Any Brand New Linux Vulnerabilities that match?

Discussion in 'Security' started by hostparlor, Oct 13, 2007.

  1. #1
    Hello, I was contacted by someone who said they could drop my box really easily. I just ignored the message on Yahoo Messenger, and to my surprise I got an email and a text message from my box watchers saying my server was down. He then sent me a PM back saying that he dropped my box with only 50 KB of data due to a new Linux vulnerability. He said that he is not reporting it to Linux because he doesn't want them to patch it. He then said that 90% of Linux servers are vulnerable.

    --------------------
    ******* (10/8/2007 6:27:01 PM): right now, i keep you down by a vulnerability me and my team found
    ******* (10/8/2007 6:27:04 PM): is not only you
    ******* (10/8/2007 6:27:17 PM): 90% of the linux servers out there are vulnerable
    ******* (10/8/2007 6:27:18 PM): i keep you down with 1 ip and only 50 kb of data. 90 % linux servers are vulnerable so don't feel bad.
    ----------------------

    Is this dude nuts or what?
     
    hostparlor, Oct 13, 2007 IP
  2. zebulon, Well-Known Member (198 messages, 13 likes received)
    #2
    Could be a private exploit, or a buffer overflow that sends a null byte or some other request that causes that kernel or Apache version to crash.

    Very similar to a SYN DoS attack. Crash Apache, and the server will not respond to requests.
     
    zebulon, Oct 13, 2007 IP
  3. hostparlor, Peon (521 messages, 7 likes received)
    #3
    Well, my server blocks most SYN attacks, but it is quite possible that that's what it is, because I get an email saying that around 2000 IPs are blocked and then it's offline. So it could be that some are getting through, causing the server to not respond.
     
    hostparlor, Oct 13, 2007 IP
  4. Ladadadada, Peon (382 messages, 36 likes received)
    #4
    This is not official, legal advice, but what I would do is treat it like a bug. (A software bug, not a metaphor for something unimportant.)

    Try to figure out how he's able to do this to you. When the box is down, can you ssh to it? Can you log in at the console? Is it only Apache that dies, or is it the whole networking stack? Or is it a kernel panic which causes the whole box to reboot?

    Are there core dumps on your server's hard drive anywhere? Apache core dumps usually end up in the directory where you were when you started it. Kernel core dumps usually end up in /var/core/.

    Turn on every logging option you have. (Keep a close eye on your hard drive space...)

    Based on what he said, it looks like he's causing this by sending a specially crafted packet to your box. Try creating a five-minute rolling window of tcpdump (or snort, or whatever packet dumping utility you like). This may get you nothing (if the packet causes the crash before it has a chance to be logged), but if you're lucky, it may just result in the last packet in your dump file being the one that caused the crash.

    If you can get the packet, or the core dump of whatever crashed, then there will be several Linux developers that will be extremely interested in seeing those two things. (The packet is better because with the packet, they can create as many core dumps as they want. Plus, don't forget that core dumps are your RAM, so it's possible that they might contain sensitive information. Don't post them to the internet. Make sure they only go to one, trusted person at a time.)

    It's possible that what he said to you is simply a bit of social engineering designed to make you think that he knows a zero-day exploit, when in fact what he has done is already hack your box using an old, known exploit and install a program that causes a kernel panic locally, which he can trigger remotely. I don't know if this is what has happened, but it is a possibility. If you already have a file integrity system like Tripwire or AIDE, then anything it has reported in the last few weeks would be worth looking at. Maybe SELinux is the answer... but maybe not. We just don't know enough yet. Hopefully, logging everything will pick up how it's being done.

    I've read too many stories of people who have quietly rolled over and paid extortionists like this. All that ends up happening is that next month they ask you for the same amount again... or even more. You didn't say that he asked you for any money, but it seems that in most cases they DoS your box first, then ask for money later.

    If this really is a zero-day exploit, I expect there will be a lot of people very interested in how this plays out.
     
    Ladadadada, Oct 14, 2007 IP
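    The "rolling window of tcpdump, then look at the last packet before the crash" step from the post above, as an added example that is not part of the original thread. It assumes tcpdump was left running as a size-based ring buffer (for instance `tcpdump -i eth0 -s 0 -w ring.pcap -C 50 -W 4`, rotating across four 50 MB files), so the newest file ends with whatever arrived just before the box died. The Python below parses a classic little-endian libpcap file with nothing but the standard library, lists the last few packets (source, destination, port, TCP flags, original length) and counts packets per source address, which is also what you want when "2000 IPs are blocked" and you need to know whether one source stands out. The embedded capture is constructed for the example (documentation address ranges, no real traffic); its last record is deliberately cut short, which is what a capture looks like when the capturing process dies mid-write, and the parser keeps that partial record instead of discarding it.

```python
"""Triage the tail of a rolling tcpdump capture after a crash.

Added example, not code from the thread.  Handles classic .pcap files
(magic 0xa1b2c3d4, little-endian, link type 1 = Ethernet) as written by
`tcpdump -w`; only IPv4 with TCP/UDP is decoded, the rest is 'other'.
"""
import struct
from collections import Counter

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
TCP_FLAG_NAMES = ((0x02, "S"), (0x10, "A"), (0x04, "R"), (0x01, "F"), (0x08, "P"))


def parse_pcap(data):
    """Yield (timestamp, frame_bytes, original_length) for each record."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic: %#x" % magic)
    if link != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled, got %d" % link)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        # If the file ends early, this slice is short: a record truncated by the
        # crash.  Keep it; its headers may still identify the sender.
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len], orig_len
        off += incl_len


def summarize(frame, orig_len):
    """Describe one Ethernet frame: src/dst IP, ports, TCP flags, wire length."""
    info = {"proto": "other", "src": None, "dst": None,
            "sport": None, "dport": None, "flags": None, "len": orig_len}
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return info                      # not IPv4
    ip = frame[14:]
    if len(ip) < 20:
        return info
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    info["src"] = ".".join(str(b) for b in ip[12:16])
    info["dst"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 14:
        info["proto"] = "tcp"
        info["sport"], info["dport"] = struct.unpack_from("!HH", l4, 0)
        info["flags"] = "".join(n for bit, n in TCP_FLAG_NAMES if l4[13] & bit)
    elif proto == 17 and len(l4) >= 8:
        info["proto"] = "udp"
        info["sport"], info["dport"] = struct.unpack_from("!HH", l4, 0)
    else:
        info["proto"] = "ip%d" % proto
    return info


def triage(data, tail=3):
    """Return (summaries of the last `tail` packets, Counter of packets per source IP)."""
    summaries, per_src = [], Counter()
    for ts, frame, orig_len in parse_pcap(data):
        s = summarize(frame, orig_len)
        s["ts"] = ts
        summaries.append(s)
        if s["src"]:
            per_src[s["src"]] += 1
    return summaries[-tail:], per_src


# ---- constructed sample capture (not real traffic) -------------------------
def _frame(src, dst, proto, sport, dport, payload=b"", tcp_flags=0x02):
    """Build a minimal Ethernet/IPv4/{TCP,UDP} frame for the sample file."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip4(src), ip4(dst)) + l4
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip


def build_pcap(frames, t0=1192000000):
    """Serialize frames as a classic little-endian pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", t0 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    _frame("192.0.2.10", "203.0.113.5", 6, 40001, 80, tcp_flags=0x02),   # normal SYN
    _frame("192.0.2.10", "203.0.113.5", 6, 40001, 80, tcp_flags=0x10),   # ACK
    _frame("198.51.100.7", "203.0.113.5", 6, 51234, 80, tcp_flags=0x02),
    _frame("198.51.100.7", "203.0.113.5", 6, 51235, 80, tcp_flags=0x02),
    _frame("198.51.100.7", "203.0.113.5", 17, 9999, 53, b"\x00" * 1400),  # oversized UDP
])[:-200]   # chop the last record: the capture died mid-write

if __name__ == "__main__":
    last, per_src = triage(SAMPLE_PCAP)
    for s in last:
        print("%.0f %s %s:%s -> %s:%s flags=%s len=%d" % (
            s["ts"], s["proto"], s["src"], s["sport"], s["dst"], s["dport"], s["flags"], s["len"]))
    print("top sources:", per_src.most_common(3))
```

    Run it against a real rotated file with `triage(open("ring.pcap0", "rb").read())`; the last entry printed is the candidate packet to hand (with the core dump, privately, as the post says) to whoever is going to reproduce the crash. A real analysis would also want the raw bytes of that last frame, which `parse_pcap` already yields.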