<0> scp?
<1> 1 -rw-r--r-- 1 nobody machine - 116 Mar 29 00:59 hem.html
<2> if the cracker has interactive access then things are much worse off
<0> grep nobody /etc/passwd
<2> does http run as nobody?
<1> nobody:*:65534:65334:Unpriviledged user:/nonexistent:/sbin/nologin
<1> httpd runs as nobody
<0> so no valid shell
<0> that's good
<0> wait
<0> grep nologin /etc/shells
<2> I really have to support his first instinct here.
<0> just making sure
<2> pop, can you make that hem.html (I assume to be a phish attempt) available somewhere?
<1> no results
<0> ok
<0> so it's likely not ftp or scp
<1> Actually I changed it - and didn't make a backup. However, let me see if I have one of the older ones.
<0> unless they're really clever and enjoy tossing red herrings around
<2> or he's clever enough to chown the file to the httpd's user/group (stretching your absence of proof is not disproof)
<0> i still won't totally discount that possibility but i am no longer willing to pursue it for now
<0> so what cgi or php is common to all the websites that have been exploited?
<2> kp, say something
<0> something
<0> popeyeoil
<0> do you provide stats for your customers?
<1> http://www.advertechcorp.com/phishingfiles Okay - I just zipped up the old ones - if you go to the directory directly it says "Error! You cannot run codelock directly ..."
<0> do you provide stats for your customers?
<2> tcpdump -lXi bge0 |awk '/>/ { if (index(text, "roycroft")) print $0 ":", text; text = ""; next } { text = sprintf("%s%s", text, $NF ) }'
<2> a trivial packet sniffer that dumps traffic containing the string "roycroft"
<2> should use tools installed on freebsd by default
<1> I have tried to do that - but logrotate wouldn't cooperate - so I just do it once in a while when someone asks for it.
<0> what do you use for stats?
<2> it may seriously peg your cpu if the webserver is very busy
<3> very odd, from my shell to my domain 60ms pings, from this shell to irc 30ms pings, now the oddness. me to my shell 11ms pings
<0> ping is an almost totally useless metric
<0> it's more of an annoyance than anything
<1> webalizer (c) weblog (perl -very slow but insightful) and analyzerx I think is the last one I was monkeying with.
<1> None of them are running automatically.
<3> any one of those on gentoo?
<0> i don't know of any exploits for those offhand
<0> so we eliminate that for now
<0> you still haven't told us what cgi/php is common to the sites that get exploited
<0> actually they may not need to be common to all
<4> any of them running phpbb, wordpress, or use any xmlrpc code?
<1> I originally thought it was an ftp exploit - but the freebsd community was adamant that it was impossible.
<0> since you don't do suexec
<2> wow, that's some severely dense base64'd php...
<0> it's not "impossible"
<1> is suexec su to root?
<0> but it's unlikely
<1> If so then that's how I go to root is su
<2> it's a method of giving your webserver powers no webserver should have
<0> suexec runs cgi as the owner of the website
<4> no suexec lets you run webscripts as another user.
<0> as opposed to the standard way of running it as the owner of the httpd process
<1> I don't know of any php or cgi that is available to all the sites that have been hit. Everyone is pretty much independent.
<1> Mainly brochure type sites.
<0> do your users maintain their own sites or do you maintain them for them?
<1> No xwindows on the box.
<1> It's a mix - but mostly we maintain them - probably about 80% us /20% individual
<0> what php packages do you usually use
<0> ?
<1> That's a good question - and I don't use any - the other admin that just quit used php so I'll ask him what he was using but I'm sure they were pretty simple things. Maybe a php shopping cart would be the most complex.
<2> hrmph
<2> this problem needs a good sledgehammer, honest
<0> we're looking for common php exploits
<4> what PHP version?
<0> i would really really really start parsing weblogs to see what's going on
<1> I'm not very PHP literate - I do everything with perl or c scripts. Problem is some of the websites - mainly ones I've done use NO php at all.
<0> that's how i've found the last two problems we had
<0> c scripts?
<1> 5.0.3
<1> Yeah - like catalog. It's perl and C.
But so esoteric I doubt anyone would go to the trouble just to attack the one server in the world who actually bothered to install it.
<2> tcpdump -nlXi bge0 -s 1500 |awk '/>/ { if (index(text, "fZGF0YSwkY29kZWxvY2tfY") || index(text, "247Cn0KZnVuY3Rpb24gZ2V") || index(text, "b25mb2N1cz0idGhpcy52") || index(text, "YzwvYj4gdG8gNzc1LiI")) print $0 ":", text; text = ""; next } { text = sprintf("%s%s", text, $NF ) }'
<2> I doubt that'll step on any toes.
<4> 5.0.3 has security flaws related to it.
<5> wonder what programs bell labs used with unix?
<5> like the ones pertaining to the telco
<2> oops, a flaw
<4> unserialize IIRC.
<0> the folks at bell labs generally used dwb and wwb
<2> tcpdump -nlXi bge0 -s 1500 |awk '/>/ { if (index(text, "fZGF0YSwkY29kZWxvY2tfY") || index(text, "247Cn0KZnVuY3Rpb24gZ2V") || index(text, "b25mb2N1cz0idGhpcy52") || index(text, "YzwvYj4gdG8gNzc1LiI")) print ip ":", text; text = ""; ip = $0; next } { text = sprintf("%s%s", text, $NF ) }'
<5> what are dwb and wwb?
<0> documenter's workbench and writer's workbench
<0> yes
<0> it smells of backdoor
<2> leave it to mouring to offer such insight :P
<1> I couldn't get the update for PHP to install. I'm going to hang a new server - so I guess I'll bandaid this one for now. Thanks for all the help.
<0> don't give up now
<2> popeye, run the tcpdump for five minutes and see what turns up :P
<1> Figz - Do I just paste what you typed above?
<2> popeye, you need to replace "bge0" with the name of your external interface
<5> roycroft: what were those programs used for?
<2> oh, and add -c 5000 to the tcpdump
<2> ie
<0> word processing
<1> This is co-located - not local.
<2> tcpdump -nlXi bge0 -s 1500 -c 5000 |awk '/>/ { if (index(text, "fZGF0YSwkY29kZWxvY2tfY") || index(text, "247Cn0KZnVuY3Rpb24gZ2V") || index(text, "b25mb2N1cz0idGhpcy52") || index(text, "YzwvYj4gdG8gNzc1LiI")) print ip ":", text; text = ""; ip = $0; next } { text = sprintf("%s%s", text, $NF ) }'
<0> when unix was first created it was done to port a game to a new machine
<2> if that exits fairly soon without pegging the system, you can make the -c 5000 bigger
<5> roycroft: so they never used any programs to monitor performance of the bell system?
<0> but after it started doing interesting stuff the folks in bell labs wrote a bunch of text processing utilities
<2> if it stalls the system, it'll exit on its own fairly quickly
<0> and at&t legal started using it for all their word processing needs
<0> which funded the project
<0> you asked, i thought, what the main use was within bell labs
<6> freekaleek
<5> roycroft: so it was mainly used for word processing within bell labs
<0> yes
<5> yeah
<5> ahh, ok
<0> however, some at&t phone switches, most notably the 5ess, run a realtime variant of unix
<5> were there any utilities they used to monitor or switch phone systems?
<5> ahh
<6> what they should have been doing is inventing a spreadsheet that you can stare at for several hours without hurting your eyes
<0> staring at a spreadsheet for hours on end SHOULD hurt one's eyes
<6> i've discovered i can only work on excel for an hour or two at a stretch, then i need a break
<5> roycroft: so they used unix with phone switches in the early days?
<0> the 5ess is still widely-deployed
<0> i don't recall exactly when it came out
<0> in the '70s for sure
<5> 82 from wikipedia
<2> hmm
<5> think it would be quite an undertaking to get a unix switch and start playing with it?
<0> we have some opensource pbx system that runs on linux at work
<0> i don't recall what the hardware is
<6> asterisks?
<0> i haven't gotten around to installing it yet
<0> probably
<6> dsmouse has it at his home, he likes it
<0> we got a 4 pots line card for about $500, including the software
<0> i don't think that would be too serious an undertaking
<6> my friends bought a new house
<6> their house has cat5, phone, coax to every room
<0> logging into a 5ess would be a significant undertaking
<6> except the moronic builders didn't put cat5 near the tv
<0> it would require either breaking into a central office or spending a heck of a lot of money purchasing one
<6> or some time on ebay
<5> roycroft: i want to get a PDP11 system or something because i want to play with the early unix
<6> http://search.ebay.com/5ess
<6> CCFL_Man a 5ess wouldn't do you much good at home anyways
<2> CCFL, prepare to be underwhelmed :)
<5> eucalre: could i run my own pbx though?
<5> Figz: doesn't unix system 7 have tcp/ip?
<0> ccfl_man: ip was added in 4.3bsd
<0> v7 used uucp
<6> CCFL_Man far cheaper to use this, http://www.asterisk.org/
<0> and you don't need a pdp11