
Alert issue after kernel update

Posted: Fri Jan 02, 2009 10:30 am
by JnascECSI
This morning I ran yum and the kernel was updated. Now all of a sudden I'm having a couple of issues and I'm not sure where to go on these.

First, I'm getting this message every 5 minutes:
OSSEC HIDS Notification.
2009 Jan 02 08:20:02

Received From: D2540->/var/log/messages
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Jan 2 09:20:01 D2540 kernel: grsec: denied untrusted exec of /usr/lib/mailman/cron/gate_news by /bin/bash[sh:14301] uid/euid:41/41 gid/egid:41/41, parent /usr/sbin/crond[crond:14300] uid/euid:41/41 gid/egid:41/41


Second, now all of a sudden Dr.Web refuses to start in Plesk:
ERROR: PLeskFatalException
Unable to make action: Unable to manage service by drwebmng: drwebmng: Service /etc/init.d/drwebd failed to start
drwebmng: drweb start failed

--------------------------------------------------------------------------------

0: /usr/local/psa/admin/plib/common_func.php3:190
psaerror(string 'Unable to make action: Unable to manage service by drwebmng: drwebmng: Service /etc/init.d/drwebd failed to start drwebmng: drweb start failed')
1: /usr/local/psa/admin/htdocs/server/restart_services.php:28


The third issue seems to be with IonCube:
Failed loading /usr/lib/php/ioncube/ioncube_loader_lin_5.2.so:
/usr/lib/php/ioncube/ioncube_loader_lin_5.2.so: cannot enable executable stack as shared object requires: Permission denied


Final issue:
PaX/grsecurity seems not to be working, as it has a red button in the ASL GUI.

Anyone else having problems after updating this morning? I'm running the latest Plesk 8.6 on CentOS 5.2 with Linux 2.6.27.7-9.art.i686.PAE.

Posted: Fri Jan 02, 2009 6:30 pm
by scott
Is gradm installed? That contains all the fixups for things like you're reporting.

Posted: Sun Jan 04, 2009 1:44 pm
by JnascECSI
Thanks scott,

That seemed to do the trick for Dr.Web, but I still seem to have the PaX/GRE issue with it having the red icon.

I'm probably not going to worry about this server anyway, since I've migrated almost all the clients off it to a new server not running PAE.

But I do appreciate the help and knowledge I've been given.... :wink:

Posted: Sun Jan 04, 2009 6:56 pm
by breun
See http://www.atomicrocketturtle.com/forum ... 5078#15078 for an explanation of why the ASL kernel is not being detected.

Posted: Mon Jan 05, 2009 11:19 am
by JnascECSI
Well, it seems I'll have to put in a ticket for my production box; since yesterday PaX is now showing red on a non-PAE box as well, after its daily reboot. Before that, on Saturday, it was fine and everything seemed to work OK.

But my main concern now is that since the kernel update a couple of shopping carts are having issues with TinyMCE when trying to use the ibrowser.php function of tiny_mce. And that is stopping merchants from adding products to their carts.

I believe it's a Java issue with tiny_mce, because this is the message that pops up when they try to add products. Anyone ever seen this error?

"403 forbidden error : "you dont have permission to access /catalog/admin/inludes/javascript/tiny_mce/plugins/ibrowser/ibrowswer.php on this server. Apache server for xxxxxxxxxx.com port 443"

Posted: Mon Jan 05, 2009 7:03 pm
by dstanley
Can you let us know how you get on with this, as I use TinyMCE on several applications?

Posted: Mon Jan 05, 2009 11:40 pm
by mikeshinn
Do you see anything in your ASL logs blocking TinyMCE? If you submit a report, I guarantee we will get an update out that day (well, as long as it's not at midnight or something).

Posted: Tue Jan 06, 2009 9:27 am
by JnascECSI
Mike,
This is what triggers when ibrowser is being used. I went into a client's cart and clicked while watching the level 2 events, and this came in right after I clicked the ibrowser function.

Signature ID: 50128
Logfile: /var/asl/data/auditnull
Alert information
[modsecurity] [client 70.168.xx.x] [domain www.xxxxxxxxxxx.com] [403] [/20090106/20090106-0822/20090106-082234-TN2dTn8AAAEAAGkUh3IAAAAM] (null)

Posted: Tue Jan 06, 2009 11:37 am
by mikeshinn
What do you see in the specific events log? (You need to look at this file as well: /20090106/20090106-0822/20090106-082234-TN2dTn8AAAEAAGkUh3IAAAAM within the ASL audit directory.)

Posted: Tue Jan 06, 2009 12:46 pm
by JnascECSI
Here's what I found in that file.

--5c5f082d-A--
[06/Jan/2009:08:22:34 --0500] TN2dTn8AAAEAAGkUh3IAAAAM 70.168.74.2 45330 10.102.150.173 443
--5c5f082d-B--
GET /catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php HTTP/1.1
Accept: */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2; .NET CLR 3.0.04506.648)
Host: www.xxxxxxxxxxxxx.com
Connection: Keep-Alive
Cookie: osCAdminID=0tbcvu83ss96dspppsnns585u2

--5c5f082d-F--
HTTP/1.1 403 Forbidden
Content-Length: 347
Connection: close
Content-Type: text/html; charset=iso-8859-1

--5c5f082d-H--
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.3/modules/aaa/mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /var/www/vhosts/personallypaws.com/httpdocs/catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php
Stopwatch: 1231248154271054 14859 (- - -)
Producer: ModSecurity for Apache/2.5.7 (http://www.modsecurity.org/); 200901051040.
Server: Apache/2.2.3 (CentOS)

--5c5f082d-Z--


One other thing I just noticed is that the Security Bulletins in the ASL Web GUI are not showing the latest like they were a couple of days ago; the last notice update is for December 15. And the inventory doesn't seem to be scanning daily, because the other server is showing some apps which I know are on this box also.

I also went into my other server, to a domain running a cart just like it that has tiny_mce, and they are also having the same issue. The only difference with this box is that it is PAE, so I know about the PaX issue being out of sync, but it's not getting security bulletins either.

I did open a ticket yesterday because both of these boxes were fine before the kernel update last week. I just haven't heard from your support crew yet.
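A small parser for the serial audit-log entry quoted above, added here as an example (it is not code from the thread or from ASL): it splits the --id-X-- parts, pulls the client, request path and status, and reports whether part H records a ModSecurity rule match ("Message:" lines) or only Apache's own access-control denial, which is what the quoted entry shows. The sample entry, its boundary id, hostname and addresses are constructed.

```python
import re
# Constructed sample in the ModSecurity 2.x serial audit-log layout; ids, host and IPs are placeholders.
SAMPLE = """--5c5f082d-A--
[06/Jan/2009:08:22:34 --0500] TN2dTn8AAAEAAGkUh3IAAAAM 192.0.2.10 45330 10.0.0.5 443
--5c5f082d-B--
GET /catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php HTTP/1.1
--5c5f082d-F--
HTTP/1.1 403 Forbidden
--5c5f082d-H--
Apache-Error: [file "mod_authz_host.c"] [line 299] [level 3] client denied by server configuration: /var/www/vhosts/example.com/httpdocs/catalog/admin/includes/javascript/tiny_mce/plugins/ibrowser/ibrowser.php
--5c5f082d-Z--
"""

BOUNDARY = re.compile(r"^--[0-9a-f]+-([A-Z])--$")
PART_A = re.compile(r"^\[[^\]]+\] \S+ (?P<client>\S+) \d+ \S+ \d+$")

def split_sections(entry):
    # Map each audit-log part letter (A, B, F, H, ...) to its body text.
    parts, letter, buf = {}, None, []
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            if letter is not None:
                parts[letter] = "\n".join(buf).strip()
            letter, buf = m.group(1), []
        elif letter is not None:
            buf.append(line)
    return parts

def summarize(entry):
    """Who asked for what, what Apache answered, and what part H says about why."""
    parts = split_sections(entry)
    a = PART_A.match(parts.get("A", ""))
    req = parts.get("B", "").split("\n", 1)[0].split()
    status = parts.get("F", "").split("\n", 1)[0].split()
    h = parts.get("H", "").splitlines()
    return {
        "client": a.group("client") if a else None,
        "path": req[1] if len(req) > 1 else None,
        "status": int(status[1]) if len(status) > 1 else None,
        # Rule hits are logged as "Message:" lines, Apache's own denials as "Apache-Error:"
        "rule_messages": [l for l in h if l.startswith("Message:")],
        "apache_errors": [l for l in h if l.startswith("Apache-Error:")],
    }

def deny_source(summary):
    # Was the 403 from a ModSecurity rule, from Apache access control, or unexplained?
    if summary["rule_messages"]:
        return "modsecurity-rule"
    if any("client denied by server configuration" in e for e in summary["apache_errors"]):
        return "apache-access-control"
    return "unknown"
```

Run against the real file from the ASL audit directory, an entry with no "Message:" lines and a mod_authz_host denial points at Apache's Allow/Deny configuration rather than a ModSecurity signature.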