Date: Fri, 29 Apr 2005 14:49:42 -0700 (PDT)
From: "Jay D. Dyson" <jdyson@...achery.net>
To: Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Apache hacks (./atac, d0s.txt)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 29 Apr 2005, Andrew Y Ng wrote:

> My server has been seeing some usual activities today, I don't have much 
> time to get down to the bottom of things, but after I investigated 
> briefly I have decided to disable PERL executable permission for 
> www-data (Apache process's user), also locked /var/tmp so www-data 
> cannot write to it.
>
> Looks like it ignores all the `kill` signals, not sure how I can 
> actually kill it...

 	Seems a bit premature to call this an "Apache hack."  First off, 
it's probably not Apache's fault.  Judging from what I've seen thus far, 
it looks more like a flaw in one of your CGI scripts which allowed someone 
to create and execute an arbitrary file in one of the system's most 
obvious world-writable directories.

 	From what I've seen, the script looks like a vanilla, PERL-based 
IRC bot.  You should be able to kill -9 it via root.

 	Either way, your system got molested.  Take the box offline, back 
up your data, audit your CGI scripts and access policies for flaws and 
weaknesses, scrub the system, reinstall the OS from trusted media, apply 
all the latest patches, bring the box back online, and have a nice day.

- -Jay

    (    (                                                      _______
    ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
  C|~~|C|~~| \----- Jay D. Dyson -- jdyson@...achery.net -----/ |    = |-'
   `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFCcqv9xzN3WIW0edsRAiVfAKCACT2YlymlkBvDuhMVCHY2zqubOwCffTZm
ZzGeGHgc8KpjDCUx33zhtPg=
=xvyc
-----END PGP SIGNATURE-----
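
Added triage example, not part of the original message: a shell function that lists processes running under the web server's UID whose working directory or executable sits in a world-writable directory, the pattern the reply describes. The function names, the directory list and the optional proc-root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Reads exe and cwd from a /proc-style tree instead of the
# command line, because a process can change the name that ps displays.

# True when the path lies in one of the usual world-writable directories
# (assumed list; extend it for the system being examined).
in_world_writable() {
    case "$1" in
        /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*) return 0 ;;
    esac
    return 1
}

# suspect_web_procs <uid> [proc_root]
# Prints one line per hit: "<pid> exe=<path> cwd=<path>"
suspect_web_procs() {
    uid=$1
    root=${2:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # The real UID is the first number on the "Uid:" line.
        puid=$(awk '$1 == "Uid:" { print $2; exit }' "$dir/status")
        [ "$puid" = "$uid" ] || continue
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=unreadable
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=unreadable
        hit=0
        if in_world_writable "$cwd" || in_world_writable "$exe"; then
            hit=1
        fi
        # A file unlinked after launch shows up with a "(deleted)" suffix.
        case "$exe" in
            *" (deleted)") hit=1 ;;
        esac
        if [ "$hit" -eq 1 ]; then
            echo "${dir##*/} exe=$exe cwd=$cwd"
        fi
    done
    return 0
}
```

On the live system, run it as root with `suspect_web_procs "$(id -u www-data)"`; other users' exe and cwd links are not readable without privilege.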

