On 18 Sep 2003 at 15:02, Markus Schabel wrote: > Christian Storch wrote: > > The problem is starting >>before<< > > I think all the things >>before<< phpshell.php are done via > phpshell.php and the things you can see in the .bash_history > are only the things after he already got in. > [...] > > - known unclosed security hole? > > It seems that it was possible to upload & execute .php-files somewhere > (phpshell.php)
Maybe a directory-traversal-thing when using a certain form provided on a webpage to upload files? Check your scripts. It's quite easy to open such security holes - be careful with fileuploads. Stefan > > -----Original Message----- > > From: Markus Schabel [mailto:[EMAIL PROTECTED] > > Sent: Thursday, September 18, 2003 12:23 PM > > To: debian-security@lists.debian.org > > Subject: Re: [sec] Re: Strange segmentation faults and Zombies > > > > maximilian attems wrote: > > > >>On Thu, 18 Sep 2003, Christian Storch wrote: > >> > >> > >> > >>>Don't forget to try to find the potential hole first! > >>>Otherwise you could have a fast recurrence. > >>>[..] > >>> > >>> > >>>>>in /etc/.rpn theres a .bash_history with the following content: > >>>>> > >>>>> > >>>>>>id > >>>>>>mkdir /etc/.rpn > >>>>>>ps -aux > >>>>>>ps -aux | grep tbk > >>>>>>kill -15292 pid > >>>>>>kill 15292 > >>>>>>netconf > >>>>>>locate httpd.conf > >>>>>>cd /etc/.rpn > >>>>>>ls -al > >>>>>>wget > >>>>>>cd /var/www/cncmap/www/upload/renegade > >>>>>>ls -al > >>>>>>rm -rf phpshell.php > >> > >> ^__________^ > >>was this the exploited hole ? > > > > > > I think so. In fact the problem is that it got there...
