rooted

[pchampon () GONK VALUEWEB NET (Philip Champon)]

Today I was notified via email that a machine of ours was compromised. He
told us that he gained access through UltimateBB (of recent fame and chatter
on butraq) then used crontab (he said that he thought that was what he used)
to obtain a root shell. He also told us that he replaced our sshd binary.

RedHat (kernel 2.2.12-6.2smp) 6.1 was the OS and cron version is 2.4 and ubb
was the freeware version off their site http://www.ultimatebb.com.

In poking around that server we also found b00ger-rpc listed in inetd.conf
and running as pop2 ??? (Does b00ger take anything other than stdin?),
something in tmp called jrnt1.2 and broadscan.

If anyone has anymore info on anything listed here (exploits etc) I am
all too happy to hear from you. Can anyone refute his claims of using
crontab to get root, we were pretty sure that this cron version OS release
were free from any exploit issues.  Even the use of ultimatebb seems strange
since as I understood it, the insecurities were regarding executing code as the
user and even reading the passwd file, not actually obtaining shell access.

thanks,
Phil Champon
Systems Administrator NOC, Valueweb