hacked?

Rick Stevens rstevens at internap.com
Mon Apr 9 18:26:54 UTC 2007


On Mon, 2007-04-09 at 11:00 -0700, Harold Hallikainen wrote:
> > On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
> >> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
> >> >> It looks like my system has been hacked! It looks like someone in
> >> >> Russia uploaded a php script, then wandered around my system, then
> >> >> deleted the script. I'm running phpwiki, which allows for uploads.
> >> >> Apparently, it allows for php scripts to be uploaded. I kinda thought
> >> >> php didn't allow access outside the public_html directory, but it
> >> >> looks like they've wandered through the system. Here are a few lines
> >> >> from the log...
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200
> >> 209
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200
> >> 119
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200
> >> >> 119
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200
> >> >> 200
> >> >>
> >> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> >> >> HTTP/1.1" 200 2867
> >> >>
> >> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
> >> >> HTTP/1.1"
> >> >>
> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
> >> >>
> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> >> >> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
> >> >>
> >> >>
> >> >> Looking through the logs, it appears that only stuff in the
> >> >> public_html directory was accessed. I'm still looking, though.
> >> >>
> >> >> I'm guessing I should really do a fresh install of the OS and
> >> >> everything.
> >> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
> >> >>
> >> >> Any other ideas on securing the system?
> >> >
> >> > Yes.
> >> >
> >> > 1. Enable SElinux and put it in "enforcing" mode
> >> >
> >> > 2. Make sure Apache is set to run as "apache" (not root)
> >> >
> >> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
> >> >
> >> > 4. Limit uploads to a specific directory and do NOT allow them to be
> >> >    executed unless you approve them (upload quarantine)
> >> >
> >> > 5. Set permissions on "significant" directories so they can't be read
> >> >    or traversed by apache.
> >> >
> >> > I also like to build Apache so all the stuff it needs can be put in a
> >> > chroot jail, and chroot it.  Not easy, but useful.
> >> >
> >> >>
> >> >> THANKS!
> >> >>
> >> >> Harold
> >> >>
> >>
> >>
> >> THANKS to those who have commented thus far. This all happened within
> >> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
> >> fix, but, of course, I want to do more than depend on that! As user
> >> apache, it looks like the intruder was only able to look at stuff in my
> >> public_html, which is public anyway. I do see an ls of my home directory
> >> (the directory below the public_html), but since apache does not own
> >> that directory, I don't think anything could be read. When I originally
> >> installed FC4, I had trouble with SE Linux preventing stuff from
> >> working. I finally disabled it. I'm in the middle of moving the server
> >> to FC6 (cloned the hard drive, now trying to get it to work...). I'll
> >> definitely try harder on SE Linux! My httpd access_log shows they used
> >> Google to find my system with the broken wiki upload. Here's the log
> >> entry:
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET
> >> /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993
> >> "http://www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N"
> >> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DeluxeNetwork)"
> >>
> >> I'm sure it's buried in the documentation, but how do I tell Apache to
> >> not interpret anything in a particular directory, just pass it back to
> >> the user? This upload directory is full of pdfs contributed by users.
> >
> > You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
> > that directory which would cause Apache to send the PDFs as-is (with
> > http headers added, of course).
> >
> >> In my 10 years or so of running my own linux server, this is the second
> >> intrusion I've found. One was using an ssl bug that had been fixed, but
> >> I had not installed. This one, apparently, I'm the first to discover.
> >> The writer of the wiki plugin fixed it within hours of my asking about
> >> it.
> >
> > Good response by the developer and he/she should be commended for it.
> > However, one should never rely on third parties to secure one's
> > machines...but you know that.  :-)
> >
> > ----------------------------------------------------------------------
> > - Rick Stevens, Principal Engineer             rstevens at internap.com -
> 
> 
> It seems like I always have to depend on someone to secure the machines to
> some extent, whether it's the OS writers, the app writers, or whatever. But,
> I'll do my best (and, yes, I am learning!).
> 
> In the .htaccess, it seems that send-as-is *.pdf would not get around this
> problem, since the hacker put in something called 100.php.3 . But, could I
> put in send-as-is * and just have EVERYTHING sent as is, nothing
> interpreted?

Yes, that would do it.  And make sure you do that ESPECIALLY in the
upload directory.

----------------------------------------------------------------------
- Rick Stevens, Principal Engineer             rstevens at internap.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-   To understand recursion, you must first understand recursion.    -
----------------------------------------------------------------------
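As an added defensive example (not part of this thread, and not Rick's or Harold's configuration): an httpd.conf stanza for the upload directory that serves every file as static content and turns script execution off, so a file named like 100.php.3 is sent to the client instead of being run. The directory path is inferred from the log entries, and the mod_php module name is an assumption. Note that mod_asis ("send-as-is") expects each file to carry its own HTTP headers, so the default static handler is the better fit for a directory of user-contributed PDFs.

```apache
# Added example (not from the thread). Path assumed from the log entries above.
<Directory "/home/harold/public_html/BroadcastHistory/uploads">
    # Hand every file to the default static handler, overriding any AddHandler
    # mapping for .php/.php3 etc. mod_mime considers every extension in a
    # filename, which is why a name like 100.php.3 can still reach the PHP
    # handler when only "AddHandler send-as-is .pdf" is in place.
    SetHandler default-handler
    # Belt and braces: drop extension-based handler and type mappings too.
    RemoveHandler .php .php3 .php4 .php5 .phtml
    RemoveType    .php .php3 .php4 .php5 .phtml
    # No CGI, no server-side includes, no symlinks pointing out of the tree.
    Options -ExecCGI -Includes -FollowSymLinks
    # An uploaded .htaccess must not be able to re-enable any of this.
    AllowOverride None
    # Switch the PHP engine off entirely for this tree (mod_php only; the
    # module name is an assumption for the FC6-era httpd in the thread).
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
</Directory>
```

This belongs in httpd.conf or a file under conf.d, not in an .htaccess file: AllowOverride is only valid in server, virtual-host or Directory context, and php_admin_flag cannot be set from .htaccess at all.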