Hi all,

One of my machines running Debian woody (up to date with all security updates) was broken into yesterday. The attacker gained normal user access, possibly by cracking a weak password, and then managed to get a root shell, install a rootkit, etc.

Looking through the evidence left behind (bash_history, etc.), I have figured out that the privilege escalation was achieved using an executable that the attacker downloaded from the net. I have verified that this binary is indeed capable of giving a root shell to any user, and it works on two test systems I tried: one woody and one Red Hat 7.2. I have taken the system off the net and am in the process of re-installing, but the existence of such an easy-to-use and effective privilege escalation kit is quite disturbing. As I only have access to the binary left behind by the attacker, I'm pretty clueless as to how the exploit works. Although I am pretty familiar with Linux and have been running servers for several years, this is the first time I have faced a root exploit, so I'm rather clueless as to what to do. Any advice would be highly appreciated.

Thanks,
Selva Nair