Full Disclosure mailing list archives
Re: one of my servers has been compromized
From: John Jacobs <flamdugen () hotmail com>
Date: Mon, 5 Dec 2011 12:07:16 -0600
----------------------------------------
Subject: Re: [Full-disclosure] one of my servers has been compromized From: james () zero-internet org uk Date: Mon, 5 Dec 2011 17:36:53 +0000 CC: tim-security () sentinelchicken org; lucio () sulweb org; full-disclosure () lists grok org uk To: flamdugen () hotmail com John, All good thoughts but can we show the server was rooted? In otherwords; instead of an attacker getting root and then adding this to a botnet this way is it not more likely that the original attack added the server in one step to avoid the need to do this?
James, thank you for your response. I agree with you here, I was speaking more along the lines of defense-in-depth and security generalities. In this case I believe a vulnerability in an unpatched/unprotected version of PHPMyAdmin permitted the Apache process to write to /tmp and spawn a process. In my previous experience, including a few vulnerabilities in Roundcube, I've seen a programmatic scan, exploitation, and then wget/dropping of a Perl IRC bot. Of course this is all speculation based on previous experience, I am not looking at lucio's box. The Apache access/error logs should have the offending log entries and/or any output from the system()/exec() etc PHP functions. Lucio -- what user was the IRC bot running under? It's evident that 10.04.1 LTS is certainly out of date and there are a multitude of vulnerabilities that could be leverage for privilege escalation. Lucio, I would also recommend subscribing to the Ubuntu Security-Announce mailing lists which issue the USNs so you are aware of which packages have been patched and those which require a reboot to effect the changes, such as Kernel update. Thanks again for the dialog Tim and James, this exchange is very beneficial and appreciated. James you are correct regarding the shell; I would assume /bin/sh would be pointed to /bin/dash or /bin/bash on a Ubuntu system. I would assume the user's login shell would be /bin/bash. Again, these are all assumptions made on my part and can certainly be incorrect, however, I would hope if someone is using KSH that they would see past the BASHisms of the previous message. Thanks, John _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: one of my servers has been compromized, (continued)
- Re: one of my servers has been compromized Lucio Crusca (Dec 05)
- Re: one of my servers has been compromized Chris M (Dec 05)
- Re: one of my servers has been compromized Christophe Garault (Dec 05)
- Re: one of my servers has been compromized Paul Schmehl (Dec 05)
- Re: one of my servers has been compromized Lucio Crusca (Dec 05)
- Re: one of my servers has been compromized mitchell (Dec 05)
- Re: one of my servers has been compromized Larry W. Cashdollar (Dec 05)
- Re: one of my servers has been compromized Larry W. Cashdollar (Dec 05)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized James Condron (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Lucio Crusca (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized John Jacobs (Dec 05)
- Re: one of my servers has been compromized Guillaume Friloux (Dec 06)
- Re: one of my servers has been compromized Tim (Dec 05)
- Re: one of my servers has been compromized Valdis . Kletnieks (Dec 06)