>Well, not without getting root first.
>
>And making something listen that spawns a shell usable to gain further
>access is a big win. Keeping uploading PHP code to some vulnerable
>webserver will at some point be noticed. Uploading something spawning a
>shell once probably not.
>
When $someone hacked $somebigamericanwebhoster some years ago, $they first found a CMS that allowed online editing of its PHP code. $they were able to use that to run arbitrary shell commands. However, that thing had an edit history, so passing in new code over and over produced a clearly visible log entry each time (in retrospect, $they could just have patched that away, but well...). Uploading and starting ajaxterm, however, cost $them only two edits, and as it went listening on its own port without a firewall logging, $they had an interactive shell that could be configured to keep no record of anything.

(Not of any interest here, but $they then found a misconfigured NFS share that mapped all UIDs to root, keeping suid bits... use your imagination for the rest. But $they would not have found that without an interactive shell.)

-nik