| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0323F56F2584C41C3F9C942D@utd71538.utdallas.edu> Date: Mon, 05 Dec 2011 12:13:50 -0600 From: Paul Schmehl <pschmehl_lists@...rr.com> To: Christophe Garault <letoff@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: one of my servers has been compromized --On December 5, 2011 1:48:24 PM +0100 Christophe Garault <letoff@...il.com> wrote: >> > Having your /tmp partition with noexec,nosuid is also considered a good > practice. That's not a bad generic suggestion, but it won't do a thing for this hack. They deposit perl scripts in /tmp/.m and then run them by calling perl, which is not in tmp. This is a very common hack of a poorly written web application. I doubt seriously that the "box" has been hacked - only the webserver is affected - especially based on his description of how he found and got rid of its elements. (IOW, they didn't get root on the box - they only compromised the web application and then ran shells in perl off of that.) -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson "There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists