[SAC] LDAP users still being created during maintenance

Sandro Santilli strk at keybit.net
Wed May 11 08:46:01 PDT 2016


I spotted a new user which was created _after_ we put the form
back to maintenance mode. The POST was directly done to the
renamed script. I think the renamed script URL was at some point
found in the form but I don't know who made the change.

The files modification dates are (UTC):

   May 10 06:41 for the renamed script with exposed new url
   May  9 13:39 for the renamed script with no exposed new url
   May  9 18:31 when the form was put in maintenance mode

The POST to renamed script happened 24 hours after the exposed url

   11/May/2016:05:54:01 -0700

And resulted in the creation of a "vvk" user (with .ru email address):

   createTimestamp: 20160511125401Z

The POST came from ip 77.242.110.178, which also issued a GET
for the renamed-form URL at:

   11/May/2016:05:51:36 -0700

The very first request to the renamed script was issued on

   [09/May/2016:22:59:33 -0700] from 173.247.202.130
   That is:  May 10 05:59 UTC

For now I removed the execute bit from the disabled script, but let
me know if it was an "internal" backdoor legitimately used.

--strk;
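The correlation done by hand in the mail (access-log timestamps in -0700 converted to UTC, then matched against LDAP createTimestamp, plus a check for accounts created after maintenance mode began) can be scripted so it runs over the whole log rather than one spotted entry. The Python below is an added example, not code from this mail or from the SAC infrastructure: the access-log lines and LDAP entries are constructed (using the timestamps quoted above), and the script path is a placeholder because the real renamed script name is not given here.

```python
import re
from datetime import datetime, timedelta, timezone

# Placeholder for the renamed/disabled script path (not the real name).
DISABLED_SCRIPT = "/cgi-bin/RENAMED_SCRIPT_PLACEHOLDER"

# Constructed Apache combined-format log lines; timestamps match the mail.
ACCESS_LOG = """\
173.247.202.130 - - [09/May/2016:22:59:33 -0700] "GET /cgi-bin/RENAMED_SCRIPT_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"
77.242.110.178 - - [11/May/2016:05:51:36 -0700] "GET /cgi-bin/RENAMED_SCRIPT_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"
77.242.110.178 - - [11/May/2016:05:54:01 -0700] "POST /cgi-bin/RENAMED_SCRIPT_PLACEHOLDER HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [11/May/2016:06:10:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.47"
"""

# Constructed LDAP entries with only the attributes needed here.
LDAP_ENTRIES = [
    {"uid": "alice", "createTimestamp": "20160508101500Z"},
    {"uid": "vvk", "createTimestamp": "20160511125401Z"},
]

# Moment the form was put into maintenance mode (UTC, from the mail).
MAINTENANCE_START = datetime(2016, 5, 9, 18, 31, tzinfo=timezone.utc)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse combined-format lines; timestamps are normalised to UTC."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not look like access-log entries
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({
            "ip": m["ip"],
            "ts": ts.astimezone(timezone.utc),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def parse_ldap_time(value):
    """createTimestamp is LDAP generalizedTime: YYYYMMDDHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def accounts_created_after(entries, cutoff):
    """uids whose createTimestamp is at or after the cutoff (e.g. maintenance start)."""
    return [e["uid"] for e in entries if parse_ldap_time(e["createTimestamp"]) >= cutoff]


def first_hit(events, path):
    """(ip, UTC ISO time) of the earliest request to the given path, or None."""
    hits = sorted((ev for ev in events if ev["path"] == path), key=lambda ev: ev["ts"])
    return (hits[0]["ip"], hits[0]["ts"].isoformat()) if hits else None


def correlate_creations(entries, events, path, window=timedelta(seconds=5)):
    """Match each LDAP creation to a POST on `path` that precedes it by at most `window`."""
    posts = [ev for ev in events if ev["method"] == "POST" and ev["path"] == path]
    matches = []
    for e in entries:
        created = parse_ldap_time(e["createTimestamp"])
        for ev in posts:
            delta = (created - ev["ts"]).total_seconds()
            if 0 <= delta <= window.total_seconds():
                matches.append((e["uid"], ev["ip"], ev["ts"].isoformat()))
    return matches


if __name__ == "__main__":
    evs = parse_access_log(ACCESS_LOG)
    print("first request to disabled script:", first_hit(evs, DISABLED_SCRIPT))
    print("created after maintenance start:", accounts_created_after(LDAP_ENTRIES, MAINTENANCE_START))
    print("creations tied to a POST:", correlate_creations(LDAP_ENTRIES, evs, DISABLED_SCRIPT))
```

The 5-second window is an assumption; in the mail the POST time and the LDAP createTimestamp coincide to the second once both are in UTC, so a tight window is enough and keeps unrelated POSTs from being paired with a creation.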

