Security Incidents mailing list archives

Re: cron exploit?


From: Matt Zimmerman <mdz () debian org>
Date: Mon, 29 Sep 2003 17:24:44 -0400

On Mon, Sep 29, 2003 at 11:55:22AM -0700, Jeremy Hanmer wrote:

> Unfortunately, the permissions were all fine.  The user apparently poked
> around cron.daily, but there isn't any evidence that they were ever able
> to successfully modify anything in there.  All files (and the directory
> itself) were owned by root.root, and all were 755.  The *only* file
> found modified by tripwire was /sbin/init.  Nothing else in any library
> paths, bin paths, or /etc had been touched.

Did the file 'mkwebuserlist' exist?  Is it a local script?  It is always
possible that these particular modifications were reversed after the exploit
was successful, or that your tripwire database was compromised.

Assuming those commands were run interactively (and they certainly look like
it, since vi(1) etc. were used), then there is no reason the intruder would
continue executing these commands if they were failing.  It seems likely
that the "echo ... >> mkwebuserlist" succeeded.

-- 
 - mdz
