Re: [cobalt-security] Hacker Goes On Defacement Spree In Australia
- Subject: Re: [cobalt-security] Hacker Goes On Defacement Spree In Australia
- From: Glen Scott <glen@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 7 Sep 2001 08:40:00 +0100
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Just thought I would let you all know that I found the hacker/s that
> defaced one of my virtual sites on a RaQ3. I still haven't figured
> out all that could have been done, but I did find the hacker got
> through using a CGI. I did a grep on the web.log file for "dwarf"
> and then found that bbs_forum.cgi was being used to execute Perl
> scripts. Here is a partial line which contains a Perl command:
>
> bbs_forum.cgi?forum=open&read=|perl%20/tmp/shell2.p|
>
> The following web.log line shows some info on the attacker:
>
> 62.236.118.98 - - [27/Jul/2001:20:33:09 -0400] "GET / HTTP/1.0" 200 16891 "http://defaced.alldas.de/defaced.php?attacker=dwarf&p=1" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0)"
>
> I found that dwarf had somehow written into /tmp a subdirectory
> named ". " and hid all sorts of files. Now, I still don't know what
> to do to prevent this from happening in the future. Maybe someone
> else has experienced this sort of hack and can give some advice?
>
> See the following URL for a newsbyte on the subject:
> http://www.newsbytes.com/news/01/167607.html
>
> "... according to Alldas, all sites were hosted on the Microsoft Web
> server platform. The Alldas archive is at http://defaced.alldas.de/ "
>
> Note that even though my RaQ is not a Microsoft web server, the RaQ
> was still hacked. I tried going to this site, and it seems to no
> longer be online. I think there were some peeved folks!
>
> Thanks for any insights you may give!

bbs_forum.cgi has a vulnerability. Read this for more information:
http://www.secureroot.com/security/advisories/9790497045.html

Download a new, secure version from here:
http://www.extropia.com/hacks/security/bbs_security.html

Regards,
Glen Scott
--
---
Design Solution Limited
t: +44 (0)1502 513008
f: +44 (0)1502 588622
e: info@xxxxxxxxxxxxxxxxxxxx
w: http://www.designsolution.co.uk
Nouvotech House, Harbour Road,
Oulton Broad, Suffolk, NR32 3LZ, UK
---
DS Knowledge Base http://faq.dessol.co.uk
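
Added example, not part of the original messages and not code from bbs_forum.cgi or its vendor: a small Python scanner that generalizes the grep described in the thread by flagging any access-log request whose query parameter begins or ends with a pipe, the shape of the `read=|perl%20/tmp/shell2.p|` line quoted above. The sample log lines, the 192.0.2.x addresses, the `/cgi-bin/` path and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Common/Combined Log Format: client, timestamp, then "METHOD target PROTOCOL".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')

# Constructed sample lines (documentation-range IPs, assumed /cgi-bin/ path).
# Only the query string of the first line is taken from the message above.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Jul/2001:20:31:02 -0400] '
    '"GET /cgi-bin/bbs_forum.cgi?forum=open&read=|perl%20/tmp/shell2.p| HTTP/1.0" 200 512',
    '192.0.2.11 - - [27/Jul/2001:20:32:40 -0400] '
    '"GET /cgi-bin/bbs_forum.cgi?forum=open&read=12.msg HTTP/1.0" 200 2048',
    '192.0.2.11 - - [27/Jul/2001:20:33:09 -0400] "GET / HTTP/1.0" 200 16891',
]


def pipe_params(target):
    """Return (name, decoded value) for parameters that begin or end with '|'.

    A Perl two-argument open() runs such a value as a command instead of
    opening a file, so it has no place in a parameter that names a file.
    """
    hits = []
    # parse_qsl percent-decodes, so %7C and a literal | are treated alike.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        trimmed = value.strip()
        if trimmed.startswith("|") or trimmed.endswith("|"):
            hits.append((name, value))
    return hits


def scan(lines):
    """Return one finding per suspicious parameter in the given log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line we understand
        client, when, target = match.groups()
        for name, value in pipe_params(target):
            findings.append({"client": client, "time": when,
                             "path": urlsplit(target).path,
                             "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each finding carries the client address and timestamp, which gives a starting point for pulling the rest of that client's requests from the same log.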