[SAC] LDAP users still being created during maintenance
Sandro Santilli
strk at keybit.net
Wed May 11 08:46:01 PDT 2016
I spotted a new user which was created _after_ we put the form
back to maintenance mode. The POST was directly done to the
renamed script. I think the renamed script URL was at some point
found in the form but I don't know who made the change.
The files modification dates are (UTC):
May 10 06:41 for the renamed script with exposed new url
May 9 13:39 for the renamed script with no exposed new url
May 9 18:31 when the form was put in maintenance mode
The POST to renamed script happened 24 hours after the exposed url
11/May/2016:05:54:01 -0700
And resulted in the creation of a "vvk" user (with .ru email address):
createTimestamp: 20160511125401Z
The POST came from ip 77.242.110.178, which also issued a GET
for the renamed-form URL at:
11/May/2016:05:51:36 -0700
The very first request to the renamed script was issued on
[09/May/2016:22:59:33 -0700] from 173.247.202.130
That is: May 10 05:59 UTC
For now I removed the execute bit from the disabled script, but let
me know if it was an "internal" backdoor legitimately used.
--strk;
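The correlation the message walks through by hand (access-log timestamps in -0700, the LDAP createTimestamp in UTC, the maintenance cutoff in UTC) is easy to get wrong across time zones. The following is an added example, not code from the message or the SAC project, that normalises both timestamp formats to UTC, lists every request to the renamed script after the maintenance cutoff, and ties the account creation to the POST that produced it. The log lines are constructed from the IPs and times in the report; the script paths and user agents are assumptions, since the real URLs are not given.

```python
import re
from datetime import datetime, timedelta, timezone

# Script paths are assumptions: the message does not give the real URLs.
ORIGINAL_PATH = "/cgi-bin/newuser.cgi"      # assumed
RENAMED_PATH = "/cgi-bin/newuser-x7q.cgi"   # assumed

# Constructed Apache combined-format log lines built from the IPs and
# timestamps quoted in the report (user agents and sizes are made up).
ACCESS_LOG = f"""\
10.0.0.5 - - [09/May/2016:03:00:00 -0700] "POST {ORIGINAL_PATH} HTTP/1.1" 200 512 "-" "curl/7.47"
173.247.202.130 - - [09/May/2016:22:59:33 -0700] "GET {RENAMED_PATH} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
77.242.110.178 - - [11/May/2016:05:51:36 -0700] "GET {RENAMED_PATH} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
77.242.110.178 - - [11/May/2016:05:54:01 -0700] "POST {RENAMED_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# From the report: when the form went into maintenance mode (UTC) and the
# LDAP createTimestamp of the suspicious "vvk" account.
MAINTENANCE_CUTOFF = datetime(2016, 5, 9, 18, 31, tzinfo=timezone.utc)
LDAP_CREATE_TIMESTAMP = "20160511125401Z"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf_time(s):
    """Apache 'dd/Mon/yyyy:HH:MM:SS +zzzz' timestamp -> aware UTC datetime."""
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)


def parse_ldap_time(s):
    """LDAP GeneralizedTime 'yyyymmddHHMMSSZ' -> aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_access_log(text):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": parse_clf_time(m["ts"]),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],  # ignore any query string
            "status": int(m["status"]),
        })
    return entries


def hits_after(entries, path, cutoff):
    """Requests to `path` at or after `cutoff`. Any hit on the renamed
    script after the maintenance switch means the form page was bypassed."""
    return [e for e in entries if e["path"] == path and e["ts"] >= cutoff]


def first_hit(entries, path):
    """Earliest request to `path`, i.e. when the renamed URL was first found."""
    hits = [e for e in entries if e["path"] == path]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def posts_matching_creation(entries, path, create_ts, window=timedelta(minutes=5)):
    """POSTs to `path` landing within `window` before the LDAP createTimestamp.
    A gap of a few seconds or less ties the request to the new account."""
    out = []
    for e in entries:
        if e["method"] != "POST" or e["path"] != path:
            continue
        gap = (create_ts - e["ts"]).total_seconds()
        if 0 <= gap <= window.total_seconds():
            out.append({**e, "gap_seconds": gap})
    return out


if __name__ == "__main__":
    entries = parse_access_log(ACCESS_LOG)
    created = parse_ldap_time(LDAP_CREATE_TIMESTAMP)
    print("first hit on renamed script:", first_hit(entries, RENAMED_PATH))
    for e in hits_after(entries, RENAMED_PATH, MAINTENANCE_CUTOFF):
        print(e["ts"].isoformat(), e["ip"], e["method"], e["path"])
    for e in posts_matching_creation(entries, RENAMED_PATH, created):
        print("createTimestamp matches POST from", e["ip"], "gap", e["gap_seconds"], "s")
```

On the constructed input the POST from 77.242.110.178 converts to 2016-05-11T12:54:01Z, which is exactly the createTimestamp, and the first GET of the renamed script converts to 2016-05-10T05:59:33Z, the same UTC value the report gives. The same functions work on a real access log and an `ldapsearch` dump of createTimestamp values; only the constructed sample and the assumed paths need replacing.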