Date: Tue, 10 Dec 1996 00:15:52 -0500 (EST)
From: Brian Tao <taob@io.org>
To: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: URGENT: Packet sniffer found on my system
Message-ID: <Pine.BSF.3.95.961210000201.1328A-100000@nap.io.org>

I happened across an interesting little process today on a few of
our servers. It appears to be the "sniffit" packet sniffer found in
the Linux RootKit. I can mail the binary to anyone who wants to
analyse it.

What it does is use bpf to log every connection between a pair of
hosts and save all the good parts to a series of files. The guy
running the sniffer logged well over 17000 connections today and god
knows how many username/password combinations. He was watching the
FTP and POP3 ports, mainly.

I'd like to know how he was able to run the process as root. The
binary is *not* setuid, and a "ps auxo ruser" shows the real owner is
also root. The three servers I found it running on have 2.2-961014
installed, upgraded to sendmail 8.8.3. The two shell servers have had
all but six setuid root binaries chmod 500'd. The Web/FTP server does
not grant shell access. Is there something with Apache 1.1.1 or
wu-ftpd I don't know about that allows a user to execute arbitrary
code as root? I noticed lpr still had its setuid bit on the FTP
server, but afaik, there is no way to tell wu-ftpd to run arbitrary
programs as root. We are running wu-ftpd 2.4(1).

Any ideas how root access was available so easily?
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
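As an added illustration (not part of Brian's message or of any FreeBSD tool), the two host-side signals that give away a bpf-based sniffer like the one described above are an interface in PROMISC mode and a process holding a /dev/bpf* descriptor open. The script below checks both against constructed samples of `ifconfig -a` and `fstat` output; the column layout of that output is an assumption, so adjust the parsing to what your system actually prints.

```python
import re

# Constructed sample of `ifconfig -a` output (format assumed, FreeBSD style)
SAMPLE_IFCONFIG = """\
ed0: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
"""

# Constructed sample of `fstat` output (assumed columns: USER CMD PID FD MOUNT INUM MODE SZ|DV R/W)
SAMPLE_FSTAT = """\
USER     CMD          PID   FD MOUNT      INUM MODE         SZ|DV R/W
root     sniffit     1328    3 /dev         12 crw-------    bpf0 r
root     httpd        210    4 /          4711 -rw-r--r--    4096 w
root     tcpdump     1402    3 /dev         13 crw-------    bpf1 r
"""

IFACE_RE = re.compile(r"^(\S+): flags=\d+<([^>]*)>")
BPF_RE = re.compile(r"^bpf\d+$")

def promiscuous_interfaces(ifconfig_output):
    """Return interfaces whose flag list contains PROMISC (set by most sniffers)."""
    found = []
    for line in ifconfig_output.splitlines():
        m = IFACE_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found

def bpf_openers(fstat_output, allowlist=()):
    """Return (user, cmd, pid, device) for each process with a /dev/bpf* descriptor,
    skipping command names the operator has explicitly allowlisted (e.g. a known tcpdump)."""
    found = []
    for line in fstat_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        user, cmd, pid = fields[0], fields[1], int(fields[2])
        devs = [f for f in fields[3:] if BPF_RE.match(f)]
        if devs and cmd not in allowlist:
            found.append((user, cmd, pid, devs[0]))
    return found

def sniffer_indicators(ifconfig_output, fstat_output, allowlist=()):
    """Combine both signals; either one alone is reason to inspect the process list."""
    return {"promisc": promiscuous_interfaces(ifconfig_output),
            "bpf_openers": bpf_openers(fstat_output, allowlist)}
```

Note that a sniffer can open /dev/bpf without ever setting PROMISC on the interface (it then sees only traffic to and from that host), so the fstat check is the one that should not be skipped.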
