Urgent - server compromised

Discussion in 'Server Operation' started by erosbk, Aug 20, 2011.

  1. erosbk

    erosbk New Member

    I have eight processes, run by one of my user clients (web8), with this information on htop:

    16751 web8 20 0 30032 4884 1392 R 71 0.1 94:46.31 perl
    16726 web8 20 0 30032 4884 1392 R 68 0.1 95:44.83 perl
    14980 web8 20 0 30032 4880 1392 R 65 0.1 101:56.24 perl
    16801 web8 20 0 30032 4944 1444 R 65 0.1 95:17.64 perl
    14890 web8 20 0 30032 4904 1412 R 64 0.1 102:23.19 perl
    15024 web8 20 0 30032 4908 1412 R 64 0.1 101:12.46 perl
    15348 web8 20 0 30032 4888 1392 R 64 0.1 101:50.93 perl
    16838 web8 20 0 30032 4904 1412 R 62 0.1 94:29.64 perl
    15053 web8 20 0 30032 4880 1392 R 62 0.1 101:17.27 perl
    14904 web8 20 0 30032 4884 1392 R 60 0.1 100:25.55 perl
    16701 web8 20 0 30032 4908 1412 R 58 0.1 96:06.25 perl
    16798 web8 20 0 30032 4888 1392 R 58 0.1 95:03.22 perl

    the running program is: /usr/sbin/r00t

    for each process...

    I don't know where to begin...
  2. erosbk

    erosbk New Member

  3. erosbk

    erosbk New Member

    A site with oscommerce was hacked... lots of php files in there... all sites were running in fastcgi + suexec, so, I think I was protected against the scripts...

    First time I face this xD

    I have to see if server passwords were compromised... see if I can access /etc/shadow, etc... using php...

    any advice will be great!
  4. falko

    falko Super Moderator ISPConfig Developer

    Did you check your server with chkrootkit and rkhunter?
  5. erosbk

    erosbk New Member

    falko, nothing found with rkhunter and chkrootkit, all perfect. With fastcgi + suexec the damage was isolated to the web8 user I think, and the script is a "php kernel" (I found different copies of the scripts in the injected site).

    After cleaning the site it was injected again, but previously I made a bcc in postfix to catch all mails sent by injected scripts, content was: "Boss, there was an injected target on www.domaininyected.com.ar/images/picture.php by"

    As I could see, only the site was compromised, and not the entire server... I would appreciate your help to verify the server.

    Thanks in advance,
  6. falko

    falko Super Moderator ISPConfig Developer

    Did you update osCommerce to the latest version?
  7. erosbk

    erosbk New Member

    Nope, but I installed a fix and protected /admin with .htaccess, no new code injection at the moment.

    Osc 2.2 is very vulnerable to injection attacks as I could see, pititis was helping me to limit php by default and installing ModSecurity for future attacks.

    As I could see, no damage was made to the system, but php shells can access /etc/passwd and the max size of my raids and I don't know how to avoid that... if you can help me to be protected against php shells, you will save me a lot of time...

    Thanks for all falko, pititis
  8. falko

    falko Super Moderator ISPConfig Developer

    What PHP mode do you use? Do you use open_basedir to restrict PHP access to certain directories?
  9. erosbk

    erosbk New Member

    fastcgi + suexec, open_basedir is the default of ispconfig:


    but, in some way, a php shell can access /etc/passwd

    Right now I am using disable_functions to limit exec and other commands, but if there is another way (or something more) I need to do, it would be great, because some sites such as oscommerce use exec to work properly...
  10. erosbk

    erosbk New Member

    falko, could you help me? I can read almost all file system with phpshell 2.2... how can I limit this?

    I can list all content of /var/www with a phpshell installed in one of my sites... I can read every file with read permission for normal users...

    It is like open_basedir weren't working but... in phpinfo() I can see that all is ok...

    Please help!

    Edit: I am using http://phpshell.sourceforge.net/ to test... I can access all readable files on the server with this shell... should this be the normal behavior? the only different thing I made was to move www to another location, and /var/www is now a symlink to /newfolder/www. I don't know if before the change this was happening or not...
    If I edit php.ini with this disable_functions = phpinfo, popen, show_source, shell_exec, proc_open, system, phpshell stops working... should this be enough to limit access to the fs?

    Thanks in advance
    Last edited: Aug 24, 2011
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's the normal behaviour in php scripts: you can read all files that are readable by the Linux user which runs the php scripts. You can limit this by disabling all shell access functions in the disable_functions in php.ini or the custom php.ini field of the website.

    open_basedir in php only limits file access functions like fopen or file_get_contents. It can not limit access to files when shell exec functions like exec, passthru, popen, system etc. are used. For that reason, you should disable all shell access functions with disable_functions that are not required for a website.

    That depends on your setup. First, you will have to use the correct php.ini file for the php method that you use. Disabling these functions globally in the php.ini that is used by ispconfig shell scripts will disable ispconfig, so you have to disable these functions only in the php.ini file that is used for fastcgi scripts and not for cli scripts. Beside that, if you used the custom php.ini field in the website settings, then a custom php.ini for this website has been created. In that case, you will have to add the disable_functions in the custom php.ini field for that website.
  12. erosbk

    erosbk New Member

    Thanks for your answer Till, I am disabling in /etc/php5/cgi the following commands:

    disable_functions = phpinfo, show_source, shell_exec, exec, proc_close, proc_open, popen, system, dl, passthru, escapeshellarg, escapeshellcmd, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, dl, symlink, base64_decode, base64_encode

    I don't know if there is another command used by phpshells scripts, if any of you know another, please post here to make a more complete list.

    Is it possible to force ispconfig to use his own php.ini file?
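    A small checker for the point till makes above (open_basedir does not cover the shell execution functions, so they must appear in disable_functions of the FastCGI php.ini) applied to the list erosbk posted. This is an added example, not code from the thread or from ISPConfig; the php.ini excerpts are constructed and the open_basedir path is an assumed value.

```python
import re

# Shell-access functions named in the thread that bypass open_basedir.
SHELL_FUNCTIONS = {"exec", "passthru", "popen", "proc_open", "shell_exec", "system"}


def parse_disable_functions(ini_text: str) -> set:
    """Return the functions listed in the last active disable_functions line.

    Comment lines (';') and blanks are skipped, the value may be quoted,
    and names are compared case-insensitively like PHP does.
    """
    disabled = set()
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_shell_functions(ini_text: str) -> set:
    """Shell-access functions still callable under this php.ini."""
    return SHELL_FUNCTIONS - parse_disable_functions(ini_text)


# Constructed: a CGI php.ini where only open_basedir is set (assumed path).
WEAK_INI = """
; /etc/php5/cgi/php.ini excerpt (constructed)
open_basedir = /var/www/clients/client1/web8:/tmp
disable_functions =
"""

# Constructed: the same file with the disable_functions list from the thread.
HARDENED_INI = """
open_basedir = /var/www/clients/client1/web8:/tmp
disable_functions = phpinfo, show_source, shell_exec, exec, proc_close, proc_open, popen, system, dl, passthru, escapeshellarg, escapeshellcmd, proc_nice, proc_terminate, proc_get_status, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, symlink
"""

if __name__ == "__main__":
    # Run this against /etc/php5/cgi/php.ini only; on Debian the CLI used by
    # ISPConfig's own scripts reads /etc/php5/cli/php.ini instead.
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, "still allows:", sorted(missing_shell_functions(ini)) or "nothing")
```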
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    On Debian and Ubuntu, php-cli has its own php.ini (beside an ini file for apache2 and cgi). If you use a different distribution, then this might be handled in a different way.
  14. erosbk

    erosbk New Member

    Thanks Till, I have Debian so it is in a separate file.
