[sf-lug] ebay security analysis: phishers targeting linux (fwd)

Rick Moen rick at linuxmafia.com
Thu Oct 11 21:44:52 PDT 2007

I wrote:

> Some of the same observations have now also been made by Chad Perrin in
> his article "Linux phishing botnet statistics can be deceptive"
> (http://blogs.techrepublic.com.com/security/?p=296).  Worth reading, and
> please note his observations about non-root compromise of innumerable
> Linux/BSD/Solaris/etc. sites on account of badly written PHP apps.

Here's an excellent write-up of what an intruder did _after_ he/she
broke into a reasonably well maintained Ubuntu 6.06 LTS box, and then
somehow escalated to root authority:


Author could not determine the means of entry, as the article concludes:

    The most important question is, how did he get access in the
    first place? The server was running Ubuntu 6.06 LTS (i386) and was fairly
    updated. The compromise could be caused by:
          * An exploit unknown to the public.
          * A user accessing this server from an already compromised
            host. The attacker could then sniff the password.

(Nor did the author determine how the intruder gained root.  Of course, 
this being an Ubuntu box and defaulting to a sudo setup, stealing the
regular password of the main user would be sufficient.)

However, the article is excellent in detailing what subsequent steps the
bad guy took -- made possible by that person's failure to take some
obvious steps to cover his/her tracks, and in general being extremely
clumsy and obvious.

One of the comments on the related discussion thread includes someone
speculating that the avenue of entry might have been unpatched PHP-Nuke
/ Post-Nuke, leading to the ability to remotely fetch and run a script --
based on that happening to him/her, in a very similar attack.
(As I said.)

I also like this comment:

   Nice report, this surely took you a couple of hours.

   You seem to be neglecting known vulnerable Web applications as a
   possible entry point. This is one of the most common ways semi-automatic
   (local root exploit is mostly run manually as it's not too easy to
   handle the various different environments by a script) takeovers work
   nowadays. As the security status of Web applications is often not
   tracked (nor is it tracked which Web applications are installed at all,
   and this is especially so but not limited to shared hosting
   environments), it is very difficult for an admin to keep track of their
   de facto vulnerabilities. Attackers, however, can (and do) easily scan
   multiple Web servers for known security issues and, as the scan takes so
   little time, do not need to know whether or not a system is vulnerable
   before starting to run exploits against it.

   Moritz Naumann, security[at]moritz-naumann.com
