regularly get
requests for "cgi/formmail.pl" - which of course does not exist.
[color=blue]
> Security is not simple and PHP is making it very difficult to be
> secure.[/color]
No, of course it is not simple. But your arguments are flawed,
especially when trying to prove "it's a Linux virus."
[color=blue]
> Linux systems are not impervious to viruses. To think otherwise is to
> delude oneself and to invite trouble.[/color]
I've been using Linux at home for about two years and haven't found any
problem with my computers...
--
-bts
-Friends don't let friends drive Vista
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> I am not a PHP expert, but this article is very accurate as far as I
> know.
>
> [url]http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/[/url][/color]
I don't see anywhere on that page where it says "it's a Linux virus."
Of course not. It's poor coding by amateurs, and it doesn't matter if it
is PHP or not. All languages are vulnerable when the coder is an idiot.
[color=blue][color=green][color=darkred]
>>> The only PHP software that I run, is mediawiki.[/color][/color]
>
> I have a No PHP except Mediawiki rule.[/color]
So uninstall the PHP core from your web server and see if Mediawiki
still functions.
--
-bts
-Friends don't let friends drive Vista
-
Re: Ubuntu & Antivirus
On 2008-03-27, Beauregard T. Shagnasty <a.nony.mous@example.invalid> wrote:[color=blue]
> Ignoramus17842 wrote:
>[color=green]
>> Beauregard T. Shagnasty wrote:[color=darkred]
>>> Ignoramus17842 wrote:
>>>> NoStop <nospam@nospam.com> wrote:
>>>>> Ignoramus17842 wrote:
>>>>>> I am sorry to burst anyone's bubble, but there are linux viruses.
>>>>>> A lot of them spread via bad PHP software. I have seen some in
>>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>>
>>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>>> spreads via bad PHP software.
>>>>
>>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>
>>> Those old references do not actually prove these are Linux viruses or
>>> worms. It would seem that if a Windows web server was running
>>> three-year old unpatched PHP or CGI script, the result would be the
>>> same.[/color]
>>
>> Sure. If a windows server was running that crap, it would be infected
>> too. Which is the whole point.[/color]
>
> But it was not the point you were alluding to, which is, "but there are
> linux viruses." No, they are web server application software
> vulnerabilities, and not Linux vulns - or viruses.[/color]
If Linux runs it, it is a Linux problem. phpbb is a part of some Linux
distros.
[color=blue]
> A hacking attempt is not a virus, either. A PHP (Perl, ASP, C++,
> DotNet, etc) security hole is not a virus, either.
>
> I would define a virus as a self-replicating 'program'.[/color]
That's exactly what they are.
They exploit the holes, start running on the hacked servers and look
for more servers to hack.
[color=blue][color=green][color=darkred]
>>> Notice too, from your third link, that nearly all of the vulns are
>>> cgi scripts. Still nothing to do with Linux.[/color]
>>
>> It has everything to do with linux if they run on Linux.[/color]
>
> See above. Hacking attempts do not "run on Linux."[/color]
Yes they do. They run on those hacked servers.
[color=blue][color=green][color=darkred]
>>>> I run a webserver and frequently see those worms probing my
>>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>
>>> Does that mean you don't use PHP in the sites you write? Or don't
>>> visit sites made with PHP?[/color]
>>
>> That means that I do not use PHP on any server that I host, with the
>> exception of mediawiki.[/color]
>
> ..so "I do not use PHP" is not true, then. If you use that wiki, PHP is
> installed - and available - on your server. You'd better be careful![/color]
I am trying to be careful indeed and do not run any PHP stuff other
than Mediawiki.
[color=blue][color=green][color=darkred]
>>> I use hand-coded PHP for all my sites, and with no third-party
>>> scripts or "cgi", and have yet to discover a vulnerability. Yes,
>>> they are all hosted on Linux servers running cPanel.[/color]
>>
>> If no one knows what code you are writing, you most likely will be
>> safe from automated attacks. But if your hand written code has
>> vulnerabilities, and someone wants to hack you specifically, chances
>> are good that you will be hacked.[/color]
>
> Well, it hasn't happened in many years...
>[color=green]
>> Also if you are on shared hosting, most likely other users of that
>> hosting would be able to see the source code of your script.[/color]
>
> I disagree with that statement.[/color]
Give it a try. Try to write a PHP or perl CGI script that would get a
listing of the directory one level above your home directory. Then see
if subdirectories of that place have known sub-subdirectories such as
public_html or whatever you can guess based on the naming convention
that your ISP has for mapping websites to directories.
Then find out the websites that run on the same IP as you (there are
web sites to help you do this).
Go from there.
[color=blue][color=green]
>> I hacked a user of panix.com 12 years ago[/color]
>
> ..and the security hole you used hasn't been patched yet, right?[/color]
My hack was based on a user mistake and not on any security hole.
[color=blue][color=green]
>> because they set up wrong permissions on telnet binary that they
>> uploaded to their account ~/bin/telnet (telnetting to outside was
>> against panix policy and /usr/bin/telnet was mode 710). I then
>> changed it to an altered version that was to run a script that I wrote
>> to set other permissions to read his email. I am not a pro hacker
>> either, it was just a USENET asshole on whom I needed some intel.[/color]
>
> Ah. So it wasn't a Linux vuln, or a PHP vuln, but a user shooting
> himself in the foot by not setting up his web site or host correctly.
> Still not a Linux vuln.[/color]
No. But it is a good illustration that getting ****y is a mistake.
[color=blue][color=green]
>> If you are on shared hosting, source code of your scripts is almost
>> publicly available (to anyone with $12 to sign up for a month), as,
>> most likely, are your database credentials.[/color]
>
> I've used shared hosting for ten years and never been hacked, nor have
> my databases.[/color]
So give the above experiment a try.
[color=blue][color=green][color=darkred]
>>> Your references would be valid (except for the Linux part) for web
>>> authors still using Matt Wright's ten year old insecure formmail
>>> script, for example.[/color]
>>
>> And a lot of other things.[/color]
>
> I did say Matt's well-known bad script, "for example." I regularly get
> requests for "cgi/formmail.pl" - which of course does not exist.
>[color=green]
>> Security is not simple and PHP is making it very difficult to be
>> secure.[/color]
>
> No, of course it is not simple. But your arguments are flawed,
> especially when trying to prove "it's a Linux virus."
>[color=green]
>> Linux systems are not impervious to viruses. To think otherwise is to
>> delude oneself and to invite trouble.[/color]
>
> I've been using Linux at home for about two years and haven't found any
> problem with my computers...
>[/color]
I have been using Linux for 13 years (since 1995) and was not hacked
either.
i
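The exposure argued over in the post above (scripts and credentials readable by other accounts on a shared host, and a binary in ~/bin left with the wrong mode) can be checked on your own account. This is an added example, not part of the original thread: it walks a tree and reports only what the "other" permission bits actually expose, following directory traversal rights downward. The demo layout and file names are constructed, the start directory's own parents are assumed to be traversable, and group bits and ACLs are not examined.

```python
import os
import stat
import tempfile


def audit(root):
    """Return [(relative_path, issue)] for entries that other accounts can reach.

    A file only counts as exposed if every directory between `root` and the
    file grants execute (traverse) permission to "other". A directory without
    the read bit cannot be listed, but entries with guessable names inside it
    can still be opened, so listing and traversal are reported separately.
    """
    findings = []

    def visit(path, rel, reachable):
        mode = os.lstat(path).st_mode          # lstat: symlinks are not followed
        if stat.S_ISDIR(mode):
            if reachable and mode & stat.S_IROTH:
                findings.append((rel, "dir-listable"))
            inside = reachable and bool(mode & stat.S_IXOTH)
            for name in sorted(os.listdir(path)):
                child = name if rel == "." else os.path.join(rel, name)
                visit(os.path.join(path, name), child, inside)
        elif stat.S_ISREG(mode) and reachable:
            if mode & stat.S_IWOTH:
                findings.append((rel, "file-writable"))
            if mode & stat.S_IROTH:
                findings.append((rel, "file-readable"))

    # Assumption: the parents of `root` are traversable, as is usual for
    # home directories on a shared host.
    visit(root, ".", True)
    return findings


# Constructed layout modelled on the situations described in the thread.
DEMO_LAYOUT = [
    ("", 0o711),                        # home: traversable, names not listable
    ("public_html/", 0o755),
    ("public_html/index.php", 0o644),   # script source readable by any account
    ("public_html/config.php", 0o600),  # credentials restricted to the owner
    ("bin/", 0o755),
    ("bin/telnet", 0o777),              # anyone can replace this binary
    ("private/", 0o700),
    ("private/notes.txt", 0o644),       # loose mode, but parent blocks access
]


def build_demo_tree():
    """Create the constructed layout in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="perm-audit-")
    for rel, mode in DEMO_LAYOUT:
        path = os.path.join(root, rel)
        if rel == "" or rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(path, mode)            # exact mode, independent of umask
    return root


if __name__ == "__main__":
    for rel, issue in audit(build_demo_tree()):
        print(f"{issue:14} {rel}")
```

Run `audit()` against your real home directory to get the same report; a file that shows up as `file-writable` is the case from the ~/bin/telnet anecdote.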
-
Re: Ubuntu & Antivirus
Harold Stevens wrote:
[color=blue]
> [Newsgroups trimmed to aolu...]
>
> In <47eb7e07$0$14345$e4fe514c@news.xs4all.nl> Dirk T. Verbeek:
>
> [Snip...]
>[color=green]
>> clearly you seem to know more than any other source[/color]
>
> Is this some wintard whining about the Morris Worm, fercryinoutloud?
>
> [url]http://world.std.com/~franl/worm.html[/url]
>
> You'd think wintrolls could find something newer than 20 YEARS. You really
> "care" about net sanitation--start with M$ botnet spam TODAY, 'kay? And it
> doesn't include FOSS cleaning up AFTER deliberate M$ net sewage spews.
>
> Again: M$ better take care of the net, or the net will take care of M$.[/color]
It's probably a wintroll trying to spread FUD, & put people off using Linux.
The trouble is that there are still one or two newbies who fall for it. I've
used one Linux distro or another for 10/11 years & never had any problems. The
main thing is that Linux is inherently more secure than windoze. I *used* to
run an AV when I first started using SuSE linux regularly in the late '90s, &
it was in the SuSE repositories. However, I discovered that the AVs were only
the same as windoze ones, i.e. they were *only* to stop W32 viruses & trojans
being passed to any windoze machines in the network. As I didn't have any, I
stopped installing the AV application. The present AV applications that are in
linux distro repositories are just the same, they are there to stop *windows*
machines being infected in a network.
Only things I run now are a rootkit checker & spamassassin.
--
Mandriva 1 - 2008 - RC2 - 64bit OS.
COLA trolls: [url]http://colatrolls.blogspot.com/[/url]
-
Re: Ubuntu & Antivirus
On Thu, 27 Mar 2008 17:35:16 +0100, Hadron wrote:
[color=blue]
> Can the average home user hack your WEP stream?
>
> Answer: No
>
> Can the average competent Linux user do it?
>
> Answer: probably[/color]
Average home user can definitely crack WEP if they care to try. There
are programs available for both windows and *nix systems as well as step
by step howto's that include links to said software. I haven't
personally used a windows one although I have seen screen shots and it's
basically point and click. I have used airsnort under linux and never
having done it before took me less than 5 minutes using 3 commands. I'd
upgrade those answers to probably and yes respectively.
-will
-
Re: Ubuntu & Antivirus
Will <not@real.org> writes:
[color=blue]
> On Thu, 27 Mar 2008 17:35:16 +0100, Hadron wrote:
>[color=green]
>> Can the average home user hack your WEP stream?
>>
>> Answer: No
>>
>> Can the average competent Linux user do it?
>>
>> Answer: probably[/color]
>
> Average home user can definitely crack WEP if they care to try. There
> are programs available for both windows and *nix systems as well as step
> by step howto's that include links to said software. I haven't
> personally used a windows one although I have seen screen shots and it's
> basically point and click. I have used airsnort under linux and never
> having done it before took me less than 5 minutes using 3 commands. I'd
> upgrade those answers to probably and yes respectively.
>
> -will[/color]
I would have but I didn't want to be accused of over reacting. This NG
has become a hot bed of COLA type "advocates" who take any "truth" as a
direct attack on Linux for some mad reason known only to them.
--
However, my enthusiasm for the modular tree is tempered by some parts of
it not existing.
-- Daniel Stone on debian-{x,devel}, commenting on the
future of X
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> If Linux runs it, it is a Linux problem.[/color]
<sigh>
--
-bts
-Friends don't let friends drive Vista
-
Re: Ubuntu & Antivirus
Beauregard T. Shagnasty wrote:
[color=blue]
> Ignoramus17842 wrote:
>[color=green]
>> If Linux runs it, it is a Linux problem.[/color]
>
> <sigh>
>[/color]
Waste of time, mate.
Mind you, he did admit in comp.os.linux.misc that he trolls, which is why he
changes the number after his "Ignoramus" nym, (which seems to suit him well,
BTW) so he couldn't be quoted on past posts.
--
Mandriva 1 - 2008 - RC2 - 64bit OS.
COLA trolls: [url]http://colatrolls.blogspot.com/[/url]
-
Re: Ubuntu & Antivirus
On 2008-03-27, William Poaster <wp@leafnode.amd64.eu> wrote:[color=blue]
> Beauregard T. Shagnasty wrote:
>[color=green]
>> Ignoramus17842 wrote:
>>[color=darkred]
>>> If Linux runs it, it is a Linux problem.[/color]
>>
>> <sigh>
>>[/color]
> Waste of time, mate.
> Mind you, he did admit in comp.os.linux.misc that he trolls, which is why he
> changes the number after his "Ignoramus" nym, (which seems to suit him well,
> BTW) so he couldn't be quoted on past posts.
>[/color]
All you can do is whine about my posting alias instead of properly
discussing the issue. The question was: can Linux be infected with a
virus. And the answer, that I provided, is "sure, if you happen to
have installed a PHP package with a bug, for example". You can be
disappointed with my posting alias, if you want, but it does not
change the truthfulness of what I said.
And, mind you, I am being a realist here, not a Windows advocate.
Linux has bugs, cracks and viruses. A lot less than Windows, but a
non-zero amount.
Just a month ago any user of most Linux systems could get root
privilege, for at least 2 days.
If you were not aware of it, you need to stay more current on Linux
security instead of thinking that you can walk on water.
Just google 'vmsplice hole'.
i
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> On 2008-03-27, AV3 <arvimide@earthlink.net> wrote:[color=green]
>> Ignoramus17842 wrote:[color=darkred]
>>> On 2008-03-27, NoStop <nospam@nospam.com> wrote:
>>>> Ignoramus17842 wrote:
>>>>
>>>>> I am sorry to burst anyone's bubble, but there are linux viruses. A
>>>>> lot of them spread via bad PHP software. I have seen some in
>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>
>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>> spreads via bad PHP software.
>>>
>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>
>>> I run a webserver and frequently see those worms probing my
>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>
>>> i[/color]
>>
>>
>> Just taking your word for it isn't enough, especially since you are the
>> only detector of such worms on record. For the benefit of the community,
>> please take the time and trouble to give us a full report the next time
>> you encounter a linux worm in the wild. I suspect that with the help of
>> the members of this message group you will find it to be something else.
>>
>>[/color]
>
> How about these entries from my yesterday log file:
>
> /var/log/httpd==>grep 'php ' access_log.1 |grep -v majestic
> 62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com
> 62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /vhcs2/tools/filemanager/login.php HTTP/1.0" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com
> 62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /vhcs2/lostpw.php HTTP/1.0" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com[/color]
To quote George Bush - So?
Cheers.
--
The world can't afford the rich.
Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?
Francis (Frank) adds a new "gadget" to his Vista box ...
Download it here: [url]http://tinyurl.com/2hnof6[/url]
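The access-log entries quoted in the post above are all 404s, which is the difference between a host being probed and a host being compromised. The following added example (not part of the original thread) parses that log format, groups requests by client, flags clients that ask for several nonexistent .php paths in a short burst, and separates "probe-only" clients from those that also received a 2xx response on a .php path. The first three sample lines are the ones from the thread; the remaining lines, the thresholds and the verdict labels are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format with the virtual host appended, as in the quoted lines.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: (?P<vhost>\S+))?$'
)

# Lines 1-3 come from the thread; everything after them is constructed
# (documentation-range addresses, made-up paths).
SAMPLE_LOG = """\
62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /thisdoesnotexistahaha.php HTTP/1.0" 404 301 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com
62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /vhcs2/tools/filemanager/login.php HTTP/1.0" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com
62.93.234.61 - - [21/Mar/2008:19:11:30 -0500] "GET /vhcs2/lostpw.php HTTP/1.0" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" hahaha.com
198.51.100.7 - - [21/Mar/2008:19:12:02 -0500] "GET /wiki/index.php?title=Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686)" hahaha.com
192.0.2.44 - - [21/Mar/2008:19:20:01 -0500] "GET /a/setup.php HTTP/1.0" 404 280 "-" "-" hahaha.com
192.0.2.44 - - [21/Mar/2008:19:20:02 -0500] "GET /b/config.php HTTP/1.0" 404 281 "-" "-" hahaha.com
192.0.2.44 - - [21/Mar/2008:19:20:03 -0500] "GET /c/install.php HTTP/1.0" 404 282 "-" "-" hahaha.com
192.0.2.44 - - [21/Mar/2008:19:20:05 -0500] "GET /uploads/test.php HTTP/1.0" 200 17 "-" "-" hahaha.com
203.0.113.9 - - [21/Mar/2008:19:30:00 -0500] "GET /missing.php HTTP/1.1" 404 270 "-" "Mozilla/5.0 (X11; Linux i686)" hahaha.com
this line is not in access-log format
"""


def parse_line(line):
    """Parse one log line; return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"]),
            "path": m["path"].split("?", 1)[0]}   # drop the query string


def is_burst(events, min_distinct, window):
    """True if at least min_distinct different paths fall inside one window."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        paths = {p for ts, p in events[i:] if ts - start <= window}
        if len(paths) >= min_distinct:
            return True
    return False


def triage(lines, min_distinct=3, window=timedelta(seconds=60)):
    """Return ({ip: details}, skipped_line_count) for clients that look like scanners."""
    missing = defaultdict(list)   # ip -> [(timestamp, path)] answered with 404
    served = defaultdict(set)     # ip -> {path} answered with 2xx
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if not rec["path"].endswith(".php"):
            continue
        if rec["status"] == 404:
            missing[rec["ip"]].append((rec["ts"], rec["path"]))
        elif 200 <= rec["status"] < 300:
            served[rec["ip"]].add(rec["path"])

    report = {}
    for ip, events in missing.items():
        if not is_burst(events, min_distinct, window):
            continue              # a single 404 is more likely a typo or dead link
        hits = sorted(served.get(ip, ()))
        report[ip] = {
            "missing": sorted({p for _, p in events}),
            "served": hits,
            # A scanner that also got a 2xx on a .php path deserves a closer look.
            "verdict": "review" if hits else "probe-only",
        }
    return report, skipped


if __name__ == "__main__":
    result, bad = triage(SAMPLE_LOG.splitlines())
    for ip, info in sorted(result.items()):
        print(ip, info["verdict"], info["missing"], info["served"])
    print("unparsed lines:", bad)
```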
-
Re: Ubuntu & Antivirus
Frank wrote:
[color=blue]
> NoStop wrote:[color=green]
>> Ignoramus17842 wrote:
>>
>>[color=darkred]
>>>I am sorry to burst anyone's bubble, but there are linux viruses. A
>>>lot of them spread via bad PHP software. I have seen some in
>>>action. That's the reason why I avoid PHP where possible.
>>>[/color]
>>
>> You're not bursting my bubble. Prove it. Show us a linux virus that
>> spreads via bad PHP software.
>>
>> Thanks
>>
>> Cheers.
>>[/color]
> Live with it old man. You proly have an infected computer and are not
> even aware of it.
> Ignorance is bliss...LOL!
> Frank[/color]
Sorry numbnuts but no infection here. I don't run Windoze. Those who do run
Windoze live in ignorant bliss.
Cheers.
--
The world can't afford the rich.
Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?
Francis (Frank) adds a new "gadget" to his Vista box ...
Download it here: [url]http://tinyurl.com/2hnof6[/url]
-
Re: Ubuntu & Antivirus
Hadron wrote:
[color=blue]
> Ignoramus17842 <ignoramus17842@NOSPAM.17842.invalid> writes:
>[color=green]
>> On 2008-03-27, Hadron <hadronquark@googlemail.com> wrote:[color=darkred]
>>> Ignoramus17842 <ignoramus17842@NOSPAM.17842.invalid> writes:
>>>
>>>> On 2008-03-27, NoStop <nospam@nospam.com> wrote:
>>>>> Ignoramus17842 wrote:
>>>>>
>>>>>> I am sorry to burst anyone's bubble, but there are linux viruses. A
>>>>>> lot of them spread via bad PHP software. I have seen some in
>>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>>
>>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>>> spreads via bad PHP software.
>>>>
>>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>>
>>>> I run a webserver and frequently see those worms probing my
>>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>>
>>>> i
>>>
>>> If you write correct PHP there is nothing to worry about IMO.[/color]
>>
>> It is very easy to write incorrect PHP code without realizing.
>>[color=darkred]
>>> Most errors occur from buffer overruns caused by entry fields not
>>> correctly escaping/detecting php code which is then "redisplayed" as
>>> a user name or some such but obviously then execed by the php server
>>> instead.[/color]
>>
>> No. That's not the case.[/color]
>
> Explain. That is indeed the case for most PHP based exploits.
>[color=green]
>>[color=darkred]
>>> Having a no php rule is overkill, especially if it's a non submission
>>> site.[/color]
>>
>> The only PHP software that I run, is mediawiki.
>>
>> i[/color]
>
> So you don't have a no PHP rule?
>[/color]
Obviously Ignoramus lives up to his handle. :-) What a doorknob.
Cheers.
--
The world can't afford the rich.
Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?
Francis (Frank) adds a new "gadget" to his Vista box ...
Download it here: [url]http://tinyurl.com/2hnof6[/url]
-
Re: Ubuntu & Antivirus
William Poaster wrote:
[color=blue]
> Beauregard T. Shagnasty wrote:[color=green]
>> Ignoramus17842 wrote:
>>[color=darkred]
>>> If Linux runs it, it is a Linux problem.[/color]
>>
>> <sigh>
>>[/color]
> Waste of time, mate.
> Mind you, he did admit in comp.os.linux.misc that he trolls, which is
> why he changes the number after his "Ignoramus" nym, (which seems to
> suit him well, BTW) so he couldn't be quoted on past posts.[/color]
Oh, I see. I thought that "17842" was the number of Linux viruses he's
been infected with. Via PHP, of course. <lol>
I hadn't noticed he was changing the number.
--
-bts
-Friends don't let friends drive Vista
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> On 2008-03-27, Beauregard T. Shagnasty <a.nony.mous@example.invalid>
> wrote:[color=green]
>> Ignoramus17842 wrote:
>>[color=darkred]
>>> Beauregard T. Shagnasty wrote:
>>>> Ignoramus17842 wrote:
>>>>> NoStop <nospam@nospam.com> wrote:
>>>>>> Ignoramus17842 wrote:
>>>>>>> I am sorry to burst anyone's bubble, but there are linux viruses.
>>>>>>> A lot of them spread via bad PHP software. I have seen some in
>>>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>>>
>>>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>>>> spreads via bad PHP software.
>>>>>
>>>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>>
>>>> Those old references do not actually prove these are Linux viruses or
>>>> worms. It would seem that if a Windows web server was running
>>>> three-year old unpatched PHP or CGI script, the result would be the
>>>> same.
>>>
>>> Sure. If a windows server was running that crap, it would be infected
>>> too. Which is the whole point.[/color]
>>
>> But it was not the point you were alluding to, which is, "but there are
>> linux viruses." No, they are web server application software
>> vulnerabilities, and not Linux vulns - or viruses.[/color]
>
> If Linux runs it, it is a Linux problem. phpbb is a part of some Linux
> distros.
>[color=green]
>> A hacking attempt is not a virus, either. A PHP (Perl, ASP, C++,
>> DotNet, etc) security hole is not a virus, either.
>>
>> I would define a virus as a self-replicating 'program'.[/color]
>
> That's exactly what they are.
>
> They exploit the holes, start running on the hacked servers and look
> for more servers to hack.
>[color=green][color=darkred]
>>>> Notice too, from your third link, that nearly all of the vulns are
>>>> cgi scripts. Still nothing to do with Linux.
>>>
>>> It has everything to do with linux if they run on Linux.[/color]
>>
>> See above. Hacking attempts do not "run on Linux."[/color]
>
> Yes they do. They run on those hacked servers.
>[color=green][color=darkred]
>>>>> I run a webserver and frequently see those worms probing my
>>>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>>
>>>> Does that mean you don't use PHP in the sites you write? Or don't
>>>> visit sites made with PHP?
>>>
>>> That means that I do not use PHP on any server that I host, with the
>>> exception of mediawiki.[/color]
>>
>> ..so "I do not use PHP" is not true, then. If you use that wiki, PHP is
>> installed - and available - on your server. You'd better be careful![/color]
>
> I am trying to be careful indeed and do not run any PHP stuff other
> than Mediawiki.
>[color=green][color=darkred]
>>>> I use hand-coded PHP for all my sites, and with no third-party
>>>> scripts or "cgi", and have yet to discover a vulnerability. Yes,
>>>> they are all hosted on Linux servers running cPanel.
>>>
>>> If no one knows what code you are writing, you most likely will be
>>> safe from automated attacks. But if your hand written code has
>>> vulnerabilities, and someone wants to hack you specifically, chances
>>> are good that you will be hacked.[/color]
>>
>> Well, it hasn't happened in many years...
>>[color=darkred]
>>> Also if you are on shared hosting, most likely other users of that
>>> hosting would be able to see the source code of your script.[/color]
>>
>> I disagree with that statement.[/color]
>
> Give it a try. Try to write a PHP or perl CGI script that would get a
> listing of the directory one level above your home directory. Then see
> if subdirectories of that place have known sub-subdirectories such as
> public_html or whatever you can guess based on the naming convention
> that your ISP has for mapping websites to directories.
>
> Then find out the websites that run on the same IP as you (there are
> web sites to help you do this).
>
> Go from there.
>[color=green][color=darkred]
>>> I hacked a user of panix.com 12 years ago[/color]
>>
>> ..and the security hole you used hasn't been patched yet, right?[/color]
>
> My hack was based on a user mistake and not on any security hole.
>
>[color=green][color=darkred]
>>> because they set up wrong permissions on telnet binary that they
>>> uploaded to their account ~/bin/telnet (telnetting to outside was
>>> against panix policy and /usr/bin/telnet was mode 710). I then
>>> changed it to an altered version that was to run a script that I wrote
>>> to set other permissions to read his email. I am not a pro hacker
>>> either, it was just a USENET asshole on whom I needed some intel.[/color]
>>
>> Ah. So it wasn't a Linux vuln, or a PHP vuln, but a user shooting
>> himself in the foot by not setting up his web site or host correctly.
>> Still not a Linux vuln.[/color]
>
> No. But it is a good illustration that getting ****y is a mistake.
>[color=green][color=darkred]
>>> If you are on shared hosting, source code of your scripts is almost
>>> publicly available (to anyone with $12 to sign up for a month), as,
>>> most likely, are your database credentials.[/color]
>>
>> I've used shared hosting for ten years and never been hacked, nor have
>> my databases.[/color]
>
> So give the above experiment a try.
>[color=green][color=darkred]
>>>> Your references would be valid (except for the Linux part) for web
>>>> authors still using Matt Wright's ten year old insecure formmail
>>>> script, for example.
>>>
>>> And a lot of other things.[/color]
>>
>> I did say Matt's well-known bad script, "for example." I regularly get
>> requests for "cgi/formmail.pl" - which of course does not exist.
>>[color=darkred]
>>> Security is not simple and PHP is making it very difficult to be
>>> secure.[/color]
>>
>> No, of course it is not simple. But your arguments are flawed,
>> especially when trying to prove "it's a Linux virus."
>>[color=darkred]
>>> Linux systems are not impervious to viruses. To think otherwise is to
>>> delude oneself and to invite trouble.[/color]
>>
>> I've been using Linux at home for about two years and haven't found any
>> problem with my computers...
>>[/color]
>
> I have been using Linux for 13 years (since 1995) and was not hacked
> either.
>
> i[/color]
Then you're blowing smoke, aren't you? Why? is the next question.
Cheers.
--
The world can't afford the rich.
Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?
Francis (Frank) adds a new "gadget" to his Vista box ...
Download it here: [url]http://tinyurl.com/2hnof6[/url]
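The shared-hosting exchange quoted in the post above (scripts readable by neighbouring accounts, and the uploaded ~/bin/telnet with wrong permissions) comes down to the "other" permission bits. The following is an added example, not code from anyone in this thread: a check an account owner can run over their own home directory. The function names, file names and modes in the sample layout are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """List entries under root that other local accounts can read or change.
    Parents of root are assumed traversable (the worst case)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        dmode = os.stat(dirpath).st_mode
        if not dmode & stat.S_IXOTH:
            dirnames[:] = []  # no o+x: nothing below is reachable by others
            continue
        if dmode & stat.S_IWOTH:
            findings.append((rel, "dir writable by others"))
        elif dmode & stat.S_IROTH:
            findings.append((rel, "dir listable by others"))
        for name in filenames:
            mode = os.lstat(os.path.join(dirpath, name)).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other non-regular files
            frel = os.path.normpath(os.path.join(rel, name))
            if mode & stat.S_IWOTH:
                findings.append((frel, "file writable by others"))
            elif mode & stat.S_IROTH:
                findings.append((frel, "file readable by others"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample account layout; names and modes are made up."""
    layout = {
        "public_html/index.php": 0o644,   # source readable by neighbours
        "public_html/config.php": 0o600,  # credentials file, owner only
        "bin/telnet": 0o777,              # uploaded binary anyone can replace
        "private/notes.txt": 0o644,       # shielded by the 0700 directory
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.chmod(path, mode)
    for d, mode in ((".", 0o711), ("public_html", 0o755), ("bin", 0o755), ("private", 0o700)):
        os.chmod(os.path.join(root, d), mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for path, issue in audit_tree(tmp):
            print(f"{issue:24} {path}")
```

The 0711 home directory in the sample cannot be listed, yet everything under a guessable name such as public_html is still reported. Whether the web server needs the "other" read bit at all depends on how the host runs scripts, so treat each finding as something to check against the host's setup.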
-
Re: Ubuntu & Antivirus
Ignoramus17842 wrote:
[color=blue]
> On 2008-03-27, NoStop <nospam@nospam.com> wrote:[color=green]
>> Ignoramus17842 wrote:
>>[color=darkred]
>>> On 2008-03-27, NoStop <nospam@nospam.com> wrote:
>>>> Ignoramus17842 wrote:
>>>>
>>>>> I am sorry to burst anyone's bubble, but there are linux viruses. A
>>>>> lot of them spread via bad PHP software. I have seen some in
>>>>> action. That's the reason why I avoid PHP where possible.
>>>>>
>>>> You're not bursting my bubble. Prove it. Show us a linux virus that
>>>> spreads via bad PHP software.
>>>
>>> [url]http://www.theregister.co.uk/2006/02/20/linux_worm/[/url]
>>> [url]http://vil.nai.com/vil/content/v_136821.htm[/url]
>>> [url]http://www.pandasecurity.com/enterprise/media/press-releases/viewnews?noticia=5766&ver=2004,all&pagina=&numprod=&entorno=[/url]
>>>
>>> I run a webserver and frequently see those worms probing my
>>> webserver. I do not get infected since I have an anti-PHP policy.
>>>
>>> i[/color]
>>
>> All references are 3 years old. Tell us whether PHP has been patched
>> since then.[/color]
>
>
> It was patched a lot of times. I do not believe that it fully stopped
> PHP viruses. I am not going to do your research for you. Just last
> year I saw viruses probing for functions.php files on my server.
>[/color]
Scriptkiddies are ALWAYS probing. How do you know it's a "virus" that's
probing and if it is, is it coming from a compromised Windoze box?
Probably.
Cheers.
[color=blue]
> i[/color]
--
The world can't afford the rich.
Q: What OS is built for lusers?
A: Which one requires running lusermgr.msc to create them?
Francis (Frank) adds a new "gadget" to his Vista box ...
Download it here: [url]http://tinyurl.com/2hnof6[/url]
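Several posts in this thread mention requests for scripts such as cgi/formmail.pl and functions.php showing up in web server logs. The following is an added example, not code from anyone in this thread: it separates requests for those script names that found nothing from requests the server actually answered. The log lines are constructed, use documentation address ranges, and assume the common "combined" access-log format.

```python
import re
from collections import defaultdict

# Script names the thread mentions being probed for; extend for your own site.
WATCHED = {"formmail.pl", "functions.php"}
# "combined" format: client, two ids, [time], "request", status, size, ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def classify_probes(lines, watched=WATCHED):
    """Split requests for watched script names into absent and answered.

    Returns {"absent": {client: [paths]}, "answered": {client: [paths]}}.
    """
    out = {"absent": defaultdict(set), "answered": defaultdict(set)}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed line or non-HTTP garbage
        client, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string
        if path.rsplit("/", 1)[-1].lower() not in watched:
            continue
        bucket = "absent" if status in ("404", "410") else "answered"
        out[bucket][client].add(path)
    return {k: {c: sorted(p) for c, p in v.items()} for k, v in out.items()}

# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '192.0.2.10 - - [27/Mar/2008:10:00:01 +0000] "GET /cgi/formmail.pl HTTP/1.0" 404 209 "-" "-"',
    '192.0.2.10 - - [27/Mar/2008:10:00:02 +0000] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 209 "-" "-"',
    '192.0.2.10 - - [27/Mar/2008:10:00:03 +0000] "GET /forum/includes/functions.php?x=1 HTTP/1.0" 404 209 "-" "-"',
    '198.51.100.7 - - [27/Mar/2008:10:05:00 +0000] "GET /wiki/includes/functions.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.5 - - [27/Mar/2008:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(classify_probes(SAMPLE))
```

Entries under "absent" are requests for files that do not exist on the server. Entries under "answered" show that a watched script name is present and reachable, which is the case worth reviewing. The log alone does not say what kind of machine or program sent the request.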
-
Re: Ubuntu & Antivirus
Hadron illuminated alt.os.linux.ubuntu by typing:
[color=blue]
> <snip>
> Bottom line : do not use WEP if you can at all help it.[/color]
What if you don't have a WPA enabled router? Are there any ways you can
secure your WEP access? We know about restricting MAC addresses, but
wouldn't turning off ESSID's and DHCP allocation by the router go a
way towards getting WPA like usability from the device?
We can all snort out a wep key, but cloning a MAC address from scratch
is *far* less easy. Stopping automatic allocation of IP addresses is a
must.
--
Moog
"If this is gonna be that kinda party I'm gonna stick my dick in the
mashed potatoes"