2006/7/30-8/2 [Computer/SW/Languages/Web, Computer/SW/Security] UID:43838 Activity:low
7/28 Anyone have more info on the breakins on a bunch of Cal sites?
     http://www.csua.org/u/gkg -John
     \_ Yes. http://ls.berkeley.edu/lscr/news/2006-07-25-security-incident
        (The defacements were mostly one multi-homed server). -tom
        \_ Most kernel problems require local access to exploit. So, if
           not a user account then some other insecure service that can
           be used as a starting point. Is this the case here? Do you
           mind telling us the details? -crebbs
           \_ The machine is a web hosting server for L&S departments,
              where departments can install their own PHP code. There was
              a security hole in user-installed PHP code that got the
              hackers shell access, and they used a 0-day RedHat kernel
              priv escalation bug (SYS_PRCTL) to get root. It is worth
              noting that the bad PHP code was hand-written, not some
              package like phpBB with security holes which you can search
              the net for; the initial compromise seemed to have a higher
              degree of sophistication than is usually found in script
              kiddies. -tom
              \_ I doubt the hackers found the PHP hole the same day the
                 Redhat bug came out. I'd bet a buck they had non-root
                 shell access on the machine for a long time. I also
                 suspect they had root for a while too. Or there was
                 more than 1 set of hackers. Why would sophisticated
                 hackers waste a quality attack on a web page
                 defacement? I'd bet another buck they still have
                 access to that and several other machines.
                 \_ I can pretty closely track their root access; they
                    did have it for over a week before it was
                    discovered. I am pretty certain that they no longer
                    have root access. I agree that there are likely
                    remaining apache-level holes on the machine; it's
                    an occupational hazard of an open PHP hosting
                    environment. When is PHP going to implement taint
                    mode, anyway? -tom
                    \_ The only way to be absolutely sure is to rebuild
                       the box. You could do a bit by bit comparison
                       from a CD on all the binaries but yech.
                       \_ Yes, I've read "Reflections on Trusting Trust."
                          \_ Yes, I've read "Reflections on the
                             Revolution in France" -tom
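The "bit by bit comparison from a CD on all the binaries" suggested in the thread is a baseline-and-compare integrity check. The script below is an added example, not code from the motd thread or from the L&S server; it builds a snapshot of every regular file under a tree (SHA-256 plus permission bits), diffs two snapshots, and in demo() tampers with a constructed sample tree to show which changes get reported. The file names and contents in demo() are constructed stand-ins, not anything from the incident. As the thread's "Trusting Trust" reply implies, the baseline must come from a known-good install and the comparison must be run from trusted media, since a compromised host's own tools cannot be trusted to report honestly.

```python
# Added example: baseline-and-compare file integrity check.
# Not from the motd thread or any site it links; sample data is constructed.
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative path) to (sha256, permission bits).

    Permission bits are included so a setuid or world-writable change is
    reported even when the file's contents are unchanged.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (hash_file(full), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Diff two snapshots; returns sorted lists of modified, added and removed paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Build a constructed sample tree, baseline it, tamper with it, and diff the two."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        sample = {  # constructed stand-ins for system binaries
            "bin/ls": b"original ls binary\n",
            "bin/ps": b"original ps binary\n",
            "bin/old": b"to be removed\n",
        }
        for rel, data in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o755)
        baseline = snapshot(root)

        # Four kinds of change the check should catch:
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced ls binary\n")          # contents replaced
        os.chmod(os.path.join(root, "bin/ps"), 0o777)  # permissions loosened
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"not in baseline\n")              # file added
        os.remove(os.path.join(root, "bin/old"))       # file removed
        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice snapshot() is run once against the freshly installed system and the result stored off-box; after an incident the same tree is snapshotted again from rescue media and passed to compare(). Anything in "modified" or "added" under a binary directory is the first thing to look at.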
www.csua.org/u/gkg -> www.zone-h.org/index.php?option=com_content&task=view&id=13932&Itemid=30&msgid=710

Written by Marcelo Dos Santos de Almeida, Friday, 28 July 2006

The war in Lebanon is now showing its consequences in the digital world, and a huge number of websites have been attacked and defaced as a protest against the invasion of Lebanon by Israel. Byond Hackers Crew, through an SQL injection leak, entered the system and subtracted user names, passwords and e-mails from the NASA web server. After this information had been stolen, they managed to enter the administrative area by using an administrator user ID and password, and finally they made the defacement, replacing the homepage with their message...

This group goes with the others that in the last days carried out attacks against governmental and commercial websites from both America and Israel, whereas other blackhat groups attacked Israeli websites, provoking a denial of service (DDoS) of that particular webpage. The messages conveyed by all these defacements focus on the idea that, according to the attackers, the search for terrorists is just a pretext for the war in the south of Lebanon, which actually killed a lot of innocent people. The list of the websites that have been defaced this week follows, including NASA, Berkeley University, Microsoft and US Government web pages.

Comment "that the way", written by Guest on 2006-07-28 20:00:36: Power to the People. This is the ummah power and this is the cyber rage, as usual. They kill people, we kill servers. Viva freedom..
ls.berkeley.edu/lscr/news/2006-07-25-security-incident

by Tom Holub

Many of you may have noticed that your web site was down for most of the afternoon of Tuesday, 7/25. A few of you also noticed that your home page had been defaced. This is apparently the result of a concerted effort by a particular group of hackers to deface web sites around the world; we're seeing evidence of various sites in Israel, India, Chile, and the Red Cross, defaced with the same message.

We had been monitoring hacker activity over the past few days, but had not been able to confirm a compromise until today. Fortunately, because of our precautions we discovered the problem within a few minutes, and immediately shut down the web server (at about 2:00 PM today). We were able to restore all of these from last night's backups; any changes you made to index files on Tuesday during the day may have been lost.

In addition to altering files, the intruders captured the passwords of a number of our users. We have temporarily disabled the accounts of anyone whose account was compromised. Also, if there are any other accounts where you use the same password, you should change your password on those systems as well.

After forensic examination, we were able to identify the security problem, which was related to a hole in the Linux kernel; we had installed the patch previously, but we had not rebooted the machine, so we were still vulnerable. We've located the script the hackers used to gain access to the machine, and have verified that our machine is no longer vulnerable to this exploit. However, it appears that this attack is part of a larger pattern; there are other machines on campus displaying similar problems, and we may be subject to additional attacks on our web server now that it is clean.

I assure you that we will take every possible precaution to keep your sites and your data secure. We will continue monitoring for security problems, but we do not at this time anticipate further downtime or problems for your web sites.
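The notice's root cause, a kernel patch installed but never booted, is a state a script can flag. The following is an added example, not code from the L&S notice or the CSUA thread: it compares the running kernel release against the kernel releases installed under /boot and reports when a newer one is waiting for a reboot. Version segments are compared the way rpm does (numeric segments compare as integers and rank above alphabetic ones), which is an assumption about the distribution's version scheme; the release strings in demo() are constructed samples, not the versions involved in the incident.

```python
# Added example: detect "kernel patch installed, machine not yet rebooted".
# Not from the L&S notice; version strings in demo() are constructed samples.
import glob
import os
import platform
import re


def version_key(v):
    """Turn a kernel release string such as '2.6.9-42.0.2.EL' into a sortable key.

    Segments are split on '.' and '-'. Each becomes a uniform tuple so mixed
    segments never raise on comparison: numeric segments are (1, int, "") and
    alphabetic ones (0, 0, text), so numbers outrank letters and '42.0.2.EL'
    sorts after '42.EL', matching rpm's version comparison rule (assumption).
    """
    key = []
    for seg in re.split(r"[.\-]", v):
        if seg.isdigit():
            key.append((1, int(seg), ""))
        else:
            key.append((0, 0, seg))
    return tuple(key)


def newest(installed):
    """Highest kernel release in the list according to version_key."""
    return max(installed, key=version_key)


def needs_reboot(running, installed):
    """True when an installed kernel is newer than the running one: the fix is on disk but not live."""
    if not installed:
        return False
    return version_key(newest(installed)) > version_key(running)


def installed_kernels(boot_dir="/boot"):
    """Installed kernel releases inferred from /boot/vmlinuz-<release> file names."""
    prefix = "vmlinuz-"
    return [os.path.basename(p)[len(prefix):]
            for p in glob.glob(os.path.join(boot_dir, prefix + "*"))]


def demo():
    """Constructed sample: the fixed kernel is installed but the old one is still running."""
    running = "2.6.9-34.EL"                  # constructed
    installed = ["2.6.9-34.EL", "2.6.9-42.EL"]  # constructed
    return needs_reboot(running, installed)


if __name__ == "__main__":
    running = platform.release()
    kernels = installed_kernels()
    print("running kernel :", running)
    print("installed      :", kernels)
    print("reboot needed  :", needs_reboot(running, kernels))
```

Run as a cron job this turns the silent gap between "patch applied" and "patch effective" into an alert. The check only sees what uname and /boot report, so it belongs alongside package-manager checks such as rpm -q kernel rather than replacing them.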