Re: Systems compromised with ShellBOT perl script - part 2
From: Harry de Grote (rik.bobbaers_at_cc.kuleuven.ac.be)
To: firstname.lastname@example.org
Date: Wed, 20 Oct 2004 17:59:57 +0200
On Wednesday 20 October 2004 07:04, email@example.com wrote:
> This thread is a couple of months old, but I'm having issues with this hack,
> found it in the archives and thought it'd be helpful if I 'resuscitated' it.
> See bottom of email for rest of thread.
> Today, hackers used the ShellBOT perl script to bring down Apache and start
> up their IRC listener. They (somehow) copied it into /tmp and executed it.
> This confuses me because I have my /tmp directory mounted
> rw,noexec,nosuid. Does Perl somehow bypass this?
Try doing this in your noexec /tmp: /lib/ld-linux.so.2 /bin/bash
(should work if you have a 2.4 kernel, not in 2.6 anymore)
That's just one way to bypass the noexec flag.
> While the script was running, I ran lsof and found that it had recursively
> accessed all my (virtual host) httpd logs (probably in an attempt to delete
> its tracks = the reason I can't see how they copied the script into /tmp),
> which are owned by root. This is also confusing, since the process the
> script spawned was owned by user apache.
> Some info on my box:
> Redhat ES kernel 2.4.21-9.0.1.ELsmp
> Anyone have any ideas on how this can happen? Mainly the executing of a
> script on a noexec mount! Obviously I'm not a guru, so it's probably
> something simple - so please, share!
There are, as you can see, easy ways to bypass that... :)
-- 
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org
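As an added example (not part of the thread, and not the poster's own tooling), a POSIX sh check an administrator can run to list processes that reference files living on noexec mounts. Both cases discussed above come down to the same thing: noexec only stops the kernel from exec()ing the file directly, while `perl /tmp/x.pl` or the ld-linux.so.2 trick execute the interpreter or loader, which just reads the file as data. The script name in the usage line is our own.

```sh
#!/bin/sh
# Added example, not from the thread: list running processes that reference
# files on a noexec-mounted filesystem. noexec only stops the kernel from
# exec()ing such a file directly; "perl /tmp/x.pl" or "ld-linux.so.2 /tmp/x"
# execute the interpreter or loader, which merely reads the file as data.
# The script only reads /proc/mounts and /proc/<pid>/*; it changes nothing.

# Print the mount points whose options include "noexec".
# Input on stdin in /proc/mounts format: device mountpoint fstype options ...
noexec_mountpoints() {
    awk '{ n = split($4, o, ",")
           for (i = 1; i <= n; i++) if (o[i] == "noexec") { print $2; break } }'
}

# Succeed (exit 0) when PATH lies on one of the mount points in MOUNTS
# (whitespace-separated list, as produced by noexec_mountpoints).
path_on_noexec() {
    path=$1
    mounts=$2
    for m in $mounts; do
        case "$m" in /) return 0 ;; esac        # root itself mounted noexec
        case "$path" in "$m"|"$m"/*) return 0 ;; esac
    done
    return 1
}

# Walk /proc and report processes whose command line names an existing
# file on a noexec mount, resolving relative arguments against the cwd.
scan_procs() {
    mounts=$(noexec_mountpoints < /proc/mounts)
    [ -n "$mounts" ] || { echo "no noexec mounts found"; return 0; }
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ -r "$d/cmdline" ] || continue
        cwd=$(readlink "$d/cwd" 2>/dev/null)
        # cmdline is NUL-separated; emit one argument per line
        tr '\0' '\n' < "$d/cmdline" 2>/dev/null | while IFS= read -r arg; do
            case "$arg" in /*) ;; "") continue ;; *) arg="$cwd/$arg" ;; esac
            [ -f "$arg" ] || continue
            if path_on_noexec "$arg" "$mounts"; then
                printf 'pid %s (%s) uses %s on a noexec mount\n' \
                    "$pid" "$(cat "$d/comm" 2>/dev/null)" "$arg"
            fi
        done
    done
}

# Usage: sh noexec_check.sh --scan   (the file name is our own choice)
case "${1:-}" in --scan) scan_procs ;; esac
```

On a 2.4 kernel like the one in the thread there is no /proc/<pid>/comm, so the process name prints empty; the path match itself still works.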