Re: backdoor named tvic / Kayten / ttyshd download in apache logfile

From: Chris Kronberg (smil_at_agleia.de)
Date: 04/28/05

  • Next message: Moe Trin: "Re: Good passwords and security priorities"
    Date: 28 Apr 2005 19:08:26 GMT
    
    

    Henning wrote in article <7d202f03.0504280000.6466224e@posting.google.com>:
    >> Are you sure that your www-data user is/was not part of that group?
    > No, apache runs as www-data:www-data and www-data is only in www-data.
     
      That's odd. From what you have written so far it should not have
      been possible to issue the wget command.

    >> Btw. what does your access log say? If those were GET requests the
    >> commands given can be reconstructed.
    > That's my problem. I searched all access.log's for GET commands around
    > the timestamp of the attack. But I didn't find any cgi-bin/php access
    > with GET at that time.

      So it was a POST request? Are there any entries matching the
      time in question? If not, the attacker might have cleaned the
      access_log and simply forgotten about the error log. Stupid,
      but luckily these things are happening.

    > So I don't know which script the attack used. I looked at the phpBB
    > version but it was a newer version without serious security bugs.
    > I hope my actions secured the system. My server may be on a list of
    > "hackable" servers so there will be more attacks... :(

      Not necessarily. From what I can see on my server there are scans
      running again and again and again. If the scan gives some kind
      of positive information, someone may pass by for an attack. Otherwise
      there is not much activity.

    > But luckily it isn't on any Mail Blacklist.

      :-) Is this a hint to proceed via email?

      Cheers,

      Chris.
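Chris's suggestion above, pulling the access_log entries around the attack timestamp, decoding what GET query strings carried, and treating an empty access_log window next to a busy error_log as a sign of tampering, written out as a small Python script. This is an added example, not code from the thread; the log lines, client address and attack time it runs on are constructed, and the error_log format assumed is the Apache 1.3/2.0 style.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache combined access_log and 1.3/2.0-style error_log lines; the access-log
# timezone offset is dropped so both logs compare as naive local timestamps.
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^ \]]+)[^\]]*\] '
                       r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$')

def near(ts, center, seconds):
    return abs(ts - center) <= timedelta(seconds=seconds)

def requests_near(access_lines, attack_time, seconds=300):
    """Access-log entries within +/- seconds of the attack, query string decoded
    (for GETs that is where injected commands become readable), script hits flagged."""
    out = []
    for m in filter(None, map(ACCESS_RE.match, access_lines)):
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S")
        if near(e["ts"], attack_time, seconds):
            path, _, query = e["path"].partition("?")
            e["query"] = unquote(query)
            e["script_hit"] = (e["method"] == "POST" or "/cgi-bin/" in path
                               or path.endswith(".php"))
            out.append(e)
    return out

def errors_near(error_lines, attack_time, seconds=300):
    out = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m and near(datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), attack_time, seconds):
            out.append(m["msg"])
    return out

def access_log_cleaned(access_lines, error_lines, attack_time, seconds=300):
    """True when error_log is busy in the window but access_log is silent (wiped access_log)."""
    return bool(errors_near(error_lines, attack_time, seconds)) and \
        not requests_near(access_lines, attack_time, seconds)

# Constructed sample lines and attack time (not taken from the original thread).
ATTACK = datetime(2005, 4, 28, 19, 8, 26)
ACCESS = [
    '192.0.2.10 - - [28/Apr/2005:18:00:01 +0200] "GET /index.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [28/Apr/2005:19:08:20 +0200] "POST /phpBB/viewtopic.php HTTP/1.1" 200 2048',
    '192.0.2.10 - - [28/Apr/2005:19:09:00 +0200] "GET /viewtopic.php?t=42&highlight=%2A HTTP/1.1" 200 1024',
]
ERRORS = ['[Thu Apr 28 19:08:26 2005] [error] [client 192.0.2.10] sh: wget: Permission denied']
```

With the sample data, the POST and the decoded GET both land in the window; dropping everything but the first access line makes `access_log_cleaned` report the wiped-log pattern.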

