
Re: Break-in attempts to Linux host



UF>> Just to calm down everyone, the PC-Week security hole exploited
UF>> was due to a commercial CGI script. This specific security hole
UF>> is NOT present in a normal Redhat installation (although I bet
UF>> there are other holes waiting to be found and exploited...).

Exactly. In the course of the crack he used one of the holes (a local
crontab exploit) which *is* present on Redhat 6.0, and a fix was out by 26
August (the same day it was published), but obviously nobody at PCWeek
cared to apply it. And without this hole the guy would have got as much as
the "nobody" account, which basically gives nothing - unless you have a
local exploit ready. I do not say that a simple tripwire installation would
go wild in the middle of the crack attempts and the admins would know
something wrong was going on.

BTW, I tried the exploit on one unpatched machine, and it didn't work. Seems
that either the shellcode is tied to a particular compilation of cron, or
something was basically wrong with the exploit.
-- 
frodo@sharat.co.il	\/  There shall be counsels taken
Stanislav Malyshev	/\  Stronger than Morgul-spells
phone +972-3-9316425	/\  		JRRT LotR.
http://sharat.co.il/frodo/	whois:!SM8333
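The post mentions that a tripwire installation would have flagged the break-in. The block below is an added illustration of what such a check does (it is not code from the linux-il thread, and not from the Tripwire project): it records a baseline of file digests and ownership/mode metadata while the host is believed clean, then re-walks the tree and reports what was added, removed or modified. The directory layout, file contents and the simulated "intruder" changes (a replaced crond binary, a dropped setuid shell, a deleted log) are constructed in a temporary directory purely for the demo.

```python
"""Minimal tripwire-style integrity check (added illustration, not code from
the linux-il thread or from Tripwire itself).  A baseline of file digests and
metadata is recorded while the host is known-good; later runs compare the
live filesystem against it and report added, removed and modified files,
which is how a trojaned cron binary or a new setuid shell would show up."""

import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """SHA-256 plus the metadata an intruder usually has to change (mode,
    owner, size).  mtime is deliberately excluded: it is trivially reset with
    touch(1) and would only add noise to the report."""
    st = path.lstat()
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        # Hash the link target, not the file it points to.
        h.update(os.readlink(path).encode())
    else:
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(root: str) -> dict:
    """Walk `root` and fingerprint every regular file and symlink."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or p.is_file():
                baseline[str(p.relative_to(root))] = _fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the three change sets an integrity report is built from."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, dest: str) -> None:
    """Write the baseline as JSON.  In real use this file (or at least its
    own digest) must live where the attacker cannot write, e.g. read-only
    media or a remote host; a baseline kept on the compromised box proves
    nothing."""
    with open(dest, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def demo() -> dict:
    """Constructed scenario (hypothetical data): take a baseline, then
    simulate an intruder who replaces a binary, drops a setuid shell and
    deletes a log file."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "sbin").mkdir()
        (Path(root) / "var").mkdir()
        (Path(root) / "sbin" / "crond").write_bytes(b"\x7fELF original crond")
        (Path(root) / "var" / "messages").write_text("Aug 26 cron started\n")
        before = build_baseline(root)

        # Simulated compromise.
        (Path(root) / "sbin" / "crond").write_bytes(b"\x7fELF trojaned crond")
        (Path(root) / "sbin" / "sh").write_bytes(b"\x7fELF rootshell")
        os.chmod(Path(root) / "sbin" / "sh", 0o4755)
        (Path(root) / "var" / "messages").unlink()
        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The report from `demo()` lists `sbin/crond` as modified, `sbin/sh` as added and `var/messages` as removed. Note what the tool cannot do: it only detects changes made after the baseline was taken, so a baseline recorded on a box that is already running with an unpatched local root hole gives no assurance about anything the intruder did before that point.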


