RE: Hack attempt
Jan.Albrecht_at_bertelsmann.de
Date: 07/23/04
- Previous message: John: "Re: Hack attempt"
- Maybe in reply to: Norbert Crettol: "Hack attempt"
- Next in thread: Eric Paynter: "Re: Hack attempt"
To: focus-linux@securityfocus.com
Date: Fri, 23 Jul 2004 08:06:18 +0200
Hi Norbert,
> -----Original Message-----
> From: Norbert Crettol [mailto:norbert.crettol@idiap.ch]
> Sent: Wednesday, July 21, 2004 5:03 PM
>
> We've had an undesired visitor, last night, that I discovered in the
> reports of tripwire.
>
> Has someone seen this kind of attack? (chkrootkit doesn't detect it).
> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
> Is there a way to stop this guy? His nickname (CaEm) appears in the
> uploaded scripts.
This is a "File Injection Bug" attack. As far as I know this script gains
access as nobody (or webserver user), reads files placed in /tmp (or where
the webserver user can read), places some files and executes them.
Problem: Some of your scripts accept user data without validation. This is
the most common way to inject files onto a webserver.
Resolution: Shut down system, clean it up, update it to the latest versions
and recheck your scripts.
Regards
Jan
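
A triage sweep for the behaviour described in the reply above (files placed and executed as the web server user in /tmp), added here as an example and not part of the original message. The function name, the reason labels and the /tmp and nobody values in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Lists regular files under a
# world-writable directory that are owned by the web server account and are
# executable, start with a script shebang, or are ELF binaries.
# Usage (directory and account are assumptions): suspicious_drops /tmp nobody

# suspicious_drops DIR USER  -> one "reasons<TAB>path" line per finding
# USER may be an account name or a numeric uid.
suspicious_drops() {
    # -xdev stays on one filesystem; -exec ... {} + copes with odd file names
    find "$1" -xdev -type f -user "$2" -exec sh -c '
        elf=$(printf "\177ELF")
        for f do
            reasons=""
            # Any execute bit (x), or the setuid/sticky forms that imply it
            mode=$(ls -ld "$f" | cut -c1-10)
            case $mode in *[xst]*) reasons="exec-bit" ;; esac
            # First four bytes identify scripts and native binaries
            magic=$(dd if="$f" bs=4 count=1 2>/dev/null)
            case $magic in
                "#!"*)   reasons="${reasons:+$reasons,}shebang" ;;
                "$elf"*) reasons="${reasons:+$reasons,}elf" ;;
            esac
            if [ -n "$reasons" ]; then
                printf "%s\t%s\n" "$reasons" "$f"
            fi
        done
    ' sh {} + 2>/dev/null
}
```

A file flagged only as shebang (no execute bit) still matters, because an interpreter can be pointed at it directly.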