Problems

Posted: Wed Jun 25, 2008 5:49 am
by jcejvan
Hi. I have two problems with ASL. They started appearing a few days ago (not at the same time). After install everything seemed fine for a couple of weeks and then it hit us:
1. Urchin stopped working. If I want to open domain.com:9999/, where Urchin was usually running, I receive a 500 error + an email with the following content:

OSSEC HIDS Notification.
2008 Jun 24 12:00:15

Received From: www->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 24 12:00:14 www kernel: grsec: From 212.118.92.27: denied untrusted exec of /usr/local/urchin/htdocs/session.cgi by /usr/local/urchin/bin/urchinwebd[urchinwebd:30120] uid/euid:99/99 gid/egid:2522/2522, parent /usr/local/urchin/bin/urchinwebd[urchinwebd:30110] uid/euid:99/99 gid/egid:2522/2522


2. Mplayer stopped working and I get this by mail:
OSSEC HIDS Notification.
2008 Jun 25 10:52:18

Received From: www->/var/log/httpd/error_log
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

/usr/bin/mplayer: error while loading shared libraries: libdv.so.4: cannot enable executable stack as shared object requires: Permission denied



--END OF NOTIFICATION



What can I do?

Posted: Wed Jun 25, 2008 7:13 am
by scott
For Urchin, apparently it uses setuid binaries and therefore you cannot use the Trusted Path Execution policy with it. Urchin is aware of this issue, but since they're largely going away, they probably won't ever fix it. What you can do is remove the user "nobody" from the untrusted group.


Do you use mplayer somehow through Apache? If not, the latter message could indicate that something malicious is going on.

Posted: Wed Jun 25, 2008 7:19 am
by jcejvan
Well, about mplayer... I have installed the clip-share.com script that uses mplayer to add videos to a YouTube-like site. The problem is that this message shows up every time I try to add videos...

Posted: Wed Jun 25, 2008 10:07 am
by scott
Gotcha, is that an RPM? You can check with:

rpm -qf /usr/bin/mplayer

As a workaround until I get an update to trigger on that, you can try the following:

execstack -c /usr/bin/mplayer

That removes the bit on the binary where it says it needs an executable stack. 99% of the time when someone says they need that, they're lying. :P
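The two symptoms in this thread (a grsec TPE denial from /var/log/messages and the loader's "cannot enable executable stack" error from the Apache error_log) both arrive through the generic OSSEC rule 1002, so it helps to pull the useful fields out before deciding whether to adjust the untrusted group or clear the PT_GNU_STACK flag. The following is an added example, not code from this thread or from ASL; the sample log lines are constructed copies of the ones quoted above plus one unrelated line, and the triage hints restate scott's advice.

```python
import re

# Constructed sample input, modelled on the notifications quoted in this thread.
SAMPLE_LOG = """\
Jun 24 12:00:14 www kernel: grsec: From 212.118.92.27: denied untrusted exec of /usr/local/urchin/htdocs/session.cgi by /usr/local/urchin/bin/urchinwebd[urchinwebd:30120] uid/euid:99/99 gid/egid:2522/2522, parent /usr/local/urchin/bin/urchinwebd[urchinwebd:30110] uid/euid:99/99 gid/egid:2522/2522
/usr/bin/mplayer: error while loading shared libraries: libdv.so.4: cannot enable executable stack as shared object requires: Permission denied
Jun 25 10:00:00 www sshd[123]: Accepted publickey for admin from 10.0.0.5 port 2222 ssh2
"""

# grsecurity Trusted Path Execution denial, as logged by the kernel.
TPE_RE = re.compile(
    r"grsec: From (?P<src>[\d.]+): denied untrusted exec of (?P<target>\S+) "
    r"by (?P<exe>[^\s\[]+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent>[^\s\[]+)\["
)
# Dynamic loader refusing a library whose PT_GNU_STACK header asks for an executable stack.
EXECSTACK_RE = re.compile(
    r"(?P<prog>\S+): error while loading shared libraries: (?P<lib>\S+): "
    r"cannot enable executable stack"
)

def classify(line):
    """Return a triage dict for one log line, or None if it is neither symptom."""
    m = TPE_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "tpe_denied"
        d["hint"] = ("uid %s (euid %s) ran %s via %s; if this service is expected, remove "
                     "the account from the untrusted group and restart the parent daemon"
                     % (d["uid"], d["euid"], d["target"], d["parent"]))
        return d
    m = EXECSTACK_RE.search(line)
    if m:
        d = m.groupdict()
        d["kind"] = "execstack_denied"
        d["hint"] = ("%s needs an executable stack; if it is a known package and does not "
                     "really require one, clear the flag with execstack -c" % d["lib"])
        return d
    return None

def triage(log_text):
    """Classify every line of a log excerpt, dropping lines that match neither pattern."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec["kind"], "->", rec["hint"])
```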

Posted: Wed Jun 25, 2008 11:50 am
by jcejvan
Hi,
well, on the first command the output is:
mplayer-1.0-0.38.rc1try2.el4.rf

while on the second there is no output, and it also doesn't seem to do the trick :(
The Mplayer website: http://www.mplayerhq.hu/design7/dload.html

I will also check with the guys that developed the video script... maybe they have some clue.

Posted: Wed Jun 25, 2008 12:26 pm
by jcejvan
Oh, and regarding Urchin, removing nobody from the untrusted group triggers this:
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jun 25 18:12:48 www kernel: grsec: From 84.20.245.46: denied untrusted exec of /usr/local/urchin/htdocs/session.cgi by /usr/local/urchin/bin/urchinwebd[urchinwebd:16931] uid/euid:99/99 gid/egid:2522/2522, parent /usr/local/urchin/bin/urchinwebd[urchinwebd:16620] uid/euid:99/99 gid/egid:2522/2522

Posted: Wed Jun 25, 2008 6:53 pm
by scott
Have to restart Apache too. Did that do the trick on mplayer?