The problem is starting >>before<<
I think all the things >>before<< phpshell.php are done via phpshell.php and the things you can see in the .bash_history are only the things after he already got in.
id mkdir /etc/.rpn ...
you should think about everything that's listening on a port:
- an outdated sshd? (!)
It was a NOW outdated sshd, but I believe that the new packages weren't available on Sunday - after getting the DSA mails I usually update my systems.
- security updates all up to date?
the same state as DSA announcements
- known unclosed security hole?
It seems that it was possible to upload & execute .php-files somewhere (phpshell.php)
- some nice scripts like 'rootshell.php'? ;)
No. At least not found till now.
- perl without tainting checks in cgi-bin?
What exactly do you mean? How can I do/check that?
thanks, markus
etc. etc.
Christian
-----Original Message----- From: Markus Schabel [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 12:23 PM To: [EMAIL PROTECTED] Subject: Re: [sec] Re: Strange segmentation faults and Zombies
maximilian attems wrote:
On Thu, 18 Sep 2003, Christian Storch wrote:
Don't forget to try to find the potential hole first! Otherwise you could have a fast recurrence. [..]
In /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
kill 15292
netconf
locate httpd.conf
cd /etc/.rpn
ls -al
wget
cd /var/www/cncmap/www/upload/renegade
ls -al
rm -rf phpshell.php
       ^__________^ was this the exploited hole ?
I think so. In fact the problem is that it got there...
regards Markus
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
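On the "perl without tainting checks in cgi-bin?" question above: a Perl CGI script only runs with taint checks when its #! line carries -T. The following is an added example, not code from the thread, that audits a cgi-bin directory for Perl scripts lacking -T; the /usr/lib/cgi-bin path is an assumption and the fixture scripts are constructed for a dry run.

```sh
#!/bin/sh
# Added example, not from the thread: find Perl CGI scripts that run
# without taint checks. Perl only enables taint mode when -T appears on
# the #! line (also bundled, e.g. -wT); -t merely warns, so it does not
# count. Paths below are assumptions, the fixture scripts are constructed.

# Print every *.pl / *.cgi file under $1 whose shebang runs perl without -T.
find_untainted_perl_cgi() {
    find "$1" -type f \( -name '*.pl' -o -name '*.cgi' \) | sort |
    while read -r f; do
        shebang=$(head -n 1 "$f")
        # Skip anything that is not a Perl script (e.g. a shell wrapper).
        printf '%s\n' "$shebang" | grep -q '^#!.*perl' || continue
        # A switch cluster containing a capital T means taint mode is on.
        printf '%s\n' "$shebang" | grep -Eq -e '-[A-Za-z]*T' && continue
        printf '%s\n' "$f"
    done
}

# Build a throwaway cgi-bin with constructed sample scripts for a dry run.
make_fixture() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl -T\nprint "ok\\n";\n'  > "$d/safe.pl"
    printf '#!/usr/bin/perl -wT\nprint "ok\\n";\n' > "$d/bundled.cgi"
    printf '#!/usr/bin/perl -w\nprint "ok\\n";\n'  > "$d/upload.pl"
    printf '#!/bin/sh\necho not perl\n'             > "$d/wrapper.cgi"
    printf '%s\n' "$d"
}

# Usage: ./audit.sh /usr/lib/cgi-bin   (path is an assumption)
if [ $# -gt 0 ]; then
    find_untainted_perl_cgi "$1"
fi
```

Only upload.pl is reported for the fixture; a script found this way is worth reviewing for how it handles request input before anything else on the checklist.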