
Openbsd 3.2 wtmp delay and named backdoor

From: Eric Weaver <internet(at)whttp.com>
Date: Wed Jan 15 2003 - 09:19:52 EST

Can anyone explain what would cause a wtmp delay like this? Notice I am invisible, until the third iteration of 'w'. I hope this is nothing more than some sort of filesystem lag or sshd delay.

The only known vulnerability on this box is Named. Openbsd 3.2 named has a possible remote exploit, but since it's jailed, the security is "mitigated" (so they say).

My observation is that there may be a way out of the jail through the default socket to syslogd (via the -a flag (shown below)). Syslogd runs as root. Doesn't this seem unsafe to anyone else? If a process is truly jailed, it should have its own non-root logging mechanism. Agreed?

Eric Weaver
wHTTP consulting


<suser@silver:/home/suser:1>$ w

 5:37AM up 5 days, 1:35, 0 users, load averages: 0.42, 0.16, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
<suser@silver:/home/suser:2>$ ps -aux

USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED       TIME COMMAND
suser     7019  0.0  0.0   264   156 p0  R+     5:37AM    0:00.01 ps -aux
root      3023  0.0  0.0   100   376 ??  Ss    Fri04AM    0:01.44 syslogd -a /var/named/dev/log
root     20857  0.0  0.0   328   184 ??  Ss    Fri04AM    0:12.36 pflogd
named    24326  0.0  0.0   940  1224 ??  Ss    Fri04AM    0:22.56 named -t /var/named -u named
root     29615  0.0  0.0   356   868 ??  Ss    Fri04AM    0:02.20 /usr/sbin/sshd
root      5861  0.0  0.0   228   460 ??  Is    Fri04AM    0:02.01 cron
root      2034  0.0  0.0    48   420 C0  Is+   Fri04AM    0:00.01 /usr/libexec/getty Pc ttyC0
root     23329  0.0  0.0   880   820 ??  Ss    Fri04AM    0:18.16 sendmail: accepting connections (sendmail)
www       8816  0.0  0.0  4528  5184 ??  Ss    Fri04AM    0:08.10 httpd: parent [chroot /var/www] (httpd)
www       7158  0.0  0.0  4960  4488 ??  I     Fri04AM    0:01.23 httpd: child (httpd)
www      30780  0.0  0.0  4936  4504 ??  I     Fri04AM    0:01.18 httpd: child (httpd)
www        432  0.0  0.0  4932  4452 ??  I     Fri04AM    0:00.79 httpd: child (httpd)
www      31496  0.0  0.0  4936  4436 ??  I     Fri04AM    0:01.01 httpd: child (httpd)
www       4692  0.0  0.0  4900  4412 ??  I     Fri04AM    0:01.06 httpd: child (httpd)
www      23742  0.0  0.0  4936  4448 ??  I     Fri04AM    0:00.85 httpd: child (httpd)
www      13186  0.0  0.0  4948  4484 ??  I     Fri04AM    0:01.26 httpd: child (httpd)
www      18151  0.0  0.0  4892  4308 ??  I     Sun12AM    0:00.26 httpd: child (httpd)
root     19734  0.0  0.0   464  1164 ??  Ss     5:37AM    0:00.05 sshd: suser [priv] (sshd)
suser     2391  0.0  0.0   400  1036 ??  S      5:37AM    0:00.02 sshd: suser@ttyp0 (sshd)
suser    14872  0.0  0.0   400   320 p0  Ss     5:37AM    0:00.03 -ksh (ksh)
root         1  0.0  0.0   336   200 ??  Is    Fri04AM    0:00.03 /sbin/init
<suser@silver:/home/suser:3>$ w

 5:37AM up 5 days, 1:35, 0 users, load averages: 0.42, 0.16, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
<suser@silver:/home/suser:4>$ w

 5:37AM up 5 days, 1:36, 1 user, load averages: 0.38, 0.15, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
suser    p0 192.168.25.104    5:37AM     0 w

<suser@silver:/home/suser:5>$ w

 5:37AM up 5 days, 1:36, 1 user, load averages: 0.35, 0.15, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
suser    p0 192.168.25.104    5:37AM     0 w 

<suser@silver:/home/suser:6>$
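
As an added example (not part of the original post), the following Python cross-checks the `w` and `ps` output shown above: a tty that carries an interactive shell or an `sshd: user@tty` session in `ps` but has no line in `w` is exactly the "invisible" state described in the post, and on a host suspected of compromise it should be flagged rather than attributed to lag. The sample outputs are constructed, trimmed copies of the post's lines; the TT-column and process-title heuristics are this example's own assumptions.

```python
import re

# Constructed samples, trimmed from the `w` and `ps -aux` output in the post:
# `w` reports 0 users while `ps` shows suser's sshd session and ksh on ttyp0.
W_FIRST = """\
 5:37AM up 5 days, 1:35, 0 users, load averages: 0.42, 0.16, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
"""
W_THIRD = """\
 5:37AM up 5 days, 1:36, 1 user, load averages: 0.38, 0.15, 0.10
USER    TTY FROM              LOGIN@  IDLE WHAT
suser    p0 192.168.25.104    5:37AM     0 w
"""
PS_OUTPUT = """\
USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED       TIME COMMAND
suser     7019  0.0  0.0   264   156 p0  R+     5:37AM    0:00.01 ps -aux
root      3023  0.0  0.0   100   376 ??  Ss    Fri04AM    0:01.44 syslogd -a /var/named/dev/log
suser     2391  0.0  0.0   400  1036 ??  S      5:37AM    0:00.02 sshd: suser@ttyp0 (sshd)
suser    14872  0.0  0.0   400   320 p0  Ss     5:37AM    0:00.03 -ksh (ksh)
"""
# OpenBSD sshd titles its session process "sshd: user@ttyXX"; `w` prints the tty as "XX".
SSHD_SESSION = re.compile(r"sshd: (\S+)@(?:tty)?(\S+) ")

def w_sessions(w_text):
    """(user, tty) pairs that `w` reports; the first two lines are uptime and header."""
    sessions = set()
    for line in w_text.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 2:
            sessions.add((parts[0], parts[1]))
    return sessions

def ps_sessions(ps_text):
    """(user, tty) pairs attached to a terminal via the TT column or an sshd process title."""
    sessions = set()
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 10)  # 11 columns; COMMAND keeps its internal spaces
        if len(parts) < 11:
            continue
        user, tt, command = parts[0], parts[6], parts[10]
        if tt != "??":
            sessions.add((user, tt))
        match = SSHD_SESSION.search(command)
        if match:
            sessions.add((match.group(1), match.group(2)))
    return sessions

def hidden_sessions(w_text, ps_text):
    """Terminals live in `ps` but missing from `w`: utmp not yet updated, or tampered with."""
    return sorted(ps_sessions(ps_text) - w_sessions(w_text))
```

Running the check against the first `w` output yields `[('suser', 'p0')]`; against the third, where the session finally appears, it yields an empty list.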


This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Jan 20 00:16:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

