
root compromise on debian woody



Hi all,

   One of my machines running debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit etc.

   Looking through the evidence left behind (bash_history etc.) I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user, and it works on two test systems I tried -- one woody and one redhat 7.2.

I have taken the system off the net and am in the process of re-installing, but the existence of such an easy to use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker, I'm pretty clueless as to how the exploit works. Although I am pretty well familiar with Linux and have been running servers for several years, this is the first time facing a root exploit, so I'm rather clueless as to what to do.

Any advice would be highly appreciated.

Thanks,

Selva Nair
