hi there

i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2

somehow it was possible for a guy, to drop a file /tmp/.ps on the machine, and to start perl on that file

#>ps ax
1234 perl /tmp/.ps

the file was created under wwwrun.www - ownership, which tells me that apache created it. the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.

is this issue known to someone here ?

thanks, gerhard

the script :
---------------------------------->8--------------
<<.ps>>
~~~~~~~~~~~~~~~~~~~~~~

Gerhard Stegmann wrote:
hi there i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2
somehow it was possible for a guy, to drop a file /tmp/.ps on the machine, and to start perl on that file
#>ps ax
1234 perl /tmp/.ps
the file was created under wwwrun.www - ownership, which tells me that apache created it. the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.
is this issue known to someone here ?

Is your Server SSL-enabled? Many exploits for unpatched mod_ssl/ssl in general are out and used. It's a normal practice to upload a script and run it on the remote server to gain a shell (as wwwrun, then use exploits like ptrace bug to gain root). SSL and Chunked Transfer Encoding bugs can be a door for you (old apache). Did you run Online Update or fou4s recently?

Use chkrootkit (www.chkrootkit.org) to check for rootkits and other compromises and mark the server as no longer trusted in your head and schedule the server for a reinstallation.

HTH,
Sven

participants (2)
- Gerhard Stegmann
- Sven 'Darkman' Michels
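
The symptom reported in this thread (an interpreter started by the web-server account on a hidden file in /tmp) can be checked for across the whole process table. The following is an added triage example, not code from either poster; the account names other than wwwrun, the interpreter list and the sample process lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added triage example (not from the thread). Reads lines in the layout of
# `ps -eo user,pid,args` and reports interpreter processes that run under a
# web-server account with a script argument in a world-writable directory.

# Accounts treated as web-server users. wwwrun is the one named in the
# thread; the others are assumptions for other distributions.
WEB_USERS="wwwrun www-data apache nobody"

flag_suspect_procs() {
    awk -v users="$WEB_USERS" '
    BEGIN {
        n = split(users, u, " ")
        for (i = 1; i <= n; i++) web[u[i]] = 1
    }
    # Skip the ps header line and anything not owned by a web account.
    $1 == "USER" || !($1 in web) { next }
    {
        # Field 3 is the executable; strip any directory part.
        exe = $3
        sub(/^.*\//, "", exe)
        if (exe !~ /^(perl|python|php|ruby|sh|bash|ksh)[0-9.]*$/) next
        for (i = 4; i <= NF; i++) {
            if ($i ~ /^\/(tmp|var\/tmp|dev\/shm)\//) {
                base = $i
                sub(/^.*\//, "", base)
                note = (base ~ /^\./) ? "hidden-file" : "visible-file"
                printf "%s %s %s %s %s\n", $2, $1, exe, $i, note
            }
        }
    }'
}

# Constructed sample input; the wwwrun/perl line mirrors the one in the post.
sample_ps() {
    cat <<'EOF'
USER       PID COMMAND
root         1 init [3]
wwwrun     801 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    1234 perl /tmp/.ps
wwwrun    1301 /usr/bin/perl /srv/www/cgi-bin/form.pl
gerhard   2200 perl /tmp/report.pl
wwwrun    1402 /bin/sh /var/tmp/run.sh
EOF
}

# Live use: ps -eo user,pid,args | flag_suspect_procs
sample_ps | flag_suspect_procs
```

Each output line gives PID, owner, interpreter, script path and whether the file name is hidden. A hit is a lead for further investigation on a host that, as the reply says, should already be treated as untrusted.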