nagios backdoor

Andreas Ericsson ae at op5.se
Wed Jun 12 18:50:55 CEST 2013


On 06/06/2013 10:46 PM, William Leibzon wrote:
> Sounds like they got through some sort of security hole in apache and
> accessed the database on the server, probably as apache/www user and not
> root. Unsure from the information given if this apache backdoor would
> have had anything to do with nagios cgi or not.
>
> BTW the description of how it happened is rather interesting. I
> remember 6 or 7 years ago, when I was still following security more
> closely, people were talking about the possibility of this (hacking
> with only in-memory application replacement) on a certain forum that
> shall remain unnamed. I have never seen or heard of this being done at
> any company I consult for though.
>

It's not particularly difficult. All exploits work by modifying
executable code in memory to make a program do what they want. If one
can get root access that way, it's possible to freeze a process and
replace it entirely.

-- 
Andreas Ericsson                   andreas.ericsson at op5.se
OP5 AB                             www.op5.se
Tel: +46 8-230225                  Fax: +46 8-230231

Considering the successes of the wars on alcohol, poverty, drugs and
terror, I think we should give some serious thought to declaring war
on peace.
