Re: Weird server mystery: self-reset, mostly
On Thu, 27 Jan 2011, elbbit wrote:
> On 27/01/11 16:21, will trillich wrote:
> > That's quite an assertion. How can I confirm it HAS been compromised, as
> > opposed to thinking it's a possibility?
>
> There is no way to know for sure unless you dissect the code running the
> machine. Depending on your paranoia quotient you will either reinstall
> or not.
The kernel complained that something tried a segfault, with a known marker
(i.e the segfault was NOT in error, it was on purpose). Then it told is it
autoloaded support for pf-net-5: AppleTalk.
What is weird is that someone would do that running an exploid named
"exploit". Oh well. That's also in the segfault report.
Bugs in the appletalk implementation gives you ring-0 shellcode access on
the kernel that box is running by its uptime.
This did not happen by accident. Unless a local administrator ran the
exploit himself to check whether the system was vulnerable or not (it was),
then it means someone got enough access to attack the system, i.e. it is
compromised.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: