|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: cron exploit?
From: Jeremy Hanmer (jeremy
hq.newdream.net)
Date: Wed Oct 01 2003 - 23:37:53 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 2003-09-29 at 14:24, Matt Zimmerman wrote:
> On Mon, Sep 29, 2003 at 11:55:22AM -0700, Jeremy Hanmer wrote:
> Did the file 'mkwebuserlist' exist? Is it a local script? It is always
> possible that these particular modifications were reversed after the exploit
> was successful, or that your tripwire database was compromised.
>
No, that file didn't exist. In fact, the only part of that script that
was actually recovered was the source code mentioned (which while
generic, was formatted identically so I assumed that was the source of
the code). The tripwire database being compromised is not a possibility
as it resides in an external database heavily seperated from the machine
in question.
> Assuming those commands were run interactively (and they certainly look like
> it, since vi(1) etc. were used), then there is no reason the intruder would
> continue executing these commands if they were failing. It seems likely
> that the "echo ... >> mkwebuserlist" succeeded.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]