Security Bug in My_eGallery 2.7.9
Date: Wednesday, November 19 @ 09:47:39 CET
Topic: Security


I discovered that there seems to be a big security bug in My_eGallery, and every day someone is exploiting it and reinstalling some processes on my webserver. Very dangerous, because the hacker uploads a file to the server, puts it in the /tmp directory and can then execute it (I do not know HOW yet!!!). But the LOGS show that the file is uploaded by My_eGallery...

Does somebody have an idea????

Everybody should check his /tmp directory for files with suspicious names like telnetd or bind.txt, or files which have readable names. Look into those files to see whether they are hacks...

I discovered the following processes on my server:
6926 ? S 0:00 getty
6932 ? T 0:00 ./telnetd
6933 ? S 0:00 getty
6936 ? Z 0:00 [telnetd ]
6939 ? T 0:00 ./telnetd
6940 ? S 0:00 getty
6942 ? Z 0:00 [telnetd ]
6947 ? S 0:00 getty
7005 ? T 0:00 ./telnetd
7006 ? S 0:00 getty
7009 ? Z 0:00 [telnetd ]
7012 ? T 0:00 ./telnetd
7013 ? S 0:00 getty
7016 ? Z 0:00 [telnetd ]

Then:

-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----
?????:/tmp # stat telnetd
File: `telnetd'
Size: 170613 Blocks: 336 IO Block: 4096 Regular File
Device: 302h/770d Inode: 260574 Links: 1
Access: (7777/-rwsrwsrwt) Uid: ( 30/ wwwrun) Gid: (65534/ nogroup)
Access: 2003-11-18 22:52:41.000000000 +0100
Modify: 2003-02-07 18:35:31.000000000 +0100
Change: 2003-11-18 22:21:35.000000000 +0100
-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----

Looking further:
002 30 6926 1 17 0 2012 488 schedu S ? 0:00 getty
SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/?????/www.????????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
002 30 6932 1 17 0 2008 452 do_sig T ? 0:00
./telnetd SHELL=/bin/sh MAILTO=root
OLDPWD=/???/www/??????/www.???????.de/modules/My_eGallery/public
LD_LIBRARY_PATH=:/lib COLUMNS=80
PATH=/usr/bin:/usr/sbin:/sbin:/bin:/usr/lib/news/bin RUNLEVEL=3 PWD=/tmp
DAEMON=/usr/sbin/httpd PREVLEVEL=N LINES=24 DBROOT=/dev/null HOME=/root
SHLVL=4 LOGNAME=root ORACLE_HOME= _=./telnetd
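The two checks the post walks through (look through /tmp for odd files, then see what is running out of it), as an added shell example that is not part of the original post: scan_tmp lists setuid/setgid files and executables owned by the web server user under a directory, and procs_in_dir lists processes whose working directory or binary lies under it. The user name wwwrun is taken from the stat output above; a Linux /proc layout is assumed.

```sh
#!/bin/sh
# Added example, not from the NukeCops post: a defender-side check for the two
# symptoms shown above, a setuid binary owned by the web server user in /tmp and
# processes running out of /tmp. "wwwrun" comes from the post's stat output.

# List regular files under DIR that are setuid/setgid, or that are executable
# and owned by WEBUSER (a web server account should own no executables in /tmp).
scan_tmp() {
    dir=${1:-/tmp}
    webuser=${2:-wwwrun}
    {
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true
        if id "$webuser" >/dev/null 2>&1; then
            find "$dir" -xdev -type f -user "$webuser" \
                \( -perm -100 -o -perm -010 -o -perm -001 \) -print 2>/dev/null || true
        fi
    } | sort -u
}

# Print "PID CWD EXE" for every process we are allowed to inspect via /proc
# whose working directory or executable lies under DIR (Linux /proc assumed).
procs_in_dir() {
    dir=${1:-/tmp}
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        cwd=$(readlink "$p/cwd" 2>/dev/null) || continue   # not ours to read
        exe=$(readlink "$p/exe" 2>/dev/null || true)       # empty for zombies
        hit=0
        case "$cwd" in "$dir"|"$dir"/*) hit=1 ;; esac
        case "$exe" in "$dir"/*) hit=1 ;; esac
        if [ "$hit" -eq 1 ]; then
            echo "$pid $cwd ${exe:-?}"
        fi
    done
}

# Combined report; follow up on each hit with stat(1) for owner, mode and
# timestamps and with ps(1) for the process environment, as the post did.
report() {
    dir=${1:-/tmp}
    echo "== suspicious files under $dir =="
    scan_tmp "$dir" "${2:-wwwrun}"
    echo "== processes running from $dir =="
    procs_in_dir "$dir"
}
```

Run `report /tmp wwwrun` as root so that every process's /proc entry is readable; a setuid file owned by the web server user or a process whose cwd is /tmp and whose PWD points into the gallery module directory is exactly the pattern shown above.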
This article comes from NukeCops
http://www.nukecops.com

The URL for this story is:
http://www.nukecops.com/modules.php?name=News&file=article&sid=1015