Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....




> B. Can I conclude that the attacker came through the horde framework (cmdshell.php)? The horde framework was installed from the centos repo.....!!!
> C. BUT THE WORST THING OF ALL IS THESE LINES BELOW....
> <snip>
> 14:47:47 (35,1 KB/s) - `unix.tgz' saved [1614224/1614224]

To answer B & C, I'm reasonably certain that the answer to both is Yes. I got curious so I downloaded the file at http://mv.do.am/unix.tgz into a secured area of my computer. I was surprised the hacker hasn't moved on, but it contains the files you identified sitting in /dev/shm/unix.

It looks to me like the hacker exploited a weakness in horde's cmdshell.php to upload the file "unix.tgz" to /dev/shm, then unpacked it and off he/she went.

Going forward I would recommend, after doing a wipe & reinstall, investigating putting Apache into a chroot jail and hardening php using suhosin/hardened-php or the like. The jail will limit the damage a hacker can do when they break in, and Suhosin will make it harder for them to do so.

-- Drew
"Nothing in life is to be feared. It is only to be understood." --Marie Curie
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
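The reply above identifies /dev/shm as the drop point for the toolkit and recommends hardening afterwards. The script below is an added example for readers of the thread, not code posted by Drew or shipped with CentOS: it lists executable files, archives and scripts staged under a directory such as /dev/shm, and reports whether that mount point is mounted noexec (which would have stopped the unpacked tools from running in place). The directory argument, the file-name patterns and the helper names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a world-writable staging
# directory (the thread's case is /dev/shm) for files a toolkit drop would
# leave behind, and check whether that mount is noexec. The file-name
# patterns and function names are assumptions for illustration.

# find_staged DIR
#   Print regular files under DIR that are executable by their owner or
#   that look like archives or scripts, sorted in C-locale order.
find_staged() {
    dir="$1"
    find "$dir" -type f \( -perm -100 -o -name '*.tgz' -o -name '*.tar.gz' \
        -o -name '*.php' -o -name '*.pl' \) 2>/dev/null | LC_ALL=C sort
}

# count_staged DIR
#   Number of findings from find_staged, as a bare integer (0 for a
#   missing or empty directory).
count_staged() {
    find_staged "$1" | wc -l | tr -d ' \t'
}

# has_noexec OPTS
#   OPTS is the comma-separated mount-option field (4th column of /proc/mounts).
#   Returns 0 when noexec is among the options, 1 otherwise.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# report_mount MOUNTPOINT
#   Look MOUNTPOINT up in /proc/mounts and report whether it is mounted noexec.
#   Exit status: 0 noexec, 1 not noexec, 2 mount point not found.
report_mount() {
    mp="$1"
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' /proc/mounts 2>/dev/null)
    if [ -z "$opts" ]; then
        echo "$mp: not present in /proc/mounts"
        return 2
    fi
    if has_noexec "$opts"; then
        echo "$mp: mounted noexec ($opts)"
        return 0
    fi
    echo "$mp: NOT mounted noexec ($opts)"
    return 1
}

# Usage: sh shm_audit.sh /dev/shm
if [ "$#" -gt 0 ]; then
    echo "Suspicious files under $1:"
    find_staged "$1"
    report_mount "$1" || true
fi
```

Run it as `sh shm_audit.sh /dev/shm` on a box you suspect; an empty listing plus a "mounted noexec" line is the state you want. Note that noexec on /dev/shm only blocks direct execution of files placed there; an interpreter can still read a script from that path, so it complements rather than replaces the chroot and Suhosin measures Drew suggests.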
