[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-users] Fwd: [cobalt-security] Bug-Travel
- Subject: [cobalt-users] Fwd: [cobalt-security] Bug-Travel
- From: Bruce Timberlake <bruce@xxxxxxxxxx>
- Date: Mon Jan 20 23:50:02 2003
- Organization: BRTNet.org
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FYI...
- ---------- Forwarded Message ----------
Subject: [cobalt-security] Bug-Travel
Date: Tue, 21 Jan 2003 01:31:35 -0500 (EST)
From: Greg Boehnlein <damin@xxxxxxxx>
To: cobalt-security@xxxxxxxxxxxxxxx
Cc: Chuck Liggett <chuckl@xxxxxxxx>, Jason Fenner <jfenner@xxxxxxxx>,
Brian Kosick <briank@xxxxxxxx>
Hello,
If any of you have been attacked by the "Bug-Travel" exploit, this
information is for you. We had several servers that were crippled due
to this attack. Thank god for backups! :) In any case, here is what
I have been able to find out about the exploit:
1. It replaced all .html and .asp files with trojan html code. An
example can be seen at http://www.nacs.net/~jfenner/hack.html
2. It appears to use components of the "RaQFuCk.sh" script by core
http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts a
symlink attack using cron through the exploitation of an suid
/usr/lib/authenticate on the Cobalt Raq.
3. We have not been able to actually catch the code in action, but
the html references the following: irc.brasnet.org #BugTravel
4. The HTML also suggests sending E-mail to
"admin@xxxxxxxxxxxxxxxxxxxx" for help, which I did, kindly
requesting that they inform me of how/what was used to remote
exploit the box. I received the following:
From: desenhobadboy@xxxxxxxxxxxxxx
To: "[iso-8859-1] Greg" <removed@xxxxxxxxxxx>
Subject: [iso-8859-1] Re: Bug-Travel
>Hello,
> One of our Raq units was hacked by Bug-Travel, and it
> suggested that we E-mail this address for help. So, here you go.
> I'm E-mailing you for help.
>Thanks
patch you OpenSSL
- -- End of Message --
Analysis
- --------
Near as I can tell, they were able to remotely exploit OpenSSL
and establish a remote shell, at which point RaQFuCk.sh was executed,
providing full open access to the system. I haven't been able to gain
access through any exploit code that I can find. The attack could
have come either through Apache or OpenSSH, but I have no direct
proof, so this is all conjecture.
Reaction
- --------
I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH
3.4p1PM4 from http://pkgmaster.com. We have also restricted SSH
access to our raqs through /etc/hosts.allow|deny.
I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
ftp://ftp.nacs.net/pub/software/cobalt_raq4
openssl-0.9.7-1.i386.rpm
openssl-0.9.7-1.src.rpm
openssl-devel-0.9.7-1.i386.rpm
openssl-doc-0.9.7-1.i386.rpm
OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if
Cobalt's security patches address this, as I just applied them in
the order required and didn't read much about what was being
patched. After installing the new OpenSSL RPMS, my previous versions
of OpenSSH would not work properly, so I updated to the 3.4pl1 from
pkgmaster and all is fine.
Comments? Suggestions? This is a nasty bug. If anyone has more
information to provide on this thing, please do not hesitate to chip
in. I may be way off base here, but I've had the opportunity to look
at 3 different boxes that where compromised and I think I'm on the
right track.
Greg
- --
Bruce Timberlake
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+LPi8vLA2hUZ9kgwRAoSkAJ9y7tdtW4Aqkq8GTl6RzQlY5brITwCfe8gr
Hg59yH+w3hVI0EkEbCeeVaI=
=2qgA
-----END PGP SIGNATURE-----