RE: Automated ssh scanning

[Ron DuFresne <dufresne () winternet com>]

On Thu, 26 Aug 2004, Todd Towles wrote:

> Hey Ron,
>
> Guest isn't a admin so they let the tool get in. But the real questions
> is, how does it get root access on a fully patched server? It appears to
> use a local exploit to gain root access. This is a problem.

The better question to ask is;  on a fully  patched *nix system, which
apps are not exploitable to gain elivated privledge.  KDE, GNOME, other X
apps are prime targets, as well as things like vi, jed, etc.  The smaller
number on a fully installed system is going to be those apps that have
either been audited to the point all overflows have been fixed.

Now, how they gained root is likely in the logs or .history files, if they
have not been removed or truncated in the exploitation.  System forensics
is the key to trying to track this down on the server i question and is a
whole area unto itself in systems security.

Thanks,

Ron Dufresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html