
Re: [suse-security] perl script drop



Gerhard Stegmann wrote:
> hi there
> i have 2.4.20 with apache 1.3.26 and mod_php 4.2.2
>
> somehow it was possible for a guy, to drop a file /tmp/.ps on the machine, and to start perl on that file
> #>ps ax
>
> 1234 perl /tmp/.ps
>
> the file was created under wwwrun.www - ownership, which tells me that apache created it.
> the script just listens for incoming connections on p 4098, and opens a shell if the correct password is entered.
>
> is this issue known to someone here ?

Is your Server SSL-enabled? Many exploits for unpatched mod_ssl/ssl in
general are out and used. It's a normal practice to upload a script
and run it on the remote server to gain a shell (as wwwrun, then
use exploits like the ptrace bug to gain root). SSL and Chunked Transfer
Encoding bugs can be a door for you (old apache). Did you run Online
Update or fou4s recently? Use chkrootkit (www.chkrootkit.org) to check
for rootkits and other compromises, mark the server as no longer
trusted in your head, and schedule the server for a reinstallation.

HTH,
Sven
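
Added example, not part of either poster's message: a shell filter that flags the pattern reported in this thread, an interpreter started by the web server account on a script in a world-writable directory. The account list, directory list, interpreter list and the sample `ps` lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Flag interpreters run by the web server account on scripts in temp dirs,
# e.g. "perl /tmp/.ps" owned by wwwrun as reported in the thread.
WEB_USERS="${WEB_USERS:-wwwrun}"                 # assumption: account(s) Apache runs as
TMP_DIRS="${TMP_DIRS:-/tmp /var/tmp /dev/shm}"   # assumption: world-writable dirs to watch

# stdin: lines in "ps -eo user,pid,args" format
# stdout: "pid user reason command" for each suspicious process
find_dropped_scripts() {
    awk -v users="$WEB_USERS" -v dirs="$TMP_DIRS" '
    BEGIN { nu = split(users, u, " "); nd = split(dirs, d, " ") }
    NR == 1 && $1 == "USER" { next }             # skip the ps header line
    {
        web = 0
        for (i = 1; i <= nu; i++) if ($1 == u[i]) web = 1
        if (!web) next
        n = split($3, p, "/"); interp = p[n]     # /usr/bin/perl -> perl
        if (interp !~ /^(perl|python[0-9.]*|sh|bash|php|ruby)$/) next
        for (a = 4; a <= NF; a++) {
            for (i = 1; i <= nd; i++) {
                if (index($a, d[i] "/") == 1) {  # argument lives under a temp dir
                    m = split($a, q, "/")
                    reason = (substr(q[m], 1, 1) == ".") ? "hidden-script-in-tmp" : "script-in-tmp"
                    cmd = $3; for (k = 4; k <= NF; k++) cmd = cmd " " $k
                    print $2, $1, reason, cmd
                    next
                }
            }
        }
    }'
}

# Constructed sample input (not taken from the affected machine).
sample_ps() {
cat <<'EOF'
USER       PID COMMAND
root         1 init [3]
wwwrun     812 /usr/sbin/httpd -f /etc/httpd/httpd.conf
wwwrun    1234 perl /tmp/.ps
wwwrun    1300 /usr/bin/perl /srv/www/cgi-bin/form.pl
alice     1410 perl /tmp/report.pl
EOF
}

sample_ps | find_dropped_scripts
# Live use: ps -eo user,pid,args | find_dropped_scripts
```

A hit only shows what is running now; it does not replace the rootkit check and reinstallation advised in the reply above.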



