[CentOS] an actual hacked machine, in a preserved state

Fri Jan 6 19:52:13 UTC 2012
email builder <emailbuilder88 at yahoo.com>

>>>  1.) Attacker uses apache remote exploit (or other means) to obtain
>>>   your /etc/shadow file (not a remote shell, just GET the file
>>>  without that fact being logged);
>> 
>>  I don't mean to thread-hijack, but I'm curious, if apache runs as its
>>  own non-root user and /etc/shadow is root-owned and 0400, then
>>  how could any exploit of software not running as root ever have
>>  access to that file??
> 
> Apache starts as root so it can open port 80.  Certain bugs might
> happen before it switched to a non-privileged user.  But, a more
> likely scenario would be to get the ability to run some arbitrary
> command through an apache, app, or library vulnerability, and that
> command would use a different kernel, library, or suid program
> vulnerability to get root access.  Look back through the update
> release notes and you'll find an assortment of suitable bugs that have
> been there...

That makes sense - but that scenario seems like the vulnerability is more
in some third party application or tool that happens to be executable by
apache.  Seems like the best defense against that is not running things
like WordPress  ;-p  :-)
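An added audit script, not part of the list thread or of any CentOS package, that checks the two facts the exchange above leans on: the httpd parent runs as root only to bind port 80 and every worker should be the unprivileged user, and /etc/shadow should be root-owned with no group or other bits. The process names httpd/apache2, the `ps -eo user,pid,ppid,comm` column layout and the sample process table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread).  Two checks for the points raised above.

# check_httpd_workers reads lines shaped like `ps -eo user,pid,ppid,comm`
# output on stdin.  The master (PPID 1) is expected to be root; any other
# httpd/apache2 process running as root is a worker that never dropped
# privileges.  Prints one line per offender and returns 1 if any were found.
check_httpd_workers() {
    awk '
        $4 ~ /^(httpd|apache2)$/ && $1 == "root" && $3 != 1 {
            print "root worker: pid=" $2 " ppid=" $3
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# check_shadow_mode takes an owner and an octal mode as `stat -c "%U %a"`
# prints them.  Returns 0 only for a root-owned file whose group/other bits
# are all clear (0400 as in the thread, or 000 which stat prints as "0").
check_shadow_mode() {
    owner=$1
    mode=$2
    if [ "$owner" != root ]; then
        echo "/etc/shadow owned by $owner, expected root"
        return 1
    fi
    case "$mode" in
        0|*00) echo "/etc/shadow $owner $mode: ok"; return 0 ;;
        *)     echo "/etc/shadow mode $mode grants group/other access"; return 1 ;;
    esac
}

# Live wrappers for a real CentOS box (GNU stat / procps assumed); not run here.
audit_live_httpd()  { ps -eo user,pid,ppid,comm | check_httpd_workers; }
audit_live_shadow() { set -- $(stat -c '%U %a' /etc/shadow); check_shadow_mode "$1" "$2"; }

# Constructed sample: a healthy master plus two workers, and one worker that
# is still root (pid 2104), which the check must flag.
SAMPLE_PS='USER PID PPID COMMAND
root 1 0 init
root 2101 1 httpd
apache 2102 2101 httpd
apache 2103 2101 httpd
root 2104 2101 httpd'

# Same table without the stray root worker.
SAMPLE_PS_CLEAN='USER PID PPID COMMAND
root 1 0 init
root 2101 1 httpd
apache 2102 2101 httpd
apache 2103 2101 httpd'

printf '%s\n' "$SAMPLE_PS" | check_httpd_workers || echo "FAIL: root httpd worker present"
printf '%s\n' "$SAMPLE_PS_CLEAN" | check_httpd_workers && echo "OK: all workers unprivileged"
check_shadow_mode root 400
check_shadow_mode root 640
```

Run `audit_live_httpd; audit_live_shadow` on the host to apply the same checks to the real process table and the real file. A root worker does not by itself prove compromise, but it means a bug in the request path would run as root rather than as the apache user, which is exactly the distinction the reply above draws.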