Re: Another overflow exploit for Apache?

From: Bill Pennington (billpat_private)
Date: Thu Jul 03 2003 - 09:12:38 PDT

Next message: James Tollerson: "RE: frontpage extensions; backdoor or initial compromise?"

Previous message: shimi: "Re: Another overflow exploit for Apache?"
In reply to: shimi: "Re: Another overflow exploit for Apache?"
Next in thread: Timmothy Posey: "RE: Another overflow exploit for Apache?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Another thing you might want to watch for is a web application flaw.  
Maybe a flaw in a php page that allowed an attacker to insert PHP  
commands into a page? I would have a line-by-line look at your  
access_log and error_log around the time the file was put on the server.

I would be happy to take a look at the logs if you need some assistance.


On Thursday, July 3, 2003, at 08:17 AM, shimi wrote:

>
> stupid question (but since you didn't mention, i have to ask): is  
> apache
> the only server running on this machine? if so, we have a big problem  
> ;)
>
> On Wed, 2 Jul 2003, Dayne Jordan wrote:
>
>> Greetings,
>>
>> Over the past 2 days we were alerted to 2 machines doing over  
>> 10mbits/sec
>> each. Upon further investigation here is what we found...
>>
>> Lets start with OS and essentials:
>> =====================================
>> - BSDi 4.2, patched current
>> - Apache 1.3.27 (running as nobody:nobody) non-suexec
>> - PHP-4.3.2 (allow_uploads=Off)
>>
>> We have found v2k.tar uploaded to /tmp/ and a new directory: /tmp/v/.
>>
>> su-2.02# ls -la /tmp
>> drwxrwxrwt   2 root    wheel     2560 Jul  2 13:40 .
>> drwxr-xr-x  17 root    wheel      512 Nov  3  2002 ..
>> -rw-r--r--   1 nobody  wheel  1762550 Jul  2 12:07 iprot-ip_log
>> -rw-r--r--   1 nobody  wheel   739326 Jul  2 11:13 iprot-user_log
>> -rw-r--r--   1 nobody  wheel    16384 Jul  2 13:48 iprot.db
>> srwxrwxrwx   1 root    wheel        0 Apr 29 02:16 mysql.sock
>> drwxr-xr-x   3 nobody  wheel      512 Oct  9  2002 v
>> -rw-r--r--   1 nobody  wheel   253952 Jul  2 09:21 v2k.tar
>>
>> Contents of /tmp/v:
>>
>> su-2.02# ls -lR
>> total 164
>> -rwxr-xr-x  1 nobody  wheel   13157 Nov 28  2002 hell
>> -rw-r--r--  1 nobody  wheel  102400 Sep 13  2002 k.tar
>> drwxr-xr-x  2 nobody  wheel     512 Nov 28  2002 netbios
>> -rwxr-xr-x  1 nobody  wheel   21866 Oct  9  2002 usg
>> -rwxr-xr-x  1 nobody  wheel   15807 Nov  8  2002 vadimI
>>
>> ./netbios:
>> total 94
>> -rwxr-xr-x  1 nobody  wheel  53760 Nov 28  2002 nbtscan
>> -rwxr-xr-x  1 nobody  wheel  18070 Nov 28  2002 smbkill
>> -rwxr-xr-x  1 nobody  wheel  23305 Nov 28  2002 smbnuke
>>
>> The program found running was 'hell':
>> An excerpt from ps aux/axl:
>>
>> nobody 3981 1   252 22385e0 0 I   ?? 0:00.01 sh -c v/hell  
>> 62.221.xxx.xx 110 2>&1
>> nobody 3982 3981 252 22385e0 0 RN  ??   10:17.28 v/hell 62.221.xxx.xx  
>> 110
>> nobody 4002 1 252 22385e0 0 I ??  0:00.07 sh -c v/hell 62.221.xxx.xx  
>> 110 2>&1
>> nobody 4003 4002 252 22385e0    0 R     ??    9:53.19 v/hell  
>> 62.221.xxx.xx 110
>> nobody 4033 1 252 22385e0 0 I ?? 0:00.09 sh -c v/hell 202.8.xxx.xxx  
>> 110 2>&1
>> nobody 4034 4033 252 22385e0 0 R  ??  8:18.19 v/hell 202.8.xxx.xxx 110
>> nobody 4051 1 252 22385e0 0 I ?? 0:00.08 sh -c v/hell 202.8.xxx.xxx  
>> 110 2>&1
>> nobody 4052 4051 252 22385e0 0 R ?? 7:40.63 v/hell 202.8.xxx.xxx 110
>> nobody 4122 1 252 22385e0 0 I ?? 0:00.04 sh -c v/hell 202.73.xxx.xxx  
>> 110\r\nwhoami; 2>&1
>> nobody 4179 1 252 22385e0 0 I ?? 0:00.06 sh -c v/hell 202.73.xxx.xxx  
>> 110\r\nwhoami; 2>&1
>> nobody 4180 4179 252 22385e0 0 R ?? 4:43.55 v/hell 202.73.xxx.xxx  
>> 110\r
>> nobody 4213 1 252 22385e0 0 I  ?? 0:00.05 sh -c v/hell 66.151.xx.xx  
>> 110\r\nwhoami; 2>&1
>>
>> su-2.02# strings hell
>> /lib/ld-linux.so.2
>> __gmon_start__
>> libc.so.6
>> printf
>> connect
>> socket
>> bzero
>> send
>> __deregister_frame_info
>> bcopy
>> gethostbyname
>> htons
>> exit
>> atoi
>> _IO_stdin_used
>> __libc_start_main
>> __register_frame_info
>> GLIBC_2.0
>> PTRh
>> Bombing %s, port %d
>> Unknown host: %s
>> Syntax: ./hell host port
>> Port can be any port, any of them work equally well
>> FUCKER!!!!
>> su-2.02#
>>
>> -System binaries are fine checking via known good BSDi 4.2 machines  
>> md5 output
>> -Nothing unusual running via netstat/sockstat
>> -Scanned externally for anything rogue listening - 0 found.
>> -root/admin accounts are not compromised
>>
>> The v2k.tar date/time was 09:21 July 2nd, 2003. A grep thru all the  
>> webserver
>> logs for 1-2 minutes on either side of that time do not reveal any  
>> unusual
>> requests that would look like an overflow type string that we've seen  
>> attempted
>> in the past.
>>
>> Any clues?
>>
>> D.
>> ===========
>>
>> ---------------------------------------------------------------------- 
>> ------
>> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,  
>> the
>> world's premier technical IT security event! 10 tracks, 15 training  
>> sessions,
>> 1,800 delegates from 30 nations including all of the top experts,  
>> from CSO's to
>> "underground" security specialists.  See for yourself what the buzz  
>> is about!
>> Early-bird registration ends July 3.  This event will sell out.  
>> www.blackhat.com
>> ---------------------------------------------------------------------- 
>> ------
>>
>
> -- 
>
>   Best regards,
>      Shimi
>
>
> ----
>
>    "Outlook is a massive flaming horrid blatant security violation,  
> which
>     also happens to be a mail reader."
>
>    "Sure UNIX is user friendly; it's just picky about who its friends  
> are."
>
>
> ----------------------------------------------------------------------- 
> -----
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,  
> the
> world's premier technical IT security event! 10 tracks, 15 training  
> sessions,
> 1,800 delegates from 30 nations including all of the top experts, from  
> CSO's to
> "underground" security specialists.  See for yourself what the buzz is  
> about!
> Early-bird registration ends July 3.  This event will sell out.  
> www.blackhat.com
> ----------------------------------------------------------------------- 
> -----
>
>

---
Bill Pennington, CISSP, CCNA
Chief Technology Officer
WhiteHat Security Inc.
http://www.whitehatsec.com


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: James Tollerson: "RE: frontpage extensions; backdoor or initial compromise?"
Previous message: shimi: "Re: Another overflow exploit for Apache?"
In reply to: shimi: "Re: Another overflow exploit for Apache?"
Next in thread: Timmothy Posey: "RE: Another overflow exploit for Apache?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 09:16:27 PDT