Security Incidents mailing list archives
Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition
From: Graeme Fowler <G.E.Fowler () lboro ac uk>
Date: Wed, 30 Jan 2008 17:50:27 +0000
On Wed, 2008-01-30 at 08:22 +0800, Eduardo Tongson wrote:
> Yeah, completely forgot about those ran as root and setuid programs. Been a while since I have seen those. Also forgot about the usual admin errors. But it is ridiculous to say "all bets are off" when a user gets a shell. That's got a lot to say about the admin in charge.
Yep, that's right, it does. I've seen way too many colo'd servers out there running a portmapper service, for example.

However there is rather more to it than inexperience - what about customers of hosting companies who keep their hosting infrastructure several OS revisions "behind the times" because upgrading them makes their customers leave? There are many of them, too many to list here (no offence intended to anyone).

If you have a customer on your system, you have a contract with them and you can exert legal power over them if they misbehave (as long as you can detect that misbehaviour). What you can't do, however, is exert the same level of control over a J.Random-Kiddie who exploits a hole in a vulnerable web app (choose one from, oh, thousands) that a customer of yours has uploaded to fulfil one specific requirement and then left the app in place.

Can anyone say "formmail.pl"? I know that's a trivial example, but it's *still* being installed in vulnerable versions and *still* being exploited. That's been fixed for, oh, something like 8 years now, and that's just one example.

Once that kiddie has access to a shell - whether fully interactive, bound to a port, or via a webserver, you better be a *really* good admin to (a) spot the fact that they are there amongst the noise, and (b) prevent them doing something simple like `cat /etc/passwd` and then brute-forcing your user accounts. Then there's always:

    find / -perm -4000

My money, for most of these exploits, is on some web app being exploited to gain a shell of some sort, then either simple passwords being guessed or a setuid script derived from some hosting control panel being abused to get root.

So far, most of the systems I've seen described as being affected have been running some form of control panel; the majority of which are a setuid-addict's heaven by definition.

I still say - if you have someone on your system and you don't know that they are there, all bets are off.

Graeme
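
The following is an added example, not part of the message above: POSIX shell functions that keep a baseline of setuid/setgid files and report ones that are new or writable by group or others, which is the drift an admin would need to notice on a host full of control-panel helpers. The function names and the baseline file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): track setuid/setgid drift.
# Function names and the baseline-file layout are assumptions.

# List every setuid or setgid regular file under directory $1, sorted.
# -xdev stays on one filesystem; "-perm -4000" means "at least the setuid
# bit", whereas "-perm 4000" would match only files whose mode is exactly 4000.
suid_inventory() {
    LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -print 2>/dev/null | LC_ALL=C sort
}

# Paths present in the current inventory file ($2) but not in the baseline ($1).
suid_new() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Paths present in the baseline file ($1) but no longer found ($2).
suid_removed() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Setuid/setgid files under $1 that group or others can write to: whoever
# holds that write access can replace the privileged program's contents.
suid_writable() {
    LC_ALL=C find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | LC_ALL=C sort
}

# Compare directory $1 with baseline file $2.
# Returns 0 when clean, 1 on any finding, 2 if no temp file could be made.
suid_check() {
    cur=$(mktemp) || return 2
    suid_inventory "$1" > "$cur"
    new=$(suid_new "$2" "$cur")
    bad=$(suid_writable "$1")
    rm -f "$cur"
    [ -n "$new" ] && printf '%s\n' "$new" | sed 's|^|NEW setuid/setgid: |'
    [ -n "$bad" ] && printf '%s\n' "$bad" | sed 's|^|WRITABLE setuid/setgid: |'
    [ -z "$new" ] && [ -z "$bad" ]
}
```

Create the baseline once on a known-good system with `suid_inventory / > baseline.txt`, store it where the web server user cannot write, and run `suid_check / baseline.txt` from cron.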