Security Incidents mailing list archives

Re: rooted


From: ryans () PNX COM (Administrator)
Date: Wed, 23 Feb 2000 19:48:36 -0600


    Phil,

If your Ultimate BB was running as root it was easy for your attacker
to gain access.  As far as I know, all you can do with the perl hole on
ubb is read a file, and I assume you use shadowed passwords, so unless
the bb is run as root he could not read the shadow file (or
master.passwd).  I am unaware of a new crontab hole, though it is
possible.

The file in /tmp called broadscan is a tool to scan for smurf
amplifiers.  Dunno the others..

ryan
ryans () pnx com

Philip Champon wrote:

Today I was notified via email that a machine of ours was compromised. He
told us that he gained access through UltimateBB (of recent fame and chatter
on bugtraq), then used crontab (he said that he thought that was what he used)
to obtain a root shell. He also told us that he replaced our sshd binary.

RedHat (kernel 2.2.12-6.2smp) 6.1 was the OS and cron version is 2.4 and ubb
was the freeware version off their site http://www.ultimatebb.com.

In poking around that server we also found b00ger-rpc listed in inetd.conf
and running as pop2 ??? (Does b00ger take anything other than stdin?),
something in tmp called jrnt1.2 and broadscan.

If anyone has any more info on anything listed here (exploits etc.) I am
all too happy to hear from you. Can anyone refute his claims of using
crontab to get root? We were pretty sure that this cron version and OS release
were free from any exploit issues.  Even the use of ultimatebb seems strange,
since as I understood it the insecurities were regarding executing code as the
user and even reading the passwd file, not actually obtaining shell access.

thanks,
Phil Champon
Systems Administrator NOC, Valueweb

--
-----------------------------------------------------------------
The opinions expressed here aren't even mine...
To err is human...to really foul up requires the root password.
-----------------------------------------------------------------
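The b00ger-rpc entry Phil found parked on the pop2 service is the kind of thing a quick inetd.conf triage catches on a suspect box. The script below is an added example for this thread, not code from either poster: it parses an inetd.conf, follows tcpd wrappers to the real daemon, and flags entries whose program does not match the stock daemon for that service or lives outside the system binary directories. The baseline table of expected daemons and the sample inetd.conf (including the /tmp path for b00ger-rpc) are constructed for the example and are assumptions, not the poster's actual file.

```python
"""Triage an inetd.conf copied from a suspect host.

Added example for this thread; not code from the list or from any poster.
Parses inetd.conf entries, resolves tcp_wrappers (tcpd) to the daemon it
actually launches, and reports entries that do not look like the stock
service (wrong program for the service name, or a program outside the
normal system directories such as /tmp).
"""
import os

# Service name -> expected daemon basenames on a Red Hat 6.x style box.
# Assumption for the example only, not a distribution manifest.
EXPECTED_SERVERS = {
    "ftp": {"in.ftpd"},
    "telnet": {"in.telnetd"},
    "pop-2": {"ipop2d"},
    "pop2": {"ipop2d"},
    "pop-3": {"ipop3d"},
    "imap": {"imapd"},
    "finger": {"in.fingerd"},
    "auth": {"in.identd"},
}

# Directories a legitimate inetd-launched daemon is expected to live in.
SYSTEM_DIRS = ("/usr/sbin/", "/sbin/", "/usr/libexec/", "/usr/bin/")

# Constructed sample, not the poster's real inetd.conf.  Line 5 is the
# suspicious pop-2 entry modelled on the b00ger-rpc finding in the thread.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop-2  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop2d
pop-2   stream  tcp     nowait  root    /tmp/b00ger-rpc b00ger-rpc
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""


def parse_inetd(text):
    """Return active inetd.conf entries as dicts; comments and blanks skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd would ignore it too
        service, _socktype, _proto, _flags, user, server = fields[:6]
        entries.append({
            "lineno": lineno, "service": service, "user": user,
            "server": server, "args": fields[6:],
        })
    return entries


def effective_program(entry):
    """Path of the program that really handles the connection.

    With tcp_wrappers the server column is /usr/sbin/tcpd and the real
    daemon is the first argument, so look through the wrapper.
    """
    if os.path.basename(entry["server"]) == "tcpd" and entry["args"]:
        return entry["args"][0]
    return entry["server"]


def audit_inetd(text):
    """Return (lineno, service, reason) tuples for suspicious entries."""
    findings = []
    for e in parse_inetd(text):
        prog = effective_program(e)
        name = os.path.basename(prog)
        expected = EXPECTED_SERVERS.get(e["service"])
        if expected is not None and name not in expected:
            findings.append((e["lineno"], e["service"],
                             f"unexpected program {name!r}; expected one of "
                             f"{sorted(expected)}"))
        if prog.startswith("/") and not prog.startswith(SYSTEM_DIRS):
            findings.append((e["lineno"], e["service"],
                             f"server program outside system directories: {prog}"))
    return findings


if __name__ == "__main__":
    for lineno, service, reason in audit_inetd(SAMPLE_INETD_CONF):
        print(f"line {lineno} ({service}): {reason}")
```

Run it against a copy of the file taken off the compromised host with `audit_inetd(open(path).read())`; on the sample it reports the pop-2 line twice, once for the wrong daemon name and once for the /tmp path. Note that with a tcpd-wrapped entry the daemon name is often given bare (tcpd finds it in /usr/sbin), so the path check only applies when the effective program is absolute. This is a complement to, not a substitute for, verifying package-owned binaries such as sshd against the package database, since Phil's attacker claimed to have replaced that binary outright.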