Thread: FTP Hacker
Old 07-11-2009, 12:54 PM
ramzex
Crap!

This is not the iframe method!
We had the exact same issues on our customers' web servers.
We have investigated this issue and found the following:

1. A PHP shell script (which contains numerous PHP/Apache/Zend vulnerabilities) has been uploaded through an XSS attack.

2. Script has been used to gather usernames from the servers.

3. Script has modified the passwords of the accounts located in /etc/passwd

4. Hackers connected from different IPs to the FTP accounts and uploaded/deleted files.

Solution:
1. Upgrade to Apache 2.2 with the latest PHP version (a must!) and compile with suhosin, suphp, suexec!

2. Install mod_security from the cPanel addons!

3. Install mod_security rules from gotroot.com (they have a free rules download also).

4. Install the ClamAV addon from cPanel.

5. Forbid the following functions in PHP:

Quote:
exec, popen, pclose, ini_set, php_eval, safe_dir, zend, glob, root, chdir, ftok, posix_access, egy_perl, symlink, set_time_limit, ini_restore, shell_exec, passthru, error_log, ini_alter, dl, openlog, syslog, readlink, symlink, link, leak, popen, escapeshellcmd, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, escapeshellarg, pcntl_exec, exec, passthru, popen, wscript, curl_exec, apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, realpath
Please note that some functions like realpath or chdir may be used by some websites.

6. Enable FTP TLS Encryption Support as Required!

7. Change your SSH port to something else.

8. Enable Brute-Force protection.

9. Install a firewall.

We found that the shell scripts uploaded were base64 encoded.

Use this search command over SSH to find files that are base64 encoded and take a look at them, as they may be backdoors:

Quote:
find /home -type f -name "*.php*" -print0 | xargs -0 grep -l "eval(gzinflate(base64_decode"
Replace "/home" with your path.

Also find files that use the PHP function "posix_getpwuid", as this is how they list the server's usernames!

There are other vulnerabilities with Zend also!
Even if you enable Safe Mode in PHP they can still list /etc/passwd or any other system file, even though the open_basedir restriction is enabled.
We are still investigating this and I will update you as soon as we have a solution.

We also found another Perl script that came with the shell code above.
It uses the symlink() function to create a symlink from the vulnerable account to any other account or directory on the server. This way they have access to everything.

If someone has more ideas on how to secure the server against these vulnerabilities, please let us know.

I will also keep you updated.

Thanks.

Last edited by ramzex; 07-11-2009 at 12:57 PM.
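A scan script in the spirit of the find command in the post above, added here as an example and not part of ramzex's post: it looks for PHP files that carry either the obfuscated-shell loader signature or the posix_getpwuid user-enumeration call. The directory layout and sample files are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: scan a web root for PHP files
# carrying either the obfuscated-shell signature (eval(gzinflate(base64_decode)
# or the user-enumeration call (posix_getpwuid) that the post describes.
# Prints each matching path on its own line; exit status 0 if anything matched.
scan_php_backdoors() {
    root="$1"
    # -name must come before -print0: -print0 is an action that always
    # succeeds, so placing it first would hand every regular file to grep.
    find "$root" -type f -name '*.php*' -print0 \
        | xargs -0 grep -lE 'eval\(gzinflate\(base64_decode|posix_getpwuid' 2>/dev/null
}

# Build a small constructed directory tree so the scan can be run offline.
# Echoes the temporary directory path; the caller removes it when done.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/site1/public_html" "$dir/site2/public_html"
    # obfuscated shell loader, the pattern the post's find command greps for
    printf '<?php eval(gzinflate(base64_decode("..."))); ?>\n' \
        > "$dir/site1/public_html/img.php"
    # user enumeration via posix_getpwuid
    printf '<?php echo posix_getpwuid(0)["name"]; ?>\n' \
        > "$dir/site2/public_html/users.php"
    # clean file: must not be reported
    printf '<?php echo "hello"; ?>\n' > "$dir/site2/public_html/index.php"
    # same signature but not a .php file: outside the scan's scope
    printf 'eval(gzinflate(base64_decode(\n' > "$dir/site1/notes.txt"
    echo "$dir"
}

# Stand-alone run: scan the constructed tree, print the hits, then clean up.
sample=$(make_sample_tree)
scan_php_backdoors "$sample"
rm -rf "$sample"
```

Point scan_php_backdoors at the real web root (for example /home) instead of the constructed tree; files it reports are candidates for manual review, not confirmed backdoors.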