Security Problem

Discussion in 'Installation/Configuration' started by Cracknel, Nov 15, 2008.

  1. Cracknel

    Cracknel New Member

    I have some clients running outdated php scripts. They have many bugs.
    Last week a website got hacked. The attacker uploaded a PHP shell and made a deface.
    I've personally uploaded a php shell and guess what, I can access even the root directory!
    What can I do?
    I've discovered spam sending scripts and bank scam pages on one of my personal websites. God knows what else could be affected.
    Please tell me what's wrong!
    I've installed ISPConfig on a virtual server. I have the same problem!
    Everything went normal with the installation!
     
  2. _X_

    _X_ New Member

    http://docs.ispconfig.org/en-sandbox-dynamic-site/?page=faq

    You cannot blame ISPConfig for that hack because IMHO ISPConfig has nothing to do with that.

    You should Backup ISPConfig base and settings and do a fresh install. It the safest way.

    Hope this can help:
    http://howtoforge.com/forums/showthread.php?t=28258&highlight=backup restore

    http://howtoforge.com/forums/showthread.php?t=23448&highlight=backup restore
     
  3. Cracknel

    Cracknel New Member

    Read again!
    I have already installed a new server that has the same problem!
     
  4. _X_

    _X_ New Member

    Well that part of your post I didnt understand.

    You installed new ISPConfig on virtual server and uploaded the attacker script and it works? or

    After a clean install and restore of ISPConfig settings script is still there?
     
  5. Cracknel

    Cracknel New Member

    The installation on the virtual server was just to find out if there was a problem with my server or with all ispconfig installations.


    You can test the bug on your own server. Just upload a c99 or r57 php shell script and change the working directory to /.

    you can look in /var/www and from there in all accounts, stealing passwords from configuration files, scripts...
     
  6. _X_

    _X_ New Member

  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    An this has still nothing to do with ISPConfig as _X_ explained above. You are just saying that a hacker script that you uploaded to a php webspace is working, ispconfig is not envolved in executing that script at all.

    So, back to your original problem. If you want to prevent that a php script accesses the whole folder, you can do several things:

    1) activate php safemode for the website.
    2) update your php to the latest version.
    3) Deactivate potential harmful functions in your php.ini lieke exec, passthru etc.
    4) install security extensions for apache like mod_security
    5) install suhosin for php.
     
  8. Cracknel

    Cracknel New Member

    the problem is that if you host, let's say, 10 websites and one person uploads a bad script you'll get in trouble!

    for example some cms scripts don't run if php is in safemode (joomla is one of them).

    please don't close the thread! I'll be back with information.
     
  9. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Sure, but why you blame ispconfig for joomla being insecure or not supporting safemode?

    Take a look at the points that I posted above to secure your php installation.
     
  10. _X_

    _X_ New Member

    from what i know joomla can work and be safe with this settings in Apache Directives (Optional)::

    Options FollowSymLinks
    AllowOverride All
    php_admin_flag register_globals Off
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
    php_admin_flag allow_url_fopen Off
    php_admin_flag magic_quotes_gpc On
    php_admin_value session.save_path "/var/www/web1/phptmp/"
    php_admin_value open_basedir "/var/www/web1/"

    and PHP Safe Mode dissabled.

    Correct me if I'm wrong.
     
  11. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I guess this should work fine. To sum it up, if you want to run a hosting business, you should make yourself familar on how to secure the different applications on your server :)

    One note. I'am not sure if "AllowOverride All" is really nescessary, as this would allow an attacker to remove the security settings that you set in the apache directives field again in a .htaccess file.
     
    Last edited: Nov 15, 2008
  12. _X_

    _X_ New Member

    on my test server it resulted with:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    .htaccess: Options not allowed here

    maybe it has to do something with SEF on joomla?
     
  13. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Take a look in the error log of the website, there should be listed the exact option which caused the error and then it is better to allow overriding for just that option.
     
  14. _X_

    _X_ New Member

    .htaccess: Options not allowed here

    is from error.log in /var/www/web1/log/
     
  15. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Hmm, ok. Can you please post the content of the .htaccess file.
     
  16. _X_

    _X_ New Member

    here goes htaccess:
    Options +FollowSymLinks
    RewriteEngine On
    RewriteBase /

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteRule ^(content/|component/) index.php

    RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) index.php

    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    i guess problem is in first line?
     
  17. _X_

    _X_ New Member

    :confused: just saw that there are some duplicate lines :rolleyes:
     
  18. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Yes, the directive "Options +FollowSymLinks" should not be put in an .htaccess file. Either you put it wrapped into a directory directive in the apache directives field or you enable "Options +FollowSymLinks" globally in the apache2.conf file for all sites.
     
  19. _X_

    _X_ New Member

    Just to repeat for anyone interested into setting ISPConfig for Joomla 1.0.x:

    htaccess - with support for SEFurl plug-ins:
    Code:
    RewriteEngine On
    RewriteBase /
    
    RewriteRule ^(content/|component/) index.php
    
    RewriteCond %{REQUEST_URI} ^(/component/option,com) [NC,OR]
    RewriteCond %{REQUEST_URI} (/|\.htm|\.php|\.html|/[^.]*)$ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule (.*) index.php
    
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
    Apache Directives (Optional): -change webXXX with your configuration
    Code:
    <Directory "/var/www/webXXX/web">
    Options FollowSymLinks
    php_admin_flag register_globals Off
    php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
    php_admin_flag allow_url_fopen Off
    php_admin_flag magic_quotes_gpc On
    php_admin_value session.save_path "/var/www/webXXX/phptmp/"
    php_admin_value open_basedir "/var/www/webXXX/"
    </Directory>
    and PHP Safe Mode dissabled - Joomla 1.0.x doesnt work with this option enabled.
     
    Last edited: Nov 16, 2008
  20. Cracknel

    Cracknel New Member

    I found a solution:
    in /etc/apache2/apache2.conf

    replace
    Code:
    <Directory /var/www/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
    
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    With:
    Code:
    <Directory /var/www/*/web>
        Options +Includes -Indexes
        AllowOverride None
        AllowOverride Indexes AuthConfig Limit FileInfo
        Order allow,deny
        Allow from all
        php_admin_value open_basedir /var/www/web
    
        <Files ~ "^\.ht">
        Deny from all
        </Files>
    </Directory>
    
    This should be included in the setup script for ISPConfig.

    [later edit]

    looks that this option can be bypassed with a simple script.
    i've even restricted some functions from php.ini
     
    Last edited: Nov 16, 2008

Share This Page