List:       incidents
Subject:    RE: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794
From:       "Bojan Zdrnja" <Bojan.Zdrnja () LSS ! hr>
Date:       2003-08-25 22:01:14

Hi all,

Just to let you know, if you haven't seen it already, that a Realserver 7, 8, 9
remote exploit for Linux and Windows has been released.

You can find more information at:

http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html


And the exploit at:

http://www.k-otik.com/exploits/08.25.THCREALbad.c.php


Regards,

Bojan Zdrnja

> -----Original Message-----
> From: Alexander Reelsen [mailto:ref@tretmine.org] 
> Sent: Wednesday, 20 August 2003 11:46 p.m.
> To: incidents@securityfocus.com
> Subject: Re: possible 0-day exploit for latest Real-/Helixserver 9.0.2.794
> 
> 
> Hello
> 
> On Tue, Aug 19, 2003 at 07:55:02PM -0000, Brian Benitez wrote:
> > can anyone confirm if this exploit would work on a FreeBSD Helix 
> > server? We have been having unexplained spontaneous restarts 
> > for a while now, but as of August 17th they've been accompanied 
> > by the behavior of not writing the access log after the restart.
> I cannot confirm this. The only systems being exploited I have seen so far
> were RedHat and Debian GNU/Linux systems on x86. Furthermore the suckit
> rootkit, a rootkit modifying /dev/kmem instead of using modules to change
> system calls, was installed. This also won't work on FreeBSD I guess.
> 
> In addition, the exploit for the helix server (on one system there were
> no other services which were not blocked by the firewall, internal hacking
> can be ruled out, so it somehow has to be the helix stuff at least to get
> partly in) was not found.
> Both systems were used for further hacking (which was caught by the IDS as
> outgoing traffic was detected).
> 
> > We haven't found any obvious rootkit signs, but we're still looking 
> > into it. If anyone knows about any other symptomatic behavior 
> > related to this problem, I'd love to hear about it.
> Reading this thread it seems to be the unintended restart of the helix
> server...
> 
> 
> MfG/Regards, Alexander
> 
> -- 
> Alexander Reelsen   http://tretmine.org
> ref@tretmine.org
> 

