mailing list archives
Another exploit against apache or kernel
From: Adrian Senn <adrian () senn ch>
Date: Tue, 10 May 2005 23:57:40 +0200
Since some weeks we have an intruder which is exploiting us and poisoning us
with the Virus Unix/RST.A
I found now how it happens at it isn't clear to me what he is doing.
I found in the apache log file some interesting strings.
Repeating entries as this
ip-hide - - [10/May/2005:19:58:00 +0200] "\v\xa5\xe5)(\xdd\xb7|\xd5\xad&\xd79" 400 - "-" "-"
and sometimes this one
ip-hide - - [10/May/2005:19:58:20 +0200]
200 11466 "-" "-"
I had the possibility to made a tcpdump of this session of the cracker.
It doesn't initiate a normal http session. After the treeway handshake
he is sending (HTTP: Continuation or non-HTTP traffic")
0000: 0B A5 E5 29 28 DD B7 7C D5 AD 26 D7 39 00 7E E1 ...)(..|..&.9.~.
0010: D7 CE 46 BA C5 11 ..F...
After this, our server is also initiating a session from an non privileged Port
to an unprivileged port on the other side.
He is also sending this string
0000: 66 0E BC 51 C4 6B 01 E4 6C 02 5D BE BA 79 65 96 f..Q.k..l.]..ye.
0010: 87 A5 FC 23 C5 17 ...#..
after this the server is answering with a 200 message.
I don't have any idea why our server is opening a separate session to the crackers ip.
Could this to be an exploit against the kernel or php?
I made last week a change from the older apache 1.3.26 to 1.3.33 but the problem remains.
Could this also probably be an rootkit which is answering?
Kind regards Adrian Senn
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Another exploit against apache or kernel Adrian Senn (May 10)