Once they had exploited the vulnerability, they had uploaded a malicious Lua script that allowed them to execute system commands on the server. The script was cleverly disguised as a legitimate configuration file, but John was able to spot it using his monitoring tools.
In Apache 2.4.18 with the mod_prefork MPM (Multi-Processing Module), the scoreboard shared memory segment is often created with world-writable permissions. Because the Apache child processes drop privileges to www-data, but the parent runs as root, a race condition or direct write to shm can lead to root execution.
The internet is littered with exploits claiming to target Apache 2.4.18. The vast majority are: