[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PHPwestoz] are there any know php vulnerabilities around?



On Wednesday 16 February 2005 17:11, Sol Hanna wrote:
> The crack involved index.php files in all directories under the web
> root being overwritten with an intelligent bit of cracker poetry
> thus:

> "Noturnos Crimez... OwnZ yOu, By Lord Cha0s.. * Mais um Dia se
> passa..tudo novo.. mais pq eu sempre me ferro? fiko triste.. e tudo
> por causa de uma minina que eu amo d+... nossa.. eu daria tudo pra
> tela comigo. nos meus braços abraçala , beijala.. pedir desculpas a
> ela.. nossa.. eu seria o cara mais feliz se vesse ela a ultima vez..
> soh queria dizer .. GISLAINE EU TI AMO! d+!!!!!"

> Just a text file.

> That seems to be the extent of the damage, though I'm still quite
> pissed off. Given that it has only affected index.php files in this
> way, it seems that a PHP vulnerability is to blame.

Not necessarily so, in fact the odds are against it. They may have 
pulled the index file name from your Apache config and got in by any 
one of a number of vulnerabilities. What other services does the box 
run? Do a thorough portscan from outside to be sure of what you're 
running and to be sure that your firewalling and/or tcpwrappers are 
working. Are they all needed? What other modules are loaded (mod_perl, 
forex) into Apache? Are they all needed? Does the webserver have write 
permission anywhere in the web tree (it shouldn't, it needs only read 
permission)? If it has write permission anywhere, have you configured 
Apache to prevent that place from being read or executed?

> Anyone know anything about this so I know how to take action
> to prevent it????? 

Switch off everything you don't need. Run chkrootkit and do a package 
rescan looking for kits and changed files. Run as much as possible 
chroot'ed. Don't give write permission to anything anywhere unless it's 
vital (mount -o remount,ro on a partition is good when write is not 
required at all, likewise -o remount,noexec for data-only partitions, 
chattr +i, yadda yadda). Don't let any servers read back or execute 
stuff that's been written. Don't use weak passwords. Update. Check your 
assumptions. Check machines that have ssh keys for this box.

Cheers; Leon

-- 
http://cyberknights.com.au/     Modern tools; traditional dedication
http://plug.linux.org.au/       Member, Perth Linux User Group
http://osia.net.au/             Member, Open Source Industry Australia
http://slpwa.asn.au/            Member, Linux Professionals WA
http://linux.org.au/            Member, Linux Australia