Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 21 Feb 2018 21:48:45 +0100
From: Adam Zabrocki <pi3@....com.pl>
To: lkrg-users@...ts.openwall.com
Subject: Re: [p_lkrg] <Exploit Detection>

Hi,

Can you tell which version of LKRG did you install? If it is not from the
latest bitbucket repo, can you try this one? It includes the latest patch
which handles call_usermodehelper invoked from the kernel.

If you do use latest version of LKRG from the bitbucket repo, can you
reliably repro the situation which you mentioned about in the email?


Btw. Sorry for a late reply but I had problem with my mailbox.

Thanks,
Adam


On Fri, Feb 16, 2018 at 10:31:24AM +0100, Krzysztof Kulesza wrote:
> Hello
> I'm install Linux Kernel Runtime Guard on Ubuntu 16.04 LTS (with latest 
> hwe kernel).
> After some time it was detect a exploit in process hpetfe from official 
> hp-snmp-agent for Ubuntu.
> 
> ...
> Feb 14 12:22:21 hpe kernel: [ 8320.010872] PKCS#7 signature not signed 
> with a trusted key
> Feb 14 12:22:21 hpe kernel: [ 8320.011738] [p_lkrg] Loading LKRG...
> Feb 14 12:22:22 hpe kernel: [ 8320.496200] [p_lkrg] LKRG initialized 
> successfully!
> Feb 14 12:22:22 hpe kernel: [ 8320.602486] [p_lkrg] System is clean!
> ...
> Feb 14 14:18:55 hpe kernel: [15314.418516] [p_lkrg] <Exploit Detection> 
> Error[1] when trying to add process[50890 |hpetfe] for tracking!
> Feb 14 14:18:55 hpe kernel: [15314.418991] [p_lkrg] <Exploit Detection> 
> process[50890 | hpetfe] has different 'task_struct' pointer 
> [0xffff8f9caeb642c0 vs 0xffff8f9d0cc5d900]
> Feb 14 14:18:55 hpe kernel: [15314.419403] [p_lkrg] <Exploit Detection> 
> Trying to kill process[hpetfe | 50890]!
> Feb 14 14:18:55 hpe kernel: [15314.491346] [p_lkrg] <Exploit Detection> 
> Error[1] when trying to add process[50940 |hpetfe] for tracking!
> Feb 14 14:18:55 hpe kernel: [15314.491957] [p_lkrg] <Exploit Detection> 
> process[50940 | hpetfe] has different 'task_struct' pointer 
> [0xffff8f9c8cd40000 vs 0xffff8f9d0cc59640]
> Feb 14 14:18:55 hpe kernel: [15314.492551] [p_lkrg] <Exploit Detection> 
> Trying to kill process[hpetfe | 50940]!
> Feb 14 14:18:59 hpe kernel: [15318.308217] [p_lkrg] <Exploit Detection> 
> Error[1] when trying to add process[51157 |hpetfe] for tracking!
> Feb 14 14:18:59 hpe kernel: [15318.309156] [p_lkrg] <Exploit Detection> 
> process[51157 | hpetfe] has different 'task_struct' pointer 
> [0xffff8f9caa9e5900 vs 0xffff8f9d35622c80]
> Feb 14 14:18:59 hpe kernel: [15318.309947] [p_lkrg] <Exploit Detection> 
> Trying to kill process[hpetfe | 51157]!
> Feb 14 14:19:56 hpe kernel: [15375.305697] [p_lkrg] <Exploit Detection> 
> Error[1] when trying to add process[51696 |hpetfe] for tracking!
> Feb 14 14:19:56 hpe kernel: [15375.306323] [p_lkrg] <Exploit Detection> 
> process[51696 | hpetfe] has different 'task_struct' pointer 
> [0xffff8f9c9c5542c0 vs 0xffff8f9c7ac1d900]
> Feb 14 14:19:56 hpe kernel: [15375.307423] [p_lkrg] <Exploit Detection> 
> Trying to kill process[hpetfe | 51696]!
> Feb 14 14:26:03 hpe kernel: [15741.789382] [p_lkrg] <Exploit Detection> 
> Error[1] when trying to add process[55844 |hpetfe] for tracking!
> Feb 14 14:26:03 hpe kernel: [15741.790096] [p_lkrg] <Exploit Detection> 
> process[55844 | hpetfe] has different 'task_struct' pointer 
> [0xffff8f9caebeac80 vs 0xffff8f9d357a42c0]
> Feb 14 14:26:03 hpe kernel: [15741.791221] [p_lkrg] <Exploit Detection> 
> Trying to kill process[hpetfe | 55844]!
> ...
> 
> 
> Hardware: ProLiant MicroServer Gen8 (819185-421) / Intel(R) Celeron(R) 
> CPU G1610T @ 2.30GHz
> Software: Ubuntu 16.04.3 LTS
> Kernel: Linux hpe 4.13.0-32-generic #35~16.04.1-Ubuntu SMP Thu Jan 25 
> 10:13:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> 
> -- 
> Krzysztof Kulesza
> 



-- 
pi3 (pi3ki31ny) - pi3 (at) itsec pl
http://pi3.com.pl

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.