lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BLU163-W4222F326278DD50C7DB407B4B50@phx.gbl>
Date: Mon, 5 Dec 2011 12:07:16 -0600
From: John Jacobs <flamdugen@...mail.com>
To: <james@...o-internet.org.uk>
Cc: full-disclosure@...ts.grok.org.uk, lucio@...web.org
Subject: Re: one of my servers has been compromized


----------------------------------------
> Subject: Re: [Full-disclosure] one of my servers has been compromized
> From: james@...o-internet.org.uk
> Date: Mon, 5 Dec 2011 17:36:53 +0000
> CC: tim-security@...tinelchicken.org; lucio@...web.org; full-disclosure@...ts.grok.org.uk
> To: flamdugen@...mail.com
>
> John,
>
> All good thoughts but can we show the server was rooted?
>
> In otherwords; instead of an attacker getting root and then adding this to a botnet this way is it not more likely that the original attack added the server in one step to avoid the need to do this?

James, thank you for your response.  I agree with you here, I was speaking more along the lines of defense-in-depth and security generalities.  In this case I believe a vulnerability in an unpatched/unprotected version of PHPMyAdmin permitted the Apache process to write to /tmp and spawn a process.

In my previous experience, including a few vulnerabilities in Roundcube, I've seen a programmatic scan, exploitation, and then wget/dropping of a Perl IRC bot.  Of course this is all speculation based on previous experience, I am not looking at lucio's box.  The Apache access/error logs should have the offending log entries and/or any output from the system()/exec() etc PHP functions.  Lucio -- what user was the IRC bot running under?

It's evident that 10.04.1 LTS is certainly out of date and there are a multitude of vulnerabilities that could be leverage for privilege escalation.

Lucio, I would also recommend subscribing to the Ubuntu Security-Announce mailing lists which issue the USNs so you are aware of which packages have been patched and those which require a reboot to effect the changes, such as Kernel update.

Thanks again for the dialog Tim and James, this exchange is very beneficial and appreciated.

James you are correct regarding the shell; I would assume /bin/sh would be pointed to /bin/dash or /bin/bash on a Ubuntu system.  I would assume the user's login shell would be /bin/bash.  Again, these are all assumptions made on my part and can certainly be incorrect, however, I would hope if someone is using KSH that they would see past the BASHisms of the previous message.

Thanks,
John
 		 	   		  
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ