Berkeley CSUA MOTD:2006:July:30 Sunday <Monday>
Berkeley CSUA MOTD
2006/7/30-8/2 [Transportation/Airplane] UID:43837 Activity:nil
7/28    MiniJets are coming!
        \_ Time for a nice tourist trip to central Asia, skipping customs
           on the way back...
        \_ 10000lb, not much heavier than a Chevy Suburban.
2006/7/30-8/2 [Computer/SW/Security, Computer/SW/Languages/Web] UID:43838 Activity:low
7/28    Anyone have more info on the break-ins on a bunch of Cal sites?   -John
        \_ Yes.
           (The defacements were mostly one multi-homed server).  -tom
           \_ Most kernel problems require local access to exploit,
              so, if not a user account then some other insecure service
              that can be used as a starting point.  Is this the case here?
              Do you mind telling us the details? -crebbs
              \_ The machine is a web hosting server for L&S departments,
                 where departments can install their own PHP code.  There
                 was a security hole in user-installed PHP code that got
                 the hackers shell access, and they used a 0-day RedHat
                 kernel priv escalation bug (SYS_PRCTL) to get root.
                 It is worth noting that the bad PHP code was hand-written,
                 not some package like phpBB with security holes which you can
                 search the net for; the initial compromise seemed to have
                 a higher degree of sophistication than is usually found
                 in script kiddies.  -tom
                 \_ I doubt the hackers found the PHP hole the same day the
                    Redhat bug came out.  I'd bet a buck they had non-root
                    shell access on the machine for a long time.  I also
                    suspect they had root for a while too.  Or there was more
                    than 1 set of hackers.  Why would sophisticated hackers
                    waste a quality attack on a web page defacement?  I'd bet
                    another buck they still have access to that and several
                    other machines.
                    \_ I can pretty closely track their root access; they
                       did have it for over a week before it was discovered.
                       I am pretty certain that they no longer have root
                       access.  I agree that there are likely remaining
                       apache-level holes on the machine; it's an
                       occupational hazard of an open PHP hosting environment.
                       When is PHP going to implement taint mode, anyway?
                       \_ The only way to be absolutely sure is to rebuild the
                          box.  You could do a bit by bit comparison from a CD
                          on all the binaries but yech.
                          \_ Yes, I've read "Reflections on Trusting Trust."
                          \_ Yes, I've read "Reflections on the Revolution in
                             France" -tom
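The "bit by bit comparison from a CD on all the binaries" idea above, as an added example that is not part of the original MOTD thread: a Python script (function names and the sample trees are constructed for illustration) that hashes a trusted baseline tree and the live tree and reports which files were modified, removed, or dropped in.

```python
# Added example (not from the MOTD thread): compare a live tree against a
# trusted baseline, the "bit by bit comparison from a CD" idea from above.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_trees(trusted: Path, live: Path) -> dict:
    """Report files that differ from, are missing from, or were added to the baseline."""
    base, cur = manifest(trusted), manifest(live)
    return {
        "modified": sorted(f for f in base if f in cur and base[f] != cur[f]),
        "missing": sorted(f for f in base if f not in cur),
        "added": sorted(f for f in cur if f not in base),
    }


def demo() -> dict:
    """Constructed sample: a baseline 'CD' tree and a live tree with one
    replaced binary, one deleted tool and one dropped-in extra file."""
    tmp = Path(tempfile.mkdtemp())
    cd, live = tmp / "cd", tmp / "live"
    for root in (cd, live):
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
    (cd / "bin" / "netstat").write_bytes(b"\x7fELF original netstat")
    (live / "bin" / "ps").write_bytes(b"\x7fELF replaced ps")   # differs from CD
    (live / "bin" / ".hidden").write_bytes(b"dropped-in extra file")
    return compare_trees(cd, live)


if __name__ == "__main__":
    print(demo())
```

Run it from a boot CD or another known-good host rather than on the suspect box itself: once root is lost, the kernel, libc and filesystem view on that machine can all misreport, which is why the thread's "rebuild the box" answer is the only certain one.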