|
Home > Archive > Red Hat General > January 2004 > Need help to identify (apache?) exploit...
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Need help to identify (apache?) exploit...
|
|
| Jason Vance 2004-01-23, 6:56 pm |
| My Related URL References:
[http://www.webhostingtalk.com/showt...threadid=169024] and
[http://www.experts-exchange.com/Sec...Q_20691048.html]
I need help identifying an unknown exploit of some kind that allowed a
remote attacker to gain control of the apache user, and compile a back door
program in the /tmp directory (
http://www.myxpls.hpg.com.br/exploit/locais/bd.c) found in error_log here:
--error_log snippet--
sh: option `-c' requires an argument
--20:06:54-- http://www.myxpls.hpg.com.br/exploit/locais/bd.c
=> `bd.c'
Resolving www.myxpls.hpg.com.br... done.
Connecting to www.myxpls.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,828 [text/plain]
0K . 100% 1.74
MB/s
20:06:54 (1.74 MB/s) - `bd.c' saved [1828/1828]
bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer
--error_log snippet--
When I stepped in the user was running the backdoor as the apache user in
memory disguised as httpd and further re-ran the backdoor program
(/tmp/localroot) and (/tmp/ptrace) shown from 'ps waux' below:
apache 32744 0.0 0.0 1364 272 ? S Jul25 0:00 ./ptrace
apache 32767 98.6 0.0 1348 288 ? R Jul25 378:36 ./localroot
apache 317 0.0 0.0 1348 296 ? S Jul25 0:00 httpd
I thought I was all about security until this happened. I was up2date,
firewalled, all services/ports not being used I've turned off, CGI suexec'd,
php_safe_mode=true, etc... before this happened.
I've looked for .bash_history files, scanned apache logs ( both SSL and
error_logs and client access_logs ), /var/log/messages, recently uploaded
client files, recently added files to the system, recently modified system
files, etc... for anomolies ( SEGFAULTs, SIGHUPs, PHP, forum board abuse ),
and compared md5sum of system binaries with uninfected systems all for
naught! The only pieces of information I have of how this exploit occurred
was in the apache error_log snippet above.
Does anyone have experience with this sort of thing?
| |
|
| "Jason Vance" <jason@vancetech.com> wrote in message
news:vij80qa91u2845@corp.supernews.com...
quote:
> Does anyone have experience with this sort of thing?
Excellent post, what exactly do you want help with. I'll admit I've not checked
your related links, but if you define what exactly the problem is atmo others
may be able to help. What OS, Apache version would be a good start. Depending on
how important the box is, I'd be up all night rebuilding if it were me. Rebuild
= format.
|
|
|
|
|