Security Basics mailing list archives
PHP and remote execution
From: "Strider" <strider () chatcircuit com>
Date: Sun, 11 May 2003 11:51:38 -0500 (Central Daylight Time)
After our latest fun with one of our boxes becoming a DoS source, we've spent much time tracking how it was compromised. It was all because of a forum called CyBoards. There exists a bug that is known to exist and has not been fixed that allows execution of code on the hosting server. In this case, the attacker wanted to conceal his activity as much as possible, so he made use of the exploit as little as possible by making it install a back door. Through the back door, he installed a DoS client and initiated 2 DoS attacks.

We found the DoS client without a problem. It was in /tmp with the name of milk, which seems to be a lesser known packet fragmentation DoS attack program originating from Brasil. The two attacks were launched against Brazilian sites, so this clued us in that it was a rather local attack.

With 400+ site logs to navigate, it wasn't easy looking for something we didn't know to look for. We quickly figured out that it was in fact done via the web server, due to the fact that the attack binary was owned by the same user and group as the httpd, and we also fairly quickly figured out the DoS attack was not launched via an interactive web script (php, cgi, etc). It was either a script specifically used for this purpose, or an installed backdoor. It took hours of scouring, several cups of coffee, and several packs of cigarettes to find the initial attack. An exploit was done on an installation of CyBoards which instructed a hole to execute a script from another server in Brasil, which instructed our server to download, compile, and execute a shell backdoor. From there, the attacker logged into the shell backdoor and downloaded the milk binary to the server, already compiled.

The measures we have taken to prevent this so far are to prevent php from executing remote scripts, and modifying the kernel with grsec for better access control. Does anyone know of any other measures we should take to prevent these things? Is there a way to move the tmp dir access to the user dirs?
Beau (Strider) Steward
strider () chatcircuit com
http://www.arteryplanet.net
http://www.chatcircuit.com
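The two hardening points in the post above (stopping PHP from pulling in remote scripts, and keeping /tmp from being a launch pad for downloaded binaries) can be audited with a couple of shell functions. This is an added example, not code from the original post or from the list; it assumes the standard php.ini directive allow_url_fopen (whose built-in default is On) and a mount table in /proc/mounts format, and the php.ini and mount-table samples at the bottom are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not part of the original post: audit two of the hardening
# points raised in the thread. Assumes a php.ini using the standard
# allow_url_fopen directive and a /proc/mounts-style mount table.

# php_remote_disabled: read php.ini text on stdin; succeed (exit 0) only if the
# effective (last) allow_url_fopen setting is Off/0. PHP's built-in default is
# On, so a file that never mentions the directive is reported as NOT disabled.
php_remote_disabled() {
    sed -e 's/[;#].*$//' \
      | tr -d ' \t' \
      | grep -i '^allow_url_fopen=' \
      | tail -n 1 \
      | grep -iqE '^allow_url_fopen=(off|0)$'
}

# tmp_mounted_noexec: read mount table text on stdin; succeed only if /tmp is a
# separate mount carrying both noexec and nosuid, which denies execution of
# anything dropped into /tmp by the web server user.
tmp_mounted_noexec() {
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ && $4 ~ /(^|,)nosuid(,|$)/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# audit_live: run both checks against the real host. Not called below so the
# example stays runnable offline; invoke it by hand on a server.
audit_live() {
    ini=${1:-/etc/php.ini}   # assumed default path; pass your own as $1
    if php_remote_disabled < "$ini"; then echo "ok: allow_url_fopen is Off in $ini"
    else echo "WARN: allow_url_fopen is On (or unset) in $ini"; fi
    if tmp_mounted_noexec < /proc/mounts; then echo "ok: /tmp is noexec,nosuid"
    else echo "WARN: /tmp allows execution"; fi
}

# Constructed sample inputs: a weak php.ini beside a hardened one (the later
# duplicate directive wins, as in PHP), and a mount table in /proc/mounts format.
WEAK_INI='; default settings
allow_url_fopen = On'
HARD_INI='; remote file access disabled
allow_url_fopen = On   ; earlier value, overridden below
allow_url_fopen = Off'
MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0'

printf '%s\n' "$WEAK_INI" | php_remote_disabled && echo "weak ini: remote fopen off" || echo "weak ini: remote fopen ON"
printf '%s\n' "$HARD_INI" | php_remote_disabled && echo "hard ini: remote fopen off" || echo "hard ini: remote fopen ON"
printf '%s\n' "$MOUNTS"   | tmp_mounted_noexec  && echo "/tmp: noexec,nosuid"      || echo "/tmp: executable"
```

Both functions take their input on stdin so they can be pointed at a saved copy of a config or at the live files; audit_live wires them to the usual paths. The noexec check is a mitigation, not a guarantee (an interpreter can still be handed a script from /tmp), so it belongs alongside the PHP setting and grsec, not instead of them.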