[ale] Apache exploit
- Subject: [ale] Apache exploit
- From: allen at ua.edu (Beddingfield, Allen)
- Date: Wed, 3 Apr 2013 13:39:57 +0000
- In-reply-to: <[email protected]om>
After researching this some more, I think you are right - it seems to be related to one or more of the web control panels, such as Plesk, cPanel, etc.
We are just using Apache with PHP and supPHP/fastcgi.
On a side note, our web team kept insisting on wanting one of those panels, and after looking under the hood of them, I dug in my heels to resist. Luckily, I won out.
The University of Alabama
From: David Tomaschik <david at systemoverlord.com>
Reply-To: Atlanta Linux Enthusiasts <ale at ale.org>
Date: Tuesday, April 2, 2013 5:20 PM
To: Atlanta Linux Enthusiasts <ale at ale.org>
Subject: Re: [ale] Apache exploit
On Tue, Apr 2, 2013 at 1:37 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
From the Malware Must Die write-up:
The malware was found in web server systems with the below characteristics:
- RedHat-based distribution without SELinux properly set
- Apache httpd web server 2.x (rpm-based, as per it is)
- CGI-based web admin panel and/or WordPress system served
I'm assuming then that ALL 3 must be present for this process to occur.
That seems likely.
from much further down:
"It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root. (I am not allowed to expose this detail further at this moment)."
So run your web server with SELinux in enforcing mode. It stops crap like this. AppArmor works similarly but not as fine-grained.
Unless you do something stupid like letting apache write to your apache configs (yes, I've seen g+rw on /etc/apache2/...)
david at systemoverlord.com
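A defender-side check for the two points David makes above (SELinux actually enforcing, and no Apache config file that the web server account can write), added here as an example; it is not code from the thread or from any of its authors. The config directory, the service account name and the location of the enforce flag are assumptions for a Debian-style layout; on a RedHat-style system (the case the Malware Must Die note describes) pass /etc/httpd and the "apache" user instead.

```shell
#!/bin/sh
# Added audit example for the two points raised in the thread (not code
# from the list or its authors). Assumptions: a Debian-style layout with
# configs under /etc/apache2 and the service account "www-data"; on
# RHEL-style systems pass /etc/httpd and "apache" instead.

# Report the SELinux mode by reading the kernel's enforce flag.
# $1: path to the enforce file (default /sys/fs/selinux/enforce).
# Returns 0 only when SELinux is enforcing.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$f" ]; then
        echo "disabled-or-unavailable"
        return 1
    fi
    case "$(cat "$f")" in
        1) echo "enforcing";  return 0 ;;
        0) echo "permissive"; return 1 ;;
        *) echo "unknown";    return 1 ;;
    esac
}

# List config files the web server could modify: anything group- or
# world-writable (the g+rw case from the thread), plus anything owned by
# the service account (an owner can chmod its own file, whatever the
# current mode bits say).
# $1: config directory; $2: service user (default www-data).
# Prints the offending paths and returns 1 if any are found, else 0.
writable_configs() {
    dir="$1"
    svc_user="${2:-www-data}"
    bad=$(find "$dir" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null)
    # Only add the ownership test when the account exists; GNU find
    # aborts the whole search on an unknown user name.
    if id "$svc_user" >/dev/null 2>&1; then
        owned=$(find "$dir" -type f -user "$svc_user" 2>/dev/null)
        bad=$(printf '%s\n%s\n' "$bad" "$owned" | sed '/^$/d' | sort -u)
    fi
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run the audit when a config directory is given on the command line, e.g.:
#   sh audit.sh /etc/httpd apache
if [ $# -ge 1 ]; then
    selinux_mode
    writable_configs "$1" "${2:-www-data}"
fi
```

Both functions return non-zero on a bad finding, so the script can sit in a cron job or a configuration-management check and fail loudly; an empty listing from writable_configs and "enforcing" from selinux_mode is the state the thread is recommending.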