Security Incidents mailing list archives

Re: cron exploit?
From: Jeremy Hanmer <jeremy () hq newdream net>
Date: Wed, 01 Oct 2003 21:37:53 -0700

On Mon, 2003-09-29 at 14:24, Matt Zimmerman wrote:
On Mon, Sep 29, 2003 at 11:55:22AM -0700, Jeremy Hanmer wrote:

Did the file 'mkwebuserlist' exist?  Is it a local script?  It is always
possible that these particular modifications were reversed after the exploit
was successful, or that your tripwire database was compromised.

No, that file didn't exist.  In fact, the only part of that script that
was actually recovered was the source code mentioned (which while
generic, was formatted identically so I assumed that was the source of
the code).  The tripwire database being compromised is not a possibility
as it resides in an external database heavily separated from the machine
in question.

Assuming those commands were run interactively (and they certainly look like
it, since vi(1) etc. were used), then there is no reason the intruder would
continue executing these commands if they were failing.  It seems likely
that the "echo ... >> mkwebuserlist" succeeded.

