[Gluster-infra] download.gluster.org was rooted
Michael Scherer
mscherer at redhat.com
Wed Jun 3 22:49:28 UTC 2015
Le jeudi 04 juin 2015 à 00:01 +0200, Michael Scherer a écrit :
> Le mercredi 03 juin 2015 à 17:09 -0400, Kaleb Keithley a écrit :
> > I just deleted an suid-root /tmp/usr/bin/suexec script from download.gluster.org
>
> We need to investigate a bit more...
And by that, I mean "we shouldn't remove clues". So it turn out that
supercolony has the same issue :
[root at supercolony tmp]# ls -l usr/sbin/suexec
-r-s--x---. 1 root root 13984 Dec 19 16:05 usr/sbin/suexec
Looking at the log, I was connected at the same time, but the ip look
like the one of the coworking space I work from, so I do think either
the log have been tempered with, or this didn't came from ssh.
It look furiously similar to a regular suexec, same size of the binary,
and dissambly do not so obvious difference ( I am not good enough to
spot issue in the 3 lines of asm ).
--
Michael Scherer
Open Source and Standards, Sysadmin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://www.gluster.org/pipermail/gluster-infra/attachments/20150604/a787111e/attachment.sig>
More information about the Gluster-infra
mailing list