SecurityFocus

what is this? Jan 13 2008 04:01PM
crazy frog crazy frog (i m crazy frog gmail com) (5 replies)

Re: what is this? Jan 16 2008 08:57AM
Yousef Syed (yousef syed gmail com)

Re: what is this? Jan 15 2008 05:16AM
Denis (sp23 internode on net) (3 replies)

RE: what is this? Jan 15 2008 04:33PM
Memisyazici, Aras (arasm vt edu) (1 replies)

Re[2]: what is this? Jan 15 2008 04:41PM
Denis (sp23 internode on net)

Re: what is this? Jan 15 2008 04:28PM
Jamie Riden (jamie riden gmail com)

On 15/01/2008, Denis <sp23 (at) internode.on (dot) net [email concealed]> wrote:
> This is a very serious new threat affecting Linux servers and thousands
> of boxes have been compromised since December 2007.
>
> Each box serving the nasty javascript has been rooted. One person has
> found a way to CLEAN the infection (ie. stop your server from serving
> the bad javascript), however not the root hole ie. the servers in
> question are still rooted as nobody so far has found what hole is being
> exploited to gain root access in the first place.

You don't need root to deface web servers in general. Even if the
attackers want to run bots, they often stay as the unprivileged user
they get in as. Sometimes a few privilege escalation exploits are
tried, but even then people seem willing to make use of normal users
if they can't get root.

(Unless you meant 'root' as in 'root cause', or the Aussie sense of
rooted, as in 'f**ed' :)

cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie (at) honeynet.org (dot) uk [email concealed]
UK Honeynet Project: http://www.ukhoneynet.org/

[ reply ]

Re: what is this? Jan 15 2008 06:12AM
crazy frog crazy frog (i m crazy frog gmail com) (2 replies)

Re[2]: what is this? Jan 15 2008 05:26PM
none (updates digitalis com au)

Re: [Full-disclosure] what is this? Jan 15 2008 06:45AM
Nick FitzGerald (nick virus-l demon co uk) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 08:26AM
crazy frog crazy frog (i m crazy frog gmail com) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 05:22PM
Gadi Evron (ge linuxbox org) (1 replies)

Re: [Full-disclosure] what is this? Jan 15 2008 05:24PM
crazy frog crazy frog (i m crazy frog gmail com)

Re: what is this? Jan 14 2008 09:46PM
Gadi Evron (ge linuxbox org)

Re: what is this? Jan 14 2008 03:44PM
Jose Nazario (jose monkey org) (3 replies)

Re[2]: [Full-disclosure] what is this? Jan 14 2008 09:39PM
3APA3A (3APA3A SECURITY NNOV RU)

RE: what is this? Jan 14 2008 07:09PM
Mario Contestabile (marioc computer org)

Re: what is this? Jan 14 2008 03:56PM
crazy frog crazy frog (i m crazy frog gmail com)

Re: [Full-disclosure] what is this? Jan 14 2008 09:34AM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)

Re: [Full-disclosure] what is this? Jan 14 2008 11:52AM
Nick FitzGerald (nick virus-l demon co uk) (1 replies)

Re: [Full-disclosure] what is this? Jan 14 2008 01:56PM
crazy frog crazy frog (i m crazy frog gmail com)