[lug] R00tKIT!! Raah!

Lee Woodworth blug-mail at duboulder.com
Tue Jun 14 21:08:36 MDT 2005


Michael Belanger wrote:
> Greetings.
> I feel very violated.
> 
> I found two suspect files on our public webserver.
> /tmp/dc.pl
> /var/tmp/r0nin
> 
> The latter is confirmed as a rootkit.
> 
> Now, here is a question, can the 'apache' user install a rootkit if they
> are not root?
The more general question is can non-privileged users get root privs? The
answer is yes, using local vulnerabilities for sure, and through misconfigured
software (suid or daemons with root).

You can scan Bugtraq to see what kinds of local vulnerabilities
are publicly announced. One thing I see on that list is a lot of PHP
vulnerabilities.
> 
> I think somehow it did.  The network host reported an excessive amount
> of web traffic coming from our server about the same day the rootkit
> file is dated. I take this to mean that it has been compromised.
> 
> I fear I may need to travel out there to rebuild the server... Anyone
> know if it is possible to 'clean' the system?
> 
> -M
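The reply above points at setuid binaries and root-running daemons as the usual way an unprivileged account such as `apache` ends up as root, and the original poster found the suspect files sitting in `/tmp` and `/var/tmp`. The script below is an added example written for this archive page, not code from either poster: a small set of POSIX shell functions that snapshot the setuid/setgid binaries on a host, report any that appear later, and list executable regular files in the temp directories. It assumes only `find`, `sort` and `comm`; the function names and the directory arguments are hypothetical and chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side checks for the two things
# discussed above, i.e. new privileged (setuid/setgid) binaries and executable
# files dropped into world-writable temp directories.
set -u

# Print every setuid or setgid regular file below the given directories,
# one path per line, sorted so the output can be diffed against a baseline.
list_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Save the current setuid/setgid inventory to a baseline file.
# Usage: save_suid_baseline BASELINE_FILE DIR...
save_suid_baseline() {
    baseline=$1; shift
    list_suid "$@" > "$baseline"
}

# Print setuid/setgid files present now but absent from the baseline.
# Usage: new_suid_since_baseline BASELINE_FILE DIR...
new_suid_since_baseline() {
    baseline=$1; shift
    list_suid "$@" | comm -13 "$baseline" -
}

# List executable regular files under temp directories; a web server that
# only serves pages has no business leaving executables in /tmp or /var/tmp.
# Usage: tmp_executables DIR...
tmp_executables() {
    find "$@" -xdev -type f -perm -100 2>/dev/null | sort
}

# Stand-alone run: snapshot the usual system paths on first use, then report
# drift and temp-directory executables on every later run. Paths are the
# conventional ones and are only examples.
if [ "${1:-}" = "--run" ]; then
    base=${SUID_BASELINE:-/var/lib/suid-baseline.txt}
    if [ ! -f "$base" ]; then
        save_suid_baseline "$base" /bin /sbin /usr
        echo "baseline written to $base"
    else
        echo "== setuid/setgid files not in baseline =="
        new_suid_since_baseline "$base" /bin /sbin /usr
        echo "== executables in temp directories =="
        tmp_executables /tmp /var/tmp
    fi
fi
```

Run `sh thisfile.sh --run` as root once to record the baseline and again from cron afterwards; keep the baseline file somewhere the web server account cannot write. The caveat that matters for the "can I clean it" question: `find` relies on the running kernel and libc, so a rootkit that hooks those can hide its own files from this check, which is why a reinstall from known-good media, or at least a scan from a trusted boot medium, is the usual answer once a rootkit is confirmed.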
