Re: possible apache flaw ?
Are you familiar with the recent PHP problems? Make sure you have those
patches applied.
http://security.e-matters.de/advisories/012002.html
Unless the Voices are Mistaken, veins (veins@skreel.org) Wrote:
> I know this isn't the right mailing list, but as it is, in my opinion, pretty
> important...
>
> I have the latest version of apache running with the latest version of php, no
> modules that are not included in core. I took extreme caution while configuring
> both and I am pretty sure (after checking the logs) that this is not related to
> the way both of them are configured or even to some badly written scripts. The
> logs also show clearly that it was apache that was attacked and no other
> services.
>
> Here's what happened. I logged in a few minutes ago and started checking out
> the logs when I noticed that many apache processes received a sigsegv. I grepped
> them out and did a quick count, there were 132 for the last three days. I did a
> ps and saw that there was actually a shell running with 'www' privileges, as I
> thought it could be a cron job, I typed 'who' and saw that there was a user
> logged in on that account. He was logged in for about 10 minutes, I waited a few
> minutes to see if he was doing something or just idling and finally killed his
> shell. Now I'm running a script that will tell when 'www' has a shell running,
> but I am really wondering where could the problem be. I am running
> OpenBSD-3.0-stable, every patch applied and as far as I know, apache has been
> running for years without a remote flaw.
>
> I don't know what the hell happened, but I thought I should warn you to at
> least look at your log files these days, who knows, maybe some private exploit
> is in the wild.
>
> veins
> -- bofh at kheos.net && skreel.org - bofh, the choice of a degenerated
> administration.
> 'One day, a duck named Harry said to a female duck: laugh, duck! And the duck
> laughed.'
--
John W. Eisenschmidt <jweisen@eisenschmidt.org>
Homepage URL | http://www.eisenschmidt.org/jweisen
PGP Public Key | http://www.eisenschmidt.org/jweisen/misc/jeisenschmidt.asc
PGP Fingerprint | 5F9B F916 5AD1 3295 CF99 BC1E 1F97 E6A3 37E3 BEF2
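
The two checks described in the quoted report (counting Apache children that died with SIGSEGV, and spotting a shell owned by 'www'), as an added example that is not part of either message. The function names, the Apache 1.3 error_log line format, the ps column layout and all sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: sample data below is constructed, not taken from the report.

# Count Apache children killed by SIGSEGV, grouped by day.
# Assumes Apache 1.3 error_log lines on stdin.
count_segv_by_day() {
    awk '/child pid [0-9]+ exit signal Segmentation fault/ {
             year = $5; sub(/\]/, "", year)   # $5 is the year with a trailing "]"
             n[year " " $2 " " $3]++          # $2 = month, $3 = day of month
         }
         END { for (d in n) print d, n[d] }' | sort
}

# Print "pid tty command" for every shell owned by account $1.
# Assumes "user pid tty command" lines on stdin, e.g. from
# `ps -eo user,pid,tty,comm` (POSIX syntax; adjust flags for your ps).
shells_owned_by() {
    awk -v acct="$1" '$1 == acct {
             cmd = $4
             sub(/^-/, "", cmd)               # login shells are listed as "-sh"
             sub(/.*\//, "", cmd)             # drop any leading path
             if (cmd ~ /^(sh|ksh|csh|tcsh|bash|zsh)$/) print $2, $3, $4
         }'
}

SAMPLE_LOG='[Sun Mar  3 23:58:01 2002] [notice] child pid 2201 exit signal Segmentation fault (11)
[Mon Mar  4 02:11:45 2002] [notice] child pid 2290 exit signal Segmentation fault (11)
[Mon Mar  4 02:11:47 2002] [error] [client 192.0.2.10] File does not exist: /var/www/htdocs/x
[Mon Mar  4 02:12:03 2002] [notice] child pid 2291 exit signal Segmentation fault (11)'

SAMPLE_PS='www 2290 ?? httpd
www 4312 p0 -sh
root 1 ?? init
veins 5100 p1 -ksh'

printf '%s\n' "$SAMPLE_LOG" | count_segv_by_day   # per-day crash counts
printf '%s\n' "$SAMPLE_PS" | shells_owned_by www  # any shell under www
```

A web server account normally has no reason to own a shell, so any line printed by the second check is worth alerting on.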