Security Incidents mailing list archives

Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition


From: Graeme Fowler <G.E.Fowler () lboro ac uk>
Date: Wed, 30 Jan 2008 17:50:27 +0000

On Wed, 2008-01-30 at 08:22 +0800, Eduardo Tongson wrote:
> Yeah, completely forgot about those ran as root and setuid programs.
> Been a while since I have seen those. Also forgot about the usual
> admin errors. But it is ridiculous to say "all bets are off" when a
> user gets a shell. That's got a lot to say about the admin in charge.

Yep, that's right, it does. I've seen way too many colo'd servers out
there running a portmapper service, for example.

However, there is rather more to it than inexperience - what about
customers of hosting companies who keep their hosting infrastructure
several OS revisions "behind the times" because upgrading them makes
their customers leave? There are many of them, too many to list here (no
offence intended to anyone).

If you have a customer on your system, you have a contract with them and
you can exert legal power over them if they misbehave (as long as you
can detect that misbehaviour). What you can't do, however, is exert the
same level of control over a J.Random-Kiddie who exploits a hole in a
vulnerable web app (choose one from, oh, thousands) that a customer of
yours has uploaded to fulfil one specific requirement and then left the
app in place. Can anyone say "formmail.pl"? I know that's a trivial
example, but it's *still* being installed in vulnerable versions and
*still* being exploited. That's been fixed for, oh, something like 8
years now, and that's just one example.

Once that kiddie has access to a shell - whether fully interactive,
bound to a port, or via a webserver, you better be a *really* good admin
to (a) spot the fact that they are there amongst the noise, and (b)
prevent them doing something simple like `cat /etc/passwd` and then
brute-forcing your user accounts. Then there's always:

find / -type f -perm -4000 2>/dev/null

My money, for most of these exploits, is on some web app being exploited
to gain a shell of some sort, then either simple passwords being guessed
or a setuid script derived from some hosting control panel being abused
to get root. So far, most of the systems I've seen described as being
affected have been running some form of control panel; the majority of
which are a setuid-addict's heaven by definition.

I still say - if you have someone on your system and you don't know that
they are there, all bets are off.

Graeme

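An added example, not code from this thread or from any hosting control panel, for the setuid point Graeme makes above: a small POSIX shell audit that lists setuid files the way his `find` does, compares them against an admin-maintained baseline of expected setuid binaries, and separately flags setuid interpreted scripts (Linux ignores the setuid bit on `#!` scripts, so such a file is always a misconfiguration, typically something a control-panel install or a customer left behind). The baseline file, the directory layout and the fixture files are constructed for the demo; on a real host you would keep the baseline under version control and run the audit from cron.

```shell
#!/bin/sh
# Setuid audit (added example). Functions only; run with two arguments to audit:
#   sh setuid_audit.sh / /etc/setuid-baseline.txt

# List setuid regular files under the given root, one absolute path per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# True if the file begins with "#!", i.e. it is an interpreted script.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# Print one line per setuid file that is not in the baseline:
#   SETUID_SCRIPT<TAB>path      setuid bit on a script: never legitimate on Linux
#   NOT_IN_BASELINE<TAB>path    setuid binary the admin did not expect
# Files listed (one full path per line) in the baseline are silently accepted.
audit_setuid() {
    audit_root=$1
    baseline=$2
    list_setuid "$audit_root" | while IFS= read -r f; do
        if grep -qxF "$f" "$baseline"; then
            continue            # known-good: in the baseline
        fi
        if is_script "$f"; then
            printf 'SETUID_SCRIPT\t%s\n' "$f"
        else
            printf 'NOT_IN_BASELINE\t%s\n' "$f"
        fi
    done
}

# Constructed fixture (not a real system): a fake root with three setuid files,
# only one of which is in the baseline, plus one ordinary CGI script.
# Prints the fixture root so the caller can audit and then remove it.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/bin" "$fx/home/cust/bin" "$fx/home/cust/cgi-bin"
    printf 'fake-ELF\n' > "$fx/usr/bin/passwd"                    # expected setuid binary
    printf 'fake-ELF\n' > "$fx/home/cust/bin/cpwrap"               # unknown setuid wrapper
    printf '#!/bin/sh\nid\n' > "$fx/home/cust/cgi-bin/admin.sh"   # setuid script
    printf '#!/bin/sh\necho ok\n' > "$fx/home/cust/cgi-bin/form.pl" # not setuid
    chmod 4755 "$fx/usr/bin/passwd" "$fx/home/cust/bin/cpwrap" "$fx/home/cust/cgi-bin/admin.sh"
    chmod 755 "$fx/home/cust/cgi-bin/form.pl"
    printf '%s\n' "$fx/usr/bin/passwd" > "$fx/baseline.txt"
    printf '%s\n' "$fx"
}

# Stand-alone use: audit the given root against the given baseline.
if [ "$#" -eq 2 ]; then
    audit_setuid "$1" "$2"
fi
```

The report is deliberately line-oriented so it can be diffed against yesterday's run or fed to a log shipper; a new `NOT_IN_BASELINE` line after a control-panel upgrade is exactly the kind of change the post says an admin needs to notice before someone else does.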