-
09-21-2010, 10:39 AM #161
OSHS Ltd
OSHS Services - DNS Clusters | R1Soft Licenses | Remote Backup Storage | R1Soft CDP Storage | Cheap Dedicated Servers
EconDC.com - Enterprise UK Server Colo & Rack Space at Lowest Prices
-
09-21-2010, 12:24 PM #162
This is why we run ksplice on our openvz nodes. It really does turn these things into a non-event.
-
09-21-2010, 12:44 PM #163
In this case if the exploit code was run previously it would have left a backdoor in memory allowing it to be compromised after the ksplice update. The only fix for this currently is to reboot the machine.
In addition to this we (and some others) have had issues with ksplice on OpenVZ nodes which causes the CPU to spike and take ages to install a single update. Imagine rebooting using an older kernel and having to apply 30+ of these..
Needless to say relying solely on ksplice doesn't seem like a good idea especially for something as critical as this (in a shared environment at least).
**EDIT** Oh and we love ksplice, just saying it's not the end all.
█ Cody R.
█ Hawk Host Inc. Proudly Serving websites since 2004.
█ Official Let's Encrypt Sponsor
-
09-21-2010, 12:46 PM #164
Well of course you test for an exploit like this but we found that all of our 64 bit ksplice nodes were already patched by ksplice.
-
09-21-2010, 12:48 PM #165
It does not leave a backdoor, it just changes the LSM value, it's just a way to fingerprint if the server was exploited previously using the public exploit.
The LSM value is reset upon reboot, it is also possible for the attacker to restore the LSM value after he exploited the vulnerability, just because the ksplice tool says 'no backdoor found' does not mean you're safe or not exploited previously.
█ VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
█ 99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
█ Follow us: twitter.com/VPSnoc
-
09-21-2010, 12:49 PM #166
Last edited by Steven; 09-21-2010 at 12:58 PM.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
09-21-2010, 12:50 PM #167
-
09-21-2010, 12:58 PM #168
Official CentOS updated kernel is now available. Should be making it to repositories soon. Or directly at:
http://centosq4.centos.org/centos/5....el5.x86_64.rpm
-
09-21-2010, 02:47 PM #169
GOOD GOOD GOOD news
Be back shortly if system fails to boot
-
09-21-2010, 03:46 PM #170
-
09-21-2010, 03:52 PM #171
I swear it's not me! But it's like a jinx, every kernel I do the damn box does not boot up lol, I have to phone the DC to get me online... They even know me by my voice now it happened that many times
Anyhow, booted fine this time.. Looking all good so far and things are stable, I was more worried about mysql issues, since I applied the patch originally I could hardly keep the sql online, only issue is with WHM setups.
This seemed to do the trick tho... Fingers crossed.
-
09-21-2010, 04:21 PM #172
It's in yum now.
-
09-21-2010, 04:28 PM #173
I'm moving accounts to a new server with 32bits kernel
honesting.es honest european provider
-
09-21-2010, 04:31 PM #174
You are downgrading over this?
-
09-21-2010, 04:45 PM #175
-
09-21-2010, 04:55 PM #176
yes, welcome back to 32bits!
-
09-22-2010, 03:01 AM #177
Good thing we haven't upgraded all of our servers to 64bit. Less work fixing this if any of our servers is exploited
-
09-22-2010, 03:48 AM #178
█ Marcin Krupinski
█ HOSTINEURO
█ Fast,reliable VPS and Dedicated Servers in Europe (Germany / Netherlands)
█ Red Hat Certified Engineer(RHCE)
-
09-22-2010, 07:03 AM #179
ISPlicense.com -- special offer for new partners to sell ISPsystem software!
-
09-22-2010, 07:15 AM #180
yes, and secure
-
09-22-2010, 07:40 AM #181
-
09-22-2010, 09:54 AM #182
-
09-22-2010, 09:59 AM #183
Right, exactly.
More generally, once you're executing arbitrary code in the kernel, you already have a potential breakout exploit on your hands -- you just need to be a little bit clever about getting it to work.
This is just one of the properties inherent to Virtuozzo/OpenVZ: if all of your containers are sharing the same kernel, and one container can do arbitrary things to the kernel, it can affect all the other containers.
-
09-22-2010, 11:43 AM #184
I can only imagine openVZ servers, Everyone will be affected rather than just the one user, so my theory is, If you have a vps, You run the ksplice and it says it's clean.. But reality the main system could be compromised and not just the one user so it won't show on that account?
Correct me if I'm wrong.
-
09-22-2010, 01:10 PM #185
A few comments:
First, on OpenVZ, all of the containers share one kernel, so if a change was made in the kernel, it would affect all the containers. So, no, that's not quite right.
But the situation is subtle: as folks have mentioned, the Ksplice test tool looks for backdoors left by the high-profile exploit code, ABftw.c. The unmodified version of this exploit doesn't work on OpenVZ (it's had that portion of the code removed), so our detector tool also won't do anything useful there.
In general, no one can write a checker that's 100%: if an attacker has root on the system, they can do arbitrarily clever things to hide themselves. For example, a sufficiently clever attacker could modify ABftw.c not to leave those backdoors (or could modify it to work on OpenVZ), and then the Ksplice tool would not detect that the system has been compromised.
So in general, if you suspect your system has been compromised, you should treat it as such. The diagnostic tool we provided isn't a general rootkit checker or a tool that says "Yes, your systems are totally free of any and all attackers". It's answering a very specific question: Has someone already run ABftw.c (without any modifications) on this system?
Did that answer your question?
-
09-22-2010, 05:33 PM #186
Hi, my server was hacked because of this problem, how do I solve it? I use CENTOS 5.5 x86_64 standard with cPanel/WHM.
-
09-22-2010, 05:37 PM #187
-
09-22-2010, 05:43 PM #188
-
09-22-2010, 05:43 PM #189
OK, and I have 30 other servers with this config, I executed the command:
[email protected] [~]# yum upgrade
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Excluding Packages in global exclude list
Finished
Setting up Upgrade Process
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
The program yum-complete-transaction is found in the yum-utils package.
--> Running transaction check
---> Package kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus set to be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================================================================== =========================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================================== =========================================================================================================================
Installing:
kernel x86_64 2.6.18-194.11.3.el5.centos.plus centosplus 21 M
Transaction Summary
====================================================================================================================================================== =========================================================================================================================
Install 1 Package(s)
Upgrade 0 Package(s)
Total download size: 21 M
Is this ok [y/N]: y
Downloading Packages:
kernel-2.6.18-194.11.3.el5.centos.plus.x86_64.rpm | 21 MB 00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : kernel 1/1
Installed:
kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus
Complete!
[email protected] [~]#
Did this solve this problem?
-
09-22-2010, 05:44 PM #190
simplywww: directadmin and cpanel hosting that will rock your socks
Need some work done in a datacenter in the NYC area? NYC Remote Hands can do it.
Follow my "deals" Twitter for hardware specials.. @dougysdeals
-
09-22-2010, 07:52 PM #191
-
09-22-2010, 07:56 PM #192
For what it's worth - Redhat enterprise 4 / Centos 4 is potentially exploitable, not by the public exploit, but someone with some knowledge could probably do it.
From the Redhat Advisory:
Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG
The Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG kernels do not include a backport of the upstream git commit 42908c69; therefore, those kernels do not include compat_mc_getsockopt(). We plan to backport the missing compat_alloc_user_space() sanity checks in future Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG updates.
Note: Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG are not affected by the publicly-circulated exploit.
Redhat will release a patch, but it sounds like it's low priority. I don't know about other people, but we will be manually patching our Rhel4/Centos4 customers until it's fully resolved. Better to be safe than sorry.
-
09-22-2010, 08:01 PM #193
-
09-22-2010, 08:05 PM #194
-
09-22-2010, 08:14 PM #195
It does not work:
[email protected] [~]# yum install kernel-2.6.18-194.11.4.el5
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons | 951 B 00:00
base | 2.1 kB 00:00
centosplus | 1.9 kB 00:00
extras | 2.1 kB 00:00
update | 1.9 kB 00:00
Excluding Packages in global exclude list
Finished
Setting up Install Process
No package kernel-2.6.18-194.11.4.el5 available.
Nothing to do
[email protected] [~]#
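Added example, not part of any post in this thread: a shell check for the question the two yum sessions above leave open, namely whether the running kernel is at a fixed release, or whether a fixed kernel is installed but not yet booted. The threshold 2.6.18-194.11.4.el5 is the release requested in the session above and is used here as an assumed fix level; the function names and the sample host are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED is an assumed fix level (the
# release requested above); confirm it against the vendor advisory.
FIXED="2.6.18-194.11.4.el5"

# "2.6.18-194.11.3.el5.centos.plus" -> "2 6 18 194 11 3"
kver_fields() {
    printf '%s\n' "$1" | sed -e 's/\.el[0-9].*$//' -e 's/[-.]/ /g'
}

# Exit 0 when release $1 is older than release $2 (numeric, field by field).
kver_lt() {
    awk -v a="$(kver_fields "$1")" -v b="$(kver_fields "$2")" 'BEGIN {
        n = split(a, x, " "); m = split(b, y, " ")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1   # equal releases: not older
    }'
}

# Print the highest release among the arguments.
newest_of() {
    best=""
    for v in "$@"; do
        if [ -z "$best" ] || kver_lt "$best" "$v"; then best=$v; fi
    done
    printf '%s\n' "$best"
}

# $1 = running release, $2 = fixed release, $3.. = installed kernel releases
kernel_status() {
    running=$1; fixed=$2; shift 2
    if ! kver_lt "$running" "$fixed"; then
        echo "running-fixed"
    elif ! kver_lt "$(newest_of "$@")" "$fixed"; then
        echo "fixed-installed-reboot-needed"
    else
        echo "fixed-not-installed"
    fi
}

# Constructed host: booted on 194.el5, with the centosplus kernel from the
# first yum session installed afterwards.
kernel_status "2.6.18-194.el5" "$FIXED" \
    "2.6.18-194.el5" "2.6.18-194.11.3.el5.centos.plus"
# Live use on an RPM host:
#   kernel_status "$(uname -r)" "$FIXED" $(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel)
```

A `running-fixed` result only describes the kernel currently booted; as post #185 explains, it does not show whether the host was exploited before the reboot.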
-
09-22-2010, 08:54 PM #196
Does anyone have any steps to see if you were hacked? I ran the check tool after I updated kernel and rebooted. Need some help here just to be sure. The two major rootkit checkers show nothing, but I know they are pretty much useless.
-
09-22-2010, 09:10 PM #197
-
09-22-2010, 09:26 PM #198
Steven, can you help me? Your info does not work for me. Look at the result:
[email protected] [~]# yum install kernel-2.6.18-194.11.4.el5
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
addons | 951 B 00:00
base | 2.1 kB 00:00
centosplus | 1.9 kB 00:00
extras | 2.1 kB 00:00
update | 1.9 kB 00:00
Excluding Packages in global exclude list
Finished
Setting up Install Process
No package kernel-2.6.18-194.11.4.el5 available.
Nothing to do
[email protected] [~]#
-
09-22-2010, 09:42 PM #199
It's disappointing to see places online monetizing this security flaw. If you're one of those places, keep in mind that people remember you for how you helped them and not for how much you charged them.
Regards
Joe / UNIXY
-
09-22-2010, 09:49 PM #200
Does anyone have the name of someone who could check out server for a reasonable price? I am not a security expert, and I am pretty sure there is nothing wrong.