From: Ryan Thompson
To: "Gustavo A. Baratto"
cc: freebsd-security@freebsd.org
Date: Wed, 11 Aug 2004 15:32:12 -0600 (CST)
Subject: Re: FreeBSD-SA-04:13.linux in the wild
Message-ID: <20040811152741.R41454@drizzle.sasknow.net>
In-Reply-To: <015701c47fe9$83dc7ff0$9c01a8c0@chivas>
References: <20040811145637.R41454@drizzle.sasknow.net> <015701c47fe9$83dc7ff0$9c01a8c0@chivas>

Gustavo A. Baratto wrote to Ryan Thompson and freebsd-security@freebsd.org:

> I think I may have seen such a thing before as well... not a FreeBSD problem
> though... It's php's own fault.
>
> php comes with url_fopen enabled by default, so if someone writes a
> script.php with something like:
>
>     include ("$var");
>
> [...]
>
> just disabling url_fopen in php.ini would prevent that.
>
> If this is not what you have seen, please, I'd like to know more about it.

Yep, that's almost exactly what happened. The PHP injection by itself is
fairly pedestrian, and happens on a fairly regular basis (so we have audits
for a whole host of things like this). I just mentioned it to give a bit of
background to the attack. The linux exploit, though, I hadn't spotted in the
wild yet, thus my post, here.

- Ryan

-- 
Ryan Thompson
SaskNow Technologies - http://www.sasknow.com
901-1st Avenue North - Saskatoon, SK - S7K 1Y4
Tel: 306-664-3600 Fax: 306-244-7037 Saskatoon
Toll-Free: 877-727-5669 (877-SASKNOW) North America
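As an added example (not code from the thread or from either poster), a small Python audit script in the spirit of the source audits mentioned above: it flags include/require statements whose path is not a plain string literal, and reads allow_url_fopen from php.ini text, since a variable include is only reachable remotely while that setting is on. The PHP file and php.ini fragments are constructed samples, and the regex is a heuristic, not a PHP parser.

```python
import re

# include/require (optionally _once) followed by its argument up to the ';'.
INCLUDE_RE = re.compile(
    r'\b(include|require)(_once)?\b\s*\(?\s*(?P<arg>[^;]+?)\s*\)?\s*;',
    re.IGNORECASE)
# A plain quoted string with no '$' inside: safe, fixed path.
LITERAL_RE = re.compile(r"""^(['"])[^'"$]*\1$""")


def find_variable_includes(php_source):
    """Return (line_no, statement) for every include/require whose argument is not a literal."""
    findings = []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            if not LITERAL_RE.match(m.group('arg').strip()):
                findings.append((n, m.group(0).strip()))
    return findings


def url_fopen_enabled(php_ini):
    """True if the php.ini text leaves allow_url_fopen on (PHP's default when unset)."""
    setting = None
    for line in php_ini.splitlines():
        line = line.split(';', 1)[0].strip()          # drop ini comments
        key, sep, value = line.partition('=')
        if sep and key.strip().lower() == 'allow_url_fopen':
            setting = value.strip().strip('"').lower()  # last one wins, as in PHP
    if setting is None:
        return True
    return setting in ('on', '1', 'true', 'yes')


def audit(php_source, php_ini):
    """Combine both checks; remote inclusion needs a variable include AND url_fopen on.
    (Later PHP releases gate include/require separately via allow_url_include.)"""
    hits = find_variable_includes(php_source)
    enabled = url_fopen_enabled(php_ini)
    return {'allow_url_fopen': enabled, 'variable_includes': hits,
            'remote_inclusion_risk': bool(hits) and enabled}


# Constructed sample inputs.
SAMPLE_PHP = """<?php
require_once('config.php');           // literal path: fine
include ("$var");                     // the pattern from the thread
include($_GET['page'] . '.php');      // request parameter reaches the path
$includes = 3;                        // an assignment, not a statement to flag
?>"""
SAMPLE_INI_DEFAULT = "; php.ini-dist (constructed)\nmemory_limit = 8M\n"
SAMPLE_INI_HARDENED = "; constructed\nallow_url_fopen = Off\n"
```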