On Sat, 26 Feb 2005, Jonathan Hutchins wrote:
> 2.4.20-37.7.legacy. Now on 2.4.20-42.7.legacy.
Okay. If I am reading the info correctly, 2.4.20-37.7.legacy was compiled in Sept 2004, before the uselib() root kernel hole was discovered in January, 2005. http://www.isec.pl/vulnerabilites/isec-0021-uselib.txt.
There was also an awstats exploit patched on Feb 16 or so, that allowed remote execution of commands by the apache-owner, "nobody" on Redhat, I believe.
Now, it may be presumptuous of me to assume your box has been rooted, but, given the above information, that's how it looks to me. I did ask you what user had installed the backdoor that you're asking about, but didn't receive an answer. From your examination, you have concluded that your box was not rooted. Given the known security holes that were present in your system and the information that you have given us, my conclusion is that root access was absolutely possible, and it would be foolish, IMO, to ignore this probability. Also, you told us that this box had all of its files deleted, and nobody but root can do that.
I realize that having crackers rooting (figuratively if not literally) around on your system isn't exactly a prescription for a pleasant demeanor. It is not my intention to annoy you, I'm only trying to help. Maybe your box wasn't rooted. But, if not, which user did install the backdoor? And how were the files deleted?
> You keep accusing me of making assumptions. I believe you are, in fact, making rather a lot of assumptions given the fact that you haven't examined the system. I have. I have made conclusions, not assumptions.
Okay. You have more information than I, but I'm still drawing a different conclusion than you from the information that I have seen.
Regards,
-Don
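The argument in the message above turns on whether the kernel that was running (2.4.20-37.7.legacy) predates the build that the poster later moved to (2.4.20-42.7.legacy). A defender auditing a box after the fact wants that comparison done by RPM ordering rules rather than by eye. The following is an added example, not code from either participant or from the Fedora Legacy project; it assumes that the later release string quoted in the thread is the one carrying the fix, and the two kernel strings are the ones quoted in the message.

```python
"""Compare an installed kernel release string against the release that
carries a fix, using RPM-style version/release ordering.

Added example for the thread above; not code from the mailing list.
Assumption: the release the poster upgraded to is the fixed build.
"""

import platform
import re

# Assumption: the release the poster moved to is the one carrying the fix.
FIXED_KERNEL = "2.4.20-42.7.legacy"

# rpmvercmp-style tokenisation: runs of digits or runs of letters,
# separators such as '.' and '-' are ignored.
_TOKEN = re.compile(r"(\d+|[A-Za-z]+)")


def _segments(s):
    """Split a version or release string into its comparable tokens."""
    return _TOKEN.findall(s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing a and b the way RPM does.

    Numeric tokens compare as integers, alphabetic tokens compare
    lexically, a numeric token sorts after an alphabetic one, and when
    one string runs out of tokens the one with tokens left is newer.
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_release(kernel):
    """'2.4.20-37.7.legacy' -> ('2.4.20', '37.7.legacy')."""
    version, _, release = kernel.partition("-")
    return version, release


def compare_kernel(installed, fixed=FIXED_KERNEL):
    """Compare two kernel strings: version first, then release."""
    iv, ir = split_release(installed)
    fv, fr = split_release(fixed)
    c = rpmvercmp(iv, fv)
    return c if c else rpmvercmp(ir, fr)


def is_vulnerable(installed, fixed=FIXED_KERNEL):
    """True when the installed kernel predates the fixed release."""
    return compare_kernel(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample: the two releases quoted in the message.
    for k in ("2.4.20-37.7.legacy", "2.4.20-42.7.legacy"):
        print(f"{k}: {'predates fix' if is_vulnerable(k) else 'at or after fix'}")
    # The running kernel on whatever host this is executed on.
    print(f"running {platform.release()}: "
          f"{'predates fix' if is_vulnerable(platform.release()) else 'at or after fix'}")
```

The check only establishes ordering; it says nothing about whether a given build actually contains a particular fix, which has to come from the distribution's advisory. Its value in a dispute like the one above is that it removes the "I read the version string wrong" failure mode from the timeline.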