Security Incidents mailing list archives
Re: cron exploit?
From: Jeremiah Cornelius <jeremiah () nur net>
Date: Tue, 30 Sep 2003 06:13:51 -0700
On Monday 29 September 2003 15:34, Jeremy Hanmer wrote:
> What pointed me to cron were some entries in a .viminfo file located in the home directory for the Suckit rootkit that was installed. Unfortunately, that isn't very substantial to say the least. While I didn't find any evidence of the rest of that script being executed, we *did* find an exact copy of the source code mentioned in that script that'd been uploaded to /tmp shortly before init had been overwritten.
<SNIP>

I know it's all a little too late now, but for the future, I would look into making /tmp (/var/tmp ?) a separate mount. The fstab entry for this mount can be specified with the options noexec, nodev, and nosuid. This will stop a whole lot of monkey business with priv escalation.
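An added audit script in the spirit of the reply above (example code, not from the original post): it checks fstab entries for /tmp and /var/tmp and reports which of noexec, nodev and nosuid are missing, or whether the directory has no separate mount at all. The fstab text and device names are constructed samples.

```shell
# Added example, not from the original thread: audit fstab entries for /tmp
# and /var/tmp and report which of noexec, nodev, nosuid are missing.
# Constructed sample fstab: the live /tmp line is the weak setting, the
# commented line under it the hardened form the reply recommends.
SAMPLE_FSTAB='
# <device>   <mount>    <type>  <options>                      <dump> <pass>
/dev/sda1    /          ext3    defaults                       1      1
/dev/sda2    /tmp       ext3    defaults                       1      2
#/dev/sda2   /tmp       ext3    defaults,noexec,nodev,nosuid   1      2
/dev/sda3    /var/tmp   ext3    defaults,nosuid                1      2
'

# missing_opts MOUNT [FSTAB_TEXT]: print the required options absent from the
# active fstab line for MOUNT, or "nomount" if MOUNT has no entry of its own.
# Exit 0 only when the entry exists and carries all three options.
missing_opts() {
    mnt=$1
    fstab=${2:-$SAMPLE_FSTAB}
    opts=$(printf '%s\n' "$fstab" | awk -v m="$mnt" '
        $1 !~ /^#/ && $2 == m { print $4; exit }')
    if [ -z "$opts" ]; then
        echo nomount
        return 1
    fi
    missing=""
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing }$want" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# audit_fstab [FSTAB_TEXT]: check both temp directories; exit 0 only when
# each is a separate mount carrying all three options.
audit_fstab() {
    rc=0
    for m in /tmp /var/tmp; do
        result=$(missing_opts "$m" "${1:-$SAMPLE_FSTAB}") || rc=1
        case "$result" in
            "")      echo "$m: ok" ;;
            nomount) echo "$m: not a separate mount" ;;
            *)       echo "$m: missing $result" ;;
        esac
    done
    return $rc
}
audit_fstab || echo "one or more temp mounts need attention"
```

Pass the contents of the real /etc/fstab as the optional argument (for example `audit_fstab "$(cat /etc/fstab)"`) to check a live system instead of the constructed sample.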
Current thread:
- cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Pavel Kankovsky (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Barry Fitzgerald (Sep 29)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
- Re: cron exploit? Jeremiah Cornelius (Sep 30)
- Re: cron exploit? Tim Greer (Sep 30)
- Re: cron exploit? Jeremy Hanmer (Sep 29)
- Re: cron exploit? Matt Zimmerman (Sep 29)
