[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    Re: cron exploit?
From:       Vinicius Moreira Mello <vinicius () lineone ! net>
Date:       2003-09-30 23:19:15
[Download RAW message or body]

Jeremy,

	May be it exploits an improper tmp file created by an application run
by root or an improper file permission that you haven't noticed.
Something I always do in systems that users log into is mounting
/tmp,/var with nodev,nosuid,noexec permissions, removing the compiler
and unsetting the suid bit of many executables, including crontab.

Gook luck,

--
Vinicius

Jeremy Hanmer wrote:
 > Unfortunately, the permissions were all fine.  The user apparently poked
 > around cron.daily, but there isn't any evidence that they were ever able
 > to successfully modify anything in there.  All files (and the directory
 > itself) were owned by root.root, and all were 755.  The *only* file
 > found modified by tripwire was /sbin/init.  Nothing else in any library
 > paths, bin paths, or /etc had been touched.
 >


---------------------------------------------------------------------------
----------------------------------------------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread]