[ILUG] fascinating paypal spam
Brian Foster
blf at blf.utvinternet.ie
Fri Apr 22 18:29:50 IST 2005
| Date: Fri, 22 Apr 2005 15:53:12 +0100 (IST)
| From: Paul Jakma <paul at clubi.ie>
|
| On Thu, 21 Apr 2005, kevin lyda wrote:
| > directory: http://searchfar.com/.bashrc/ .
| >
| > an amusing way to hide your evil files.
| >
| > anyway, something else to search for in security
| > scripts: normal rc files existing as directories.
|
| Not only that, but you'd have to actually inspect the contents of
| .bashrc (from a shell context which /did not/ use that bashrc).
eh? the hacked `.bashrc' is a directory.
bash(1) requires a file, and complains if it
finds a directory (when run interactively):

    bash: /home/luser/.bashrc: is a directory

yes, if you have/had a writable `.bashrc' _file_,
or the (home) directory itself is writable, then
there is an inspection issue. but I do not see
an inspection problem per se for this attack,
where it is a directory. (but, since the system
clearly has been compromised, you should not be
using anything on the system to inspect/repair
it!) IMHO, the attack is rather clumsy — amusing
but nonetheless clumsy — since it is so obvious.

cheers!
-blf-
--
Experienced (20+ yrs) kernel/software Eng: | Brian Foster Montpellier,
• Unix, embedded, &tc; • Linux; • doc; | blf at utvinternet.ie FRANCE
• IDL, automated testing, process, &tc. | Stop E$$o (ExxonMobile)!
Résumé (CV) http://www.blf.utvinternet.ie | http://www.stopesso.com
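
The check suggested in the thread (normal rc files existing as directories), together with the writable rc file and writable home directory cases raised in the reply, sketched as a shell function. This is an added example and not code from the thread; the RC_NAMES list, the function names and the output labels are assumptions. It takes the directory that holds the home directories as an argument, so it can be run from a trusted system against the suspect file system mounted elsewhere.

```shell
#!/bin/sh
# Added example: flag rc files that are directories, and rc files or home
# directories that are group- or world-writable.
# RC_NAMES is an assumed, non-exhaustive list of shell start-up files.
RC_NAMES=".bashrc .bash_profile .bash_login .bash_logout .profile .cshrc .login .zshrc .kshrc"

# is_loose PATH: true if PATH is group- or world-writable (symlinks ignored).
is_loose() {
    [ -n "$(find "$1" -prune ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# scan_homes DIR...: each DIR holds home directories, for example
# /mnt/suspect/home when the suspect disk is mounted read-only.
scan_homes() {
    for base in "$@"; do
        for home in "$base"/*/; do
            [ -d "$home" ] || continue
            home=${home%/}
            if is_loose "$home"; then
                echo "WRITABLE-HOME $home"
            fi
            for rc in $RC_NAMES; do
                p=$home/$rc
                if [ -d "$p" ]; then
                    # The case from the thread: a start-up file name used as a directory.
                    echo "RC-IS-DIRECTORY $p"
                elif [ -f "$p" ] && is_loose "$p"; then
                    echo "WRITABLE-RC $p"
                fi
            done
        done
    done
}

# Stand-alone use: sh scan_rc.sh /mnt/suspect/home
if [ "$#" -gt 0 ]; then
    scan_homes "$@"
fi
```
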