Incidents
Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition Jan 30 2008 05:50PM
Graeme Fowler (G E Fowler lboro ac uk)
On Wed, 2008-01-30 at 08:22 +0800, Eduardo Tongson wrote:
> Yeah, completely forgot about those ran as root and setuid programs.
> Been a while since I have seen those. Also forgot about the usual
> admin errors. But it is ridiculous to say "all bets are off" when a
> user gets a shell. That's got a lot to say about the admin in charge.

Yep, that's right, it does. I've seen way too many colo'd servers out
there running a portmapper service, for example.

However there is rather more to it than inexperience - what about
customers of hosting companies who keep their hosting infrastructure
several OS revisions "behind the times" because upgrading them makes
their customers leave? There are many of them, too many to list here (no
offence intended to anyone).

If you have a customer on your system, you have a contract with them and
you can exert legal power over them if they misbehave (as long as you
can detect that misbehaviour). What you can't do, however, is exert the
same level of control over a J.Random-Kiddie who exploits a hole in a
vulnerable web app (choose one from, oh, thousands) that a customer of
yours has uploaded to fulfil one specific requirement and then left the
app in place. Can anyone say "formmail.pl"? I know that's a trivial
example, but it's *still* being installed in vulnerable versions and
*still* being exploited. That's been fixed for, oh, something like 8
years now, and that's just one example.

Once that kiddie has access to a shell - whether fully interactive,
bound to a port, or via a webserver, you better be a *really* good admin
to (a) spot the fact that they are there amongst the noise, and (b)
prevent them doing something simple like `cat /etc/passwd` and then
brute-forcing your user accounts. Then there's always:

find / -perm -4000

My money, for most of these exploits, is on some web app being exploited
to gain a shell of some sort, then either simple passwords being guessed
or a setuid script derived from some hosting control panel being abused
to get root. So far, most of the systems I've seen described as being
affected have been running some form of control panel; the majority of
which are a setuid-addict's heaven by definition.

I still say - if you have someone on your system and you don't know that
they are there, all bets are off.

Graeme
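
Added example, not part of the original message: the setuid search mentioned above, turned into a baseline check an admin can run to spot new or changed setuid/setgid files amongst the noise. The function names and the baseline file are assumptions made for this sketch, and it assumes GNU stat (for `stat -c`).

```shell
#!/bin/sh
# Setuid/setgid inventory with a baseline diff (added example).
# Function names and the baseline file format are hypothetical.

# list_suid ROOT
# Print "MODE OWNER PATH" for every regular file under ROOT that has the
# setuid or setgid bit set, sorted so the output can be fed to comm(1).
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %n' {} + 2>/dev/null | LC_ALL=C sort
}

# new_suid ROOT BASELINE
# Print entries present now but absent from BASELINE (a saved list_suid
# output). Mode and owner are part of each line, so an existing file
# whose mode or owner changed is reported as well.
new_suid() {
    list_suid "$1" | LC_ALL=C comm -13 "$2" -
}

# writable_suid ROOT
# Print setuid/setgid files that group or other can write to. Anyone in
# that group (or anyone at all) can replace the contents of such a file.
writable_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | LC_ALL=C sort
}

# Stand-alone use: script.sh ROOT BASELINE
#   first run:  list_suid / > /var/lib/suid.baseline   (path is a placeholder)
#   later runs: report anything that is not in the baseline
if [ "$#" -ge 2 ]; then
    new_suid "$1" "$2"
    writable_suid "$1"
fi
```

Store the baseline somewhere the web server and hosting customers cannot write to, otherwise whoever adds a setuid file can add it to the baseline too.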

Copyright 2010, SecurityFocus