FreeBSD-SA-04:13.linux in the wild

From: Ryan Thompson (ryan_at_sasknow.com)
Date: 08/11/04

  • Next message: Gustavo A. Baratto: "Re: FreeBSD-SA-04:13.linux in the wild"
    Date: Wed, 11 Aug 2004 15:07:11 -0600 (CST)
    To: freebsd-security@freebsd.org
    
    

    Has anyone else seen this in the wild?

    We just had an attempted attack yesterday from a live attacker on one of
    our machines using this vulnerability. It wasn't all that clever, and
    they're long gone, but I *did* manage to catch them in the act and grab
    a copy of the binary they tried to run from /tmp/, as well as the PHP
    injection code they used to subvert a virtual web site's poorly-written
    index.php script to execute commands as a local user.

    Their first order of business was uname -a, and the timing of the
    requests appeared to be random and experimental ("cd /tmp; ls -la", a
    few times). If any @FreeBSD.org developers would like more information,
    I'd be happy to share my findings and log output off-list.

    - Ryan

    -- 
       Ryan Thompson <ryan@sasknow.com>
       SaskNow Technologies - http://www.sasknow.com
       901-1st Avenue North - Saskatoon, SK - S7K 1Y4
             Tel: 306-664-3600   Fax: 306-244-7037   Saskatoon
       Toll-Free: 877-727-5669     (877-SASKNOW)     North America
    
