[PHPwestoz] are there any know php vulnerabilities around?
Leon Brooks
leon at cyberknights.com.au
Wed Feb 16 18:10:02 UTC 2005
On Wednesday 16 February 2005 17:11, Sol Hanna wrote:
> The crack involved index.php files in all directories under the web
> root being overwritten with an intelligent bit of cracker poetry
> thus:
> "Noturnos Crimez... OwnZ yOu, By Lord Cha0s.. * Mais um Dia se
> passa..tudo novo.. mais pq eu sempre me ferro? fiko triste.. e tudo
> por causa de uma minina que eu amo d+... nossa.. eu daria tudo pra
> tela comigo. nos meus braços abraçala , beijala.. pedir desculpas a
> ela.. nossa.. eu seria o cara mais feliz se vesse ela a ultima vez..
> soh queria dizer .. GISLAINE EU TI AMO! d+!!!!!"
> Just a text file.
> That seems to be the extent of the damage, though I'm still quite
> pissed off. Given that it has only affected index.php files in this
> way, it seems that a PHP vulnerability is to blame.
Not necessarily so; in fact, the odds are against it. They may have
pulled the index file name from your Apache config and got in by any
one of a number of vulnerabilities. What other services does the box
run? Do a thorough portscan from outside to be sure of what you're
running and to be sure that your firewalling and/or tcpwrappers are
working. Are they all needed? What other modules are loaded (mod_perl,
forex) into Apache? Are they all needed? Does the webserver have write
permission anywhere in the web tree (it shouldn't, it needs only read
permission)? If it has write permission anywhere, have you configured
Apache to prevent that place from being read or executed?
> Anyone know anything about this so I know how to take action
> to prevent it?????
Switch off everything you don't need. Run chkrootkit and do a package
rescan looking for kits and changed files. Run as much as possible
chroot'ed. Don't give write permission to anything anywhere unless it's
vital (mount -o remount,ro on a partition is good when write is not
required at all, likewise -o remount,noexec for data-only partitions,
chattr +i, yadda yadda). Don't let any servers read back or execute
stuff that's been written. Don't use weak passwords. Update. Check your
assumptions. Check machines that have ssh keys for this box.
Cheers; Leon
--
http://cyberknights.com.au/ Modern tools; traditional dedication
http://plug.linux.org.au/ Member, Perth Linux User Group
http://osia.net.au/ Member, Open Source Industry Australia
http://slpwa.asn.au/ Member, Linux Professionals WA
http://linux.org.au/ Member, Linux Australia
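One way to check the write-permission point Leon raises above, as an added example that is not part of the original thread: it walks a document root and reports every path whose mode bits would let the web server account write to it, so the goal is an empty report. It assumes the Apache account is passed in by name (a placeholder such as www-data) and that the tree is passed as the first argument; it audits mode bits only, so root or ACL-granted access is outside its scope.

```shell
#!/bin/sh
# Added example, not code from the original thread. Lists paths under a
# document root that the given account could write: owned by it with the
# owner write bit, in its primary group with the group write bit, or
# world-writable. A hardened tree, as recommended in the post, yields none.
# Assumption: USER is the account Apache runs as (e.g. the placeholder
# "www-data"); DOCROOT is the web tree to audit.

# writable_paths DOCROOT USER -> one writable path per line
writable_paths() {
    docroot=$1
    user=$2
    group=$(id -gn "$user")          # primary group of the server account
    find "$docroot" \
        \( -user "$user" -perm -200 \) -o \
        \( -group "$group" -perm -020 \) -o \
        -perm -002
}

# writable_count DOCROOT USER -> number of writable paths (0 is the goal)
writable_count() {
    writable_paths "$1" "$2" | wc -l | tr -d ' '
}

# Usage: audit_webtree /var/www/htdocs www-data
audit_webtree() {
    n=$(writable_count "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "OK: $2 cannot write anywhere under $1"
    else
        echo "WARNING: $n path(s) under $1 writable by $2:"
        writable_paths "$1" "$2"
    fi
    return "$n"
}
```

Run it after the clean-up and again after each deployment; a non-zero count points at directories that also need the Apache read/execute restriction Leon mentions.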