The UNIX and Linux Forums  

#1 (permalink)
09-25-2005
indo1144
Registered User
Join Date: Jun 2002
Location: Netherlands
Posts: 53
List of HTTP/FTP-clients on a server

The other day, a friend of mine had his Linux webserver compromised because he was running a vulnerable PHP-script. The "hacker" had used a malformed URL to include a wget-command to fetch some stuff off the net and install it in /dev/shm where it ran undetected. Fortunately, the webserver ran as a non-privileged user, so no serious harm was done.

I cleaned his machine for him and took some preventive measures.

I mounted /dev/shm noexec and I moved (what I thought) all HTTP- and FTP-clients to /root/bin and symlinked those from their original location. This way, only the root-user can use these clients. However... my list of clients was not complete and the "hacker" tried once again (using GET) to compromise the system. This time he failed though, because /dev/shm did not allow execution of his scripts.

The clients I moved to /root/bin included:
  • links
  • lynx
  • wget
  • curl
  • GET (the one I initially forgot)
  • ftp
  • tftp
  • lftp thanks to LanceBoyles
  • snarf thanks to LanceBoyles

but I somehow feel this list is not complete.

Can you help me assemble a complete list of all clients that can be used to download stuff off the net?

Last edited by indo1144; 09-28-2005 at 02:15 AM.
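A way to verify the two measures described in this post, as an added example that is not part of the original thread: it checks that /dev/shm is mounted noexec and lists which of the clients named above the calling account can still execute. The function names and the `--run` switch are made up for this example.

```shell
#!/bin/sh
# Added example: audits the two measures from the post. Run it as the web
# server's account so the access checks reflect what that account can reach.

# Client names taken from the list in the post.
CLIENTS="links lynx wget curl GET ftp tftp lftp snarf"

# shm_noexec MOUNTS_FILE  (file in /proc/mounts format)
# Returns 0 if /dev/shm is mounted noexec, 1 if mounted without noexec,
# 2 if not mounted. The last matching line wins, because a later mount on
# the same mountpoint hides the earlier one.
shm_noexec() {
    awk '$2 == "/dev/shm" { opts = $4; found = 1 }
         END {
             if (!found) exit 2
             n = split(opts, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
             exit 1
         }' "$1"
}

# reachable_clients DIR...
# Prints each listed client in the given directories that the current user
# can execute. [ -x ] follows symlinks, so a link into /root/bin counts
# only when the calling user can actually reach and run the target.
reachable_clients() {
    for dir in "$@"; do
        for c in $CLIENTS; do
            if [ -f "$dir/$c" ] && [ -x "$dir/$c" ]; then
                printf '%s\n' "$dir/$c"
            fi
        done
    done
}

# Audit the live system only when invoked with "--run".
if [ "${1:-}" = "--run" ]; then
    shm_noexec /proc/mounts || echo "WARNING: /dev/shm is not mounted noexec"
    old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs   # split PATH on ":"
    reachable_clients "$@"
fi
```

Any path it prints is a client the calling account can still run, whether because it was never moved or because the target of the symlink is reachable.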
#2 (permalink)
09-27-2005
Registered User
Join Date: Sep 2005
Posts: 8
lftp and snarf are the only other ones I can think of off the top of my head.

Did you remove the vulnerable PHP script? You really should consider rebuilding that box from scratch and restoring from pre-compromise backup in the event that trojaned programs or backdoors were installed that you didn't detect.
#3 (permalink)
09-28-2005
indo1144
Registered User
Join Date: Jun 2002
Location: Netherlands
Posts: 53
Quote:
Originally Posted by LanceBoyles
lftp and snarf are the only other ones I can think of off the top of my head.

Did you remove the vulnerable PHP script? You really should consider rebuilding that box from scratch and restoring from pre-compromise backup in the event that trojaned programs or backdoors were installed that you didn't detect.
The box could not be brought down, since it was a production-machine for my friend, who hosts websites on it. His business partner could not be persuaded to bring the box down while investigating the incident.
Bitter irony... the box died a week later and had some hardware replaced and its OS newly installed... It's clean now...

I tried to close the box as much as I could and in the end I was very happy with the result (and not to mention the enormous amount of "hacker-goodies" that were left behind). A very good learning-experience!

We did remove the PHP-script, which was part of a PHP-Nuke photo-gallery and asked the owner to look for either a non-vulnerable version or find another gallery. Furthermore, my friend started using a firewall on the box itself and uses very strict rules now.

I also created a script that continuously checks if user "httpd" runs any other software than the webserver itself (which is how I found out about the hack in the first place) and this script was very useful in finding other hidden scripts. I must admit that those trojans are cleverly hidden and are a nice piece of work!

Anyway, thanks for the addition to my list!
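One way to write the kind of check mentioned in the post above, as an added example (not indo1144's script): it flags processes owned by the web server account whose executable is not the web server binary. The account name httpd is from the post; the binary path /usr/sbin/httpd, the function names, the `--watch` switch and the 10-second poll are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. WEB_USER comes from the post;
# WEB_EXE is an assumed path to the web server binary, adjust as needed.
WEB_USER=${WEB_USER:-httpd}
WEB_EXE=${WEB_EXE:-/usr/sbin/httpd}

# list_procs: print "pid user exe" for every process (Linux /proc, GNU stat).
# Uses the /proc/PID/exe link rather than the process name, because a
# process can set its own name to look like the web server.
list_procs() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        user=$(stat -c %U "$d" 2>/dev/null) || continue
        printf '%s %s %s\n' "${d#/proc/}" "$user" "$exe"
    done
}

# unexpected_procs USER EXE: filter "pid user exe" lines on stdin and print
# those owned by USER whose executable is not exactly EXE. An executable
# removed from disk after start shows up as "path (deleted)" and is flagged.
unexpected_procs() {
    awk -v u="$1" -v e="$2" '
        $2 == u {
            exe = $0
            sub(/^[^ ]+ [^ ]+ /, "", exe)   # keep paths containing spaces
            if (exe != e) print
        }'
}

# Poll when run with "--watch"; needs root to read other users' exe links.
if [ "${1:-}" = "--watch" ]; then
    while :; do
        list_procs | unexpected_procs "$WEB_USER" "$WEB_EXE" |
            while read -r line; do
                logger -t httpd-watch "unexpected process: $line"
            done
        sleep 10
    done
fi
```

Sites that run CGI interpreters under the same account will need more than one allowed path, and a web server binary replaced by a package upgrade is reported as "(deleted)" until the service is restarted.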