Information Security News mailing list archives

Sniffed password used for Debian server compromise


From: InfoSec News <isn () c4i org>
Date: Mon, 1 Dec 2003 03:44:20 -0600 (CST)

http://www.smh.com.au/articles/2003/12/01/1070127318372.html

By Sam Varghese
December 1, 2003

A member of the Debian GNU/Linux system administration team believes 
there is an unknown local root exploit for the Linux kernel 
circulating in the wild and says it may have been used to compromise 
four servers belonging to the free software project, after initial 
unprivileged access was gained by using a sniffed password. 

Debian is a free operating system which uses the Linux kernel; most of 
the basic OS tools come from the GNU project hence the name GNU/Linux. 
The break-in was reported on November 21. 

According to a post by James Troup to one of the Debian mailing lists, 
an ongoing investigation had shown that a sniffed password was used to 
gain initial access to the server named klecker, one of the four that 
were compromised. 

Troup said that on November 20, it had been noticed that the kernel on 
a server called master, which hosts the project's bug tracking system, 
was doing an oops - something which occurs when the kernel code gets 
into an unrecoverable state. 

He said suspicions were aroused when the server named murphy, which 
hosts the mailing lists, started showing the same error. 

Three of the servers had an intrusion detection package installed and 
the admins began to see warnings that certain files had been replaced 
and that the timestamps for some files had changed. Investigations 
showed that a rootkit, known as suckit, had been installed. 

A rootkit is a collection of tools that allows an attacker, among 
other things, to provide a backdoor into a system, collect information 
about other systems on the network, and mask the fact that the system 
is compromised. 
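The warnings the admins saw (files replaced, timestamps changed) are what a host file-integrity checker produces when it compares the current filesystem against a stored baseline. The following is an added example and is not code from the article or from the Debian project; it does not reproduce whichever intrusion detection package the servers actually ran. It records a SHA-256 digest and modification time per file, stores the baseline as JSON, and reports drift on a constructed toy directory tree, including the case where a replaced file has had its original timestamp put back.

```python
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Record what is needed to notice a replaced or re-dated file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mtime_ns": os.stat(path).st_mtime_ns}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline


def compare(baseline, root):
    """Return sorted (path, finding) pairs describing drift from the baseline."""
    current = build_baseline(root)
    findings = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing"))
        elif new["sha256"] != old["sha256"]:
            # Content differs, so the file was replaced. The digest decides,
            # even if the timestamp was reset to its original value.
            findings.append((rel, "replaced"))
        elif new["mtime_ns"] != old["mtime_ns"]:
            findings.append((rel, "timestamp changed"))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new file"))
    return sorted(findings)


def demo():
    """Constructed scenario: baseline a toy tree, alter it, re-check it."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
            return full

        ls = write("bin/ls", b"original ls binary (constructed)\n")
        passwd = write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("bin/ps", b"original ps binary (constructed)\n")

        # The baseline round-trips through JSON, as it would when stored.
        baseline = json.loads(json.dumps(build_baseline(root)))

        # 1) bin/ls is replaced and its original mtime is restored.
        old_mtime = os.stat(ls).st_mtime_ns
        write("bin/ls", b"replacement ls binary (constructed)\n")
        os.utime(ls, ns=(old_mtime, old_mtime))
        # 2) etc/passwd keeps its content but gets a different timestamp.
        os.utime(passwd, ns=(1_000_000_000, 1_000_000_000))
        # 3) An unexpected file appears under lib/.
        write("lib/extra.so", b"unexpected new file (constructed)\n")
        # bin/ps is left untouched and should produce no finding.

        return compare(baseline, root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:18} {path}")
```

Two points a practitioner would take from this: a content digest catches a replaced file even when its timestamp has been restored, so the digest, not the mtime, is the authoritative signal; and since a rootkit installed with root privileges exists precisely to mask the compromise, the baseline and the checker itself should be kept somewhere the host cannot rewrite (read-only media or a separate machine), otherwise the warnings can be silenced along with everything else.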

Based on investigations, Troup said it appeared that on November 19, 
at approximately 5pm GMT, a sniffed password was used to access an 
(unprivileged) account on one of the servers, klecker. 

"Somehow they got root on klecker and installed suckit. The same 
account was then used to log into master and gain root and install 
suckit there too. They then tried to get to murphy (which runs the 
mailing lists) with the same account. This failed because murphy is a 
restricted box that only a small subset of developers can log into," 
Troup said. 

"They then used their root access on master to access an 
administrative account used for backup purposes and used that to gain 
access to murphy. They got root on murphy and installed suckit there 
too. The next day they used a password sniffed on master to log into 
gluck, got root there and installed suckit."

Troup said the project team was looking at hardening the servers and 
tightening up procedures to try and stop such intrusions happening 
again.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

