[CentOS] an actual hacked machine, in a preserved state

Corey Henderson corman at cormander.com
Fri Jan 6 04:22:26 UTC 2012


On 1/5/2012 9:13 PM, email builder wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>
>>   your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
>
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

It's possible if the kernel is vulnerable to a local root exploit, and 
the attacker who gained entry to the system via apache, was able to use 
it and elevate privileges.

-- 
Corey Henderson
http://cormander.com/



More information about the CentOS mailing list