[CentOS] an actual hacked machine, in a preserved state

Fri Jan 6 05:08:21 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Thu, Jan 5, 2012 at 10:13 PM, email builder <emailbuilder88 at yahoo.com> wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>> your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

Apache starts as root so it can open port 80.  Certain bugs might
happen before it switches to a non-privileged user.  But, a more
likely scenario would be to get the ability to run some arbitrary
command through an apache, app, or library vulnerability, and that
command would use a different kernel, library, or suid program
vulnerability to get root access.  Look back through the update
release notes and you'll find an assortment of suitable bugs that have
been there...

-- 
   Les Mikesell
    lesmikesell at gmail.com
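As an added example (not from the thread), a small POSIX sh audit of the two conditions discussed above: whether any httpd *worker* (not the master, which legitimately starts as root to bind port 80) is still running as root, and whether /etc/shadow is root-owned with no "other" bits. The process name `httpd` and user `apache` are the CentOS defaults and are assumptions; the `ps` sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of `ps -eo user:20,pid,ppid,comm` output (not a real host).
SAMPLE_PS='USER                   PID  PPID COMMAND
root                  1201     1 httpd
apache                1205  1201 httpd
apache                1206  1201 httpd
root                  1207  1201 httpd'

# Print PIDs of httpd processes running as root whose parent is itself an
# httpd process, i.e. workers that never dropped privileges. The master
# (parent PID 1, or any non-httpd parent) is expected to be root and is skipped.
# $1: text in the format of `ps -eo user:20,pid,ppid,comm`
root_httpd_workers() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $4 == "httpd" { user[$2] = $1; parent[$2] = $3 }
        END {
            for (pid in user)
                if (user[pid] == "root" && (parent[pid] in user))
                    print pid
        }' | sort -n
}

# Return 0 when a "<octal mode> <owner>" pair, as printed by
# `stat -c "%a %U" /etc/shadow`, is root-owned with no permission bits
# for "other" (e.g. "400 root", "640 root" or "0 root" all pass).
shadow_mode_ok() {
    set -- $1
    mode=$1
    owner=$2
    [ "$owner" = "root" ] || return 1
    # Last character of the octal mode string is the "other" triplet.
    other=${mode#"${mode%?}"}
    [ "$other" = "0" ]
}

# Run the checks against the constructed sample so the script works offline.
echo "root httpd workers in sample: $(root_httpd_workers "$SAMPLE_PS")"
if shadow_mode_ok "400 root"; then echo "sample shadow mode: ok"; fi

# On a live CentOS host, replace the sample with real data:
#   root_httpd_workers "$(ps -eo user:20,pid,ppid,comm)"
#   shadow_mode_ok "$(stat -c '%a %U' /etc/shadow)" || echo "/etc/shadow mode is too open"
```

Any PID printed by `root_httpd_workers` deserves a look: a worker that is still root means a request-handling bug would not be confined to the unprivileged user at all.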