Thread: Shadow pass exploit !
08-09-2005, 02:49 PM #26 Junior Guru Wannabe (Join Date: Apr 2005, Location: HCMC, Posts: 82)
Hi, I got this:
CentOS 3.5 i686 - WHM X v3.1.0
package kernel-smp-2.4.21-32.0.1.EL
08-09-2005, 03:34 PM #27 Web Hosting Master (Join Date: Apr 2003, Location: NC, Posts: 3,093)
With those permissions and that kernel you should be ok. Has he done anything to verify that he can read the shadow file or is he just threatening?
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
08-09-2005, 04:30 PM #28 Junior Guru Wannabe (Join Date: Apr 2005, Location: HCMC, Posts: 82)
By the way, disabling telnet just blocks the port. How do I prevent them from running cgi-telnet with PHP or CGI?
Because I can see they use .pl files and can still run commands and do many things ...
08-09-2005, 05:00 PM #29 Hosting provider (Join Date: May 2002, Location: Moscow, Posts: 1,602)
cgi-telnet.pl, like any Perl script, has the possibility of using any feature present on your system. For this the hacker does not need cgi-telnet.pl; just Perl (even suexec'd) will be enough. For example, there is no way to block a CGI application from walking around other directories or files, especially if they are open for group reading.
But your /etc/shadow has the correct permissions, so most likely he uses some suid application and an exploit for gaining access to it, or maybe the hacker uses sudo.
Also, maybe he just uses some trojan virus which was inserted onto your local computer and simply keylogs your root password. BTW, it is a very easy way of gaining root access.
PS. Regarding the exploit: I remember that in the past year one of our customers had a similar problem, and the hacker activity was terminated when we disabled sudo on the machine.
Last edited by rustelekom; 08-09-2005 at 05:10 PM.
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
08-13-2005, 05:27 AM #30 Web Hosting Master (Join Date: Apr 2004, Location: Singapore, Posts: 620)
Besides setting /etc/shadow to be readable only by root,
can we set it for
/etc/passwd and httpd.conf?
Any other files that need to be made not viewable by normal users..?
Linux System admin (since 2001)
* cPanel/WHM, Directadmin, Apache, DNS, PHP, HyperVM, Lxadmin, Openvz*
08-13-2005, 06:53 AM #31 Junior Guru (Join Date: Jul 2004, Location: U.A.E >> Dubai, Posts: 218)
Originally posted by jayzee
Besides setting /etc/shadow to be readable only by root,
can we set it for
/etc/passwd and httpd.conf?
Any other files that need to be made not viewable by normal users..?
You can chmod:
/home to 711
/tmp to 1777
/etc/php.ini: 711
/usr/local/apache/conf/httpd.conf: 744
/backup (backup folder) to 700
and so on....
You can chmod any root directory to 711, but be careful, it may stop some feature/service (like a cPanel feature), so you have to customize it.
Cheers.
Last edited by SmartActive; 08-13-2005 at 06:56 AM.
SecurityWay.Net Managed Solutions
Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
http://domains.securityway.net/
Believe an expert, believe on who has had experience.
08-13-2005, 04:26 PM #32 Junior Guru Wannabe (Join Date: Apr 2005, Location: HCMC, Posts: 82)
Hi, thanks all. But when I test with the newest remview version, it can still upload with the folder chmod 711.
You can take a look at my files included here.
Last edited by VIETHOSTING; 08-13-2005 at 04:29 PM.
08-13-2005, 04:58 PM #33 Hosting provider (Join Date: May 2002, Location: Moscow, Posts: 1,602)
2SV_Ngheo
You may easily block remview using the open_base PHP function. Also, you should understand that with PHP as a module and with safe mode not enabled, you can't get more security than you have unless you use something that jails or chroots EACH user.
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
08-13-2005, 05:23 PM #34 Web Hosting Master (Join Date: Jun 2003, Location: United Kingdom, Posts: 716)
Humans are lazy, and most, even for the root password, normally use this format: <word><2-digit number>
08-13-2005, 05:37 PM #35 Junior Guru (Join Date: Jul 2004, Location: U.A.E >> Dubai, Posts: 218)
Yes, you should have safe mode on, disable some PHP functions, and use phpbasedir, & I prefer the use of phpsuexec.
SecurityWay.Net Managed Solutions
Linux Security,Domain Registration Service,eNom Reseller Account from an ETP.
http://domains.securityway.net/
Believe an expert, believe on who has had experience.
08-16-2005, 05:55 PM #36 Junior Guru Wannabe (Join Date: Apr 2005, Location: HCMC, Posts: 82)
Hi,
In fact, I know all those solutions, but the hacker attacked with this:
Run command: ln /etc/shadow.shadow >> This will make a hardlink to shadow. After that chmod to 777, then reinstall FrontPage.
Please tell me a solution?
08-16-2005, 06:05 PM #37 Hosting provider (Join Date: May 2002, Location: Moscow, Posts: 1,602)
Are you giving him non-jailed SSH?
BTW, you may restrict access for ordinary users to some system commands.
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
08-16-2005, 06:24 PM #38 Junior Guru Wannabe (Join Date: Apr 2005, Location: HCMC, Posts: 82)
They use SSH through a PHP shell and .pl files. It is normally supported by Apache. How can we prevent it?
Please check some of my first posts to see all the functions I disabled and what I've done.
08-16-2005, 06:51 PM #39 Hosting provider (Join Date: May 2002, Location: Moscow, Posts: 1,602)
He can't use a PHP shell if you use open_base and also disable the system function, but he may use the Perl system command.
But an ordinary user can't make a hardlink with Perl, just because Perl is suexec'd and the user's rights and permissions are assigned to the script when he runs it.
But he can run his script by cron, and this may give him a chance. Same about the sudo command. Also the same for system utilities which have the suid flag and may have an exploit (on older, not updated systems).
TK Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR
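Posts #33, #35 and #39 recommend open_basedir plus disabling the process-spawning functions for mod_php. As an added example (not from any poster in this thread), here is a php.ini fragment showing the permissive settings beside the hardened ones; the /home and /tmp paths and the user1 vhost are assumptions.

```ini
; --- permissive defaults: a PHP shell can read /etc/passwd, spawn /bin/sh
;     and include code fetched over HTTP ---
; open_basedir =
; disable_functions =
; allow_url_fopen = On

; --- hardened (added example; /home and /tmp are assumed paths) ---
; The trailing slash matters: a bare "/home" would also match "/homeless".
open_basedir = /home/:/tmp/
; Tighter still: set it per user in that user's <VirtualHost> in httpd.conf, e.g.
;   php_admin_value open_basedir "/home/user1/:/tmp/"   (user1 is a placeholder)
; open_basedir only restricts file access done by PHP itself; a spawned shell
; ignores it, so the functions that spawn processes are disabled as well.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
; Blocks include("http://...") style remote file inclusion.
allow_url_fopen = Off
; Keeps the PHP version out of response headers.
expose_php = Off
```

disable_functions is read once at startup, so it belongs in php.ini rather than in a per-vhost block.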
08-17-2005, 12:59 PM #40 New Member (Join Date: Aug 2005, Posts: 1)
Have you thought about installing mod_security?
This gives you the ability to log the "POST" events, and then you can build up a rough idea of what they are doing; consequently, using mod_security again, you can block them.
A good site with a constantly updated list of mod_security rules is gotroot.com.
Definitely worth an install.
08-31-2005, 06:45 AM #41 Disabled (Join Date: Dec 2004, Posts: 229)
Run command: ln /etc/shadow.shadow >> This will make a hardlink to shadow. After that chmod to 777, then reinstall FrontPage.
Please tell me a solution?
Having everything under / is plain bad practice.
You can't hard link across partitions.
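The hardlink trick from post #36 only works when the attacker's directory sits on the same filesystem as /etc, which is post #41's point; on kernels from 3.6 onward the fs.protected_hardlinks sysctl also refuses such links outright. On an older kernel the remaining control is to detect a second link to a sensitive file, since every hard link shares its target's link count and inode. The audit below is an added example (not from any poster); the list of sensitive files and the /home and /tmp search roots are assumptions.

```python
import os

# Files whose contents must stay reachable only through their canonical name
# (assumed list; extend to suit the host).
SENSITIVE = ["/etc/shadow", "/etc/gshadow", "/etc/sudoers"]


def link_count(path):
    """Hard-link count of path; 1 means the canonical name is the only link."""
    return os.stat(path).st_nlink


def find_aliases(target, roots):
    """Return every path under roots that is a second hard link to target.

    A hard link shares the target's (device, inode) pair, so that is what is
    compared. os.lstat is used so a symlink is judged by its own inode and is
    not reported (a symlink to /etc/shadow grants nothing extra).
    """
    st = os.stat(target)
    key = (st.st_dev, st.st_ino)
    canonical = os.path.realpath(target)
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    s = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                if (s.st_dev, s.st_ino) == key and os.path.realpath(path) != canonical:
                    hits.append(path)
    return sorted(hits)


def audit(targets=SENSITIVE, roots=("/home", "/tmp")):
    """Map each target that has more than one link to the aliases found under roots.

    An empty list for a target with st_nlink > 1 still means an extra link exists
    somewhere on the same filesystem, just outside the searched roots.
    """
    findings = {}
    for target in targets:
        try:
            if link_count(target) > 1:
                findings[target] = find_aliases(target, roots)
        except OSError:
            continue  # file absent on this host
    return findings


if __name__ == "__main__":
    for target, aliases in audit().items():
        print("%s has extra hard links: %s" % (target, aliases or "(outside searched roots)"))
```

Run it from cron as root; any finding for /etc/shadow means the shadow contents are reachable under a name whose permissions the attacker controls.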