Page 5 of 7 FirstFirst ... 234567 LastLast
Results 161 to 200 of 263
  1. #161
    Quote Originally Posted by wdaher View Post
    Thanks Waseem.
    OSHS Ltd
    OSHS Services - DNS Clusters | R1Soft Licenses | Remote Backup Storage | R1Soft CDP Storage | Cheap Dedicated Servers
    EconDC.com - Enterprise UK Server Colo & Rack Space at Lowest Prices

  2. #162
    This is why we run ksplice on our openvz nodes. It really does turn these things into a non-event.

  3. #163
    Quote Originally Posted by Dave - Just199 View Post
    This is why we run ksplice on our openvz nodes. It really does turn these things into a non-event.
    In this case, if the exploit code was run previously it would have left a backdoor in memory, allowing the machine to be compromised after the Ksplice update. The only fix for this currently is to reboot the machine.

    In addition to this, we (and some others) have had issues with Ksplice on OpenVZ nodes which cause the CPU to spike and take ages to install a single update. Imagine rebooting using an older kernel and having to apply 30+ of these...

    Needless to say, relying solely on Ksplice doesn't seem like a good idea, especially for something as critical as this (in a shared environment at least).

    **EDIT** Oh, and we love Ksplice, just saying it's not the be-all and end-all.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Official Let's Encrypt Sponsor

  4. #164
    Well, of course you test for an exploit like this, but we found that all of our 64-bit Ksplice nodes were already patched by Ksplice.

  5. #165
    Quote Originally Posted by CodyRo View Post
    In this case, if the exploit code was run previously it would have left a backdoor in memory, allowing the machine to be compromised after the Ksplice update. The only fix for this currently is to reboot the machine.
    [...]
    It does not leave a backdoor; it just changes the LSM value. It's just a way to fingerprint whether the server was exploited previously using the public exploit.

    The LSM value is reset upon reboot. It is also possible for the attacker to restore the LSM value after he has exploited the vulnerability; just because the Ksplice tool says 'no backdoor found' does not mean you're safe or were not exploited previously.
    VPSnoc.com offers high quality Xen® OpenVZ & Windows® Virtual Private Servers at affordable prices.
    99.95% Uptime | 24/7/365 Support | Unmetered bandwidth.
    Follow us: twitter.com/VPSnoc

  6. #166
    Quote Originally Posted by Dave - Just199 View Post
    Well of course you test for an exploit like this but we found that all of our 64 bit ksplice nodes were already patched by ksplice.
    If a VPS was exploited prior to the Ksplice patch (it was in the wild for a couple of days before Ksplice had a patch), then you could still be vulnerable.
    Last edited by Steven; 09-21-2010 at 12:58 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #167
    Quote Originally Posted by CodyRo View Post
    I think that's just a version they patched themselves and not the official update from Red Hat.
    As stated earlier in the thread, it was a dev kernel from CentOS themselves.

  8. #168
    Official CentOS updated kernel is now available. Should be making it to repositories soon. Or directly at:

    http://centosq4.centos.org/centos/5....el5.x86_64.rpm

  9. #169
    GOOD GOOD GOOD news

    Be back shortly if system fails to boot

  10. #170
    Quote Originally Posted by LynxUser View Post
    GOOD GOOD GOOD news

    Be back shortly if system fails to boot
    Hah, we haven't had any issues. If anyone is curious, the Facebook mirror has the new kernel synced.

  11. #171
    I swear it's not me! But it's like a jinx: every kernel I do, the damn box does not boot up, lol. I have to phone the DC to get me online... They even know me by my voice now, it has happened that many times.

    Anyhow, it booted fine this time. Looking all good so far and things are stable. I was more worried about MySQL issues; since I applied the patch originally I could hardly keep the SQL online. The only issue is with WHM setups.

    This seemed to do the trick though... Fingers crossed.

  12. #172
    It's in yum now.

  13. #173
    I'm moving accounts to a new server with a 32-bit kernel.
    honesting.es honest european provider

  14. #174
    You are downgrading over this?

  15. #175
    Quote Originally Posted by Steven View Post
    It's in yum now.
    That would be dependent on the repositories you're using w/ CentOS.. not all mirrors have it yet.

  16. #176
    Yes, welcome back to 32 bits!

  17. #177
    Good thing we haven't upgraded all of our servers to 64-bit. Less work fixing this if any of our servers is exploited.

  18. #178
    Quote Originally Posted by weboutloud-Chris View Post
    I can't think of any reason why it wouldn't, I was playing around with it on a CentOS 5.5 VM in VirtualBox which was completely vulnerable, so I don't think virtualization would really get in the way at all.
    Apparently OpenVZ is safe unless the exploit is used on the HW node. It was tested by some members of the OpenVZ forum.
    Marcin Krupinski
    HOSTINEURO
    Fast,reliable VPS and Dedicated Servers in Europe (Germany / Netherlands)
    Red Hat Certified Engineer(RHCE)

  19. #179
    Quote Originally Posted by pueblosnet View Post
    I'm moving accounts to a new sever with 32bits kernel
    It is very strange to use a 32-bit system in 2010.
    ISPlicense.com -- special offer for new partners to sell ISPsystem software!

  20. #180
    Yes, and secure.

  21. #181
    Quote Originally Posted by pueblosnet View Post
    Yes, and secure.

    Secure until a new exploit for the 32-bit kernel.

  22. #182
    Quote Originally Posted by hostineuro View Post
    Apparently OpenVZ is safe unless the exploit is used on the HW node. It was tested by some members of the OpenVZ forum.

    Wrong, the OpenVZ breakout code was intentionally removed from ABftw.c.

  23. #183
    Quote Originally Posted by DigitalLinx View Post
    Wrong, the OpenVZ breakout code was intentionally removed from ABftw.c.
    Right, exactly.

    More generally, once you're executing arbitrary code in the kernel, you already have a potential breakout exploit on your hands -- you just need to be a little bit clever about getting it to work.

    This is just one of the properties inherent to Virtuozzo/OpenVZ: if all of your containers are sharing the same kernel, and one container can do arbitrary things to the kernel, it can affect all the other containers.

  24. #184
    I can only imagine OpenVZ servers: everyone will be affected rather than just the one user. So my theory is, if you have a VPS, you run the Ksplice tool and it says it's clean, but in reality the main system could be compromised and not just the one user, so it won't show on that account?

    Correct me if I'm wrong.

  25. #185
    Quote Originally Posted by LynxUser View Post
    I can only imagine OpenVZ servers: everyone will be affected rather than just the one user. So my theory is, if you have a VPS, you run the Ksplice tool and it says it's clean, but in reality the main system could be compromised and not just the one user, so it won't show on that account?

    Correct me if I'm wrong.
    A few comments:
    First, on OpenVZ, all of the containers share one kernel, so if a change was made in the kernel, it would affect all the containers. So, no, that's not quite right.

    But the situation is subtle: as folks have mentioned, the Ksplice test tool looks for backdoors left by the high-profile exploit code, ABftw.c. The unmodified version of this exploit doesn't work on OpenVZ (it's had that portion of the code removed), so our detector tool also won't do anything useful there.

    In general, no one can write a checker that's 100%: if an attacker has root on the system, they can do arbitrarily clever things to hide themselves. For example, a sufficiently clever attacker could modify ABftw.c not to leave those backdoors (or could modify it to work on OpenVZ), and then the Ksplice tool would not detect that the system has been compromised.

    So in general, if you suspect your system has been compromised, you should treat it as such. The diagnostic tool we provided isn't a general rootkit checker or a tool that says "Yes, your systems are totally free of any and all attackers". It's answering a very specific question: Has someone already run ABftw.c (without any modifications) on this system?

    Did that answer your question?

  26. #186
    Hi, my server was hacked through this problem; how do I solve it? I use CentOS 5.5 x86_64 standard with cPanel/WHM.

  27. #187
    Quote Originally Posted by feliper View Post
    Hi, my server was hacked through this problem; how do I solve it? I use CentOS 5.5 x86_64 standard with cPanel/WHM.
    Best practice is to do a complete re-install, update your kernel, and restore from backups.

  28. #188
    Quote Originally Posted by feliper View Post
    Hi, my server was hacked through this problem; how do I solve it? I use CentOS 5.5 x86_64 standard with cPanel/WHM.
    Move the user backups off, re-install the server, restore the backups. This is the only way you know you're safe.

  29. #189
    OK, and I have 30 other servers with this config. I executed this command:

    [~]# yum upgrade
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    Excluding Packages in global exclude list
    Finished
    Setting up Upgrade Process
    Resolving Dependencies
    There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
    The program yum-complete-transaction is found in the yum-utils package.
    --> Running transaction check
    ---> Package kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus set to be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
    Package    Arch      Version                            Repository   Size
    ================================================================================
    Installing:
    kernel     x86_64    2.6.18-194.11.3.el5.centos.plus    centosplus   21 M

    Transaction Summary
    ================================================================================
    Install 1 Package(s)
    Upgrade 0 Package(s)

    Total download size: 21 M
    Is this ok [y/N]: y
    Downloading Packages:
    kernel-2.6.18-194.11.3.el5.centos.plus.x86_64.rpm | 21 MB 00:01
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Installing : kernel 1/1

    Installed:
    kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus

    Complete!
    [~]#

    Does this solve the problem?

  30. #190
    Quote Originally Posted by pueblosnet View Post
    Yes, welcome back to 32 bits!
    That's silly. There are plenty of exploits which leave 32-bit open too.

    Quote Originally Posted by pueblosnet View Post
    Yes, and secure.

    Not quite, bud.
    simplywww: directadmin and cpanel hosting that will rock your socks
    Need some work done in a datacenter in the NYC area? NYC Remote Hands can do it.

    Follow my "deals" Twitter for hardware specials.. @dougysdeals

  31. #191
    Quote Originally Posted by feliper View Post
    OK, and I have 30 other servers with this config. I executed this command:

    [~]# yum upgrade
    [...]
    ---> Package kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus set to be installed
    [...]
    Installed:
    kernel.x86_64 0:2.6.18-194.11.3.el5.centos.plus

    Complete!

    Does this solve the problem?

    You will need to install 2.6.18-194.11.4 and get off the CentOS Plus branch.

  32. #192
    For what it's worth, Red Hat Enterprise 4 / CentOS 4 is potentially exploitable: not by the public exploit, but someone with some knowledge could probably do it.

    From the Redhat Advisory:
    Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG
    The Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG kernels do not include a backport of the upstream git commit 42908c69; therefore, those kernels do not include compat_mc_getsockopt(). We plan to backport the missing compat_alloc_user_space() sanity checks in future Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG updates.

    Note: Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG are not affected by the publicly-circulated exploit.
    Red Hat 4 / CentOS 4 does not have compat_mc_getsockopt(), but that does not mean the exploit couldn't take place in another function that utilizes compat_alloc_user_space() if someone were to find it.

    Red Hat will release a patch, but it sounds like it's low priority. I don't know about other people, but we will be manually patching our RHEL4/CentOS4 customers until it's fully resolved. Better to be safe than sorry.
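The "missing compat_alloc_user_space() sanity checks" in the advisory text quoted above are easier to see in a small model. The block below is an added example, not code from the thread, from Red Hat or from the kernel tree: it re-creates in plain user-space C the arithmetic of a scratch-buffer helper that subtracts a caller-supplied length from the user stack pointer without checking the result, beside a version that rejects oversized lengths up front and verifies the computed range with an access_ok()-style test. COMPAT_TASK_SIZE, the sample stack pointer and the request lengths are assumptions chosen to resemble a 32-bit task on x86_64, not values taken from any kernel.

```c
/* Added example (not from the thread, Red Hat, or the kernel tree): a user-space model
 * of an unchecked compat_alloc_user_space()-style helper beside a checked one.
 * All constants are assumptions chosen to resemble a 32-bit task on x86_64. */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Assumption: user addresses of a 32-bit compat task lie below this limit; anything
 * at or above it belongs to the kernel half of the 64-bit address space. */
#define COMPAT_TASK_SIZE 0xFFFFE000ULL

/* Vulnerable shape: scratch space is "the user stack pointer minus len", with no check
 * that the result is still a user address. A len larger than the stack pointer wraps
 * the 64-bit subtraction into the high (kernel) half of the address space. */
static uint64_t alloc_user_space_unchecked(uint64_t user_sp, uint64_t len)
{
    return user_sp - len;
}

/* access_ok()-style range test: [addr, addr + len) must not wrap around and must end
 * at or below COMPAT_TASK_SIZE. */
static int range_is_user(uint64_t addr, uint64_t len)
{
    uint64_t end = addr + len;

    if (end < addr)                 /* wrapped past the top of the address space */
        return 0;
    return end <= COMPAT_TASK_SIZE;
}

/* Hardened shape: refuse any request for more than half of the 32-bit space before
 * doing arithmetic, then verify the computed range. Returns 0 (NULL in the kernel
 * version) when the request is rejected. */
static uint64_t alloc_user_space_checked(uint64_t user_sp, uint64_t len)
{
    uint64_t ptr;

    if (len > ((uint64_t)UINT32_MAX >> 1))
        return 0;
    ptr = alloc_user_space_unchecked(user_sp, len);
    if (!range_is_user(ptr, len))
        return 0;
    return ptr;
}

/* 1 if the pointer lies in the modelled user range, 0 if it points at kernel space. */
static int points_into_user(uint64_t ptr)
{
    return ptr < COMPAT_TASK_SIZE;
}

static void show(const char *label, uint64_t sp, uint64_t len)
{
    uint64_t raw = alloc_user_space_unchecked(sp, len);
    uint64_t safe = alloc_user_space_checked(sp, len);

    printf("%-24s len=0x%-10" PRIx64 " unchecked=0x%016" PRIx64 " (%s)  checked=%s\n",
           label, len, raw, points_into_user(raw) ? "user" : "KERNEL",
           safe ? "accepted" : "rejected");
}

int main(void)
{
    const uint64_t user_sp = 0xBFFFF000ULL;   /* assumption: a typical 32-bit stack top */

    show("small scratch request", user_sp, 0x200);          /* both helpers agree */
    show("attacker-sized length", user_sp, 0xFFFFFFF0ULL);  /* wraps into kernel space */
    show("small len, tiny stack", 0x1000, 0x2000);          /* wraps even with a small len */
    return 0;
}
```

The second case is the one the length check catches: a length read from the caller that is larger than the stack pointer turns "sp - len" into an address in the top half of the 64-bit space, which is exactly what a kernel-side copy routine would then write into. The third case shows why the range test is still needed after the length check: a modest length below a small stack pointer also wraps, and only the access_ok()-style test rejects it.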

  33. #193
    Quote Originally Posted by Steven View Post
    You will need to install 2.6.18-194.11.4 and get off the CentOS Plus branch.

    How do I install this version? Can you help me?

  34. #194
    Quote Originally Posted by feliper View Post
    How do I install this version? Can you help me?
    If you're not using any of the special features in the CentOS Plus kernel you can run:

    yum install kernel-2.6.18-194.11.4.el5
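Checking a fleet of 30 servers comes down to comparing each host's `uname -r` against the release named above. The block below is an added example, not something posted in the thread: it parses the numeric fields of an el5 kernel release string and compares them field by field against a minimum. The minimum 2.6.18-194.11.4.el5 is taken from the thread; the sample release strings are constructed for the example, and treating any numerically later release (including a later CentOS Plus build) as fixed is this example's assumption, not a statement from CentOS.

```c
/* Added example (not posted in the thread): compare a kernel release string from
 * `uname -r` against the minimum fixed release named in the thread. The sample
 * release strings are constructed for the example. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_FIELDS 8

/* Parse the leading numeric fields of "2.6.18-194.11.3.el5.centos.plus" into
 * out[] (2, 6, 18, 194, 11, 3) and stop at the first non-numeric component ("el5").
 * '.' and '-' are treated as the same separator. Returns the number of fields. */
static int parse_release(const char *rel, unsigned long out[MAX_FIELDS])
{
    int n = 0;
    const char *p = rel;

    while (n < MAX_FIELDS && *p != '\0') {
        char *end;
        unsigned long v = strtoul(p, &end, 10);

        if (end == p)               /* "el5", "centos", "plus": not a number */
            break;
        out[n++] = v;
        p = end;
        if (*p == '.' || *p == '-')
            p++;
        else
            break;
    }
    return n;
}

/* Field-by-field comparison; a missing trailing field counts as 0, so
 * "2.6.18-194.11" sorts below "2.6.18-194.11.4". Returns <0, 0 or >0. */
static int compare_release(const char *a, const char *b)
{
    unsigned long fa[MAX_FIELDS] = {0}, fb[MAX_FIELDS] = {0};
    int na = parse_release(a, fa);
    int nb = parse_release(b, fb);
    int n = na > nb ? na : nb;

    for (int i = 0; i < n; i++) {
        if (fa[i] != fb[i])
            return fa[i] < fb[i] ? -1 : 1;
    }
    return 0;
}

/* 1 when `running` is at least `fixed`. Only numeric fields count: the
 * "centos.plus" suffix of 194.11.3 does not make it newer than the base 194.11.4. */
static int kernel_is_fixed(const char *running, const char *fixed)
{
    return compare_release(running, fixed) >= 0;
}

int main(void)
{
    const char *fixed = "2.6.18-194.11.4.el5";   /* minimum release from the thread */
    /* constructed sample `uname -r` values */
    const char *samples[] = {
        "2.6.18-194.11.3.el5.centos.plus",  /* the CentOS Plus build from the yum log above */
        "2.6.18-194.11.4.el5",              /* the fixed release */
        "2.6.18-194.8.1.el5",               /* older, unpatched */
        "2.6.18-194.11.4.el5xen",           /* xen flavour of the fixed release */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-36s %s\n", samples[i],
               kernel_is_fixed(samples[i], fixed) ? "fixed" : "NEEDS UPDATE");
    return 0;
}
```

Run it with the output of `uname -r` from each host substituted for the sample strings; a host that reports 2.6.18-194.11.3.el5.centos.plus after a reboot is still short of the fix, which is the situation in the yum log above.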

  35. #195
    It doesn't work:

    [~]# yum install kernel-2.6.18-194.11.4.el5
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    addons | 951 B 00:00
    base | 2.1 kB 00:00
    centosplus | 1.9 kB 00:00
    extras | 2.1 kB 00:00
    update | 1.9 kB 00:00
    Excluding Packages in global exclude list
    Finished
    Setting up Install Process
    No package kernel-2.6.18-194.11.4.el5 available.
    Nothing to do
    [~]#

  36. #196
    Does anyone have any steps to see if you were hacked? I ran the check tool after I updated the kernel and rebooted. Need some help here just to be sure. The two major rootkit checkers show nothing, but I know they are pretty much useless.

  37. #197
    Quote Originally Posted by dclardy View Post
    Does anyone have any steps to see if you were hacked? I ran the check tool after I updated the kernel and rebooted. Need some help here just to be sure. The two major rootkit checkers show nothing, but I know they are pretty much useless.
    Every hack is different; there are no clear steps to finding a hack that involves a root compromise.

  38. #198
    Quote Originally Posted by Steven View Post
    If your not using any of the special features in the centos-plus kernel you can run:
    Steven, can you help me? Your info does not work for me. Look at the result:

    [~]# yum install kernel-2.6.18-194.11.4.el5
    [...]
    No package kernel-2.6.18-194.11.4.el5 available.
    Nothing to do

  39. #199
    It's disappointing to see places online monetizing this security flaw. If you're one of those places, keep in mind that people remember you for how you helped them and not for how much you charged them.

    Regards
    Joe / UNIXY

  40. #200
    Does anyone have the name of someone who could check out a server for a reasonable price? I am not a security expert, and I am pretty sure there is nothing wrong.
