[Gluster-infra] download.gluster.org was rooted

Michael Scherer mscherer at redhat.com
Wed Jun 3 22:49:28 UTC 2015

Le jeudi 04 juin 2015 à 00:01 +0200, Michael Scherer a écrit :
> Le mercredi 03 juin 2015 à 17:09 -0400, Kaleb Keithley a écrit :
> > I just deleted an suid-root /tmp/usr/bin/suexec script from download.gluster.org
> We need to investigate a bit more...

And by that, I mean "we shouldn't remove clues". So it turn out that
supercolony has the same issue :

[root at supercolony tmp]# ls -l usr/sbin/suexec 
-r-s--x---. 1 root root 13984 Dec 19 16:05 usr/sbin/suexec

Looking at the log, I was connected at the same time, but the ip look
like the one of the coworking space I work from, so I do think either
the log have been tempered with, or this didn't came from ssh.

It look furiously similar to a regular suexec, same size of the binary,
and dissambly do not so obvious difference ( I am not good enough to
spot issue in the 3 lines of asm ).

Michael Scherer
Open Source and Standards, Sysadmin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.gluster.org/pipermail/gluster-infra/attachments/20150604/a787111e/attachment.sig>

More information about the Gluster-infra mailing list