Op Wednesday 20 October 2004 07:04, security@kemhosting.com sgreifde:
This thread is a couple months old, but I'm having issues with this hack,
found it in the archives and thought it'd be helpful if I 'resusitated' it.
See bottom of email for rest of thread.
Today, hackers used the ShellBOT perl script to bring down Apache and start
up their IRC listener. They (somehow) copied it into /tmp and executed it.
This confuses me because I have my /tmp directory mounted
rw,noexec,nosuid. Does Perl somehow bypass this?
try doing this in your no-exec /rmp: /lib/ld-linux.so.2 /bin/bash
(should work if you have a 2.4 kernel, not in 2.6 anymore)
thats just 1 way to bypass the noexec flag
While the script was running, I ran lsof and found that it had recursively
accessed all my (virtual host) httpd logs (probably in an attempt to delete
it's tracks = the reason I can't see how they copied the script into /tmp)
which are owned by root. this is also confusing since the process the
script spawned was owned by user apache.
Some info on my box:
Redhat ES kernel 2.4.21-9.0.1.ELsmp
httpd-2.0.46-32.ent
php-4.3.2-11.ent
Anyone have any ideas on how this can happen? Mainly the executing of a
script on a noexec mount! Obviously I'm not a guru, so it's probably
something simple - so please, share!
there are , as you can see easy ways to bypass that... :)
--
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
Rik.Bobbaers@cc.kuleuven.ac.be -=- http://harry.ulyssis.org
"\x41\x20\x63\x6f\x6d\x70\x75\x74\x65\x72\x20\x77\x69\x74\x68\x6f\x75\x74\x20"
"\x57\x69\x6e\x64\x6f\x77\x73\x20\x69\x73\x20\x6c\x69\x6b\x65\x20\x61\x20\x66"
"\x69\x73\x68\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x61\x20\x62\x69\x63\x79\x63"
"\x6c\x65\x0a\x00"
