Security Incidents mailing list archives

Re: Systems compromised with ShellBOT perl script - part 2


From: Harry de Grote <rik.bobbaers () cc kuleuven ac be>
Date: Wed, 20 Oct 2004 17:59:57 +0200

On Wednesday 20 October 2004 07:04, security () kemhosting com wrote:
> This thread is a couple months old, but I'm having issues with this hack,
> found it in the archives and thought it'd be helpful if I 'resuscitated' it.
> See bottom of email for rest of thread.
>
> Today, hackers used the ShellBOT perl script to bring down Apache and start
> up their IRC listener.  They (somehow) copied it into /tmp and executed it.
> This confuses me because I have my /tmp directory mounted
> rw,noexec,nosuid. Does Perl somehow bypass this?

try doing this in your no-exec /tmp: /lib/ld-linux.so.2 /bin/bash
(should work if you have a 2.4 kernel, not in 2.6 anymore)

that's just 1 way to bypass the noexec flag

> While the script was running, I ran lsof and found that it had recursively
> accessed all my (virtual host) httpd logs (probably in an attempt to delete
> its tracks = the reason I can't see how they copied the script into /tmp)
> which are owned by root.  This is also confusing since the process the
> script spawned was owned by user apache.
>
> Some info on my box:
> Redhat ES kernel 2.4.21-9.0.1.ELsmp
> httpd-2.0.46-32.ent
> php-4.3.2-11.ent
>
> Anyone have any ideas on how this can happen?  Mainly the executing of a
> script on a noexec mount!  Obviously I'm not a guru, so it's probably
> something simple - so please, share!

there are, as you can see, easy ways to bypass that... :)

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50
Rik.Bobbaers () cc kuleuven ac be -=- http://harry.ulyssis.org

"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
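Added example (not from this thread or either of its authors): the original poster relied on rw,noexec,nosuid for /tmp, so a defender's first check is whether the scratch directories an attacker can write to actually carry noexec, nosuid and nodev. The POSIX shell script below parses /proc/mounts-style lines and reports which of those options are missing for /tmp, /var/tmp and /dev/shm; the SAMPLE_MOUNTS lines are constructed for the demonstration, and the function names are this example's own. The caveat it encodes is a kernel fact rather than something the thread states: noexec only stops a file from being exec()ed directly, while an interpreter such as perl reads the script as ordinary data, so the option narrows what a writable /tmp is good for but does not by itself prevent a dropped script from running.

```shell
#!/bin/sh
# Added example, not part of the thread: audit the mount options of the
# world-writable scratch directories an attacker can drop files into.
# It parses /proc/mounts-style lines and reports which of noexec, nosuid
# and nodev are missing. Caveat: noexec only stops the kernel from
# exec()ing a file directly; an interpreter such as perl reads the script
# as data, so the option narrows, but does not close, what a writable
# /tmp can be used for.

# Constructed sample in /proc/mounts format (not from any real host).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
/dev/sda4 /var/tmp ext3 rw,nodev,nosuid,noexec 0 0'

# has_opt OPTS OPT: succeed if the comma-separated OPTS list contains OPT.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_opts MOUNTS MOUNTPOINT: print the hardening options not set on
# MOUNTPOINT (space separated, empty when all are set), or NOT_MOUNTED when
# the path is not its own mount and simply inherits the parent's options.
missing_opts() {
    mounts="$1"; mp="$2"
    # The last matching line wins: a later mount shadows an earlier one.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }' | tail -n 1)
    if [ -z "$opts" ]; then
        printf 'NOT_MOUNTED'
        return 0
    fi
    out=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || out="$out $want"
    done
    printf '%s' "${out# }"
}

# audit MOUNTS: one report line per scratch directory.
audit() {
    for dir in /tmp /var/tmp /dev/shm; do
        m=$(missing_opts "$1" "$dir")
        case "$m" in
            "")          printf '%s: OK (noexec,nosuid,nodev)\n' "$dir" ;;
            NOT_MOUNTED) printf '%s: not a separate mount, inherits options of its parent\n' "$dir" ;;
            *)           printf '%s: missing %s\n' "$dir" "$m" ;;
        esac
    done
}

# Report on the sample, then on the live system when /proc/mounts is readable.
audit "$SAMPLE_MOUNTS"
if [ -r /proc/mounts ]; then
    echo "--- live system ---"
    audit "$(cat /proc/mounts)"
fi
```

On the constructed sample this reports /tmp as missing nodev, /dev/shm as missing all three, and /var/tmp as fully hardened; a directory that is not its own mount is flagged separately, since it silently inherits whatever the parent filesystem was mounted with.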

