I think it will. I will look into it right away. Thanks. Peter -----Oorspronkelijk bericht----- Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens SarrCom.com - Reginald Verzonden: donderdag 23 januari 2003 16:48 Aan: [EMAIL PROTECTED] Onderwerp: Re: [cobalt-developers] Fixing the nasty RaQ Hack...
Peter, Does this help [email addresses truncated]? Bug-Travel : ================ Exploit: ======== http://www.securiteam.com/exploits/5MP0R0A80K.html Solution: ========= From: Greg Boehnlein <@nacs.net> To: @list.cobalt.com Cc: Chuck Liggett <@nacs.net>, Jason Fenner <@nacs.net>, Brian Kosick <@nacs.net> Hello, If any of you have been attacked by the "Bug-Travel" exploit, this information is for you. We had several servers that were crippled due to this attack. Thank god for backups! :) In any case, here is what I have been able to find out about the exploit: 1. It replaced all .html and .asp files with trojan html code. An example can be seen at http://www.nacs.net/~jfenner/hack.html 2. It appears to use components of the "RaQFuCk.sh" script by core http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts a symlink attack using cron through the exploitation of an suid /usr/lib/authenticate on the Cobalt Raq. 3. We have not been able to actually catch the code in action, but the html references the following: irc.brasnet.org #BugTravel 4. The HTML also suggests sending E-mail to "[EMAIL PROTECTED]" for help, which I did, kindly requesting that they inform me of how/what was used to remote exploit the box. I received the following: From: [EMAIL PROTECTED] To: "[iso-8859-1] Greg" <[EMAIL PROTECTED]> Subject: [iso-8859-1] Re: Bug-Travel >Hello, > One of our Raq units was hacked by Bug-Travel, and it > suggested that we E-mail this address for help. So, here you go. > I'm E-mailing you for help. >Thanks patch you OpenSSL - -- End of Message -- Analysis - -------- Near as I can tell, they were able to remotely exploit OpenSSL and establish a remote shell, at which point RaQFuCk.sh was executed, providing full open access to the system. I haven't been able to gain access through any exploit code that I can find. The attack could have come either through Apache or OpenSSH, but I have no direct proof, so this is all conjecture. Reaction - -------- I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH 3.4p1PM4 from http://pkgmaster.com. We have also restricted SSH access to our raqs through /etc/hosts.allow|deny. I have put RPMS for OpenSSL 0.9.7 on our FTP server at: ftp://ftp.nacs.net/pub/software/cobalt_raq4 openssl-0.9.7-1.i386.rpm openssl-0.9.7-1.src.rpm openssl-devel-0.9.7-1.i386.rpm openssl-doc-0.9.7-1.i386.rpm OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if Cobalt's security patches address this, as I just applied them in the order required and didn't read much about what was being patched. After installing the new OpenSSL RPMS, my previous versions of OpenSSH would not work properly, so I updated to the 3.4pl1 from pkgmaster and all is fine. Comments? Suggestions? This is a nasty bug. If anyone has more information to provide on this thing, please do not hesitate to chip in. I may be way off base here, but I've had the opportunity to look at 3 different boxes that where compromised and I think I'm on the right track. Greg ----- Original Message ----- From: "Peter Lorent" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, January 23, 2003 11:15 AM Subject: RE: [cobalt-developers] Fixing the nasty RaQ Hack... As to the question which particular service is being hacked: it seems possible to sniff individual ftp-accounts and get root-access. Peter _______________________________________________ cobalt-developers mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-developers _______________________________________________ cobalt-developers mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-developers
