httpd/mod_php/fileupload & segmentation faults
(I am reposting this because of a wrong In-Reply-To address in the original post - sorry for the inconvenience!)

Hi,

I am new to this list and I have a question concerning possible attacks on a webserver I am maintaining at my university. Regular checks of our logfiles turned up some strange requests coming from various IP addresses over the last week. They usually lasted for half an hour leaving the following entries in our logfiles:

in /var/log/access_log:

xxx.xxx.xxx.xxx - - [01/Jul/2002:19:24:51 +0200] "POST /index.php HTTP/1.1" 200 12781
... (every 5 secs.)

in /var/log/error_log:

[Mon Jul 1 19:24:48 2002] [notice] child pid 877 exit signal Segmentation fault (11)
... (roughly 4000 segfaults altogether)

The machine is running SuSE 7.3 with the following packages that may be related to these events:

nue007:~ # rpm -q --all | grep "apache\|php"
apache-devel-1.3.20-66
mod_php4-core-4.0.6-160
mod_php4-4.0.6-160
phpMyAdmin-2.2.0-21
apache-doc-1.3.20-66
apache-1.3.20-66

Perhaps this is nothing to worry about, but I was not sure and had a look on the internet. I assumed a connection with the PHP file upload vulnerabilities and exploits as discussed in http://www.cert.org/advisories/CA-2002-05.html and http://lists.insecure.org/vuln-dev/2002/Mar/0025.html but thought that these were already patched using the above packages as described in http://www.suse.de/de/support/security/2002_007_mod_php4_txt.html.

Does anybody know if there are other explanations for these segfaults? Am I still vulnerable even after doing regular security updates of all packages? How can I find out if my machine has been hacked?

Perhaps this information is available somewhere on the Internet, but I didn't find anything and am hoping that someone on this list can give me a hint.

Thanks in advance,
Bastian
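The pattern in the logs above (a POST to /index.php every few seconds while httpd children die with signal 11) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from SuSE: it parses the two Apache 1.3 log formats quoted above, lines each request up with any segfault notice logged within a few seconds of it, and reports which clients were active while children crashed. It assumes both logs are written in the same local time (the access_log offset is dropped) and runs on constructed sample lines, not the original server's data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in the two formats quoted in the thread
# (Apache 1.3 common log format and error_log notices); not real traffic.
ACCESS_LOG = """\
192.0.2.10 - - [01/Jul/2002:19:24:51 +0200] "POST /index.php HTTP/1.1" 200 12781
192.0.2.10 - - [01/Jul/2002:19:24:56 +0200] "POST /index.php HTTP/1.1" 200 12781
198.51.100.7 - - [01/Jul/2002:19:30:02 +0200] "GET /index.php HTTP/1.1" 200 12781
"""
ERROR_LOG = """\
[Mon Jul  1 19:24:48 2002] [notice] child pid 877 exit signal Segmentation fault (11)
[Mon Jul  1 19:24:53 2002] [notice] child pid 878 exit signal Segmentation fault (11)
[Mon Jul  1 19:40:00 2002] [notice] child pid 901 exit signal Segmentation fault (11)
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SEGFAULT_RE = re.compile(r'^\[([^\]]+)\] \[notice\] child pid (\d+) exit signal Segmentation fault')

def parse_access(text):
    """Yield (time, client, method, path, status) per common-log-format line.
    The +0200 offset is dropped so times compare with error_log (assumption: same local time)."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, stamp, method, path, status = m.groups()
            ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            yield ts, ip, method, path, int(status)

def parse_segfaults(text):
    """Yield (time, pid) for every 'exit signal Segmentation fault' notice."""
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), int(m.group(2))

def correlate(access_log, error_log, window_s=10):
    """Return (segfault count, Counter of client -> requests logged within
    window_s seconds of any segfault). One client repeatedly POSTing while
    children die is the thread's pattern; a GET far from any fault is ignored."""
    faults = [ts for ts, _ in parse_segfaults(error_log)]
    window = timedelta(seconds=window_s)
    hits = Counter()
    for ts, ip, _method, _path, _status in parse_access(access_log):
        if any(abs(ts - f) <= window for f in faults):
            hits[ip] += 1
    return len(faults), hits
```

Run it against real files by reading /var/log/access_log and /var/log/error_log into the two strings; a client that shows up with a count close to the segfault total is the one whose requests to capture, as Olaf asks below.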
On Wed, Jul 03, 2002 at 10:21:26AM +0200, Bastian Schmick wrote:
Does anybody know if there are other explanations for these segfaults? Am I still vulnerable even after doing regular security updates of all packages?
The security fix we issued should plug the hole. So either you're seeing a different attack, or the patch we issued for 7.3 still has problems. In any case it would be good if you had a trace of what input the attacker was sending to your httpd. Do you?
How can I find out if my machine has been hacked?
Now that's a good question :-) Quite often, rootkits will create directories in places where you usually won't check - subdirectories in /dev, /etc or /bin, for instance (sometimes using funky names like "..." or " "). Some replace syslogd with a trojaned version, or add a line to /etc/inetd.conf. Etc etc.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
--On Wednesday, 3 July 2002 10:31 +0200 Olaf Kirch
[...] The security fix we issued should plug the hole. So either you're seeing a different attack, or the patch we issued for 7.3 still has problems.
In any case it would be good if you had a trace of what input the attacker was sending to your httpd. Do you? [...]
No, I don't, at least unless this happens again. If I can get more details that might be interesting to this list, I will draw your attention to them. Thanks for your help! Bastian.
On Wed, Jul 03, 2002 at 10:31:01AM +0200, Olaf Kirch wrote:
The security fix we issued should plug the hole. So either you're seeing a different attack, or the patch we issued for 7.3 still has problems.
Okay, I went back and checked the patch. There is a problem with the patch distributed by the PHP team. php will crash if someone tries to exploit the file upload bug. This is not exploitable however; php dies trying to dereference a pointer containing the address 0x01. So far, I've verified this problem only with php 4.0.6; PHP 4.1 as shipped with SL 8.0 should not be affected.

Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
--On Wednesday, 3 July 2002 10:51 +0200 Olaf Kirch
[...] Okay, I went back and checked the patch. There is a problem with the patch distributed by the PHP team. php will crash if someone tries to exploit the file upload bug. This is not exploitable however; php dies trying to dereference a pointer containing the address 0x01.
So far, I've verified this problem only with php 4.0.6; PHP 4.1 as shipped with SL 8.0 should not be affected.
Olaf [...]
This seems to clear things up for me - thank you very much! Bastian.