Christian Storch wrote:
The problem is starting >>before<<
I think all the things >>before<< phpshell.php are done via
phpshell.php and the things you can see in the .bash_history
are only the things after he already got in.
id
mkdir /etc/.rpn
...
you should think about all what's listening on a port:
- an outdated sshd? (!)
It was a NOW outdated sshd, but I believe that the new packages weren't
available on Sunday - after getting the DSA mails I usually update my
systems.
- security updates all up to date?
the same state as DSA announcements
- known unclosed security hole?
It seems that it was possible to upload & execute .php-files somewhere
(phpshell.php)
- some nice scripts like 'rootshell.php'? ;)
No. At least not found till now.
- perl without tainting checks in cgi-bin?
What exactly do you mean? How can I do/check that?
thanks, markus
etc.
etc.
Christian
-----Original Message-----
From: Markus Schabel [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 18, 2003 12:23 PM
To: debian-security@lists.debian.org
Subject: Re: [sec] Re: Strange segmentation faults and Zombies
maximilian attems wrote:
On Thu, 18 Sep 2003, Christian Storch wrote:
Don't forget to try to find the potential hole first!
Otherwise you could have a fast recurrence.
[..]
in /etc/.rpn there's a .bash_history with the following content:
id
mkdir /etc/.rpn
ps -aux
ps -aux | grep tbk
kill -15292 pid
kill 15292
netconf
locate httpd.conf
cd /etc/.rpn
ls -al
wget
cd /var/www/cncmap/www/upload/renegade
ls -al
rm -rf phpshell.php
^__________^
was this the exploited hole ?
I think so. In fact the problem is that it got there...
regards
Markus
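As an added example that is not part of the thread, the POSIX shell script below covers two of the checks discussed above: Christian's question about perl CGI scripts running without taint checks (the -T switch on the shebang line), and the web upload directory in which phpshell.php was found, which should contain no files the server would execute as scripts. The directory names and the sample files it builds are constructed placeholders, not paths from Markus's system; Debian's default cgi-bin location is /usr/lib/cgi-bin, so pass that (and your real upload directory) when running it for real.

```shell
#!/bin/sh
# Added example, not code from the thread. Two small audit helpers plus a
# constructed sample tree so they can be tried offline.

# Print every file in a cgi-bin directory that is a perl script (judged by
# its shebang line) but does not enable taint mode there. With -T, perl
# refuses to pass data derived from the request (query string, environment,
# form fields) to system(), open(), eval etc. until it has been untainted
# through a regex match, which is the protection the thread asks about.
find_untainted_perl_cgi() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        shebang=$(head -n 1 "$f")
        case "$shebang" in
            '#!'*perl*) ;;      # only perl scripts are of interest here
            *) continue ;;
        esac
        # accept -T in any switch cluster on the shebang line: -T, -wT, -Tw ...
        if ! printf '%s\n' "$shebang" | grep -Eq -- '[[:space:]]-[A-Za-z]*T'; then
            echo "$f"
        fi
    done
}

# Print files under a web upload directory whose names the server would
# treat as server-side scripts if that directory is not configured to
# refuse execution. A clean upload directory should print nothing.
find_scripts_in_upload_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.php3' -o -name '*.phtml' \
        -o -name '*.pl' -o -name '*.cgi' \) | sort
}

# Build a constructed sample tree (placeholder content, not real scripts)
# and print its path, so the helpers above have something to run against.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/cgi-bin" "$dir/upload"
    printf '#!/usr/bin/perl -wT\nprint 1;\n' > "$dir/cgi-bin/tainted.pl"
    printf '#!/usr/bin/perl -w\nprint 1;\n'  > "$dir/cgi-bin/untainted.pl"
    printf '#!/bin/sh\necho 1\n'             > "$dir/cgi-bin/notperl.sh"
    printf 'just data\n'                     > "$dir/upload/photo.jpg"
    printf '<?php /* placeholder */ ?>\n'    > "$dir/upload/phpshell.php"
    echo "$dir"
}

# Stand-alone demo run on the constructed tree.
demo() {
    tree=$(make_sample_tree)
    echo "perl CGI scripts without -T under $tree/cgi-bin:"
    find_untainted_perl_cgi "$tree/cgi-bin"
    echo "script files under $tree/upload:"
    find_scripts_in_upload_dir "$tree/upload"
    rm -rf "$tree"
}

demo
```

On a real system, replace the sample tree with `find_untainted_perl_cgi /usr/lib/cgi-bin` and `find_scripts_in_upload_dir /var/www/<site>/upload`; a script missing -T is a candidate for review of how it handles request data, and any .php or .cgi file in an upload directory is either a hole in the upload filter or, as in the bash_history above, something an intruder left behind.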