[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] one of my servers has been compromized
- To: <james@xxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] one of my servers has been compromized
- From: John Jacobs <flamdugen@xxxxxxxxxxx>
- Date: Mon, 5 Dec 2011 12:07:16 -0600
----------------------------------------
> Subject: Re: [Full-disclosure] one of my servers has been compromized
> From: james@xxxxxxxxxxxxxxxxxxxx
> Date: Mon, 5 Dec 2011 17:36:53 +0000
> CC: tim-security@xxxxxxxxxxxxxxxxxxx; lucio@xxxxxxxxxx;
> full-disclosure@xxxxxxxxxxxxxxxxx
> To: flamdugen@xxxxxxxxxxx
>
> John,
>
> All good thoughts but can we show the server was rooted?
>
> In otherwords; instead of an attacker getting root and then adding this to a
> botnet this way is it not more likely that the original attack added the
> server in one step to avoid the need to do this?
James, thank you for your response. I agree with you here, I was speaking more
along the lines of defense-in-depth and security generalities. In this case I
believe a vulnerability in an unpatched/unprotected version of PHPMyAdmin
permitted the Apache process to write to /tmp and spawn a process.
In my previous experience, including a few vulnerabilities in Roundcube, I've
seen a programmatic scan, exploitation, and then wget/dropping of a Perl IRC
bot. Of course this is all speculation based on previous experience, I am not
looking at lucio's box. The Apache access/error logs should have the offending
log entries and/or any output from the system()/exec() etc PHP functions.
Lucio -- what user was the IRC bot running under?
It's evident that 10.04.1 LTS is certainly out of date and there are a
multitude of vulnerabilities that could be leverage for privilege escalation.
Lucio, I would also recommend subscribing to the Ubuntu Security-Announce
mailing lists which issue the USNs so you are aware of which packages have been
patched and those which require a reboot to effect the changes, such as Kernel
update.
Thanks again for the dialog Tim and James, this exchange is very beneficial and
appreciated.
James you are correct regarding the shell; I would assume /bin/sh would be
pointed to /bin/dash or /bin/bash on a Ubuntu system. I would assume the
user's login shell would be /bin/bash. Again, these are all assumptions made
on my part and can certainly be incorrect, however, I would hope if someone is
using KSH that they would see past the BASHisms of the previous message.
Thanks,
John
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/