Openbsd 3.2 wtmp delay and named backdoor

From: Eric Weaver (internetat_private)
Date: Wed Jan 15 2003 - 06:19:52 PST


    
     ('binary' encoding is not supported, stored as-is)
    Can anyone explain what would cause a wtmp delay like this? Notice I am 
    invisible, until the third iteration of 'w'. I hope this is nothing more 
    than some sort of filesystem lag or sshd delay.
    
    The only known vulnerability on this box is named. OpenBSD 3.2 named has a 
    possible remote exploit, but since it's jailed, the security is "mitigated" 
    (so they say).  
    
    My observation is that there may be a way out of the jail through the 
    default socket to syslogd (via the -a flag (shown below)). Syslogd runs as 
    root. Doesn't this seem unsafe to anyone else? If a process is truly 
    jailed, it should have its own non-root logging mechanism. Agreed?
    
    Eric Weaver
    wHTTP consulting
    ----------------
    
    
    <suser@silver:/home/suser:1>$ w
     5:37AM  up 5 days,  1:35, 0 users, load averages: 0.42, 0.16, 0.10
    USER    TTY FROM              LOGIN@  IDLE WHAT
    <suser@silver:/home/suser:2>$ ps -aux
    USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED       TIME COMMAND
    suser     7019  0.0  0.0   264   156 p0  R+     5:37AM    0:00.01 ps -aux 
    root      3023  0.0  0.0   100   376 ??  Ss    Fri04AM    0:01.44 syslogd -a /var/named/dev/log 
    root     20857  0.0  0.0   328   184 ??  Ss    Fri04AM    0:12.36 pflogd 
    named    24326  0.0  0.0   940  1224 ??  Ss    Fri04AM    0:22.56 named -t /var/named -u named 
    root     29615  0.0  0.0   356   868 ??  Ss    Fri04AM    0:02.20 /usr/sbin/sshd 
    root      5861  0.0  0.0   228   460 ??  Is    Fri04AM    0:02.01 cron 
    root      2034  0.0  0.0    48   420 C0  Is+   Fri04AM    0:00.01 /usr/libexec/getty Pc ttyC0 
    root     23329  0.0  0.0   880   820 ??  Ss    Fri04AM    0:18.16 sendmail: accepting connections (sendmail)
    www       8816  0.0  0.0  4528  5184 ??  Ss    Fri04AM    0:08.10 httpd: parent [chroot /var/www] (httpd)
    www       7158  0.0  0.0  4960  4488 ??  I     Fri04AM    0:01.23 httpd: child (httpd)
    www      30780  0.0  0.0  4936  4504 ??  I     Fri04AM    0:01.18 httpd: child (httpd)
    www        432  0.0  0.0  4932  4452 ??  I     Fri04AM    0:00.79 httpd: child (httpd)
    www      31496  0.0  0.0  4936  4436 ??  I     Fri04AM    0:01.01 httpd: child (httpd)
    www       4692  0.0  0.0  4900  4412 ??  I     Fri04AM    0:01.06 httpd: child (httpd)
    www      23742  0.0  0.0  4936  4448 ??  I     Fri04AM    0:00.85 httpd: child (httpd)
    www      13186  0.0  0.0  4948  4484 ??  I     Fri04AM    0:01.26 httpd: child (httpd)
    www      18151  0.0  0.0  4892  4308 ??  I     Sun12AM    0:00.26 httpd: child (httpd)
    root     19734  0.0  0.0   464  1164 ??  Ss     5:37AM    0:00.05 sshd: suser [priv] (sshd)
    suser     2391  0.0  0.0   400  1036 ??  S      5:37AM    0:00.02 sshd: suser@ttyp0 (sshd)
    suser    14872  0.0  0.0   400   320 p0  Ss     5:37AM    0:00.03 -ksh (ksh)
    root         1  0.0  0.0   336   200 ??  Is    Fri04AM    0:00.03 /sbin/init 
    <suser@silver:/home/suser:3>$ w
     5:37AM  up 5 days,  1:35, 0 users, load averages: 0.42, 0.16, 0.10
    USER    TTY FROM              LOGIN@  IDLE WHAT
    <suser@silver:/home/suser:4>$ w
     5:37AM  up 5 days,  1:36, 1 user, load averages: 0.38, 0.15, 0.10
    USER    TTY FROM              LOGIN@  IDLE WHAT
    suser    p0 192.168.25.104    5:37AM     0 w 
    <suser@silver:/home/suser:5>$ w
     5:37AM  up 5 days,  1:36, 1 user, load averages: 0.35, 0.15, 0.10
    USER    TTY FROM              LOGIN@  IDLE WHAT
    suser    p0 192.168.25.104    5:37AM     0 w 
    <suser@silver:/home/suser:6>$ 
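The non-root logging mechanism the post asks for, as an added example that is not the author's or OpenBSD's code: a small relay run as an unprivileged user owns the socket inside the chroot, accepts datagrams from the jailed daemon, sanitizes each record, and forwards it to the root syslogd, so the jail never talks to a root process directly. The socket paths, the tag and the length cap are assumptions.

```python
"""Unprivileged log relay for a chroot'd daemon (added example, not from the post)."""
import os
import re
import socket
from typing import Optional

CHROOT_SOCK = "/var/named/dev/log"  # socket path seen in the post's ps output
HOST_SOCK = "/dev/log"              # root syslogd's own socket (assumption)
MAX_LEN = 1024                      # per-record cap, a constructed limit
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def sanitize(record: bytes, tag: bytes = b"named-jail") -> Optional[bytes]:
    """Return a cleaned syslog record, or None if it must be dropped.

    Only a well-formed <PRI> prefix (facility*8 + severity, at most 191)
    is accepted; control bytes and non-ASCII are stripped so a hostile
    message cannot inject newlines or terminal escapes into the log.
    """
    m = PRI_RE.match(record)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    body = bytes(b for b in record[m.end():] if 0x20 <= b < 0x7F)
    return b"<%d>%s: %s" % (pri, tag, body[:MAX_LEN])

def relay(chroot_sock: str = CHROOT_SOCK, host_sock: str = HOST_SOCK) -> None:
    """Bind the jail-side socket, then forward sanitized records forever."""
    if os.path.exists(chroot_sock):
        os.unlink(chroot_sock)
    rx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    rx.bind(chroot_sock)
    os.chmod(chroot_sock, 0o622)  # jailed daemon may write, nobody else reads
    tx = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    tx.connect(host_sock)
    while True:
        clean = sanitize(rx.recv(65536))
        if clean is not None:
            tx.send(clean)

if __name__ == "__main__":
    relay()  # run as an unprivileged user; only syslogd itself keeps root
```

The relay must start before the jailed daemon opens its log socket, and the chroot's dev directory must exist for the bind to succeed.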
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jan 19 2003 - 21:16:03 PST