Date: Fri, 16 Feb 2018 10:31:24 +0100
From: Krzysztof Kulesza <krzysztof@...esza.eu>
To: lkrg-users@...ts.openwall.com
Subject: [p_lkrg] <Exploit Detection>

Hello
I have installed Linux Kernel Runtime Guard on Ubuntu 16.04 LTS (with the latest 
hwe kernel).
After some time it detected an exploit in the process hpetfe from the official 
hp-snmp-agent for Ubuntu.

...
Feb 14 12:22:21 hpe kernel: [ 8320.010872] PKCS#7 signature not signed with a trusted key
Feb 14 12:22:21 hpe kernel: [ 8320.011738] [p_lkrg] Loading LKRG...
Feb 14 12:22:22 hpe kernel: [ 8320.496200] [p_lkrg] LKRG initialized successfully!
Feb 14 12:22:22 hpe kernel: [ 8320.602486] [p_lkrg] System is clean!
...
Feb 14 14:18:55 hpe kernel: [15314.418516] [p_lkrg] <Exploit Detection> Error[1] when trying to add process[50890 |hpetfe] for tracking!
Feb 14 14:18:55 hpe kernel: [15314.418991] [p_lkrg] <Exploit Detection> process[50890 | hpetfe] has different 'task_struct' pointer [0xffff8f9caeb642c0 vs 0xffff8f9d0cc5d900]
Feb 14 14:18:55 hpe kernel: [15314.419403] [p_lkrg] <Exploit Detection> Trying to kill process[hpetfe | 50890]!
Feb 14 14:18:55 hpe kernel: [15314.491346] [p_lkrg] <Exploit Detection> Error[1] when trying to add process[50940 |hpetfe] for tracking!
Feb 14 14:18:55 hpe kernel: [15314.491957] [p_lkrg] <Exploit Detection> process[50940 | hpetfe] has different 'task_struct' pointer [0xffff8f9c8cd40000 vs 0xffff8f9d0cc59640]
Feb 14 14:18:55 hpe kernel: [15314.492551] [p_lkrg] <Exploit Detection> Trying to kill process[hpetfe | 50940]!
Feb 14 14:18:59 hpe kernel: [15318.308217] [p_lkrg] <Exploit Detection> Error[1] when trying to add process[51157 |hpetfe] for tracking!
Feb 14 14:18:59 hpe kernel: [15318.309156] [p_lkrg] <Exploit Detection> process[51157 | hpetfe] has different 'task_struct' pointer [0xffff8f9caa9e5900 vs 0xffff8f9d35622c80]
Feb 14 14:18:59 hpe kernel: [15318.309947] [p_lkrg] <Exploit Detection> Trying to kill process[hpetfe | 51157]!
Feb 14 14:19:56 hpe kernel: [15375.305697] [p_lkrg] <Exploit Detection> Error[1] when trying to add process[51696 |hpetfe] for tracking!
Feb 14 14:19:56 hpe kernel: [15375.306323] [p_lkrg] <Exploit Detection> process[51696 | hpetfe] has different 'task_struct' pointer [0xffff8f9c9c5542c0 vs 0xffff8f9c7ac1d900]
Feb 14 14:19:56 hpe kernel: [15375.307423] [p_lkrg] <Exploit Detection> Trying to kill process[hpetfe | 51696]!
Feb 14 14:26:03 hpe kernel: [15741.789382] [p_lkrg] <Exploit Detection> Error[1] when trying to add process[55844 |hpetfe] for tracking!
Feb 14 14:26:03 hpe kernel: [15741.790096] [p_lkrg] <Exploit Detection> process[55844 | hpetfe] has different 'task_struct' pointer [0xffff8f9caebeac80 vs 0xffff8f9d357a42c0]
Feb 14 14:26:03 hpe kernel: [15741.791221] [p_lkrg] <Exploit Detection> Trying to kill process[hpetfe | 55844]!
...


Hardware: ProLiant MicroServer Gen8 (819185-421) / Intel(R) Celeron(R) CPU G1610T @ 2.30GHz
Software: Ubuntu 16.04.3 LTS
Kernel: Linux hpe 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

-- 
Krzysztof Kulesza

