MySecureShell – chrooted SFTP server

Yesterday the wonderful Howtoforge had an article that finally freed me from my beloved/hated scponly. MySecureShell offers all the functionality of a proper SFTP server, easily configurable and very well integrated.

To get it up and running on Debian, just download the latest *.deb version from Sourceforge.
Then install it with the following command:
dpkg -i mysecureshell_0.95_i386.deb

Now for every SFTP user you want on your system just do the following (substitute ‘test’ with your desired username).
Add a normal user to your system:
adduser test
Open the file /etc/passwd and change the user’s shell from /bin/bash to /bin/MySecureShell. The line then should look something like this:
test:x:1111:1111::/home/test:/bin/MySecureShell
And there you have it: a chrooted, SFTP-only user, without the clutter of the numerous additional directories a conventional chroot needs. Simple and elegant :)

The last step is to have a look through the config file at /etc/ssh/sftp_config; it’s pretty well documented!
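As an added example (not part of the original post, and not MySecureShell’s own tooling), here is a small POSIX shell audit for the step above: it lists which accounts in a passwd file already have /bin/MySecureShell as their shell, which ones still have a real login shell, and it builds a correctly formed seven-field passwd entry so the “x” password field (the hash lives in /etc/shadow) is not forgotten when editing by hand. The sample passwd content is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Added example: audit passwd-style data for MySecureShell (SFTP-only) accounts.
# The sample passwd content at the bottom is constructed for this example.

SFTP_SHELL=/bin/MySecureShell

# Print the users in a passwd file (argument 1) whose login shell is $SFTP_SHELL.
sftp_only_users() {
    awk -F: -v shell="$SFTP_SHELL" '$7 == shell { print $1 }' "$1"
}

# Print users who still have an interactive shell, so an account that was meant
# to be SFTP-only but never had its shell switched stands out.
shell_users() {
    awk -F: '$7 == "/bin/bash" || $7 == "/bin/sh" { print $1 }' "$1"
}

# Build a seven-field passwd line: name:password:uid:gid:gecos:home:shell.
# The password field is "x" because the real hash is kept in /etc/shadow.
# On a live system, "usermod -s /bin/MySecureShell <user>" makes the same
# change without hand-editing /etc/passwd.
passwd_line() {
    printf '%s:x:%s:%s::/home/%s:%s\n' "$1" "$2" "$3" "$1" "$SFTP_SHELL"
}

# Constructed sample passwd data (three accounts) for the demonstration.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
test:x:1111:1111::/home/test:/bin/MySecureShell
alice:x:1112:1112::/home/alice:/bin/bash
EOF

echo "SFTP-only users:"; sftp_only_users "$SAMPLE_PASSWD"
echo "Users with an interactive shell:"; shell_users "$SAMPLE_PASSWD"
echo "Entry for a new SFTP-only user:"; passwd_line bob 1113 1113
```

Point the functions at /etc/passwd instead of the sample file to audit a real box; a user listed under “interactive shell” who was supposed to be SFTP-only has not actually been restricted.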

OS X Trojan

Seems like the digital fortress that is OS X is finally starting to crack. Andrew over at the Ambrosia Software Web Board writes about what he sees as a Trojan for OS X which was posted at the MacRumors.com website.

It’s a little compressed file pretending to include screenshots of the next OS X version. When decompressed it appears to include a JPG file which in reality is a UNIX executable that performs several malicious functions.
From what he found out, the Trojan tries to send itself via iChat to all your buddies; there is also code that tries to spread it via e-mail, but it looks like that part is not entirely finished.

Read more about the dissection in the original thread » here. Included is also a disassembled version (text file) of the Trojan.

Here is the thread at MacRumors.com (link to the original file deleted).

So maybe it’s time for us Mac users to start running a virus scanner in the background while working?

Update: robg of macosxhints.com examined the Trojan a little further for Macworld at Digging deeper into the Leap-A malware. His résumé is the following:

I am now officially very sick of Leap-A, having spent probably 18 hours on it over the last two days. The short summary is that it’s a bad piece of malware that could have been worse but it’s far from the self-propagating internet-spreading virus/worm that’s been described on other sites. At the end of the day, it’s really just a good reminder to be very careful about what you download and install on your Mac.

SANS Infocon YELLOW

The SANS Internet Storm Center has raised its global Infocon status to yellow due to a recent exploit targeting a specific DLL on Microsoft Windows operating systems. The exploit, for which there is no official patch at the moment, allows attackers to execute any kind of code just by having you view an image. That means you do not even need to open an image sent to you by mail; the malicious code will execute immediately.

  • Why is this issue so important? The WMF vulnerability uses images (WMF images) to execute arbitrary code. It will execute just by viewing the image. In most cases, you don’t have to click anything. Even images stored on your system may cause the exploit to be triggered if it is indexed by some indexing software. Viewing a directory in Explorer with ‘Icon size’ images will cause the exploit to be triggered as well.
  • Is it better to use Firefox or Internet Explorer? Internet Explorer will view the image and trigger the exploit without warning. New versions of Firefox will prompt you before opening the image. However, in most environments this offers little protection given that these are images and are thus considered ‘safe’.
  • What versions of Windows are affected? All. Windows 2000, Windows XP, (SP1 and SP2), Windows 2003. All are affected to some extent. Mac OS X, Unix or BSD is not affected. Note: If you’re still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
  • What can I do to protect myself?
    1. Microsoft has not yet released a patch. An unofficial patch was made available by Ilfak Guilfanov. The reviewed and tested version is available here (now at v1.3, MD5: 14d8c937d97572deb9cb07297a87e62a), PGP signature (signed with ISC key) here. THANKS to Ilfak Guilfanov for providing the patch!!
    2. You can unregister the related DLL.
    3. Virus checkers provide some protection.

    To unregister the DLL:

    • Click Start, click Run, type “regsvr32 -u %windir%\system32\shimgvw.dll” (without the quotation marks), and then click OK.
    • A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

It is generally considered best practice to unregister the DLL and install the Patch.

For the most up-to-date information and current Patch versions, refer to the WMF FAQ.
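Both the OS X Trojan post (a UNIX executable named like a JPG) and the WMF advisory above (an image format that triggers rendering code regardless of how harmless the file looks) come down to the same defensive check: classify a file by its leading bytes rather than its extension. The following POSIX shell script is an added example, not code from either post or from SANS; it goes slightly beyond the two cases by recognising JPEG, Mach-O (plain and multi-architecture) and both WMF header forms. The byte values are the public format signatures; the sample files are constructed in a temporary directory, and the function names are my own.

```shell
#!/bin/sh
# Added example: classify files by magic bytes and flag extension mismatches.
# Sample files are constructed below; signatures are the public format constants.

# Print the first 4 bytes of a file as lowercase hex without spaces (e.g. ffd8ffe0).
magic4() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify a file by its signature: jpeg, macho, fat-macho, wmf, or unknown.
file_kind() {
    m=$(magic4 "$1")
    case "$m" in
        ffd8ff*)                              echo jpeg ;;
        feedface|cefaedfe|feedfacf|cffaedfe)  echo macho ;;     # 32/64-bit Mach-O, either byte order
        cafebabe)                             echo fat-macho ;; # multi-arch Mach-O (Java .class files share this value)
        d7cdc69a)                             echo wmf ;;       # placeable (Aldus) WMF header
        01000900|02000900)                    echo wmf ;;       # standard WMF header: type 1/2, header size 9
        *)                                    echo unknown ;;
    esac
}

# Return 0 when the extension agrees with the content, 1 when it does not.
# Only the extensions the two posts talk about are checked here.
extension_matches() {
    kind=$(file_kind "$1")
    case "$1" in
        *.jpg|*.jpeg) [ "$kind" = jpeg ] ;;
        *.wmf)        [ "$kind" = wmf ] ;;
        *)            return 0 ;;
    esac
}

# Constructed samples: a genuine JPEG header, a "screenshot" that is really a
# Mach-O executable, a WMF image saved under a .jpg name, and an honest .wmf.
SAMPLE_DIR=$(mktemp -d)
printf '\377\330\377\340' > "$SAMPLE_DIR/real.jpg"
printf '\316\372\355\376' > "$SAMPLE_DIR/screenshot.jpg"
printf '\327\315\306\232' > "$SAMPLE_DIR/picture.jpg"
printf '\001\000\011\000' > "$SAMPLE_DIR/chart.wmf"

# Report each sample: detected kind, whether the name is honest, and the path.
for f in "$SAMPLE_DIR"/*; do
    if extension_matches "$f"; then verdict=ok; else verdict=MISMATCH; fi
    printf '%s\t%s\t%s\n' "$(file_kind "$f")" "$verdict" "$f"
done
```

The check only looks at four bytes, so it is a triage aid rather than a verdict: a file can carry a valid JPEG header and still be malformed, and the fat-Mach-O value collides with Java class files, which is why the mismatch test is restricted to the extensions the posts actually discuss.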