hacked?
Rick Stevens
rstevens at internap.com
Mon Apr 9 16:55:15 UTC 2007
On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
> It looks like my system has been hacked! It looks like someone in Russia
> uploaded a php script, then wandered around my system, then deleted the
> script. Im running phpwiki, which allows for uploads. Apparently, it
> allows for php scripts to be uploaded. I kinda thought php didn't allow
> access outside the public_html director, but it looks like they've
> wandered through the system. Here are a few lines from the log...
>
> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>
> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>
> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>
> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>
> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
>
> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> HTTP/1.1" 200 2867
>
> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
> HTTP/1.1"
>
> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>
> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>
>
> Looking through the logs, it appears that only stuff in the public_html
> directory was accessed. I'm still looking, though.
>
> I'm guessing I should really do a fresh install of the OS and everything.
> I'll look at security fixes for phpwiki, or maybe get rid of it.
>
> Any other ideas on securing the system?
Yes.
1. Enable SElinux and put it in "enforcing" mode
2. Make sure Apache is set to run as "apache" (not root)
3. Make sure you have "safe_mode = on" in your /etc/php.ini script
4. Limit uploads to a specific directory and do NOT allow them to be
executed unless you approve them (upload quarantine)
5. Set permissions on "significant" directories so they can't be read or
traversed by apache.
I also like to build Apache so all the stuff it needs can be put in a
chroot jail, and chroot it. Not easy, but useful.
>
> THANKS!
>
> Harold
>
>
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Is that a buffer overflow or are you just happy to see me? -
----------------------------------------------------------------------
More information about the Redhat-install-list
mailing list