hacked?

Mailing List

Home

Forum Home

Linux - General Red Hat Linux discussion list

Installation - Getting started with Red Hat Linux

Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)

Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)

Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)

Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)

Apache Web Server

Oracle database, Microsoft SQL server ...

Subjects

•	application/x mplayer2 plugin
•	RPM error: db4 error(16) from dbenv >remove: Device or resource busy
•	Command stream end of file while reading
•	X Windows problem (xauth)
•	Upgrading openoffice 1 1 rpm
•	FTP: connection refused
•	FTP: connection refused
•	mount: /dev/cdrom: is not a valid block device
•	Dell Precision 650, RedHat 9, no sound
•	how to trace the cause resulting in the crash of bind server
•	Virus on the list
•	UNINSTALL RPM MYSQL
•	usb pen drives: mounting as a user
•	broadcom network interface
•	make mrproper
•	Couldn 't open PID file /var/run/named/named pid Permission denied
•	sendmail configuration on redhat
•	kernel 2 6 and /dev/sound/mixer not found
•	Promise 378 controller
•	Problem using up2date
•	mrtg step by step howto/configuration for a newbie?
•	Compiling and Installing Kernel 2 6
•	Can 't locate module ppp0, can 't locate module ppp compress 21
•	Lotus Notes under Wine
•	HOW I CAN MAKE BOOTABLE FLOPPY DISKET
•	/etc/security/limits conf question
•	Intel E/1000 driver
•	rpm database corrupt
•	Command stream end of file while reading
•	qla2300 modules

hacked?

hacked?

2007-04-09 - By Rick Stevens

Back

Reply: 1 2 3 4 5 6 7 8 9 10 >>

On Mon, 2007-04-09 at 10:28 -0700, Harold Hallikainen wrote:
> > On Sat, 2007-04-07 at 10:19 -0700, Harold Hallikainen wrote:
> >> It looks like my system has been hacked! It looks like someone in Russia
> >> uploaded a php script, then wandered around my system, then deleted the
> >> script. Im running phpwiki, which allows for uploads. Apparently, it
> >> allows for php scripts to be uploaded. I kinda thought php didn't allow
> >> access outside the public_html director, but it looks like they've
> >> wandered through the system. Here are a few lines from the log...
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:19:39 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6602
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:19:58 -0700] "GET
> >> /BroadcastHistory/uploads/100.php3 HTTP/1.1" 200 160099
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:24 -0700] "POST
> >> /BroadcastHistory/index.php/UpLoad HTTP/1.1" 200 6604
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:48 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=home HTTP/1.1" 200 209
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=back HTTP/1.1" 200 119
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:49 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=forward HTTP/1.1" 200
> >> 119
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=up HTTP/1.1" 200 199
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:46 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3 HTTP/1.1" 200 18400
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:23:50 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=img&img=refresh HTTP/1.1" 200
> >> 200
> >>
> >> 89.110.7.202 - - [07/Apr/2007:01:24:40 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=ls&d=%2Fhome%2Fharold%2F&sort=0a
> >> HTTP/1.1" 200 2867
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:28:20 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=chmod&f=temp&d=%2Fhome%2Fharold
%2Fpublic_html%2Fmusic
> >> HTTP/1.1"
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:36:27 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=selfremove HTTP/1.1" 200 2975
> >>
> >> 91.122.3.139 - - [07/Apr/2007:01:36:35 -0700] "GET
> >> /BroadcastHistory/uploads/100.php.3?act=selfremove&rndcode=767&submit=767
> >>
> >>
> >> Looking through the logs, it appears that only stuff in the public_html
> >> directory was accessed. I'm still looking, though.
> >>
> >> I'm guessing I should really do a fresh install of the OS and
> >> everything.
> >> I'll look at security fixes for phpwiki, or maybe get rid of it.
> >>
> >> Any other ideas on securing the system?
> >
> > Yes.
> >
> > 1. Enable SElinux and put it in "enforcing" mode
> >
> > 2. Make sure Apache is set to run as "apache" (not root)
> >
> > 3. Make sure you have "safe_mode = on" in your /etc/php.ini script
> >
> > 4. Limit uploads to a specific directory and do NOT allow them to be
> > executed unless you approve them (upload quarantine)
> >
> > 5. Set permissions on "significant" directories so they can't be read or
> > traversed by apache.
> >
> > I also like to build Apache so all the stuff it needs can be put in a
> > chroot jail, and chroot it. Not easy, but useful.
> >
> >>
> >> THANKS!
> >>
> >> Harold
> >>
>
>
> THANKS to those who have commented thus far. This all happened within
> about 20 minutes. The writer of the phpWiki upload plugin has supplied a
> fix, but, of course, I want to do more than depend on that! As user
> apache, it looks like the intruder was only able to look at stuff in my
> public_html, which is public anyway. I do see an ls of my home directory
> (the directory below the public_html), but since apache does not own that
> directory, I don't think anything could be read. When I originally
> installed FC4, I had trouble with SE Linux preventing stuff from working.
> I finally disabled it. I'm in the middle of moving the server to FC6
> (cloned the hard drive, now trying to get it to work...). I'll definitely
> try harder on SE Linux! My httpd access_log shows they used Google to find
> my system with the broken wiki upload. Here's the log entry:
>
> 89.110.7.202 - - [07/Apr/2007:01:18:10 -0700] "GET
> /BroadcastHistory/index.php/PhpWikiDocumentation HTTP/1.1" 200 31993
> "http:
> //www.google.com/search?q=UpLoadPlugin+site:org&hl=en&rls=GGLG,GGLG:2006-04
,GGLG:en&start=20&sa=N"
> "Mozilla/4.0 (compatible; M
> SIE 6.0; Windows NT 5.1; DeluxeNetwork)"
>
> I'm sure it's buried in the documentation, but how do I tell Apache to not
> interpret anything in a particular directory, just pass it back to the
> user? This upload directory is full of pdfs contributed by users.

You could add an "AddHandler send-as-is .pdf" to an .htaccess file in
that directory which would cause Apache to send the PDFs as-is (with
http headers added, of course).

> In my 10 years or so of running my own linux server, this is the second
> intrusion I've found. One was using an ssl bug that had been fixed, but I
> had not installed. This one, apparently, I'm the first to discover. The
> writer of the wiki plugin fixed it within hours of my asking about it.

Good response by the developer and he/she should be commended for it.
However, one should never rely on third parties to secure one's
machines...but you know that. :-)

-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --
- Rick Stevens, Principal Engineer rstevens@(protected) -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- If this is the first day of the rest of my life... -
- I'm in BIG trouble! -
-- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- --

__ ____ ____ ____ ____ ____ ____ ____ ____ ____
Redhat-install-list mailing list
Redhat-install-list@(protected)
https://www.redhat.com/mailman/listinfo/redhat-install-list
To Unsubscribe Go To ABOVE URL or send a message to:
redhat-install-list-request@(protected)
Subject: unsubscribe