Re: cron exploit?
From: Matt Zimmerman (mdz_at_debian.org)
Date: 09/29/03
- Previous message: Pavel Kankovsky: "Re: cron exploit?"
- In reply to: Jeremy Hanmer: "cron exploit?"
- Next in thread: Jeremy Hanmer: "Re: cron exploit?"
- Reply: Jeremy Hanmer: "Re: cron exploit?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Sep 2003 13:30:24 -0400 To: Incidents <incidents@securityfocus.com>
On Sun, Sep 28, 2003 at 03:09:01PM -0700, Jeremy Hanmer wrote:
> We just had a Debian (Woody) box get rooted, apparently by a cron
> exploit mentioned here: http://www.codon.org.uk/~mjg59/kern/jmb73bash
>
> We've contacted the package maintainer, but has anybody else seen
> anything like this floating around yet? It's pretty worrisome since we
> have a couple hundred linux boxes that must run cron for various
> reasons.
As I said before, there is no evidence here of a cron exploit, and it raises
unnecessary alarm to claim that there is one. It looks like you had a
world-writable script (or a script owned by the unprivileged user who was
exploited) in /etc/cron.daily, and so the intruder modified that script in
order to execute commands as root.
All signs point to a local configuration error.
> echo chown root:root /tmp/rmsd >> mkwebuserlist
> echo chmod 4755 /tmp/rmsd >> mkwebuserlist
-- - mdz --------------------------------------------------------------------------- ----------------------------------------------------------------------------
- Previous message: Pavel Kankovsky: "Re: cron exploit?"
- In reply to: Jeremy Hanmer: "cron exploit?"
- Next in thread: Jeremy Hanmer: "Re: cron exploit?"
- Reply: Jeremy Hanmer: "Re: cron exploit?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
