#1  
Old 5th November 2008, 00:13
bernholdt bernholdt is offline
Senior Member
 
Join Date: Jun 2007
Posts: 154
Thanks: 45
Thanked 13 Times in 11 Posts
Security issue

I was cleaning up my uploader directory on a site today and I found a script called r57shell uploaded by some user a while ago. I'm just wondering how concerned I should be. The script seems to be a hacker tool used to extract all kinds of info from the server.

The server is running fine and the person who uploaded it doesn't seem to have messed up anything. I'm just worried that he/she has extracted all my users' usernames and passwords, and automatically emailed them somewhere.

I don't allow shell access on any sites I'm running, but I have safe mode turned off.

I couldn't help being a little curious, so I downloaded it and tested it on a local test server I have here at home, and I noticed that you can see all user accounts and search for all .htpassword files etc. etc.

Are the Perfect Server guide and the ISPConfig settings secure enough to prevent these kinda scripts??
__________________
www.gamebook.me
  #2  
Old 5th November 2008, 08:47
Ben Ben is offline
Moderator
 
Join Date: Jul 2006
Posts: 1,029
Thanks: 7
Thanked 62 Times in 56 Posts

Generally you should reinstall your whole machine in such cases, as you never know if the script may have left any backdoors elsewhere in your system.

The next thing you should do, besides reinstalling, is to use different passwords when recreating the accounts on the new machine.

I do not think it's just about the PHP safe mode, as there may be several possible ways to break into a system. Also, safe mode is the "killer" security option, and there are many people who talk about ignoring this feature and suggest using open_basedir and other restrictions instead, as safe mode won't be included in future PHP versions.
  #3  
Old 5th November 2008, 10:18
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,202
Thanks: 829
Thanked 5,420 Times in 4,262 Posts

I totally agree with Ben. In my opinion safe mode is still a very good option in the current PHP versions. For example, if you use just the open_basedir restriction, you can still do things like:

passthru('cat /etc/passwd');

to get a copy of the passwd file in the browser. OK, you may now disable functions like exec, passthru etc., and when you have finished that you end up with a configuration that is very similar to what safe mode offers in one option.

So the recommendation is to enable safe mode whenever it's possible. In case it is not possible, you should at least set individual settings like open_basedir and disable unneeded functions via php_admin_flag and php_admin_value in the Apache directives field of the website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
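As an added example (not from the thread or from ISPConfig itself), this is what the per-site hardening Till describes could look like in the Apache directives field of a mod_php vhost; the site path /var/www/web11 and the phpBB upload directory under it are assumptions:

```apache
# Added example, not from the thread. Assumes an ISPConfig 2 style site whose
# document root is /var/www/web11/web and a phpBB upload directory below it
# (both constructed paths).
#
# Weak: open_basedir alone. PHP's own file functions are confined to the listed
# directories, but a script can still run passthru('cat /etc/passwd') because the
# spawned child process is not subject to open_basedir.
#   php_admin_value open_basedir "/var/www/web11/web:/tmp"
#
# Hardened: confine file access AND remove the process-spawning functions. The
# php_admin_* forms cannot be overridden from .htaccess or by ini_set().
php_admin_value open_basedir "/var/www/web11/web:/var/www/web11/phptmp:/usr/share/php"
php_admin_value upload_tmp_dir "/var/www/web11/phptmp"
php_admin_value session.save_path "/var/www/web11/phptmp"
php_admin_value disable_functions "exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec,dl"
php_admin_flag allow_url_fopen Off
php_admin_flag allow_url_include Off
php_admin_flag expose_php Off

# Belt and braces for the upload directory the thread is about: nothing stored
# there is ever handed to the PHP interpreter, whatever the file is named.
<Directory /var/www/web11/web/forum/files>
    php_admin_flag engine Off
    RemoveHandler .php .phtml .php3 .php4 .php5
    Options -ExecCGI
</Directory>
```

These directives constrain what PHP scripts can do; as the thread goes on to note, they do nothing to limit a user who has been given a real shell account.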
  #4  
Old 5th November 2008, 13:04
bernholdt bernholdt is offline
Senior Member
 
Join Date: Jun 2007
Posts: 154
Thanks: 45
Thanked 13 Times in 11 Posts

Well, it seems like I was lucky this time, phew.

It was uploaded inside a phpBB forum and the file was called r57shell021321610~ with no .php extension, so the uploader hasn't been able to execute the script. I ran several malware and trojan scans and they all went home free.

As I wrote, I tested it on my home test server and tried to run some of the commands from the script, but it couldn't get permission to execute any commands, so it seems that ISPConfig is very secure against these kinda scripts.

Output of the Apache error log:
find: /proc/19795/task/19795/fd: Permission denied
find: /proc/19795/fd: Permission denied
find: /proc/19796/task/19796/fd: Permission denied
find: /proc/19796/fd: Permission denied
find: /proc/19797/task/19797/fd: Permission denied
find: /proc/19797/fd: Permission denied
find: /var/run/exim4: Permission denied
find: /var/log/mysql: Permission denied
find: /var/log/munin: Permission denied
find: /var/log/exim4: Permission denied
find: /var/lib/mysql/web32db1: Permission denied
find: /var/lib/mysql/web16db4: Permission denied
find: /var/lib/mysql/web16db3: Permission denied
find: /var/lib/mysql/web5db4: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/cron/atspool: Permission denied
find: /var/www/web11/user/web11_admin/Maildir: Permission denied
find: /var/www/web27/user/web27_admin/Maildir: Permission denied
And so it keeps on.

On the other hand, if I enable shell access from within ISPConfig, the script takes over and lets the user do almost anything.
__________________
www.gamebook.me