Security Incidents mailing list archives
Re: cron exploit?
From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Wed, 01 Oct 2003 21:37:53 -0700
On Mon, 2003-09-29 at 14:24, Matt Zimmerman wrote:
On Mon, Sep 29, 2003 at 11:55:22AM -0700, Jeremy Hanmer wrote:
Did the file 'mkwebuserlist' exist? Is it a local script? It is always possible that these particular modifications were reversed after the exploit was successful, or that your tripwire database was compromised.
No, that file didn't exist. In fact, the only part of that script that was actually recovered was the source code mentioned (which, while generic, was formatted identically, so I assumed that was the source of the code). The tripwire database being compromised is not a possibility as it resides in an external database heavily separated from the machine in question.
Assuming those commands were run interactively (and they certainly look like it, since vi(1) etc. were used), then there is no reason the intruder would continue executing these commands if they were failing. It seems likely that the "echo ... >> mkwebuserlist" succeeded.