Bug 52291 - Cybercop scan caused PC to hang
Cybercop scan caused PC to hang
Status: CLOSED DEFERRED
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
7.1
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Anthon Pang
http://www.mcafeeasap.com/
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-08-22 10:31 EDT by Anthon Pang
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-08-22 10:31:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Anthon Pang 2001-08-22 10:31:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)

Description of problem:
Initiated Cybercop scan.  Came back after scan had completed, and found PC 
was hung.

Version-Release number of selected component (if applicable):


How reproducible:
Didn't try

Steps to Reproduce:
1. Sign up for free scan from http://www.mcafeeasap.com/
2.
3.
	

Actual Results:  Rebooted PC.  (I'm choked that I had to reboot after 6 
days of uptime...my NT box manages to stay up continuously for weeks.)

Expected Results:  Trapped or logged the source of the "vulnerability"

Additional info:

If you have suggestions for enabling more logging, I'd appreciate it, but 
don't re-assign this just yet.  I just wanted to log this before I forgot 
because I won't be able to investigate this in-depth for the next little 
while.

Since, I didn't receive the Cybercop scan results (but did receive some 
junk email from McAfee), I'm going to try and reproduce it, and narrow 
down the root component (i.e., it probably isn't openssh, but sshd and 
sftpd are the few services available externally, i.e., telnet, smtp, ftp, 
... are disabled). 

At the time the PC was being scanned, the processes running should be 
similar to this list:

[root@olympus /root]# ps -aef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 06:32 ?        00:00:04 init [5] 
root         2     1  0 06:32 ?        00:00:00 [keventd]
root         3     1  0 06:32 ?        00:00:00 [kapm-idled]
root         4     1  0 06:32 ?        00:00:00 [kswapd]
root         5     1  0 06:32 ?        00:00:00 [kreclaimd]
root         6     1  0 06:32 ?        00:00:00 [bdflush]
root         7     1  0 06:32 ?        00:00:00 [kupdated]
root         8     1  0 06:32 ?        00:00:00 [mdrecoveryd]
root        73     1  0 06:32 ?        00:00:00 [khubd]
root       655     1  0 06:35 ?        00:00:00 syslogd -m 0
root       660     1  0 06:35 ?        00:00:00 klogd -2
rpc        674     1  0 06:35 ?        00:00:00 portmap
rpcuser    689     1  0 06:35 ?        00:00:00 rpc.statd
root       789     1  0 06:35 ?        00:00:00 /usr/sbin/apmd -p 10 -w 5 -
W -P 
root       838     1  0 06:35 ?        00:00:00 /usr/sbin/automount --
timeout 60
daemon     850     1  0 06:35 ?        00:00:00 /usr/sbin/atd
root       865     1  0 06:35 ?        00:00:00 /usr/sbin/sshd
root       885     1  0 06:35 ?        00:00:00 xinetd -stayalive -reuse -
pidfil
root       943     1  0 06:37 ?        00:00:00 sendmail: accepting 
connections
root       956     1  0 06:37 ?        00:00:00 gpm -t ps/2 -m /dev/mouse
root       968     1  0 06:37 ?        00:00:00 crond
xfs       1040     1  0 06:37 ?        00:00:00 xfs -droppriv -daemon
root      1075     1  0 06:37 tty1     00:00:00 /sbin/mingetty tty1
root      1076     1  0 06:37 tty2     00:00:00 /sbin/mingetty tty2
root      1077     1  0 06:37 tty3     00:00:00 /sbin/mingetty tty3
root     1078     1  0 06:37 tty4     00:00:00 /sbin/mingetty tty4
root      1079     1  0 06:37 tty5     00:00:00 /sbin/mingetty tty5
root      1081     1  0 06:37 ?        00:00:00 /usr/bin/gdm -nodaemon
root      1089  1081  0 06:37 ?        00:00:00 /etc/X11/X -auth 
/var/gdm/:0.Xau
root      1090  1081  0 06:37 ?        00:00:00 /usr/bin/gdm -nodaemon
gdm       1098  1090  0 06:37 ?        00:00:00 /usr/bin/gdmlogin --
disable-soun
root      1511     1  0 06:55 tty6     00:00:00 /sbin/mingetty tty6
root      1557   968  0 07:01 ?        00:00:00 CROND
root      1558  1557  0 07:01 ?        00:00:00 /bin/bash /usr/bin/run-
parts /et
root      1568  1558  0 07:01 ?        00:00:00 awk -v 
progname=/etc/cron.hourly
root      1569     1  0 07:01 ?        00:00:00 /bin/sh /usr/lib/sa/sa1 
600 6
root      1571  1569  0 07:01 ?        00:00:00 /usr/lib/sa/sadc 600 6 
/var/log/
root      1574   865  0 07:18 ?        00:00:00 /usr/sbin/sshd
root      1575  1574  0 07:18 pts/0    00:00:00 -bash
root      1623  1575  0 07:24 pts/0    00:00:00 ps -aef
Comment 1 Anthon Pang 2001-09-08 19:10:08 EDT
Blah, I just checked the firewall and it was [dumbass] configured to allow 
ports 1-1024 through, so contrary to what I initially believed, any number of 
services could have been the source of the crash.  And since Cybercop costs 
$$$, I'm not going to try and reproduce this at this time, but I suspect it was 
a buffer overflow attack.  I have, however, re-configured the firewall.
Comment 2 Anthon Pang 2002-10-07 17:46:30 EDT
Suspect Cybercop somehow exploited the 4M page Athlon problem.  Having since
added mem=nopentium, crashes have not recurred.

Note You need to log in before you can comment on or make changes to this bug.