| 1 |
On Thu, 29 Jul 2004 21:25:48 +0100 |
| 2 |
Rui Pedro Figueira Covelo <rpfc@××××××××××××.pt> wrote: |
| 3 |
|
| 4 |
> -----BEGIN PGP SIGNED MESSAGE----- |
| 5 |
> Hash: SHA1 |
| 6 |
> |
| 7 |
> I noticed that the .bash_history it's from the root account. Not guest |
| 8 |
> or test. If this .bash_history is real, the fact that someone got root |
| 9 |
> proves that someone used an exploit rather than guessing a weak password |
| 10 |
> of a guest or test account, right? |
| 11 |
> |
| 12 |
|
| 13 |
The listing at |
| 14 |
|
| 15 |
http://www.mail-archive.com/debian-user%40lists.debian.org/msg110879.html |
| 16 |
|
| 17 |
shows a tool called "brk" use by the intruder. It's still online, and |
| 18 |
seems to be the infamous do_brk() exploit. |
| 19 |
|
| 20 |
Obviously the attacker is using those weird accounts to get unpriviliged |
| 21 |
acces and in then trying to become root through the do_brk() vulnerability |
| 22 |
found in older kernels. |
| 23 |
|
| 24 |
Two separate weaknesses, nothing to fear for an up to date system. |
| 25 |
|
| 26 |
Regards |
| 27 |
|
| 28 |
-- |
| 29 |
gentoo-security@g.o mailing list |
Archives