|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: cron exploit?
From: Jeremy Hanmer (jeremy
hq.newdream.net)
Date: Wed Oct 01 2003 - 23:37:53 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I would love to do this as well, but it'd be of little use since it's a
web hosting situation and we obviously can't control the scripts that
are run and certainly can't limit write permissions to people's home
directories...
On Tue, 2003-09-30 at 16:19, Vinicius Moreira Mello wrote:
> Jeremy,
>
> May be it exploits an improper tmp file created by an application run
> by root or an improper file permission that you haven't noticed.
> Something I always do in systems that users log into is mounting
> /tmp,/var with nodev,nosuid,noexec permissions, removing the compiler
> and unsetting the suid bit of many executables, including crontab.
>
> Gook luck,
>
> --
> Vinicius
>
> Jeremy Hanmer wrote:
> > Unfortunately, the permissions were all fine. The user apparently poked
> > around cron.daily, but there isn't any evidence that they were ever able
> > to successfully modify anything in there. All files (and the directory
> > itself) were owned by root.root, and all were 755. The *only* file
> > found modified by tripwire was /sbin/init. Nothing else in any library
> > paths, bin paths, or /etc had been touched.
> >
>
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------
>
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]