Re: /dev/shm/r?

To: Johann Spies <jspies@sun.ac.za>
Cc: debian-security@lists.debian.org
Subject: Re: /dev/shm/r?
From: Izak Burger <isburger@gmail.com>
Date: Tue, 2 Jun 2009 08:32:10 +0200
Message-id: <[🔎] e2e2e5500906012332g54e96eadk6195af7c837a2c84@mail.gmail.com>
In-reply-to: <[🔎] 200906011226.49721.vladislav.kurz@webstep.net>
References: <[🔎] 20090601084652.GA22462@sun.ac.za> <[🔎] 200906011226.49721.vladislav.kurz@webstep.net>

On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz
<vladislav.kurz@webstep.net> wrote:
> Well, this really looks suspicious. Look for unexpected processes running,
> open ports, etc. Directory /dev/shm/ is world-writable like /tmp, so chances
> are that the attacker did not gain root yet. But he might have shell
> listening on some port and trying hard to get root using some local exploit.

I agree, chances are the box hasn't been exploited just yet, but I
would be worried about just how he got that file there in the first
place. We know that directory is world writable, so it could have been
written by anything, but what? Sometimes the ownership of the file
will give it away, for example, if the file is owned by www-data, you
know some exploit in apache (usually php!) was used to gain file
system access.

Reply to:

Follow-Ups:
- Re: /dev/shm/r?
  - From: Guntram Trebs <gt@trebs.net>

References:
- /dev/shm/r?
  - From: Johann Spies <jspies@sun.ac.za>
- Re: /dev/shm/r?
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>

Prev by Date: Re: vserver path leak?
Next by Date: Re: /dev/shm/r?
Previous by thread: Re: /dev/shm/r?
Next by thread: Re: /dev/shm/r?
Index(es):
- Date
- Thread