Yikes. Think I'll hard-code carriage returns for readability.
Looks to me like it had php create a file in the /tmp folder and
execute it. There's much more than that, but it probably
could've been prevented by having /tmp mounted as noexec.
Also there is a relative path vulnerability on your server.
That "../../../" etc. should've been booted by Apache.
What version of Apache are you running? Check your
distro's errata / security updates to see if there is a newer
(insert usual cleaning up after being broken into advice here)
EDIT: I take back the relative path vulnerability thing.
That's your PHP script that used that, not Apache. The
script and/or PHP need to be hardened in addition to mounting
/tmp as noexec.
Last edited by BigMoneyJim; 05-18-2005 at 08:27 PM.
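A defender's check for the /tmp mitigation suggested above, added here as an example that is not from the thread: it reads a mount table in /proc/mounts format and reports which of noexec, nosuid and nodev are set on /tmp, using constructed sample tables so it runs offline (and the live /proc/mounts when present).

```shell
#!/bin/sh
# Added example (not from the thread): report the hardening mount options on /tmp.
# Input: mount table text in /proc/mounts format
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# Output: "missing" when /tmp is not a separate mount, otherwise the hardening
# options found among noexec, nosuid, nodev, comma-separated ("none" if absent).
tmp_mount_hardening() {
    printf '%s\n' "$1" | awk '
        $2 == "/tmp" {
            seen = 1
            n = split($4, opts, ",")
            out = ""
            for (i = 1; i <= n; i++)
                if (opts[i] == "noexec" || opts[i] == "nosuid" || opts[i] == "nodev")
                    out = (out == "" ? opts[i] : (out "," opts[i]))
            print (out == "" ? "none" : out)
            exit
        }
        END { if (!seen) print "missing" }'
}

# Exit status 0 only when /tmp is a separate mount carrying noexec.
tmp_is_noexec() {
    case ",$(tmp_mount_hardening "$1")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample tables (not output from the compromised host in the thread).
WEAK_TABLE='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw 0 0'
HARDENED_TABLE='/dev/sda1 / ext3 rw 0 0
/dev/sda2 /tmp ext3 rw,nosuid,nodev,noexec 0 0'
NO_TMP_TABLE='/dev/sda1 / ext3 rw 0 0'

# Live check on a real host: feed it the actual mount table.
# A matching fstab entry would look like:
#   /dev/sda2  /tmp  ext3  defaults,nosuid,nodev,noexec  0  2
if [ -r /proc/mounts ]; then
    live=$(cat /proc/mounts)
    if tmp_is_noexec "$live"; then
        echo "/tmp: noexec present ($(tmp_mount_hardening "$live"))"
    else
        echo "/tmp: noexec missing ($(tmp_mount_hardening "$live"))"
    fi
fi
```

Note that noexec only stops direct execution of a file dropped in /tmp; a script run explicitly through an interpreter (php or sh with the file as an argument) still runs, which is why the thread's advice to also harden PHP and the script itself matters.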
Yes, root was gained because I saw root executing the command "find /home/ -name index.* -exec cp /home/index.php" in ps, and it defaced all my index pages. They probably gained control of the web server user through phpBB and then from there used some local root exploit.
That sure is an old kernel. I would get the os reloaded to a newer os such as centos 3.4 and then secure the server / php scripts running on the server.
Steven Ciaburri | Industry's Best Server Management- Rack911.com