[CentOS] an actual hacked machine, in a preserved state

Les Mikesell lesmikesell at gmail.com
Tue Jan 3 16:11:24 UTC 2012


On Tue, Jan 3, 2012 at 3:14 AM, Rudi Ahlers <Rudi at softdux.com> wrote:
>
>>> Very often, a single user with a
>>> weak password has his account cracked and then a hacker can get a copy
>>> of /etc/shadow and brute force the root password.
>>
>> This is incorrect. The whole reasoning behind /etc/shadow is to hide the
>> actual hashes from normal system users. /etc/shadow is chown root.root
>> and chmod 0400. Without root access /etc/shadow is not accessible.
>>
>
> So, explain this then:
>
>
> How does something like c99shell allow a local user (not root) to read
> the /etc/shadow file?
>

The description from here:
http://jigneshdhameliya.blogspot.com/2010/03/backdoorphpc99shellw.html
and other places says
 "16.  exploit a range of Linux kernel and bash command interpreter
vulnerabilies"

In other words, all those things that get listed as 'local'
vulnerabilities become remote vulnerabilities as soon as any app or
service allows running an arbitrary command.

-- 
   Les Mikesell
     lesmikesell at gmail.com



More information about the CentOS mailing list