Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: Harry de Grote <rik.bobbaers () cc kuleuven ac be>
Date: Wed, 20 Oct 2004 17:59:57 +0200
Op Wednesday 20 October 2004 07:04, security () kemhosting com sgreifde:
This thread is a couple months old, but I'm having issues with this hack, found it in the archives and thought it'd be helpful if I 'resusitated' it. See bottom of email for rest of thread. Today, hackers used the ShellBOT perl script to bring down Apache and start up their IRC listener. They (somehow) copied it into /tmp and executed it. This confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does Perl somehow bypass this?
try doing this in your no-exec /rmp: /lib/ld-linux.so.2 /bin/bash (should work if you have a 2.4 kernel, not in 2.6 anymore) thats just 1 way to bypass the noexec flag
While the script was running, I ran lsof and found that it had recursively accessed all my (virtual host) httpd logs (probably in an attempt to delete it's tracks = the reason I can't see how they copied the script into /tmp) which are owned by root. this is also confusing since the process the script spawned was owned by user apache. Some info on my box: Redhat ES kernel 2.4.21-9.0.1.ELsmp httpd-2.0.46-32.ent php-4.3.2-11.ent Anyone have any ideas on how this can happen? Mainly the executing of a script on a noexec mount! Obviously I'm not a guru, so it's probably something simple - so please, share!
there are , as you can see easy ways to bypass that... :) -- harry aka Rik Bobbaers K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50 Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org "\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20" "\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66" "\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63" "\x6c\x65\x0a\x00"
Current thread:
- re: Systems compromised with ShellBOT perl script - part 2 security (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Meder Kydyraliev (Oct 20)
- re: Systems compromised with ShellBOT perl script - part 2 Jim Halfpenny (Oct 20)
- DoS worm David Gillett (Oct 20)
- Re: DoS worm Nick FitzGerald (Oct 21)
- DoS worm David Gillett (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Jeffrey Denton (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Martin Mačok (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Harry de Grote (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Stephen J. Smoogen (Oct 20)
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Thomas Hochstein (Oct 21)
- Re: Systems compromised with ShellBOT perl script - part 2 Paul Schmehl (Oct 22)
- <Possible follow-ups>
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Dave (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Chris Norton (Oct 22)