Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] perl script drop
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Mon, 12 May 2003 13:19:04 +0200
  • Message-id: <3EBF8328.6070307@xxxxxxxxxx>
Gerhard Stegmann wrote:
> hi there
> i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2
>
> somehow it was possible for a guy, to drop a file /tmp/.ps on the machine, and to start perl on that file
> #>ps ax
>
> 1234 perl /tmp/.ps
>
> the file was created under wwwrun.www - ownership, which tells me that apache created it.
> the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.
>
> is this issue known to someone here ?

Is your server SSL-enabled? Many exploits for unpatched mod_ssl/ssl in
general are out and used. It's a normal practice to upload a script
and run it on the remote server to gain a shell (as wwwrun, then
use exploits like ptrace bug to gain root). SSL and Chunked Transfer
Encoding bugs can be a door for you (old apache). Did you run Online
Update or fou4s recently? Use chkrootkit ( to check
for rootkits and other compromises and mark the server as no longer
trusted in your head and schedule the server for a reinstallation.
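
A triage check for the symptom described in this thread, as an added example that is not part of either post: it filters `ps -eo user,pid,args` output for interpreter processes owned by the web server account that run a script from a world-writable directory. The `wwwrun` account and the `/tmp/.ps` line come from the thread; the interpreter list, the directory list and the other sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag web-server-owned interpreter processes whose arguments
# point into world-writable directories. Input format: ps -eo user,pid,args

# Constructed sample input (not real output); PID 1234 mirrors the post.
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root         1 init [3]
wwwrun     812 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    1234 perl /tmp/.ps
wwwrun    1301 /usr/bin/perl -w /srv/www/cgi-bin/form.pl
gerhard   1410 perl /tmp/report.pl
wwwrun    1522 sh -c /var/tmp/x.sh
EOF
}

# flag_suspects WEBUSER: reads ps lines on stdin, prints "PID REASONS ARGS".
flag_suspects() {
    awk -v webuser="$1" '
    NR == 1 && $1 == "USER" { next }      # skip the ps header line
    $1 != webuser { next }                # only the web server account
    {
        cmd = $3; sub(/.*\//, "", cmd)    # basename of the executable
        # Assumed interpreter list; extend for the host in question.
        if (cmd !~ /^(perl|python[0-9.]*|sh|bash|ruby|php)$/) next
        reasons = ""
        for (i = 4; i <= NF; i++) {
            # Assumed world-writable locations.
            if ($i ~ /^(\/tmp|\/var\/tmp|\/dev\/shm)\//) {
                reasons = "world-writable-dir"
                base = $i; sub(/.*\//, "", base)
                if (base ~ /^\./) reasons = reasons ",hidden-file"
                break
            }
        }
        if (reasons == "") next
        args = $3
        for (i = 4; i <= NF; i++) args = args " " $i
        print $2, reasons, args
    }'
}

# Live use on a host: ps -eo user,pid,args | flag_suspects wwwrun
sample_ps | flag_suspects wwwrun
```

A process can rewrite its own argument list, so an empty result does not clear the host; it only narrows where to look first.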

