Re: /dev/shm/r?



On Tue, Jun 2, 2009 at 6:42 PM, Wade Richards <wade@wabyn.net> wrote:
> Don't obsess on root access.  Any unauthorized use is a problem.

You are right of course. Right after I sent my message saying that
"perhaps the machine hasn't been exploited yet" I realised how wrong
such a view is. Someone gained access to an area they should not have
had access to; it has been exploited already.

I have been fortunate enough to only be in this situation twice in the
last ten years. The first time was due to a weak password, and luckily
our attacker only installed an irc bouncer (renamed to "bash" so it
wouldn't stand out in a process listing). We could literally get away
with not reinstalling the entire machine, because the damage was
limited to one user account (yes, we did check for replaced binaries
:-) ).

The second time was caused by a php hosting control panel, which gave
the attackers (Turkish crackers unhappy with that Danish cartoon) the
ability to create ftp accounts and deface websites. Once again, the
damage was limited and we got away without a full reinstall. It was in
this sense that I hoped Johann (a former colleague of mine) might be
lucky enough to get away with limited damage.

Wait, there was a third time. On a CentOS box, I found a core file in
/etc/cron.d. I immediately realised what it was, as I had had an argument
about which kernel versions are affected with someone just the previous
week (thread here:
http://lists.clug.org.za/pipermail/clug-tech/2006-July/032952.html).
In this case, we eventually found that a former employee of the
organisation tried several exploits on the machine and left some
tell-tale signs behind. In this instance, though it seemed none of the
exploits succeeded, we decided to trash the CentOS install and move to
Debian :-)

In any case, enough about me. Good luck Johann, and I look forward to
more information on exactly what happened here.

regards,
Izak