Your message dated Tue, 6 Apr 2010 01:57:59 +0200
with message-id <20100405235759.gb19...@javifsp.no-ip.org>
and subject line Re: Bug#575784: cron: security hole ? allowes opening user
sessions ?
has caused the Debian Bug report #575784,
regarding cron: security hole ? allowes opening user sessions ?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
575784: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575784
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: cron
Version: 3.0pl1-106
Justification: root security hole
Severity: critical
Tags: security
Hi Guys,
I am by no means a security expert.
I noticed my server was breached and multiple accounts on it have been
logging via cron over and over again.
From the auth log:
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session closed for user michael
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session closed for user arun
As soon as I removed cron, these session openings were stopped.
I removed cron with the --purge flag, and manually erased everything in the
/etc/ directory which related to cron.
I then restarted the computer,
However, as soon as I re-installed cron, these session openings via uid=0
started again.
There is a high possibility I'm wrong, and this is not related to cron, so
feel free to downgrade this bug.
Thanks Oz.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (700, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages cron depends on:
ii  adduser        3.112     add and remove users and groups
ii  debianutils    3.2.2     Miscellaneous utilities specific t
ii  libc6          2.10.2-6  Embedded GNU C Library: Shared lib
ii  libpam0g       1.1.1-2   Pluggable Authentication Modules l
ii  libselinux1    2.0.89-4  SELinux runtime shared libraries
ii  lsb-base       3.2-23    Linux Standard Base 3.2 init scrip

Versions of packages cron recommends:
pn  exim4 | postfix | mail-transp  <none>  (no description available)
ii  lockfile-progs  0.1.13   Programs for locking and unlocking

Versions of packages cron suggests:
ii  anacron        2.3-14    cron-like program that doesn't go
ii  checksecurity  2.0.13    basic system security checks
ii  logrotate      3.7.8-4   Log rotation utility
--- End Message ---
--- Begin Message ---
On Mon, Mar 29, 2010 at 01:24:55PM +0200, Oz Nahum wrote:
> Hi Javier,
> Thanks for your message. I've run a rkhunter on my computer, and it seems
> like I have a few rootkits in it.
>
>
> So, feel free to close the bug.
>
Ok. I'm closing the bug then.
Regards
Javier
--- End Message ---