[nycbug-talk] Searching for suspect PHP files...

Andy Kosela akosela at andykosela.com
Tue Mar 3 17:48:10 EST 2009

Max Gribov <max at neuropunks.org> wrote:

> Matt Juszczak wrote:
> >
> > perl run as the www user... well, if its being run as the www user, 
> > not much they can do right?  Not with the permissions of the www user, 
> > anyway.
> well, you can upload a local exploit, run it as www user, gain root and 
> make it bind a shell or drop in some php backdoor or whatever..

You can launch a passwordless remote shell on an arbitrary port (>1023) 
using perl(1) or nc(1) as www user, then reverse bind it to your local 
host bypassing any firewalls in between using ssh(1) and *then* gain 
root by so many techniques that it is not even worth it to write about 
them here.  My point is that sh(1), ssh(1), wget (why not use fetch?), 
nc(1), cc(1), as(1), perl(1) are definetly methods of easy exploitation 
of your systems even by script bots.   

> Andy made a good point about using MAC, and also you can use something 
> like tripwire to check your upload dirs/web application source/etc, but 
> tripwire gets pretty tedious cause someone has to parse the input..

Tripwire became a bloated beast nowadays.  I'm using mtree(8) for
checking files integrity and it is a very good tool for such job.


More information about the talk mailing list