tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Attacks in Apache servers
Date Thu, 02 May 2013 17:28:14 GMT

Mark,

On 5/2/13 7:42 AM, Mark Thomas wrote:
> On 02/05/2013 12:29, Jess Holle wrote:
>> http://blogs.cisco.com/security/linuxcdorked-faqs/ claims this is
>> not a cPanel vulnerability per se...
> 
> To quote the relevant part of that article:
> 
> <quote> How are attackers gaining access to the host servers? How
> the attackers are gaining root access to begin with is a separate 
> matter, still unresolved. Attackers may have stolen login
> credentials via phishing, or via a localized infection on a
> management system, or simply by brute-force guessing the login. 
> </quote>
> 
> httpd is simply the vehicle the attackers are using to run their
> malware *once they already have root access*
> 
> There is no Apache http vulnerability to see here. Move along. Move
> along.

Didn't you know that 'rm' was vulnerable on Linux?!?!

An attacker with escalated privileges can -- through clever use of
this misunderstood command with code so complicated, that this
enormous vulnerability went unnoticed for decades -- wreak havoc on
any Linux system connected to the interwebs. The only plausible
mitigation of this egregious vulnerability is to uninstall the 'rm'
package or switch to a more secure OS.

...

The fact that this exploit is being called Linux/CDorked leads me to
believe that cPanel is definitely the vector. Why the attackers
decided to use httpd and not the gopher-over-uucp service is beyond me.

-chris


