Monthly Archives: February 2008

A familiar hacker visits my home network

My oldest son is away at college. He’s finishing his senior year and deciding what to do next. I’m very proud of him, but sometimes I can’t help compare his life to mine. To earn money for living expenses during college, I had jobs washing dishes, changing oil, stocking shelves and eventually moving all the way up to cashier at Smith’s Food King. Good times. My son has had summer jobs programming for Berkeley Data Systems (Mozy) and this little Internet startup named Google. During the school year, he works on Linux boxes for the astronomy department at his school. His jobs sound like a huge amount of fun to me, and I think he has enjoyed them, but he takes things so seriously sometimes. Sigh. At that age, I did too.

I keep expecting to get traditional letters (or at least emails) from him asking for money, but instead I received this email last week:

so, sorry i haven't called recently, as i miss talking to you.

nevertheless, i thought it would be a good idea to let you know that
your server machines are all completely rootable

on bub, the code /home/jtolds/vmsplice-exploit will give you root on
nearly every 2.6 kernel machine
/home/jtolds/disable-vmsplice-if-exploitable will disable the vmsplice
code in memory by overwriting the first line of the vmsplice function
calls with the RET assembly command
I ran that on bub since it's network accessible

you may want to install new kernels or recompile or something.

if you don't and do reboot bub, you should run the exploit disabler again

love you! talk to you soon
-jt

I would have used the phrase “RET assembly instruction” instead of “RET assembly command”. Assembly ain’t no scripting language. I’m not sure what they are teaching kids in school these days.

I have, of course, upgraded my Linux kernels on the machines in question.