Re: Systems compromised with ShellBOT perl script - part 2

From: Harry de Grote (
Date: 10/20/04

  • Next message: Stephen J. Smoogen: "Re: Systems compromised with ShellBOT perl script - part 2"
    Date: Wed, 20 Oct 2004 17:59:57 +0200

    On Wednesday 20 October 2004 07:04, sgreifde:
    > This thread is a couple months old, but I'm having issues with this hack,
    > found it in the archives and thought it'd be helpful if I 'resuscitated' it.
    > See bottom of email for rest of thread.
    > Today, hackers used the ShellBOT perl script to bring down Apache and start
    > up their IRC listener. They (somehow) copied it into /tmp and executed it.
    > This confuses me because I have my /tmp directory mounted
    > rw,noexec,nosuid. Does Perl somehow bypass this?

    try doing this in your no-exec /tmp: /lib/ /bin/bash
    (should work if you have a 2.4 kernel, not in 2.6 anymore)

    that's just 1 way to bypass the noexec flag

    > While the script was running, I ran lsof and found that it had recursively
    > accessed all my (virtual host) httpd logs (probably in an attempt to delete
    > its tracks = the reason I can't see how they copied the script into /tmp)
    > which are owned by root. This is also confusing since the process the
    > script spawned was owned by user apache.
    > Some info on my box:
    > Redhat ES kernel 2.4.21-9.0.1.ELsmp
    > httpd-2.0.46-32.ent
    > php-4.3.2-11.ent
    > Anyone have any ideas on how this can happen? Mainly the executing of a
    > script on a noexec mount! Obviously I'm not a guru, so it's probably
    > something simple - so please, share!

    there are, as you can see, easy ways to bypass that... :)

    aka Rik Bobbaers
    K.U.Leuven - LUDIT             -=- Tel: +32 485 52 71 50 -=-
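Worth keeping in mind when reading the above: noexec on a mount only stops the kernel from execve()-ing files that live there; an interpreter such as perl simply reads /tmp/script.pl as data, so the flag is no control against interpreted bots at all. The following audit, added here as an example and not code from the thread, checks a mount's hardening flags and lists interpreter processes that were handed a script under /tmp. It runs over constructed /proc/mounts and process-listing samples (hypothetical values, not from the original post); on a live box you would feed it `cat /proc/mounts` and `ps -eo user,pid,args` output instead.

```shell
#!/bin/sh
# Constructed sample of /proc/mounts lines (not taken from the original thread).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda2 /var ext3 rw 0 0'

# Constructed sample of a process listing: "user pid command args..."
SAMPLE_PROCS='root 1 /sbin/init
apache 1300 /usr/sbin/httpd
apache 1234 perl /tmp/.x/bot.pl
apache 1240 /usr/bin/php /var/www/html/index.php'

# mount_missing_flags MOUNTS MOUNTPOINT FLAG... : prints each FLAG absent from
# MOUNTPOINT's mount options (one per line); succeeds only when none is missing.
mount_missing_flags() {
    mounts="$1"; mp="$2"; shift 2
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4 }')
    rc=0
    for flag in "$@"; do
        case ",$opts," in
            *",$flag,"*) ;;
            *) printf '%s\n' "$flag"; rc=1 ;;
        esac
    done
    return $rc
}

# tmp_interpreter_procs PROCS : prints "user pid cmdline" for every process whose
# command is an interpreter (perl, python, sh, bash, php) and whose arguments
# include a path under /tmp. noexec does not block these: the interpreter only
# read()s the script, it never execve()s it.
tmp_interpreter_procs() {
    printf '%s\n' "$1" | awk '
        {
            cmd = $3; sub(/.*\//, "", cmd)
            if (cmd ~ /^(perl|python|sh|bash|php)[0-9.]*$/)
                for (i = 4; i <= NF; i++)
                    if ($i ~ /^\/tmp\//) { print; break }
        }'
}
```

Run `mount_missing_flags "$(cat /proc/mounts)" /tmp noexec nosuid nodev` and `tmp_interpreter_procs "$(ps -eo user,pid,args | tail -n +2)"` to use it on real data; anything the second call prints under the apache user is exactly the situation described in the quoted mail.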
