Security Basics mailing list archives

RE: PHP and remote execution
From: "Ryan Macfarlane" <rmacfarlane () pivotgroup net>
Date: Mon, 12 May 2003 13:36:17 -0400

Tripwire is excellent for tracking compromises along these lines. There is
an open source version for *nix out there. A company called Sana provides a
tool called Primary Response that I am currently evaluating... (I will send
more when I am finished) Primary Response is an application-specific IDS /
prevention tool that is behavior based and maps the typical code paths
(system calls, files, network connections) that your application uses...
best used in high traffic, relatively non-dynamic environments...

Hope this helps,


-----Original Message-----
From: Strider [mailto:strider () chatcircuit com]
Sent: Sunday, May 11, 2003 12:52 PM
To: security-basics () securityfocus com
Subject: PHP and remote execution

After our latest fun with one of our boxes becoming a DoS source, we've
spent much time tracking how it was compromised. It was all because of a
forum called CyBoards. There exists a bug that is known and has not been
fixed that allows execution of code on the hosting server. In this case,
the attacker wanted to conceal his activity as much as possible, so he
made use of the exploit as little as possible by making it install a back
door. Through the back door, he installed a DoS client and initiated 2 DoS
attacks.

We found the DoS client without a problem. It was in /tmp with the name
'milk', which seems to be a lesser known packet fragmentation DoS attack
program originating from Brazil. The two attacks were launched against
Brazilian sites, so this clued us in that it was a rather local attack.
With 400+ site logs to navigate, it wasn't easy looking for something we
didn't know to look for. We quickly figured out that it was in fact done via
the web server, due to the fact that the attack binary was owned by the same
user and group as httpd, and we also fairly quickly figured out the DoS attack
was not launched via an interactive web script (php, cgi, etc). It was
either a script specifically used for this purpose, or an installed backdoor.

It took hours of scouring, several cups of coffee, and several packs of
cigarettes to find the initial attack. An exploit was done on an
installation of CyBoards which instructed a hole to execute a script from
another server in Brazil, which instructed our server to download, compile,
and execute a shell backdoor. From there, the attacker logged into the shell
backdoor and downloaded the milk binary to the server, already compiled.

The measures we have taken to prevent this so far are to prevent php from
executing remote scripts, and modifying the kernel with grsec for better
access control. Does anyone know of any other measures we should take to
prevent these things? Is there a way to move the tmp dir access to the user
dirs?

Beau (Strider) Steward
strider () chatcircuit com
http://www.arteryplanet.net
http://www.chatcircuit.com
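The two detection ideas in this thread, a Tripwire-style file integrity baseline for the web tree and a check of /tmp for executables owned by the web server account, are shown below in a small Python 3 script. This is an added example written for this archive page; it is not Tripwire, Primary Response, or code from either poster. It builds a constructed sample web tree in a temporary directory, uses the current user's uid as a stand-in for the httpd uid, and assumes a POSIX host (ownership and execute bits come from `os.lstat`).

```python
"""Tripwire-style integrity baseline plus /tmp triage (added example, constructed data)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record content hash, permission bits and ownership of every regular file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: a symlink swapped in for a file counts as a change
            if not stat.S_ISREG(st.st_mode):
                continue
            baseline[os.path.relpath(full, root)] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return baseline


def compare_baseline(old, new):
    """Files added, removed, or whose hash/mode/owner differ from the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def find_web_owned_executables(tmp_dir, web_uid):
    """Executable regular files under tmp_dir owned by the web server uid."""
    hits = []
    for dirpath, _, files in os.walk(tmp_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_uid == web_uid and st.st_mode & EXEC_BITS:
                hits.append(os.path.relpath(full, tmp_dir))
    return sorted(hits)


def demo():
    """Build a constructed web tree, take a baseline, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        forum, tmp = root / "forum", root / "tmp"
        forum.mkdir()
        tmp.mkdir()
        (forum / "index.php").write_text("<?php echo 'forum'; ?>\n")
        (forum / "config.php").write_text("<?php $db_host = 'localhost'; ?>\n")
        (tmp / "sess_abc").write_text("session data\n")  # ordinary non-executable temp file

        before = build_baseline(forum)

        # Constructed tampering: one file edited, one unexpected file added,
        # and an executable left in tmp by the (stand-in) web server user.
        (forum / "config.php").write_text("<?php $db_host = 'db.example'; ?>\n")
        (forum / "unexpected.php").write_text("<?php ?>\n")
        dropped = tmp / "milk"
        dropped.write_bytes(b"constructed placeholder, not a real binary\n")
        dropped.chmod(0o755)

        report = compare_baseline(before, build_baseline(forum))
        tmp_hits = find_web_owned_executables(tmp, os.getuid())  # os.getuid() stands in for the httpd uid
        return report, tmp_hits


if __name__ == "__main__":
    report, tmp_hits = demo()
    print("integrity report:", report)
    print("web-owned executables in tmp:", tmp_hits)
```

In practice the baseline would be written out once from a known-good state and kept off the host (or at least read-only to the web server account), and the tmp check would be run against the real uid of the httpd user; the point of the example is that both the modified forum files and the dropped binary surface from file metadata alone, before any log review.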
