by iheartmemcache 6217 days ago
It looks like they first buffer overflowed Litespeed to spawn a shell (which was ironically running as a user 'apache'). The http headers that are being returned from Astalavista are consistent with this theory (in addition to the obvious output of the first binary run). Apparently Litespeed has a pretty dodgy security record after doing a cursory search.

Far more interesting was the root escalation exploit. 2.6.18 is a relatively recent kernel, and I haven't heard of exploits publicly disclosing something of that caliber. Has anyone seen anything on securityfocus/bugtraq/milw0rm etc. regarding this?


There's a nasty bug in the vmsplice() syscall in anything from 2.6.17 to 2.6.24.1. Exploits have been public since early 2008.

http://www.milw0rm.com/exploits/5092

http://www.milw0rm.com/exploits/5093

One of the files on their server is an exploit for that vulnerability. If they know about it, I would guess they aren't vulnerable, but who knows.
Good point. The kernel version in the transcript looks like the version I've got on a CentOS machine, so it's probably patched. Interestingly, the strings ("r00tr00t", "Executing shell") from the local-root tool they're using don't appear anywhere online, suggesting that it's something private and potentially unknown.
Maybe it's just not indexed.
It's easy to modify strings in a simple C function/program. That's all that would be needed to modify and display the "r00tr00t" etc. you are mentioning.
The version string "2.6.18-128.1.10el5" is exactly what CentOS 5.3 shows (toy VM I installed last week, updated to May 31, no updates today). They may have turned off SELinux for convenience ...

[P.S. my VM is 32 bits, because VirtualBox has an issue with 64 bit CentOS 5.3 and AMD PhenomIIs: http://www.virtualbox.org/ticket/3927 ]