From owner-freebsd-security@FreeBSD.ORG Wed Aug 11 21:07:15 2004
Date: Wed, 11 Aug 2004 15:07:11 -0600 (CST)
From: Ryan Thompson
To: freebsd-security@freebsd.org
Message-ID: <20040811145637.R41454@drizzle.sasknow.net>
Subject: FreeBSD-SA-04:13.linux in the wild

Has anyone else seen this in the wild?

We just had an attempted attack yesterday from a live attacker on one of our machines using this vulnerability. It wasn't all that clever, and they're long gone, but I *did* manage to catch them in the act and grab a copy of the binary they tried to run from /tmp/, as well as the PHP injection code they used to subvert a virtual web site's poorly-written index.php script to execute commands as a local user.

Their first order of business was uname -a, and the timing of the requests appeared to be random and experimental ("cd /tmp; ls -la", a few times).

If any @FreeBSD.org developers would like more information, I'd be happy to share my findings and log output off-list.

- Ryan

--
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037
Saskatoon Toll-Free: 877-727-5669 (877-SASKNOW) North America
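As an added example (not part of Ryan's post or of FreeBSD), a small Python scanner that percent-decodes request URLs from Apache-style access log lines and flags the reconnaissance commands the post describes (uname -a, cd /tmp, ls -la), then reconstructs the per-source command sequence so an operator can see the same pattern Ryan saw. The post does not say how the injection reached index.php, so the log lines and the `cmd=` query parameter below are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of Apache combined-format log lines (not from the original post).
# Assumption: the injected shell commands reach index.php through a query parameter.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2004:14:02:11 -0600] "GET /index.php?page=about HTTP/1.1" 200 2311 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Aug/2004:14:03:47 -0600] "GET /index.php?page=x&cmd=uname%20-a HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Aug/2004:14:04:10 -0600] "GET /images/logo.gif HTTP/1.1" 200 4321 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Aug/2004:14:05:02 -0600] "GET /index.php?page=x&cmd=cd%20/tmp;ls%20-la HTTP/1.1" 200 640 "-" "Mozilla/4.0"
"""

# Request-line parser: source IP, timestamp, method, URL, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# Reconnaissance commands named in the post, matched against the decoded URL.
INDICATORS = [
    ("uname -a", re.compile(r"\buname\s+-a\b")),
    ("cd /tmp", re.compile(r"\bcd\s+/tmp\b")),
    ("ls -la", re.compile(r"\bls\s+-la\b")),
]

def decode_url(url):
    """Percent-decode twice so a double-encoded payload is still matched."""
    return unquote_plus(unquote_plus(url))

def scan_log(text):
    """Return one hit per request whose decoded URL carries an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        url = decode_url(m.group("url"))
        found = [name for name, rx in INDICATORS if rx.search(url)]
        if found:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "url": url, "indicators": found})
    return hits

def command_sequence(hits):
    """Group indicators by source IP in log order, reconstructing what each host tried."""
    seq = {}
    for h in hits:
        seq.setdefault(h["ip"], []).extend(h["indicators"])
    return seq
```

Feed a real access log to `scan_log` and look at `command_sequence` per source; the list of indicators is the place to add whatever commands your own logs show.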