Date: Thu, 4 Feb 2010 15:28:58 -0500 (EST)
From: James Smallacombe <up@3.am>
To: freebsd-questions@freebsd.org
Subject: Re: Server compromised Zen-Cart "record company" Exploit
Message-ID: <alpine.BSF.2.00.1002041525250.83398@mail.pil.net>
In-Reply-To: <alpine.BSF.2.00.1002011107080.28912@mail.pil.net>
References: <alpine.BSF.2.00.1001301829060.97440@mail.pil.net> <alpine.BSF.2.00.1002011107080.28912@mail.pil.net>
Replying to Bogdan Webb's reply recommending Suhosin: This appears to be exactly what I needed, thanks! The stock ports PHP install already has the Suhosin patch, but the extension is a godsend! Not only does it log everything, but it lets you manage PHP functions on a per-virtual-host basis, not just in php.ini. Fantastic, and it is working great. About the only thing I could want more would be to control the functions under the Apache <Directory> directives (on top of in <VirtualHost>).

On Mon, 1 Feb 2010, James Smallacombe wrote:

>
> (please reply-all; I am not sub'd and sorry for the top posting):
>
> I have safe_mode off due to popular demand. So many customer apps demand
> that it be kept off. In fact, here is a post from one of the Zen people on
> the Zen-cart forum. In light of this exploit, this might be a little ironic:
>
> http://www.zen-cart.com/forum/showthread.php?t=76740
>
> "There is one for-sure patch: Turn off safe-mode.
>
> Keep in mind that future versions of PHP will *not* even include a safe-mode
> ... because it's a weak bandage giving a false sense of security to hosts who
> don't otherwise know how to properly secure their servers.
>
> This begs the question: why? ie: why would you want to run your online
> business on a server that's got to use safe-mode in order to think they're
> securing the server?
>
> I'm not trying to badmouth your server administrator; rather I'm attempting
> to strongly make the point that unless safe-mode is being used for a very
> specific reason for which there is no other solution (an unlikely situation),
> it shouldn't be used. And, if it is being used, you shouldn't run your
> business there, because there will be other security issues to which you'll
> be vulnerable but never have a clue about it until disaster strikes, because
> the big picture of security protection has been poorly implemented.
>
> That said, Zen Cart will install and run even if Safe Mode is active;
> however, you run the risk of certain features not working with or without
> notice, and the unexpected appearance of warning or fatal errors while
> customers are using the site. And then there's the issue of the admin side
> needing to do various things that safe-mode doesn't like.
>
> So, I guess, in short ... you can do it, but you do so at your own risk.
>
> Maybe that's more than you wanted to hear ... sorry"
>
> ----
> From: Bogdan Webb <bogdan@pgn.ro>
>
> try php's safe_mode but it is likely to keep the hackers off, indeed they
> can get in and snatch some data but they would be kept out of a shell's
> reach... but sometimes safe_mode is not enough... try considering Suhosin
> but the addon not the patch... and define the
> suhosin.executor.func.blacklist which will deny use of certain php commands
> that allow shell execution... but keep in mind it's impossible to prevent
> all breaches... this php patch will only keep the hacker kiddos off but
> there's still a good chance it can be broken... stay safe !
>
> ref's:
> http://www.hardened-php.net/suhosin.127.html
> http://beta.pgn.ro/phps/phpinfo.php
>
>
> On Sun, 31 Jan 2010, James Smallacombe wrote:
>
>>
>> Whoever speculated that my server may have been compromised was on to
>> something (see bottom). The good news is, it does appear to be contained
>> to the "www" unprivileged user (with no shell). The bad news is, they can
>> still cause a lot of trouble. I found the compromised customer site and
>> chmod 0 their cart (had php binaries called "core(some number).php" that
>> gave the hacker a nice browser screen to cause all kinds of trouble)
>>
>> Not sure if this is related to the UDP floods, but if not, it's a heck of a
>> coincidence. At times, CPU went through the roof for the www user, mostly
>> running some sort of perl scripts (nothing in the suexec-log). I would
>> kill apache, but couldn't restart it as it would show port 80 in use. I
>> would have to manually kill processes like these:
>>
>> www 70471  1.4  0.1  6056  3824  ??  R     4:21PM   0:44.75 [eth0] (perl)
>> www 70470  1.2  0.1  6060  3828  ??  R     4:21PM   0:44.50 [bash] (perl)
>> www 64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34 /sbin/klogd -c 1 -x -x (perl)
>> www 70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84
>>
>> I could not find ANY file named klogd on the system, let alone in /sbin.
>> Clues as to how to dig myself out of this are appreciated....
>>
>> I found this in /tmp/bx1.txt:
>>
>> #!/usr/bin/php
>> <?php
>>
>> #
>> # ------- Zen Cart 1.3.8 Remote Code Execution
>> # http://www.zen-cart.com/
>> # Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
>> # A new version (1.3.8a) is avaible on http://www.zen-cart.com/
>> #
>> # BlackH :)
>> #
>>
>> error_reporting(E_ALL ^ E_NOTICE);
>> if($argc < 2)
>> {
>> echo "
>> =___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
>> ========================================================================
>> |                    BlackH <Bl4ck.H@gmail.com>                        |
>> ========================================================================
>> |                                                                      |
>> |   \$system> php $argv[0] <url>                                        |
>> |   Notes: <url> ex: http://victim.com/site (no slash)                 |
>> |                                                                      |
>> ========================================================================
>> ";exit(1);
>>
>> ----------- snipped ------
>>
>> It is dated from two nights ago, after these issues started, but it's
>> nonetheless alarming. Security Focus is aware of the issue and refers you
>> to Zen for the fix. Only problem is, this is an old version of Zen cart,
>> and the
>>
>> James Smallacombe PlantageNet, Inc. CEO and Janitor
>> up@3.am http://3.am
>> =========================================================================
>>
>
> James Smallacombe PlantageNet, Inc. CEO and Janitor
> up@3.am http://3.am
> =========================================================================

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
=========================================================================
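Added example (not part of the thread, and not the Suhosin project's own documentation): what the per-virtual-host function control discussed above looks like in an Apache httpd.conf with mod_php and the Suhosin extension loaded. The directive names php_admin_value and suhosin.executor.func.blacklist are real; the hostname, DocumentRoot and the particular function list are assumptions for illustration, and which functions a given customer application can live without has to be checked against that application before it is locked down. Stock PHP's disable_functions is PHP_INI_SYSTEM and must be set in php.ini, which is why it cannot do the per-vhost job that the Suhosin directive does here.

```apache
# Added example: per-virtual-host PHP function blacklist with the Suhosin
# extension. Hostname, paths and the function list are constructed for
# illustration; adjust the list to what the hosted application actually needs.
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /usr/local/www/shop

    # php_admin_value cannot be overridden from .htaccess or ini_set(),
    # so a compromised application cannot simply re-enable the functions.
    # The listed functions are the usual ways PHP code reaches a shell;
    # a typical shop application has no legitimate need for them.
    php_admin_value suhosin.executor.func.blacklist "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"

    # Optional and more likely to break applications: refuse eval() entirely.
    # Leave this off for customers whose code depends on it.
    # php_admin_value suhosin.executor.disable_eval 1

    # Keep the server's own access/error logs separate per vhost so that a
    # blocked call (Suhosin logs an ALERT for it) can be tied to the site.
    ErrorLog /var/log/httpd/shop.example.com-error.log
    CustomLog /var/log/httpd/shop.example.com-access.log combined
</VirtualHost>
```

After a restart, a script on that vhost that calls one of the blacklisted functions fails and Suhosin writes an alert to the configured log, which is the per-site visibility the reply above describes; a second <VirtualHost> block can carry a different list for a customer whose application genuinely needs, say, popen().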
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSF.2.00.1002041525250.83398>