"JaMaYcKa" hacker strikes 8,000+ websites

Re: Installatron

None of the domains, or their IPs, mentioned/linked in this thread or the webhosting thread thus far have Installatron licenses (and we don't have any .gov hostnames licensed, and wouldn't really expect to).

This is by no means conclusive, of course, and I couldn't rule anything out until the cause is named, but the patterns don't suggest an Installatron problem to me.

We'll keep an eye on things (and you can disable Installatron for now if you want to rule it out).

Rowan @ Installatron

Hmm, but doesn't Installatron use suid? Isn't anything that uses suid a risk?
 
I doubt it's Installatron. Maybe an application that is installed via it is the reason why, but anyone could upload a 3rd-party application and get owned if the security is not there. I can't see what Installatron has to do with anything.
 
You do have a point there, but how would the hacker go from a user to root without something actually connected to root?
 
I can't see how the Installatron application is giving any more root. And now I'm thinking it's not a kernel issue either, and here's why. There are reports on WHT from Steve, who claims he has seen a few FreeBSD boxes affected. If that is true then it's not the kernel, because the kernels on RH and BSD are very different. If what he's saying is true and FreeBSD boxes are also getting owned, then it's something else and not the kernel. Possibly a popular application that's installed server-wide on all servers, e.g. ImageMagick for one. That's just an example though.

Anyone can get owned through an insecure application in a user's webspace. This is not something new. That is why it's recommended that you have mod_security installed with strict rules in place. It's not Installatron. We only run FreeBSD boxes with Installatron installed.
 
I didn't say it was Installatron, I was simply asking if those affected were running this tool. I noticed it uses a suid bit on the orbit file, which seemed a bit of a security risk. As you know, suid scripts have a wonderful history of being insecure; having a third-party add-on with a suid root script worries me, is all I'm saying.
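
The concern above (a third-party add-on shipping a setuid root file, and the earlier question of how an attacker gets from a web user to root) is something you can audit rather than argue about. The script below is an added example, not code from the thread or from Installatron: it enumerates setuid/setgid files under a tree, compares them against a known-good baseline, and checks a single path for the setuid bit. The sample directory tree, the file names in it and the baseline contents are constructed for illustration; run `list_suid /` and `new_suid / baseline.txt` against a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from Installatron): audit
# setuid/setgid files and report any that are not in a known-good baseline.
# The sample tree, file names and baseline below are constructed assumptions.

# list_suid ROOT: print the path of every regular file under ROOT that has
# the setuid or setgid bit set, sorted, one per line.  -xdev keeps the walk
# on one filesystem so /proc, NFS mounts etc. are not descended into.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# new_suid ROOT BASELINE: print setuid/setgid files under ROOT that do not
# appear in BASELINE (one known-good path per line).  Anything printed is a
# newly installed package, a new add-on helper, or something an attacker left
# behind; either way it needs a human to look at it.  "|| true" keeps the
# function's exit status 0 when grep selects no lines (nothing new).
new_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# is_setuid PATH: succeed if PATH has the setuid bit (POSIX test -u).
is_setuid() {
    [ -u "$1" ]
}

# make_sample_tree: build a small constructed directory tree standing in for
# a server: two expected setuid/setgid helpers under usr/bin, one unexpected
# setuid file dropped in a customer's webspace, and one ordinary file.
# Prints the tree's path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/usr/bin" "$sample_root/home/user1/public_html"
    : > "$sample_root/usr/bin/passwd";           chmod 4755 "$sample_root/usr/bin/passwd"
    : > "$sample_root/usr/bin/wall";             chmod 2755 "$sample_root/usr/bin/wall"
    : > "$sample_root/home/user1/public_html/x"; chmod 4755 "$sample_root/home/user1/public_html/x"
    : > "$sample_root/home/user1/notes.txt";     chmod 0644 "$sample_root/home/user1/notes.txt"
    printf '%s\n' "$sample_root"
}

# Demo on the constructed tree: the baseline knows the two system helpers,
# so only the file in the customer's webspace is reported.
demo_root=$(make_sample_tree)
printf '%s\n' "$demo_root/usr/bin/passwd" "$demo_root/usr/bin/wall" > "$demo_root/baseline.txt"
echo "All setuid/setgid files:"
list_suid "$demo_root"
echo "Not in baseline:"
new_suid "$demo_root" "$demo_root/baseline.txt"
rm -rf "$demo_root"
```

Two caveats worth knowing when reading the output: on Linux the kernel ignores the setuid bit on `#!` interpreter scripts, so the file that actually matters is a setuid binary (a compiled wrapper, for instance), not the script it launches; and mounting customer-writable filesystems such as /home and /tmp with `nosuid` means a setuid file dropped into a webspace is not honoured even if it appears in this list.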
 

The only quote I have seen from Steve is when he said he has not seen any FreeBSD boxes affected yet.
 
Which is a good thing; however, if you read earlier in the thread you will see that he states he saw FreeBSD boxes owned as well. I don't think anyone knows really, since there are far fewer BSD boxes online compared to RH.
 
Nope, he didn't. I read the whole thread, and at the end he even corrects the guy who misquoted him.
 