
Re: /dev/shm/r?



Although it's worse if an attacker has root, don't think that just because
the attacker doesn't have root, it's no big deal.  If an attacker can run
(even as an ordinary user) unauthorized software on your machine, then
your machine may be part of a botnet.  And having unauthorized user access
to a machine leaves the door open for trojan horse type programs which may
give the user root access.  Finally, depending on the user account which
is compromised, the attacker may already have access to sensitive data.

Don't obsess on root access.  Any unauthorized use is a problem.

     --- Wade

On Tue, June 2, 2009 00:35, Guntram Trebs wrote:
> Izak Burger wrote:
>> On Mon, Jun 1, 2009 at 12:26 PM, Vladislav Kurz
>>
>> I agree, chances are the box hasn't been exploited just yet, but I
>> would be worried about just how he got that file there in the first
>> place. We know that directory is world writable, so it could have been
>> written by anything, but what? Sometimes the ownership of the file
>> will give it away, for example, if the file is owned by www-data, you
>> know some exploit in apache (usually php!) was used to gain file
>> system access.
>>
> Yes, chances are, that it's just some insecure script in a webspace. Not
> good, but if you are a webservice provider, you always have some special
> customer.
> I even know companies which buy a cms and don't think of who cares for
> it over the time as long as it's running ...
>
> On the other hand, you should keep in mind, that it could be someone who
> has gained root privileges and hides some of his activities. If he is
> root, then there has to be some other traces left of him.
>
> So you should collect other information:
>  - lsof and /proc, if you find suspicious processes
>  - intrusion detection software
>  - logfile scanning software and manual examining log files including
> firewall logs
>
> A good point is when you can trace times of activity. But always keep in
> mind, that the information could be wrong.
>
> --
> Guntram Trebs
> freelance programmer and administrator
>
> gt@trebs.net
> +49 (30) 42 80 61 55
> +49 (178) 686 77 55
>
>
>


-- 
Wade Richards  (wade@wabyn.net)
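The triage that Izak and Guntram describe above (look at who owns the file in the world-writable directory, then use lsof and /proc to find the process that put it there) as a small shell helper. This is an added example, not a script from the thread or from Debian; it assumes a Linux /proc layout, GNU/busybox `stat -c`, and an installed `lsof`. The /proc walk flags processes whose executable, working directory or an open descriptor points into /dev/shm, and also executables marked "(deleted)", which is what an unlinked dropped binary looks like.

```shell
#!/bin/sh
# Added example: triage an unexpected file under /dev/shm.
# Assumptions (not from the thread): Linux /proc, stat -c (GNU or busybox), lsof.
SHM_DIR="${SHM_DIR:-/dev/shm}"
PROC_DIR="${PROC_DIR:-/proc}"

# Owner, mode and mtime of every entry in the shared-memory directory.
# The owner hints at the entry vector (www-data => a web application).
shm_owners() {
    dir="${1:-$SHM_DIR}"
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue
        stat -c '%U:%G %a %y %n' "$f"
    done
}

# Processes with anything open under the directory (lsof +D recurses).
# Run as root, otherwise only your own processes are visible.
shm_open_files() {
    lsof +D "${1:-$SHM_DIR}" 2>/dev/null
}

# Walk /proc and print one line per suspicious pid: exe, cwd or an open
# fd inside the shared-memory directory, or an exe that was unlinked.
# Unreadable entries (other users' processes when not root) are skipped.
proc_suspects() {
    proc="${1:-$PROC_DIR}"
    shm="${2:-$SHM_DIR}"
    for p in "$proc"/[0-9]*; do
        pid="${p##*/}"
        exe=$(readlink "$p/exe" 2>/dev/null)
        cwd=$(readlink "$p/cwd" 2>/dev/null)
        case "$exe" in
            "$shm"/*|*" (deleted)") echo "$pid exe=$exe"; continue ;;
        esac
        case "$cwd" in
            "$shm"|"$shm"/*) echo "$pid cwd=$cwd"; continue ;;
        esac
        for fd in "$p"/fd/*; do
            t=$(readlink "$fd" 2>/dev/null) || continue
            case "$t" in
                "$shm"/*) echo "$pid fd=$t"; break ;;
            esac
        done
    done
}

# Full triage pass; run as: sh triage.sh --run   (as root for complete output)
triage() {
    echo "== files in $SHM_DIR"; shm_owners "$SHM_DIR"
    echo "== open files (lsof)";  shm_open_files "$SHM_DIR"
    echo "== /proc suspects";     proc_suspects "$PROC_DIR" "$SHM_DIR"
}

if [ "${1:-}" = "--run" ]; then
    triage
fi
```

Treat a hit as a lead, not a verdict: a legitimate daemon may keep a segment in /dev/shm, and, as Guntram notes, an attacker with root can make /proc and lsof lie, so cross-check timestamps against the web server and firewall logs.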


