Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

use Perl Log In

Log In

[ Create a new account ]

Matts (1087)

Matts
  (email not shown publicly)
I work for MessageLabs [messagelabs.com] in Toronto, ON, Canada. I write spam filters, MTA software, high performance network software, string matching algorithms, and other cool stuff mostly in Perl and C.

Journal of Matts (1087)

Saturday May 18, 2002
11:35 AM

Possible hack

[ #5043 ]

I'm not really sure what's going on yet...

This morning at about 8am, I got a cvs update message from my CVS server. One of my anonymous CVS users (specifically cvs-axkit, which I don't think I advertise) added a passwd file to the CVSROOT project on the axkit.org CVS server. My stupid fault for not making the anonymous users just "readers". But I'm not really sure what the purpose was.

Is there some hack there I don't know about? Is my server compromised? The annoying thing is that CVS doesn't seem to keep any IP address information, so I have no idea who was connecting at that time. Can't find anything in my logs about it whatsoever.

I simply can't afford a complete re-install at this time. That would be my idea of a nightmare...

So for now I've disabled xinetd (which was running pserver), until I figure out more :-(


List all Journal entries
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Possible hack 8 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Do you run CVS pserver as root? In this case "hacker" could create CVS login entry which can give him/her root rights.

    For example:

    # access CVS as root with alternative password
    root:HACKER'S_CRYPTED_PASSWORD
    # alias some CVS login name to root UID
    hacker:HACKER'S_CRYPTED_PASSWORD:root

    Have you checked if commitinfo/loginfo/etc files are not modified. They can be used to run arbitrary code.

    You may want to check if you don't have any rootkits on your computer. Try www.chkrootkit.org [chkrootkit.org].

    --

    Ilya Martynov (http://martynov.org/ [martynov.org])

    • Here's the log entry in it's entirety:

      Date:   Saturday May 18, 2002 @ 8:10
      Author: cvs-axkit
       
      Update of /home/cvs/CVSROOT
      In directory ted:/tmp/cvs-serv32715
       
      Modified Files:
              passwd
      Log Message:
      hmm, try that again
       
      Index: passwd
      ===================================================================
      RCS file: /home/cvs/CVSROOT/passwd,v
      retrieving revision 1.1
      retrieving revision 1.2
      diff -b -u -r1.1 -r1.2
      --- passwd      2002/05/18 07:06:38 

  • find / -mtime 1
    • Wouldn't you know I did an apt-get update yesterday evening, making that next to useless. However a check of files modified more recently than something I know I modified yesterday evening before going to bed didn't reveal anything scary.

      Neither did chkrootkit.

      I hate this sort of thing. It feels like such a waste of my day - especially when it's targetted at open source resources like my server. The jollies of the few ruin it for the rest of us.
  • that's why you want to get your stuff hosted by the ASF or at perl.org; others will take care of most such worries and hassles for you! :-)
    --

    -- ask bjoern hansen [askbjoernhansen.com], !try; do();

    • Well I host AxKit on apache.org. However that still leaves approx 60 projects in my CVS server... I suppose I could bump every single damn one onto sourceforge, but really, do I want to do that? Some of course are private projects (but then if they were just private projects I wouldn't need anoncvs I guess) which I couldn't host anywhere but here.

  • I'm way into using CVSROOT=:ext:user@host:/path/to/repos CVS_RSH=ssh. It's easier to set up than pserver, and probably more secure. I'm pretty sure you could set up an account with no login shell and only read-only access to the repository files and make it work. (But I've never tried it, so YMWV.)

    I hope no damage was done. Maybe the guy didn't know what he was doing and just did all that accidentally (hence the log message)? (Or was just trying something out to see if it would work, as opposed to tr

    --
    J. David works really hard, has a passion for writing good software, and knows many of the world's best Perl programmers
    • I'm considering dropping pserver. I allow it only for anonymous access right now, because people like to follow my projects, and I also prefer people to submit patches against current CVS.

      But if it's going to be a security risk then I'll just kill that.
Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.