Security Incidents mailing list archives

Re: backdoor or bot?


From: Mark Collins <me () THISISNURGLE ORG UK>
Date: Thu, 28 Dec 2000 21:59:05 -0800

you list mysql as an OK user...

MySQL includes a command to execute files (EXEC I think, but don't quote me
on that).

If there is a web form that inserts data into a table, for example (or
selects), you can force the command to execute prematurely with \q and then
stick some funky stuff like this:

\q%23EXEC nastyd\q

into the web form. That process would be run as MySQL user (whoever that may
be) so your script would consider that to be ok. Of course, you need to get
the nasty process there in the first place.

If you do get a shell account, that's even easier. I know for a fact that
the mysql command allows the EXEC command, and the processes do spawn from
the mysql daemon (well, they did when I tried a while ago).

(Disclaimer: I've never actually tried this, and I don't have MySQL
installed on my Linux box... I'm a game programmer, not a database
developer...)

The Infamous Mark 'Nurgle' Collins
Lead Author - 'Linux Game Programming'
----- Original Message -----
From: Mark Symonds <mark () SYMONDS NET>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, December 27, 2000 11:29 PM
Subject: Re: backdoor or bot?



... example OKu file:

mysql
root
www-data
daemon

Does anyone know of an easy way to thwart this?
Surely there are many.

--
Mark
(jr. sysadmin for hire!)
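
The gap raised in the reply above (a process owned by a listed service account passes an owner-only check) can be narrowed by also checking which binary each service account is running. This is an added example, not code from either poster; the `ps` sample is constructed, and the binary paths and the `EXPECTED` mapping are assumptions.

```python
# Constructed sample of `ps -eo user,pid,ppid,args` output (not from the thread).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 /sbin/init
mysql      412     1 /usr/sbin/mysqld --user=mysql
mysql      977   412 /tmp/nastyd
www-data   530     1 /usr/sbin/apache2 -k start
www-data   988   530 /bin/sh -i
daemon     301     1 /usr/sbin/atd
mark      1200     1 -bash
"""

# User names from the OKu file quoted in the thread.
OK_USERS = {"mysql", "root", "www-data", "daemon"}

# Assumption: the only binaries each service account should run on this host.
# root is left out because it legitimately runs too many programs to list here.
EXPECTED = {
    "mysql": {"/usr/sbin/mysqld"},
    "www-data": {"/usr/sbin/apache2"},
    "daemon": {"/usr/sbin/atd"},
}

def parse_ps(text):
    """Turn ps output into dicts; the header line and short lines are skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "exe": args.split()[0]})
    return rows

def user_only_check(rows):
    """Owner-only check: flag processes whose owner is not in the OK list."""
    return [r["pid"] for r in rows if r["user"] not in OK_USERS]

def user_and_exe_check(rows):
    """Also flag listed service accounts running a binary outside EXPECTED."""
    flagged = []
    for r in rows:
        if r["user"] not in OK_USERS:
            flagged.append((r["pid"], "owner not in OK list"))
        elif r["user"] in EXPECTED and r["exe"] not in EXPECTED[r["user"]]:
            flagged.append((r["pid"], "unexpected binary for " + r["user"]))
    return flagged
```

The command string reported by `ps` can be rewritten by the process itself, so on Linux resolving `/proc/<pid>/exe` gives a more reliable executable path than the `args` column.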


