hacked?

Harold Hallikainen harold at hallikainen.com
Mon Apr 9 18:00:01 UTC 2007 

> On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
>> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
>> >> It looks like my system has been hacked! It looks like someone in
>> Russia
>> >> uploaded a php script, then wandered around my system, then deleted
>> the
>> >> script. Im running phpwiki, which allows for uploads. Apparently, it
>> >> allows for php scripts to be uploaded. I kinda thought php didn't
>> allow
>> >> access outside the public_html director, but it looks like they've
>> >> wandered through the system. Here are a few lines from the log...
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
>> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
>> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
>> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200
>> 209
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200
>> 119
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200
>> >> 119
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200
>> >> 200
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
>> >> HTTP/1.1" 200 2867
>> >>
>> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
>> >> HTTP/1.1"
>> >>
>> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>> >>
>> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
>> >> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>> >>
>> >>
>> >> Looking through the logs, it appears that only stuff in the
>> public_html
>> >> directory was accessed. I'm still looking, though.
>> >>
>> >> I'm guessing I should really do a fresh install of the OS and
>> >> everything.
>> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
>> >>
>> >> Any other ideas on securing the system?
>> >
>> > Yes.
>> >
>> > 1. Enable SElinux and put it in "enforcing" mode
>> >
>> > 2. Make sure Apache is set to run as "apache" (not root)
>> >
>> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
>> >
>> > 4. Limit uploads to a specific directory and do NOT allow them to be
>> >    executed unless you approve them (upload quarantine)
>> >
>> > 5. Set permissions on "significant" directories so they can't be read
>> or
>> >    traversed by apache.
>> >
>> > I also like to build Apache so all the stuff it needs can be put in a
>> > chroot jail, and chroot it.  Not easy, but useful.
>> >
>> >>
>> >> THANKS!
>> >>
>> >> Harold
>> >>
>>
>>
>> THANKS to those who have commented thus far. This all happened within
>> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
>> fix, but, of course, I want to do more than depend on that! As user
>> apache, it looks like the intruder was only able to look at stuff in my
>> public_html, which is public anyway. I do see an ls of my home directory
>> (the directory below the public_html), but since apache does not own
>> that
>> directory, I don't think anything could be read. When I originally
>> installed FC4, I had trouble with SE Linux preventing stuff from
>> working.
>> I finally disabled it. I'm in the middle of moving the server to FC6
>> (cloned the hard drive, now trying to get it to work...). I'll
>> definitely
>> try harder on SE Linux! My httpd access_log shows they used Google to
>> find
>> my system with the broken wiki upload. Here's the log entry:
>>
>> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET
>> /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993
>> "http:
>> //www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N"
>> "Mozilla/4.0 (compatible; M
>> SIE 6.0; Windows NT 5.1; DeluxeNetwork)"
>>
>> I'm sure it's buried in the documentation, but how do I tell Apache to
>> not
>> interpret anything in a particular directory, just pass it back to the
>> user? This upload directory is full of pdfs contributed by users.
>
> You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
> that directory which would cause Apache to send the PDFs as-is (with
> http headers added, of course).
>
>> In my 10 years or so of running my own linux server, this is the second
>> intrusion I've found. One was using an ssl bug that had been fixed, but
>> I
>> had not installed. This one, apparently, I'm the first to discover. The
>> writer of the wiki plugin fixed it within hours of my asking about it.
>
> Good response by the developer and he/she should be commended for it.
> However, one should never rely on third parties to secure one's
> machines...but you know that.  :-)
>
> ----------------------------------------------------------------------
> - Rick Stevens, Principal Engineer             rstevens at internap.com -


It seems like I always have to depend on someone to secure the machines to
some extent, whther it's the OS writers, the ap writers, or whatever. But,
I'll do my best (and, yes, I am learning!).

In the .htaccess, it seems that send-as-is *.pdf would not get around this
problem, since the hacker put in something called 100.php.3 . But, could I
put in send-as-is * and just have EVERYTHING sent as is, nothing
interpreted?

THANKS!

Harold

-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!

More information about the Redhat-install-list mailing list