The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Tuesday, May 02, 2006

Another one for the Cracker Files …

/*
* expand_stack SMP race local root exploit
*
* Copyright (C) 2005 Christophe Devine and Julien Tinnes
*
* This program is quite unreliable - you may have to run it
* several times before getting a rootshell. It was only tested
* so far on a bi-xeon running Debian testing / Linux 2.4.29-rc1.
*
* Vulnerability discovered by Paul Starzetz <ihaquer at isec.pl>
* http://www.isec.pl/vulnerabilities/isec-0022-pagefault.txt

Nice try, I'll give them that.

I got a call from Dan the network engineer that a machine I manage had registered a large network spike overnight. When I heard that it was a large spike from the machine, I knew it wasn't a DoS attack, but that the machine was probably participating in one.

I unplugged the machine from the network, then logged in from the console. I was able to find the rogue process (masquerading as an Apache process—nice job!) listening on some randomly picked port, giving anyone that connected to that port a command line:

#!/usr/bin/perl
# Telnet-like Standard Daemon 1.0
#
#    Dark_Anjo - dark_anjo666@hotmail.com
#            - dark_anjo@nucleozero.com.br
#            - www.xn.rg3.net
#            - www.red.not.br/xn
#
#  For those guys that still like to open ports
#  and use non-rooted boxes
#
#  This has been developed to join in the TocToc
#  project code, now it's done and I'm distributing
#  this separated
#
#  This one i made without IO::Pty so it uses
#  only standard modules... enjoy it
#
#  tested on linux boxes.. probably will work fine on others
#  any problem... #expl0its@irc.brasnet.org
#

But fortunately, the exploit (quoted at the top) didn't work on the machine, so the shell obtained was a non-root shell.
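The tell in this incident was a listener whose reported name said "Apache" but whose binary was a Perl interpreter. The script below is an added example, not code from the original post: it cross-checks the name a process reports for itself (which any program can set) against the executable actually behind it (what /proc/<pid>/exe resolves to) and against the ports a web server is expected to bind. The `ss -tlnp` sample rows and the pid-to-executable map are constructed; `live_exe_map` reads the real /proc on a Linux host, and `audit` is a hypothetical helper name.

```python
"""Flag listening processes that masquerade as Apache (added example)."""
import os
import re
from dataclasses import dataclass, field
from os.path import basename

# Names a legitimate Apache worker reports, and the ports it is expected to bind.
APACHE_NAMES = {"httpd", "apache", "apache2"}
EXPECTED_WEB_PORTS = {80, 443}
# Interpreters that should not hold a listening socket on a web host
# unless an administrator deliberately put them there.
INTERPRETERS = {"perl", "python", "python2", "python3", "sh", "bash", "ruby"}

# One `ss -tlnp` LISTEN row: local address:port and the first users:() entry.
SS_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


@dataclass
class Finding:
    pid: int
    port: int
    comm: str
    exe: str
    reasons: list = field(default_factory=list)


def parse_ss(text):
    """Yield (port, pid, comm) for every LISTEN row in `ss -tlnp` output."""
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            yield int(m["port"]), int(m["pid"]), m["comm"]


def audit(ss_text, exe_by_pid):
    """Cross-check claimed process names against real executables and ports.

    exe_by_pid maps pid -> resolved /proc/<pid>/exe path. The name in ss
    output comes from the process itself and is freely spoofable; the exe
    link is maintained by the kernel and is not.
    """
    findings = []
    for port, pid, comm in parse_ss(ss_text):
        exe = exe_by_pid.get(pid, "<unknown>")
        exe_name = basename(exe)
        reasons = []
        if comm in APACHE_NAMES and exe_name not in APACHE_NAMES:
            reasons.append(f"claims to be {comm} but runs {exe}")
        if exe_name in INTERPRETERS:
            reasons.append(f"interpreter {exe_name} holds a listening socket")
        if comm in APACHE_NAMES and port not in EXPECTED_WEB_PORTS:
            reasons.append(f"web-server-named process on unexpected port {port}")
        if reasons:
            findings.append(Finding(pid, port, comm, exe, reasons))
    return findings


def live_exe_map():
    """Read /proc/<pid>/exe for every process (Linux only; other users'
    processes need root to resolve, unreadable ones are skipped)."""
    result = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                result[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:
                pass
    return result


# Constructed sample data (not from the original post): a real Apache, sshd,
# and a Perl process calling itself "httpd" on an arbitrary high port.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1201,fd=4),("httpd",pid=1200,fd=4))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:40021 0.0.0.0:* users:(("httpd",pid=4410,fd=3))
"""
SAMPLE_EXE = {1201: "/usr/sbin/httpd", 1200: "/usr/sbin/httpd",
              812: "/usr/sbin/sshd", 4410: "/usr/bin/perl"}

if __name__ == "__main__":
    for f in audit(SAMPLE_SS, SAMPLE_EXE):
        print(f"pid {f.pid} port {f.port}: " + "; ".join(f.reasons))
```

On a live host the same check runs as `audit(subprocess.check_output(["ss", "-tlnp"], text=True), live_exe_map())`; the exe-versus-name comparison is the part that survives a renamed process, since the /proc link cannot be changed from user space.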

Apparently, the customer account information was leaked and the crackers were able to FTP their scripts onto the server. Not much that can be done about that, other than telling the customer to keep a tighter lid on their login information.

And as I like to remind myself, it could have been worse.


You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site: https://boston.conman.org/, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

https://boston.conman.org/2000/08/01

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.