some new remote exploit?

Hi all,


I just had a weird experience ... In a server system, running a free webmail 
service, I started getting weird oopsen.

On a quad P2/Xeon box, 2 GB RAM, running Red Hat 6.2 with sendmail 8.10 (patched 
with latest stuff), cyrus 2.0.16, openldap 1.2 and sasl 1.5, with a custom 
2.4.19-pre10 aa something kernel, it looked like this:

ksymoops 2.4.4 on i686 2.4.19-pre10.  Options used
     -V (default)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.4.19-pre10/ (default)
     -m /boot/System.map-2.4.19-pre10 (default)

Warning: You did not tell me where to find symbol information.  I will
assume that the log matches the kernel and modules that are running
right now and I'll use the default options above for symbol resolution.
If the current kernel and/or modules do not match the log, you can get
more accurate output by telling me the kernel version and where to find
map, modules, ksyms etc.  ksymoops -h explains the options.

Warning (compare_maps): ksyms_base symbol set_cpus_allowed_R__ver_set_cpus_allowed not found in System.map.
Ignoring ksyms_base entry
Apr  7 12:55:23 castor kernel: de08d7db 
Apr  7 12:55:23 castor kernel: *pde = 00000000 
Apr  7 12:55:23 castor kernel: Oops: 0000 
Apr  7 12:55:23 castor kernel: CPU:    0 
Apr  7 12:55:23 castor kernel: EIP:    0010:[<de08d7db>]    Not tainted 
Using defaults from ksymoops -t elf32-i386 -a i386
Apr  7 12:55:23 castor kernel: EFLAGS: 00010286 
Apr  7 12:55:23 castor kernel: eax: bfffff14   ebx: ec3f6000   ecx: 00000000   edx: 00000000 
Apr  7 12:55:23 castor kernel: esi: c0108efb   edi: 0000000b   ebp: ec3f7fb8   esp: ec3f7f80 
Apr  7 12:55:23 castor kernel: ds: 0018   es: 0018   ss: 0018 
Apr  7 12:55:23 castor kernel: Process mail2sms (pid: 13314, stackpage=ec3f7000) 
Apr  7 12:55:23 castor kernel: Stack: ec3f6000 c0108efb 0000000b 00000296 00000000 d8d23000 0000000b 00000296  
Apr  7 12:55:23 castor kernel:        d8d23000 bfffff14 c0107a5f 00000000 00000a3a 00000020 bffffd28 de08d9c4  
Apr  7 12:55:23 castor kernel:        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  
Apr  7 12:55:23 castor kernel: Call Trace: [system_call+47/52] [sys_execve+79/92]  
Apr  7 12:55:23 castor kernel: Code: 8b 42 04 83 f8 ff 0f 84 69 01 00 00 83 f8 fc 77 07 c7 42 04 

>>EIP; de08d7db <END_OF_CODE+1abe12e0/????>   <=====
Code;  de08d7db <END_OF_CODE+1abe12e0/????>
00000000 <_EIP>:
Code;  de08d7db <END_OF_CODE+1abe12e0/????>   <=====
   0:   8b 42 04                  mov    0x4(%edx),%eax   <=====
Code;  de08d7de <END_OF_CODE+1abe12e3/????>
   3:   83 f8 ff                  cmp    $0xffffffff,%eax
Code;  de08d7e1 <END_OF_CODE+1abe12e6/????>
   6:   0f 84 69 01 00 00         je     175 <_EIP+0x175> de08d950 <END_OF_CODE+1abe1455/????>
Code;  de08d7e7 <END_OF_CODE+1abe12ec/????>
   c:   83 f8 fc                  cmp    $0xfffffffc,%eax
Code;  de08d7ea <END_OF_CODE+1abe12ef/????>
   f:   77 07                     ja     18 <_EIP+0x18> de08d7f3 <END_OF_CODE+1abe12f8/????>
Code;  de08d7ec <END_OF_CODE+1abe12f1/????>
  11:   c7 42 04 00 00 00 00      movl   $0x0,0x4(%edx)

Apr  7 12:55:23 castor kernel:  <1>Unable to handle kernel NULL pointer dereference at virtual address 00000004 
Apr  7 12:55:23 castor kernel: de08d7db 
Apr  7 12:55:23 castor kernel: *pde = 00000000 
Apr  7 12:55:23 castor kernel: Oops: 0000 
Apr  7 12:55:23 castor kernel: CPU:    2 
Apr  7 12:55:23 castor kernel: EIP:    0010:[<de08d7db>]    Not tainted 
Apr  7 12:55:23 castor kernel: EFLAGS: 00010286 
Apr  7 12:55:23 castor kernel: eax: bffffee4   ebx: c0846000   ecx: 00000000   edx: 00000000 
Apr  7 12:55:23 castor kernel: esi: c0108efb   edi: 0000000b   ebp: c0847fb8   esp: c0847f80 
Apr  7 12:55:23 castor kernel: ds: 0018   es: 0018   ss: 0018 
Apr  7 12:55:23 castor kernel: Process sendmail (pid: 13313, stackpage=c0847000) 
Apr  7 12:55:23 castor kernel: Stack: c0846000 c0108efb 0000000b 00000296 00000000 e9a6f000 0000000b 00000296  
Apr  7 12:55:23 castor kernel:        e9a6f000 bffffee4 c0107a5f 00000000 00000a3a 00000020 bffffb90 de08d9c4  
Apr  7 12:55:23 castor kernel:        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000  
Apr  7 12:55:23 castor kernel: Call Trace: [system_call+47/52] [sys_execve+79/92]  
Apr  7 12:55:23 castor kernel: Code: 8b 42 04 83 f8 ff 0f 84 69 01 00 00 83 f8 fc 77 07 c7 42 04  

>>EIP; de08d7db <END_OF_CODE+1abe12e0/????>   <=====
Code;  de08d7db <END_OF_CODE+1abe12e0/????>
00000000 <_EIP>:
Code;  de08d7db <END_OF_CODE+1abe12e0/????>   <=====
   0:   8b 42 04                  mov    0x4(%edx),%eax   <=====
Code;  de08d7de <END_OF_CODE+1abe12e3/????>
   3:   83 f8 ff                  cmp    $0xffffffff,%eax
Code;  de08d7e1 <END_OF_CODE+1abe12e6/????>
   6:   0f 84 69 01 00 00         je     175 <_EIP+0x175> de08d950 <END_OF_CODE+1abe1455/????>
Code;  de08d7e7 <END_OF_CODE+1abe12ec/????>
   c:   83 f8 fc                  cmp    $0xfffffffc,%eax
Code;  de08d7ea <END_OF_CODE+1abe12ef/????>
   f:   77 07                     ja     18 <_EIP+0x18> de08d7f3 <END_OF_CODE+1abe12f8/????>
Code;  de08d7ec <END_OF_CODE+1abe12f1/????>
  11:   c7 42 04 00 00 00 00      movl   $0x0,0x4(%edx)


2 warnings issued.  Results may not be reliable.


There were two oopsen at 12:55 and 41 from 15:00:01 to 15:01:32 localtime. 
The machine appears to be running fine.



The other box, a dual Xeon 2.0 GHz (HT enabled), 4 GB RAM, running 7.3 with 
kernel 2.4.18-26 bigmem, started returning segmentation fault for every 
command I wanted to run at about 15:15. It is running apache 1.3.26, php 
4.3.1 and postfix 1.11. I was lucky to have two ssh sessions open to it 
before this started. The oops looked like this:

ksymoops 2.4.4 on i686 2.4.18-26.7.xbigmem.  Options used
     -V (default)
     -k /proc/ksyms (default)
     -l /proc/modules (default)
     -o /lib/modules/2.4.18-26.7.xbigmem/ (default)
     -m /boot/System.map-2.4.18-26.7.xbigmem (default)

Warning: You did not tell me where to find symbol information.  I will
assume that the log matches the kernel and modules that are running
right now and I'll use the default options above for symbol resolution.
If the current kernel and/or modules do not match the log, you can get
more accurate output by telling me the kernel version and where to find
map, modules, ksyms etc.  ksymoops -h explains the options.

Error (expand_objects): cannot stat(/lib/ext3.o) for ext3
ksymoops: No such file or directory
Error (expand_objects): cannot stat(/lib/jbd.o) for jbd
ksymoops: No such file or directory
Error (expand_objects): cannot stat(/lib/raid1.o) for raid1
ksymoops: No such file or directory
Error (expand_objects): cannot stat(/lib/aic7xxx.o) for aic7xxx
ksymoops: No such file or directory
Error (expand_objects): cannot stat(/lib/sd_mod.o) for sd_mod
ksymoops: No such file or directory
Error (expand_objects): cannot stat(/lib/scsi_mod.o) for scsi_mod
ksymoops: No such file or directory
/usr/bin/find: /lib/modules/2.4.18-26.7.xbigmem/build: No such file or directory
Error (pclose_local): find_objects pclose failed 0x100
Warning (map_ksym_to_module): cannot match loaded module ext3 to a unique module object.  Trace may not be reliable.
Apr  7 15:12:31 www kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000004
Apr  7 15:12:31 www kernel: d01597ae
Apr  7 15:12:31 www kernel: *pde = 1a8b6001
Apr  7 15:12:31 www kernel: Oops: 0000
Apr  7 15:12:31 www kernel: CPU:    2
Apr  7 15:12:31 www kernel: EIP:    0010:[<d01597ae>]    Not tainted
Using defaults from ksymoops -t elf32-i386 -a i386
Apr  7 15:12:31 www kernel: EFLAGS: 00010286
Apr  7 15:12:31 www kernel: eax: bffff9d4   ebx: ce346000   ecx: 00000000   edx: 00000000
Apr  7 15:12:31 www kernel: esi: c0108c93   edi: 0000000b   ebp: ce347fb8   esp: ce347f80
Apr  7 15:12:31 www kernel: ds: 0018   es: 0018   ss: 0018
Apr  7 15:12:31 www kernel: Process sh (pid: 15725, stackpage=ce347000)
Apr  7 15:12:31 www kernel: Stack: 00000000 bffffff4 00000292 f441c000 c014e48e f441c000 bffff9d4 0000000b 
Apr  7 15:12:31 www kernel:        00000000 f441c000 0000000b ce346000 c0108c93 0000000b bffe6118 d01599a2 
Apr  7 15:12:31 www kernel:        00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
Apr  7 15:12:31 www kernel: Call Trace: [<c014e48e>] getname [kernel] 0x5e (0xce347f90))
Apr  7 15:12:31 www kernel: [<c0108c93>] system_call [kernel] 0x33 (0xce347fb0))
Apr  7 15:12:31 www kernel: Code: 8b 42 04 83 f8 ff c7 45 f0 20 00 00 00 c7 45 ec 3a 0a 00 00 

>>EIP; d01597ae <_end+fd16d92/383ca5e4>   <=====
Trace; c014e48e <getname+5e/a0>
Trace; c0108c93 <system_call+33/38>
Code;  d01597ae <_end+fd16d92/383ca5e4>
00000000 <_EIP>:
Code;  d01597ae <_end+fd16d92/383ca5e4>   <=====
   0:   8b 42 04                  mov    0x4(%edx),%eax   <=====
Code;  d01597b1 <_end+fd16d95/383ca5e4>
   3:   83 f8 ff                  cmp    $0xffffffff,%eax
Code;  d01597b4 <_end+fd16d98/383ca5e4>
   6:   c7 45 f0 20 00 00 00      movl   $0x20,0xfffffff0(%ebp)
Code;  d01597bb <_end+fd16d9f/383ca5e4>
   d:   c7 45 ec 3a 0a 00 00      movl   $0xa3a,0xffffffec(%ebp)


2 warnings and 7 errors issued.  Results may not be reliable.

The box also segfaulted on a shutdown -r now, so I had no other choice but to
press the reset button. Then it started appearing again seconds after the box 
came up. After another reboot at around 15:46, it stopped. There are 517 oopsen 
recorded in the log from 15:12:31 to 15:39:34.


Any ideas?

Both machines have good hardware and are running problem-free. This *looks* like 
it is remotely triggered, so I suspect it is some kind of attack. system_call
is the common point in oopsen on both machines. Any ideas how to mess with this 
remotely?


--

Jure Pecar



_______________________________________________
Redhat-devel-list mailing list
Redhat-devel-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
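A quick way to check what the oopsen above actually say, as an added example that is not part of the original message or of any Red Hat tooling: the script below parses the syslog-prefixed oops records, decodes the faulting instruction (`8b 42 04`, i.e. `mov 0x4(%edx),%eax`) against the dumped registers to confirm that `edx == 0` is what produces the "NULL pointer dereference at virtual address 00000004", and reports which call-trace frame every record shares (here `system_call`). The sample log is a constructed subset of the two hosts' oops lines quoted in the message; the decoder only handles the simple MOV r32, r/m32 form without a SIB byte, which is all these records need.

```python
"""Parse 2.4-era i386 kernel oops records out of syslog lines and cross-check
them: does the faulting MOV, given the dumped registers, really touch the
reported fault address, and which call-trace frame do all records share?
Added example; SAMPLE_LOG is a constructed subset of the oopsen quoted above."""
import re

# Constructed sample: one oops from each host, copied from the quoted report.
SAMPLE_LOG = """\
Apr  7 12:55:23 castor kernel:  <1>Unable to handle kernel NULL pointer dereference at virtual address 00000004
Apr  7 12:55:23 castor kernel: de08d7db
Apr  7 12:55:23 castor kernel: *pde = 00000000
Apr  7 12:55:23 castor kernel: Oops: 0000
Apr  7 12:55:23 castor kernel: CPU:    2
Apr  7 12:55:23 castor kernel: EIP:    0010:[<de08d7db>]    Not tainted
Apr  7 12:55:23 castor kernel: EFLAGS: 00010286
Apr  7 12:55:23 castor kernel: eax: bffffee4   ebx: c0846000   ecx: 00000000   edx: 00000000
Apr  7 12:55:23 castor kernel: esi: c0108efb   edi: 0000000b   ebp: c0847fb8   esp: c0847f80
Apr  7 12:55:23 castor kernel: ds: 0018   es: 0018   ss: 0018
Apr  7 12:55:23 castor kernel: Process sendmail (pid: 13313, stackpage=c0847000)
Apr  7 12:55:23 castor kernel: Call Trace: [system_call+47/52] [sys_execve+79/92]
Apr  7 12:55:23 castor kernel: Code: 8b 42 04 83 f8 ff 0f 84 69 01 00 00 83 f8 fc 77 07 c7 42 04
Apr  7 15:12:31 www kernel: Unable to handle kernel NULL pointer dereference at virtual address 00000004
Apr  7 15:12:31 www kernel: d01597ae
Apr  7 15:12:31 www kernel: *pde = 1a8b6001
Apr  7 15:12:31 www kernel: Oops: 0000
Apr  7 15:12:31 www kernel: CPU:    2
Apr  7 15:12:31 www kernel: EIP:    0010:[<d01597ae>]    Not tainted
Apr  7 15:12:31 www kernel: eax: bffff9d4   ebx: ce346000   ecx: 00000000   edx: 00000000
Apr  7 15:12:31 www kernel: esi: c0108c93   edi: 0000000b   ebp: ce347fb8   esp: ce347f80
Apr  7 15:12:31 www kernel: Process sh (pid: 15725, stackpage=ce347000)
Apr  7 15:12:31 www kernel: Call Trace: [<c014e48e>] getname [kernel] 0x5e (0xce347f90))
Apr  7 15:12:31 www kernel: [<c0108c93>] system_call [kernel] 0x33 (0xce347fb0))
Apr  7 15:12:31 www kernel: Code: 8b 42 04 83 f8 ff c7 45 f0 20 00 00 00 c7 45 ec 3a 0a 00 00
"""

LOG_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+kernel:\s*(?:<\d>)?\s*(.*)$")
REG_RE = re.compile(r"\b(e[a-z]{2}): ([0-9a-f]{8})")            # eax: bffffee4 ...
TRACE1_RE = re.compile(r"\[([A-Za-z_]\w*)\+[0-9a-f]+/[0-9a-f]+\]")  # [system_call+47/52]
TRACE2_RE = re.compile(r"\[<[0-9a-f]+>\]\s+([A-Za-z_]\w*)")         # [<c014e48e>] getname
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # ModRM r/m numbering


def parse_oopsen(text):
    """Split syslog text into oops records: host, fault address, EIP, registers,
    process/pid, call-trace frame names and the Code: bytes."""
    records, cur, in_trace = [], None, False
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host, msg = m.group(1), m.group(2).strip()
        new_rec = msg.startswith("Unable to handle kernel") or (
            msg.startswith("Oops:") and (cur is None or "code" in cur))
        if new_rec:
            cur = {"host": host, "fault_addr": None, "regs": {}, "trace": [], "process": None}
            records.append(cur)
            in_trace = False
        if cur is None:
            continue
        fm = re.search(r"virtual address ([0-9a-f]+)", msg)
        if fm:
            cur["fault_addr"] = int(fm.group(1), 16)
        em = re.search(r"EIP:\s+[0-9a-f]{4}:\[<([0-9a-f]+)>\]", msg)
        if em:
            cur["eip"] = int(em.group(1), 16)
        for reg, val in REG_RE.findall(msg):
            cur["regs"][reg] = int(val, 16)
        pm = re.search(r"Process (\S+) \(pid: (\d+)", msg)
        if pm:
            cur["process"], cur["pid"] = pm.group(1), int(pm.group(2))
        if msg.startswith("Call Trace:"):
            in_trace = True
        if msg.startswith("Code:"):
            in_trace = False
            cur["code"] = [int(b, 16) for b in msg[len("Code:"):].split()]
        elif in_trace:
            cur["trace"] += TRACE1_RE.findall(msg) + TRACE2_RE.findall(msg)
    return records


def effective_address(code, regs):
    """Decode the memory operand of MOV r32, r/m32 (opcode 0x8b) with a plain
    register base (no SIB, no absolute disp32) and return (base, disp, address)
    computed from the dumped registers; None if the instruction is another form."""
    if len(code) < 2 or code[0] != 0x8B:
        return None
    mod, rm = code[1] >> 6, code[1] & 7
    if mod == 3 or rm == 4 or (mod == 0 and rm == 5):
        return None
    if mod == 0:
        disp = 0
    elif mod == 1:
        if len(code) < 3:
            return None
        disp = code[2] - 0x100 if code[2] >= 0x80 else code[2]
    else:
        if len(code) < 6:
            return None
        disp = int.from_bytes(bytes(code[2:6]), "little", signed=True)
    base = REG32[rm]
    return base, disp, (regs[base] + disp) & 0xFFFFFFFF


def fault_address_consistent(rec):
    """True when the decoded operand address equals the reported fault address
    (for these records: edx == 0, so 0x4(%edx) is address 4)."""
    ea = effective_address(rec.get("code", []), rec["regs"])
    return ea is not None and rec["fault_addr"] is not None and ea[2] == rec["fault_addr"]


def common_frames(records):
    """Call-trace frame names present in every record (the report's 'common point')."""
    sets = [set(r["trace"]) for r in records if r["trace"]]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    recs = parse_oopsen(SAMPLE_LOG)
    for r in recs:
        base, disp, addr = effective_address(r["code"], r["regs"])
        print(f"{r['host']}: {r['process']} pid {r['pid']} faulted at {r['fault_addr']:#x}; "
              f"EIP {r['eip']:#x} reads {disp:#x}({base}) = {addr:#x}; trace {r['trace']}")
    print("frames shared by every oops:", sorted(common_frames(recs)))
```

Run it on a full `/var/log/messages` instead of `SAMPLE_LOG` to group the 517 records by process and confirm whether every one of them decodes to the same `0x4(%edx)` read with `edx == 0`; a consistent register-state signature across unrelated processes points at one code path in the kernel (or a module, given that both EIPs resolve outside `System.map`) rather than at flaky hardware.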
