Security Incidents mailing list archives

Re: Suspicious files in /tmp

From: "Jamie Riden" <jamie.riden () gmail com>
Date: Mon, 18 Jun 2007 18:08:19 +0100

Hi there,

It looks like the bot exploits a remote file include in
mosConfig_absolute_path - I think this would be Mambo or a component
of Mambo. It looks a lot like a compromise attempt I saw a year or so
back - http://infosecwriters.com/texts.php?op=display&id=416  [pdf,
sorry].

In the one I saw, initially, the mosConfig_absolute_path vulnerability
was exploited to drop and execute a connect-back shell. (Cb.pl and
cback seem to be connect back shells of the same type as I saw.) In
mine, the connect back shell immediately downloaded a perl bot which
had similar spreading code in it to your 'bot' file. (ie. search
google for potentially vulnerable Mambo installs and attempt to
exploit them.)

Have you ever had Mambo on this box? Try grepping your apache logs for
'mosConfig_absolute_path=http'

If it's any consolation, in the one I saw, they didn't bother to make
the bot persistent after reboot, nor to install a rootkit.

cheers,
Jamie

On 16/06/07, kladizkov.thehome <kladizkov.thehome () gmail com> wrote:

Hi,

My firewall LFD, pulled out three perl scripts from /tmp. It was found
to be executing in my server. I have attached the scripts along with
this mail. Is this issue familiar to anyone?

How can a script uploaded to /tmp be executed when it has noexec privilege?


-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White Paper
It's as simple as placing additional SQL commands into a Web Form input box
giving hackers complete access to all your backend systems! Firewalls and IDS
will not stop such attacks because SQL Injections are NOT seen as intruders.
Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!


--
Jamie Riden, CISSP / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: .How a Hacker Launches a SQL Injection Attack!.- White PaperIt's as simple as placing additional SQL commands into a Web Form input boxgiving hackers complete access to all your backend systems! Firewalls and IDSwill not stop such attacks because SQL Injections are NOT seen as intruders.Download this *FREE* white paper from SPI Dynamics for a complete guide to protection!

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000Cn8E
--------------------------------------------------------------------------

Current thread:

Re: Suspicious files in /tmp, (continued)
- - Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
  - Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
  - Re: Suspicious files in /tmp Robin Sheat (Jun 19)
    - Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
    - RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
    - RE: Suspicious files in /tmp kaneda (Jun 21)
    - Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
  - Re: Suspicious files in /tmp Remko Lodder (Jun 21)
    - Re: Suspicious files in /tmp Cy Schubert (Jun 21)
- Re: Suspicious files in /tmp Jamie Riden (Jun 18)
- Re: Suspicious files in /tmp Jamie Riden (Jun 18)
- Re: Suspicious files in /tmp Juha-Matti Laurio (Jun 19)