> nothing else you mention even raises an eyebrow. These two are likely
> your culprits if you run untrusted scripts. I'd disable all the posix
> api functions and dl-functionality based on a recent report.
>
> As far as /root/2/ that doesn't correspond to something I know of, but
> limiting users who run PHP, or even better, running them with cgiwrap
> or fastcgi in a nobody sandbox is an even better solution.

Thanks for the response. Where's the posix api and dl-functionality report? Any specific keywords to narrow it down?

I actually started with PHP as my most likely culprit, but in digging in, one of the servers that was compromised doesn't have any PHP web pages, i.e. the module is loaded but not in use.

I'm also somewhat confused as to how privileges were escalated, since the httpd binaries were running as the user "wwwrun". I'm not an Apache expert (obviously :) but my understanding was that all httpd processes would run under the effective permissions of that user, i.e. you'd need to get a buffer overflow (or similar) that got through the PHP layer and the httpd code before you could get a root-level exploit. Yeah/nay?

Thanks again,

Chris

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
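As an added example (not from either poster or from the Apache or PHP projects), this is the kind of php.ini hardening the quoted reply is suggesting: turn off runtime loading of extensions and blacklist dl() together with the POSIX extension's functions. The exact function list is an assumption about what "the posix api functions" covers; the authoritative list for a given build is whatever `php -r 'print_r(get_extension_funcs("posix"));'` prints, so compare against that before deploying.

```ini
; php.ini hardening matching the quoted advice (added example, not from the thread)

; Refuse dl() at the engine level: scripts can no longer load arbitrary
; shared objects into the httpd worker at runtime.
enable_dl = Off

; Belt and braces: also hide dl() and the POSIX extension's process/user
; functions from scripts. The posix_* list below is an assumption; it must
; be checked against get_extension_funcs("posix") on the target build.
disable_functions = dl,posix_setuid,posix_setgid,posix_seteuid,posix_setegid,posix_setsid,posix_setpgid,posix_kill,posix_mkfifo,posix_getpwuid,posix_getpwnam,posix_getgrgid,posix_getgrnam,posix_uname,posix_ttyname,posix_getlogin
```

Both directives are system-level settings (PHP_INI_SYSTEM), so a script cannot re-enable them with ini_set(), and a per-directory php_value in .htaccess cannot either; they only take effect after httpd is restarted. A disabled function is reported as absent by function_exists(), so `php -r 'var_dump(function_exists("posix_setuid"));'` returning bool(false) under the same php.ini is a quick way to confirm the setting was picked up.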