Date: Tue, 10 Dec 1996 00:15:52 -0500 (EST)
From: Brian Tao <taob@io.org>
To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: URGENT: Packet sniffer found on my system
Message-ID: <Pine.BSF.3.95.961210000201.1328A-100000@nap.io.org>
I happened across an interesting little process today on a few of our servers. It appears to be the "sniffit" packet sniffer found in the Linux RootKit. I can mail the binary to anyone who wants to analyse it. What it does is use bpf to log every connection between a pair of hosts and save all the good parts to a series of files. The guy running the sniffer logged well over 17000 connections today and God knows how many username/password combinations. He was watching the FTP and POP3 ports, mainly.

I'd like to know how he was able to run the process as root. The binary is *not* setuid, and a "ps auxo ruser" shows the real owner is also root. The three servers I found it running on have 2.2-961014 installed, upgraded to sendmail 8.8.3. The two shell servers have had all but six setuid root binaries chmod 500'd. The Web/FTP server does not grant shell access. Is there something with Apache 1.1.1 or wu-ftpd I don't know about that allows a user to execute arbitrary code as root? I noticed lpr still had its setuid bit on the FTP server, but afaik, there is no way to tell wu-ftpd to run arbitrary programs as root. We are running wu-ftpd 2.4(1).

Any ideas how root access was available so easily?

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
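The three conditions the message describes (an interface put into promiscuous mode by a bpf sniffer, a process holding the bpf device, and setuid-root binaries beyond the few the admin intended to keep) as an added host-audit script; this is not part of the original message, and the ifconfig/fstat column layouts and all sample data are constructed assumptions for a BSD-style host.

```shell
#!/bin/sh
# Host audit for the three conditions the post describes: an interface in
# promiscuous mode, a process holding a BPF device, and setuid-root binaries
# that are not on the admin's short allowlist. Written for a BSD-style host.
# Column layouts and the sample data below are assumptions, not from the post.

# Print interfaces whose flags include PROMISC; reads `ifconfig -a` output.
promisc_ifaces() {
    awk '/^[a-z][a-z0-9]*:/ && /PROMISC/ { sub(":", "", $1); print $1 }'
}

# Print "CMD PID" for processes with a bpf device open; reads fstat(1) output.
# Assumes the usual USER CMD PID ... layout with the device name in a later field.
bpf_holders() {
    awk 'NR > 1 { for (i = 4; i <= NF; i++)
                    if ($i ~ /^(\/dev\/)?bpf[0-9]*$/) { print $2, $3; break } }' | sort -u
}

# Print setuid-root paths in $2 (newline separated) absent from allowlist $1.
unexpected_setuid() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF && !($0 in ok)'
}

# Constructed sample input so the script can be exercised offline.
SAMPLE_IFCONFIG='ed0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000'
SAMPLE_FSTAT='USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sniffit     4242    3 /dev        123 crw-------    bpf0   r
root     syslogd      101    4 /dev        456 crw-rw-rw-    null  rw'
SAMPLE_ALLOW='/usr/bin/su
/usr/bin/passwd'
SAMPLE_FOUND='/usr/bin/su
/usr/bin/passwd
/usr/bin/lpr'

# Live use would be:  ifconfig -a | promisc_ifaces ;  fstat | bpf_holders ;
#   unexpected_setuid "$(cat /etc/setuid.allow)" "$(find / -type f -perm -4000 -user root)"
printf 'promisc: %s\n' "$(printf '%s\n' "$SAMPLE_IFCONFIG" | promisc_ifaces)"
printf 'bpf:     %s\n' "$(printf '%s\n' "$SAMPLE_FSTAT" | bpf_holders)"
printf 'setuid:  %s\n' "$(unexpected_setuid "$SAMPLE_ALLOW" "$SAMPLE_FOUND")"
```

A sniffer that loads its own kernel-level hooks can hide from all three checks, so a clean result from a script like this is evidence, not proof.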