Re: possible apache flaw ?

[Marc Matteo <marcm@lectroid.net>]

On Mon, 2002-03-11 at 00:23, veins wrote:
> in php scripts as even the most insecure script would not make apache
> segfault and
> "give" someone a shell.

I doubt segfaulting... but I see no reason why bad PHP programming
wouldn't happily give me a shell :).

> I didn't get the chance to portscan the server and
> see if it really
> binds a shell to some port because of pf having very restrictrive rules but
> that would
> explain the idling (user 'www' loggued in for 10 minutes idling before I
> kill the process).

Check if there are remote ssh sessions.  If I had a way to get Apache
(or PHP or whatever) to barf while tucked behind a "restrictive"
firewall I'd have it spawn an 'ssh -R ...' and have it connect to me :).

The segfault bit is disturbing though.  Either your *really* screwed
something up :) or someone's got an interesting exploit.

So to be clear, this is NOT the default Apache from OpenBSD but the
latest flavor from apache.org?  Same with PHP?

> is constantly auditing logs in search of weird things.

Hmmm, and a packet sniffer on another box would be fun :).

Can you tell, from your logs, say login times for the www users and the
last pages accessed?

Marc