> What was the full URI ? Are you sure it wasn't some box infected with > Code Red II or the like ? > > On a side note, how could this vulnerability yeild a root shell when > apache isn't/shouldn't be running as root. > > -Blake Apache runs as root. It uses a root process to bind to port 80 and to spawn and kill setuid child processes. Also, people have advised to run apache chroot()-ed, this adds another layer in the security but...is useless if the cracker actually gets to bind a root shell as it is not so hard to break out of a chroot with root privileges if you want to. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 04 2002 - 09:17:41 PST