Security Incidents mailing list archives
Re: cron exploit?
From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Wed, 01 Oct 2003 21:37:53 -0700
I would love to do this as well, but it'd be of little use since it's a web hosting situation and we obviously can't control the scripts that are run and certainly can't limit write permissions to people's home directories... On Tue, 2003-09-30 at 16:19, Vinicius Moreira Mello wrote:
Jeremy, May be it exploits an improper tmp file created by an application run by root or an improper file permission that you haven't noticed. Something I always do in systems that users log into is mounting /tmp,/var with nodev,nosuid,noexec permissions, removing the compiler and unsetting the suid bit of many executables, including crontab. Gook luck, -- Vinicius Jeremy Hanmer wrote: > Unfortunately, the permissions were all fine. The user apparently poked > around cron.daily, but there isn't any evidence that they were ever able > to successfully modify anything in there. All files (and the directory > itself) were owned by root.root, and all were 755. The *only* file > found modified by tripwire was /sbin/init. Nothing else in any library > paths, bin paths, or /etc had been touched. > --------------------------------------------------------------------------- ----------------------------------------------------------------------------
--------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- Re: cron exploit? Vinicius Moreira Mello (Oct 01)
- Re: cron exploit? Barry Fitzgerald (Oct 01)
- Re: cron exploit? Steffen Kluge (Oct 02)
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- <Possible follow-ups>
- Re: cron exploit? Jeremy Hanmer (Oct 02)
- Re: cron exploit? Matt Zimmerman (Oct 10)
- Re: cron exploit? Barry Fitzgerald (Oct 01)