some questions about suckit

To: debian-security@lists.debian.org
Subject: some questions about suckit
From: mi <michael.wordehoff@gmx.de>
Date: Thu, 04 Dec 2003 07:41:37 +0100
Message-id: <[🔎] 3FCED721.10807@gmx.de>
Reply-to: michael.wordehoff@gmx.de, michael.wordehoff@gmx.de

hi,
i only read the story on wiggynet.
So i'm probably not 'up to date'.
I just hope a little grain in my questions maybe helpful.
I'll join the list for some days now.

Was it suckit which made the kernel oops ? Does suckit cause oopses on
2.4.21, 2.4.22 immediateley when running ?
Murphy was the first one who showed that - but klecker was the first
with replaced init, about 2 h before.
Perhaps replacing init doesn't imply to have installed suckit ?
Murphy was oopsing first, master second - but,  10 hours later ?
Could this mean they installed suckit on master only the next day ?

If they knew about possible oopses, wouldn't they decide to use thistool only when it's worth the risk ?

(And they thought, murphy is)

But why then install suckit on the other machines later, too.
Just playing ? This would reflect the scriptkiddies theory.

Or they run out of (oopsing) time, and needed more passwords, to gainsomething else ?

This would be more serious.


--			

		mi.



Quoting Wichert's page:

 >>
2.4.22 on klecker, 2.4.21-rc2 on master and murphy and 2.4.22-rc2 on gluck
(...)
Also klecker, murphy and gluck have aide installed to monitor
filesystem changes and at around the same time [#Nov 20th i saaume
-mi]  it started warning that /sbin/init had been replaced and that
the mtime and ctime timestamps for /usr/lib/locale/en_US had changed.
(...)
On Wednesday 19th November (2003), at approximately 5pm GMT, a sniffed
password was used to access an (unprivileged) account on
klecker.debian.org. Somehow they got root on klecker and installed
suckit. The same account was then used to log into master and gain
root (and install suckit) there too. They then tried to get to murphy
with the same account. This failed because murphy is a restricted box
that only a small subset of developers can log into. They then used
their root access on master to access to an administrative account
used for backup purposes and used that to gain access to Murphy. They
got root on murphy and installed Suckit there too. The next day they
used a password sniffed on master to login into gluck, got root there
and installed suckit.
(...)
     * Klecker init timestamp: Nov 19 17:08
     * Master sk timestamp: Nov 19 17:47
     * Murphy sk timestamp: Nov 19 18:35
     * Oopses on Murphy start: Nov 19 19:25
     * Oopses on Master start: Nov 20 05:38
     * Gluck init timestamp: Nov 20 20:54
<<

Reply to:

Follow-Ups:
- Re: some questions about suckit
  - From: Michael Stone <mstone@debian.org>

Prev by Date: Re: chkrootkit and linux 2.6
Next by Date: Re: When will kernel-image-2.4.23 be available ?
Previous by thread: Re: Thanks to all
Next by thread: Re: some questions about suckit
Index(es):
- Date
- Thread