[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Server hacked - next...?

On Sun, Jun 29, 2003 at 09:47:13PM +0800, Jason Lim wrote:
> The user CGIs run as the user's UID... suexec.

suexec doesn't run PHP suid the owner, unless you're using php-cgi. By
default, PHP is incredibly insecure. If a user is using an insecure PHP
application (or any other insecure CGI application, I use PHP as an
example due to the preponderance of administrators who do not realize
this), they can run arbitrary commands as that user with relatively
little work, and as such gain shell access.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

find / -uid 0 -perm 0400

You will need to use a known-good copy of the `find' command. Copy it to
the machine via sneakernet (by floppy) and run it locally. Even then,
there's little gaurantee the command is not being tampered with while

> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux

You have few options now by now but to do a complete reinstall. There is
no intermediate step when a machine has been breeched.

I mention PHP above because...

Briefly looking at your previous posts, it would appear that the machine
was taken via the  `www-data' user, suggesting either an Apache exploit,
or an application running as the http daemon (the www-data user), which
was not being run under suexec.

>From there, considering that you were (if I am recalling correctly)
running a 2.4.17 kernel, which has a few known local root exploits
(again, if I am recalling this correctly); I don't believe you mention
if you are using Debian kernel packages, or vanilla source, or patched
source. However, the attack vector seems relatively clear:

Web app/server (if you're running stable, that would be 1.3.26. If you
are indeed keeping up with security updates, it should be patched
against the known Apache remote exploits), to shell, to kernel or suid
buffer overflow or something of that nature. From that point, they have
root access. And don't bother hiding themselves at all, which is lucky
for you, really.

Of course, all of the above is simply a hypothesis based on incomplete
information, but...

I would suggest taking a look at what CGI you or your customers are
running, and searching the web for known security issues with them.
Cyberpunk is dead.  Long live cyberpunk.

Reply to: