Re: Apache hacks (./atac, d0s.txt)

From: Jay D. Dyson (jdyson_at_treachery.net)
Date: 04/29/05

  • Next message: Steve Kemp: "Re: Apache hacks (./atac, d0s.txt)"
    Date: Fri, 29 Apr 2005 14:49:42 -0700 (PDT)
    To: Bugtraq <bugtraq@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Fri, 29 Apr 2005, Andrew Y Ng wrote:

    > My server has been seeing some unusual activities today, I don't have much
    > time to get down to the bottom of things, but after I investigated
    > briefly I have decided to disable PERL executable permission for
    > www-data (Apache process's user), also locked /var/tmp so www-data
    > cannot write to it.
    >
    > Looks like it ignores all the `kill` signals, not sure how I can
    > actually kill it...

             Seems a bit premature to call this an "Apache hack." First off,
    it's probably not Apache's fault. Judging from what I've seen thus far,
    it looks more like a flaw in one of your CGI scripts which allowed someone
    to create and execute an arbitrary file in one of the system's most
    obvious world-writable directories.

             From what I've seen, the script looks like a vanilla, PERL-based
    IRC bot. You should be able to kill -9 it via root.

             Either way, your system got molested. Take the box offline, back
    up your data, audit your CGI scripts and access policies for flaws and
    weaknesses, scrub the system, reinstall the OS from trusted media, apply
    all the latest patches, bring the box back online, and have a nice day.

    - -Jay

        ( ( _______
        )) )) .-"There's always time for a good cup of coffee"-. >====<--.
      C|~~|C|~~| \----- Jay D. Dyson -- jdyson@treachery.net -----/ | = |-'
       `--' `--' `-- Pardon me, but am I on the right planet? --' `------'

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.1 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.

    iD8DBQFCcqv9xzN3WIW0edsRAiVfAKCACT2YlymlkBvDuhMVCHY2zqubOwCffTZm
    ZzGeGHgc8KpjDCUx33zhtPg=
    =xvyc
    -----END PGP SIGNATURE-----
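The triage step Jay describes, as an added example that is not part of the original post: find processes that the web server's user is running out of a world-writable temp directory and emit the `kill -9` lines for them. The web user is assumed to be www-data (as in Andrew's post); the ps-style lines are constructed for offline use, and live scanning assumes Linux procps `ps -eo pid,user,args --no-headers`.

```shell
#!/bin/sh
# Added example, not part of the original Bugtraq post. Triage step for the
# scenario Jay describes: a CGI flaw let an attacker drop a Perl IRC bot in a
# world-writable temp directory and run it as the web server's user. Assumes
# the web user is www-data (as in Andrew's post) and, for live use, Linux
# procps `ps -eo pid,user,args --no-headers`.

# Constructed ps-style sample (pid, user, args); not real data.
SAMPLE_PS='  412 root     /usr/sbin/sshd
 1337 www-data /usr/bin/perl /var/tmp/atac
 1338 www-data /usr/bin/perl /var/tmp/d0s.txt
 2001 www-data /usr/sbin/apache2 -k start
 2047 andrew   /usr/bin/perl /home/andrew/tmp/report.pl
 2090 root     /bin/sh /tmp/maint.sh'

# Read ps lines on stdin; print "<pid> <args>" for processes owned by $1
# whose command line references a path under /tmp or /var/tmp.
flag_tmp_procs() {
    awk -v u="$1" '
        $2 == u && $0 ~ /(^| )(\/var)?\/tmp\// {
            pid = $1
            sub(/^ *[0-9]+ +[^ ]+ +/, "")   # strip pid and user, keep args
            print pid " " $0
        }'
}

# For each flagged "<pid> <args>" line, emit (DRY_RUN=1, the default) or run
# kill -9. SIGKILL is delivered by the kernel and cannot be caught or
# ignored by the bot, unlike the default SIGTERM. Killing another user's
# processes needs root.
kill_flagged() {
    while read -r pid args; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "kill -9 $pid  # $args"
        else
            kill -9 "$pid"
        fi
    done
}

# Demo on the constructed sample; LIVE=1 scans the real process table.
if [ "${LIVE:-0}" = "1" ]; then
    ps -eo pid,user,args --no-headers | flag_tmp_procs "${WEB_USER:-www-data}" | kill_flagged
else
    printf '%s\n' "$SAMPLE_PS" | flag_tmp_procs www-data | kill_flagged
fi
```

Run it as root with `LIVE=1 DRY_RUN=1` first to see what would be killed; this only catches the obvious case (script path visible on the command line) and does not replace the reinstall Jay recommends, since a bot that has already run as www-data may have left other things behind.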


