RE: Systems compromised with ShellBOT perl script - part 2

From: KEM Hosting (security_at_kemhosting.com)
Date: 10/20/04

  • Next message: Martin Mačok: "Re: Systems compromised with ShellBOT perl script - part 2" 
    To: <incidents@securityfocus.com>
Date: Wed, 20 Oct 2004 12:01:32 -0500

    Yes, upgrading Apache should have been done awhile ago. The obstacle there
    is that I'm using Plesk (virtual host web-control panel) which installs all
    their custom RPMs. If you try to upgrade them with standard RPMs, bad thing
    tend to happen. I'm sure there's a way to upgrade, but last time I tried
    (qmail), things got botched badly. Anyone have experience with Plesk?

    Thanks for the responses.

    Ed

    ________________________________________
    From: Dave [mailto:djm@mcoe.k12.ca.us]
    Sent: Wednesday, October 20, 2004 11:26 AM
    To: incidents@securityfocus.com; security@kemhosting.com
    Subject: Re: Systems compromised with ShellBOT perl script - part 2

    I have just a couple:
     
    This is from the httpd-2.0.46-40.ent change log, you'll note that most of
    these can be considered exploitable hacks, and each and every one of them
    applies to your current install of 32.ent
     
    - mod_dav_fs: security fix for indirect lock refresh (CAN-2004-0809)
    - mod_dav_fs: fix indirect lock handling on 64-bit platforms
    - add security fixes for CAN-2004-0747, CAN-2004-0786
    - mod_ssl: add security fix for CAN-2004-0751
    - split security fix for CAN-2004-0748 out from -sslio patch
    - merge ap_rgetline_core NUL-termination fixes from 2.0.5[01]
    - have -devel require httpd of same V-R
    - drop suexec minimum acceptable gid to 100 (#127667)
    - mod_ssl: security fix for overflow in FakeBasicAuth (CVE CAN-2004-0488)
     
    Those are just httpd, leaving out the kernel and php hack fixes.
     
    If you dont have it set automatically, you need to have up2date download and
    update manually once per day.  Judging by your current packages, you havent
    updated since March... This is not a good thing :( 
     
     
    ----- Original Message -----
    From: security@kemhosting.com
    To: incidents@securityfocus.com
    Sent: Tuesday, October 19, 2004 10:04 PM
    Subject: re: Systems compromised with ShellBOT perl script - part 2

    This thread is a couple months old, but I'm having issues with this hack,
    found
    it in the archives and thought it'd be helpful if I 'resusitated' it. See
    bottom of email for rest of thread.

    Today, hackers used the ShellBOT perl script to bring down Apache and start
    up
    their IRC listener.  They (somehow) copied it into /tmp and executed it.
     This
    confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
    Perl somehow bypass this?

    While the script was running, I ran lsof and found that it had recursively
    accessed all my (virtual host) httpd logs (probably in an attempt to delete
    it's tracks = the reason I can't see how they copied the script into /tmp)
    which are owned by root.  this is also confusing since the process the
    script
    spawned was owned by user apache.

    Some info on my box:
    Redhat ES kernel 2.4.21-9.0.1.ELsmp
    httpd-2.0.46-32.ent
    php-4.3.2-11.ent

    Anyone have any ideas on how this can happen?  Mainly the executing of a
    script
    on a noexec mount!  Obviously I'm not a guru, so it's probably something
    simple
    - so please, share!

    Thanks,
    Ed
    <<<<<<<<<<<<<CUT>>>>>>>>>>>>>>>

  • Next message: Martin Mačok: "Re: Systems compromised with ShellBOT perl script - part 2"
    • Quantcast