Security Incidents mailing list archives
Re: cron exploit?
From: Matt Zimmerman <mdz () debian org>
Date: Mon, 29 Sep 2003 13:30:24 -0400
On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:
We just had a Debian (Woody) box get rooted, apparently by a cron exploit mentioned here: http://www.codon.org.uk/~mjg59/kern/jmb73bash We've contacted the package maintainer, but has anybody else seen anything like this floating around yet? It's pretty worrisome since we have a couple hundred linux boxes that must run cron for various reasons.
As I said before, there is no evidence here of a cron exploit, and it raises unnecessary alarm to claim that there is one. It looks like you had a world-writable script (or a script owned by the unprivileged user who was exploited) in /etc/cron.daily, and so the intruder modified that script in order to execute commands as root. All signs point to a local configuration error.
echo chown root:root /tmp/rmsd >> mkwebuserlist echo chmod 4755 /tmp/rmsd >> mkwebuserlist
-- - mdz --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Pavel Kankovsky (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Barry Fitzgerald (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremiah Cornelius (Sep 30)
- Re: cron exploit? Tim Greer (Sep 30)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)