hacked?

Harold Hallikainen harold at hallikainen.com
Mon Apr 9 17:28:11 UTC 2007


> On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
>> It looks like my system has been hacked! It looks like someone in Russia
>> uploaded a php script, then wandered around my system, then deleted the
>> script. I'm running phpwiki, which allows for uploads. Apparently, it
>> allows for php scripts to be uploaded. I kinda thought php didn't allow
>> access outside the public_html directory, but it looks like they've
>> wandered through the system. Here are a few lines from the log...
>>
>> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>>
>> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>>
>> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
>>
>> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
>>
>> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic HTTP/1.1"
>>
>> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>>
>> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>>
>>
>> Looking through the logs, it appears that only stuff in the public_html
>> directory was accessed. I'm still looking, though.
>>
>> I'm guessing I should really do a fresh install of the OS and
>> everything.
>> I'll look at security fixes for phpwiki, or maybe get rid of it.
>>
>> Any other ideas on securing the system?
>
> Yes.
>
> 1. Enable SElinux and put it in "enforcing" mode
>
> 2. Make sure Apache is set to run as "apache" (not root)
>
> 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
>
> 4. Limit uploads to a specific directory and do NOT allow them to be
>    executed unless you approve them (upload quarantine)
>
> 5. Set permissions on "significant" directories so they can't be read or
>    traversed by apache.
>
> I also like to build Apache so all the stuff it needs can be put in a
> chroot jail, and chroot it.  Not easy, but useful.
>
>>
>> THANKS!
>>
>> Harold
>>


THANKS to those who have commented thus far. This all happened within
about 20 minutes. The writer of the phpWiki upload plugin has supplied a
fix, but, of course, I want to do more than depend on that! As user
apache, it looks like the intruder was only able to look at stuff in my
public_html, which is public anyway. I do see an ls of my home directory
(the directory below the public_html), but since apache does not own that
directory, I don't think anything could be read. When I originally
installed FC4, I had trouble with SE Linux preventing stuff from working.
I finally disabled it. I'm in the middle of moving the server to FC6
(cloned the hard drive, now trying to get it to work...). I'll definitely
try harder on SE Linux! My httpd access_log shows they used Google to find
my system with the broken wiki upload. Here's the log entry:

89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993 "http://www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DeluxeNetwork)"

I'm sure it's buried in the documentation, but how do I tell Apache to not
interpret anything in a particular directory, just pass it back to the
user? This upload directory is full of pdfs contributed by users.

In my 10 years or so of running my own linux server, this is the second
intrusion I've found. One was using an ssl bug that had been fixed, but I
had not installed. This one, apparently, I'm the first to discover. The
writer of the wiki plugin fixed it within hours of my asking about it.

THANKS!

Harold


-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
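An Apache configuration that does what the message above asks for (serve everything in the upload directory as a plain file and never interpret it) is added here as an example; it is not from the thread or from phpwiki. It assumes the upload directory is /home/harold/public_html/BroadcastHistory/uploads (reconstructed from the request paths and the document root the chmod request named), Apache 2.2 syntax as shipped with FC6, and PHP running as mod_php. On Apache 2.4 the Order/Deny pair becomes `Require all denied`.

```apache
# Added example configuration (httpd.conf, not .htaccess), not from the thread.
# Directory path is an assumption reconstructed from the posted log.
<Directory "/home/harold/public_html/BroadcastHistory/uploads">
    # Nothing in here is a script. Drop every handler/type mapping mod_mime
    # would otherwise apply, so 100.php3 and 100.php.3 become plain files.
    # (With "AddHandler ... .php", mod_mime matches the extension in ANY
    # dotted segment of the name, which is why 100.php.3 was executed.)
    RemoveHandler .php .php3 .php4 .php5 .phtml .phps .pl .cgi .py .sh
    RemoveType    .php .php3 .php4 .php5 .phtml .phps

    # Turn the PHP engine off for the directory. php_admin_flag cannot be
    # re-enabled from an uploaded .htaccess the way php_flag could.
    php_admin_flag engine off

    # No CGI, no server-side includes, no symlink following, and no
    # .htaccess processing at all in this tree.
    Options None
    AllowOverride None

    # Belt and braces: refuse to serve anything whose name still contains a
    # script extension, even as a download.
    <FilesMatch "\.(php\d?|phtml|phps|pl|cgi|py|sh)(\.|$)">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # The user-contributed documents get an explicit, harmless type.
    AddType application/pdf .pdf
</Directory>
```

After a `service httpd configtest` and restart, a request for /BroadcastHistory/uploads/100.php.3 is refused outright and any other name in the directory is delivered as static content. This only removes the execution path through Apache; the upload plugin still needs the author's fix (and ideally the quarantine step from item 4 of the reply), because an uploaded PHP file can still be pulled in by a vulnerable include() somewhere else on the site.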
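The thread's log excerpt shows the pattern a log review should catch: a POST to the wiki's UpLoad action, a GET of a script-named file in the upload directory seconds later, then act= requests that browse outside public_html. The script below, added here as an example and not code from the thread or from phpwiki, parses Apache common/combined log lines and flags that pattern. The sample entries are constructed from the lines Harold posted; the 200/512 on the chmod line and the benign PDF request from 10.0.0.5 are made up to fill gaps, and the document root /home/harold/public_html is taken from the chmod request.

```python
"""Flag web-shell activity in an Apache access log.

Added example, not code from the original thread.  The sample entries are
constructed from the log lines posted in the thread (the 200/512 on the
chmod line and the PDF request from 10.0.0.5 are made up); the act= values
and the /home/harold/public_html document root come from those same lines.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

DOCROOT = "/home/harold/public_html"          # from the chmod request in the log
UPLOAD_DIRS = ("/BroadcastHistory/uploads/",)  # user-contributed files live here

# Common/combined log prefix; referer and user-agent, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A script extension in ANY dotted segment of the name is suspicious: with
# "AddHandler ... .php", mod_mime treats 100.php.3 the same as 100.php.
SCRIPT_EXT_RE = re.compile(r'\.(php\d?|phtml|phps|pl|cgi|py|sh)(?=\.|$)', re.I)
# Actions seen in the posted log plus the usual file-manager shell verbs.
SHELL_ACTIONS = {"ls", "chmod", "selfremove", "cmd", "eval", "upload"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    parts = urlsplit(e["target"])
    e["path"] = unquote(parts.path)
    e["query"] = parse_qs(parts.query)        # parse_qs percent-decodes values
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return e


def classify(e):
    """Return the reasons a request looks like web-shell use (empty = benign)."""
    reasons = []
    name = e["path"].rsplit("/", 1)[-1]
    if e["path"].startswith(UPLOAD_DIRS) and SCRIPT_EXT_RE.search(name):
        reasons.append("script extension in upload dir: " + name)
    for act in e["query"].get("act", []):
        if act.lower() in SHELL_ACTIONS:
            reasons.append("shell action act=" + act)
    for d in e["query"].get("d", []):
        # A directory argument outside the document root means the shell was
        # used to look around the rest of the filesystem.
        norm = d.rstrip("/") or "/"
        if not (norm == DOCROOT or norm.startswith(DOCROOT + "/")):
            reasons.append("directory outside docroot: " + d)
    return reasons


def scan(log_text, window_s=300):
    """Return {ip: [(timestamp, path, reasons), ...]} for flagged requests only.

    A flagged request that follows a POST to the wiki's UpLoad action from the
    same IP within window_s seconds gets an extra 'uploaded then executed'
    reason: that is the write-then-run sequence an upload bug produces.
    """
    last_upload_post = {}
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"].endswith("/UpLoad"):
            last_upload_post[e["ip"]] = e["time"]
        reasons = classify(e)
        if not reasons:
            continue
        t0 = last_upload_post.get(e["ip"])
        if t0 is not None and 0 <= (e["time"] - t0).total_seconds() <= window_s:
            reasons.append("uploaded then executed within %ds" % window_s)
        hits[e["ip"]].append((e["ts"], e["path"], reasons))
    return dict(hits)


# Constructed sample, adapted from the log lines posted in the thread.
SAMPLE_LOG = """\
89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic HTTP/1.1" 200 512
91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
10.0.0.5 - - [07/Apr/2007:02:00:00 -0700] "GET /BroadcastHistory/uploads/fcc-rules.pdf HTTP/1.1" 200 40960
"""

if __name__ == "__main__":
    for ip, entries in scan(SAMPLE_LOG).items():
        print(ip)
        for ts, path, reasons in entries:
            print("  %s %s\n    %s" % (ts, path, "; ".join(reasons)))
```

Run it against the real access_log with `scan(open("/var/log/httpd/access_log").read())`; the PDF request is not reported, the two attacker addresses are, and the 01:24:40 request is the one that carries both the "outside docroot" and the "uploaded then executed" reasons. The double-extension check is the part worth keeping in any upload-directory monitor, since a simple `.php$` match misses 100.php.3.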




More information about the Redhat-install-list mailing list