Bug #23373 Possible security vulnerability: bindshell found running
Submitted: 2003-04-27 12:03 UTC Modified: 2003-04-27 14:23 UTC
From: dyls at dylansmith dot co dot im Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.3.1 OS: Linux 2.4.19
Private report: No CVE-ID: None
 [2003-04-27 12:03 UTC] dyls at dylansmith dot co dot im
I didn't witness this actually in progress - it happened a 
short while before I logged on. 
 
I have a PHP news site running ThatWare. It looks like an 
attacker managed to get a file /tmp/bindshell uploaded and 
executed. The attacker was trying to exploit the ptrace() 
vulnerability (which I have implemented a workaround to 
prevent, fortunately). I can't find anything suspicious in 
the HTTP logs, but bindshell owned by apache with the name 
in the process table 'th1s iz my 3l33t backdoor' was 
running on port 1234/tcp, and its CWD was set to the 
virtual host of the PHP news site. 
 
I will continue to look for details on this and update the 
bug report if I find anything significant. 
 

 [2003-04-27 12:12 UTC] rasmus@php.net
What makes you think that this isn't a ThatWare-specific issue?
 [2003-04-27 12:33 UTC] magnus@php.net
After a quick search on Google I found these results: 
http://www.securityfocus.com/archive/1/301811/2002-11-25/2002-12-01/0 
http://packetstormsecurity.nl/0009-exploits/thatware.txt 
http://www.securitytracker.com/alerts/2002/Dec/1005733.html 
 
which probably explains how someone managed to exploit your 
machine. Patches are also included with the reports for 
these issues, there are several. 
 
If you find proof that it isn't related to ThatWare, you 
can open the report again. 
 
 [2003-04-27 14:23 UTC] dyls at dylansmith dot co dot im
Mea culpa. Further examination of the logs showed the 
exact problem. Good job I had ptrace patched, really.
 