Difference between revisions of "HIDS 60027"

From Atomicorp Wiki
Jump to: navigation, search
m
m
Line 4: Line 4:
 
|data2 = Active
 
|data2 = Active
 
|label3 = Alert Message
 
|label3 = Alert Message
|data3 =  >Denied a RWX mmap event. An application just attmpted to use the mprotect function to bypass memory protection functions in the kernel.
+
|data3 =  Denied a RWX mmap event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel.
 
}}
 
}}
  

Revision as of 11:49, 27 June 2014

Rule 60027
Status Active
Alert Message Denied a RWX mmap event. An application just attempted to use the mprotect function to bypass memory protection functions in the kernel.

Contents

Description

This means this program is attempting to either perform a dangerous operation, that could cause your system to be compromised, or someone is trying to break into your system and the ASL kernel is preventing this program from doing this.

This may also occur with malicious applications, or applications that do things in a dangerous way. You can read more about this kernel protection capability in this article:

http://pax.grsecurity.net/docs/mprotect.txt You should investigate this event as it may be part of a broader attack.

Log examples

Jun 27 20:32:38 host kernel: grsec: From 1.2.3.4: denied RWX mmap of <anonymous mapping> by /usr/sbin/r1soft/bin/2-6/cdp-2-6[cdp-2-6:6653] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

May 5 09:24:02 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.12.so by /usr/local/cpanel/whostmgr/docroot/cgi/addon_installatron.cgi[addon_installat:3705] uid/euid:0/0 gid/egid:0/0, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:3642] uid/euid:0/0 gid/egid:0/0

May 1 01:01:01 host kernel: grsec: From 1.2.3.4: denied RWX mprotect of /lib64/ld-2.5.so by /usr/local/cpanel/3rdparty/php/53/bin/php-cgi[php-cgi:25915] uid/euid:32003/32003 gid/egid:32003/32003, parent /usr/local/cpanel/cpsrvd-ssl[cpsrvd-ssl:25913] uid/euid:32003/32003 gid/egid:32003/32003

Troubleshooting

Solutions

Please see this article if you see this event for any paxtest events:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#grsec:_denied_RWX_mprotect

Please see these article for solutions if your application has this vulnerability:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#denied_RWX_mmap_of

Note: Java may require you to open other holes in your system. If you are attempting to fix Java, please see this article:

https://www.atomicorp.com/wiki/index.php/ASL_error_messages#Java_is_stopped_by_PAX

False Positives

Please report this to support if you know this is not an attack.

Additional Information

Similar Rules

HIDS_61027

Knowledge Base Articles

None.

Personal tools