Security Flaw in ISPC2

[dayjahone]

With the latest version of ISPConfig installed, attackers are able to execute arbitrary code as admispconfig on the server (uid=1001). They have used this exploit to upload email addresses to /tmp and /dev/shm and send spam email to the addresses. They have also been able to run a backdoor perl shell (dc.txt). We are unable to identify the security exploit allowing them to execute code in the first place.

[till]

Do you have phpmyadmin installed? Then the hackers most likely got in trough phpmyadmin, there were several problems in phpmyadmin detected in the last months. A installed phpmyadmin package runs under the user admispconfig, thats why this can be easily mixed up with a ispconfig problem.

[dayjahone]

Yes, I do have phpmyadmin installed. Any idea how to solve it?

[till]

First you should remove the current phpmyadmin package:

rm -r /home/admispconfig/ispconfig/web/phpmyadmin
rm /home/admispconfig/ispconfig/web/phpmyadmin.tar.gz
rm -r /home/admispconfig/ispconfig/web/tools/tools/phpmyadmin

and install a new one trough ispconfig. Jonas is releasing new phpmyadmin packages for ispconfig on a regular basis, the latest package can be found here:

http://www.howtoforge.com/forums/showthread.php?t=47423

Then you will have to try to find the files that the hacker uploaded. If you know the creation date of the dc.txt, you can e.f. scan for files that date, especially interesiting are files inside /home/admispconfig/. Also look for files owned by the user admispconfig that are in unusual places (outside of /home/admispconfig). If you are unsure if a file belongs to ispconfig, feel free to post the path here.

You should then check your system with rkhunter and chkrootkit in case that the attacker was able to get root permissions.