
Re: Hacker Script Attempt



Gene Grimm wrote:
> The following message was received by our admin account after finding an
> intrusion (followed by rotating shell account passwords). Can anyone tell me
> how to find out what devices are referenced in this message?
> 
> ----- Original Message -----
> 
> > User 501 tried to run dev 773 ino 278048 in place of dev 774 ino 310316!
> > (Filename of set-id script was ./none

These aren't devices. To uniquely identify a file in Unix you need to
provide only the device it is on and the inode of the device that the
file occupies, and that's what the numbers are. Comes right out of
stat(2).

This is suidperl detecting an attempt to exploit a common Unix race
condition dealing with executing suid scripts. Or they might have really
been trying to exploit an old security hole in suidperl's checks for
that race condition. See perlsec(1) under "Security Bugs" for details.

-- 
see shy jo
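
Resolving a device/inode pair like the ones in the suidperl message back to path names, as an added example that is not part of the original message. The function names are hypothetical, the scratch tree is constructed for the demonstration, and the major/minor split assumes the traditional 16-bit Linux dev_t layout.

```python
import os
import tempfile

def legacy_major_minor(dev):
    # Assumption: traditional 16-bit Linux dev_t (high byte major, low byte minor).
    return dev >> 8, dev & 0xFF

def find_by_dev_ino(root, dev, ino):
    """Return sorted paths under root whose (st_dev, st_ino) equals (dev, ino)."""
    matches = []
    # os.walk does not descend into symlinked directories by default;
    # directories that cannot be read are skipped instead of aborting the scan.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: describe the entry itself, not a link target
            except OSError:
                continue             # entry vanished or is unreadable
            if (st.st_dev, st.st_ino) == (dev, ino):
                matches.append(path)  # hard links give several names for one inode
    return sorted(matches)

def demo():
    # Constructed sample: one script, a hard link to it, and a symlink to it.
    with tempfile.TemporaryDirectory() as top:
        script = os.path.join(top, "script.pl")
        with open(script, "w") as fh:
            fh.write("#!/usr/bin/perl\n")
        os.mkdir(os.path.join(top, "sub"))
        os.link(script, os.path.join(top, "sub", "alias.pl"))  # same inode, second name
        os.symlink(script, os.path.join(top, "pointer.pl"))    # separate inode
        st = os.stat(script)
        found = find_by_dev_ino(top, st.st_dev, st.st_ino)
        return [os.path.relpath(p, top) for p in found]

if __name__ == "__main__":
    # The two device numbers reported in the message, split under the stated assumption.
    print(legacy_major_minor(773), legacy_major_minor(774))
    print(demo())
```

Run against a real system, the search root should be the mount point of the filesystem whose st_dev matches the reported device number, since inode numbers are only unique within one filesystem.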


