Yikes. Think I'll hard-code carriage returns for readability.
Looks to me like it had php create a file in the /tmp folder and
execute it. There's much more than that, but it probably
could've been prevented by having /tmp mounted as noexec.
Also there is a relative path vulnerability on your server.
That "../../../" etc. should've been booted by Apache.
What version of Apache are you running? Check your
distro's errata / security updates to see if there is a newer
(insert usual cleaning up after being broken into advice here)
EDIT: I take back the relative path vulnerability thing.
That's your PHP script that used that, not Apache. The
script and/or PHP need to be hardened in addition to mounting
/tmp as noexec.
Last edited by BigMoneyJim; 05-18-2005 at 08:27 PM.
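Added example (not from the original thread or any poster): a small POSIX shell check that inspects fstab-style entries and reports whether /tmp carries the noexec, nosuid and nodev options the post above recommends. The two fstab fragments and the device names in them are constructed for illustration, not copied from any real server.

```shell
#!/bin/sh
# Added example, not from the original thread: check whether an fstab entry
# mounts /tmp with the noexec, nosuid and nodev options.
# Both fstab texts below are constructed samples, not a real server's fstab.

WEAK_FSTAB='# /etc/fstab (constructed sample)
/dev/sda1  /     ext3  defaults  1 1
/dev/sda3  /tmp  ext3  defaults  1 2'

HARDENED_FSTAB='# /etc/fstab (constructed sample)
/dev/sda1  /     ext3  defaults                      1 1
/dev/sda3  /tmp  ext3  defaults,noexec,nosuid,nodev  1 2'

# tmp_mount_hardened FSTAB_TEXT
# Returns 0 if /tmp has its own entry carrying noexec, nosuid and nodev;
# otherwise prints what is missing (or that /tmp has no entry) and returns 1.
tmp_mount_hardened() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 4 { next }              # skip comments and short lines
        $2 == "/tmp" {
            found = 1
            missing = ""
            has_noexec = has_nosuid = has_nodev = 0
            n = split($4, opts, ",")               # 4th column: mount options
            for (i = 1; i <= n; i++) {
                if (opts[i] == "noexec") has_noexec = 1
                if (opts[i] == "nosuid") has_nosuid = 1
                if (opts[i] == "nodev")  has_nodev = 1
            }
            if (!has_noexec) missing = missing " noexec"
            if (!has_nosuid) missing = missing " nosuid"
            if (!has_nodev)  missing = missing " nodev"
        }
        END {
            if (!found) {
                print "/tmp has no entry of its own (it inherits the / options)"
                exit 1
            }
            if (missing != "") {
                print "/tmp entry is missing:" missing
                exit 1
            }
            print "/tmp entry carries noexec,nosuid,nodev"
            exit 0
        }
    '
}

# Demo on the constructed samples; point the function at the real /etc/fstab
# with: tmp_mount_hardened "$(cat /etc/fstab)"
for f in "$WEAK_FSTAB" "$HARDENED_FSTAB"; do
    if tmp_mount_hardened "$f"; then
        echo "  -> OK"
    else
        echo "  -> fix the entry and remount (mount -o remount /tmp)"
    fi
done
```

The fstab entry only says what the next mount will do; confirm the live state with `findmnt /tmp` or `mount | grep ' /tmp '`. Two caveats a practitioner should keep in mind: noexec stops the kernel from executing a binary dropped in /tmp directly, but a script there can still be fed to `sh` or `php` by name, so it raises the bar rather than closing the hole; and if /tmp is not a separate filesystem (the "no entry of its own" case), there is nothing to put noexec on until you make it one (a tmpfs entry or a bind mount).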
Yes, root was gained because I saw root executing the command "find /home/ -name index.* -exec cp /home/index.php" in ps, and it defaced all my index pages. They probably gained control of the web server user through phpBB and then from there used some local root exploit.
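Added example (not from the original thread or any poster): a forensic check for the kind of defacement described in the post above, where a `find ... -exec cp` run as root leaves every index page under /home as a copy of the same dropped file. Identical content across many users' index pages is the tell, so the script checksums every `index.*` file under a root and reports checksums shared by more than one file. The directory tree it builds is constructed for the demo, and the user names and page contents in it are made up.

```shell
#!/bin/sh
# Added example, not from the original thread: find index.* files that are
# byte-for-byte copies of each other, the footprint of a mass "cp" defacement.

# defaced_index_candidates ROOT
# Checksums every index.* file under ROOT and prints each checksum shared by
# more than one file, followed by the files that carry it.
defaced_index_candidates() {
    find "$1" -type f -name 'index.*' -exec cksum {} + \
    | awk '{
        sum = $1
        sub(/^[0-9]+ [0-9]+ /, "")       # strip "checksum size "; $0 is now the path
        count[sum]++
        files[sum] = files[sum] "\n    " $0
      }
      END {
        for (s in count)
            if (count[s] > 1)
                print count[s] " identical index pages (cksum " s "):" files[s]
      }'
}

# build_sample_tree
# Constructed /home-like tree in a temp dir (prints its path): two users carry
# the same defacement text, one user still has a real page.
build_sample_tree() {
    d=$(mktemp -d)
    for u in alice bob carol; do
        mkdir -p "$d/$u/public_html"
    done
    printf 'Hacked by constructed-sample\n'    > "$d/alice/public_html/index.php"
    printf 'Hacked by constructed-sample\n'    > "$d/bob/public_html/index.html"
    printf '<html>real page for carol</html>\n' > "$d/carol/public_html/index.html"
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real box run: defaced_index_candidates /home
sample=$(build_sample_tree)
defaced_index_candidates "$sample"
rm -rf "$sample"
```

On a live box, narrowing the `find` with `-newer some-known-good-file` separates the pages touched by the defacement from ones that happened to be identical anyway (a shared template, say). Since the cp ran as root, treat the list as input for restoring from backup rather than as the extent of the compromise: the post itself points out that root was reached through a local exploit, so nothing on the box can be trusted to be the only change.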