Help, hacker uploading files /tmp with external PHP code

Most of this files would be empty or not harmful if you disable = "system, exec" in your php.ini also set safe mode = on (you can disable some of the safe mode individually on your httpd.conf if some customer require)

i wrote a small perl script that i use as a cron each 10 minutes looking for strange files in my /tmp

then by the time i can grep all .php in domlogs and the execute some of the pages in order to discover which of then is causing the file injection or jamming it on /tmp

good luck ; )

Claudio

 

mod_security and a good rule set should stop most of those type of attacks, catches a lot on one of my boxes, also mounting /tmp noexec would be a good idea, this has been discussed many times on this board so just do a search

 

Really, care to enlighten all of use as to how you would disable safe mode on an individual basis?

 

nice thingy, would be nice if you shared it with us.

 

Get mod_security and a good ruleset, and use this code:

SecFilter "page=http"

The problem is poorly written PHP code that just fopen's a page / URL and doesn't check / use an array to grab from.

 

Upgrading your PHP CMS/blog/forum/whatever would be the ultimate solution. index2.php looks mambo-ish. make sure you client is running the most current version - go so far as to disable their site until they do upgarde. Security should be as large an issue for them as it is for you (IMHO).

As for mod_security, use it, love it, embrace it, be one with it.

Current ruleset that works for me:

Code:

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

#More PHPBB worms
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)" 

 

Hi Have u run /scripts/securetmp before?

 

Securetmp wouldn't help, as it's running a perl script.

You can try chmod 750 /usr/bin/wget and also chmod 750 /usr/bin/curl

As curl is being used to download the item. Many different ways to secure against this attack.

 

Try to set allow_url_fopen = Off. You can find that in php.ini file.

Regards, Erik

 

How do you add that ruleset for mod_security by the way ??

Can i get a step by step instruction for that please as i would like to use yours destr0yr

 

destr0yr

The ruleset destr0yr is using looks like the default for mod_security and won't help much.

You need to login by shell and have the ruleset edited then restart apache. If you have more questions about this PM me.