
| Subject: | Re: DNS CACHE POISONING? - Our Portal is redirecting to our first competition |
|---|---|
| Date: | Wed, 30 Jan 2008 17:50:27 +0000 |

On Wed, 2008-01-30 at 08:22 +0800, Eduardo Tongson wrote:

> Yeah, completely forgot about those ran as root and setuid programs. Been a while since I have seen those. Also forgot about the usual admin errors. But it is ridiculous to say "all bets are off" when a user gets a shell. That's got a lot to say about the admin in charge.

Yep, that's right, it does. I've seen way too many colo'd servers out there running a portmapper service, for example. However there is rather more to it than inexperience - what about customers of hosting companies who keep their hosting infrastructure several OS revisions "behind the times" because upgrading them makes their customers leave? There are many of them, too many to list here (no offence intended to anyone).

If you have a customer on your system, you have a contract with them and you can exert legal power over them if they misbehave (as long as you can detect that misbehaviour). What you can't do, however, is exert the same level of control over a J.Random-Kiddie who exploits a hole in a vulnerable web app (choose one from, oh, thousands) that a customer of yours has uploaded to fulfil one specific requirement and then left the app in place.

Can anyone say "formmail.pl"? I know that's a trivial example, but it's *still* being installed in vulnerable versions and *still* being exploited. That's been fixed for, oh, something like 8 years now, and that's just one example.

Once that kiddie has access to a shell - whether fully interactive, bound to a port, or via a webserver, you better be a *really* good admin to (a) spot the fact that they are there amongst the noise, and (b) prevent them doing something simple like `cat /etc/passwd` and then brute-forcing your user accounts. Then there's always:

    find / -perm -4000

My money, for most of these exploits, is on some web app being exploited to gain a shell of some sort, then either simple passwords being guessed or a setuid script derived from some hosting control panel being abused to get root. So far, most of the systems I've seen described as being affected have been running some form of control panel; the majority of which are a setuid-addict's heaven by definition.

I still say - if you have someone on your system and you don't know that they are there, all bets are off.

Graeme
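
A defender's version of the setuid inventory mentioned in the post, as an added example that is not part of the original message: it lists files with the setuid or setgid bit set and flags those missing from a known-good baseline, with a changed owner, or writable by group or others. The baseline, the sample paths and the function names are constructed for illustration.

```python
import os
import stat

# Constructed baseline: setuid files the admin expects, path -> owner uid.
BASELINE = {"/usr/bin/passwd": 0, "/usr/bin/sudo": 0}

def scan(root):
    """Yield (path, mode, uid) for regular files under root, not following symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid

def audit(entries, baseline):
    """Return sorted (path, reasons) for setuid/setgid files that need review."""
    findings = []
    for path, mode, uid in entries:
        # Bit test: "at least these bits set", not an exact mode match.
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        elif baseline[path] != uid:
            reasons.append("owner changed")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("group/world writable")
        if reasons:
            findings.append((path, reasons))
    return sorted(findings)

# Constructed sample entries standing in for list(scan("/")).
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 1001),
    ("/home/cust/panel/bin/wrapper", 0o104777, 0),
    ("/home/cust/public_html/index.php", 0o100644, 1001),
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE, BASELINE):
        print(path, "-", ", ".join(reasons))
```

Run from cron with `audit(scan("/"), baseline)` and alert on any non-empty result; on a shared host the baseline should be captured right after a clean install.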