[opensuse] access logs on Nov 30
Hello,

Some malicious files were written to my openSUSE (13.1, I know... obsolete :-() on Nov 30.

How can I trace what access was used? I suspect ftp, but it may also be php.

thanks
jdd

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
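The question above ("which access was used, ftp or php?") is answered from three places: the owner and timestamps of the files that appeared, the web server's access log (a file can only arrive through the web server via a POST/PUT or WebDAV), and the FTP daemon's log. The script below is an added example, not code from the thread or from any of the participants; the log lines it carries are constructed, the log paths named in the comments and the account name `jdd` / web root `/home/jdd/public_html` are assumptions to adjust, and `find_window_files` needs GNU find.

```shell
#!/bin/sh
# Added example, not part of the thread: given the day on which unwanted files
# appeared, list (1) files changed in that window with their owner, (2) web
# requests that can create files (POST/PUT) on that day, and (3) successful FTP
# uploads on that day.  Everything after the functions is constructed sample
# data.  Real paths on openSUSE are an assumption to check:
#   /var/log/apache2/access_log   and   /var/log/vsftpd.log

# (1) Files changed inside [start, end).  Requires GNU find (-newermt/-printf).
# The %u column is the owner: the account the files were written as.
find_window_files() {            # $1 = dir, $2 = start, $3 = end, e.g. "2016-11-30"
    find "$1" -type f -newermt "$2" ! -newermt "$3" \
        -printf '%u %TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort
}

# (2) Apache combined log on stdin: print client, timestamp and path of every
# POST or PUT on the given day (format dd/Mon/yyyy).  Field 4 is "[day:hh:mm:ss",
# field 6 is the quoted method, field 7 the request path.
web_writes_on() {                # $1 = 30/Nov/2016
    awk -v day="$1" '
        index($4, "[" day ":") == 1 && ($6 == "\"POST" || $6 == "\"PUT") {
            print $1, substr($4, 2), $7
        }'
}

# (3) vsftpd.log (xferlog_std_format=NO) on stdin: successful uploads on the
# given day (format "Mon dd").  Lines start like "Wed Nov 30 00:04:58 2016".
ftp_uploads_on() {               # $1 = "Nov 30"
    awk -v day="$1" '$0 ~ ("^[A-Z][a-z][a-z] " day " ") && /OK UPLOAD:/ { print }'
}

# Counts only, so the two channels can be compared at a glance.
channel_summary() {              # $1 = web day, $2 = ftp day; reads $ACCESS_LOG/$FTP_LOG
    web=$(printf '%s\n' "$ACCESS_LOG" | web_writes_on "$1" | wc -l | tr -d ' ')
    ftp=$(printf '%s\n' "$FTP_LOG" | ftp_uploads_on "$2" | wc -l | tr -d ' ')
    printf 'web_writes=%s ftp_uploads=%s\n' "$web" "$ftp"
}

# --- constructed sample data (addresses from the documentation ranges) ---
ACCESS_LOG='203.0.113.7 - - [29/Nov/2016:23:58:01 +0100] "GET /~jdd/piwigo/index.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Nov/2016:00:03:12 +0100] "POST /~jdd/piwigo/ws.php HTTP/1.1" 200 312 "-" "python-requests/2.9"
203.0.113.7 - - [30/Nov/2016:00:03:40 +0100] "POST /~jdd/piwigo/ws.php HTTP/1.1" 200 312 "-" "python-requests/2.9"
203.0.113.7 - - [30/Nov/2016:00:05:02 +0100] "GET /~jdd/piwigo/upload/2016/11/30/spam.php HTTP/1.1" 200 118 "-" "python-requests/2.9"
198.51.100.9 - - [30/Nov/2016:09:15:00 +0100] "GET /~jdd/piwigo/picture.php?/12 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Dec/2016:10:00:00 +0100] "POST /~jdd/piwigo/ws.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"'

FTP_LOG='Tue Nov 29 18:02:11 2016 [pid 2211] CONNECT: Client "198.51.100.9"
Tue Nov 29 18:02:15 2016 [pid 2210] [jdd] OK LOGIN: Client "198.51.100.9"
Tue Nov 29 18:03:01 2016 [pid 2212] [jdd] OK UPLOAD: Client "198.51.100.9", "/public_html/piwigo/upload/photo.jpg", 81234 bytes, 410.55Kbyte/sec
Wed Nov 30 00:04:55 2016 [pid 2530] CONNECT: Client "203.0.113.7"
Wed Nov 30 00:04:58 2016 [pid 2529] [jdd] FAIL LOGIN: Client "203.0.113.7"'

# Stand-alone run: summary first, then the web detail lines, then the files.
channel_summary 30/Nov/2016 "Nov 30"
printf '%s\n' "$ACCESS_LOG" | web_writes_on 30/Nov/2016
WEBROOT=/home/jdd/public_html          # assumption; use the affected account's tree
if [ -d "$WEBROOT" ]; then find_window_files "$WEBROOT" 2016-11-30 2016-12-01; fi
```

On the constructed data the summary reads `web_writes=2 ftp_uploads=0`: two POSTs to the gallery's `ws.php` from the same client minutes before that client fetched a new `.php` under `upload/`, while the only FTP activity that night is a failed login. That pattern points at the web application rather than at ftp; a real log should be read the same way, and the owner column from `find_window_files` (wwwrun versus the account's own uid) tells the same story from the filesystem side.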
jdd wrote:
> Hello,
> Some malicious files were written to my openSUSE (13.1, I know... obsolete :-() on Nov 30
> How can I trace what access was used, I suspect ftp, but it may also be php

Try running a rootkit scanner.

--
Per Jessen, Zürich (1.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 13/12/2016 at 18:28, Per Jessen wrote:
> jdd wrote:
>> Hello,
>> Some malicious files were written to my openSUSE (13.1, I know... obsolete :-() on Nov 30
>> How can I trace what access was used, I suspect ftp, but it may also be php
> Try running a rootkit scanner.

like?

By the way, I don't think it's a rootkit, only an obscure account is compromised, not my main one (luckily).

thanks
jdd
jdd wrote:
> On 13/12/2016 at 18:28, Per Jessen wrote:
>> jdd wrote:
>>> Hello,
>>> Some malicious files were written to my openSUSE (13.1, I know... obsolete :-() on Nov 30
>>> How can I trace what access was used, I suspect ftp, but it may also be php
>> Try running a rootkit scanner.
> like?

rkhunter for instance.

> By the way, I don't think it's a rootkit, only an obscure account is compromised, not my main one (luckily).

Even when it's only an unprivileged account, it's still worrying. I guess you don't know which account it is?

--
Per Jessen, Zürich (1.1°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 13/12/2016 at 19:56, Per Jessen wrote:
> Even when it's only an unprivileged account, it's still worrying. I guess you don't know which account it is?

I stupidly neglected to look at the (evil) file owner, but I know what account it is, for sure.

I'm not the only one that has the problem (search for "piwigo cialis").

The piwigo dev that works on it said that he thinks it's a ftp problem. It may be, if the susefirewall2 log I published in the other post means an accepted connection.

jdd
jdd wrote:
> On 13/12/2016 at 19:56, Per Jessen wrote:
>> Even when it's only an unprivileged account, it's still worrying. I guess you don't know which account it is?
> I stupidly neglected to look at the (evil) file owner, but I know what account it is, for sure.
> I'm not the only one that has the problem (search for "piwigo cialis").

aha, I see. So the weakness is clearly in the gallery software. I googled "piwigo vulnerabilities", quite a few interesting hits.

> The piwigo dev that works on it said that he thinks it's a ftp problem.

TBH, that sounds like a lame excuse for "I don't know, but surely it isn't me". ftp is easy to set up so it is safe to use, and any setup would be separate from piwigo anyway.

If this is an ongoing problem, apparmor could probably help you.

--
Per Jessen, Zürich (0.8°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 14/12/2016 at 07:40, Per Jessen wrote:
> aha, I see. So the weakness is clearly in the gallery software.

Maybe the software uses some "ftp like" php functions, I dunno. I had vsftp active (and removed it, I don't use it now).

> I googled "piwigo vulnerabilities", quite a few interesting hits.

not so bad: https://www.cvedetails.com/product/17862/?q=Piwigo

>> The piwigo dev that works on it said that he thinks it's a ftp problem.
> TBH, that sounds like a lame excuse for "I don't know, but surely it isn't me".

I don't think so, the dev I think of is really smart.

> ftp is easy to set up so it is safe to use

it's not the reputation it has

> and any setup would be separate from piwigo anyway.

In fact I just noticed this piwigo version is the only one I have that is set up in a personal account (user/public_html). The others are unaffected. It's easy to see because the attacker added files to the install that are easy to look at.

> If this is an ongoing problem, apparmor could probably help you.

dunno how, if the attacker uses "official" disk access methods

thanks
jdd
On 2016-12-14 09:19, jdd wrote:
>> If this is an ongoing problem, apparmor could probably help you.
> dunno how, if the attacker uses "official" disk access methods

Doesn't matter. AA can confine any process you configure to confine.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 14/12/2016 at 09:28, Carlos E. R. wrote:
> On 2016-12-14 09:19, jdd wrote:
>>> If this is an ongoing problem, apparmor could probably help you.
>> dunno how, if the attacker uses "official" disk access methods
> Doesn't matter. AA can confine any process you configure to confine.

sure, but "official" access may be needed for the app to work :-)

jdd
On 2016-12-14 09:32, jdd wrote:
> On 14/12/2016 at 09:28, Carlos E. R. wrote:
>> On 2016-12-14 09:19, jdd wrote:
>>>> If this is an ongoing problem, apparmor could probably help you.
>>> dunno how, if the attacker uses "official" disk access methods
>> Doesn't matter. AA can confine any process you configure to confine.
> sure, but "official" access may be needed for the app to work :-)

Ah, you mean that the confined app will need to write into the directories it serves for write. True. But not outside, meaning that it would not be able to compromise the system, "only" the served data.

--
Cheers / Saludos,
Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 14/12/2016 at 09:59, Carlos E. R. wrote:
> Ah, you mean that the confined app will need to write into the directories it serves for write. True. But not outside, meaning that it would not be able to compromise the system, "only" the served data.

yes. The attacker here only uses the attack to display pharmacy advertisements. Nothing really compromised. I even wonder if the gain is worth the work (for him :-), or maybe it's a robot's work?

jdd
jdd wrote:
> On 14/12/2016 at 07:40, Per Jessen wrote:
>> aha, I see. So the weakness is clearly in the gallery software.
> Maybe the software uses some "ftp like" php functions, I dunno.

With a webserver, I think there are only two options - file upload with POST or some sort of webDAV.

>> ftp is easy to set up so it is safe to use
> it's not the reputation it has

Maybe due to poorly skilled admins. I have had a few vsftpd setups running over a few years, no problems.

> In fact I just noticed this piwigo version is the only one I have that is set up in a personal account (user/public_html). The others are unaffected. It's easy to see because the attacker added files to the install that are easy to look at.
>
>> If this is an ongoing problem, apparmor could probably help you.
> dunno how, if the attacker uses "official" disk access methods

Well, either it's "official" or it's "unofficial". Assuming you're running apache under 'wwwrun', it's easy to control where wwwrun is allowed to write to.

--
Per Jessen, Zürich (1.1°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
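What "control where wwwrun is allowed to write to" looks like in practice, as an added example that is not from the thread or from any participant: a generator for an AppArmor local override of the apache profile that grants read on the account's public_html and write only on the gallery's own writable trees, plus a small check on the generated text. Assumptions, not facts from the thread: the openSUSE profile is `/etc/apparmor.d/usr.sbin.httpd2-prefork` with additions read from `/etc/apparmor.d/local/` under the same name (check `ls /etc/apparmor.d/` and whether the main profile ends with an `#include <local/...>` line; if not, append the rules to the main profile), and the gallery's writable trees are `upload/` and `_data/` (check the application's own documentation; add `local/` or others if it complains in complain mode).

```shell
#!/bin/sh
# Added example, not from the thread: an AppArmor local override that limits
# where the apache process (wwwrun) may write.  AppArmor denies whatever a
# profile does not grant, so no "deny" line is needed: an uploaded .php that
# apache executes still runs inside this profile and cannot write outside the
# two gallery trees.  Paths and the gallery's writable dirs are assumptions.

# Emit the override text for one account and one gallery directory.
# "audit" makes every write into the granted trees show up in the audit log,
# which is the log you will want the next time files appear.
apache_local_profile() {         # $1 = account, $2 = gallery dir under public_html
    cat <<EOF
# local/usr.sbin.httpd2-prefork: site-specific additions (generated)
  /home/$1/public_html/** r,
  audit /home/$1/public_html/$2/upload/** rw,
  audit /home/$1/public_html/$2/_data/** rw,
EOF
}

# Write the override (default target: the real local/ directory) and print the
# path.  Then:  apparmor_parser -r /etc/apparmor.d/usr.sbin.httpd2-prefork
# Start with  aa-complain usr.sbin.httpd2-prefork  and read the ALLOWED lines in
# /var/log/audit/audit.log for a few days before switching to aa-enforce.
write_apache_local_profile() {   # $1 = account, $2 = gallery dir, $3 = output file
    out=${3:-/etc/apparmor.d/local/usr.sbin.httpd2-prefork}
    apache_local_profile "$1" "$2" > "$out" && printf '%s\n' "$out"
}

# Number of write-granting rules in a profile on stdin.  Review that count
# before loading: every "w" rule must point into a tree the app has to write.
count_write_rules() {            # stdin = profile text
    grep -cE '[[:space:]]r?w,$'
}

# Stand-alone run: print the profile for account jdd and gallery piwigo.
apache_local_profile jdd piwigo
```

Two caveats the thread's exchange implies. First, this confines only apache: if the files arrived through vsftpd (the other suspect), a profile on apache changes nothing, which is why the log check comes first. Second, as Carlos says, the served data stays writable by design; the profile stops the attacker from reaching the rest of the system, not from planting pages inside `upload/`. The `owner` qualifier (`owner /path/** rw,`) tightens that further if the gallery only ever rewrites files it created itself as wwwrun.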
On 13/12/2016 at 19:56, Per Jessen wrote:
> rkhunter for instance.

It doesn't seem to find anything odd. I have this on the server (13.1) that is not on my station (42.1). I guess it's normal??

/dev/.sysconfig/network/config-tunl0: ASCII text
/dev/.sysconfig/network/config-sit0: ASCII text
/dev/.sysconfig/network/config-ip6tnl0: ASCII text
/dev/.sysconfig/network/config-dummy0: ASCII text
/dev/.sysconfig/network/config-bond0: ASCII text
(... some others)

thanks
jdd
jdd wrote:
> On 13/12/2016 at 19:56, Per Jessen wrote:
>> rkhunter for instance.
> It doesn't seem to find anything odd. I have this on the server (13.1) that is not on my station (42.1). I guess it's normal??
>
> /dev/.sysconfig/network/config-tunl0: ASCII text
> /dev/.sysconfig/network/config-sit0: ASCII text
> /dev/.sysconfig/network/config-ip6tnl0: ASCII text
> /dev/.sysconfig/network/config-dummy0: ASCII text
> /dev/.sysconfig/network/config-bond0: ASCII text
> (... some others)

Yep, I have those too.

--
Per Jessen, Zürich (1.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 14/12/2016 at 10:12, Per Jessen wrote:
> jdd wrote:
>> On 13/12/2016 at 19:56, Per Jessen wrote:
>>> rkhunter for instance.
>> It doesn't seem to find anything odd. I have this on the server (13.1) that is not on my station (42.1). I guess it's normal??
>>
>> /dev/.sysconfig/network/config-tunl0: ASCII text
>> /dev/.sysconfig/network/config-sit0: ASCII text
>> /dev/.sysconfig/network/config-ip6tnl0: ASCII text
>> /dev/.sysconfig/network/config-dummy0: ASCII text
>> /dev/.sysconfig/network/config-bond0: ASCII text
>> (... some others)
> Yep, I have those too.

good :-)

thanks
jdd
participants (3)
- Carlos E. R.
- jdd
- Per Jessen