hack lesson?
R Scott Belford
sctinc at mac.com
Fri Jan 11 20:40:37 PST 2002
I guess that I was asking for this, if such a thing is possible. Some
of you will laugh and some may be interested. It's a good story. This
morning, a little after I posted a response about rpms and webmin,
someone entered my machine. It was right as I was being responded to
and warned about the explicit dangers perl creates. I obviously should
have realized this as someone was determined to teach me a lesson by
damage rather than words.

I noticed around 2:30 this afternoon, when running top, that several
pids owned by root had been consuming a lot of processor cycles for
about 5.25 hours. They were running /usr/bin/perl. When I looked at my
gui process manager, several programs with unfamiliar names were
running. I was unable to terminate these by kill -9 pid. I elected to
restart my machine. Typical windoze fix, but I was hoping to stop the
processes. Upon restarting, I am unable to get a terminal on the redhat
box. It keeps flashing for a second, then disappears. Someone has put
the x server in some kind of loop that keeps me from the prompt. I'd
log in from my Debian box, but they went in there too. I log in to it,
enter a password, and am returned to the login prompt. At least I get a
prompt on it. Unkind but funny. I ssh in from my windoze box and
ps -ax shows a complicated x command running that seems to be causing my
redhat login difficulties. Attempts to kill this pid fail as its pid
number keeps changing. These are teasing hacks, I know, but I just
can't fix them (yet).

So, obviously there is some kind of vulnerability that perl has created
for me which I was warned about then exploited through. No harm done, I
keep backups of my worthless data. My time is not so valuable that I
care about reinstalling. Someone can pat themselves on the back for
it. What is a shame, though, is that I clearly upset someone reading
this mailing list earlier who decided to show me how smart they were.
The coincidence is too uncanny. Rather than share their knowledge to
the better of all, they have abused my poor little box. I guess that
shows me how much smarter real sysadmins are than newbies.

I have an appetite for humble pie, though, and will only grow wiser from
this experience. If this perl vulnerability is in any way related to
webmin, then let me be the first to say to be wary of it. I have no
certainty of this, though, and would be more wary about spreading fud.
When I learn what is of value from this hack, I'll let any of you know
who are interested. If you have any insights into what tricks have
been played here, perhaps you will share them. I'd love to make
something good out of this.
scott