XML-RPC for PHP Vulnerability Attack

Robert Canary phantom at ohiocounty.net
Sat Dec 24 23:01:47 UTC 2005


We have recently suffered an attack under this exploit, and disabled our phpBB (Bulletin 
Board).  Although I understand the attack came in through an XML-PHP exploit, I can't find 
anything that tells me exactly what needs to be updated.

This is an RHL 7.2 server.
Reference this article:
http://isc.sans.org/diary.php?storyid=823

We had 12 perl scripts running under the apache username.  They each were running a script 
located in the /tmp folder.  And created a very healthy list of other php pages (mostly 
bulletin boards and group forums).  It totally killed our trunk line, 110% saturation.

Anyone familiar with this attack?  It is a very crippling attack and I am surprised I did 
not find more information about it.

It was br0k3d whose name was on the script file.  The system itself wasn't compromised 
because apache is very limited on which folders it can enter and permissions it has.  Near 
as I can tell the exploit allowed a user to download a script file using http protocol and 
save it to the /tmp folder.  Then the exploit told apache to run /usr/bin/perl 
/tmp/nameofscriptfile; that is when the fun began.

Another good reason *not* to set up a webserver as root or even a super user.

--
robert
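The indicator the post describes (the web server account running an interpreter on a script that lives in /tmp) is easy to check for in a process listing. The following is an added detection example, not code from the post or from Red Hat; it assumes the web server runs as "apache" as in the post, treats /tmp, /var/tmp and /dev/shm as the writable directories of interest, and works on constructed `ps -eo user,pid,args` output rather than anything captured from the poster's server.

```python
"""Flag processes where the web server's account runs something out of a
world-writable directory, either directly or via an interpreter such as
/usr/bin/perl /tmp/<script> (the pattern described in the post).

Input is the text of `ps -eo user,pid,args` (columns: USER, PID, COMMAND).
"""
from typing import List, Tuple

# Assumptions for this example: the web server's account name (taken from
# the post) and directories a web server should never execute code from.
WEB_USER = "apache"
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
INTERPRETERS = {"perl", "python", "php", "sh", "bash"}


def parse_ps(output: str) -> List[Tuple[str, int, List[str]]]:
    """Split `ps -eo user,pid,args` output into (user, pid, tokens) rows."""
    rows = []
    for line in output.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, cmd = parts
        rows.append((user, int(pid), cmd.split()))
    return rows


def in_writable_dir(path: str) -> bool:
    return any(path.startswith(d) for d in WRITABLE_DIRS)


def suspicious(user: str, tokens: List[str]) -> bool:
    """True when WEB_USER runs a binary from a writable dir, or runs an
    interpreter whose command line names a file in one (covers sh -c too)."""
    if user != WEB_USER or not tokens:
        return False
    if in_writable_dir(tokens[0]):
        return True
    base = tokens[0].rsplit("/", 1)[-1]
    return base in INTERPRETERS and any(in_writable_dir(t) for t in tokens[1:])


def find_suspicious(output: str) -> List[int]:
    """Return the PIDs of processes matching the pattern, sorted."""
    return sorted(pid for user, pid, tokens in parse_ps(output)
                  if suspicious(user, tokens))


# Constructed sample listing; the script path reuses the post's placeholder.
SAMPLE_PS = """\
USER       PID COMMAND
root         1 init [3]
apache    2231 /usr/sbin/httpd
apache    2410 /usr/bin/perl /tmp/nameofscriptfile
apache    2411 perl /var/tmp/.x/other.pl
robert    2600 perl /home/robert/report.pl
apache    2612 sh -c /usr/bin/perl /tmp/nameofscriptfile
"""

if __name__ == "__main__":
    print("suspicious PIDs:", find_suspicious(SAMPLE_PS))
```

Run it against live output with `ps -eo user,pid,args`; a non-empty result is worth investigating even when the system account itself is unprivileged, because, as the post notes, it is still enough to saturate the uplink.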



