Security Incidents mailing list archives
Re: cron exploit?
From: Vinicius Moreira Mello <vinicius () lineone net>
Date: Tue, 30 Sep 2003 20:19:15 -0300
Jeremy,
May be it exploits an improper tmp file created by an application run
by root or an improper file permission that you haven't noticed.
Something I always do in systems that users log into is mounting
/tmp,/var with nodev,nosuid,noexec permissions, removing the compiler
and unsetting the suid bit of many executables, including crontab.
Gook luck,
--
Vinicius
Jeremy Hanmer wrote:
> Unfortunately, the permissions were all fine. The user apparently poked
> around cron.daily, but there isn't any evidence that they were ever able
> to successfully modify anything in there. All files (and the directory
> itself) were owned by root.root, and all were 755. The *only* file
> found modified by tripwire was /sbin/init. Nothing else in any library
> paths, bin paths, or /etc had been touched.
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
Current thread:
- Re: cron exploit? Vinicius Moreira Mello (Oct 01)
- Re: cron exploit? Barry Fitzgerald (Oct 01)
- Re: cron exploit? Steffen Kluge (Oct 02)
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- <Possible follow-ups>
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- Re: cron exploit? Matt Zimmerman (Oct 10)
- Re: cron exploit? Barry Fitzgerald (Oct 01)