Re: [sec] Re: Strange segmentation faults and Zombies
On 18 Sep 2003 at 15:02, Markus Schabel wrote:
> Christian Storch wrote:
> > The problem is starting >>before<<
>
> I think all the things >>before<< phpshell.php are done via
> phpshell.php and the things you can see in the .bash_history
> are only the things after he already got in.
>
[...]
> > - known unclosed security hole?
>
> It seems that it was possible to upload & execute .php-files somewhere
> (phpshell.php)
Maybe a directory-traversal thing when using a certain form provided
on a webpage to upload files? Check your scripts. It's quite easy to
open such security holes - be careful with file uploads.
Stefan
> > -----Original Message-----
> > From: Markus Schabel [mailto:markus.schabel@tgm.ac.at]
> > Sent: Thursday, September 18, 2003 12:23 PM
> > To: debian-security@lists.debian.org
> > Subject: Re: [sec] Re: Strange segmentation faults and Zombies
> >
> > maximilian attems wrote:
> >
> >>On Thu, 18 Sep 2003, Christian Storch wrote:
> >>
> >>
> >>
> >>>Don't forget to try to find the potential hole first!
> >>>Otherwise you could have a fast recurrence.
> >>>[..]
> >>>
> >>>
> >>>>>in /etc/.rpn there's a .bash_history with the following content:
> >>>>>
> >>>>>
> >>>>>>id
> >>>>>>mkdir /etc/.rpn
> >>>>>>ps -aux
> >>>>>>ps -aux | grep tbk
> >>>>>>kill -15292 pid
> >>>>>>kill 15292
> >>>>>>netconf
> >>>>>>locate httpd.conf
> >>>>>>cd /etc/.rpn
> >>>>>>ls -al
> >>>>>>wget
> >>>>>>cd /var/www/cncmap/www/upload/renegade
> >>>>>>ls -al
> >>>>>>rm -rf phpshell.php
> >>
> >> ^__________^
> >>was this the exploited hole ?
> >
> >
> > I think so. In fact the problem is that it got there...
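
An added example, not part of the thread: a PHP upload handler that guards against the two holes guessed at above, directory traversal through the client-supplied file name and uploaded .php files ending up executable under the web root. The storage path, the extension allowlist and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: uploads are stored outside the web root, in a directory
// the web server never hands to the PHP interpreter.
const UPLOAD_DIR  = '/var/lib/app-uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'zip'];

/** Turn a client-supplied file name into a safe stored name, or null. */
function safe_upload_name(string $clientName): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null;                      // NUL byte in the name
    }
    // Drop every directory component, for both / and \ separators.
    $base = basename(str_replace('\\', '/', $clientName));
    // Conservative character set; no leading dot, bounded length.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/', $base)) {
        return null;
    }
    // Check every dot-separated suffix, not only the last one: Apache's
    // mod_mime can treat "shell.php.jpg" as PHP depending on its config.
    $parts = explode('.', strtolower($base));
    array_shift($parts);
    if ($parts === []) {
        return null;                      // no extension at all
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXT, true)) {
            return null;
        }
    }
    // Random prefix so one upload cannot overwrite another.
    return bin2hex(random_bytes(8)) . '_' . $base;
}

/** Store one entry of $_FILES; returns the stored path or null. */
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name((string) $file['name']);
    if ($name === null) {
        return null;
    }
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() only accepts files PHP itself received via POST.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample names, including the file name seen in the thread.
foreach (['photo.jpg', '../../www/phpshell.php', 'shell.php.jpg', '..\\..\\x.png'] as $n) {
    printf("%-26s => %s\n", $n, safe_upload_name($n) ?? 'REJECTED');
}
```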