hacked?

Karl Pearson karlp at ourldsfamily.com
Tue Apr 10 02:39:39 UTC 2007


On Mon, April 9, 2007 12:26 pm, Rick Stevens wrote:
> On Mon, 2007-04-09 at 11:00 -0700, Harold Hallikainen wrote:
>> > On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
>> >> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
>> >> >> It looks like my system has been hacked! It looks like someone in
>> >> Russia
>> >> >> uploaded a php script, then wandered around my system, then deleted
>> >> the
>> >> >> script. I'm running phpwiki, which allows for uploads. Apparently, it
>> >> >> allows for php scripts to be uploaded. I kinda thought php didn't
>> >> allow
>> >> >> access outside the public_html directory, but it looks like they've
>> >> >> wandered through the system. Here are a few lines from the log...
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
>> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
>> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
>> >> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200
>> >> 209
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200
>> >> 119
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200
>> >> >> 119
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200
>> >> >> 200
>> >> >>
>> >> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
>> >> >> HTTP/1.1" 200 2867
>> >> >>
>> >> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic
>> >> >> HTTP/1.1"
>> >> >>
>> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>> >> >>
>> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
>> >> >> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>> >> >>
>> >> >>
>> >> >> Looking through the logs, it appears that only stuff in the
>> >> public_html
>> >> >> directory was accessed. I'm still looking, though.
>> >> >>
>> >> >> I'm guessing I should really do a fresh install of the OS and
>> >> >> everything.
>> >> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
>> >> >>
>> >> >> Any other ideas on securing the system?
>> >> >
>> >> > Yes.
>> >> >
>> >> > 1. Enable SElinux and put it in "enforcing" mode
>> >> >
>> >> > 2. Make sure Apache is set to run as "apache" (not root)
>> >> >
>> >> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
>> >> >
>> >> > 4. Limit uploads to a specific directory and do NOT allow them to be
>> >> >    executed unless you approve them (upload quarantine)
>> >> >
>> >> > 5. Set permissions on "significant" directories so they can't be read
>> >> or
>> >> >    traversed by apache.
>> >> >
>> >> > I also like to build Apache so all the stuff it needs can be put in a
>> >> > chroot jail, and chroot it.  Not easy, but useful.
>> >> >
>> >> >>
>> >> >> THANKS!
>> >> >>
>> >> >> Harold
>> >> >>
>> >>
>> >>
>> >> THANKS to those who have commented thus far. This all happened within
>> >> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
>> >> fix, but, of course, I want to do more than depend on that! As user
>> >> apache, it looks like the intruder was only able to look at stuff in my
>> >> public_html, which is public anyway. I do see an ls of my home directory
>> >> (the directory below the public_html), but since apache does not own
>> >> that
>> >> directory, I don't think anything could be read. When I originally
>> >> installed FC4, I had trouble with SE Linux preventing stuff from
>> >> working.
>> >> I finally disabled it. I'm in the middle of moving the server to FC6
>> >> (cloned the hard drive, now trying to get it to work...). I'll
>> >> definitely
>> >> try harder on SE Linux! My httpd access_log shows they used Google to
>> >> find
>> >> my system with the broken wiki upload. Here's the log entry:
>> >>
>> >> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET
>> >> /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993
>> >> "http:
>> >> //www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N"
>> >> "Mozilla/4.0 (compatible; M
>> >> SIE 6.0; Windows NT 5.1; DeluxeNetwork)"
>> >>
>> >> I'm sure it's buried in the documentation, but how do I tell Apache to
>> >> not
>> >> interpret anything in a particular directory, just pass it back to the
>> >> user? This upload directory is full of pdfs contributed by users.
>> >
>> > You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
>> > that directory which would cause Apache to send the PDFs as-is (with
>> > http headers added, of course).
>> >
>> >> In my 10 years or so of running my own linux server, this is the second
>> >> intrusion I've found. One was using an ssl bug that had been fixed, but
>> >> I
>> >> had not installed. This one, apparently, I'm the first to discover. The
>> >> writer of the wiki plugin fixed it within hours of my asking about it.
>> >
>> > Good response by the developer and he/she should be commended for it.
>> > However, one should never rely on third parties to secure one's
>> > machines...but you know that.  :-)
>> >
>> > ----------------------------------------------------------------------
>> > - Rick Stevens, Principal Engineer             rstevens at internap.com -
>>
>>
>> It seems like I always have to depend on someone to secure the machines to
>> some extent, whether it's the OS writers, the app writers, or whatever. But,
>> I'll do my best (and, yes, I am learning!).
>>
>> In the .htaccess, it seems that send-as-is *.pdf would not get around this
>> problem, since the hacker put in something called 100.php.3 . But, could I
>> put in send-as-is * and just have EVERYTHING sent as is, nothing
>> interpreted?
>
> Yes, that would do it.  And make sure you do that ESPECIALLY in the
> upload directory.

Doesn't that prevent index.cgi type files from working correctly?

Karl


> ----------------------------------------------------------------------
> - Rick Stevens, Principal Engineer             rstevens at internap.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -   To understand recursion, you must first understand recursion.    -
> ----------------------------------------------------------------------


-- 
karl
     _/  _/      _/      _/_/_/       ____________   __o
    _/ _/       _/      _/    _/     ____________  _-\<._
   _/_/        _/      _/_/_/                     (_)/ (_)
  _/ _/       _/      _/           ......................
 _/   _/ arl _/_/_/  _/ earson    KarlP at ourldsfamily.com
---
Senior Consulting Sys/DB Analyst
http://consulting.ourldsfamily.com
---
 My Thoughts on Terrorism In America right after 9/11/2001:
 http://www.ourldsfamily.com/wtc.shtml
---
 The world is a dangerous place to live... not because of
 the people who are evil, but because of the people who
 don't do anything about it.
 - Albert Einstein
---
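The thread's fix is to stop Apache interpreting anything in the upload directory, and Karl's worry is that doing so site-wide would break index.cgi. Scoping the restriction to the upload directory avoids that; the block below is an added example, not configuration from the thread, written for Apache 2.2 with mod_php and assuming the upload directory is /home/harold/public_html/BroadcastHistory/uploads (the quoted log suggests this path but does not state it). It uses default-handler rather than send-as-is because mod_asis expects each file to carry its own HTTP headers, and it also defeats mod_mime's multi-extension matching, which is why a name like 100.php.3 was executed in the first place: any extension segment that maps to a handler triggers it.

```apache
# Added example (not from the thread): lock down ONLY the upload directory,
# so index.cgi and the wiki's own PHP elsewhere keep working.
# Apache 2.2 / mod_php syntax. Belongs in httpd.conf, not .htaccess, because
# AllowOverride and php_admin_flag are not honoured from .htaccess.
# Path is an assumption drawn from the quoted log lines.
<Directory "/home/harold/public_html/BroadcastHistory/uploads">
    # No CGI, no server-side includes, no directory listings
    Options -ExecCGI -Includes -Indexes

    # An uploaded .htaccess must not be able to re-enable anything
    AllowOverride None

    # Every file here is static: this bypasses any AddHandler/AddType mapping,
    # including mod_mime's multi-extension match on names like 100.php.3
    SetHandler default-handler

    # mod_php only: refuse to run PHP here even if a handler mapping slips through
    php_admin_flag engine off

    # Do not even serve the source of script-looking uploads. The regex checks
    # every extension segment, so 100.php3, 100.php.3 and x.PHP.txt all match.
    <FilesMatch "(?i)\.(php[0-9]?|phtml|cgi|pl|py|sh)(\.|$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>
```

After reloading httpd, request one of the contributed PDFs and a file named test.php.3 in that directory: the PDF should download unchanged and the second request should return 403.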
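Harold found the intrusion by reading access_log by hand; the pattern he describes (a POST to the wiki's UpLoad action followed within minutes by GETs of a script-named file under /uploads/) can be detected mechanically. The script below is an added example, not code from the thread: it parses combined-format log lines, applies the same multi-extension rule Apache's mod_mime uses so that both 100.php3 and 100.php.3 are caught, and correlates each hit with a preceding upload POST. The sample log is constructed from four lines quoted in the thread plus one made-up benign PDF download.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample: four lines copied from the access_log quoted in the thread,
# plus one constructed benign line (a user fetching a contributed PDF).
SAMPLE_LOG = [
    '89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602',
    '89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099',
    '89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867',
    '91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975',
    '10.0.0.5 - - [07/Apr/2007:02:00:00 -0700] "GET /BroadcastHistory/uploads/schedule.pdf HTTP/1.1" 200 51200',  # constructed
]
UPLOAD_DIR = "/BroadcastHistory/uploads/"               # paths from the thread
UPLOAD_ENDPOINT = "/BroadcastHistory/index.php/UpLoad"
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "py", "sh"}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*"(?: (?P<status>\d{3}))?')

def is_script_name(path):
    """Mirror mod_mime's multi-extension rule: if ANY dot-separated segment after
    the first maps to a script handler, Apache may execute the file.
    So 100.php3 and 100.php.3 are both caught; schedule.pdf is not."""
    name = path.rsplit("/", 1)[-1]
    return any(seg.lower() in SCRIPT_EXTS for seg in name.split(".")[1:])

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")  # tz offset dropped
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": urlsplit(m["target"]).path, "status": m["status"]}

def find_upload_abuse(lines, window_minutes=10):
    """Flag every request for a script-named file under the upload directory.
    Label it 'upload-then-execute' when an upload POST (from any client)
    preceded it within the window, otherwise 'script-served'."""
    events = [e for e in map(parse, lines) if e]
    posts = [e["ts"] for e in events if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT]
    window = timedelta(minutes=window_minutes)
    alerts = []
    for e in events:
        if e["path"].startswith(UPLOAD_DIR) and is_script_name(e["path"]):
            preceded = any(t <= e["ts"] <= t + window for t in posts)
            alerts.append((e["ip"], e["path"], "upload-then-execute" if preceded else "script-served"))
    return alerts

if __name__ == "__main__":
    for ip, path, label in find_upload_abuse(SAMPLE_LOG):
        print(f"{label:20} {ip:15} {path}")
```

On the sample, the two GETs within ten minutes of the POST are labelled upload-then-execute and the later selfremove request from the second address is labelled script-served; the PDF download is not reported.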