Security Incidents mailing list archives
Re: Suspicious files in /tmp
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 18 Jun 2007 18:08:19 +0100
Hi there, It looks like the bot exploits a remote file include in mosConfig_absolute_path - I think this would be Mambo or a component of Mambo. It looks a lot like a compromise attempt I saw a year or so back - http://infosecwriters.com/texts.php?op=display&id=416 [pdf, sorry]. In the one I saw, initially, the mosConfig_absolute_path vulnerability was exploited to drop and execute a connect-back shell. (Cb.pl and cback seem to be connect back shells of the same type as I saw.) In mine, the connect back shell immediately downloaded a perl bot which had similar spreading code in it to your 'bot' file. (ie. search google for potentially vulnerable Mambo installs and attempt to exploit them.) Have you ever had Mambo on this box? Try grepping your apache logs for 'mosConfig_absolute_path=http' If it's any consolation, in the one I saw, they didn't bother to make the bot persistent after reboot, nor to install a rootkit. cheers, Jamie On 16/06/07, kladizkov.thehome <kladizkov.thehome () gmail com> wrote:
Hi, My firewall LFD, pulled out three perl scripts from /tmp. It was found to be executing in my server. I have attached the scripts along with this mail. Is this issue familiar to anyone? How can a script uploaded to /tmp be executed when it has noexec privilege? ------------------------------------------------------------------------- This list sponsored by: SPI Dynamics ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
-- Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------- This list sponsored by: SPI DynamicsALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper It's as simple as placing additional SQL commands into a Web Form input box giving hackers complete access to all your backend systems! Firewalls and IDS will not stop such attacks because SQL Injections are NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!
https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E --------------------------------------------------------------------------
Current thread:
- Re: Suspicious files in /tmp, (continued)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Robin Sheat (Jun 19)
- Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
- RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
- RE: Suspicious files in /tmp kaneda (Jun 21)
- Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
- Re: Suspicious files in /tmp Cy Schubert (Jun 21)