Re: Hack attempt
Hi Norbert,
> -----Original Message-----
> From: Norbert Crettol [mailto:norbert.crettol@idiap.ch]
> Sent: Wednesday, July 21, 2004 5:03 PM
>
> We've had an undesired visitor, last night, that I discovered in the
> reports of tripwire.
>
> Has someone seen this kind of attack? (chkrootkit doesn't detect it).
> Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org)?
> Is there a way to stop this guy? His nickname (CaEm) appears in
> the uploaded scripts.

This is a "File Injection Bug" attack. As far as I know this script gains
access as nobody (or webserver user), reads files placed in /tmp (or where
the webserver user can read), places some files and executes them.

Problem: Some of your scripts accept user data without validation. This is
the most common way to inject files onto a webserver.

Resolution: Shut down the system, clean it up, update it to the latest versions
and recheck your scripts.

Regards
Jan
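
Added example, not part of the original message: a triage check for the behaviour described above, listing regular files under temporary directories that are owned by the web server account and are either executable or start with a script or ELF header. The account name `nobody` and `/tmp` come from the message; `/var/tmp` and the function and variable names are assumptions.

```python
import os
import pwd
import stat
import sys

# /tmp is named in the message; /var/tmp is an added assumption.
DEFAULT_DIRS = ["/tmp", "/var/tmp"]
MAGIC = (b"#!", b"\x7fELF")  # script shebang or ELF binary header


def suspicious_files(roots, uid):
    """Return sorted (path, reasons) for regular files owned by uid that
    are executable or begin with a shebang / ELF magic."""
    hits = []
    for root in roots:
        # os.walk does not follow symlinked directories by default.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or st.st_uid != uid:
                    continue
                reasons = []
                if st.st_mode & 0o111:  # any execute bit set
                    reasons.append("executable")
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(4)
                except OSError:
                    head = b""
                if head.startswith(MAGIC):
                    reasons.append("script-or-elf-header")
                if reasons:
                    hits.append((path, reasons))
    return sorted(hits)


if __name__ == "__main__":
    # "nobody" is the account named in the message; pass another as argv[1].
    user = sys.argv[1] if len(sys.argv) > 1 else "nobody"
    uid = pwd.getpwnam(user).pw_uid
    for path, reasons in suspicious_files(DEFAULT_DIRS, uid):
        print(path, ",".join(reasons))
```

Run it from known-good media or a separate host against the mounted disk where possible, since tools on a compromised system may have been tampered with.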