[CentOS] an actual hacked machine, in a preserved state

Les Mikesell lesmikesell at gmail.com
Fri Jan 6 05:08:21 UTC 2012

On Thu, Jan 5, 2012 at 10:13 PM, email builder <emailbuilder88 at yahoo.com> wrote:
>> 1.) Attacker uses apache remote exploit (or other means) to obtain
>>  your /etc/shadow file (not a remote shell, just GET the file
>> without that fact being logged);
> I don't mean to thread-hijack, but I'm curious, if apache runs as its
> own non-root user and /etc/shadow is root-owned and 0400, then
> how could any exploit of software not running as root ever have
> access to that file??

Apache starts as root so it can open port 80.  Certain bugs might
happen before it switches to a non-privileged user.  But, a more
likely scenario would be to get the ability to run some arbitrary
command through an apache, app, or library vulnerability, and that
command would use a different kernel, library, or suid program
vulnerability to get root access.  Look back through the update
release notes and you'll find an assortment of suitable bugs that have
been there...

   Les Mikesell
    lesmikesell at gmail.com
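A defender-side check for the two points raised in this exchange, added here as an example (it is not from the thread or from any CentOS tooling): it flags any httpd child running as root, since only the listening parent should, and verifies that /etc/shadow stays root-owned with no group/other access. The `ps` listing is a constructed sample, and the process layout and `httpd` daemon name are assumptions.

```python
"""Audit two conditions discussed in the thread: only the Apache
parent (the process that binds port 80) runs as root, and /etc/shadow
is root-owned and unreadable by anyone else.  Hypothetical helper."""
import os
import stat
import subprocess

# Constructed sample in `ps -eo user,pid,ppid,comm` format.  PID 1212
# is the anomaly: a worker (parent is httpd) that never dropped root.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root      1201     1 httpd
apache    1210  1201 httpd
apache    1211  1201 httpd
root      1212  1201 httpd
"""


def parse_ps(text):
    """Turn ps output into a list of {user, pid, ppid, cmd} dicts."""
    rows = []
    for line in text.splitlines()[1:]:          # skip header row
        user, pid, ppid, cmd = line.split(None, 3)
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return rows


def root_httpd_workers(rows, daemon="httpd"):
    """PIDs of httpd processes running as root whose parent is itself
    httpd, i.e. workers that should have switched to the apache user."""
    httpd = [r for r in rows if r["cmd"] == daemon]
    httpd_pids = {r["pid"] for r in httpd}
    return sorted(r["pid"] for r in httpd
                  if r["user"] == "root" and r["ppid"] in httpd_pids)


def shadow_is_protected(uid, mode):
    """True when the file is owned by uid 0 and grants nothing to
    group or other (0400 or 0000, as shipped on CentOS)."""
    return uid == 0 and (mode & 0o077) == 0


def check_shadow(path="/etc/shadow"):
    """Live check of the real file's owner and permission bits."""
    st = os.stat(path)
    return shadow_is_protected(st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    live = subprocess.run(["ps", "-eo", "user,pid,ppid,comm"],
                          capture_output=True, text=True, check=True).stdout
    print("root httpd workers:", root_httpd_workers(parse_ps(live)))
    print("/etc/shadow protected:", check_shadow())
```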
