Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794

From: Alexander Reelsen (refat_private)
Date: Wed Aug 20 2003 - 04:46:27 PDT


    Hello
    
    On Tue, Aug 19, 2003 at 07:55:02PM -0000, Brian Benitez wrote:
    > can anyone confirm if this exploit would work on a FreeBSD Helix 
    > server? We have been having unexplained spontaneous restarts 
    > for a while now, but as of August 17th they've been accompanied 
    > by the behavior of not writing the access log after the restart.
    I cannot confirm this. The only systems being exploited I have seen so far
    were RedHat and Debian GNU/Linux systems on x86. Furthermore the suckit
    rootkit, a rootkit modifying /dev/kmem instead of using modules to change
    system calls, was installed. This also won't work on freebsd I guess.
    
    In addition, the exploit for the helix server (on one system there were
    no other services which were not blocked by the firewall, internal hacking
    can be ruled out, so it somehow has to be the helix stuff at least to get
    partly in) was not found.
    Both systems were used for further hacking (which was caught by the IDS as
    outgoing traffic was detected).
    
    > We haven't found any obvious rootkit signs, but we're still looking 
    > into it. If anyone knows about any other symptomatic behavior 
    > related to this problem, I'd love to hear about it.
    Reading this thread it seems to be the unintended restart of the helix
    server...
    
    
    MfG/Regards, Alexander
    
    -- 
    Alexander Reelsen   http://tretmine.org
    refat_private
    
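The symptom Brian describes (the server restarts and afterwards stops writing its access log) is something a monitoring job can check for directly. The script below is an added example, not code from the original post or from RealNetworks: it records each restart by touching a marker file, then reports whether the access log has been written since that marker. All paths are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: detect an access log that has gone quiet since the last
# service restart. The restart marker is a file whose mtime records when the
# service was (re)started; a startup wrapper or cron job would "touch" it.
# Paths below are hypothetical placeholders, not real Helix locations.

# log_written_since_restart LOGFILE MARKER
# Exit status 0 if LOGFILE exists and is newer than MARKER, 1 otherwise.
# Uses find -newer, which is POSIX and avoids stat's GNU/BSD differences.
log_written_since_restart() {
    log="$1"
    marker="$2"
    [ -f "$log" ] || return 1
    [ -f "$marker" ] || return 1
    if [ -n "$(find "$log" -prune -newer "$marker" 2>/dev/null)" ]; then
        return 0
    fi
    return 1
}

# report_quiet_logs MARKER LOGFILE...
# Prints one line per log that has not been written since MARKER and
# returns the number of quiet logs (0 means everything looks normal).
report_quiet_logs() {
    marker="$1"
    shift
    quiet=0
    for log in "$@"; do
        if ! log_written_since_restart "$log" "$marker"; then
            echo "WARNING: $log not written since restart marker $marker"
            quiet=$((quiet + 1))
        fi
    done
    return $quiet
}

# Stand-alone usage with constructed sample files (hypothetical paths):
#   touch /var/run/helix.restart                 # from the startup wrapper
#   report_quiet_logs /var/run/helix.restart /var/log/helix/rmaccess.log
```

Run the marker touch from whatever wrapper starts the server, then schedule `report_quiet_logs` a few minutes later; a log that stays older than the marker while the process is up is the exact condition reported in the thread.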
    



    This archive was generated by hypermail 2b30 : Wed Aug 20 2003 - 16:56:14 PDT