[Modsecurity] Shellbot installation via lynx -lp
Michael Shinn
mike at gotroot.com
Fri Sep 14 15:41:50 EDT 2007
Also, what are the groups that can execute lynx?
On Fri, 2007-09-14 at 11:10 -0400, Michal Wallace wrote:
> On Thu, 13 Sep 2007 admin at efastservers.com wrote:
>
> > I can't understand how lynx -lp is being executed. If it's chmod 750 nobody
> > from the internet can execute the command. Why do I think it's lynx -lp?
> > Because I killed a pid that was executing lynx -lp as the user nobody.
>
> I bet it's not lynx. I bet the app just changes the
> name of the running process to make it LOOK normal.
> If you freeze it with kill -STOP and poke around in
> the /proc dir for the process, you'll probably see
> it started from another directory.
>
> Sincerely,
>
> Michal J Wallace
> Sabren Enterprises, Inc.
> -------------------------------------
> contact: michal at sabren.com
> hosting: http://www.cornerhost.com/
> my site: http://www.withoutane.com/
> -------------------------------------
>
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
SANS Advisory Board Member
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
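
The /proc check suggested in the quoted reply, written out as an added example (not code from anyone in this thread): it compares the name a process displays with the binary and working directory the kernel recorded for it. The script name proc_check.sh, the function names and the PROC_ROOT variable are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread: compare the name a process shows in ps
# with what the kernel recorded for it under /proc.
# PROC_ROOT is an assumption of this sketch; leave it at /proc on a live host.
PROC_ROOT="${PROC_ROOT:-/proc}"

# argv[0] as ps/top display it: first NUL-separated field of cmdline.
claimed_name() {
    tr '\0' '\n' < "$PROC_ROOT/$1/cmdline" | head -n 1
}

# Binary the kernel actually executed, from the exe symlink.
real_exe() {
    readlink "$PROC_ROOT/$1/exe"
}

# Returns 0 when the displayed name disagrees with the real binary or the
# binary has been deleted from disk, 1 when they agree, 2 when unreadable.
is_masquerading() {
    exe=$(real_exe "$1") || return 2
    case "$exe" in *" (deleted)") return 0 ;; esac
    claimed=$(claimed_name "$1")
    claimed=${claimed%% *}      # arguments packed into argv[0], e.g. "lynx -lp"
    claimed=${claimed#-}        # login shells appear as "-bash"
    [ "${claimed##*/}" != "${exe##*/}" ]
}

# Print the fields worth recording before the process is killed.
report() {
    rc=0; is_masquerading "$1" || rc=$?
    [ "$rc" -ne 2 ] || { echo "pid $1: cannot read (gone, or not root)"; return 2; }
    echo "claimed: $(claimed_name "$1")"
    echo "exe:     $(real_exe "$1")"
    echo "cwd:     $(readlink "$PROC_ROOT/$1/cwd")"
    [ "$rc" -eq 0 ] && echo "verdict: displayed name does not match binary"
    return 0
}

# Usage: kill -STOP <pid>; sh proc_check.sh <pid>
if [ "$#" -ge 1 ]; then report "$1"; fi
```

The basename comparison is a heuristic: multi-call binaries reached through symlinks will also show a mismatch, so read the exe and cwd paths themselves before drawing a conclusion.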