Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794

From: Eric Nelson (en_at_megahosted.com)
Date: 08/21/03

  • Next message: Dowling, Gabrielle: "RE: DCOM bot.rar"
    Date: Wed, 20 Aug 2003 16:15:35 -0700
    To: incidents@securityfocus.com
    
    

    Have you tried rebooting the machine with a known "good" init? I believe
    the suckit script copies the original instead of clobbering it.

    If they installed lkm there will be an invisible directory that you
    probably won't be able to see with any of the usual utils. SK default
    for this is /usr/share/locale/sk/.sk12

    cd to it and see what ya see.

    Eric

    On Mon, Aug 18, 2003 at 04:27:56PM -0000, Frank wrote:
    > In-Reply-To: <3F3E9312.7060500@koschikode.com>
    >
    > Looks like a confirm
    > We've lost two linux Realservers last week (7 and 9th
    > of august), same rootkit.
    > All other services were firewalled, the Real services
    > running as a normal user was used to gain root access
    > somehow. OS Debian Linux, uptodate, 2.4.20grsec kernel.
    > On both helix servers the error logs mentions
    > restarts..and the access logs are empty...
    > We usually don't have empty access logs...
    >
    > ppl running Helix, watch out for unexpected restarts!
    > Real has been contacted.
    >
    > Frank
    >
    >
    >
    >
    > >Received: (qmail 15779 invoked from network); 17 Aug
    > 2003 16:42:09 -0000
    > >Received: from outgoing3.securityfocus.com
    > (205.206.231.27)
    > > by mail.securityfocus.com with SMTP; 17 Aug 2003
    > 16:42:09 -0000
    > >Received: from lists.securityfocus.com
    > (lists.securityfocus.com [205.206.231.19])
    > > by outgoing3.securityfocus.com (Postfix) with QMQP
    > > id 19A73A30D9; Sun, 17 Aug 2003 10:46:01 -0600 (MDT)
    > >Mailing-List: contact
    > incidents-help@securityfocus.com; run by ezmlm
    > >Precedence: bulk
    > >List-Id: <incidents.list-id.securityfocus.com>
    > >List-Post: <mailto:incidents@securityfocus.com>
    > >List-Help: <mailto:incidents-help@securityfocus.com>
    > >List-Unsubscribe:
    > <mailto:incidents-unsubscribe@securityfocus.com>
    > >List-Subscribe:
    > <mailto:incidents-subscribe@securityfocus.com>
    > >Delivered-To: mailing list incidents@securityfocus.com
    > >Delivered-To: moderator for incidents@securityfocus.com
    > >Received: (qmail 7218 invoked from network); 16 Aug
    > 2003 14:19:55 -0000
    > >Message-ID: <3F3E9312.7060500@koschikode.com>
    > >Date: Sat, 16 Aug 2003 22:24:50 +0200
    > >From: Juri Haberland <juri@koschikode.com>
    > >User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
    > rv:1.3.1) Gecko/20030425
    > >X-Accept-Language: en-us, de-de, en
    > >MIME-Version: 1.0
    > >To: Mark Tinberg <mtinberg@securepipe.com>
    > >Cc: incidents@securityfocus.com
    > >Subject: Re: possible 0-day exploit for latest
    > Real-/Helixserver 9.0.2.794
    > >References: <3F3CD032.8060601@koschikode.com>
    > <Pine.LNX.4.55.0308152356040.9706@tinberg.wi.securepipe.com>
    > >In-Reply-To:
    > <Pine.LNX.4.55.0308152356040.9706@tinberg.wi.securepipe.com>
    > >Content-Type: text/plain; charset=us-ascii
    > >Content-Transfer-Encoding: 7bit
    > >
    > >Mark Tinberg wrote:
    > >> On Fri, 15 Aug 2003, Juri Haberland wrote:
    > >>
    > >>> /sbin/init had nearly the same timestamp (Aug 12
    > 23:17:29 2003) as the
    > >>> following log entry from the Realserver's
    > rmerror.log file:
    > >>>
    > >>> ***12-Aug-03 23:18:12.471 rmserver(11402): Server
    > automatically restarted
    > >>> due to fatal error condition
    > >>
    > >> From this it would seem most likely to be an exploit
    > of the rmserver
    > >> process. Check to see if there is an unpatched
    > SecurityFocus BID for
    > >> RealServer otherwise you were probably comprimised
    > with an
    > >> as-yet-publicly-unknown exploit. I'd try working
    > with Real.com and see if
    > >> they'll provide any help (well, here's to hoping 8^)
    > >
    > >I checked SecurityFocus before sending my initial
    > mail. Let's see what
    > >Real.com has to say.
    > >
    > >> If you can find a live copy of the exploit used on
    > the system, for example
    > >> if your system was used to attack others, that'd be
    > very helpful.
    > >
    > >Unfortunately there was nothing else other than rootkit.
    > >
    > >Cheers,
    > >Juri
    > >
    > >
    > >---------------------------------------------------------------------------
    > >Captus Networks - Integrated Intrusion Prevention and
    > Traffic Shaping
    > > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > > - Automatically Control P2P, IM and Spam Traffic
    > > - Ensure Reliable Performance of Mission Critical
    > Applications
    > > - Precisely Define and Implement Network Security and
    > Performance Policies
    > >**FREE Vulnerability Assessment Toolkit - WhitePapers
    > - Live Demo
    > >Visit us at:
    > >http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > >----------------------------------------------------------------------------
    > >
    > >
    >
    > ---------------------------------------------------------------------------
    > Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
    > - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
    > - Automatically Control P2P, IM and Spam Traffic
    > - Ensure Reliable Performance of Mission Critical Applications
    > - Precisely Define and Implement Network Security and Performance Policies
    > **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    > Visit us at:
    > http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    > ----------------------------------------------------------------------------
    >

    -- 
    Eric Nelson	<en@megahosted.com>	http://www.megahosted.com/~en/
    GPG-key: C4AB5707 Fingerprint: 9E50 D5C2 2B02 A944 1A28  5CA5 366A 0294 C4AB 5707
    ---------------------------------------------------------------------------
    Captus Networks - Integrated Intrusion Prevention and Traffic Shaping  
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Ensure Reliable Performance of Mission Critical Applications
     - Precisely Define and Implement Network Security and Performance Policies
    **FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    Visit us at: 
    http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
    ----------------------------------------------------------------------------
    

  • Next message: Dowling, Gabrielle: "RE: DCOM bot.rar"

    Relevant Pages