Unpatched security exploits? (stackgrow2, elflb1, etc.)
2005-02-04 - By Pete Deffendol

Hi,
One of our ES Update 4 servers (running kernel 2.4.21-27.0.2.ELsmp) was compromised recently, apparently through the "apache" account. The following executables were found in /tmp, all owned by "apache":
stackgrow2 elflb1 _elf_lib remap bt uselib24 w00t
Processes masquerading as "/usr/local/apache/bin/httpd" were found running under the apache account.
The only reference in bugzilla that I could find was https://bugzilla.redhat.com/beta/show_bug.cgi?id=144136 and this is for RHEL4 beta. The executables mentioned previously appear to be local root exploits planted after remote access was gained - but I am unable to determine how the apache account (or something else) was compromised.
Has anyone seen this before? Is there an exploit for which Red Hat has not yet provided a patch? Any suggestions on preventing it from happening in the future?
(If additional information is needed, feel free to e-mail)
Pete
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list