
[ale] Apache exploit

On Tue, Apr 2, 2013 at 1:37 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> from the malware must die
> The malware was found in web server systems with below characteristic:
> <http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html#>
> 1. Linux RedHat-base distribution without SE Linux properly set
> 2. Apache httpd web server 2.x (rpm-base, as per it is)
> 3. Cgi-base web admin panel and/or Wordpress system's served
> I'm assuming then that ALL 3 must be present for this process to occur.

That seems likely.

> from much further down:
> "It looks like the attackers were beforehand well-prepared with some
> penetration method to gain web exploitation which were used to gain shell
> access and did the privilege escalation unto root. (I am not allowed to
> expose this detail further at this moment)."
> So run your web server with selinux in enforcing mode. It stops crap like
> this. Apparmor works similarly but not as fine-grained.

Unless you do something stupid like letting apache write to your apache
configs (yes, I've seen g+rw on /etc/apache2/...)

David Tomaschik
OpenPGP: 0x5DEA789B
david at systemoverlord.com
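A quick audit for the two points raised in this thread (SELinux actually in enforcing mode, and an Apache config tree the httpd process cannot write to), added here as an example; it is not part of the original mail or of the Malware Must Die write-up. It assumes `getenforce` is present for the live check, and takes the config directory as a parameter since the path differs between Red Hat derivatives (/etc/httpd) and Debian derivatives (/etc/apache2).

```shell
#!/bin/sh
# Added example, not from the thread: audit the two mitigations discussed
# above. Both helpers take their inputs as arguments so they can be run
# against any directory or mode string, not only the live host.

# Succeed only when the SELinux mode string (as printed by `getenforce`)
# is "Enforcing"; "Permissive" and "Disabled" both fail the check.
selinux_enforcing() {
  [ "$1" = "Enforcing" ]
}

# List regular files under directory $1 that are group- or world-writable
# (octal 020 / 002). The "g+rw on /etc/apache2" case from the thread is
# caught by the group bit: a config file the httpd process can rewrite lets
# a web-level compromise survive a restart.
writable_config_files() {
  find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Run both checks; print findings and return 1 if either fails.
audit_apache() {
  mode="$1"
  confdir="$2"
  rc=0
  if ! selinux_enforcing "$mode"; then
    echo "FAIL: SELinux mode is '$mode', expected Enforcing"
    rc=1
  fi
  bad=$(writable_config_files "$confdir")
  if [ -n "$bad" ]; then
    echo "FAIL: group/world-writable files under $confdir:"
    echo "$bad"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: SELinux enforcing and nothing under $confdir is group/world-writable"
  fi
  return "$rc"
}

# Live use: ./audit.sh --live [confdir]. The confdir default is the Red Hat
# path; pass /etc/apache2 on Debian/Ubuntu. "Disabled" is assumed when
# getenforce is not installed.
if [ "${1:-}" = "--live" ]; then
  audit_apache "$(getenforce 2>/dev/null || echo Disabled)" "${2:-/etc/httpd}"
fi
```

Run it from cron or a config-management check and treat any FAIL line as a finding; the permission check deliberately ignores ownership, so a file owned by root but group-writable by the web server's group is still reported.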