[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] one of my servers has been compromized
- To: Christophe Garault <letoff@xxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] one of my servers has been compromized
- From: Paul Schmehl <pschmehl_lists@xxxxxxxxx>
- Date: Mon, 05 Dec 2011 12:13:50 -0600
--On December 5, 2011 1:48:24 PM +0100 Christophe Garault
<letoff@xxxxxxxxx> wrote:
>>
> Having your /tmp partition with noexec,nosuid is also considered a good
> practice.
That's not a bad generic suggestion, but it won't do a thing for this hack.
They deposit perl scripts in /tmp/.m and then run them by calling perl,
which is not in tmp. This is a very common hack of a poorly written web
application. I doubt seriously that the "box" has been hacked - only the
webserver is affected - especially based on his description of how he found
and got rid of its elements. (IOW, they didn't get root on the box - they
only compromised the web application and then ran shells in perl off of
that.)
--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/