Security issue

[bernholdt]

I was cleaning up my in my uploader directory on a site today and i found a script called r57shell uploaded by some user a while ago Im just wondering how concerned i should be. The script seems to be a hacker tool used to extract all kind info from server.

The server is running fine and the person who uploaded it dosent seem to have messed up annything. Im just worried tht he/she has extracted all my users usernames and pw, and automaticly emailed them somewere.

I dont allow shell access on any sites im running, but i have safemode turned off.

I couldnt help be a little courious so i downloaded it and tested it on a local test server i have here at home, and i noticed that you can see all useraccounts and search for all .htpassword etc etc.

Is the Perfect server guide and Ispconfig setting secure enough to prevent these kinda scripts ??

[Ben]

Generally you should reinstall your whole machine in such cases as you never know if the script may have left any backdoors elsewehere in your system.

next thing you should do besides reinstalling is using different passwords when recreating the accounts on the new machine.

I do no think it's just about the php safemode as there may be many several possible ways to break in a system. Also safe mode is the "killer" security option and there are many ppl telling about ignoring this feature and suggest using open_basedir and other restrictions, as safe mode won't be integrated in further php versions.

[till]

I totally agree to ben. In my opinion safemode is still a very good option in the current php versions. For example if you use just open_basedir restriction, you can still do things like:

passthru('cat /etc/passwd');

to get a copy of the passwd file in the browser. Ok, you may now disable functions like exec, passthru etc. and if you finished that you and up with a configuration that is very similar to what safemode offers in one option.

So the recommendation is to enable sfaemode whenever its possible. In case it is not possible, you shout at least set individual settings like open_basedir and disable unneeded functions via php_admin_flag and php_admin_value in the apache directibves field in the website.

[bernholdt]

well it seems like i was lucky this time phew

it was uploaded inside a phpbb forum and the file was called r57shell021321610~ with no php extention so the uploader hasent been able to execute the script. I ran several malware and trojan scans and they all went home free.


As i wrote i tested it on my home test server and tried to run some of the command from the script but it couldnt get permission to execute any commands, so it seems that ISP Confic is wery secure, against these kinda scripts.

Output of apache errorlog:

Quote:

find: /proc/19795/task/19795/fd: Permission denied
find: /proc/19795/fd: Permission denied
find: /proc/19796/task/19796/fd: Permission denied
find: /proc/19796/fd: Permission denied
find: /proc/19797/task/19797/fd: Permission denied
find: /proc/19797/fd: Permission denied
find: /var/run/exim4: Permission denied
find: /var/log/mysql: Permission denied
find: /var/log/munin: Permission denied
find: /var/log/exim4: Permission denied
find: /var/lib/mysql/web32db1: Permission denied
find: /var/lib/mysql/web16db4: Permission denied
find: /var/lib/mysql/web16db3: Permission denied
find: /var/lib/mysql/web5db4: Permission denied
find: /var/spool/postfix/saved: Permission denied
find: /var/spool/postfix/hold: Permission denied
find: /var/spool/postfix/maildrop: Permission denied
find: /var/spool/postfix/corrupt: Permission denied
find: /var/spool/postfix/incoming: Permission denied
find: /var/spool/postfix/defer: Permission denied
find: /var/spool/cron/atspool: Permission denied
find: /var/www/web11/user/web11_admin/Maildir: Permission denied
find: /var/www/web27/user/web27_admin/Maildir: Permission denied

And so it keeps on.

On the other hand if i enable Shell from within ispconfig the script takes over and lets the user do almost annything.