[lug] root password

bgiles at coyotesong.com bgiles at coyotesong.com
Thu Aug 3 13:38:32 MDT 2006

An apache exploit, e.g., that mod_ssl one a few years ago, will get you a
local process.  That local process can attempt local, not remote, root
exploits.  It can also cause damage as a regular account, e.g., setting up
a DDOS or spam server.

Given root access, you don't need to crack /etc/shadow.  You just replace
a critical file or two and hope that nobody notices.  /bin/login,
/bin/passwd, add a new PAM module,....

This isn't all theoretical -- one of the Red Hat systems I inherited a
while back had been compromised by several different parties.  The most
recent one had used mod_ssl to insert an IRC server, but fortunately
nothing else.  An earlier exploit had replaced /etc/passwd so it would
send off a message with your new password every time you changed it.  It
was fun to explain to my boss that I had found clear evidence of at least
three separate - and successful - attacks.


More information about the LUG mailing list