Security Incidents mailing list archives
Re: cron exploit?
From: Matt Zimmerman <mdz () debian org>
Date: Mon, 29 Sep 2003 17:24:44 -0400
On Mon, Sep 29, 2003 at 11:55:22AM -0700, Jeremy Hanmer wrote:
> Unfortunately, the permissions were all fine. The user apparently poked around cron.daily, but there isn't any evidence that they were ever able to successfully modify anything in there. All files (and the directory itself) were owned by root.root, and all were 755. The *only* file found modified by tripwire was /sbin/init. Nothing else in any library paths, bin paths, or /etc had been touched.

Did the file 'mkwebuserlist' exist? Is it a local script?

It is always possible that these particular modifications were reversed after the exploit was successful, or that your tripwire database was compromised.

Assuming those commands were run interactively (and they certainly look like it, since vi(1) etc. were used), then there is no reason the intruder would continue executing these commands if they were failing. It seems likely that the "echo ... >> mkwebuserlist" succeeded.

--
 - mdz