[lug] R00tKIT!! Raah!
mrb at ciclops.org
Tue Jun 14 17:38:10 MDT 2005
Jeff Schroeder wrote:
> Michael asked:
>>Now, here is a question, can the 'apache' user install a rootkit if
>>they are not root?
> It seems unlikely. Perhaps there was a different path used to
> compromise the system... maybe an SSH exploit? Are you running other
> services that might not have the latest security patches? Telnet, FTP,
> Sendmail, etc.?
All things are possible. I do have ssh running, but I have it set up to only
allow access with public/private keys.
-rwxrwxrwx 1 apache apache 19242 Mar 22 14:23 r0nin
This was what I found -- which definitely points to an apache or php exploit of
I changed the file to 400 to prevent execution -- even accidentally.
our tmp directories were totally overlooked. Both are just directories under /
and /var/. I found a site that explains how to add a filesystem to /dev/tmpMnt
via dd and some fancy mount options, but I don't know if that is a good long
CICLOPS, Space Science Institute
phone. 720-974-5853 Jabber: mrb at jabber.ciclops.org
The Sender and Cassini Imaging Central Laboratory for Operations
accepts no liability for the content of this email, or for the
consequences of any actions taken on the basis of the information
provided, unless that information is subsequently confirmed in
writing. If you are not the intended recipient you are notified
that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.
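The tmp hardening Michael mentions (a file-backed filesystem at /dev/tmpMnt, mounted over /tmp with restrictive options), written out as an added example; this is not code from the post or the site it refers to. The path /dev/tmpMnt comes from the post; the ext3 filesystem type, the 512 MB size, and the function names are assumptions. The script prints the setup commands rather than running them, and then checks a /proc/mounts-style table to confirm that /tmp actually carries noexec, nosuid and nodev, which is the check worth repeating after every reboot.

```shell
#!/bin/sh
# Added example, not from the original post: back /tmp with a file-based
# filesystem mounted noexec,nosuid,nodev, and verify the live mount options.
# /dev/tmpMnt is the path named in the post; size, fs type and function
# names are assumptions.

TMP_IMAGE=/dev/tmpMnt            # backing file named in the post
TMP_SIZE_MB=512                  # assumed size
REQUIRED_OPTS="noexec nosuid nodev"

# Print the one-time setup commands (run as root after reviewing them).
# mke2fs -j creates ext3; the loop option mounts the image file.
tmp_setup_commands() {
    cat <<EOF
dd if=/dev/zero of=$TMP_IMAGE bs=1M count=$TMP_SIZE_MB
mke2fs -j -F $TMP_IMAGE
mount -o loop,noexec,nosuid,nodev $TMP_IMAGE /tmp
chmod 1777 /tmp
EOF
}

# The /etc/fstab entry that makes the mount persistent across reboots.
tmp_fstab_line() {
    printf '%s /tmp ext3 loop,noexec,nosuid,nodev 0 0\n' "$TMP_IMAGE"
}

# Read a /proc/mounts-style table on stdin and report whether the mount
# point given as $1 carries every option in REQUIRED_OPTS. Returns 1 and
# names the missing options if any are absent, or if the path is not a
# mount point at all (then it silently inherits the parent's options).
check_mount_opts() {
    mountpoint=$1
    opts=$(awk -v mp="$mountpoint" '$2 == mp { print $4; exit }')
    if [ -z "$opts" ]; then
        echo "$mountpoint: not a separate mount (options inherited from parent)"
        return 1
    fi
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mountpoint: missing$missing"
        return 1
    fi
    echo "$mountpoint: ok ($opts)"
    return 0
}

# Constructed sample mount tables (not output from any real host).
HARDENED_MOUNTS='/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda1 / ext3 rw 0 0'
WEAK_MOUNTS='/dev/loop0 /tmp ext3 rw,nosuid 0 0
/dev/sda1 / ext3 rw 0 0'

# Stand-alone run: show the setup, then check the samples and, if present,
# the live system. Calls sit in if-statements so a failing check reports
# instead of aborting the script.
tmp_setup_commands
tmp_fstab_line
if echo "$HARDENED_MOUNTS" | check_mount_opts /tmp; then :; fi
if echo "$WEAK_MOUNTS" | check_mount_opts /tmp; then :; fi
if [ -r /proc/mounts ]; then
    if check_mount_opts /tmp < /proc/mounts; then :; fi
fi
```

noexec stops a dropped binary such as the r0nin file from being executed directly, but it does not stop an interpreter from reading a script out of /tmp (`sh /tmp/x` or `perl /tmp/x` still run), so the mount options reduce the attack surface rather than close it; the check above is still worth running at boot because a mount that fails quietly leaves /tmp as a plain directory with the root filesystem's options.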