Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794

From: Frank (f.nijenhuisat_private)
Date: Mon Aug 18 2003 - 09:27:56 PDT


    In-Reply-To: <3F3E9312.7060500at_private>
    
    Looks like a confirmation.
    We've lost two Linux Realservers last week (7th and 9th
    of August), same rootkit.
    All other services were firewalled; the Real services,
    running as a normal user, were used to gain root access
    somehow. OS Debian Linux, up to date, 2.4.20grsec kernel.
    On both Helix servers the error logs mention
    restarts, and the access logs are empty...
    We usually don't have empty access logs...
    
    People running Helix, watch out for unexpected restarts!
    Real has been contacted.
    
    Frank
    
    
    
    
    >From: Juri Haberland <juriat_private>
    >Date: Sat, 16 Aug 2003 22:24:50 +0200
    >To: Mark Tinberg <mtinbergat_private>
    >Cc: incidentsat_private
    >Subject: Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794
    >
    >Mark Tinberg wrote:
    >> On Fri, 15 Aug 2003, Juri Haberland wrote:
    >> 
    >>> /sbin/init had nearly the same timestamp (Aug 12 23:17:29 2003) as the
    >>> following log entry from the Realserver's rmerror.log file:
    >>>
    >>> ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted
    >>> due to fatal error condition
    >> 
    >> From this it would seem most likely to be an exploit of the rmserver
    >> process.  Check to see if there is an unpatched SecurityFocus BID for
    >> RealServer, otherwise you were probably compromised with an
    >> as-yet-publicly-unknown exploit.  I'd try working with Real.com and see if
    >> they'll provide any help (well, here's to hoping 8^)
    >
    >I checked SecurityFocus before sending my initial mail. Let's see what
    >Real.com has to say.
    >
    >> If you can find a live copy of the exploit used on the system, for example
    >> if your system was used to attack others, that'd be very helpful.
    >
    >Unfortunately there was nothing else other than the rootkit.
    >
    >Cheers,
    >Juri
    >
    >
    
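One way to check a Helix/RealServer host for the pattern the thread describes (a fatal-error restart in rmerror.log close in time to a freshly modified /sbin/init, plus an empty access log), written as an added example that is not from any of the original posts. The sample log lines are constructed after the entry Juri quoted; the rmerror.log path, the list of binaries to stat and the ten-minute window are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample rmerror.log content, modelled on the entry quoted in the thread.
SAMPLE_RMERROR_LOG = """\
***12-Aug-03 23:10:03.117 rmserver(11402): Connection from 10.0.0.5 closed
***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted due to fatal error condition
***13-Aug-03 01:02:44.900 rmserver(11520): Log file rotated
"""

# Matches the rmserver restart line format: ***DD-Mon-YY HH:MM:SS.mmm rmserver(pid): ...
RESTART_RE = re.compile(
    r"^\*{3}(\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ rmserver\(\d+\): "
    r"Server automatically restarted"
)


def parse_restarts(log_text):
    """Return the timestamp of every 'Server automatically restarted' entry."""
    restarts = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            restarts.append(datetime.strptime(m.group(1), "%d-%b-%y %H:%M:%S"))
    return restarts


def suspicious_restarts(restarts, binary_mtimes, window=timedelta(minutes=10)):
    """Pair each restart with any system binary modified within `window` of it.

    `binary_mtimes` maps a path to its modification time; a rootkit that replaced
    /sbin/init right after crashing rmserver shows up as such a pair."""
    hits = []
    for when in restarts:
        for path, mtime in binary_mtimes.items():
            if abs(mtime - when) <= window:
                hits.append((when, path, mtime))
    return hits


def stat_mtimes(paths):
    """Collect mtimes for the binaries that exist on this host (assumed list)."""
    return {p: datetime.fromtimestamp(os.stat(p).st_mtime) for p in paths if os.path.exists(p)}


def access_log_empty(path):
    """Frank's second indicator: an access log that is missing or zero bytes."""
    return not os.path.exists(path) or os.path.getsize(path) == 0
```

On a live host, feed `parse_restarts` the real rmerror.log and `stat_mtimes(["/sbin/init", "/bin/ls", "/bin/ps"])` (paths assumed); any hit is worth a closer look alongside the access log check.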
    



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 11:50:50 PDT