I think I may have been rooted, can I trust my system?

movEAX_444
11-15-2004, 09:34 PM
Just read a note left by the person in my ~.. I know it was through Apache. Anyway.. so what should I do now? I can't trust any binary on the system, I didn't make backup binaries when I installed the distro.
Gertrude
11-15-2004, 09:53 PM
Unplug the computer from the network, backup config files and any other data, then reinstall. When installed patch/update all software, and limit any unneeded network services that are available to the internet.

movEAX_444
11-15-2004, 10:14 PM
I have an upload script I wrote (upload.cgi) - the uploaded files are stored in /files/

I see this in my Apache logs..

x.y.z.o - - [25/Oct/2004:02:31:31 -0400] "GET /~username/upload/files/bla.php HTTP/1.0" 200 268
x.y.z.o - - [25/Oct/2004:02:32:31 -0400] "GET /~username/upload/files/bla.php?b=perl%20m.pl HTTP/1.0" 200 -
x.y.z.o - - [25/Oct/2004:02:36:37 -0400] "GET /~username/upload/files/bla.php?b=perl%20m.pl HTTP/1.0" 200 -
x.y.z.o - - [25/Oct/2004:02:37:56 -0400] "GET /~username/upload/files/bla.php HTTP/1.0" 200 268
x.y.z.o - - [25/Oct/2004:02:43:07 -0400] "GET /~username/upload/files/bla.php?b=perl%20m.pl HTTP/1.0" 200 -
x.y.z.o - - [25/Oct/2004:02:53:01 -0400] "GET /~username/upload/files/bla.php?b=perl%20m.pl HTTP/1.0" 200 -
x.y.z.o - - [25/Oct/2004:02:56:33 -0400] "POST /~username/cgi-bin/upload.cgi HTTP/1.0" 200 34449
x.y.z.o - - [25/Oct/2004:02:58:31 -0400] "POST /~username/cgi-bin/upload.cgi HTTP/1.0" 200 34805
x.y.z.o - - [25/Oct/2004:02:59:11 -0400] "GET /~username/cgi-bin HTTP/1.0" 301 320
x.y.z.o - - [25/Oct/2004:02:59:11 -0400] "GET /~username/cgi-bin/ HTTP/1.0" 302 279
x.y.z.o - - [25/Oct/2004:02:59:12 -0400] "GET / HTTP/1.0" 200 1237

I'll unplug this machine asap and format.

Dark Ninja
11-15-2004, 10:16 PM
Yeah...just FYI - once you have been rooted (or even suspect it), you really can't trust anything on your system. It stinks, I know.
But, this is why it's important to practice good security measures in the first place.

Hypz
11-15-2004, 11:28 PM
What did the note say?

mangeli
11-16-2004, 12:24 AM
Originally posted by Hypz: What did the note say?
It said (in a crappy engrish voice over) HAHA ALL YOUR BASE ARE BELONG TO US! (Actually, I don't know what it said... I'm just guessing....)

movEAX_444
11-16-2004, 12:28 PM
Just said 'please upgrade your Kernel'

vhg119
11-16-2004, 10:29 PM
What's your setup? I want to know what the vulnerabilities are so it won't happen to me.
</vince>

movEAX_444
11-16-2004, 10:56 PM
Slackware 9.1.. whatever kernel came with it, I did not update it. 2.4.21 I think. Apache and PHP are up to date.

nabis
11-17-2004, 02:10 AM
After reinstall, take a look here: ftp://carroll.cac.psu.edu/pub/linux/distributions/slackware/slackware-9.1/patches/ (there are patches for both Apache and PHP); use `installpkg apache-1.3.33-i486-1.tgz` to apply it. And do update your kernel. Also it wouldn't hurt to harden your system, a quick search on "hardening Linux" or "hardening Slackware" in Google would give you a lot of hits.

bwkaz
11-17-2004, 08:30 PM
Updating your kernel would not have prevented this person from getting a shell on your machine. However, it would have prevented them from turning that shell (as user "apache" or "http" or "www-docs" or "nobody") into a root shell. Recent 2.4 kernels (I think any before 2.4.26) had some local root exploits. Any local user could use them to become root. He probably got the initial "nobody" or "www-data" or whatever-user shell through Apache, though I'm not sure.

justlinux.com
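The access-log excerpt movEAX_444 posted above shows the pattern an upload-directory compromise leaves behind: a script file requested from the upload directory, then the same file requested with a query parameter that carries an interpreter command, and successful POSTs to the upload CGI from the same client. The following is an added example (not code from the thread or from any poster) of a small log triage script that looks for exactly that pattern in Apache common-format logs. The sample lines are constructed in the style of the posted ones; the client addresses (TEST-NET ranges), the upload endpoint `/cgi-bin/upload.cgi`, the storage path `/upload/files/` and the interpreter word list are all assumptions, so adjust them to the site being checked.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines modelled on the ones posted in the thread.
# 203.0.113.5 and 198.51.100.7 are documentation addresses, not real clients.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2004:02:31:31 -0400] "GET /~username/upload/files/bla.php HTTP/1.0" 200 268
203.0.113.5 - - [25/Oct/2004:02:32:31 -0400] "GET /~username/upload/files/bla.php?b=perl%20m.pl HTTP/1.0" 200 -
203.0.113.5 - - [25/Oct/2004:02:56:33 -0400] "POST /~username/cgi-bin/upload.cgi HTTP/1.0" 200 34449
203.0.113.5 - - [25/Oct/2004:02:59:12 -0400] "GET / HTTP/1.0" 200 1237
198.51.100.7 - - [25/Oct/2004:03:10:00 -0400] "GET /~username/index.html HTTP/1.0" 200 4096
198.51.100.7 - - [25/Oct/2004:03:10:05 -0400] "GET /~username/upload/files/photo.jpg HTTP/1.0" 200 81920
"""

# Apache "common" log format: client ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

UPLOAD_CGI = "/cgi-bin/upload.cgi"   # assumed upload endpoint, taken from the thread
UPLOAD_DIR = "/upload/files/"        # assumed directory where uploads are stored
SCRIPT_EXT = (".php", ".pl", ".cgi", ".sh", ".py")
# Assumed list of interpreter / downloader names that should never be the
# first word of a query-string value on a static upload directory.
SHELL_WORDS = ("perl", "sh", "bash", "wget", "curl", "nc", "python")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote(parts.query)   # decode %20 etc. before inspecting
    return rec


def query_looks_like_command(query):
    """True if any parameter value starts with an interpreter name (e.g. b=perl m.pl)."""
    for param in query.split("&"):
        _, _, value = param.partition("=")
        tokens = value.split()
        if tokens and tokens[0] in SHELL_WORDS:
            return True
    return False


def analyse(log_text):
    """Return (ip, timestamp, finding_kind, request) tuples for suspicious lines."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        # A successful POST to the upload handler: something was stored.
        if rec["method"] == "POST" and path.endswith(UPLOAD_CGI) and status == "200":
            findings.append((ip, rec["ts"], "upload_success", path))
        # A script (not an image/document) served from the upload directory.
        if UPLOAD_DIR in path and path.lower().endswith(SCRIPT_EXT) and status == "200":
            kind = "script_in_upload_dir"
            if query_looks_like_command(rec["query"]):
                kind = "script_in_upload_dir_with_command"
            request = path + ("?" + rec["query"] if rec["query"] else "")
            findings.append((ip, rec["ts"], kind, request))
    return findings


def suspicious_clients(log_text):
    """Sorted list of client addresses that produced at least one finding."""
    return sorted({f[0] for f in analyse(log_text)})


if __name__ == "__main__":
    for ip, ts, kind, request in analyse(SAMPLE_LOG):
        print(f"{ts}  {ip:15}  {kind:38}  {request}")
    print("clients to investigate:", suspicious_clients(SAMPLE_LOG))
```

Run against a real access_log the output lists every client that both uploaded through the CGI and fetched a script from the upload directory, which is the first thing to pull before the disk is wiped, since the log is also the only record of which other hosts talked to the same dropped file. It does not change the conclusion the thread reached: once a shell was obtained the host gets rebuilt, and the log triage serves to establish the timeline and to confirm the upload handler needs to refuse or neutralise executable file types after the reinstall.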
Copyright Internet.com Inc. All Rights Reserved.