Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 01 Feb 2010 17:48:37 +0800
From:      Fbsd1 <fbsd1@a1poweruser.com>
To:        Bogdan Webb <bogdan@pgn.ro>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Server compromised Zen-Cart "record company" Exploit
Message-ID:  <4B66A375.4090304@a1poweruser.com>
In-Reply-To: <c81e6afd1002010044i73455d61wde39310940777ac8@mail.gmail.com>
References:  <alpine.BSF.2.00.1001301829060.97440@mail.pil.net> <c81e6afd1002010044i73455d61wde39310940777ac8@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Bogdan Webb wrote:
> try php's safe_mode but it is likely to keep the hackers off, indeed they
> can get in and snatch some data but they would be kept out of a shell's
> reach... but sometimes safe_mode is not enough... try considering Suhosin
> but the addon not the patch... and define the
> suhosin.executor.func.blacklist witch will deny use of certain php commands
> that allow shell execution... but keep in mind it's impossible to prevent
> all breaches... this php patch will only keep the hacker kiddos off but
> there's still a good chance it can be broken... stay safe !
> 
> ref's:
> http://www.hardened-php.net/suhosin.127.html
> http://beta.pgn.ro/phps/phpinfo.php
> 
> 2010/1/31 James Smallacombe <up@3.am>
> 
>> Whoever speculated that my server may have been compromised was on to
>> something (see bottom).  The good news is, it does appear to be contained to
>> the "www" unpriveleged user (with no shell).  The bad news is, they can
>> still cause a lot of trouble.  I found the compromised customer site and
>> chmod 0 their cart (had php binaries called "core(some number).php that gave
>> the hacker a nice browser screen to cause all kinds of trouble)
>>
>> Not sure if this is related to the UDP floods, but if not, it's a heck of a
>> coincidence.  At times, CPU went through the roof for the www user, mostly
>> running some sort of perl scripts (nothing in the suexec-log).  I would kill
>> apache, but couldn't restart it as it would show port 80 in use.  I would
>> have to manually kill processes like these:
>>
>> www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
>> www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
>> www  64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34
>> /sbin/klogd -c 1 -x -x (perl)
>> www   70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84
>>
>> I could not find ANY file named klogd on the system, let alone in /sbin.
>> Clues as to how to dig myself out of this are appreciated....
>>
>> I found this in /tmp/bx1.txt:
>>
>> --More--(5%)#!/usr/bin/php
>> <?php
>>
>> #
>> # ------- Zen Cart 1.3.8 Remote Code Execution
>> # http://www.zen-cart.com/
>> # Zen Cart Ecommerce - putting the dream of server rooting within reach of
>> anyone!
>> # A new version (1.3.8a)  is avaible on http://www.zen-cart.com/
>> #
>> # BlackH :)
>> #
>>
>> error_reporting(E_ALL ^ E_NOTICE);
>> if($argc < 2)
>> {
>> echo "
>> =___________ Zen Cart 1.3.8 Remote Code Execution Exploit  ____________=
>> ========================================================================
>> |                  BlackH <Bl4ck.H@gmail.com>                          |
>> ========================================================================
>> |                                                                      |
>> | \$system> php $argv[0] <url>                                        |
>> | Notes: <url>      ex: http://victim.com/site (no slash)              |
>> |                                                                      |
>> ========================================================================
>> ";exit(1);
>>
>> -----------  snipped ------
>>
>> It is dated from two nights ago, after these issues started, but it's
>> nonetheless larming.  Security Focus is aware of the issue and refers you to
>> Zen for the fix.  Only problem is, this is an old version of Zen cart, and
>> the
>>
>> James Smallacombe                     PlantageNet, Inc. CEO and Janitor
>> up@3.am                                                     http://3.am
>> =========================================================================
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe@freebsd.org"
>>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> 
>


check out port mod_security for apache31 and mod_security2 for apache22



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B66A375.4090304>