Openbsd 3.2 wtmp delay and named backdoor

From: Eric Weaver (internet@whttp.com)
Date: 01/15/03

    Date: 15 Jan 2003 14:19:52 -0000
    From: Eric Weaver <internet@whttp.com>
    To: incidents@securityfocus.com

    Can anyone explain what would cause a wtmp delay like this? Notice I am
    invisible, until the third iteration of 'w'. I hope this is nothing more
    than some sort of filesystem lag or sshd delay.

    The only known vulnerability on this box is Named. Openbsd 3.2 named has a
    possible remote exploit, but since it's jailed, the security is "mitigated"
    (so they say).

    My observation is that there may be a way out of the jail through the
    default socket to syslogd (via the -a flag (shown below)). Syslogd runs as
    root. Doesn't this seem unsafe to anyone else? If a process is truly
    jailed, it should have its own non-root logging mechanism. Agreed?

    Eric Weaver
    wHTTP consulting
    ----------------

    <suser@silver:/home/suser:1>$ w
     5:37AM up 5 days, 1:35, 0 users, load averages: 0.42, 0.16, 0.10
    USER TTY FROM LOGIN@ IDLE WHAT
    <suser@silver:/home/suser:2>$ ps -aux
    USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
    suser 7019 0.0 0.0 264 156 p0 R+ 5:37AM 0:00.01 ps -aux
    root 3023 0.0 0.0 100 376 ?? Ss Fri04AM 0:01.44 syslogd -a /var/named/dev/log
    root 20857 0.0 0.0 328 184 ?? Ss Fri04AM 0:12.36 pflogd
    named 24326 0.0 0.0 940 1224 ?? Ss Fri04AM 0:22.56 named -t /var/named -u named
    root 29615 0.0 0.0 356 868 ?? Ss Fri04AM 0:02.20 /usr/sbin/sshd
    root 5861 0.0 0.0 228 460 ?? Is Fri04AM 0:02.01 cron
    root 2034 0.0 0.0 48 420 C0 Is+ Fri04AM 0:00.01 /usr/libexec/getty Pc ttyC0
    root 23329 0.0 0.0 880 820 ?? Ss Fri04AM 0:18.16 sendmail: accepting connections (sendmail)
    www 8816 0.0 0.0 4528 5184 ?? Ss Fri04AM 0:08.10 httpd: parent [chroot /var/www] (httpd)
    www 7158 0.0 0.0 4960 4488 ?? I Fri04AM 0:01.23 httpd: child (httpd)
    www 30780 0.0 0.0 4936 4504 ?? I Fri04AM 0:01.18 httpd: child (httpd)
    www 432 0.0 0.0 4932 4452 ?? I Fri04AM 0:00.79 httpd: child (httpd)
    www 31496 0.0 0.0 4936 4436 ?? I Fri04AM 0:01.01 httpd: child (httpd)
    www 4692 0.0 0.0 4900 4412 ?? I Fri04AM 0:01.06 httpd: child (httpd)
    www 23742 0.0 0.0 4936 4448 ?? I Fri04AM 0:00.85 httpd: child (httpd)
    www 13186 0.0 0.0 4948 4484 ?? I Fri04AM 0:01.26 httpd: child (httpd)
    www 18151 0.0 0.0 4892 4308 ?? I Sun12AM 0:00.26 httpd: child (httpd)
    root 19734 0.0 0.0 464 1164 ?? Ss 5:37AM 0:00.05 sshd: suser [priv] (sshd)
    suser 2391 0.0 0.0 400 1036 ?? S 5:37AM 0:00.02 sshd: suser@ttyp0 (sshd)
    suser 14872 0.0 0.0 400 320 p0 Ss 5:37AM 0:00.03 -ksh (ksh)
    root 1 0.0 0.0 336 200 ?? Is Fri04AM 0:00.03 /sbin/init
    <suser@silver:/home/suser:3>$ w
     5:37AM up 5 days, 1:35, 0 users, load averages: 0.42, 0.16, 0.10
    USER TTY FROM LOGIN@ IDLE WHAT
    <suser@silver:/home/suser:4>$ w
     5:37AM up 5 days, 1:36, 1 user, load averages: 0.38, 0.15, 0.10
    USER TTY FROM LOGIN@ IDLE WHAT
    suser p0 192.168.25.104 5:37AM 0 w
    <suser@silver:/home/suser:5>$ w
     5:37AM up 5 days, 1:36, 1 user, load averages: 0.35, 0.15, 0.10
    USER TTY FROM LOGIN@ IDLE WHAT
    suser p0 192.168.25.104 5:37AM 0 w
    <suser@silver:/home/suser:6>$

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
