Full Disclosure mailing list archives
Re: Automated ssh scanning
From: Deigo Dude <deigodude () aol com>
Date: Thu, 26 Aug 2004 14:06:09 -0400
Maybe running this test again, and this time removing the setuid bit from any programs that don't really need it. Then youd have a smaller attack vector (the few setuid binaries that are left, and the kernel, since we know it isn't an ssh exploit and you said that was the only service you were running.)
dufresne () winternet com wrote:
On Thu, 26 Aug 2004, Todd Towles wrote:Hey Ron, Guest isn't a admin so they let the tool get in. But the real questions is, how does it get root access on a fully patched server? It appears to use a local exploit to gain root access. This is a problem.The better question to ask is; on a fully patched *nix system, which apps are not exploitable to gain elivated privledge. KDE, GNOME, other X apps are prime targets, as well as things like vi, jed, etc. The smaller number on a fully installed system is going to be those apps that have either been audited to the point all overflows have been fixed. Now, how they gained root is likely in the logs or .history files, if they have not been removed or truncated in the exploitation. System forensics is the key to trying to track this down on the server i question and is a whole area unto itself in systems security. Thanks, Ron Dufresne ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Automated ssh scanning, (continued)
- Re: Automated ssh scanning Jan Luehr (Aug 26)
- RE: Automated ssh scanning Todd Towles (Aug 26)
- RE: Automated ssh scanning Todd Towles (Aug 26)
- Re: Automated ssh scanning KF_lists (Aug 26)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)
- Re: Automated ssh scanning Valdis . Kletnieks (Aug 26)
- RE: Automated ssh scanning Ron DuFresne (Aug 26)
- Re: Automated ssh scanning Deigo Dude (Aug 26)
- Re: Automated ssh scanning KF_lists (Aug 26)
- RE: Automated ssh scanning Todd Towles (Aug 26)
- Re: Automated ssh scanning Tremaine (Aug 26)
- Re: Automated ssh scanning Deigo Dude (Aug 26)
- Re: Automated ssh scanning Gary E. Miller (Aug 26)
- Re: Automated ssh scanning Ron DuFresne (Aug 26)
- Re: Automated ssh scanning VeNoMouS (Aug 26)
- Re: Automated ssh scanning Tremaine (Aug 27)
- Re: Automated ssh scanning Tremaine (Aug 26)
- Re: Automated ssh scanning Ng Pheng Siong (Aug 26)
- Malware can silently open holes in SP2 Firewall jklemenc (Aug 26)