[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: possible apache flaw ?
> > in php scripts as even the most insecure script would not make apache
> > segfault and "give" someone a shell.
> I doubt segfaulting... but I see no reason why bad PHP programming
> wouldn't happily give me a shell :).
yeah I meant give you a shell as a result of apache segfaulting.
> > I didn't get the chance to portscan the server and
> > see if it really
> > binds a shell to some port because of pf having very restrictrive rules
> > that would
> > explain the idling (user 'www' loggued in for 10 minutes idling before I
> > kill the process).
> Check if there are remote ssh sessions. If I had a way to get Apache
> (or PHP or whatever) to barf while tucked behind a "restrictive"
> firewall I'd have it spawn an 'ssh -R ...' and have it connect to me :).
There are no remote ssh session the shell seems to keep idling. I don't
that the guy (if it really is someone, what i am really starting to believe)
the skills to rewrite a shellcode. Looking at the logs it seems like it is a
script kiddie using someone's else exploit (what cracker would be dumb
enough to trigger over a hundred attacks in a few days without fearing to
get discovered). What I think is that this guy saw that there was something
going wrong but ssh not being accessible he would not be able to get in.
> The segfault bit is disturbing though. Either your *really* screwed
> something up :) or someone's got an interesting exploit.
Well, I don't know what I would have screwed up, really. I believe there
is some exploit but there are just rumors, I don't know what is true and
what is false, but all this makes me wonder.
> So to be clear, this is NOT the default Apache from OpenBSD but the
> latest flavor from apache.org? Same with PHP?
It is apache 1.3.23 and php 4.1.2.
> > is constantly auditing logs in search of weird things.
> Hmmm, and a packet sniffer on another box would be fun :).
Yeah, I configured pf on the gateway to log evvery packet ingoing and
outgoing. I should be able to retrace which client caused apache to segfault
as apache doesn't log the IP address of the client in this particular case.
> Can you tell, from your logs, say login times for the www users and the
> last pages accessed?
Nope, that's why I enabled full logging.
-- bofh at kheos.net && skreel.org - bofh, the choice of a degenerated
'Un jour, un canard qui se prénommait Harry dit à une cane: ris, cane ! Et
la cane a ri.'