RE: [cobalt-users] Raq2 Hack
- Subject: RE: [cobalt-users] Raq2 Hack
- From: Michael <mike@xxxxxxxxxx>
- Date: Sun Aug 19 06:52:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
At 11:18 AM 08/19/01 -0700, you wrote:
>-----Original Message-----
>From: cobalt-users-admin@xxxxxxxxxxxxxxx
>[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of Hacked Raq2
>Sent: Sunday, August 19, 2001 9:59 AM
>To: cobalt-users@xxxxxxxxxxxxxxx
>Subject: [cobalt-users] Raq2 Hack
>
>
>Hello all,
>
>Well, it seems that I've had an intruder on my Raq2. What I'm trying to
>figure out is how he got in. I have all the important patches applied and
>I've shut down telnet in favor of running OpenSSH 2.9. I also run logcheck
>and portsentry and usually keep a close eye on things.
>
>httpd 19108 0.0 0.6 3012 864 ? S NAug 17 0:00 sh -c
>/home/sites/site19/cgi-bin/Mall/../../../../../../../../../../../../../../..
>/../../../../../../../../../

This looks very similar to a hack that I found on newworldorder that exploits webmail on the Cobalt Qube:

Sun Qube Webmail Directory Traversal
Jul, 16 2001 - 11:15
contributed by: hx

Summary

The Sun Qube (a.k.a. Cobalt Cube) appliance is a complete Internet and intranet server in a box. A security vulnerability in the product allows attackers to gain access to world-readable files without needing to have a shell account.

Details

Vulnerable systems:
Cobalt Linux release 6.0 (Carmel), Kernel 2.2.16C7

Example:
http://example.com:444/base/webmail/readmsg.php?
mailbox=../../../../../../../../../../../../../../etc/passwd&id=1
(NOTE: URL has been wrapped for readability)

Additional information

The information has been provided by KF.

I don't know if that helps you any, but it is a clue...
Michael Thiessen
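
Added example, not part of the original message or the quoted advisory: one way to search web server access logs for requests shaped like the `readmsg.php` one above when working out how an intruder got in. The log lines, addresses and function names are constructed for illustration, and an Apache-style access log format is assumed.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (not taken from the poster's server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Aug/2001:06:40:01 -0700] "GET /base/webmail/readmsg.php?mailbox=INBOX&id=1 HTTP/1.0" 200 512',
    '192.0.2.77 - - [19/Aug/2001:06:41:13 -0700] "GET /base/webmail/readmsg.php?mailbox=../../../../etc/passwd&id=1 HTTP/1.0" 200 901',
    '192.0.2.77 - - [19/Aug/2001:06:41:20 -0700] "GET /base/webmail/readmsg.php?mailbox=%252e%252e%252f%252e%252e%252fetc%252fpasswd&id=1 HTTP/1.0" 200 901',
    '192.0.2.10 - - [19/Aug/2001:06:42:00 -0700] "GET /docs/a/../b/index.html HTTP/1.0" 200 100',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded '../' is also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def escapes_root(value):
    """True if the value, read as a relative path, climbs above its base."""
    path = fully_decode(value).replace("\\", "/")
    if ".." not in path.split("/"):
        return False
    norm = posixpath.normpath(path.lstrip("/"))
    return norm == ".." or norm.startswith("../")

def scan(lines):
    """Return (line_number, field, decoded_value) for suspicious requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        fields = [("<path>", url.path)] + parse_qsl(url.query, keep_blank_values=True)
        for name, value in fields:
            if escapes_root(value):
                hits.append((n, name, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same `escapes_root` check can be applied to the argument of a suspicious `sh -c` entry in `ps` output; a benign `..` that stays inside its directory, as in the last sample line, is not flagged.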