Thread: Ubuntu Server Shellcode Alert

  1. #1
    Join Date
    Apr 2008
    Beans
    332
    Distro
    Ubuntu 10.04 Lucid Lynx

    Ubuntu Server Shellcode Alert

    http://i.imgur.com/FdXA8.png

    Backstory:

    Yesterday I installed a fresh Ubuntu Server LTS and then installed Security Onion.

    The picture above is what I saw today. It appears that the detection occurred, more or less, when I ran dist-upgrade.


    Code:
    Start-Date: 2012-10-04  00:44:17
    Commandline: apt-get dist-upgrade
    Install: linux-headers-3.2.0-31-generic:amd64 (3.2.0-31.50, automatic), linux-headers-3.2.0-31:amd64 (3.2.0-31.50, automatic), linux-image-3.2.0-31-generic:amd64 (3.2.0-31.50)
    Upgrade: apt-transport-https:amd64 (0.8.16~exp12ubuntu10.2, 0.8.16~exp12ubuntu10.3), securityonion-setup:amd64 (20120912-0ubuntu0securityonion20, 20120912-0ubuntu0securityonion21), bind9-host:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), linux-server:amd64 (3.2.0.29.31, 3.2.0.31.34), dnsutils:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), libdbus-1-3:amd64 (1.4.18-1ubuntu1, 1.4.18-1ubuntu1.1), ubuntu-keyring:amd64 (2011.11.21, 2011.11.21.1), libdns81:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), libapt-inst1.4:amd64 (0.8.16~exp12ubuntu10.2, 0.8.16~exp12ubuntu10.3), apport:amd64 (2.0.1-0ubuntu12, 2.0.1-0ubuntu13), libisccc80:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), apt-utils:amd64 (0.8.16~exp12ubuntu10.2, 0.8.16~exp12ubuntu10.3), linux-headers-server:amd64 (3.2.0.29.31, 3.2.0.31.34), securityonion-rule-update:amd64 (20120726-0ubuntu0securityonion3, 20120726-0ubuntu0securityonion5), linux-firmware:amd64 (1.79, 1.79.1), dbus:amd64 (1.4.18-1ubuntu1, 1.4.18-1ubuntu1.1), apt:amd64 (0.8.16~exp12ubuntu10.2, 0.8.16~exp12ubuntu10.3), liblwres80:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), multiarch-support:amd64 (2.15-0ubuntu10, 2.15-0ubuntu10.2), python-problem-report:amd64 (2.0.1-0ubuntu12, 2.0.1-0ubuntu13), libxml2:amd64 (2.7.8.dfsg-5.1ubuntu4.1, 2.7.8.dfsg-5.1ubuntu4.2), libbind9-80:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), libapt-pkg4.12:amd64 (0.8.16~exp12ubuntu10.2, 0.8.16~exp12ubuntu10.3), isc-dhcp-client:amd64 (4.1.ESV-R4-0ubuntu5.2, 4.1.ESV-R4-0ubuntu5.5), libisccfg82:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), tzdata:amd64 (2012e-0ubuntu0.12.04, 2012e-0ubuntu0.12.04.1), gpgv:amd64 (1.4.11-3ubuntu2, 1.4.11-3ubuntu2.1), python-apport:amd64 (2.0.1-0ubuntu12, 2.0.1-0ubuntu13), linux-image-server:amd64 (3.2.0.29.31, 3.2.0.31.34), openssl:amd64 (1.0.1-4ubuntu5.3, 1.0.1-4ubuntu5.5), resolvconf:amd64 (1.63ubuntu15, 1.63ubuntu16), libgc1c2:amd64 (7.1-8build1, 7.1-8ubuntu0.12.04.1), isc-dhcp-common:amd64 (4.1.ESV-R4-0ubuntu5.2, 4.1.ESV-R4-0ubuntu5.5), libisc83:amd64 (9.8.1.dfsg.P1-4ubuntu0.2, 9.8.1.dfsg.P1-4ubuntu0.3), ntfs-3g:amd64 (2012.1.15AR.1-1ubuntu1, 2012.1.15AR.1-1ubuntu1.2), securityonion-nsmnow-admin-scripts:amd64 (20120724-0ubuntu0securityonion17, 20120724-0ubuntu0securityonion18), gnupg:amd64 (1.4.11-3ubuntu2, 1.4.11-3ubuntu2.1)
    End-Date: 2012-10-04  00:47:02

    My guess at this point is that one of the packages above has the shellcode within, but there's a very good chance it's just a false positive.
    Last edited by munky99999; October 4th, 2012 at 04:45 PM.

  2. #2
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Ubuntu Server Shellcode Alert

    Just look up the SID and see what it checks for, assess if that's strong enough a classifier on its own (or not) and if necessary adjust Snort configuration / alerting accordingly.
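    A concrete way to do the "look up the SID and see what it checks for" step, as an added example that is not part of this thread and is not Security Onion, Snort or apt code: once the rule text behind the SID is known, pull out every `content:` pattern it matches on (plain text and `|hex|` notation) and scan the package files apt left in `/var/cache/apt/archives`. A `.deb` fetched over plain HTTP crosses the wire as exactly those file bytes, so a content match the sensor saw either turns up at a specific offset in one of the downloaded packages or did not come from the download. `EXAMPLE_RULE`, its SID and its byte pattern are constructed stand-ins, not the rule that fired here; `build_sample()` is a constructed stand-in for a downloaded package.

```python
"""Tie a shellcode-rule content match back to the bytes apt downloaded.

Added example for this thread; not Security Onion, Snort or apt code.
Extracts every `content:` pattern from a rule looked up by SID and scans
cached package files for it. EXAMPLE_RULE, its SID and its bytes are
constructed stand-ins; replace them with the real rule text for the alert.
Modifiers such as nocase/offset/depth/distance are deliberately ignored, so
this finds a superset of what the rule would match.
"""
import re
import zlib
from pathlib import Path

# Constructed rule in Snort syntax (placeholder SID and bytes).
EXAMPLE_RULE = (
    'alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any '
    '(msg:"SHELLCODE example syscall stub"; content:"|B0 17 CD 80|"; '
    'content:"/bin/sh"; classtype:shellcode-detect; sid:9999999; rev:1;)'
)

# content:"..." with optional leading ! (negated match); tolerates \" inside.
_CONTENT_RE = re.compile(r'content:\s*(!?)"((?:\\.|[^"\\])*)"')
# Splits a content value into alternating literal / hex chunks at |..| pairs.
_HEX_SPLIT_RE = re.compile(r'\|([0-9A-Fa-f ]*)\|')


def decode_content(raw: str) -> bytes:
    """Convert a Snort content value such as 'foo|41 42|bar' into raw bytes.

    Even-indexed chunks are literal text with Snort's escapes for semicolon,
    quote and backslash undone; odd-indexed chunks are hex from a |..| pair.
    An escaped pipe inside literal text is not handled (rare in practice).
    """
    out = bytearray()
    for i, chunk in enumerate(_HEX_SPLIT_RE.split(raw)):
        if i % 2 == 1:
            out += bytes.fromhex(chunk)
        else:
            out += re.sub(r'\\([;"\\])', r'\1', chunk).encode("latin-1")
    return bytes(out)


def rule_patterns(rule: str) -> list:
    """All positive (non-negated) content patterns in the rule, in rule order."""
    return [decode_content(raw) for neg, raw in _CONTENT_RE.findall(rule) if not neg]


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset at which pattern occurs in data (overlaps included)."""
    hits, start = [], 0
    while (idx := data.find(pattern, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def scan_bytes(data: bytes, patterns: list) -> dict:
    """Map each pattern to the offsets where it occurs in data."""
    return {p: find_all(data, p) for p in patterns}


def scan_archives(directory, patterns, suffix=".deb") -> dict:
    """Scan every package file in directory; return only files with a hit."""
    report = {}
    for path in sorted(Path(directory).glob(f"*{suffix}")):
        hits = scan_bytes(path.read_bytes(), patterns)
        if any(hits.values()):
            report[path.name] = hits
    return report


def build_sample() -> bytes:
    """Constructed stand-in for a downloaded package: compressed filler with
    the example 4-byte pattern planted at offset 100."""
    filler = zlib.compress(bytes(range(256)) * 64)
    return filler[:100] + b"\xb0\x17\xcd\x80" + filler[100:]


if __name__ == "__main__":
    patterns = rule_patterns(EXAMPLE_RULE)
    print("rule checks for:", [p.hex(" ") for p in patterns])
    for pat, offsets in scan_bytes(build_sample(), patterns).items():
        print(f"  {pat.hex(' '):>20} -> offsets {offsets}")
    # Against the real download cache (needs read access to the directory):
    # print(scan_archives("/var/cache/apt/archives", patterns))
```

    If the scan pins the bytes to an offset inside one package, the next question is what that region of the file is; for a `.deb` the payload is a compressed tarball, so a short syscall-style byte sequence landing in compressed data is exactly the kind of chance match the later replies describe. If no cached package contains the pattern, the hit came from something else on the wire and the package list is a red herring.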

  3. #3
    Join Date
    Sep 2012
    Location
    Virginia, USA
    Beans
    209
    Distro
    Ubuntu Development Release

    Re: Ubuntu Server Shellcode Alert

    I have virtually no knowledge regarding shellcode and Security Onion, but I did some quick Googling and found the following thread, which suggests that the rule that is being "triggered" here is a notorious generator of false positives, often generated by downloading binary files (which is what you were doing when it happened):

    http://security.stackexchange.com/qu...rules-question
    Asus K55A (Core i5-3210M @ 2.5GHz/8GB RAM/120GB SSD/Intel HD 4000) with Ubuntu 12.10 Beta 2
    Compaq Presario C700 (Pentium Dual-Core @ 1.6GHz/2.5GB RAM/500GB HDD/Intel GM965) with Arch Linux and Linux Mint Debian Edition

  4. #4
    Join Date
    Nov 2009
    Beans
    919
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Ubuntu Server Shellcode Alert

    As the link in the post above makes clear, the shellcode signatures do generate a large number of false positives. Part of the reason is how broad the port variable is (everything except http by default). However, this means it will also include traffic involving ports often associated with compressed or encrypted data transfer (like 443 for https, 1935 for flash, 554 for rtsp and so on). When that happens you'll get matches on things that wouldn't match at all if they were not compressed or were in clear text formats.

    Software packages also tend to be compressed/packed/whatever even when pulled down over regular http ports, which can have the same results. Bottom line, for most people it's best not to have any of the shellcode signatures enabled. The risk of encountering the things they look for is really small compared to the amount of effort you'd have to put into sorting the signal from the noise, especially without a lot of knowledge of shellcode and the context within which those signatures were created.
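    To put numbers on the two points above (a port variable that covers everything except http, and compressed or encrypted payloads that look like random bytes to a content match), here is an added example that is not part of this thread and not Snort's own code. It evaluates the subset of Snort's portvar notation I am confident of (`any`, a single port, `lo:hi` ranges, `[a,b,...]` lists and a leading `!` for negation), counts how much of a set of constructed flows a rule scoped with the default `!80` would inspect versus one that also excludes the 443/1935/554 ports named above, and estimates the accidental matches an n-byte content pattern collects from opaque payloads, modelling compressed or encrypted bytes as uniformly random. The flow records are constructed; the `$SHELLCODE_PORTS` default of `!80` is the one the reply refers to.

```python
"""How a shellcode rule's port scope multiplies chance matches on opaque data.

Added example for this thread, not Snort's own code. Flow records below are
constructed; the traffic model (compressed/encrypted bytes ~ uniform random)
is an approximation, good enough to see why the noise scales with the port
scope rather than with any real shellcode.
"""
ALL_PORTS = frozenset(range(65536))


def parse_portvar(spec: str) -> frozenset:
    """Return the set of ports a Snort portvar spec selects.

    Supports: any, 80, 80:90 (either end optional), [80,443,1000:2000],
    and a leading ! to negate the whole expression.
    """
    spec = spec.strip()
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:].strip()
    if spec.lower() == "any":
        ports = set(ALL_PORTS)
    else:
        if spec.startswith("[") and spec.endswith("]"):
            spec = spec[1:-1]
        ports = set()
        for item in spec.split(","):
            item = item.strip()
            if not item:
                continue
            if ":" in item:
                lo, _, hi = item.partition(":")
                ports.update(range(int(lo or 0), int(hi or 65535) + 1))
            else:
                ports.add(int(item))
    return frozenset(ALL_PORTS - ports) if negate else frozenset(ports)


# Constructed flow summaries: server-side port (what $SHELLCODE_PORTS is
# matched against for server-to-client payloads), bytes carried, and whether
# the payload is opaque (compressed or encrypted) rather than clear text.
FLOWS = [
    {"server_port": 80,   "bytes": 48_000_000, "opaque": True,  "desc": "apt .deb downloads (http)"},
    {"server_port": 443,  "bytes": 12_000_000, "opaque": True,  "desc": "https"},
    {"server_port": 1935, "bytes": 30_000_000, "opaque": True,  "desc": "flash/rtmp"},
    {"server_port": 554,  "bytes": 20_000_000, "opaque": True,  "desc": "rtsp"},
    {"server_port": 22,   "bytes":    500_000, "opaque": True,  "desc": "ssh"},
    {"server_port": 8080, "bytes":  2_000_000, "opaque": False, "desc": "plain http (html)"},
    {"server_port": 53,   "bytes":    100_000, "opaque": False, "desc": "dns"},
]


def inspected(spec: str, flows=FLOWS) -> dict:
    """Flows, bytes and opaque bytes a rule with this port scope would inspect."""
    ports = parse_portvar(spec)
    chosen = [f for f in flows if f["server_port"] in ports]
    return {
        "flows": len(chosen),
        "bytes": sum(f["bytes"] for f in chosen),
        "opaque_bytes": sum(f["bytes"] for f in chosen if f["opaque"]),
    }


def expected_chance_hits(opaque_bytes: int, pattern_len: int) -> float:
    """Expected accidental matches of a pattern_len-byte content in
    opaque_bytes of data modelled as uniform random bytes: one trial per
    offset, 256**pattern_len equally likely outcomes. Clear text is taken to
    contribute nothing for a pattern made of non-printable bytes."""
    return opaque_bytes / 256 ** pattern_len


if __name__ == "__main__":
    for spec in ("!80", "![80,443,1935,554]"):
        stats = inspected(spec)
        hits = expected_chance_hits(stats["opaque_bytes"], 4)
        print(f"{spec:>22}: {stats['flows']} flows, {stats['bytes']:>11,} bytes, "
              f"{stats['opaque_bytes']:>11,} opaque; ~{hits:.4f} chance hits "
              f"per 4-byte pattern")
```

    On these constructed flows the narrowed scope drops the inspected volume by more than an order of magnitude, and the chance-hit estimate scales linearly with opaque bytes, so scale it to a sensor's real daily volume to see how many alerts per rule are expected from noise alone. Note the default `!80` scope already leaves out the port apt normally uses, so a hit during a dist-upgrade over plain http implies the download went over a port that is in scope (a mirror on a non-standard port, https, or a proxy); that is worth confirming before touching the port variable or disabling the rule set.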
