RE: PHP and remote execution

From: Ryan Macfarlane (
Date: 05/12/03

  • Next message: Alaric Darconville: "Re: block internet at two workstations"
    To: "Strider" <>, <>
    Date: Mon, 12 May 2003 13:36:17 -0400

    Tripwire is excellent for tracking compromises along these lines. There is
    an open source version for *nix out there. A company called Sana provides a
    tool called Primary Response that I am currently evaluating... (I will send
    more when I am finished) Primary Response is application specific IDS /
    prevention tool that is behavior based and maps the typical code paths
    (systems call, files, network connections) that your application uses...
    best used in high traffic, relatively non-dynamic environments...

    Hope this helps,


    -----Original Message-----
    From: Strider []
    Sent: Sunday, May 11, 2003 12:52 PM
    Subject: PHP and remote execution

    After our latest fun with one of our boxes becoming a DoS source, we've
    spent much time tracking how it was compromised. It was all because of a
    forum called CyBoards. There exists a bug that is known to exists and has
    not been fix that allows execution of code on the hosting server. In this
    case, the attacker wanted to conceal is activity as much as possible so he
    made use of the exploit as little as possible by making it install a back
    door. Through the back door, he installed a DoS client and initiated 2 DoS
    attacks. We found the DoS client without a problem. It was in /tmp with
    the name of
    milk', which seems to be a lesser known packet fragmentation DoS attack
    program originating from Brasil. The two attacks were launched against
    Basilian sites, so this clued us in that it was a rather local attack.
    With 400+ site logs to navigate, it wasn't easy looking for something we
    didn't know to look for. We quickly figured out that it was in fact done via
    the web server due to the fact the attack binary was owned by the user and
    group as the httpd, and we also fairly quickly figured out the DoS attack
    was not launched via an interactive web script (php, cgi, etc). It was
    either a script specifically used for this purpose, or an installed backdoor
       It took hours of scouring, several cups of coffee, and several packs of
    cigarettes to find the initial attack. An exploit was done on an
    installation of CyBoards which instructed a hole to execute a script from
    another server in Brasil, which instructed our server to download, compile,
    and execute a shell backdoor. From there, the attacker logged into the shell
    backdoor and downloaded the milk binary to the server, already compiled.
    The measures we have taken to prevent this so far is to prevent php from
    executing remote scripts, and modifying the kernel with grsec for better
    access control. Does anyone know of any other measures we should take to
    prevent these things? Is there a way to move the tmp dir access to the user
    dirs? Beau (Strider) Steward

    FastTrain has your solution for a great CISSP Boot Camp. The industry's most
    recognized corporate security certification track, provides a comprehensive
    prospectus based upon the core principle concepts of security. This ALL
    INCLUSIVE curriculum utilizes lectures, case studies and true hands-on
    of pertinent security tools. For a limited time you can enter for a chance
    to win one of the latest technological innovations, the SEGWAY HT.
    Log onto

    Thinking About Security Training? You Can't Afford Not To!

    Vigilar's industry leading curriculum includes: Security +, Check Point,
    Hacking & Assessment, Cisco Security, Wireless Security & more! Register Now!
    --UP TO 30% off classes in select cities--

  • Next message: Alaric Darconville: "Re: block internet at two workstations"