Re: backdoor named tvic / Kayten / ttyshd download in apache logfile

From: Henning (Henning.Lieder_at_gmail.com)
Date: 04/28/05


Date: 28 Apr 2005 01:00:04 -0700


> Are you sure that your www-data user is/was not part of that group?
No, Apache runs as www-data:www-data, and www-data is only in the www-data group.

> Btw. what does your access log say? If those were GET requests the
> commands given can be reconstructed.
That's my problem. I searched all access.logs for GET requests around
the timestamp of the attack, but I didn't find any cgi-bin/php access
with GET at that time.
So I don't know which script the attack used. I looked at the phpBB
version, but it was a newer version without serious security bugs.
I hope my actions secured the system. My server may be on a list of
"hackable" servers, so there will be more attacks... :(
But luckily it isn't on any mail blacklist.

ciao

Henning
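The log search described in the post above filtered on GET requests only. One practical caveat a responder would want to check is that an exploit delivered in a POST body leaves only the request line (method, path, status) in access.log, not the payload, so a GET-only grep can miss the request entirely. The following is an added example, not code from the original thread: a small parser for Apache "combined" log lines that pulls every request to a script path (.php, .pl, .cgi, /cgi-bin/) inside a time window around a chosen timestamp, with the HTTP method left unfiltered by default. The sample log lines, IP addresses and the window centre are constructed for the example and do not come from the original poster's server.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format, one request per line:
# ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Paths that hand the request to server-side code. The body of a POST to
# one of these never appears in access.log, only the request line does.
SCRIPT_RE = re.compile(r'\.(php|pl|cgi)(\?|$)|/cgi-bin/', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # e.g. 28/Apr/2005:01:02:40 -0700 -> timezone-aware datetime
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def script_hits(lines, center, window_minutes=30, methods=None):
    """Return parsed entries for script requests within +/- window_minutes of center.

    methods=None keeps every HTTP method. Pass ("GET",) to reproduce a GET-only
    search and see what it drops.
    """
    lo = center - timedelta(minutes=window_minutes)
    hi = center + timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                      # skip unparseable/garbled lines
        if not (lo <= entry["ts"] <= hi):
            continue
        if methods and entry["method"] not in methods:
            continue
        if SCRIPT_RE.search(entry["path"]):
            hits.append(entry)
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Apr/2005:00:30:11 -0700] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [28/Apr/2005:01:02:40 -0700] "POST /forum/viewtopic.php?t=12 HTTP/1.0" 200 1840 "-" "-"',
    '10.0.0.9 - - [28/Apr/2005:01:03:02 -0700] "GET /images/logo.gif HTTP/1.0" 200 2210 "-" "-"',
    '10.0.0.7 - - [28/Apr/2005:03:15:00 -0700] "GET /forum/index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    'garbage line that is not a log entry',
]

# Constructed "time of the attack" used as the window centre.
CENTER = datetime(2005, 4, 28, 1, 2, 0, tzinfo=timezone(timedelta(hours=-7)))


if __name__ == "__main__":
    print("GET only :", len(script_hits(SAMPLE_LOG, CENTER, 10, ("GET",))))
    for e in script_hits(SAMPLE_LOG, CENTER, 10):
        print("any method:", e["ts"].isoformat(), e["ip"], e["method"], e["path"], e["status"])
```

Run against the constructed lines, the GET-only search in a ten-minute window returns nothing, while the unfiltered search returns the POST to viewtopic.php at 01:02:40. That is the shape of the gap to look for: a POST to a script around the incident time, whose body is not in access.log at all. The remaining places the payload could still be reconstructed from are a mod_security or reverse-proxy log if one exists, error.log (PHP warnings from the script often name the offending parameter), and the per-vhost access logs if the site is not the default host.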


