## September 29, 2006

### Security

As I was about to leave work on Thursday, I got an email from the Department’s Computer Administrator. The ITS people had noticed a bandwidth issue with golem, which I would have to attend to. But, at the bottom of the email, he wrote

Also [ITS person] stated that your machine was used to attack some other machine off campus and that person wasn’t very happy.

I went home rather shaken. Had my computer been hacked? I’d noticed nothing amiss. But, if others were seeing attacks emanating from my machine …

So I spent the evening poring over system logs and searching for clues as to what might have taken place. Finally, the next morning, I managed to get ahold of the aforementioned ITS person and he had a somewhat different take on the story:

The person who called us just stated that he ran a web site and saw what he thought was an attack against his web server originating from the golem.ph server. I tried to refer him to the security office, but he was adamant about not taking the issue to them. He also was not interested in leaving contact information so we could call him back after investigating.

The way I figure it, if the web admin didn’t think it was important enough to provide details on the attack or contact information, then I wouldn’t worry too much about this supposed “attack”.

Whew! I guess I dodged a bullet on that one. But it did prompt me to finally get Tripwire up and running on MacOSX.

In other security news, the previous day, I hastily upgraded to Movable Type 3.3, in response to their, rather dire, security announcement. Looking at the changes, it appears that there were some rather serious flaws in the way MT handled some user input. If you’re running an old version, it might be time to upgrade …

[Hmmm… Seems there’s something wonky about the XML-RPC interface after the upgrade.]

Finally, just because I could, I also upgraded to the latest version of OpenSSH. I was rather disconcerted to find that, for once, it didn’t compile cleanly. Instead, I needed

--- auth.h.orig 2006-08-18 09:32:46.000000000 -0500
+++ auth.h      2006-09-28 00:49:38.000000000 -0500
@@ -28,6 +28,8 @@
#ifndef AUTH_H
#define AUTH_H

+#include "key.h"
+# include "hostfile.h"
#include <signal.h>

#include <openssl/rsa.h>
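Review bot: the two added lines use inconsistent directive spacing, `#include "key.h"` on one and `# include "hostfile.h"` on the next, while every other directive in this hunk is written `#include`; make the second one `#include "hostfile.h"`. The hunk also gives no hint of why auth.h now needs these two headers; a one-line comment above them naming the declarations in auth.h that depend on them would spare the next person who hits this build error from rediscovering it, and since the post says this was needed just to get the release to compile, it is worth reporting upstream rather than carrying as a local patch.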

Oh, and I suppose I could mention the various security fixes in MacOSX 10.4.8, but I won’t.

Posted by distler at September 29, 2006 11:59 PM
