On Sun, Jun 29, 2003 at 09:47:13PM +0800, Jason Lim wrote:
> The user CGIs run as the user's UID... suexec.

suexec doesn't run PHP suid the owner, unless you're using php-cgi. By default, PHP is incredibly insecure. If a user is using an insecure PHP application (or any other insecure CGI application; I use PHP as an example due to the preponderance of administrators who do not realize this), they can run arbitrary commands as that user with relatively little work, and as such gain shell access.

> Is there any tool that could search the system for root suid scripts (so
> the hacker can login again and gain root easily)?

find / -uid 0 -perm -4000

You will need to use a known-good copy of the `find' command. Copy it to the machine via sneakernet (by floppy) and run it locally. Even then, there's little guarantee the command is not being tampered with while running...

> Hope you can shed some light on the above, so at least the system can get
> back up and running, then we can even setup a new server (with SE Linux

You have few options now but to do a complete reinstall. There is no intermediate step when a machine has been breached.

I mention PHP above because... Briefly looking at your previous posts, it would appear that the machine was taken via the `www-data' user, suggesting either an Apache exploit, or an application running as the http daemon (the www-data user), which was not being run under suexec. From there, considering that you were (if I am recalling correctly) running a 2.4.17 kernel, which has a few known local root exploits (again, if I am recalling this correctly); I don't believe you mention if you are using Debian kernel packages, or vanilla source, or patched source.

However, the attack vector seems relatively clear: web app/server (if you're running stable, that would be 1.3.26; if you are indeed keeping up with security updates, it should be patched against the known Apache remote exploits), to shell, to kernel or suid buffer overflow or something of that nature. From that point, they have root access.
And don't bother hiding themselves at all, which is lucky for you, really.

Of course, all of the above is simply a hypothesis based on incomplete information, but... I would suggest taking a look at what CGI you or your customers are running, and searching the web for known security issues with them.

-- 
bda
Cyberpunk is dead. Long live cyberpunk.
http://mirrorshades.org
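As an added example (this is not part of bda's post, nor a Debian tool), the following POSIX sh script does the setuid sweep the reply recommends: it lists setuid/setgid files owned by a given uid, lets you pass the path of a known-good `find' binary you carried onto the box, and diffs the result against a baseline list taken from a clean install of the same release. The function names, the one-path-per-line baseline format and the `/floppy/find' path in the usage comment are assumptions made for the example; it does not remove the caveat in the post that a trojaned shell, libc or kernel can still lie to whatever you run on the compromised host.

```shell
#!/bin/sh
# Added example (not from the list post): enumerate setuid/setgid files owned
# by a given uid and diff them against a baseline from a trusted system.
# The find binary is a parameter so it can be a known-good copy brought in
# from outside, as the post recommends. Assumed names: find_setuid, suid_diff.

# find_setuid ROOT [UID] [FIND_BIN]
#   Print regular files under ROOT owned by UID (default 0) that carry the
#   setuid or setgid bit. "-perm -4000" means "the setuid bit is set, whatever
#   else is set"; an exact-mode test such as "-perm 0400" would miss them.
#   -xdev keeps the walk on one filesystem (no /proc, no NFS mounts).
#   -user accepts a numeric uid on GNU and BSD find alike.
find_setuid() {
    root=$1
    owner=${2:-0}
    findbin=${3:-find}
    "$findbin" "$root" -xdev -type f -user "$owner" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# suid_diff BASELINE ROOT [UID] [FIND_BIN]
#   Print setuid/setgid files present now but absent from BASELINE, which is
#   assumed to hold one absolute path per line (e.g. the output of
#   find_setuid recorded on a clean install of the same release).
suid_diff() {
    baseline=$1
    shift
    now=${TMPDIR:-/tmp}/suid.now.$$
    find_setuid "$@" | sort > "$now"
    sort "$baseline" | comm -13 - "$now"
    rm -f "$now"
}

# Usage when run directly, e.g. with a find binary brought over on floppy
# (the path is an assumption for the example):
#   sh suidcheck.sh / /floppy/find
if [ -n "${1:-}" ]; then
    find_setuid "$1" 0 "${2:-find}"
fi
```

Anything `suid_diff` prints is a setuid or setgid root file the clean system did not have and deserves a look; a silent run only tells you that the tools you ran were not lying to you, which is exactly the guarantee the post says you cannot get on a breached machine.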