Gaining root access

Posted on 2006-05-09
Last Modified: 2010-04-20
I have a friend who has a machine that runs Debian 3.0 (woody). He wasn't updating some of the software, as he said Debian is reliable. Anyway, somebody gained root access to the machine. He took it offline to see how that happened. I scanned it with Nessus and found there were some high-risk services without updates, such as:

wu-ftpd 2.6.2
sendmail ESMTP 8.12.3/Debian-6.6

How would somebody gain access to the machine as root?
Thanks for any comments or links.

Question by:fm250
    LVL 15

    Assisted Solution

    Number of ways. There was a direct remote root exploit in wu-ftpd once, for example; chances are this is possible in the future as well. Bad security in wu-ftpd was one of the reasons Red Hat replaced it with vsftpd back in 9.0(?).

    Nessus might give you some clues; however, the best method to determine how it happened would be to investigate the application logs on the server (that is, if this was a script kiddie who didn't clean up after himself).
    LVL 10

    Author Comment

    But that was Debian.
    LVL 15

    Expert Comment

    So? It's the same wu-ftpd wherever it is. The vulnerability I provided as an example was fixed at around; what I meant there was that there was probably another one, in either wu-ftpd or someplace else. All in all, Nessus will not do all your work for you; you've gotta dig through the logs.
    LVL 10

    Author Comment

    Well, there were no helpful logs. But he is just wondering how somebody could get root access without even having normal user access, and about ways to prevent such a thing with limited monitoring of the server. It is not his main job.
    LVL 15

    Expert Comment

    1) stay patched and updated
    2) minimize the services exposed to the outer world
    3) install "hardening" kernel patches
    4) hire somebody for whom it would be their main job (i.e. either switch to managed hosting or hire a sysadmin).
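    Step 2 above (minimize what is exposed) starts with knowing what is listening. The script below is an added example, not code from the thread: it reads /proc/net/tcp directly, so it works on a bare woody box without netstat or ss, and takes the file path as a parameter so a copy saved from the compromised host can be examined offline. The function names and the "--live" switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find out what the box actually exposes.
# Reads /proc/net/tcp directly, so it works on a minimal install without
# netstat or ss, and takes the path as a parameter so a copy of the file saved
# from a compromised host can be examined offline.

# /proc/net/tcp stores IPv4 addresses as little-endian hex (0100007F = 127.0.0.1).
hex_to_ip() {
    h=$1
    b1=$(printf '%s' "$h" | cut -c7-8)
    b2=$(printf '%s' "$h" | cut -c5-6)
    b3=$(printf '%s' "$h" | cut -c3-4)
    b4=$(printf '%s' "$h" | cut -c1-2)
    printf '%d.%d.%d.%d\n' "0x$b1" "0x$b2" "0x$b3" "0x$b4"
}

# Print "port address" for every socket in state 0A (LISTEN), sorted by port.
listening_sockets() {
    file=${1:-/proc/net/tcp}
    # Column order in the file: sl local_address rem_address st ...
    while read -r _sl laddr _rem st _rest; do
        [ "$st" = "0A" ] || continue
        port=$(printf '%d' "0x${laddr#*:}")
        printf '%s %s\n' "$port" "$(hex_to_ip "${laddr%:*}")"
    done < "$file" | sort -n
}

# Only what the outside world can reach: everything not bound to loopback.
# A service on 0.0.0.0 that nobody off-box needs is the first thing to switch
# off or rebind to 127.0.0.1; a service that must stay is the one to keep patched.
exposed_sockets() {
    listening_sockets "${1:-/proc/net/tcp}" | grep -v ' 127\.'
}

# Run with --live to audit the machine this is executed on.
case "${1:-}" in
    --live) exposed_sockets ;;
esac
```

    Compare the list against what the firewall actually needs to let through; anything on 0.0.0.0 that is not on that list is a hole with no reason to exist.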
    LVL 19

    Assisted Solution

    Just a comment here.

    "But it is Debian" is a *very bad* approach to security. Debian is reliable, but not secure by definition. Even OpenBSD, which has all its code AUDITED, is not 100% secure out of the box.

    The sysadmin should take care that EVERY hole made in the firewall has an application listening behind it, and then such application should be monitored to keep it current.

    From here on, the last comment from m1kt4 is the way to go =)

    (P.S. I use Slackware and I consider it much more secure than Debian because it makes me do all the work and then recheck everything, but still, on an unmonitored server we had an intrusion a year ago... since then I patch all servers without distinction.)
    LVL 23

    Assisted Solution

    If somebody gained root access, then you need to assume that from that point onward the system is compromised, until you do a clean re-install of the OS.

    One thing to note is that it is very likely that the intruder cleansed the system logs that might otherwise indicate who got in and how; other changes may have been made to the system that you don't know about, to hide future activities or to ensure the intruder can regain access to the system in the future (backdoors, trojans, etc.).

    Recovering the information about how the intruder got in with a live analysis would probably be impossible if the attacker cleansed the logs; your best bet at figuring it out would have been to cut off the system soon after the compromise was detected, and permanently preserve the contents of the disk using an image copy of the filesystem (for use as evidence).

    The fact that WU-FTPD was not updated with the latest security fixes alone could have resulted in the compromise.

    It is important to keep software up to date, ESPECIALLY popular software that is installed on many machines and will definitely be on the average kiddie's list of services to attempt to exploit, including...

    * Web servers, FTP servers, mail servers, IMAP, POP, NFS, RPC, ...
    * Login servers, SSH, rlogin, ...

    It's fairly important to keep server software up to date.

    Every service you enable for access from the outside world, whether it's an FTP service or a mail service, poses a risk of system compromise.

    And that risk may reach an especially intolerable level if the updates that fix an exploitable security vulnerability are not applied on a timely basis.

    LVL 14

    Assisted Solution


    Same as the other comments, but here goes...

    Running an FTP server in non-anonymous mode (normal users can log in) is the same as giving your username and password to the world...

    Other really good ways to get hacked are to:

    - have standard accounts with standard passwords
    - have accounts that have the same name/password (for example: user: test, password: test = hacked!!!)
    - use FTP, telnet, webmail in non-SSL mode, SNMP with the same password as a user, SNMP with a rw community... (long list)

    My general advice is the same as m1kt4's: update ASAP and get to know what you are doing... (or find someone who does...)

    Install a firewall that blocks inbound AND outbound traffic. That way the script kids are lost...
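    What "blocks inbound AND outbound" looks like as an iptables policy, as an added example that is not part of the post. It emits a ruleset in iptables-restore format with both INPUT and OUTPUT defaulting to DROP, opening inbound only for the listed service ports and outbound only for what the host itself needs (DNS plus whatever ports you pass, e.g. 80/443 for apt); the rest is dropped and logged, which is what makes a backdoor phoning home show up in syslog. The function name and the port lists are this example's own; the "-m state" module is what the 2006-era kernel shipped.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables policy that drops
# unsolicited inbound AND outbound traffic. Inbound opens only the service
# ports given; outbound opens only the ports this box needs to reach out to.
# Usage: gen_firewall "22 25" "80 443" | iptables-restore

gen_firewall() {
    in_ports=$1     # TCP ports the outside world may connect to
    out_ports=$2    # TCP ports this host may initiate connections to
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections we already allowed in either direction
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# a "new" TCP connection that does not start with SYN is a scan or spoof
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    for p in $in_ports; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $out_ports; do
        printf '%s\n' "-A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<'EOF'
# DNS lookups so apt and the mailer can resolve names
-A OUTPUT -p udp --dport 53 -j ACCEPT
# log what gets dropped (rate limited): an outbound hit here on a server that
# should only ever talk to apt mirrors is a backdoor or bot trying to call home
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
COMMIT
EOF
}

# Print the ruleset for the given port lists; pipe into iptables-restore as root.
case "${1:-}" in
    --print) gen_firewall "${2:-22}" "${3:-80 443}" ;;
esac
```

    Load it from a console or serial session rather than over SSH the first time; if the inbound SSH port is not in the list, the session that loaded it is the last one you get.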


    LVL 10

    Author Comment

    Thank you all for the comments. I have provided him with some links about how to keep his box secure, in addition to some scripts that are out there for implementing the exploits, such as: for wu-ftpd, since he was more interested in how they got in.

    So, any more comments on the "how" part, such as: can these exploits first use some of the system accounts with nologin, such as ftp, mail, nobody, etc.?

    Thanks, and I will split the points.
    LVL 19

    Assisted Solution

    Some software exposes your server to a compromise. OK.

    But some other software has vulnerabilities that can lead to a privilege escalation. That is, you exploit that software, which is running as root, and then you have root privileges. What to do first? If the exploit takes too much time, then just change root's password (not recommended), create another user with root privileges (way better), etc. etc. etc.

    This is why a system must always be up to date.
    LVL 4

    Accepted Solution

    I'm no expert, but generally speaking, remote attackers can cause a buffer overflow in remote services without the need for a local account. A buffer overflow can contain code to cause the program to error and execute code as root. If such a buffer overflow were exploited and linked to or contained code that modifies /etc/passwd, for example, they could just insert a local account of their choosing or even possibly get a remote root prompt. If you really want to know the how and why, I suggest putting Google and SecurityFocus to work for you. Here are some of the many examples of problems with wu-ftpd.

    There have been many over the years; those are just some ideas to get you in the right direction. Bottom line is... always monitor your systems and logs, and update with security patches as soon as possible. If you can't patch immediately, for whatever reason, at least be aware of the patches and find workarounds, or test patches on other systems not in production.
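    The two things this answer and the previous one describe the intruder doing once the service runs their code as root (inserting an account into /etc/passwd, or adding a second uid-0 user) both leave marks in that one file, and the author's question about the nologin system accounts (ftp, mail, nobody) is answered by the same file. The script below is an added example, not from the thread: it audits a passwd file for those marks. It takes the path as a parameter so it can run against a copy from the imaged disk, and the finding labels and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): look for what an intruder who edited
# /etc/passwd leaves behind. Takes the file path as a parameter so it can be
# run against a copy pulled from the imaged disk rather than the live system.
# Prints one finding per line and returns 1 if anything was found.

# System accounts on Debian: uid below 1000, plus nobody/nogroup at 65534.
is_system_uid() {
    [ "$1" -lt 1000 ] || [ "$1" -ge 65534 ]
}

audit_passwd() {
    f=${1:-/etc/passwd}
    found=0
    while IFS=: read -r user pw uid _gid _gecos _home shell; do
        [ -n "$user" ] || continue
        case "$uid" in
            ''|*[!0-9]*) printf 'BADUID %s %s\n' "$user" "$uid"; found=1; continue ;;
        esac
        # 1. Any second uid-0 account: "create another user with root privileges"
        #    is exactly the backdoor described above, and it survives a change of
        #    the root password.
        if [ "$uid" -eq 0 ] && [ "$user" != "root" ]; then
            printf 'UID0 %s\n' "$user"; found=1
        fi
        # 2. System accounts (ftp, mail, nobody, ...) that could log in. Woody
        #    shipped some of these with /bin/sh and relied on a locked password
        #    in /etc/shadow, so compare against a clean install; an account that
        #    used to be /bin/false and now has a shell is the real hit.
        if is_system_uid "$uid" && [ "$user" != "root" ]; then
            case "$shell" in
                ''|/bin/false|/bin/sync|/bin/nologin|/sbin/nologin|/usr/sbin/nologin) ;;
                *) printf 'SHELL %s %s\n' "$user" "$shell"; found=1 ;;
            esac
        fi
        # 3. Password field that is not the shadow placeholder: an empty field
        #    logs in with no password at all, a hash here bypasses /etc/shadow.
        case "$pw" in
            'x'|'*'|'!'|'!!') ;;
            '') printf 'NOPASS %s\n' "$user"; found=1 ;;
            *) printf 'HASH-IN-PASSWD %s\n' "$user"; found=1 ;;
        esac
    done < "$f"
    return "$found"
}

# Run with --live to audit the machine this is executed on.
case "${1:-}" in
    --live) audit_passwd /etc/passwd ;;
esac
```

    Run it from a cron job and mail the output, and keep a copy of a known-good /etc/passwd to diff against; the script finds the obvious insertions, the diff finds the subtle ones (a changed home directory or shell on an existing account).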
    LVL 11

    Assisted Solution

    Hi, I'm also running Debian sarge 3.1 rc2.
    Some useful hints:
    - Nessus is not the only and last remedy;
    -- make a cron job on the woody server for running chkrootkit; quiet mode is also OK!!! --> this is the really important tool against rootkits!
    - or also try out: snort, netcat, ethereal;
    - make a good iptables script for the server; MonMotha's script is a good one, perhaps you need to modify it for your needs:
    but I think his own server is currently down ;( => do a Google search to find the latest version.
    - use only ssh and no telnet for remote administration;
    - use only ssh for sFTP; best use gFTP or any other client which is ssh/ssh2 capable;
    - add to your sources list in /etc/apt/:

    deb stable/updates main

    deb stable/updates main contrib non-free

    and do regularly:
    # apt-get update    and
    # apt-get upgrade
    - subscribe to the Debian security mailing list: so you can get every announcement of a security update by e-mail.
    -- subscribe to the debian-user mailing list, where you can also get superb support regarding your distro: --> you can ask here for security support and every kind of Debian problem/issue
    -- subscribe to another security mailing list, something like:
    - run crack at least once a month from a remote machine to scan your server for weak passwords
    - if you wish, also install clamav, but it isn't really needed:
    - check out these links:
    (- buy a firewall router on eBay, perhaps you can get a cheaper one for not more than 150-200 bucks...)
    - also check out:
    also as a firewall:
    - update to sarge, it's really better than woody overall.


