Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] perl script drop
  • From: Sven 'Darkman' Michels <sven@xxxxxxxxxx>
  • Date: Mon, 12 May 2003 13:19:04 +0200
  • Message-id: <3EBF8328.6070307@xxxxxxxxxx>
Gerhard Stegmann wrote:
> hi there
> i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2
>
> somehow it was possible for a guy to drop a file /tmp/.ps on the machine, and to start perl on that file
> #>ps ax
>
> 1234 perl /tmp/.ps
>
> the file was created under wwwrun.www - ownership, which tells me that apache created it.
> the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.
>
> is this issue known to someone here?

Is your server SSL-enabled? Many exploits for unpatched mod_ssl/SSL in
general are out and used. It's a normal practice to upload a script
and run it on the remote server to gain a shell (as wwwrun, then
use exploits like the ptrace bug to gain root). SSL and Chunked Transfer
Encoding bugs can be a door for you (old apache). Did you run Online
Update or fou4s recently? Use chkrootkit (www.chkrootkit.org) to check
for rootkits and other compromises, mark the server as no longer
trusted in your head, and schedule the server for a reinstallation.

HTH,
Sven
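
A triage check for the two indicators described in this thread (a process owned by the web server account running a file from /tmp, and a listening socket on a port the web server should not own), added here as an example and not part of either poster's message. The uid 30 for wwwrun, the allowed ports, and all sample data are assumptions constructed for illustration; on a live host the inputs would come from /proc/net/tcp and `ps -eo user,pid,args`.

```python
import re

WEB_UID = 30                # assumption: numeric uid of wwwrun on this host
EXPECTED_PORTS = {80, 443}  # assumption: ports the web server may listen on
TCP_LISTEN = "0A"           # state code for LISTEN in /proc/net/tcp
TEMP_PATH = re.compile(r"(?:^|\s)(/(?:tmp|var/tmp|dev/shm)/\S+)")

# Constructed sample in /proc/net/tcp layout (0x1002 == 4098, 0x0050 == 80).
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:1002 00000000:0000 0A 00000000:00000000 00:00000000 00000000    30        0 4711
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1150
   3: 0A00000A:0050 0A000014:C350 01 00000000:00000000 00:00000000 00000000    30        0 4802
"""
# Constructed sample in `ps -eo user,pid,args` layout.
SAMPLE_PS = """\
USER       PID COMMAND
root       812 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun     845 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    1234 perl /tmp/.ps
"""

def unexpected_listeners(proc_net_tcp, uid=WEB_UID, allowed=EXPECTED_PORTS):
    """Return (port, inode) for LISTEN sockets owned by uid on ports outside allowed."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != TCP_LISTEN or int(f[7]) != uid:
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)      # local port is hex after the colon
        if port not in allowed:
            hits.append((port, int(f[9])))
    return hits

def temp_dir_processes(ps_output, user="wwwrun"):
    """Return (pid, path) for processes of user whose command line names a temp-dir file."""
    hits = []
    for line in ps_output.splitlines()[1:]:         # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0] != user:
            continue
        m = TEMP_PATH.search(parts[2])
        if m:
            hits.append((int(parts[1]), m.group(1)))
    return hits

if __name__ == "__main__":
    print(unexpected_listeners(SAMPLE_TCP), temp_dir_processes(SAMPLE_PS))
```

The inode returned for a listener can be matched against the `socket:[inode]` links under /proc/<pid>/fd to tie the socket to a process.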



