For those interested in reviewing this attack, I have the entire previous
hard disk available and can mount it under the public ftp area if anyone
is curious as to how these folks did this. They exploited BIND 8.2.3
to get in and logs indicated that someone was using a "back door" in
Novell's NetWare proxy caches to perform the attack (since several
different servers were used as "blinds" to get in).
We are unable to determine just how they got in exactly, but they
kept trying and created an oops in the affected code which allowed
the attack to proceed.
Jeff