hacked?
Rick Stevens
rstevens at internap.com
Mon Apr 9 17:41:33 UTC 2007
On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
> >> It looks like my system has been hacked! It looks like someone in Russia
> >> uploaded a php script, then wandered around my system, then deleted the
> >> script. Im running phpwiki, which allows for uploads. Apparently, it
> >> allows for php scripts to be uploaded. I kinda thought php didn't allow
> >> access outside the public_html director, but it looks like they've
> >> wandered through the system. Here are a few lines from the log...
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> >> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200
> >> 119
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200
> >> 200
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> >> HTTP/1.1" 200 2867
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
> >> HTTP/1.1"
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
> >>
> >>
> >> Looking through the logs, it appears that only stuff in the public_html
> >> directory was accessed. I'm still looking, though.
> >>
> >> I'm guessing I should really do a fresh install of the OS and
> >> everything.
> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
> >>
> >> Any other ideas on securing the system?
> >
> > Yes.
> >
> > 1. Enable SElinux and put it in "enforcing" mode
> >
> > 2. Make sure Apache is set to run as "apache" (not root)
> >
> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
> >
> > 4. Limit uploads to a specific directory and do NOT allow them to be
> > executed unless you approve them (upload quarantine)
> >
> > 5. Set permissions on "significant" directories so they can't be read or
> > traversed by apache.
> >
> > I also like to build Apache so all the stuff it needs can be put in a
> > chroot jail, and chroot it. Not easy, but useful.
> >
> >>
> >> THANKS!
> >>
> >> Harold
> >>
>
>
> THANKS to those who have commented thus far. This all happened within
> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
> fix, but, of course, I want to do more than depend on that! As user
> apache, it looks like the intruder was only able to look at stuff in my
> public_html, which is public anyway. I do see an ls of my home directory
> (the directory below the public_html), but since apache does not own that
> directory, I don't think anything could be read. When I originally
> installed FC4, I had trouble with SE Linux preventing stuff from working.
> I finally disabled it. I'm in the middle of moving the server to FC6
> (cloned the hard drive, now trying to get it to work...). I'll definitely
> try harder on SE Linux! My httpd access_log shows they used Google to find
> my system with the broken wiki upload. Here's the log entry:
>
> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET
> /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993
> "http:
> //www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N"
> "Mozilla/4.0 (compatible; M
> SIE 6.0; Windows NT 5.1; DeluxeNetwork)"
>
> I'm sure it's buried in the documentation, but how do I tell Apache to not
> interpret anything in a particular directory, just pass it back to the
> user? This upload directory is full of pdfs contributed by users.
You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
that directory which would cause Apache to send the PDFs as-is (with
http headers added, of course).
> In my 10 years or so of running my own linux server, this is the second
> intrusion I've found. One was using an ssl bug that had been fixed, but I
> had not installed. This one, apparently, I'm the first to discover. The
> writer of the wiki plugin fixed it within hours of my asking about it.
Good response by the developer and he/she should be commended for it.
However, one should never rely on third parties to secure one's
machines...but you know that. :-)
----------------------------------------------------------------------
- Rick Stevens, Principal Engineer rstevens at internap.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- If this is the first day of the rest of my life... -
- I'm in BIG trouble! -
----------------------------------------------------------------------
More information about the Redhat-install-list
mailing list