From: James Smallacombe
Date: Mon, 1 Feb 2010 11:12:12 -0500 (EST)
To: freebsd-questions@freebsd.org
Subject: Re: Server compromised Zen-Cart "record company" Exploit

(please reply-all; I am not sub'd and sorry for the top posting):

I have safe_mode off due to popular demand. So many customer apps demand that it be kept off. In fact, here is a post from one of the Zen people on the Zen-cart forum. In light of this exploit, this might be a little ironic:

http://www.zen-cart.com/forum/showthread.php?t=76740

"There is one for-sure patch: Turn off safe-mode. Keep in mind that future versions of PHP will *not* even include a safe-mode ... because it's a weak bandage giving a false sense of security to hosts who don't otherwise know how to properly secure their servers. This begs the question: why? ie: why would you want to run your online business on a server that's got to use safe-mode in order to think they're securing the server? I'm not trying to badmouth your server administrator; rather I'm attempting to strongly make the point that unless safe-mode is being used for a very specific reason for which there is no other solution (an unlikely situation), it shouldn't be used. And, if it is being used, you shouldn't run your business there, because there will be other security issues to which you'll be vulnerable but never have a clue about it until disaster strikes, because the big picture of security protection has been poorly implemented.

That said, Zen Cart will install and run even if Safe Mode is active; however, you run the risk of certain features not working with or without notice, and the unexpected appearance of warning or fatal errors while customers are using the site. And then there's the issue of the admin side needing to do various things that safe-mode doesn't like.

So, I guess, in short ... you can do it, but you do so at your own risk. Maybe that's more than you wanted to hear ... sorry"

----
From: Bogdan Webb

try php's safe_mode but it is likely to keep the hackers off, indeed they can get in and snatch some data but they would be kept out of a shell's reach... but sometimes safe_mode is not enough... try considering Suhosin but the addon not the patch... and define the suhosin.executor.func.blacklist which will deny use of certain php commands that allow shell execution... but keep in mind it's impossible to prevent all breaches... this php patch will only keep the hacker kiddos off but there's still a good chance it can be broken... stay safe !

ref's:
http://www.hardened-php.net/suhosin.127.html
http://beta.pgn.ro/phps/phpinfo.php

On Sun, 31 Jan 2010, James Smallacombe wrote:

> Whoever speculated that my server may have been compromised was on to
> something (see bottom). The good news is, it does appear to be contained to
> the "www" unprivileged user (with no shell). The bad news is, they can still
> cause a lot of trouble. I found the compromised customer site and chmod 0
> their cart (had php binaries called "core(some number).php" that gave the
> hacker a nice browser screen to cause all kinds of trouble)
>
> Not sure if this is related to the UDP floods, but if not, it's a heck of a
> coincidence. At times, CPU went through the roof for the www user, mostly
> running some sort of perl scripts (nothing in the suexec-log). I would kill
> apache, but couldn't restart it as it would show port 80 in use. I would
> have to manually kill processes like these:
>
> www 70471 1.4 0.1 6056 3824 ?? R 4:21PM 0:44.75 [eth0] (perl)
> www 70470 1.2 0.1 6060 3828 ?? R 4:21PM 0:44.50 [bash] (perl)
> www 64779 1.0 0.1 6056 3820 ?? R 4:07PM 2:24.34 /sbin/klogd -c 1 -x -x (perl)
> www 70472 1.0 0.1 6060 3828 ?? R 4:21PM 0:44.84
>
> I could not find ANY file named klogd on the system, let alone in /sbin.
> Clues as to how to dig myself out of this are appreciated....
>
> I found this in /tmp/bx1.txt:
>
> #!/usr/bin/php
>
> #
> # ------- Zen Cart 1.3.8 Remote Code Execution
> # http://www.zen-cart.com/
> # Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
> # A new version (1.3.8a) is avaible on http://www.zen-cart.com/
> #
> # BlackH :)
> #
>
> error_reporting(E_ALL ^ E_NOTICE);
> if($argc < 2)
> {
> echo "
> =___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
> ========================================================================
> | BlackH |
> ========================================================================
> | |
> | \$system> php $argv[0] |
> | Notes: ex: http://victim.com/site (no slash) |
> | |
> ========================================================================
> ";exit(1);
>
> ----------- snipped ------
>
> It is dated from two nights ago, after these issues started, but it's
> nonetheless alarming. Security Focus is aware of the issue and refers you to
> Zen for the fix. Only problem is, this is an old version of Zen cart, and
> the
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
> =========================================================================

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
=========================================================================
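The ps rows quoted in the thread are the detection signal worth automating: FreeBSD ps appends the command name the kernel recorded at exec() in parentheses when a process has rewritten its argv[0], so "[eth0] (perl)" and "/sbin/klogd ... (perl)" give the game away. The checker below is an added example, not code from the thread; the extra httpd row, the KNOWN_PATHS set and the `exists` callback are assumptions so it runs offline on any host.

```python
import os
import re

# Constructed sample: the four ps(1) rows quoted in the thread plus one benign
# httpd row added here; none of this is output from the original server.
SAMPLE_PS = """\
www 70471 1.4 0.1 6056 3824 ?? R 4:21PM 0:44.75 [eth0] (perl)
www 70470 1.2 0.1 6060 3828 ?? R 4:21PM 0:44.50 [bash] (perl)
www 64779 1.0 0.1 6056 3820 ?? R 4:07PM 2:24.34 /sbin/klogd -c 1 -x -x (perl)
www 70472 1.0 0.1 6060 3828 ?? R 4:21PM 0:44.84
www 80123 0.0 0.2 9812 5120 ?? S 3:02PM 0:01.10 /usr/local/sbin/httpd -DNOHUP
"""
# Assumed set of binaries present on disk, so the demo runs on any host.
KNOWN_PATHS = {"/usr/local/sbin/httpd", "/usr/bin/perl"}

# FreeBSD ps appends "(name)" when argv[0] no longer matches the command name
# the kernel recorded at exec(); that is what "[eth0] (perl)" means.
REAL_NAME = re.compile(r"\s*\((\S+)\)$")

def parse_ps_line(line):
    """Split one `ps aux` row; the COMMAND column may be missing (truncated)."""
    fields = line.split(None, 10)
    command = fields[10] if len(fields) > 10 else ""
    m = REAL_NAME.search(command)
    claimed = REAL_NAME.sub("", command)
    return {"user": fields[0], "pid": int(fields[1]),
            "argv0": claimed.split()[0] if claimed else "",
            "real": m.group(1) if m else None}

def suspicious(ps_output, exists=os.path.exists):
    """Return rows whose displayed command cannot be trusted, with reasons."""
    hits = []
    for line in filter(str.strip, ps_output.splitlines()):
        row = parse_ps_line(line)
        argv0, reasons = row["argv0"], []
        if row["real"] and os.path.basename(argv0).strip("[]") != row["real"]:
            reasons.append(f"argv0 claims {argv0!r} but kernel says {row['real']!r}")
        if argv0.startswith("[") and row["user"] != "root":
            reasons.append("kernel-thread style name owned by a non-root user")
        if argv0.startswith("/") and not exists(argv0):
            reasons.append(f"{argv0} does not exist on disk")
        if not argv0:
            reasons.append("no COMMAND shown; inspect with procstat -b <pid>")
        if reasons:
            hits.append({**row, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for h in suspicious(SAMPLE_PS, exists=KNOWN_PATHS.__contains__):
        print(h["pid"], h["user"], "; ".join(h["reasons"]))
```

Run against live `ps aux` output with the default `exists`, the same function flags the three masquerading perl processes and the row with no command shown, while the real httpd passes.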