Security Incidents mailing list archives
Re: cron exploit?
From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Mon, 29 Sep 2003 11:55:22 -0700
Unfortunately, the permissions were all fine. The user apparently poked around cron.daily, but there isn't any evidence that they were ever able to successfully modify anything in there. All files (and the directory itself) were owned by root.root, and all were 755. The *only* file found modified by tripwire was /sbin/init. Nothing else in any library paths, bin paths, or /etc had been touched. On Mon, 2003-09-29 at 10:30, Matt Zimmerman wrote:
On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:We just had a Debian (Woody) box get rooted, apparently by a cron exploit mentioned here: http://www.codon.org.uk/~mjg59/kern/jmb73bash We've contacted the package maintainer, but has anybody else seen anything like this floating around yet? It's pretty worrisome since we have a couple hundred linux boxes that must run cron for various reasons.As I said before, there is no evidence here of a cron exploit, and it raises unnecessary alarm to claim that there is one. It looks like you had a world-writable script (or a script owned by the unprivileged user who was exploited) in /etc/cron.daily, and so the intruder modified that script in order to execute commands as root. All signs point to a local configuration error.echo chown root:root /tmp/rmsd >> mkwebuserlist echo chmod 4755 /tmp/rmsd >> mkwebuserlist
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Pavel Kankovsky (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Barry Fitzgerald (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremiah Cornelius (Sep 30)
- Re: cron exploit? Tim Greer (Sep 30)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)