Decent summary of how machines can get rooted.

*Part 3: Conclusion and food for thought*

*To conclude on what happened:*

1) The attacker used the *zencart* vulnerability to create the *imagedisplay.php* file.
2) Using the imagedisplay.php file he was able to make the server download *foobar.ext* from his server.
3) Using the imagedisplay.php file he was able to make the server run foobar.ext, which is a *reverse shell*. He could now connect to the machine.
4) Using some *local exploit*(s) he was probably able to become root.
5) Since he was root he uploaded/compiled *ld-linuxv.so.1* and he created */etc/ld.so.preload*. Now every executable would first load this "trojaned" library, which allows him backdoor access to the box and is hiding from the system. So there is his rootkit :)

Stan

On Mon, Mar 15, 2010 at 9:49 AM, Rene Churchill <[email protected]> wrote:
> FYI, here's an interesting rootkit detection story in that it goes into the
> details of how the author figured out there was a rootkit installed on a
> Debian machine and how he figured out how it got there.
>
> http://www.void.gr/kargig/blog/2009/08/21/theres-a-rootkit-in-the-closet/
>
> --
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> René Churchill [email protected]
> Geek Two 802-244-7880 x527
> Your Source for Local Information http://www.wherezit.com
>
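Step 5 of the summary above is the part a defender can check for directly: on a normal Debian box /etc/ld.so.preload does not exist or is empty, so any entry in it deserves a look. The script below is an added example written for this thread, not code from the blog post or from either poster. It parses the file the way the glibc loader does (whitespace-separated entries, '#' comments ignored; it also splits on ':' for tolerance), and flags entries that sit outside the usual library directories, whose file no longer exists, or whose name imitates the real dynamic loader (the rootkit in the story was called ld-linuxv.so.1, which is not a loader glibc ships). The TRUSTED_DIRS list, the lookalike pattern, the REAL_LOADERS set and the sample file content are all assumptions made for the example.

```python
"""Audit /etc/ld.so.preload for injected libraries (added example, not from the thread)."""
import os
import re

# Assumption: directories where a legitimately preloaded library normally lives.
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# Assumption: names glibc actually uses for its dynamic loader on common arches.
REAL_LOADERS = {
    "ld-linux.so.2",
    "ld-linux-x86-64.so.2",
    "ld-linux-aarch64.so.1",
    "ld-linux-armhf.so.3",
}

# Anything that looks like "ld-linux...so" but is not a real loader name is suspect
# (the rootkit in the story was named ld-linuxv.so.1).
LOADER_LOOKALIKE = re.compile(r"ld-linux[^/]*\.so")


def parse_ld_so_preload(text):
    """Return the library paths listed in ld.so.preload content.

    Entries are whitespace separated; '#' starts a comment. Colons are also
    treated as separators, as they are in LD_PRELOAD."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for tok in re.split(r"[\s:]+", line):
            if tok:
                entries.append(tok)
    return entries


def classify_entry(path, exists=None):
    """Return the reasons an entry looks suspicious (empty list = looks normal)."""
    reasons = []
    if not path.startswith("/"):
        reasons.append("relative path")
    elif not any(path.startswith(d + "/") for d in TRUSTED_DIRS):
        reasons.append("outside standard library directories")
    name = os.path.basename(path)
    if LOADER_LOOKALIKE.search(name) and name not in REAL_LOADERS:
        reasons.append("name imitates the dynamic loader")
    if exists is False:
        reasons.append("file missing (dangling entry)")
    return reasons


def audit_preload_text(text, exists=os.path.exists):
    """Map every entry in the given file content to its list of findings."""
    return {entry: classify_entry(entry, bool(exists(entry)))
            for entry in parse_ld_so_preload(text)}


def audit_system(path="/etc/ld.so.preload"):
    """Audit the live file; an empty dict means nothing is preloaded."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except FileNotFoundError:
        return {}
    return audit_preload_text(text)


# Constructed sample content standing in for a compromised host's ld.so.preload.
SAMPLE_PRELOAD = (
    "/lib/ld-linuxv.so.1\n"
    "# fakeroot is a common legitimate preload on Debian build hosts\n"
    "/usr/lib/libfakeroot/libfakeroot-0.so\n"
)


def demo():
    """Run the audit on the constructed sample, pretending only libfakeroot exists on disk."""
    return audit_preload_text(SAMPLE_PRELOAD,
                              exists=lambda p: p.endswith("libfakeroot-0.so"))


if __name__ == "__main__":
    for entry, findings in (audit_system() or demo()).items():
        print(entry, "->", ", ".join(findings) or "looks normal")
```

One caveat the story itself illustrates: a library loaded through ld.so.preload can hook the libc calls this script relies on, so a clean result from a dynamically linked Python on the suspect host proves little. Run the check from a statically linked tool, from a rescue boot, or against the disk mounted on a trusted machine (point `audit_system` at the mounted path) before trusting a negative.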
