RE: Systems compromised with ShellBOT perl script - part 2

From: Poof (poof_at_fansubber.com)
Date: 10/20/04

    To: "'KEM Hosting'" <security@kemhosting.com>, <incidents@securityfocus.com>
    Date: Wed, 20 Oct 2004 14:51:30 -0700
    
    

    Well, just so you know... Make a BACKUP of your suexec file before upgrading
    httpd when you have Plesk, then just replace the file after upgrading with
    your backup.

    Then you'll be fine. Otherwise... You SHOULD leave qmail/etc alone when
    you have PSA. =/

    ~

    > -----Original Message-----
    > From: KEM Hosting [mailto:security@kemhosting.com]
    > Sent: Wednesday, October 20, 2004 10:02 AM
    > To: incidents@securityfocus.com
    > Subject: RE: Systems compromised with ShellBOT perl script - part 2
    >
    > Yes, upgrading Apache should have been done a while ago. The obstacle
    > there is that I'm using Plesk (virtual host web-control panel) which
    > installs all their custom RPMs. If you try to upgrade them with standard
    > RPMs, bad things tend to happen. I'm sure there's a way to upgrade, but
    > last time I tried (qmail), things got botched badly. Anyone have
    > experience with Plesk?
    >
    > Thanks for the responses.
    >
    > Ed
    >
    > ________________________________________
    > From: Dave [mailto:djm@mcoe.k12.ca.us]
    > Sent: Wednesday, October 20, 2004 11:26 AM
    > To: incidents@securityfocus.com; security@kemhosting.com
    > Subject: Re: Systems compromised with ShellBOT perl script - part 2
    >
    > I have just a couple:
    >
    > This is from the httpd-2.0.46-40.ent change log; you'll note that most of
    > these can be considered exploitable hacks, and each and every one of them
    > applies to your current install of 32.ent:
    >
    > - mod_dav_fs: security fix for indirect lock refresh (CAN-2004-0809)
    > - mod_dav_fs: fix indirect lock handling on 64-bit platforms
    > - add security fixes for CAN-2004-0747, CAN-2004-0786
    > - mod_ssl: add security fix for CAN-2004-0751
    > - split security fix for CAN-2004-0748 out from -sslio patch
    > - merge ap_rgetline_core NUL-termination fixes from 2.0.5[01]
    > - have -devel require httpd of same V-R
    > - drop suexec minimum acceptable gid to 100 (#127667)
    > - mod_ssl: security fix for overflow in FakeBasicAuth (CVE CAN-2004-0488)
    >
    > Those are just httpd, leaving out the kernel and php hack fixes.
    >
    > If you don't have it set automatically, you need to have up2date download
    > and update manually once per day.  Judging by your current packages, you
    > haven't updated since March... This is not a good thing :(
    >
    >
    > ----- Original Message -----
    > From: security@kemhosting.com
    > To: incidents@securityfocus.com
    > Sent: Tuesday, October 19, 2004 10:04 PM
    > Subject: re: Systems compromised with ShellBOT perl script - part 2
    >
    > This thread is a couple months old, but I'm having issues with this hack,
    > found it in the archives and thought it'd be helpful if I 'resuscitated'
    > it. See bottom of email for rest of thread.
    >
    >
    > Today, hackers used the ShellBOT perl script to bring down Apache and
    > start up their IRC listener.  They (somehow) copied it into /tmp and
    > executed it.  This confuses me because I have my /tmp directory mounted
    > rw,noexec,nosuid.  Does Perl somehow bypass this?
    >
    >
    > While the script was running, I ran lsof and found that it had recursively
    > accessed all my (virtual host) httpd logs (probably in an attempt to
    > delete its tracks = the reason I can't see how they copied the script into
    > /tmp) which are owned by root.  This is also confusing since the process
    > the script spawned was owned by user apache.
    >
    >
    > Some info on my box:
    > Redhat ES kernel 2.4.21-9.0.1.ELsmp
    > httpd-2.0.46-32.ent
    > php-4.3.2-11.ent
    >
    >
    > Anyone have any ideas on how this can happen?  Mainly the executing of a
    > script on a noexec mount!  Obviously I'm not a guru, so it's probably
    > something simple - so please, share!
    >
    >
    > Thanks,
    > Ed
    > <<<<<<<<<<<<<CUT>>>>>>>>>>>>>>>
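The lsof-based triage Ed describes (a perl process owned by the apache user, running out of /tmp, holding httpd logs and an IRC socket) can be turned into a repeatable check. The following is an added example, not code from the thread or from any of its participants; it parses a constructed `lsof -nP` sample with the fixed nine-column layout and flags web-user processes that are not httpd's own workers.

```python
from collections import defaultdict
# Constructed `lsof -nP` sample (not from the thread's host): one normal httpd
# worker and a perl process run as the web user out of /tmp.
SAMPLE_LSOF = """\
COMMAND PID  USER   FD  TYPE DEVICE SIZE    NODE NAME
httpd   1202 apache cwd DIR  8,1    4096    2    /
httpd   1202 apache 2w  REG  8,1    51200   7788 /var/log/httpd/error_log
perl    4711 apache cwd DIR  8,1    4096    9001 /tmp
perl    4711 apache txt REG  8,1    1100000 5555 /usr/bin/perl
perl    4711 apache 3r  REG  8,1    8200    9002 /tmp/.x/bot.pl
perl    4711 apache 5u  IPv4 12345  0t0     TCP  10.0.0.5:45012->198.51.100.7:6667 (ESTABLISHED)
perl    4711 apache 6r  REG  8,1    51200   7788 /var/log/httpd/error_log
"""

WEB_USERS = {"apache", "www-data", "nobody"}  # accounts the web server runs as
SCRATCH = ("/tmp", "/var/tmp", "/dev/shm")    # world-writable drop locations
LOG_DIRS = ("/var/log/httpd",)                # only httpd itself should hold these

def under(path, dirs):
    return any(path == d or path.startswith(d + "/") for d in dirs)

def parse_lsof(text):
    # Group the 9-column rows by PID; rows with fewer columns are skipped.
    procs = defaultdict(lambda: {"cmd": "", "user": "", "files": [], "net": []})
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        cmd, pid, user, fd, ftype, _dev, _size, _node, name = parts
        p = procs[int(pid)]
        p["cmd"], p["user"] = cmd, user
        (p["net"] if ftype.startswith("IPv") else p["files"]).append((fd, name))
    return procs

def triage(text):
    # (pid, command, reasons) for web-user processes other than httpd's own workers
    findings = []
    for pid, p in sorted(parse_lsof(text).items()):
        if p["user"] not in WEB_USERS or p["cmd"] == "httpd":
            continue
        reasons = []
        for fd, name in p["files"]:
            if under(name, SCRATCH):
                reasons.append("scratch dir: %s %s" % (fd, name))
            elif under(name, LOG_DIRS):
                reasons.append("holds httpd log: %s %s" % (fd, name))
        reasons += ["network socket: %s %s" % (fd, name) for fd, name in p["net"]]
        if reasons:
            findings.append((pid, p["cmd"], reasons))
    return findings
```

Feed it the real output of `lsof -nP` on a host to list every flagged PID with the file, directory and socket handles that justify a closer look.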

