Re: cron exploit?

[Jeremy Hanmer <jeremy () hq newdream net>]

Unfortunately, the permissions were all fine.  The user apparently poked
around cron.daily, but there isn't any evidence that they were ever able
to successfully modify anything in there.  All files (and the directory
itself) were owned by root.root, and all were 755.  The *only* file
found modified by tripwire was /sbin/init.  Nothing else in any library
paths, bin paths, or /etc had been touched.

On Mon, 2003-09-29 at 10:30, Matt Zimmerman wrote:
> On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:
>
> > We just had a Debian (Woody) box get rooted, apparently by a cron
> > exploit mentioned here:  http://www.codon.org.uk/~mjg59/kern/jmb73bash
> >
> > We've contacted the package maintainer, but has anybody else seen
> > anything like this floating around yet?  It's pretty worrisome since we
> > have a couple hundred linux boxes that must run cron for various
> > reasons.
>
> As I said before, there is no evidence here of a cron exploit, and it raises
> unnecessary alarm to claim that there is one.  It looks like you had a
> world-writable script (or a script owned by the unprivileged user who was
> exploited) in /etc/cron.daily, and so the intruder modified that script in
> order to execute commands as root.
>
> All signs point to a local configuration error.
>
> > echo chown root:root /tmp/rmsd >> mkwebuserlist
> > echo chmod 4755 /tmp/rmsd >> mkwebuserlist

Attachment: signature.asc
Description: This is a digitally signed message part