From owner-freebsd-questions@FreeBSD.ORG Mon Feb 1 09:48:57 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 9E381106566B for ; Mon, 1 Feb 2010 09:48:57 +0000 (UTC) (envelope-from fbsd1@a1poweruser.com)
Received: from mail-03.name-services.com (mail-03.name-services.com [69.64.155.195]) by mx1.freebsd.org (Postfix) with ESMTP id 886C18FC21 for ; Mon, 1 Feb 2010 09:48:57 +0000 (UTC)
Received: from [10.0.10.3] ([202.69.173.143]) by mail-03.name-services.com with Microsoft SMTPSVC(6.0.3790.3959); Mon, 1 Feb 2010 01:48:57 -0800
Message-ID: <4B66A375.4090304@a1poweruser.com>
Date: Mon, 01 Feb 2010 17:48:37 +0800
From: Fbsd1
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Bogdan Webb
References:
In-Reply-To:
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 01 Feb 2010 09:48:57.0288 (UTC) FILETIME=[C5E67C80:01CAA323]
X-Sender: fbsd1@a1poweruser.com
Cc: freebsd-questions@freebsd.org
Subject: Re: Server compromised Zen-Cart "record company" Exploit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Feb 2010 09:48:57 -0000

Bogdan Webb wrote:
> try php's safe_mode but it is likely to keep the hackers off, indeed they
> can get in and snatch some data but they would be kept out of a shell's
> reach... but sometimes safe_mode is not enough... try considering Suhosin
> but the addon not the patch... and define the
> suhosin.executor.func.blacklist which will deny use of certain php commands
> that allow shell execution... but keep in mind it's impossible to prevent
> all breaches... this php patch will only keep the hacker kiddos off but
> there's still a good chance it can be broken... stay safe !
>
> ref's:
> http://www.hardened-php.net/suhosin.127.html
> http://beta.pgn.ro/phps/phpinfo.php
>
> 2010/1/31 James Smallacombe
>
>> Whoever speculated that my server may have been compromised was on to
>> something (see bottom). The good news is, it does appear to be contained to
>> the "www" unprivileged user (with no shell). The bad news is, they can
>> still cause a lot of trouble. I found the compromised customer site and
>> chmod 0 their cart (had php binaries called "core(some number).php" that gave
>> the hacker a nice browser screen to cause all kinds of trouble)
>>
>> Not sure if this is related to the UDP floods, but if not, it's a heck of a
>> coincidence. At times, CPU went through the roof for the www user, mostly
>> running some sort of perl scripts (nothing in the suexec-log). I would kill
>> apache, but couldn't restart it as it would show port 80 in use. I would
>> have to manually kill processes like these:
>>
>> www 70471 1.4 0.1 6056 3824 ?? R 4:21PM 0:44.75 [eth0] (perl)
>> www 70470 1.2 0.1 6060 3828 ?? R 4:21PM 0:44.50 [bash] (perl)
>> www 64779 1.0 0.1 6056 3820 ?? R 4:07PM 2:24.34 /sbin/klogd -c 1 -x -x (perl)
>> www 70472 1.0 0.1 6060 3828 ?? R 4:21PM 0:44.84
>>
>> I could not find ANY file named klogd on the system, let alone in /sbin.
>> Clues as to how to dig myself out of this are appreciated....
>>
>> I found this in /tmp/bx1.txt:
>>
>> #!/usr/bin/php
>>
>> #
>> # ------- Zen Cart 1.3.8 Remote Code Execution
>> # http://www.zen-cart.com/
>> # Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
>> # A new version (1.3.8a) is available on http://www.zen-cart.com/
>> #
>> # BlackH :)
>> #
>>
>> error_reporting(E_ALL ^ E_NOTICE);
>> if($argc < 2)
>> {
>> echo "
>> =___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
>> ========================================================================
>> | BlackH |
>> ========================================================================
>> | |
>> | \$system> php $argv[0] |
>> | Notes: ex: http://victim.com/site (no slash) |
>> | |
>> ========================================================================
>> ";exit(1);
>>
>> ----------- snipped ------
>>
>> It is dated from two nights ago, after these issues started, but it's
>> nonetheless alarming. Security Focus is aware of the issue and refers you to
>> Zen for the fix. Only problem is, this is an old version of Zen cart, and
>> the
>>
>> James Smallacombe PlantageNet, Inc. CEO and Janitor
>> up@3.am http://3.am
>> =========================================================================
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>

Check out port mod_security for apache31 and mod_security2 for apache22.
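As an added example (not code from anyone in this thread), a small Python script that applies the check James's ps output invites: on FreeBSD, ps(1) appends the kernel's command name in parentheses when a process has rewritten its argv[0], so "/sbin/klogd -c 1 -x -x (perl)" and "[eth0] (perl)" can be picked out mechanically and the claimed binary checked against the filesystem. The sample ps output is constructed from the quoted lines; the function name and the injectable `exists` predicate are assumptions of this example.

```python
import os
import re

# Constructed sample in `ps aux` layout, modelled on the lines quoted in the
# thread. FreeBSD ps(1) prints the kernel's command name in parentheses when
# it differs from the argv[0] a process presents, which is how a perl script
# that renamed itself "/sbin/klogd" or "[eth0]" gives itself away.
SAMPLE_PS = """\
USER   PID %CPU %MEM   VSZ  RSS TT  STAT STARTED    TIME COMMAND
www  70471  1.4  0.1  6056 3824 ??  R     4:21PM 0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060 3828 ??  R     4:21PM 0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056 3820 ??  R     4:07PM 2:24.34 /sbin/klogd -c 1 -x -x (perl)
www    812  0.0  0.2  9120 4400 ??  Ss    9:00AM 0:00.12 /usr/local/sbin/httpd -DNOHTTPACCEPT
root    25  0.0  0.0     0    0 ??  DL    9:00AM 0:00.03 [syncer]
"""

# USER PID, then eight fixed columns (%CPU %MEM VSZ RSS TT STAT STARTED TIME),
# then the free-form COMMAND field.
PS_LINE = re.compile(r"^(\S+)\s+(\d+)(?:\s+\S+){8}\s+(.*)$")
# COMMAND field of the form "<argv as displayed> (<real command name>)".
RENAMED = re.compile(r"^(?P<argv>.+?)\s+\((?P<real>[^()\s]+)\)$")


def find_masquerading(ps_output, exists=os.path.exists):
    """Return one dict per process whose kernel command name differs from the
    argv[0] it displays. `exists` tests whether the claimed binary is really
    on disk; it is injectable so the check can run against canned output."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        m = PS_LINE.match(line)
        if not m:
            continue
        user, pid, cmd = m.group(1), int(m.group(2)), m.group(3)
        r = RENAMED.match(cmd)
        if not r:
            continue                                  # argv[0] is the real name
        argv0, real = r.group("argv").split()[0], r.group("real")
        if os.path.basename(argv0).rstrip(":") == real:
            continue       # daemons that setproctitle() under their own name
        hits.append({
            "user": user, "pid": pid, "claimed": argv0, "real": real,
            # "[eth0]" imitates the bracketed form ps uses for kernel threads;
            # a real kernel thread never carries a parenthesised name.
            "fake_kernel_thread": argv0.startswith("[") and argv0.endswith("]"),
            "claimed_binary_on_disk": argv0.startswith("/") and exists(argv0),
        })
    return hits
```

On a live system, pass the captured output of `ps auxww` as `ps_output` and leave `exists` at its default so the claimed paths are checked against the real filesystem.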