RE: [cobalt-developers] Fixing the nasty RaQ Hack...
- Subject: RE: [cobalt-developers] Fixing the nasty RaQ Hack...
- From: "Peter Lorent" <lorent@xxxxxxxxxxxxxxx>
- Date: Thu Jan 23 08:14:02 2003
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
I think it will. I will look into it right away. Thanks.
Peter
-----Original Message-----
From: cobalt-developers-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-developers-admin@xxxxxxxxxxxxxxx] On Behalf Of SarrCom.com -
Reginald
Sent: Thursday, 23 January 2003 16:48
To: cobalt-developers@xxxxxxxxxxxxxxx
Subject: Re: [cobalt-developers] Fixing the nasty RaQ Hack...
Peter,
Does this help [email addresses truncated]?
Bug-Travel :
================
Exploit:
========
http://www.securiteam.com/exploits/5MP0R0A80K.html
Solution:
=========
From: Greg Boehnlein <@nacs.net>
To: @list.cobalt.com
Cc: Chuck Liggett <@nacs.net>, Jason Fenner <@nacs.net>,
Brian Kosick <@nacs.net>
Hello,
If any of you have been attacked by the "Bug-Travel" exploit, this
information is for you. We had several servers that were crippled due
to this attack. Thank god for backups! :) In any case, here is what
I have been able to find out about the exploit:
1. It replaced all .html and .asp files with trojan html code. An
example can be seen at http://www.nacs.net/~jfenner/hack.html
2. It appears to use components of the "RaQFuCk.sh" script by core
http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts a
symlink attack using cron through the exploitation of an suid
/usr/lib/authenticate on the Cobalt Raq.
3. We have not been able to actually catch the code in action, but
the html references the following: irc.brasnet.org #BugTravel
4. The HTML also suggests sending E-mail to
"admin@xxxxxxxxxxxxxxxxxxxx" for help, which I did, kindly
requesting that they inform me of how/what was used to remotely
exploit the box. I received the following:
From: desenhobadboy@xxxxxxxxxxxxxx
To: "Greg" <removed@xxxxxxxxxxx>
Subject: Re: Bug-Travel
>Hello,
> One of our Raq units was hacked by Bug-Travel, and it
> suggested that we E-mail this address for help. So, here you go.
> I'm E-mailing you for help.
>Thanks
patch your OpenSSL
-- End of Message --
Analysis
--------
Near as I can tell, they were able to remotely exploit OpenSSL
and establish a remote shell, at which point RaQFuCk.sh was executed,
providing full open access to the system. I haven't been able to gain
access through any exploit code that I can find. The attack could
have come either through Apache or OpenSSH, but I have no direct
proof, so this is all conjecture.
Reaction
--------
I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH
3.4p1PM4 from http://pkgmaster.com. We have also restricted SSH
access to our raqs through /etc/hosts.allow|deny.
I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
ftp://ftp.nacs.net/pub/software/cobalt_raq4
openssl-0.9.7-1.i386.rpm
openssl-0.9.7-1.src.rpm
openssl-devel-0.9.7-1.i386.rpm
openssl-doc-0.9.7-1.i386.rpm
OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if
Cobalt's security patches address this, as I just applied them in
the order required and didn't read much about what was being
patched. After installing the new OpenSSL RPMS, my previous versions
of OpenSSH would not work properly, so I updated to the 3.4pl1 from
pkgmaster and all is fine.
Comments? Suggestions? This is a nasty bug. If anyone has more
information to provide on this thing, please do not hesitate to chip
in. I may be way off base here, but I've had the opportunity to look
at 3 different boxes that were compromised and I think I'm on the
right track.
Greg
----- Original Message -----
From: "Peter Lorent" <lorent@xxxxxxxxxxxxxxx>
To: <cobalt-developers@xxxxxxxxxxxxxxx>
Sent: Thursday, January 23, 2003 11:15 AM
Subject: RE: [cobalt-developers] Fixing the nasty RaQ Hack...
As to the question which particular service is being hacked: it seems
possible to sniff individual ftp-accounts and get root-access.
Peter
_______________________________________________
cobalt-developers mailing list
cobalt-developers@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-developers