Re: [cobalt-users] Raq2 Hack
- Subject: Re: [cobalt-users] Raq2 Hack
- From: flash22@xxxxxxx
- Date: Sun Aug 19 05:55:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sun, 19 Aug 2001, Hacked Raq2 wrote:
> on 8/19/01 1:27 PM, flash22@xxxxxxx at flash22@xxxxxxx wrote:
>
> >> Here are a list of the files he put into /tmp:
> >>
> >> echo "[icesk] createing suid shellscript"
> >> echo <<EOF > /tmp/suid.sh
> >> #!/bin/sh
> >> cp /bin/sh /tmp/sh;chmod +s /tmp/sh
> >
> > Hmm, this isn't supposed to work on raq2's anymore, one of the updates was
> > supposed to remove the sticky bit from /tmp
>
> Here's the permissions of my /tmp directory.
>
> drwxrwxrwt 2 root root 3072 Aug 19 14:01 tmp
>
> Do you think he was able to spawn a shell? I assume that he was, otherwise,
> how would he be able to untar the various programs in /tmp?
He can untar anything he wants in /tmp; that doesn't mean he gets any
special permissions there. If you don't have a root-owned 'sh' in there,
it didn't work, since he only had user access as the httpd user, and httpd
isn't in anyone else's 'special' groups (e.g. wheel). I doubt his hack really
worked; however, you should assume data integrity on the server is
suspect, since he had read access to most things... (.htpasswd etc.)
I think the exploit was probably supposed to use the existing sendmail on
the machine, which is running as a privileged user. You didn't have that
version, so he uploaded the version he wanted, but without installing it
properly all he got was a sendmail that ran as httpd, so it didn't have
any permissions to give away. I think he was somewhat confused ;)
You should also be looking at last-access times on the server, btw; that
will tell you what he looked at, possibly modified, etc. But from a
security point of view you should generally assume the worst and hope for
the best; it's best to be a pessimist ;) [e.g. change all your passwords,
possibly even think about reinstalling the main server software unless you
are damned sure nothing was touched]
gsh
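The two checks gsh suggests above (is there a root-owned setuid 'sh' in /tmp, and what was accessed or modified when) as an added Python triage script; this is example code written for this thread, not anything from the list or from Cobalt, and it builds a constructed stand-in directory instead of scanning the real /tmp so it can be run anywhere.

```python
import os
import stat
import tempfile

def _regular_files(root):
    """Yield (path, stat) for regular files under root; lstat so planted symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st

def find_setid_files(root):
    """Every regular file under root carrying the setuid or setgid bit, with owner and timestamps."""
    return [{"path": p, "uid": st.st_uid, "root_owned": st.st_uid == 0,
             "setuid": bool(st.st_mode & stat.S_ISUID), "setgid": bool(st.st_mode & stat.S_ISGID),
             "mtime": st.st_mtime, "atime": st.st_atime}
            for p, st in _regular_files(root) if st.st_mode & (stat.S_ISUID | stat.S_ISGID)]

def escalation_succeeded(hits):
    """suid.sh only pays off if the copied sh is setuid AND root-owned; a setuid file owned by httpd grants nothing extra."""
    return any(h["setuid"] and h["root_owned"] for h in hits)

def touched_since(root, since_epoch):
    """Paths whose last access or modification is at or after since_epoch: the 'last-access times' triage."""
    return sorted(p for p, st in _regular_files(root) if max(st.st_atime, st.st_mtime) >= since_epoch)

def build_sample_dir():
    """Constructed stand-in for /tmp: a setuid 'sh' plus an ordinary tarball, owned by whoever runs this."""
    root = tempfile.mkdtemp(prefix="raq2tmp_")
    sh = os.path.join(root, "sh")
    with open(sh, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(sh, 0o4755)   # the 'chmod +s' the attacker's script attempts
    with open(os.path.join(root, "tools.tar"), "wb") as f:
        f.write(b"not really a tar\n")
    return root

if __name__ == "__main__":
    root = build_sample_dir()
    hits = find_setid_files(root)
    for h in hits:
        print(h["path"], "uid=%d" % h["uid"], "root-owned" if h["root_owned"] else "NOT root-owned")
    print("privilege escalation succeeded:", escalation_succeeded(hits))
```

Run as an ordinary user the sample 'sh' is setuid but not root-owned, which is exactly the "it didn't work" case described above; point `find_setid_files` and `touched_since` at the real /tmp with the intrusion date to do the actual check.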