[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[cobalt-security] Bug-Travel
- Subject: [cobalt-security] Bug-Travel
- From: Greg Boehnlein <damin@xxxxxxxx>
- Date: Tue, 21 Jan 2003 01:31:35 -0500 (EST)
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hello,
If any of you have been attacked by the "Bug-Travel" exploit, this
information is for you. We had several servers that were crippled due to
this attack. Thank god for backups! :) In any case, here is what I have
been able to find out about the exploit:
1. It replaced all .html and .asp files with trojan html code. An example
can be seen at http://www.nacs.net/~jfenner/hack.html
2. It appears to use components of the "RaQFuCk.sh" script by core
http://www.securiteam.com/exploits/5MP0R0A80K.html, which attempts a
symlink attack using cron through the exploitation of an suid
/usr/lib/authenticate on the Cobalt Raq.
3. We have not been able to actually catch the code in action, but the
html references the following: irc.brasnet.org #BugTravel
4. The HTML also suggests sending E-mail to "admin@xxxxxxxxxxxxxxxxxxxx"
for help, which I did, kindly requesting that they inform me of how/what
was used to remote exploit the box. I received the following:
From: desenhobadboy@xxxxxxxxxxxxxx
To: "[iso-8859-1] Greg" <removed@xxxxxxxxxxx>
Subject: [iso-8859-1] Re: Bug-Travel
>Hello,
> One of our Raq units was hacked by Bug-Travel, and it suggested
>that we E-mail this address for help. So, here you go. I'm E-mailing you
>for help.
>Thanks
patch you OpenSSL
-- End of Message --
Analysis
--------
Near as I can tell, they were able to remotely exploit OpenSSL
and establish a remote shell, at which point RaQFuCk.sh was executed,
providing full open access to the system. I haven't been able to gain
access through any exploit code that I can find. The attack could have
come either through Apache or OpenSSH, but I have no direct proof, so this
is all conjecture.
Reaction
--------
I reacted by updating my Raq4 units to OpenSSL 0.9.7 and OpenSSH 3.4p1PM4
from http://pkgmaster.com. We have also restricted SSH access to our raqs
through /etc/hosts.allow|deny.
I have put RPMS for OpenSSL 0.9.7 on our FTP server at:
ftp://ftp.nacs.net/pub/software/cobalt_raq4
openssl-0.9.7-1.i386.rpm
openssl-0.9.7-1.src.rpm
openssl-devel-0.9.7-1.i386.rpm
openssl-doc-0.9.7-1.i386.rpm
OpenSSL 0.9.7 fixes 4 reported remote exploits. I have no idea if Cobalt's
security patches address this, as I just applied them in the order
required and didn't read much about what was being patched. After
installing the new OpenSSL RPMS, my previous versions of OpenSSH would not
work properly, so I updated to the 3.4pl1 from pkgmaster and all is fine.
Comments? Suggestions? This is a nasty bug. If anyone has more information
to provide on this thing, please do not hesitate to chip in. I may be way
off base here, but I've had the opportunity to look at 3 different boxes
that where compromised and I think I'm on the right track.
Greg
--
Vice President of N2Net, a New Age Consulting Service, Inc. Company
http://www.n2net.net Where everything clicks into place!
KP-216-121-ST