Hi,
> Hi Thomas,
>
> Something very similar happened to me some weeks ago. We traced it to
> a vicious trojan that replaced my system ls, ps and other such vital
> commands.
>
> If I guess right, your www process is running, but the 'ps aux' that you
> run won't show it.
No. httpd did NOT run, and we couldn't restart it. That's why we looked for
suspicious activities in our system.
If httpd had run as usual, we probably still wouldn't know today
what's going on.
> The www process is probably supplying data to the
> hacker through the trojan.
Yes, an irc-daemon was started as user wwwrun.
And "top" revealed this.
>
> In my particular attack the hacker had a keyboard sniffer, which
> transmitted my root passwd etc. through a tcp connection to a site
> somewhere in Russia. Also cited was an ftp host in Belgium which was
> getting some of the data that was being sniffed out.
I also found some hints.
In /var/tmp/ the attacker created two directories:
"..." and
" " (one blank)
There I found many tools and sources:
- many irc tools
- a scanner that scans other hosts for apache/ssl vulnerabilities
- an apache/ssl exploit
- some tools to hide processes
and a .bash_history for user wwwrun, so I was able to reconstruct many of
the activities.
If somebody is interested in receiving the history or the tools, mail me.
>
> I was running suse 7.3 w/ apache+mod_ssl, and neglected to apply the
> security patch to cover a known vulnerability.
yeah, shit happens ...
>
> Ended up changing the hard-drive and rebuilding the server!
yes.
Thomas
>
> pm
>
> Thomas Langfeld wrote:
>
> >Hi,
> >
> >we are running suse 7.3 and apache 1.3.20 with mod_ssl
> >
> >Last week it happened:
> >- webserver down
> >- apache could not be restarted
> >- error-log:
> >'[crit] (98)Address already in use: make_sock: could not bind to port 443'
> >
> >So, let's look at what wwwrun is doing:
> >- a 'ps aux | grep wwwrun' showed nothing
> >- but: 'top' and 'uwwwrun' showed some processes 'eggdrop' running as user 'wwwrun'
> >-> maybe a rootkit which replaced '/usr/bin/ps' ???
> >- a portscan revealed open tcp port 6667
> >
> >1. question:
> >Does anybody know, what's the reason for that ?!?
> >
> >We suggested it could be the ssl worm Slapper, but it usually opens udp ports
> >and not tcp 6667.
> >
> >2. question:
> >In Apache 1.3.27 all known security-holes are fixed.
> >
> >But there is no RPM for suse 7.3.
> >There is only a package with version 1.3.20-77.
> >So we don't know if all those security holes are fixed in this package?
> >
> >The same for mod_ssl / OpenSSL ?
> >
> >So we don't know: when we install the latest SuSE RPMs, are we protected
> >against the above attack??
> >
> >Anybody who can answer the questions ?
> >
> >Thx,
> >Thomas
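The two traces in the thread above, a replaced ps that hides processes and tool directories named "..." or a single blank under /var/tmp, can both be checked from /proc and a raw directory listing. The following script is an added example, not code from the posters; the detection logic is written as functions over already-collected input so it can be exercised on constructed data, and collect_live() feeds it real data on a Linux host. The pattern of "easy to overlook" names is an assumption built from the two names reported in the post.

```python
#!/usr/bin/env python3
"""Added example (not from the original posts): find processes that ps does
not report and directory names designed to vanish in an `ls` listing."""
import os
import re
import subprocess

# Directory names meant to be overlooked: three or more dots, only blanks,
# or a dot padded with blanks. Assumption based on the "..." and " " seen
# in the post; extend as needed.
SUSPICIOUS_NAME = re.compile(r"^(\.{3,}|\s+|\.\s+|\s+\.)$")


def parse_ps_pids(ps_output):
    """PIDs from the output of `ps -e -o pid=` (one PID per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def proc_pids(entries):
    """PIDs among the names of a /proc directory listing."""
    return {int(name) for name in entries if name.isdigit()}


def hidden_pids(ps_output, entries):
    """PIDs that /proc knows about but ps does not report.

    A userland rootkit that replaces ps filters its own output but cannot
    remove the /proc/<pid> directories. A single transient miss can be a
    process that exited between the two snapshots; rerun and keep what
    persists.
    """
    return proc_pids(entries) - parse_ps_pids(ps_output)


def suspicious_names(entries):
    """Entries whose names are designed to blend into an `ls` listing."""
    return sorted(name for name in entries if SUSPICIOUS_NAME.match(name))


def collect_live(scan_dirs=("/tmp", "/var/tmp")):
    """Run both checks against the live host (Linux only)."""
    ps_out = subprocess.run(
        ["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True
    ).stdout
    entries = os.listdir("/proc")
    report = {"hidden_pids": hidden_pids(ps_out, entries), "odd_names": {}}
    for directory in scan_dirs:
        try:
            found = suspicious_names(os.listdir(directory))
        except OSError:
            found = []
        if found:
            report["odd_names"][directory] = found
    return report


if __name__ == "__main__":
    report = collect_live()
    for pid in sorted(report["hidden_pids"]):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            cmd = "(gone)"
        print(f"hidden from ps: pid {pid} {cmd}")
    for directory, names in report["odd_names"].items():
        for name in names:
            print(f"odd name in {directory}: {name!r}")
```

Two caveats. A kernel-module rootkit that hooks /proc itself defeats the listing comparison; the next step there is to stat /proc/<n> directly for every n up to pid_max, since hooking readdir does not hide a direct lookup. And on a box where ps was already replaced, ls and rpm cannot be trusted either: run the checks from a clean boot medium, or at least compare against the package database with `rpm -Vf /bin/ps`, keeping in mind that the attacker may have touched the database too.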
Hi all!
Can somebody please tell me how to enable mod_frontpage for apache within
SuSE 8.1. I have apache installed, and mod_frontpage, and
/usr/local/frontpage ....
I'd rather have the MS people run their stuff on a real OS :)
Mattias Olsson
IT Consultant
Communication Solutions
mattias.olsson(a)siemens.com
Phone: +46 8 730 6573
Mobile: +46 70 629 1071
Hi,
How do I get access to my own webserver from the internal network via the normal DNS
lookup http://mydomain.com ?
My setup:
FW_DEV_EXT="eth2" is external, masqueraded to my IP address
FW_DEV_DMZ="eth1" is dmz, 10.0.0.0/8 with a webserver in the dmz
FW_DEV_INT="eth0" is internal 192.168.1.0/24
FW_ROUTE=yes
FW_MASQUERADE="yes"
Internal network has full access to internet:
FW_MASQ_NETS="192.168.1.0/24"
External traffic is allowed to the webserver:
FW_FORWARD_MASQ="0/0,10.0.0.2,tcp,80"
When I add a rule FW_FORWARD="192.168.1.0/24,10.0.0.2,tcp,80" as suggested
with option 14, I can get access from internal to the webserver by going directly
to the 10.0.0.2 address, but this is not what I want. The explanation with conf
option 14 does not help me out here.
Log says: SuSE-FW-ACCCESS_DENIED_INT
-
jaap noordzij
smokejumper at chello.nl
Hi Mario:
I just tried some downloads (10:00 PM PTZ) and all SuSE mirrors that I tried "timed out."
Internet health Report <http://www.internetpulse.net/>
now shows a number of US backbone providers including AT&T going critical
(in the red zone - ) so you are not alone.
SQLsecurity.com is recommending blocking access to TCP 1433 and UDP 1434 from all un-trusted clients which it appears you are doing by your rules.
You didn't say if you have a SQL Server inside your firewall.
Do you?
If so you might look at SQLsecurity.com
Sorry I can't be more helpful :((
*************
"Mario Neubert" <mario_neubert(a)gmx.de> wrote:
>Hello List,
>
>Just I have seen the graphics of my server with MRTG.
>This fu..... crackers. My system is stable but the traffic is very high.
>The rules for udp/tcp 1433/1434 do block the unicast traffic, but
>multicast traffic also comes in and I don't know what I can do against
>this.
>It seems to be the MSSQL worm on a multicast address.
>
>List, have anyone any idea? Many thanks....
>
>Mario
>
>
>
>
>PS:
>
>tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376
>
>I have inserted following rules to SuSEfirewall
>
>DROP all -- 0.0.0.0/0 224.0.0.0/8
>DROP all -- 217.175.233.161 0.0.0.0/0
>DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
>DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
>DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
>DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
>
>
Hello.
I have a firewall installed on the server; incoming traffic is filtered very
well. I have everything clearly written in the logs.
But lately I have been thinking about my outgoing traffic.
How can I check/log which packets leave my server and which server
processes communicate with the Internet?
I have one eth0 - external device.
--
-----------------------------------------------------------------
Dominik Skladanowski
e-mail: dominik.skladanowski(a)ch.pw.edu.pl
-----------------------------------------------------------------
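The question above has a quick answer (`netstat -tunp` or `lsof -i` show the owning process of each socket), but those are exactly the binaries a rootkit replaces. The script below is an added example, not from the poster, that builds the same view from /proc alone: /proc/net/tcp lists every socket with its addresses in little-endian hex and its inode, and each /proc/<pid>/fd/* symlink to "socket:[<inode>]" ties the inode to a pid. The parsers take text or dict input so they can be tested on the constructed sample at the bottom; live_connections() reads the real files. The sample's addresses and pids are made up.

```python
#!/usr/bin/env python3
"""Added example (not from the original posts): map established outbound
connections to the processes that own them, using only /proc."""
import os
import re
import socket
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def decode_addr(hex_addr):
    """'0201A8C0:8F3C' -> ('192.168.1.2', 36668). The kernel prints the IPv4
    address in host byte order, hence the little-endian unpack (x86)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net(text):
    """Parse the text of /proc/net/tcp (or /proc/net/udp) into dicts."""
    rows = []
    for line in text.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def inode_to_pid(fd_links):
    """{pid: [symlink targets of /proc/<pid>/fd/*]} -> {socket inode: pid}"""
    table = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = SOCKET_LINK.match(target)
            if m:
                table[int(m.group(1))] = pid
    return table


def outbound(rows, inode_map):
    """Established connections to a non-loopback peer as
    (remote, local, uid, pid); pid is None when no visible process owns the
    socket (kernel socket, or a process we may not inspect)."""
    result = []
    for row in rows:
        if row["state"] != "ESTABLISHED" or row["remote"][0].startswith("127."):
            continue
        result.append((row["remote"], row["local"], row["uid"], inode_map.get(row["inode"])))
    return result


def live_fd_links():
    """Read every /proc/<pid>/fd; run as root to see other users' processes."""
    links = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        fd_dir = f"/proc/{name}/fd"
        try:
            links[int(name)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
        except OSError:                        # process gone or not inspectable
            continue
    return links


def live_connections():
    with open("/proc/net/tcp") as fh:
        rows = parse_proc_net(fh.read())
    return outbound(rows, inode_to_pid(live_fd_links()))


# Constructed sample: a listening sshd on 127.0.0.1:22 and an outbound
# connection to port 6667 (IRC) from uid 101, owned by pid 4711.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000
   1: 0201A8C0:8F3C 0A5A0C5B:1A0B 01 00000000:00000000 00:00000000 00000000   101        0 23456 1 00000000
"""
SAMPLE_FDS = {1: ["socket:[12345]"], 4711: ["/dev/null", "socket:[23456]"]}

if __name__ == "__main__":
    for remote, local, uid, pid in live_connections():
        print(f"{local[0]}:{local[1]} -> {remote[0]}:{remote[1]} uid={uid} pid={pid}")
```

This gives a snapshot; for a continuous log of new outgoing connections, add a rule such as `iptables -A OUTPUT -o eth0 -m state --state NEW -j LOG --log-prefix "OUT-NEW: "` ahead of the accept rule, and on 2.4-era kernels `-m owner --uid-owner <uid>` lets you log or block by the uid of the originating process (wwwrun, in the compromise discussed earlier in this digest).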
Hi all. Firstly, sorry if this has been covered earlier; I could not find any
information previously posted.
I'm trying to find out info on chrooting both named (bind) and postfix. On suse
8 I notice that both services have a chroot sysconfig variable which has
been set to yes, but there appears to be no actual call to the chroot binary.
I have tried this using dhcpd, which works a treat, with the process list
clearly showing that the daemon is running under a chroot env etc.; this does
not occur for named or postfix. Any ideas?
thanks
Brett Stevens
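Neither daemon in the question above is started through chroot(8), which is why nothing shows up in the process list: named chroots itself when started with `-t <dir>`, and the postfix master process chroots each child daemon into the queue directory when the chroot column of master.cf says so. The authoritative check is /proc/<pid>/root, which resolves to the process's root directory. The script below is an added example, not from the poster: it pulls the chroot directory out of a named command line, reads the chroot column of master.cf, and compares /proc/<pid>/root against "/". The master.cf excerpt is constructed for the test.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): verify that named and the
postfix daemons really run chrooted, using /proc and their own config."""
import os


def named_chroot_dir(argv):
    """Chroot directory from a named command line ('-t dir' or '-tdir'), or None."""
    for i, arg in enumerate(argv):
        if arg == "-t" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-t") and len(arg) > 2:
            return arg[2:]
    return None


def postfix_chroot_table(master_cf, default="y"):
    """Service name -> True/False from the chroot column of master.cf.

    Columns: service type private unpriv chroot wakeup maxproc command.
    '-' means the built-in default: 'y' in Postfix before 3.0, 'n' from
    3.0 on. Pass default accordingly.
    """
    table = {}
    for line in master_cf.splitlines():
        if not line or line[0] in "# \t":      # comment or continuation line
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        flag = fields[4]
        table[fields[0]] = (default if flag == "-" else flag).lower() == "y"
    return table


def is_chrooted(root_link):
    """True when /proc/<pid>/root resolves anywhere but the real root."""
    return os.path.normpath(root_link) != "/"


def live_roots(names=("named", "master", "smtpd", "pickup", "qmgr")):
    """{pid: (name, root)} for processes with the given names. Reads the
    Name: line of /proc/<pid>/status; needs root to readlink other users'
    /proc/<pid>/root."""
    found = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                name = fh.readline().split(":", 1)[1].strip()
            if name in names:
                found[int(entry)] = (name, os.readlink(f"/proc/{entry}/root"))
        except OSError:
            continue
    return found


# Constructed master.cf excerpt: two services on the default, two set to n.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
qmgr      fifo  n       -       n       300     1       qmgr
local     unix  -       n       n       -       -       local
"""

if __name__ == "__main__":
    for pid, (name, root) in sorted(live_roots().items()):
        state = "chrooted in " + root if is_chrooted(root) else "NOT chrooted"
        print(f"{pid:6d} {name:8s} {state}")
```

A chrooted named shows up as something like `/var/lib/named` in the root column, while the postfix master itself stays at "/" by design and only its children (smtpd, pickup, qmgr) move into the queue directory; `local` and `pipe` normally stay unchrooted because they need the real filesystem to deliver.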
Hello List,
Just I have seen the graphics of my server with MRTG.
This fu..... crackers. My system is stable but the traffic is very high.
The rules for udp/tcp 1433/1434 do block the unicast traffic, but
multicast traffic also comes in and I don't know what I can do against
this.
It seems to be the MSSQL worm on a multicast address.
List, have anyone any idea? Many thanks....
Mario
PS:
tcpdump> 217.175.233.161.1181 > 224.41.16.185.1434: udp 376
I have inserted following rules to SuSEfirewall
DROP all -- 0.0.0.0/0 224.0.0.0/8
DROP all -- 217.175.233.161 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1433
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1434
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1433
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1434
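The tcpdump line in the post is the exact shape of the MS SQL worm (Slammer): one UDP datagram of 376 payload bytes to port 1434, here aimed at a multicast group. The following script is an added example, not from the poster, that classifies lines in that old tcpdump summary format and counts worm hits per source and multicast destinations separately. The first sample line is the one from the post; the others are constructed using documentation address ranges.

```python
#!/usr/bin/env python3
"""Added example (not from the original posts): tag tcpdump UDP lines that
match the MS SQL worm signature or go to a multicast group."""
import ipaddress
import re
from collections import Counter

SQL_RESOLVER_PORT = 1434     # SQL Server Resolution Service (UDP)
SLAMMER_PAYLOAD = 376        # UDP payload length of the worm datagram
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Old tcpdump summary format as quoted in the post:
#   src.sport > dst.dport: udp <payload length>
# Anything before the source address (timestamp, "IP") is ignored.
UDP_LINE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): udp (?P<length>\d+)"
)


def parse_udp_line(line):
    """Return (src, sport, dst, dport, length) or None for non-UDP lines."""
    m = UDP_LINE.search(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["length"]))


def classify(src, sport, dst, dport, length):
    """Tags for one datagram; an empty list means nothing of interest."""
    tags = []
    if dport == SQL_RESOLVER_PORT:
        # Exact worm signature is 376 bytes to 1434; other sizes are probes.
        tags.append("slammer" if length == SLAMMER_PAYLOAD else "ssrs-probe")
    if ipaddress.ip_address(dst) in MULTICAST:
        tags.append("multicast")
    return tags


def summarize(lines):
    """Tag counts over many tcpdump lines plus worm hits per source address."""
    tags = Counter()
    worm_sources = Counter()
    for line in lines:
        parsed = parse_udp_line(line)
        if parsed is None:
            continue
        for tag in classify(*parsed):
            tags[tag] += 1
            if tag == "slammer":
                worm_sources[parsed[0]] += 1
    return {"tags": dict(tags), "worm_sources": dict(worm_sources)}


# Constructed sample: line 1 (and its repeat) is from the post, the rest
# use documentation ranges.
SAMPLE = """\
217.175.233.161.1181 > 224.41.16.185.1434: udp 376
198.51.100.7.53 > 203.0.113.9.1025: udp 80
203.0.113.9.2345 > 198.51.100.7.1434: udp 376
203.0.113.9.2346 > 198.51.100.7.1434: udp 20
217.175.233.161.1181 > 224.41.16.185.1434: udp 376
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = SAMPLE if len(sys.argv) < 2 else open(sys.argv[1])
    print(summarize(lines))
```

Two points on the rules in the post. `DROP all -- 0.0.0.0/0 224.0.0.0/8` does match the 224.41.16.185 destination shown, but the IPv4 multicast range is 224.0.0.0/4 (224.0.0.0 to 239.255.255.255), so groups in 225.x through 239.x would still pass; match on 224.0.0.0/4 instead. More importantly, a DROP only stops the datagrams from reaching the host's sockets; the bytes still arrive on the wire and still show in an MRTG interface graph. Multicast that is being forwarded onto your segment has to be cut off at the upstream router (no multicast forwarding / IGMP on that interface), which is a request to the provider, not a local rule.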
Hi,
> I have a SUSE 7.2 machine, with running samba and mysql.
>
> And as the machine did not make any move this morning (but was still
> running)I had to (hard-)reboot it.
>
Which kernel version do you use? I had a similar problem some
months ago using the original kernel of SuSE 7.2. I compiled a new
kernel from kernel.org and everything was okay.
Bye,
Martin Stingl
Hi!
Has anyone had something similar before?
I have a SUSE 7.2 machine running samba and mysql.
And as the machine did not make any move this morning (but was still
running) I had to (hard-)reboot it.
Now I've found that nothing has been written to the
hard disks since Friday noon, although some files have been opened, changed
and saved from the Windows boxes and there have been changes
to the MySQL databases ... (!!! even yesterday, and even one file saved on
Saturday was opened and changed yesterday !!!)
But after the reboot today everything since Friday noon is gone ...
The messages logfile stopped on Friday with a line of @@@@@@@@ and begins
again this morning.
Is it possible that the linux box had all these changes to the files (and
in the SQL database) in its RAM and did not write them back to disk?
OK, I know this with MySQL, but therefore I do a flush tables 4 times a day ...
even this has been ignored ...
And the worst thing is that linux and the windows boxes did not give
any error messages ...
Any idea???
ThanXs,
Martin
-----------------------------------------------------------------
Dipl.-Ing. Martin Schichl
SC&C Software, Communication & Consulting GmbH & Co KEG
Grottenhofstr. 3, A-8053 Graz
Tel. +43/(0)316/265-205, Fax +43/(0)316/265-234
mschichl(a)scc.co.at, http://scc.co.at