... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It was cracked in a matter of hours. I noticed it because they've deleted my smbd. :-|

I'm ready to reinstall the machine, if there are any logs that anybody is interested in please say it now.
Hi.

> ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It
> was cracked in a matter of hours. I noticed it because they've deleted my
> smbd. :-|

2.2.8a cracked? Isn't this supposed to be the most stable release?

> I'm ready to reinstall the machine, if there are any logs that anybody is
> interested in please say it now.

Please send them to me. Thank you.

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si
On Mon, Jun 30, 2003 at 06:08:02PM +0200, Vizitiu, Ciprian wrote:
> ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It
> was cracked in a matter of hours. I noticed it because they've deleted my
> smbd. :-|
>
> I'm ready to reinstall the machine, if there are any logs that anybody is
> interested in please say it now.

Were there any other ports open? We are not aware of any security holes in 2.2.8a (and one of the Samba Team who is a member of ISS has been testing it on an open Internet connected machine for many weeks now).

Jeremy.
Vizitiu, Ciprian wrote:
> ... By my mistake a 2.2.8a-1 running on RH8 was exposed to the Internet. It
> was cracked in a matter of hours. I noticed it because they've deleted my
> smbd. :-|
>
> I'm ready to reinstall the machine, if there are any logs that anybody is
> interested in please say it now.

Are you really sure that the computer was broken into through samba? You can be sure only if just the samba ports (137,138,139,445) were opened to the Internet?!
> Are you really sure that the computer was broken into through samba? You
> can be sure only if just the samba ports (137,138,139,445) were opened to
> the Internet?!

Yes, totally agree with you. Maybe my message was... No, for sure my message was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and latest Courier IMAP and samba. It was exposed to the Internet and was cracked. From logs like:

Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(39)
Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]: Please read the file BUGS.txt in the distribution
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(41)
Jun 30 16:17:39 server smbd[28856]: ===============================================================
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/util.c:smb_panic(1094)
Jun 30 16:17:39 server smbd[28856]: PANIC: internal error
Jun 30 16:17:39 server smbd[28856]:
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: printing eip:
Jun 30 16:19:03 server kernel: 8491bb2e
Jun 30 16:19:03 server kernel: *pde = 00000000
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 16:19:03 server kernel: lp parport e1000 iptable_filter ip_tables reiserfs mousedev keybdev hid input usb-ohci usbcore ext3 jbd ips sd_mod scsi_mod
Jun 30 16:19:03 server kernel: CPU: 0
Jun 30 16:19:03 server kernel: EIP: 0010:[<8491bb2e>] Not tainted
Jun 30 16:19:03 server kernel: EFLAGS: 00010283
...

to me *it looks* like a samba exploit. Please note that the trigger for the whole issue was the absence of the smbd file. It was deleted. And that stopped Winbind auth from working, so I started to investigate the issue, then I saw the logs and then looked at the firewall rules that I'd modified a short time ago and found the real mistake. Is it better now?
Signal 11, mmm, that could be a memory error (hardware).
Is the hardware certified? (www.memtest86.com)

HTH
Oliver

Vizitiu, Ciprian wrote:
>> Are you really sure that the computer was broken into through samba? You
>> can be sure only if just the samba ports (137,138,139,445) were opened to
>> the Internet?!
>
> Yes, totally agree with you. Maybe my message was... No, for sure my message
> was badly formulated. I had a RH8 machine with qmail, latest pure-ftpd and
> latest Courier IMAP and samba. It was exposed to the Internet and was
> cracked. From logs like:
>

--
Oliver Schulze L. <oliver@samera.com.py>
Hi.

> Signal 11, mmm, that could be a memory error (hardware).
> Is the hardware certified? (www.memtest86.com)

If it was a hardware error, why would smbd be deleted?

--
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si
> > Signal 11, mmm, that could be a memory error (hardware).
> > Is the hardware certified? (www.memtest86.com)

:-D ... Well it's an IBM e-server. No, I didn't change the original memory modules.

> If it was a hardware error, why would smbd be deleted?

Good question.
> On Mon 30/06/2003 at 08:38, Rashkae wrote:
> > For that matter, why would smbd (but not the system logs) be deleted in
> > the first place?
>
> On which FS type does smbd reside?

ext3. But it served files from a [Homes] on a ReiserFS.
On Mon, 30 Jun 2003, Vizitiu, Ciprian wrote:
> Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
> lib/fault.c:fault_report(38)
> Jun 30 16:17:39 server smbd[28856]:
> ===============================================================
> Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0]
> lib/fault.c:fault_report(39)
> Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856
> (2.2.8)
  ^^^^^^^

2.2.8 is vulnerable. 2.2.8a is not.

cheers, jerry
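The version string jerry points at is something a log checker can pull out automatically. The following Python is an added example written for this page (not code from the thread or from the Samba project): it parses classic syslog lines, extracts pid, signal and the parenthesised version from smbd's fault_report panic line, flags whether that version is a known-fixed release, and notes whether a kernel Oops followed within a short window, as in the excerpt above. The sample log is constructed from the lines quoted in the thread plus one made-up 2.2.8a line; the set of fixed versions, the year and the two-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: smbd/kernel lines quoted earlier in this thread, plus one
# later line for a 2.2.8a build (made up, for contrast).
SAMPLE_LOG = """\
Jun 30 16:17:39 server smbd[28856]: [2003/06/30 16:17:39, 0] lib/fault.c:fault_report(38)
Jun 30 16:17:39 server smbd[28856]: INTERNAL ERROR: Signal 11 in pid 28856 (2.2.8)
Jun 30 16:17:39 server smbd[28856]: PANIC: internal error
Jun 30 16:19:03 server kernel: Unable to handle kernel paging request at virtual address 8491bb2e
Jun 30 16:19:03 server kernel: Oops: 0000
Jun 30 18:00:00 server smbd[29001]: INTERNAL ERROR: Signal 11 in pid 29001 (2.2.8a)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
                       r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# smbd's fault_report line; the parenthesised field is the version smbd reports
PANIC_RE = re.compile(r"INTERNAL ERROR: Signal (?P<sig>\d+) in pid (?P<pid>\d+) "
                      r"\((?P<ver>[^)]+)\)")
# Assumption, per the thread: 2.2.8a carries the fix that 2.2.8 lacks.
FIXED_VERSIONS = {"2.2.8a"}

def parse_ts(ts, year=2003):
    """Syslog timestamps carry no year; assume one (2003 matches the thread)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def analyze(log_text, oops_window_s=120):
    """One finding per smbd panic: pid, signal, reported version, whether that
    version is a known-fixed release, and whether a kernel Oops followed within
    oops_window_s seconds (worth correlating before blaming flaky RAM)."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["prog"], m["msg"]))
    findings = []
    for ts, prog, msg in events:
        p = PANIC_RE.search(msg) if prog == "smbd" else None
        if not p:
            continue
        oops_after = any(p2 == "kernel" and m2.startswith("Oops:")
                         and 0 <= (t2 - ts).total_seconds() <= oops_window_s
                         for t2, p2, m2 in events)
        findings.append({"pid": int(p["pid"]), "signal": int(p["sig"]),
                         "version": p["ver"], "known_fixed": p["ver"] in FIXED_VERSIONS,
                         "kernel_oops_followed": oops_after})
    return findings
```

Run against a real /var/log/messages, a finding with `known_fixed` False and `kernel_oops_followed` True is the combination the thread describes; a panic from a fixed version with no Oops is the one to test with memtest86 first.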