Markus Gaugusch <markus@gaugusch.at> wrote:
On Dec 3, Dirk Schreiner <dirk.schreiner@tria.de> wrote:
Hi,
So what do we learn about this? Never do an automatic update; run YOU interactively. [...]
----<text snipped>---

Hi,

I agree with Markus, fou4s is a good tool, and I use it. But the problem here was deeper than automatic updates. In Olivier's original post he stated:

#
# Subject: [suse-security] suse 8.1 : ptrace exploit still working fine!?
# Date: Sat, 29 Nov 2003 6:48:23 PM EST
# From: "Olivier M." <qmail@orion.8304.ch>
# To: suse-security@suse.com
#
# A suse 8.1 based server has been cracked,
# and the "visitor" left all his tools,
# so I've been able to play with it as well.
#
# The server was kept "up to date", but look at that:
#
# om@box:~/tmp> uname -a
# Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
#
---<text snipped>---

That date is over a year ago. I am running 8.1, and the SuSE k_deflt kernel that I originally installed (i586) was built (per rpm -qpi) as follows:

Build Date: Fri 13 Sep 2002 07:27:51 AM PDT

I imagine the i686 kernel was built about the same time; in fact I would bet it was built: Fri Sep 13 13:14:56 UTC 2002 !!!!

So, based on the above, the machine was still running the original kernel as shipped with 8.1, and the machine had not been patched against the ptrace exploit.

* On Tue Dec 02 2003 - 15:42:38 CET (approx) Olivier M. wrote:
Something is still strange: the ptrace exploit appeared around March/April 2003, and the fixed (suse-) kernel for 8.1 only in August ?
He was wrong. SuSE issued a ptrace kernel fix for the k_deflt kernel last spring (2003). I installed it in my 8.0 box last May, and in my 8.1 box when I installed 8.1 in July, 2003. The machine that Olivier was saying was "up to date" had missed two kernel updates: one in spring and one in August. However, the August 5th kernel patch was to fix a possible denial of service attack (DoS) in the routing code as well as fix bad side effects of the initial ptrace security fix ...

http://www.suse.com/de/security/2003_034_kernel.html

So, going back to Dirk's question:

.. so what do we learn about this?

I say we again learn that a responsible sys admin would be subscribed to both this list [suse-security] and [suse-security-announcements] as well as running YOU and/or fou4s checks on a regular basis. But then we all knew that ;)

Friendly greetings,
Gar
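The check behind Gar's reasoning above (the build stamp in `uname -a` showing the running kernel was never replaced), written out as an added example that is not code from the thread: it parses the `uname -a` line quoted in Olivier's post and flags a running kernel built before a cutoff date. The cutoff value and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Flags a running kernel whose build stamp
# predates a known fix date: a machine can be "kept up to date" by package
# updates and still boot an old kernel, which is what Gar infers from the date.

# kernel_build_date LINE -> prints YYYYMMDD taken from the "#N <date>" stamp in a
# `uname -a` line; returns 1 if the line carries no parsable build stamp.
kernel_build_date() {
    set -- $1                       # split the line into whitespace-separated words
    while [ $# -gt 0 ]; do          # skip ahead to the "#N" build-number token
        case $1 in '#'*) shift; break ;; esac
        shift
    done
    [ $# -ge 6 ] || return 1        # need "Wkd Mon DD HH:MM:SS TZ YYYY" after "#N"
    mon=$2; day=$3; year=$6
    case $mon in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s%s%02d\n' "$year" "$m" "$day"
}

# kernel_predates_fix LINE YYYYMMDD -> succeeds when the kernel in LINE was built
# before the given cutoff; returns 2 when the line cannot be parsed.
kernel_predates_fix() {
    built=$(kernel_build_date "$1") || return 2
    [ "$built" -lt "$2" ]
}

# Constructed sample: the exact uname output quoted in Olivier's post.
SAMPLE_UNAME='Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown'
# Assumed cutoff for the demo (not a date taken from the thread): any kernel built
# before it is treated as lacking the spring 2003 ptrace fix.
PTRACE_FIX_CUTOFF=20030301

if kernel_predates_fix "$SAMPLE_UNAME" "$PTRACE_FIX_CUTOFF"; then
    echo "WARNING: running kernel built $(kernel_build_date "$SAMPLE_UNAME"), before cutoff $PTRACE_FIX_CUTOFF"
else
    echo "running kernel build stamp is at or after the cutoff"
fi
# On a live host: kernel_predates_fix "$(uname -a)" "$PTRACE_FIX_CUTOFF"
```

On a real box the stamp from the running kernel is only half the check; comparing it against the installed package's `rpm -q --qf '%{BUILDTIME}\n' <kernel package>` shows whether an update was installed but never booted.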