Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: cron exploit?

From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Wed, 01 Oct 2003 21:37:53 -0700
I would love to do this as well, but it'd be of little use since it's a
web hosting situation and we obviously can't control the scripts that
are run and certainly can't limit write permissions to people's home
directories...

On Tue, 2003-09-30 at 16:19, Vinicius Moreira Mello wrote:

Jeremy,

      May be it exploits an improper tmp file created by an application run
by root or an improper file permission that you haven't noticed.
Something I always do in systems that users log into is mounting
/tmp,/var with nodev,nosuid,noexec permissions, removing the compiler
and unsetting the suid bit of many executables, including crontab.

Gook luck,

--
Vinicius

Jeremy Hanmer wrote:
 > Unfortunately, the permissions were all fine.  The user apparently poked
 > around cron.daily, but there isn't any evidence that they were ever able
 > to successfully modify anything in there.  All files (and the directory
 > itself) were owned by root.root, and all were 755.  The *only* file
 > found modified by tripwire was /sbin/init.  Nothing else in any library
 > paths, bin paths, or /etc had been touched.
 >


---------------------------------------------------------------------------
----------------------------------------------------------------------------





---------------------------------------------------------------------------
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: