Question about SuSE security alerts
Perhaps someone from SuSE could clear this up. I am subscribed to the SuSE security announcements mailing list - I was actively monitoring the list so I could know when updates for mod_python and libxml2 would be available. The last security announcement (before today's openssl one) mentioned this: http://lists.suse.com/archive/suse-security-announce/2004-Feb/0002.html

- mod_python: A remote denial-of-service attack can be triggered against the Apache web server by sending a specific query string that is processed by mod_python. New packages will be available soon.
- libxml2: A buffer overflow in the URI parsing code is fixed. This bug can lead to remote access to a system using libxml2. New packages will be available soon.
- pwlib: This update addresses several security vulnerabilities that may be exploited remotely via applications that link with pwlib, like GnomeMeeting or alike. New packages will be available soon.

I maintain my own FTP server which contains the base SuSE RPMs and some of my own custom packages. Yesterday when rsync was run from cron on my FTP server I noticed that those three updates were in the mirrors. But there were no security announcements for these updates. And now in today's OpenSSL announcement it says that new packages for the above mentioned software are available on the SuSE ftp servers: http://lists.suse.com/archive/suse-security-announce/2004-Mar/0001.html

My question is what is the reason for not issuing separate security announcements for updates such as these? Other distributions (like Debian) post one announcement per update which seems like a logical choice. Any thoughts?

Regards, Avtar Gill
Hi !
I maintain my own FTP server which contains the base SuSE RPMs and some of my own custom packages. Yesterday when rsync was run from cron on my FTP server I noticed that those three updates were in the mirrors. But there were no security announcements for these updates. And now in today's OpenSSL announcement it says that new packages for the above mentioned software are available on the SuSE ftp servers..
And the packages are there. If you run "YOU" or "fou4s" regularly (at least once a week IMHO), you will notice them and can install them. Or do it like me: mirror the SuSE FTP-server (or one of its mirrors) and get a notification from the "mirror" program when there is something new.

SuSE issues Security Announcements only for patches that fix severe problems. All the little fixes and patches just turn up on the FTP-server. And as you noticed, they are mentioned in the next (few) security announcements that SuSE issues to the "suse-security" and "suse-security-announce" mailing lists.

Regards, Armin
Armin Schoech wrote:
SuSE issues Security Announcements only for patches that fix severe problems. All the little fixes and patches just turn up on the FTP-server. And as you noticed, they are mentioned in the next (few) security announcements that SuSE issues to the "suse-security" and "suse-security-announce" mailing lists.
I guess that's one way to do it. I still think that each of those security updates deserves individual announcements on the SUSE security announcements mailing list. In my opinion any security fix is severe and notification of a fix should be advertised clearly on its own and not somewhere in between another security advisory's text.
On Mar 18, Avtar Gill
I still think that each of those security updates deserves individual announcements on the SUSE security announcements mailing list. In my opinion any security fix is severe and notification of a fix should be advertised clearly on its own and not somewhere in between another security advisory's text.

That's the reason why a lot of people use fou4s (http://fou4s.gaugusch.at/). As soon as there is an update available, you are notified via mail with a description of the update. What else do you want?
Markus
Markus Gaugusch wrote:
That's the reason why a lot of people use fou4s (http://fou4s.gaugusch.at/). As soon as there is an update available, you are notified via mail with a description of the update. What else do you want?
I already have an automated method of monitoring SUSE ftp mirrors for updates, downloading and incorporating them into my local APT ftp repository and I get notified of any changes in the process. But that wasn't my point. I raised a question regarding a procedure of the SUSE security team and not about a third party tool. I just wanted to be familiar with the reasoning behind incorporating small security announcements of several programs in other unrelated errata updates. What I was hinting at was that it might be beneficial to post individual notifications to the suse-security-announcements mailing list for each update. There is only one email notification for the month of March.. http://lists.suse.com/archive/suse-security-announce/2004-Mar/ At first glance it looks like an OpenSSL update and yet it notifies users of an unrelated kernel security fix within the email (along with xf86_glx, gnome-session, pwlib, libxml2, mod_python, mozilla, mailman, metamail and sysstat!).
The Thursday 2004-03-18 at 09:27 -0000, Armin Schoech wrote:
SuSE issues Security Announcements only for patches that fix severe problems. All the little fixes and patches just turn up on the FTP-server. And as you noticed, they are mentioned in the next (few) security announcements that SuSE issues to the "suse-security" and "suse-security-announce" mailing lists.
Interestingly, the last announcement (Mar 17) made it to the suse-security list, but not to the suse-security-announce list - or at least, I haven't got it. Is that usually so? -- Cheers, Carlos Robinson
On Fri, Mar 19, 2004 at 01:55:23AM +0100, Carlos E. R. wrote:
Interestingly, the last announcement (Mar 17) made it to the suse-security list, but not to the suse-security-announce list - or at least, I haven't got it. Is that usually so?
It made it to the suse-security-announce list, you just didn't get it. I cannot tell you whether it is usually so that you don't get it. ;-) Robert
Carlos E. R. wrote:
The Thursday 2004-03-18 at 09:27 -0000, Armin Schoech wrote:
SuSE issues Security Announcements only for patches that fix severe problems. All the little fixes and patches just turn up on the FTP-server. And as you noticed, they are mentioned in the next (few) security announcements that SuSE issues to the "suse-security" and "suse-security-announce" mailing lists.
Interestingly, the last announcement (Mar 17) made it to the suse-security list, but not to the suse-security-announce list - or at least, I haven't got it. Is that usually so?
Cyrus-Imapd with kill-duplicate messages enabled? (option is called duplicatesuppression in imapd.conf and defaults to on) René Gallati
The Friday 2004-03-19 at 17:22 +0100, Rene Gallati wrote:
Interestingly, the last announcement (Mar 17) made it to the suse-security list, but not to the suse-security-announce list - or at least, I haven't got it. Is that usually so?
Cyrus-Imapd with kill-duplicate messages enabled? (option is called duplicatesuppression in imapd.conf and defaults to on)
No, nothing of the kind: fetchmail, procmail, postfix. The last email on suse-security-announce I got is dated Mon, 23 Feb 2004 17:32:52. I'll have a look at lists.suse.com, and then I'll have to resubscribe, perhaps. -- Cheers, Carlos Robinson
The Friday 2004-03-19 at 01:55 +0100, Carlos E. R. wrote:
Interestingly, the last announcement (Mar 17) made it to the suse-security list, but not to the suse-security-announce list - or at least, I haven't got it. Is that usually so?
Found the problem: mea culpa. A bad procmail recipe was moving emails on the suse-security-announce list to the suse-security list instead, because the recipe for the last was above in the .procmailrc file, and it matched first. -- Cheers, Carlos Robinson
Hi There,

We have a number of servers running 8.2. One of them was recently hacked. We noticed that an IFRAME-tag was added to a few index.html files. This IFRAME-tag sends a URL to the client and forces the client to download malware from another server. It seems they tried to exploit an IE vulnerability this way. Further, the global PHP.INI was edited. The option 'auto-append' was set to '/etc/.app'. This file (.app) contains the same URL as the IFRAME-tag. This results in a behaviour that clients are getting awful pop-ups every time they request a php page. The file dates and times of the changed files were all lying in a small time frame of about 10 minutes.

We didn't find anything unusual in the system logs etc. The only remarkable finding is that /USR/SBIN/CRON has been changed. It is 28024 bytes and its date and time is March 7, 00:55 hrs. (On our other servers (same OS version) this file is 23928 bytes and dated March 14, 2003.) Of course I googled but didn't find very much. This URL describes a 6KB worm on BSD-systems: http://craiu.pcnet.ro/papers/papers/exsee.html, but I doubt whether this is the cause in my case.

At the time of the hack we were using:
- Apache 1.3.28 and 1.3.29
- PHP 4.3.2
- Cvsd 0.9.20
- Openssl 0.9.6i
- Suse auto_update
- Webmin 1.131

- Is there anyone who knows more about this?
- How can I see which code (worm) is added to the file CRON?
- Does CVSD have any specific weaknesses which can be related to this?

Thanks in advance for your help, Jeroen
On Mar 20, Jeroen Taalman
We have a number of servers running 8.2. One of them was recently hacked.

Did you always apply all patches that were available via YOU/fou4s? Did you reboot after kernel updates, and restart affected services after online update?
Markus
On Sat, 20 Mar 2004, Jeroen Taalman wrote:
At the time of the hack we were using:
- Apache 1.3.28 and 1.3.29
- PHP 4.3.2
- Cvsd 0.9.20
- Openssl 0.9.6i
- Suse auto_update
- Webmin 1.131
Did you change the default settings of php.ini before going online? These are insecure by default. Try taking a look at chapter 20 of the php4 manual, about remote file access. This may help you. Kind Regards - Keith Roberts
Did you run chkrootkit? Try running it to see what worm is there. Have it from here: http://www.chkrootkit.org/

Any file monitoring system? (tripwire)
IDS or anything? (AIDE, Snort)
Updates up2date?

At 10:54 PM 3/20/2004, Jeroen Taalman wrote:
What you have to do now is called forensic analysis. Ask google for details. First separate yourself from the network and "dd" your hard drive content to somewhere. Install a complete new system, apply all current patches and harden the box to the best of your knowledge (hopefully enough). With the backup of the compromised system you can now try to find out how the attacker came in and owned your box.

One point to start from is here: http://www.sleuthkit.org/autopsy/index.php

Hope that helps

The bob
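Two defender-side triage checks for the symptoms in Jeroen's report (the altered /usr/sbin/cron and the php.ini auto-append hook), in the spirit of the forensic-analysis reply above. This is added example code, not from the thread, SuSE or any tool named here; it assumes an RPM-based system and runs on constructed sample input so that the functions are shown end to end.

```shell
#!/bin/sh
# Added triage helpers for two symptoms in this thread: a replaced
# /usr/sbin/cron and a php.ini auto_append_file hook. Example code written
# for this page, not a tool from the thread or from SuSE. Assumes an
# RPM-based system; on the affected box you would feed rpmv_decode the
# output of `rpm -Vf /usr/sbin/cron` and php_ini_hooks the global php.ini.
# If the attacker also touched the rpm database or binary, run the
# verification from a clean boot medium instead.

# Decode one line of `rpm -V` output. The first field has one character
# per attribute that differs from the package database:
#   S size, M mode, 5 md5 digest, D device, L symlink, U user, G group, T mtime
# A '.' means the attribute matches. Prints the changed attributes.
rpmv_decode() {
  flags=${1%% *}                       # first whitespace-delimited field
  case $flags in missing) printf 'missing\n'; return ;; esac
  out=""
  case $flags in *S*) out="$out size" ;; esac
  case $flags in *M*) out="$out mode" ;; esac
  case $flags in *5*) out="$out md5" ;; esac
  case $flags in *D*) out="$out device" ;; esac
  case $flags in *L*) out="$out symlink" ;; esac
  case $flags in *U*) out="$out user" ;; esac
  case $flags in *G*) out="$out group" ;; esac
  case $flags in *T*) out="$out mtime" ;; esac
  if [ -n "$out" ]; then printf '%s\n' "${out# }"; else printf 'unchanged\n'; fi
}

# Report any auto_prepend_file / auto_append_file directive in a php.ini
# that is set to a non-empty value. Either makes PHP include a chosen file
# on every request, which is how the pop-up URL was injected here.
# Prints the offending lines; prints nothing and returns 1 if none is set.
php_ini_hooks() {
  grep -E '^[[:space:]]*auto_(prepend|append)_file[[:space:]]*=[[:space:]]*[^[:space:];]' "$1"
}

# Constructed sample input (not real data from the thread's server).
SAMPLE_RPMV='S.5....T    /usr/sbin/cron'
demo_php_ini() {
  f=${TMPDIR:-/tmp}/php.ini.$$
  printf '%s\n' '; constructed php.ini excerpt' 'auto_prepend_file =' \
    'auto_append_file = /etc/.app' > "$f"
  php_ini_hooks "$f"; rc=$?
  rm -f "$f"
  return $rc
}

rpmv_decode "$SAMPLE_RPMV"   # size md5 mtime
demo_php_ini                 # auto_append_file = /etc/.app
```

A size, md5 and mtime mismatch on a binary that no update touched is exactly the pattern Jeroen describes for cron; the same `rpm -V` decoding applies to any other package file.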