Security Incidents mailing list archives

Openbsd 3.2 wtmp delay and named backdoor


From: Eric Weaver <internet () whttp com>
Date: 15 Jan 2003 14:19:52 -0000




Can anyone explain what would cause a wtmp delay like this? Notice that I am 
invisible until the third iteration of 'w'. I hope this is nothing more 
than some sort of filesystem lag or sshd delay.

The only known vulnerability on this box is named. OpenBSD 3.2 named has a 
possible remote exploit, but since it's jailed, the security is "mitigated" 
(so they say).  

My observation is that there may be a way out of the jail through the 
default socket to syslogd (via the -a flag, shown below). syslogd runs as 
root. Doesn't this seem unsafe to anyone else? If a process is truly 
jailed, it should have its own non-root logging mechanism. Agreed?

Eric Weaver
wHTTP consulting
----------------


<suser@silver:/home/suser:1>$ w
 5:37AM  up 5 days,  1:35, 0 users, load averages: 0.42, 0.16, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
<suser@silver:/home/suser:2>$ ps -aux
USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED       TIME COMMAND
suser     7019  0.0  0.0   264   156 p0  R+     5:37AM    0:00.01 ps -aux
root      3023  0.0  0.0   100   376 ??  Ss    Fri04AM    0:01.44 syslogd -a /var/named/dev/log
root     20857  0.0  0.0   328   184 ??  Ss    Fri04AM    0:12.36 pflogd
named    24326  0.0  0.0   940  1224 ??  Ss    Fri04AM    0:22.56 named -t /var/named -u named
root     29615  0.0  0.0   356   868 ??  Ss    Fri04AM    0:02.20 /usr/sbin/sshd
root      5861  0.0  0.0   228   460 ??  Is    Fri04AM    0:02.01 cron
root      2034  0.0  0.0    48   420 C0  Is+   Fri04AM    0:00.01 /usr/libexec/getty Pc ttyC0
root     23329  0.0  0.0   880   820 ??  Ss    Fri04AM    0:18.16 sendmail: accepting connections (sendmail)
www       8816  0.0  0.0  4528  5184 ??  Ss    Fri04AM    0:08.10 httpd: parent [chroot /var/www] (httpd)
www       7158  0.0  0.0  4960  4488 ??  I     Fri04AM    0:01.23 httpd: child (httpd)
www      30780  0.0  0.0  4936  4504 ??  I     Fri04AM    0:01.18 httpd: child (httpd)
www        432  0.0  0.0  4932  4452 ??  I     Fri04AM    0:00.79 httpd: child (httpd)
www      31496  0.0  0.0  4936  4436 ??  I     Fri04AM    0:01.01 httpd: child (httpd)
www       4692  0.0  0.0  4900  4412 ??  I     Fri04AM    0:01.06 httpd: child (httpd)
www      23742  0.0  0.0  4936  4448 ??  I     Fri04AM    0:00.85 httpd: child (httpd)
www      13186  0.0  0.0  4948  4484 ??  I     Fri04AM    0:01.26 httpd: child (httpd)
www      18151  0.0  0.0  4892  4308 ??  I     Sun12AM    0:00.26 httpd: child (httpd)
root     19734  0.0  0.0   464  1164 ??  Ss     5:37AM    0:00.05 sshd: suser [priv] (sshd)
suser     2391  0.0  0.0   400  1036 ??  S      5:37AM    0:00.02 sshd: suser@ttyp0 (sshd)
suser    14872  0.0  0.0   400   320 p0  Ss     5:37AM    0:00.03 -ksh (ksh)
root         1  0.0  0.0   336   200 ??  Is    Fri04AM    0:00.03 /sbin/init
<suser@silver:/home/suser:3>$ w
 5:37AM  up 5 days,  1:35, 0 users, load averages: 0.42, 0.16, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
<suser@silver:/home/suser:4>$ w
 5:37AM  up 5 days,  1:36, 1 user, load averages: 0.38, 0.15, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
suser    p0 192.168.25.104    5:37AM     0 w 
<suser@silver:/home/suser:5>$ w
 5:37AM  up 5 days,  1:36, 1 user, load averages: 0.35, 0.15, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
suser    p0 192.168.25.104    5:37AM     0 w 
<suser@silver:/home/suser:6>$ 


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
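The post above worries that the extra syslogd socket created by `syslogd -a /var/named/dev/log` is "a way out" of the named chroot. What actually crosses that boundary is a Unix-domain datagram: the chrooted process can only write syslog-formatted text into it, and the only thing root-owned syslogd does with it is parse the `<PRI>` prefix and log the rest, so the exposure is syslogd's handling of untrusted text, not a filesystem path out of the jail. The following is an added example that is not code from the post or from OpenBSD: it binds a stand-in receiver socket the way syslogd does for its `-a` path, sends a constructed message from a "client" inside a throwaway directory standing in for the chroot, and parses the datagram the way a BSD syslogd would. The socket path, the sample message text and the `exchange`/`parse_syslog` helpers are assumptions made for illustration; it assumes POSIX `AF_UNIX` datagram semantics.

```python
import os
import socket
import tempfile

# BSD syslog protocol: PRI = facility * 8 + severity, sent as "<PRI>text".
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# Constructed sample (not a real log line): facility daemon (3), severity
# notice (5) -> PRI 29, as a chrooted named might send it.
SAMPLE_MSG = b"<29>named[24326]: loading configuration"


def facility_name(n):
    """Map a facility number to its BSD name (local0-7 are 16-23)."""
    if n < len(FACILITIES):
        return FACILITIES[n]
    if 16 <= n <= 23:
        return "local%d" % (n - 16)
    return "facility%d" % n


def parse_syslog(datagram):
    """Split one syslog datagram into (facility, severity, text).

    This mirrors the only structure syslogd imposes on the wire: a
    "<PRI>" prefix of at most three digits; everything after it is
    opaque text that is logged as-is.
    """
    if not datagram.startswith(b"<"):
        raise ValueError("datagram has no <PRI> prefix")
    end = datagram.find(b">", 1, 5)          # "<0>" .. "<191>"
    if end < 2:
        raise ValueError("unterminated or empty <PRI>")
    pri = int(datagram[1:end])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    text = datagram[end + 1:].decode("ascii", "replace")
    return facility_name(pri >> 3), SEVERITIES[pri & 7], text


def exchange(datagram, bufsize=1024):
    """Deliver one datagram over a syslogd-style Unix socket and parse it.

    The receiver (playing syslogd) binds a datagram socket at a path
    standing in for /var/named/dev/log; the sender (playing named)
    only needs write access to that path. The receiver reads into a
    fixed buffer, so anything beyond bufsize is dropped by the kernel,
    never delivered.
    """
    tmp = tempfile.mkdtemp()                 # stand-in for the chroot dir
    path = os.path.join(tmp, "log")          # stand-in for /var/named/dev/log
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        srv.bind(path)
        srv.settimeout(2)
        cli.sendto(datagram, path)
        received = srv.recv(bufsize)
    finally:
        cli.close()
        srv.close()
        os.unlink(path)
        os.rmdir(tmp)
    return parse_syslog(received)


if __name__ == "__main__":
    facility, severity, text = exchange(SAMPLE_MSG)
    print("%s.%s: %s" % (facility, severity, text))
```

Running the block prints `daemon.notice: named[24326]: loading configuration`. The `bufsize` argument shows the one boundary the channel itself enforces: a datagram longer than the receiver's buffer is truncated by the kernel, so whatever syslogd does with the text, it never sees more than it asked for.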

