Chris Robertson wrote:
> > Where's the posix api and dl-functionality report? Any specific
> > keywords to narrow it down? disable_*** in php.ini?
>
> I actually started with PHP as my most likely culprit but in digging in
> one of the servers that was compromised doesn't have any php web pages,
> i.e. the module is loaded but not in use.

Well, is it possible it crossed process boundaries to other processes also
running as user 'wwwrun'?

> I'm also somewhat confused as to how privileges were escalated since the
> httpd binaries were running as the user "wwwrun". I'm not an Apache
> expert (obviously :) but my understanding was that all httpd processes
> would run under the effective permissions of that user, i.e. you'd need
> to get a buffer overflow (or similar) that got through the PHP layer and
> the httpd code before you could get a root level exploit. Yeah/nay?

Whoops. Don't tell us you started httpd as wwwrun? That means you don't
have a protected space in .../logs etc. that isn't writeable as wwwrun.
The point of starting apache as 'root', backing down to 'User wwwrun', is
that httpd the daemon can open otherwise protected files, and then
discard its permissions to do any further damage.

Bill

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
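An added audit script (not from the thread or the Apache project) for the model Bill describes: the httpd parent started as root, workers dropped to the 'User' account, and the logs directory not writable by that account. It assumes the unprivileged account is wwwrun with group www, and that the permission string comes from `stat -c %a` on Linux; the ps listings in the block are constructed samples.

```sh
#!/bin/sh
# Added example: audit httpd privilege separation. Assumes User wwwrun / group www.
UNPRIV_USER="${UNPRIV_USER:-wwwrun}"
UNPRIV_GROUP="${UNPRIV_GROUP:-www}"

# audit_httpd_procs: reads "user pid ppid comm" lines on stdin, e.g.
#   ps -eo user,pid,ppid,comm | audit_httpd_procs
# Exit 0 only when the single top-level httpd process runs as root and
# every httpd child runs as $UNPRIV_USER; otherwise print why and exit 1.
audit_httpd_procs() {
  awk -v unpriv="$UNPRIV_USER" '
    $4 ~ /httpd/ { user[$2] = $1; ppid[$2] = $3; n++ }
    END {
      if (n == 0) { print "no httpd processes found"; exit 1 }
      bad = 0; roots = 0
      for (p in user) {
        if (ppid[p] in user) {            # worker: its parent is an httpd pid
          if (user[p] != unpriv) { print "worker " p " runs as " user[p]; bad = 1 }
        } else {                          # top-level parent (no httpd parent)
          roots++
          if (user[p] != "root") { print "parent " p " started as " user[p] ", not root"; bad = 1 }
        }
      }
      if (roots != 1) { print roots " top-level httpd processes, expected 1"; bad = 1 }
      exit bad
    }'
}

# logs_dir_protected MODE OWNER GROUP: MODE is the octal string from
# "stat -c %a /path/to/logs". Exit 0 only when the unprivileged account
# cannot write there via the owner, group or world bits.
logs_dir_protected() {
  mode=$(( 0$1 )); owner=$2; group=$3          # leading 0 forces octal
  if [ "$owner" = "$UNPRIV_USER" ] && [ $(( (mode >> 6) & 2 )) -ne 0 ]; then
    echo "logs dir owned and writable by $UNPRIV_USER"; return 1
  fi
  if [ "$group" = "$UNPRIV_GROUP" ] && [ $(( (mode >> 3) & 2 )) -ne 0 ]; then
    echo "logs dir group-writable by $UNPRIV_GROUP"; return 1
  fi
  if [ $(( mode & 2 )) -ne 0 ]; then echo "logs dir world-writable"; return 1; fi
  return 0
}

# Constructed sample listings: the intended model, and a server started as wwwrun.
GOOD_PS='root 1 0 init
root 100 1 httpd
wwwrun 101 100 httpd
wwwrun 102 100 httpd'
BAD_PS='root 1 0 init
wwwrun 100 1 httpd
wwwrun 101 100 httpd'
```

Run it against a live box with `ps -eo user,pid,ppid,comm | audit_httpd_procs` and `logs_dir_protected "$(stat -c %a /srv/www/logs)" owner group` using the directory's real owner and group.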