RE: PHP and remote execution

From: Ryan Macfarlane (rmacfarlane_at_pivotgroup.net)
Date: 05/12/03

  • Next message: Alaric Darconville: "Re: block internet at two workstations"
    To: "Strider" <strider@chatcircuit.com>, <security-basics@securityfocus.com>
    Date: Mon, 12 May 2003 13:36:17 -0400
    
    

    Tripwire is excellent for tracking compromises along these lines. There is
    an open source version for *nix out there. A company called Sana provides a
    tool called Primary Response that I am currently evaluating... (I will send
    more when I am finished) Primary Response is application specific IDS /
    prevention tool that is behavior based and maps the typical code paths
    (systems call, files, network connections) that your application uses...
    best used in high traffic, relatively non-dynamic environments...

    Hope this helps,

    -rmac

    -----Original Message-----
    From: Strider [mailto:strider@chatcircuit.com]
    Sent: Sunday, May 11, 2003 12:52 PM
    To: security-basics@securityfocus.com
    Subject: PHP and remote execution

    After our latest fun with one of our boxes becoming a DoS source, we've
    spent much time tracking how it was compromised. It was all because of a
    forum called CyBoards. There exists a bug that is known to exists and has
    not been fix that allows execution of code on the hosting server. In this
    case, the attacker wanted to conceal is activity as much as possible so he
    made use of the exploit as little as possible by making it install a back
    door. Through the back door, he installed a DoS client and initiated 2 DoS
    attacks. We found the DoS client without a problem. It was in /tmp with
    the name of
    milk', which seems to be a lesser known packet fragmentation DoS attack
    program originating from Brasil. The two attacks were launched against
    Basilian sites, so this clued us in that it was a rather local attack.
    With 400+ site logs to navigate, it wasn't easy looking for something we
    didn't know to look for. We quickly figured out that it was in fact done via
    the web server due to the fact the attack binary was owned by the user and
    group as the httpd, and we also fairly quickly figured out the DoS attack
    was not launched via an interactive web script (php, cgi, etc). It was
    either a script specifically used for this purpose, or an installed backdoor
       It took hours of scouring, several cups of coffee, and several packs of
    cigarettes to find the initial attack. An exploit was done on an
    installation of CyBoards which instructed a hole to execute a script from
    another server in Brasil, which instructed our server to download, compile,
    and execute a shell backdoor. From there, the attacker logged into the shell
    backdoor and downloaded the milk binary to the server, already compiled.
    The measures we have taken to prevent this so far is to prevent php from
    executing remote scripts, and modifying the kernel with grsec for better
    access control. Does anyone know of any other measures we should take to
    prevent these things? Is there a way to move the tmp dir access to the user
    dirs? Beau (Strider) Steward strider@chatcircuit.com
    http://www.arteryplanet.net http://www.chatcircuit.com

    ---------------------------------------------------------------------------
    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track, provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    utilization
    of pertinent security tools. For a limited time you can enter for a chance
    to win one of the latest technological innovations, the SEGWAY HT.
    Log onto http://www.securityfocus.com/FastTrain-security-basics
    ----------------------------------------------------------------------------

    ---------------------------------------------------------------------------
    Thinking About Security Training? You Can't Afford Not To!

    Vigilar's industry leading curriculum includes: Security +, Check Point,
    Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
    --UP TO 30% off classes in select cities--
    http://www.securityfocus.com/Vigilar-security-basics
    ----------------------------------------------------------------------------


  • Next message: Alaric Darconville: "Re: block internet at two workstations"

    Relevant Pages

    • [UNIX] DoS Attack Against FreeRADIUS (Other RADIUS Servers Affected)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... to create a high-performance and highly configurable GPL'd RADIUS server. ... program with failed requests causing a denial of service attack. ... Access-Request to the RADIUS server, ...
      (Securiteam)
    • RE: DOS ATTACK
      ... Subject: DOS ATTACK ... server which I guess is your problem. ... block traffic based on referrer. ...
      (Incidents)
    • RE: [Owasp-dotnet] Re: (Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model questio
      ... > b) Each client of the server (say, each department of a company, or each ... > c) Each website is placed into its own custom application pool ... password attack to all accounts. ... download the ANBS (Asp.Net Baseline Security) Open Source tool (that I ...
      (Pen-Test)
    • Re: MS and security: good effort but no cigar
      ... And last but not least, no fat, no dos, no multiboot. ... build upon the progress it's already made in security. ... a Windows system, it is still surprisingly easy to completely own that ... Then there's the issue of poorly secured server applications. ...
      (microsoft.public.windowsxp.general)
    • Re: ping Purl Gurl? Beginner Level Perl
      ... This is an excellent _free_ secondary DNS server, ... Both countries are technology Neandertals. ... Only worthy DoS attack we enjoyed is this one of which I recently ... For security, I run a commercial service remote hacker test against ...
      (alt.usage.english)