Package: cron
Version: 3.0pl1-106
Justification: root security hole
Severity: critical
Tags: security

Hi Guys,

I am by no means a security expert. I noticed my server was breached and multiple accounts on it have been logging via cron over and over again.

From the auth log:

Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session closed for user michael
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session closed for user arun

As soon as I removed cron, these session openings were stopped. I removed cron with the --purge flag, and manually erased everything in the /etc/ directory which related to cron. I then restarted the computer. However, as soon as I re-installed cron, these session openings via uid=0 started again.

There is a high possibility I'm wrong, and this is not related to cron, so feel free to downgrade this bug.

Thanks
Oz.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages cron depends on:
ii  adduser         3.112      add and remove users and groups
ii  debianutils     3.2.2      Miscellaneous utilities specific t
ii  libc6           2.10.2-6   Embedded GNU C Library: Shared lib
ii  libpam0g        1.1.1-2    Pluggable Authentication Modules l
ii  libselinux1     2.0.89-4   SELinux runtime shared libraries
ii  lsb-base        3.2-23     Linux Standard Base 3.2 init scrip

Versions of packages cron recommends:
pn  exim4 | postfix | mail-transp <none> (no description available)
ii  lockfile-progs  0.1.13     Programs for locking and unlocking

Versions of packages cron suggests:
ii  anacron         2.3-14     cron-like program that doesn't go
ii  checksecurity   2.0.13     basic system security checks
ii  logrotate       3.7.8-4    Log rotation utility
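
A triage helper for the pam_unix cron session lines quoted in the report, added here as an example and not part of the original report or of the cron package. It pairs each "session opened" with its "session closed" by PID and user, counts events whose partner falls outside the excerpt, and measures the gap between session starts per user. The names `summarize` and `start_gaps` and the default year are assumptions; the sample lines are the ones from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the auth log excerpt in the report.
SAMPLE = """\
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:30:01 sinbra CRON[5642]: pam_unix(cron:session): session closed for user michael
Mar 29 10:30:01 sinbra CRON[5643]: pam_unix(cron:session): session closed for user arun
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:31:01 sinbra CRON[5728]: pam_unix(cron:session): session closed for user michael
Mar 29 10:31:01 sinbra CRON[5729]: pam_unix(cron:session): session closed for user arun
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session opened for user michael by (uid=0)
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session opened for user arun by (uid=0)
Mar 29 10:32:01 sinbra CRON[5822]: pam_unix(cron:session): session closed for user michael
Mar 29 10:32:01 sinbra CRON[5823]: pam_unix(cron:session): session closed for user arun
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ CRON\[(?P<pid>\d+)\]: "
    r"pam_unix\(cron:session\): session (?P<ev>opened|closed) for user (?P<user>\S+)"
)

def summarize(text, year=2010):  # syslog lines carry no year; 2010 is an assumption
    """Pair opened/closed events by (pid, user); return per-user stats."""
    pending = {}
    stats = defaultdict(lambda: {"sessions": 0, "unmatched": 0, "starts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a cron pam_unix session line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key, user = (m["pid"], m["user"]), stats[m["user"]]
        if m["ev"] == "opened":
            pending[key] = ts
            user["starts"].append(ts)
        elif pending.pop(key, None) is not None:
            user["sessions"] += 1  # open and close seen for the same PID
        else:
            user["unmatched"] += 1  # close whose open precedes the excerpt
    for _pid, name in pending:
        stats[name]["unmatched"] += 1  # open with no close in the excerpt
    return stats

def start_gaps(stats, user):
    """Seconds between consecutive session starts for one user."""
    starts = sorted(stats[user]["starts"])
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
```

The users and start gaps it reports can then be compared against the output of `crontab -l -u <user>` and the files under /etc/cron.d to see which entries produce each session.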