
[suse-security] Re: Backdoor over http(s)??



On Tue, Jan 13, 2004 at 05:04:11PM +0100, Tobias Weisserth wrote:
> Is this just another compromised machine or the origin? A portscan shows
> several open ports and the machine seems to be a Solaris 8 with an
> estimated uptime of 33 days according to nmap.

Probably just another compromised machine.


> > http://218.234.171.84/manual/.x/

Complete directory listing, very nice ;-)


> I've given them a look. Has anybody ever heard of a "pokemon squadron
> hacking team"?!

No, never heard of it and did not find useful information.


> Do you know how this CGI ended up on the machine? By some Apache exploit
> maybe?

Some known or anonymous FTP account with access to a CGI directory?
Some PHP or CGI script? Mátyás Tibor might not be the only admin on
the machine where he found the stuff. But that is only speculation.


> Can such a CGI do any harm by running as this user? Or are CGI scripts
> run by Apache initiated by another user?

suexec may be used, but if not, the CGI is just executed by the
Apache child process (which is not able to use setuid (again)).


-- 
Stefan Tichy <listuser@xxxxxxxxx>
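An added example, not from the thread and not Stefan Tichy's or Tobias Weisserth's code: a small POSIX shell audit along the lines of the two questions above, how a stray directory like /manual/.x/ might be spotted (hidden directories and entries any local or FTP account could write to), and which account a plain CGI would run as (the Apache User directive, or a SuexecUserGroup if suexec is configured). The directory layout, the file names and the httpd.conf fragment are constructed for the demo and are assumptions, not anything observed on the machine discussed.

```shell
#!/bin/sh
# Added example (not part of the original thread). Audits a web tree for
# hidden directories and world-writable entries, and reads the account CGIs
# would run under from an httpd.conf. All paths and names below are assumed.

# find_hidden_dirs ROOT
#   Print directories under ROOT whose name starts with a dot (such as the
#   ".x" directory under /manual/ mentioned in the thread), one per line.
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' 2>/dev/null | sort
}

# find_world_writable ROOT
#   Print files and directories under ROOT that any local account, including
#   an anonymous FTP user or an upload script, could write to.
find_world_writable() {
    find "$1" -mindepth 1 -perm -0002 2>/dev/null | sort
}

# apache_user CONF
#   Print the account the Apache child processes (and so plain, non-suexec
#   CGIs) run as, from the last "User" directive; "unknown" if none is set.
apache_user() {
    u=$(sed -n 's/^[[:space:]]*User[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | tail -n 1)
    if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'unknown\n'; fi
}

# suexec_enabled CONF
#   Exit 0 if CONF sets a SuexecUserGroup (CGIs under that vhost then run as
#   that account instead of the Apache user), 1 otherwise.
suexec_enabled() {
    grep -Eq '^[[:space:]]*SuexecUserGroup[[:space:]]+' "$1"
}

# demo_setup
#   Build a constructed tree: a hidden ".x" directory holding a CGI, a
#   world-writable cgi-bin (the scenario speculated about in the thread), and
#   an httpd.conf fragment without suexec. Prints the temporary root.
demo_setup() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/htdocs/manual/.x" "$d/htdocs/cgi-bin"
    chmod 755 "$d/htdocs" "$d/htdocs/manual" "$d/htdocs/manual/.x"
    printf '#!/bin/sh\necho Content-type: text/plain\necho\nid\n' > "$d/htdocs/manual/.x/backdoor.cgi"
    chmod 755 "$d/htdocs/manual/.x/backdoor.cgi"   # assumed file name
    chmod 1777 "$d/htdocs/cgi-bin"                 # writable CGI directory
    cat > "$d/httpd.conf" <<'EOF'
# constructed httpd.conf fragment (assumption)
User wwwrun
Group www
DocumentRoot /srv/www/htdocs
EOF
    printf '%s\n' "$d"
}

# Usage: run the audit over the constructed tree.
root=$(demo_setup)
echo "hidden directories:";     find_hidden_dirs "$root/htdocs"
echo "world-writable entries:"; find_world_writable "$root/htdocs"
echo "plain CGIs run as: $(apache_user "$root/httpd.conf")"
if suexec_enabled "$root/httpd.conf"; then echo "suexec: configured"; else echo "suexec: not configured"; fi
rm -rf "$root"
```

On a real host the same functions would be pointed at the DocumentRoot and ScriptAlias directories and at the live httpd.conf; a hit from find_world_writable inside a CGI directory is exactly the kind of "FTP account with access to a cgi directory" the reply speculates about.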

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here