RE: Re[2]: Exited on signal 11 ??

From: Henrik Kramshøj (none@henrik.kramshoj--vigilante.com.lh.bsd-dk.dk)
Date: Wed 30 May 2001 - 09:02:38 CEST

Next message: Morten Vinding Nielsen: "RE: Rackserver til FreeBSD"
Previous message: mads: "Re[2]: Exited on signal 11 ??"
Maybe in reply to: mads@kanon.net: "Re[2]: Exited on signal 11 ??"
Next in thread: Mads: "Re[4]: Exited on signal 11 ??"
Reply: Mads: "Re[4]: Exited on signal 11 ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

From: Henrik Kramshøj <none@henrik.kramshoj--vigilante.com.lh.bsd-dk.dk>
To: "'bsd-dk@BSD-Dk.dk'" <none@bsd-dk--BSD-Dk.dk.lh.bsd-dk.dk>
Subject: RE: Re[2]: Exited on signal 11 ??
Date: Wed, 30 May 2001 09:02:38 +0200

Hej Mads

Surt show, håber du har en relativt ny backup

Hvis du kan finde ud af hvornår det skete kan du gå
tilbage til den backup og patche dit system
- ellers vil jeg personligt anbefale install from scratch

Der er mange eksempler på at folk blot installerer patch for det problem
der i første omgang tillod adgang, men "overser" andre adgangsveje.

Den seneste sadmin/unicode worm, der spreder sig via Solaris sadmind
vulnerability og defacer Microsoft IIS servere med Unicode efterlader
en kopi ad cmd.exe i /scripts kataloget

De travle administratorer installerer seneste 10 patches fra MS
(som de burde have gjort meget tidligere) hvorefter alle og en enhver
stadig kan bruge cmd.exe kopien ...

Det bedste råd der findes er - DONT PANIC !

Selvom I sidder med ansvaret for www.high-profile-site-something.dk/com
og alle står på nakken af jer for at få skidtet i luften så prøv at tage det
roligt

Min personlige plan ville være noget i stil med
- blot et uddrag af hvad man kunne gøre, MIN personlige mening
1) Simuler et strømudfald - hiv ethernet stikket ud, vent 5 min
så der ikke er så meget traffik på maskinen og tag strømmen !
- Hvordan man "lukker" en kompromitteret maskine er et stort diskussions
emne,
der kan være indbygget oprydning i shutdown scripts, og man kan ved
ovenstående miste
muligheden for at dumpe kørende programmer fra memory
De fleste bliver ramt af kendte exploits, og hvis man ikke har tid til at
patche
sine systemer har man sikkert aligevel ikke tid til at dekode memory dumps
etc.

2) Diskuter hvorledes sagen skal håndteres
Tag diskussion med nærmeste chef, inddrag alt efter omfang ledelse/højere
niveauer
Beslut hvem der er ansvarlig for dele af opgaven, skal Politiet indrages
hvem taler
med Politiet, hvem taler med Internet udbyderen

3) Alt efter hvad der aftales så tag backup af det ødelagte system,
ghost, dd whatever

4) Installer backup eller base OS på samme hardware eller en anden server

...

Mads: Hvis du mangler mere info kan jeg sikkert finde nogle links

Henrik Lund Kramshøj
henrik.kramshoj@vigilante.com
Security Engineer
___________________
VIGILANTe - Assuring Internet Security
www.vigilante.com

Company Phone +45 7020 6565
Direct Phone +45 7731 6584
Mobile Phone +45 2026 6000

-----Original Message-----
From: mads [mailto:mads@petersen.eu.com]
Sent: 30. maj 2001 08:23
To: Anton Berezin
Cc: bsd-dk@bsd-dk.dk
Subject: Re[2]: Exited on signal 11 ??

DAMN!!

Thanks Anton.. That was what I feared.. Hmm.. Any small pointers to
how I proceed from here?

Mads

Wednesday, May 30, 2001, 2:33:21 AM, you wrote:

AB> On Wed, May 30, 2001 at 12:15:59AM +0200, mads@kanon.net wrote:
>> Hej liste..
>>
>> Hvad betyder disse kernel log messages:
>> > pid 5573 (ftpd), uid 14: exited on signal 11
>> > pid 5581 (ftpd), uid 14: exited on signal 11
>>
>> Jeg kan godt se at det betyder at to ftpd processer er blevet afbrudt,
>> men er der nogen som ved hvad signal 11 betyder??

AB> Signal 11 is SIGSEGV - segment violation. It is typically caused by
AB> programs trying to write to memory regions that the program has no
AB> permission to write to.

AB> In this particular case, however, what you see is the strong indication
AB> that someone was trying to hack into your system. There were couple of
AB> security vulnerabilities in FreeBSD's (sorry for the assumption here)
AB> ftpd. Please see the list of FreeBSD security advisories on
AB> www.freebsd.org.

AB> Oh, and by the way, it is possible that whoever has done that has
AB> succeeded, so you'd better investigate.

AB> Cheers,
AB> =Anton.

>>>> VIGILANTe.com NOTICE - AUTOMATICALLY INSERTED <<<<

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.

Any opinions expressed in this email are those of the individual and not
necessarily the Company.

If you receive this transmission in error, please email to
postmaster@vigilante.com, including a copy of this message. Please then
delete this email and destroy any copies of it.

>>>>>>>>>>>>>>>>>>>>>>>>>> DISCLAIMER END <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Next message: Morten Vinding Nielsen: "RE: Rackserver til FreeBSD"
Previous message: mads: "Re[2]: Exited on signal 11 ??"
Maybe in reply to: mads@kanon.net: "Re[2]: Exited on signal 11 ??"
Next in thread: Mads: "Re[4]: Exited on signal 11 ??"
Reply: Mads: "Re[4]: Exited on signal 11 ??"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:08 CET