Discussion:
Bug#622897: webalizer: remote exploit
Jim Salter
2011-04-15 16:29:42 UTC
Package: webalizer
Version: 2.01.10-32.4
Severity: critical
Tags: security
Justification: root security hole


A server I admin running Debian Lenny with the current version of
webalizer installed was exploited through webalizer. Once the attackers
had a shell, they used an unknown, presumably local, privilege
escalation exploit to compromise several system binaries. The
escalation happened later; the original attacker installed a phishing
site within /var/www/.webalizer.

I checked to make absolutely certain, and the version of webalizer
running on the system WAS the most current in Lenny repos.

It does not show as installed on the system currently, because I nuked
it from orbit with great prejudice in the process of reclaiming my
system from known good backups.

-- System Information:
Debian Release: 5.0.8
APT prefers oldstable
APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages webalizer depends on:
ii debconf [debcon 1.5.24 Debian configuration management sy
ii libc6 2.7-18lenny7 GNU C Library: Shared libraries
ii libdb4.5 4.5.20-13 Berkeley v4.5 Database Libraries [
ii libgd2-xpm 2.0.36~rc1~dfsg-3+lenny1 GD Graphics Library version 2
ii libgeoip1 1.4.4.dfsg-3+lenny1 A non-DNS IP-to-country resolver l
ii libpng12-0 1.2.27-2+lenny4 PNG library - runtime
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime

webalizer recommends no packages.

Versions of packages webalizer suggests:
ii apache2-mpm-prefork [htt 2.2.9-10+lenny9 Apache HTTP Server - traditional n
Moritz Mühlenhoff
2011-04-18 17:42:28 UTC
Post by Jim Salter
Package: webalizer
Version: 2.01.10-32.4
Severity: critical
Tags: security
Justification: root security hole
A server I admin running Debian Lenny with the current version of
webalizer installed was exploited through webalizer. Once the attackers
had a shell, they used an unknown, presumably local, privilege
escalation exploit to compromise several system binaries. The
escalation happened later; the original attacker installed a phishing
site within /var/www/.webalizer.
I just checked, and there are no reports of Webalizer security issues
being fixed in recent years. How did you pinpoint that the initial
attack was done through Webalizer?

If it can be nailed down to webalizer, it should be reported directly
to the webalizer upstream maintainers.
Post by Jim Salter
I checked to make absolutely certain, and the version of webalizer
running on the system WAS the most current in Lenny repos.
I agree with your later followup that the default installation of webalizer
should be more conservative.

webalizer looks fairly unmaintained anyway, with the last maintainer upload
from 2007. It should be dropped from testing until it has seen some maintenance;
I just filed a removal bug from testing.
Post by Jim Salter
It does not show as installed on the system currently, because I nuked
it from orbit with great prejudice in the process of reclaiming my
system from known good backups.
The Weyland-Yutani approach to security :-)

Cheers,
Moritz