  1. #1
    Join Date
    Jun 2001
    Posts
    64

    Strange error message

    I started receiving this email 20 minutes ago. It sends it once every minute. Any idea what this is and where it came from?


    ----- Original Message -----
    From: <root (Cron Daemon)>
    To: <root>
    Sent: Monday, September 09, 2002 3:12 PM
    Subject: Cron <[email protected]> if [ -x "/tmp/core/own" ] ; then "/tmp/core/own";


    > /bin/sh: -c: line 2: syntax error: unexpected end of file

  2. #2
    Join Date
    Dec 2001
    Location
    London, UK
    Posts
    75
    Must be a cron job. Check your cpanel... I am with Ventures Online; they send you the result of the cron job by email.

  3. #3
    Join Date
    Jun 2001
    Posts
    64
    Sorry I forgot to mention I'm using a RAQ4. Where in the cpanel would I look?

  4. #4
    Join Date
    Jun 2001
    Posts
    64
    This problem is still occurring. I'm receiving over 1400 emails a day now, lol. Anyone have any ideas?

  5. #5
    Yes, this is someone trying to hack into your server using this exploit:

    http://online.securityfocus.com/bid/5529/info/

    You should check the server over very carefully to make sure that they weren't subsequently successful.

    A very useful reminder to monitor any shell access that you allow - if giving any at all.

  6. #6
    Note that the exploit as posted on security focus has a (not very) subtle deliberate mistake, the consequences of the mistake you are seeing. It only takes a very minor change in the exploit and the person will have root access to your server from a normal user shell account.

    So far, there's no fix from Cobalt, though doing this should remove the vulnerability:

    chmod 755 /usr/lib/authenticate

    Though this may have some consequences as someone reported on the Cobalt list:

    "Just been doing some checking, and it seems this 'quick fix' whilst it indeed does fix, also means that some forms of .htaccess don't work, client informed me that webalizer stats access was now no longer accepting groups as valid users."

    So, if you still allow user shell access, you have a choice of allowing them to get root access, or doing the above chmod and risking problems with .htaccess files. I know which problem I'd rather weather.

  7. #7
    Join Date
    Jun 2001
    Posts
    64
    Well I'm the only one with shell access, and the only shell access that is open is SSH. htaccess is extremely important for our server and can not risk being disabled. There seems to be no effect on our server, or any indication that it has been hacked, or attempts towards being hacked.

    I just receive that email over and over, that is the only effect I can see. I've looked over that security page you posted and can seem to see any reference to the message I posted above. Any more info would be great, thanks a bundle.

  8. #8
    It is the footprint of this exploit. If you have a look at the exploit code from this link you may be able to see how it works. The message you are receiving is the evidence of this exploit being attempted with fixing the exploit code to run correctly.

    To clean this up you can issue:
    rm -rf /tmp/core /etc/cron.d/core

    It would seem highly likely that someone has access to your server to run this exploit. You should probably install and run something like chkrootkit to check your server:

    http://www.chkrootkit.org/

    It's possible that there is an innocent explanation for this, but I'm not aware of one; it looks positively suspicious to me.
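
Added example, not part of any post in this thread: a read-only shell check for the footprint discussed above (a cron drop-in that runs something from /tmp, the /tmp/core staging path, and the mode of /usr/lib/authenticate), which prints owner and timestamp so they can be recorded before the cleanup command is run. The names `audit_footprint` and `FINDINGS` and the root-prefix argument are illustrative, and treating the `chmod 755` workaround as clearing a setuid bit is an assumption.

```shell
#!/bin/sh
# Added example: read-only audit for the footprint described in this thread.
# audit_footprint, FINDINGS and the root-prefix argument are illustrative names.
# Usage: sh audit.sh /            (live system)
#        sh audit.sh /mnt/image   (mounted copy of the disk)

audit_footprint() {
    root="${1%/}"        # strip trailing slash so "/" becomes ""
    FINDINGS=0

    # Cron drop-ins that execute something out of /tmp, such as the
    # /etc/cron.d/core entry behind the once-a-minute mail.
    for f in "$root"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        if grep -q '/tmp/' "$f" 2>/dev/null; then
            echo "cron entry runs from /tmp: $f"
            ls -ln "$f"      # numeric owner and mtime, worth recording before rm
            FINDINGS=$((FINDINGS + 1))
        fi
    done

    # Staging directory named in the cron command and the cleanup step.
    if [ -e "$root/tmp/core" ]; then
        echo "staging path present: $root/tmp/core"
        ls -lnd "$root/tmp/core"
        FINDINGS=$((FINDINGS + 1))
    fi

    # Assumption: the chmod 755 workaround works by clearing the setuid bit.
    if [ -u "$root/usr/lib/authenticate" ]; then
        echo "setuid bit still set: $root/usr/lib/authenticate"
        FINDINGS=$((FINDINGS + 1))
    fi

    echo "findings: $FINDINGS"
}

if [ "$#" -gt 0 ]; then
    audit_footprint "$1"
fi
```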

  9. #9
    Join Date
    Aug 2001
    Location
    Atlanta
    Posts
    1,167
    Keep in mind that (as demonstrated previously) it's quite easy for someone with only FTP access to use a script to spawn a shell given CGI or PHP access. So disallowing shell users (which is a smart idea!) isn't a guarantee that you're safe....

    Brandon
