Security Incidents mailing list archives
Re: backdoor or bot?
From: Mark Collins <me () THISISNURGLE ORG UK>
Date: Thu, 28 Dec 2000 21:59:05 -0800
You list mysql as an OK user... MySQL includes a command to execute files (EXEC I think, but don't quote me on that). If there is a web form that inserts data into a table, for example (or selects), you can force the command to execute prematurely with \q and then stick some funky stuff like this:

\q%23EXEC nastyd\q

into the web form. That process would be run as the MySQL user (whoever that may be), so your script would consider that to be OK. Of course, you need to get the nasty process there in the first place. If you do get a shell account, that's even easier. I know for a fact that the mysql command allows the EXEC command, and the processes do spawn from the mysql daemon (well, they did when I tried a while ago).

(Disclaimer: I've never actually tried this, and I don't have MySQL installed on my Linux box... I'm a game programmer, not a database developer...)

The Imfamous Mark 'Nurgle' Collins
Lead Author - 'Linux Game Programming'

----- Original Message -----
From: Mark Symonds <mark () SYMONDS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, December 27, 2000 11:29 PM
Subject: Re: backdoor or bot?

...

example OKu file:

mysql
root
www-data
daemon

Does anyone know of an easy way to thwart this? Surely there are many.

--
Mark (jr. sysadmin for hire!)
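The concern raised in the message above, that a check trusting every process owned by a listed user will pass anything spawned under a service account, as an added example that is not part of the original thread and is not the script being discussed. The process listing, the executable paths and the names `OK_PAIRS`, `audit_by_user`, `audit_by_pair` and `unexpected_children` are constructed for illustration; `nastyd` is the placeholder name used in the message.

```python
from typing import NamedTuple

# Constructed sample in the style of `ps -eo user,pid,ppid,args` (not real output).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 /sbin/init
root       412     1 /usr/sbin/sshd
mysql      530     1 /usr/sbin/mysqld --user=mysql
www-data   611     1 /usr/sbin/apache
mysql      902   530 /tmp/nastyd
jon       1200   412 -bash
"""

class Proc(NamedTuple):
    user: str
    pid: int
    ppid: int
    exe: str

def parse_ps(text):
    """Parse the listing above into Proc records (first token of args = exe)."""
    procs = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 3)
        if len(fields) == 4:
            user, pid, ppid, args = fields
            procs.append(Proc(user, int(pid), int(ppid), args.split()[0]))
    return procs

# The user-only allow-list quoted in the thread ("OKu file").
OK_USERS = {"mysql", "root", "www-data", "daemon"}

# Assumed stricter allow-list: each user may only run these executables.
OK_PAIRS = {("root", "/sbin/init"), ("root", "/usr/sbin/sshd"),
            ("mysql", "/usr/sbin/mysqld"), ("www-data", "/usr/sbin/apache")}

def audit_by_user(procs):
    """Flag processes whose owner is not listed (the check the thread describes)."""
    return [p for p in procs if p.user not in OK_USERS]

def audit_by_pair(procs):
    """Flag processes whose (owner, executable) pair is not listed."""
    return [p for p in procs if (p.user, p.exe) not in OK_PAIRS]

def unexpected_children(procs, daemon_exe):
    """Flag children of a daemon that are not the daemon's own executable."""
    daemon_pids = {p.pid for p in procs if p.exe == daemon_exe}
    return [p for p in procs if p.ppid in daemon_pids and p.exe != daemon_exe]

if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)
    print("user-only check flags:", [p.pid for p in audit_by_user(procs)])
    print("user+exe check flags: ", [p.pid for p in audit_by_pair(procs)])
    print("mysqld children:      ", unexpected_children(procs, "/usr/sbin/mysqld"))
```

The command column of `ps` reflects `argv`, which a process can rewrite, so on Linux a production check would resolve the executable through `/proc/<pid>/exe` rather than trusting the displayed name.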