[lug] R00tKIT!! Raah!

Michael Belanger mrb at ciclops.org
Tue Jun 14 17:38:10 MDT 2005

Jeff Schroeder wrote:
> Michael asked:
>>Now, here is a question, can the 'apache' user install a rootkit if
>>they are not root?
> It seems unlikely.  Perhaps there was a different path used to 
> compromise the system... maybe an SSH exploit?  Are you running other 
> services that might not have the latest security patches?  Telnet, FTP, 
> Sendmail, etc.?

All things are possible.  I do have ssh running, but I have it set up to only 
allow access with public/private keys.

-rwxrwxrwx   1 apache   apache      19242 Mar 22 14:23 r0nin
This was what I found -- which definitely points to an apache or php exploit of 
some kind.
I changed the file to 400 to prevent execution -- even accidentally.

Our tmp directories were totally overlooked.  Both are just directories under / 
and /var/.  I found a site that explains how to add a filesystem to /dev/tmpMnt 
via dd and some fancy mount options, but I don't know if that is a good long 
term solution.


Michael Belanger
CICLOPS, Space Science Institute

phone. 720-974-5853   Jabber: mrb at jabber.ciclops.org
fax.   720-974-5860
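The loopback-file approach mentioned above (a dd-created image mounted over /tmp with its own options), as an added example that is not part of the original post. It assumes a Linux host with util-linux and uses /dev/tmpMnt as the image path, as in the post; the check function reads a file in /proc/mounts format so it can be exercised against a constructed sample.

```shell
#!/bin/sh
# Added example: verify that tmp directories are separate mounts carrying
# nodev,nosuid,noexec, and show the dd + loopback mount recipe.

# tmp_mount_missing_opts MOUNTPOINT [MOUNTS_FILE]
# Prints the hardening options absent on MOUNTPOINT according to MOUNTS_FILE
# (default /proc/mounts; fields: device mountpoint fstype options ...).
# Prints "ok" when all are present, "not-mounted" when MOUNTPOINT is not a
# separate mount at all (the situation described in the post).
tmp_mount_missing_opts() {
    mp=$1; mounts=${2:-/proc/mounts}
    # Last matching line wins, so an overmount is reported correctly.
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    echo "${missing:-ok}"
    if [ -z "$missing" ]; then return 0; else return 1; fi
}

# tmp_loopback_recipe [IMAGE] [SIZE_MB]
# Emits the root-only commands for a fixed-size image file mounted over /tmp
# with restrictive options, plus the /etc/fstab line that makes it persist.
# Printed rather than executed so the recipe can be reviewed first.
tmp_loopback_recipe() {
    img=${1:-/dev/tmpMnt}   # image path from the post; any non-/tmp path works
    size_mb=${2:-256}       # example size
    cat <<EOF
dd if=/dev/zero of=$img bs=1M count=$size_mb
mkfs -t ext3 $img
mount -o loop,nodev,nosuid,noexec $img /tmp
chmod 1777 /tmp
# /etc/fstab entry:
$img /tmp ext3 loop,nodev,nosuid,noexec 0 0
EOF
}
```

With noexec on /tmp, a dropped file such as r0nin cannot be run directly from there, although a user can still copy it elsewhere or feed it to an interpreter, so treat the mount options as one layer rather than a complete fix.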

