In-Reply-To: <20030818162756.24005.qmailat_private>

Hi All,

Can anyone confirm whether this exploit would work on a FreeBSD Helix server? We have been having unexplained spontaneous restarts for a while now, but as of August 17th they've been accompanied by the behavior of not writing the access log after the restart. We're running 9.0.2.794 on FreeBSD 4.8. We haven't found any obvious rootkit signs, but we're still looking into it. If anyone knows about any other symptomatic behavior related to this problem, I'd love to hear about it.

>From: Frank <f.nijenhuisat_private>
>To: incidentsat_private
>Subject: Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794
>
>In-Reply-To: <3F3E9312.7060500at_private>
>
>Looks like a confirm.
>We've lost two Linux Realservers last week (7th and 9th of August), same rootkit.
>All other services were firewalled; the Real services running as a normal user were used to gain root access somehow. OS Debian Linux, up-to-date, 2.4.20grsec kernel.
>On both Helix servers the error logs mention restarts... and the access logs are empty...
>We usually don't have empty access logs...
>
>People running Helix, watch out for unexpected restarts!
>Real has been contacted.
>
>Frank
>
>
>>Date: Sat, 16 Aug 2003 22:24:50 +0200
>>From: Juri Haberland <juriat_private>
>>To: Mark Tinberg <mtinbergat_private>
>>Cc: incidentsat_private
>>Subject: Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794
>>Message-ID: <3F3E9312.7060500at_private>
>>References: <3F3CD032.8060601at_private> <Pine.LNX.4.55.0308152356040.9706at_private om>
>>In-Reply-To: <Pine.LNX.4.55.0308152356040.9706at_private om>
>>
>>Mark Tinberg wrote:
>>> On Fri, 15 Aug 2003, Juri Haberland wrote:
>>>
>>>> /sbin/init had nearly the same timestamp (Aug 12 23:17:29 2003) as the
>>>> following log entry from the Realserver's rmerror.log file:
>>>>
>>>> ***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted
>>>> due to fatal error condition
>>>
>>> From this it would seem most likely to be an exploit of the rmserver
>>> process. Check to see if there is an unpatched SecurityFocus BID for
>>> RealServer; otherwise you were probably compromised with an
>>> as-yet-publicly-unknown exploit. I'd try working with Real.com and see if
>>> they'll provide any help (well, here's to hoping 8^)
>>
>>I checked SecurityFocus before sending my initial mail. Let's see what
>>Real.com has to say.
>>
>>> If you can find a live copy of the exploit used on the system, for example
>>> if your system was used to attack others, that'd be very helpful.
>>
>>Unfortunately there was nothing else other than the rootkit.
>>
>>Cheers,
>>Juri
>>
>>---------------------------------------------------------------------------
>>Captus Networks - Integrated Intrusion Prevention and Traffic Shaping
>> - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
>> - Automatically Control P2P, IM and Spam Traffic
>> - Ensure Reliable Performance of Mission Critical Applications
>> - Precisely Define and Implement Network Security and Performance Policies
>>**FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
>>Visit us at:
>>http://www.securityfocus.com/sponsor/CaptusNetworks_incidents_030814
>>---------------------------------------------------------------------------
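The three indicators this thread converges on (a forced rmserver restart recorded in rmerror.log, /sbin/init rewritten seconds before it, and an access log that stays empty afterwards) are easy to correlate mechanically across a fleet of Helix hosts. The script below is an added example for this archive page, not code from any of the posters or from RealNetworks. The rmerror.log entry and the /sbin/init timestamp are copied from Juri Haberland's quoted report; the other log lines, the common-log-style access-log layout, the second modified binary and the five-minute window are constructed assumptions for the example.

```python
"""Triage helper for the Helix/RealServer restart reports in this thread.

Added example, not code from the original posts or from RealNetworks. It
correlates three indicators the thread describes: an rmserver "automatically
restarted due to fatal error condition" entry in rmerror.log, system binaries
(the reported case was /sbin/init) modified within seconds of that restart,
and an access log that records nothing after the restart.
"""
import re
from datetime import datetime, timedelta

# Constructed rmerror.log excerpt. The second line reproduces the entry Juri
# Haberland quoted; the other two are filler in the same layout.
RMERROR_LOG = """\
***12-Aug-03 22:40:03.004 rmserver(11402): (constructed) routine log entry
***12-Aug-03 23:18:12.471 rmserver(11402): Server automatically restarted due to fatal error condition
***13-Aug-03 03:00:00.002 rmserver(11410): (constructed) routine log entry
"""

# Constructed mtimes, as a responder might collect with `stat` or
# `find / -newer <reference file>`. The /sbin/init value is the one from the thread.
OBSERVED_MTIMES = {
    "/sbin/init": datetime(2003, 8, 12, 23, 17, 29),
    "/bin/ls": datetime(2003, 8, 12, 23, 17, 31),     # hypothetical second trojaned binary
    "/etc/passwd": datetime(2003, 6, 1, 9, 0, 0),     # untouched, outside the window
}

# Constructed access log in a common-log-style layout (an assumption, not the
# real Helix format). Every entry predates the restart: nothing was logged after it.
ACCESS_LOG = """\
192.0.2.10 - - [12/Aug/2003:22:59:40 +0200] "GET /clip.rm" 200 4096
192.0.2.11 - - [12/Aug/2003:23:10:05 +0200] "GET /live.rm" 200 8192
"""

RESTART_RE = re.compile(
    r"^\*{3}(?P<ts>\d{2}-[A-Za-z]{3}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"rmserver\((?P<pid>\d+)\): Server automatically restarted"
)
ACCESS_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2}) ")


def parse_restarts(log_text):
    """Return [(timestamp, pid)] for every forced-restart entry in rmerror.log."""
    restarts = []
    for line in log_text.splitlines():
        m = RESTART_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%y %H:%M:%S.%f")
            restarts.append((ts, int(m.group("pid"))))
    return restarts


def files_touched_near(restarts, mtimes, window=timedelta(minutes=5)):
    """Return [(path, seconds_before_restart)] for files modified within `window`
    of a forced restart. A negative value means the file changed after the restart."""
    hits = []
    for ts, _pid in restarts:
        for path, mtime in sorted(mtimes.items()):
            if abs(ts - mtime) <= window:
                hits.append((path, (ts - mtime).total_seconds()))
    return hits


def restarts_with_silent_access_log(restarts, access_text):
    """Return restart timestamps that no access-log entry follows: the
    'empty access log after the restart' symptom both Frank and the poster report."""
    stamps = []
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S"))
    return [ts for ts, _pid in restarts if not any(s > ts for s in stamps)]


def triage(rmerror_text, mtimes, access_text):
    """Combine the three checks into one report dict."""
    restarts = parse_restarts(rmerror_text)
    return {
        "restarts": restarts,
        "files_near_restart": files_touched_near(restarts, mtimes),
        "silent_after": restarts_with_silent_access_log(restarts, access_text),
    }


if __name__ == "__main__":
    report = triage(RMERROR_LOG, OBSERVED_MTIMES, ACCESS_LOG)
    for ts, pid in report["restarts"]:
        print(f"forced restart of rmserver pid {pid} at {ts}")
    for path, secs in report["files_near_restart"]:
        print(f"  {path} modified {secs:.1f}s before the restart")
    for ts in report["silent_after"]:
        print(f"  no access-log entries after {ts}")
```

Feed it a host's real rmerror.log, the mtimes from `find / -newer` or `stat`, and its access log; a restart that coincides with a changed system binary and is followed by a silent access log is the pattern the thread describes. Treat the mtime check as a pivot for building a timeline rather than as proof: rootkits routinely reset mtimes (for example with `touch -r`), so inode change times and off-host evidence such as netflow or a remote syslog copy are the more trustworthy anchors.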
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 21:33:56 PDT