|
Full Disclosure
mailing list archives
Re: one of my servers has been compromized
From: John Jacobs <flamdugen () hotmail com>
Date: Mon, 5 Dec 2011 12:07:16 -0600
----------------------------------------
Subject: Re: [Full-disclosure] one of my servers has been compromized
From: james () zero-internet org uk
Date: Mon, 5 Dec 2011 17:36:53 +0000
CC: tim-security () sentinelchicken org; lucio () sulweb org; full-disclosure () lists grok org uk
To: flamdugen () hotmail com
John,
All good thoughts but can we show the server was rooted?
In otherwords; instead of an attacker getting root and then adding this to a botnet this way is it not more likely
that the original attack added the server in one step to avoid the need to do this?
James, thank you for your response. I agree with you here, I was speaking more along the lines of defense-in-depth and
security generalities. In this case I believe a vulnerability in an unpatched/unprotected version of PHPMyAdmin
permitted the Apache process to write to /tmp and spawn a process.
In my previous experience, including a few vulnerabilities in Roundcube, I've seen a programmatic scan, exploitation,
and then wget/dropping of a Perl IRC bot. Of course this is all speculation based on previous experience, I am not
looking at lucio's box. The Apache access/error logs should have the offending log entries and/or any output from the
system()/exec() etc PHP functions. Lucio -- what user was the IRC bot running under?
It's evident that 10.04.1 LTS is certainly out of date and there are a multitude of vulnerabilities that could be
leverage for privilege escalation.
Lucio, I would also recommend subscribing to the Ubuntu Security-Announce mailing lists which issue the USNs so you are
aware of which packages have been patched and those which require a reboot to effect the changes, such as Kernel update.
Thanks again for the dialog Tim and James, this exchange is very beneficial and appreciated.
James you are correct regarding the shell; I would assume /bin/sh would be pointed to /bin/dash or /bin/bash on a
Ubuntu system. I would assume the user's login shell would be /bin/bash. Again, these are all assumptions made on my
part and can certainly be incorrect, however, I would hope if someone is using KSH that they would see past the
BASHisms of the previous message.
Thanks,
John
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Re: one of my servers has been compromized, (continued)
Re: one of my servers has been compromized mitchell (Dec 05)
Re: one of my servers has been compromized Tim (Dec 05)
Re: one of my servers has been compromized Tim (Dec 05)
Re: one of my servers has been compromized John Jacobs (Dec 05)
Re: one of my servers has been compromized Guillaume Friloux (Dec 06)
Re: one of my servers has been compromized Lucio Crusca (Dec 05)
Re: one of my servers has been compromized Dave (Dec 05)
Re: one of my servers has been compromized Paul Schmehl (Dec 05)
Re: one of my servers has been compromized Aris Adamantiadis (Dec 06)
|
