Re: Big Website Hack Documented
From: Soeren Bleikertz (soeren@geekgate.org)
Date: 03/25/03
- In reply to: Colnel Panic: "Big Website Hack Documented"
From: Soeren Bleikertz <soeren@geekgate.org> Date: Tue, 25 Mar 2003 19:18:13 +0100
On Tue, 25 Mar 2003 00:54:54 GMT, Colnel Panic wrote:
> chuckwest.org
>
[snip]
> rm -rf km3
>
How?
It seems that the cracker used the kmod/ptrace bug in Linux 2.2/2.4. One
sample exploit is named "km3.c"; you see this name in the rm command. Also the
export, reset and id commands are typical for the km3 exploit. Take a
look at the Bugtraq message by 'Andrzej Szombierski <qq@kuku.eu.org>' on 19
Mar 2003.
But it's just a local bug, so the cracker had to gain access to
your host in another way. Probably he only reached a non-privileged
account by exploiting a net service and used the km3 exploit to get
root.
You should patch your kernel (Alan released a first patch for this
vuln) or just disable kmod support in your kernel.
-Soeren
-- Soeren Bleikertz soeren[at]geekgate.org http://soeren.geekgate.org