| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue May 10 22:57:57 2005 From: adrian at senn.ch (Adrian Senn) Subject: Another exploit against apache or kernel Hello together Since some weeks we have an intruder which is exploiting us and poisoning us with the Virus Unix/RST.A I found now how it happens at it isn't clear to me what he is doing. I found in the apache log file some interesting strings. Repeating entries as this ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-" and sometimes this one ip-hide - - [10/May/2005:19:58:20 +0200] "f\x0e\xbcQ\xc4k\x01\xe4l\x02]\xbe\xbaye\x96\x87\xa5\xfc#\xc5\x17f\x0e\xbcQ\xc4k\x01\xe4l\x02]\xbe\xbaye\x96\x87\xa5\xfc#\xc5\x17" 200 11466 "-" "-" I had the possibility to made a tcpdump of this session of the cracker. It doesn't initiate a normal http session. After the treeway handshake he is sending (HTTP: Continuation or non-HTTP traffic") 0000: 0B A5 E5 29 28 DD B7 7C D5 AD 26 D7 39 00 7E E1 ...)(..|..&.9.~. 0010: D7 CE 46 BA C5 11 ..F... After this, our server is also initiating a session from an non privileged Port to an unprivileged port on the other side. He is also sending this string 0000: 66 0E BC 51 C4 6B 01 E4 6C 02 5D BE BA 79 65 96 f..Q.k..l.]..ye. 0010: 87 A5 FC 23 C5 17 ...#.. after this the server is answering with a 200 message. I don't have any idea why our server is opening a separate session to the crackers ip. Could this to be an exploit against the kernel or php? I made last week a change from the older apache 1.3.26 to 1.3.33 but the problem remains. Could this also probably be an rootkit which is answering? Kind regards Adrian Senn
Powered by blists - more mailing lists