• general insecurity

    From Spectre@21:3/101 to Nobody on Tuesday, December 31, 2019 06:32:00
    Despite the previous efforts I've still got some issues with the BBS user, that's used to ssh to TLP. Somehow they're able to exploit the account to insert a crontab. I've subsequently taken write perms off the user's home directory, and inoculated the user crontab and then locked it by removing write permissions...

    Have to say I don't quite know what the result is, but the injection is,

    # (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
    #0 0 */3 * * /dev/shm/.lwp/.rsync/a/upd>/dev/null 2>&1
    #5 8 * * 0 /dev/shm/.lwp/.rsync/b/sync>/dev/null 2>&1
    #@reboot /dev/shm/.lwp/.rsync/b/sync>/dev/null 2>&1
    #0 0 */3 * * /dev/shm/.lwp/.rsync/c/aptitude>/dev/null 2>&1

    It's rsyncing to something? And it also tries to install something? I haven't looked at these in a terminal removing the /dev/null at this point; I s'pose I should look at the files it's calling. The result is a rogue ./cron task, and a load average that shoots through the roof; on the octo core it's out past 18, so it uses everything it can.

    Spec


    --- SuperBBS v1.17-3 (Eval)
    * Origin: (21:3/101)
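A small defender-side check in the spirit of the post above, added here as an example and not the author's own code: it parses a user crontab as `crontab -l` prints it, including entries that have been commented out the way Spec neutralised them, and flags any job whose executable sits under /dev/shm or another temporary filesystem or inside a hidden (dot) directory. The embedded sample is the crontab quoted in the post plus one constructed benign job; the /tmp and /var/tmp paths are added by me as the usual companions of /dev/shm.

```python
import re
from dataclasses import dataclass

# Constructed sample: the injected crontab quoted in the post, in the state the
# author left it (entries neutralised with a leading '#'), plus one benign job.
SAMPLE_CRONTAB = """\
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
#0 0 */3 * * /dev/shm/.lwp/.rsync/a/upd>/dev/null 2>&1
#5 8 * * 0 /dev/shm/.lwp/.rsync/b/sync>/dev/null 2>&1
#@reboot /dev/shm/.lwp/.rsync/b/sync>/dev/null 2>&1
#0 0 */3 * * /dev/shm/.lwp/.rsync/c/aptitude>/dev/null 2>&1
30 2 * * * /usr/local/bin/backup-bbs.sh
"""
SUSPECT_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")  # no cron job should execute from here
SPECIAL = re.compile(r"^@(reboot|yearly|annually|monthly|weekly|daily|hourly)\b")
FIELDS = re.compile(r"^(?:[\w*,/\-]+\s+){5}")  # five schedule fields, then the command

@dataclass
class Finding:
    lineno: int
    executable: str
    reasons: tuple
    disabled: bool  # commented out: not active, but still evidence of tampering

def split_entry(line):
    """Return (schedule, command) for a cron entry, or None for anything else."""
    m = SPECIAL.match(line) or FIELDS.match(line)
    return (m.group(0).strip(), line[m.end():].strip()) if m else None

def scan_crontab(text):
    """Flag entries whose executable lives in a temp/shm filesystem or a hidden path."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        disabled = line.startswith("#")
        entry = split_entry(line.lstrip("#").strip())
        if entry is None:
            continue
        # The executable is the first token before any whitespace or redirection.
        exe = re.split(r"[\s<>|;&]", entry[1], maxsplit=1)[0]
        reasons = []
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("runs from a temporary/shared-memory filesystem")
        if any(p.startswith(".") and p not in (".", "..") for p in exe.split("/")):
            reasons.append("hidden directory in path")
        if reasons:
            findings.append(Finding(lineno, exe, tuple(reasons), disabled))
    return findings
```

Feed it the output of `crontab -l -u <user>` for each account on the box; a finding with `disabled=False` is a live job, while a disabled one still tells you the account was tampered with and when.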