hacked?

Harold Hallikainen harold at hallikainen.com
Tue Apr 10 04:34:10 UTC 2007


>
> On Mon, April 9, 2007 12:26 pm, Rick Stevens wrote:
>> On Mon, 2007-04-09 at 11:00 -0700, Harold Hallikainen wrote:
>>> > On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
>>> >> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
>>> >> >> It looks like my system has been hacked! It looks like someone in Russia
>>> >> >> uploaded a php script, then wandered around my system, then deleted the
>>> >> >> script. I'm running phpwiki, which allows for uploads. Apparently, it
>>> >> >> allows for php scripts to be uploaded. I kinda thought php didn't allow
>>> >> >> access outside the public_html directory, but it looks like they've
>>> >> >> wandered through the system. Here are a few lines from the log...
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200 119
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200 200
>>> >> >>
>>> >> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867
>>> >> >>
>>> >> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html%2Fmusic HTTP/1.1"
>>> >> >>
>>> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
>>> >> >>
>>> >> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
>>> >> >>
>>> >> >>
>>> >> >> Looking through the logs, it appears that only stuff in the public_html
>>> >> >> directory was accessed. I'm still looking, though.
>>> >> >>
>>> >> >> I'm guessing I should really do a fresh install of the OS and everything.
>>> >> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
>>> >> >>
>>> >> >> Any other ideas on securing the system?
>>> >> >
>>> >> > Yes.
>>> >> >
>>> >> > 1. Enable SElinux and put it in "enforcing" mode
>>> >> >
>>> >> > 2. Make sure Apache is set to run as "apache" (not root)
>>> >> >
>>> >> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
>>> >> >
>>> >> > 4. Limit uploads to a specific directory and do NOT allow them to be
>>> >> >    executed unless you approve them (upload quarantine)
>>> >> >
>>> >> > 5. Set permissions on "significant" directories so they can't be read or
>>> >> >    traversed by apache.
>>> >> >
>>> >> > I also like to build Apache so all the stuff it needs can be put in a
>>> >> > chroot jail, and chroot it.  Not easy, but useful.
>>> >> >
>>> >> >>
>>> >> >> THANKS!
>>> >> >>
>>> >> >> Harold
>>> >> >>
>>> >>
>>> >>
>>> >> THANKS to those who have commented thus far. This all happened within
>>> >> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
>>> >> fix, but, of course, I want to do more than depend on that! As user
>>> >> apache, it looks like the intruder was only able to look at stuff in my
>>> >> public_html, which is public anyway. I do see an ls of my home directory
>>> >> (the directory below the public_html), but since apache does not own that
>>> >> directory, I don't think anything could be read. When I originally
>>> >> installed FC4, I had trouble with SE Linux preventing stuff from working.
>>> >> I finally disabled it. I'm in the middle of moving the server to FC6
>>> >> (cloned the hard drive, now trying to get it to work...). I'll definitely
>>> >> try harder on SE Linux! My httpd access_log shows they used Google to find
>>> >> my system with the broken wiki upload. Here's the log entry:
>>> >>
>>> >> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993 "http://www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04,GGLG:en&start=20&sa=N" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DeluxeNetwork)"
>>> >>
>>> >> I'm sure it's buried in the documentation, but how do I tell Apache to not
>>> >> interpret anything in a particular directory, just pass it back to the
>>> >> user? This upload directory is full of pdfs contributed by users.
>>> >
>>> > You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
>>> > that directory which would cause Apache to send the PDFs as-is (with
>>> > http headers added, of course).
>>> >
>>> >> In my 10 years or so of running my own linux server, this is the second
>>> >> intrusion I've found. One was using an ssl bug that had been fixed, but I
>>> >> had not installed. This one, apparently, I'm the first to discover. The
>>> >> writer of the wiki plugin fixed it within hours of my asking about it.
>>> >
>>> > Good response by the developer and he/she should be commended for it.
>>> > However, one should never rely on third parties to secure one's
>>> > machines...but you know that.  :-)
>>> >
>>> > ----------------------------------------------------------------------
>>> > - Rick Stevens, Principal Engineer             rstevens at internap.com -
>>>
>>>
>>> It seems like I always have to depend on someone to secure the machines to
>>> some extent, whether it's the OS writers, the app writers, or whatever. But,
>>> I'll do my best (and, yes, I am learning!).
>>>
>>> In the .htaccess, it seems that send-as-is *.pdf would not get around this
>>> problem, since the hacker put in something called 100.php.3 . But, could I
>>> put in send-as-is * and just have EVERYTHING sent as is, nothing
>>> interpreted?
>>
>> Yes, that would do it.  And make sure you do that ESPECIALLY in the
>> upload directory.
>
> Doesn't that prevent index.cgi type files from working correctly?
>
> Karl
>

Since the upload directory is exclusively user contributed pdfs, I don't
want Apache to interpret anything (its interpreting a php is what got me
in trouble). So, I think "AddHandler send-as-is *" in the .htaccess of
this directory is appropriate. By the way, if anyone is interested, you
can see the wiki in question at
http://www.hallikainen.org/BroadcastHistory .

THANKS!

Harold

-- 
FCC Rules Updated Daily at http://www.hallikainen.com - Advertising
opportunities available!
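As an added example that is not part of this thread, here is a small Python detector for the kind of webshell activity the quoted access_log lines record: requests into the wiki's upload directory for a file with a script extension component (Apache's mod_mime matches handlers on any extension component, which is why `100.php.3` still reached the PHP handler) combined with shell-style `act=` parameters and absolute paths in the query string. The upload directory name is taken from the thread; the log lines it scans are constructed in the same format, using TEST-NET addresses instead of the real ones.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache access-log shape from the thread; status and size may be missing on a cut-off line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*"')
UPLOAD_DIR = "/BroadcastHistory/uploads/"  # the wiki's upload directory named in the thread
# mod_mime maps handlers on any extension component, so 100.php.3 still reaches the .php
# handler; treat any of these components in an uploaded file name as executable.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl", "py", "sh"}
# "act" values seen in the thread's excerpt plus two common webshell verbs
SHELL_ACTIONS = {"ls", "chmod", "selfremove", "cmd", "eval"}

def classify(line):
    """Return the reasons a log line looks like webshell use of an upload; [] if none."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    if not path.startswith(UPLOAD_DIR):
        return []
    reasons = []
    name = path[len(UPLOAD_DIR):]
    if {part.lower() for part in name.split(".")[1:]} & SCRIPT_EXTS:
        reasons.append(f"executable extension in upload: {name}")
    params = parse_qs(url.query)
    act = params.get("act", [""])[0]
    if act in SHELL_ACTIONS:
        reasons.append(f"shell-style action act={act}")
    if any(v.startswith("/") for vals in params.values() for v in vals):
        reasons.append("absolute filesystem path passed as a parameter")
    return reasons

def scan(lines):
    """Keep only suspicious requests, as (client ip, decoded path, reasons) tuples."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), unquote(urlsplit(m.group("target")).path), reasons))
    return hits

# Constructed sample lines in the thread's log format (TEST-NET addresses, not the real ones).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Apr/2007:01:19:39 -0700] "POST /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602',
    '198.51.100.7 - - [07/Apr/2007:01:20:02 -0700] "GET /BroadcastHistory/uploads/fcc_rules.pdf HTTP/1.1" 200 40211',
    '198.51.100.7 - - [07/Apr/2007:01:24:40 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a HTTP/1.1" 200 2867',
    '203.0.113.9 - - [07/Apr/2007:01:28:20 -0700] "GET /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold%2Fpublic_html HTTP/1.1"',
]
```

Calling `scan(SAMPLE_LOG)` returns the two `100.php.3` requests with their reasons; the upload POST and the PDF fetch are left alone.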




More information about the Redhat-install-list mailing list