Bogdan Webb wrote:
try php's safe_mode but it is likely to keep the hackers off, indeed they
can get in and snatch some data but they would be kept out of a shell's
reach... but sometimes safe_mode is not enough... try considering Suhosin
but the addon not the patch... and define the
suhosin.executor.func.blacklist which will deny use of certain php commands
that allow shell execution... but keep in mind it's impossible to prevent
all breaches... this php patch will only keep the hacker kiddos off but
there's still a good chance it can be broken... stay safe !

refs:
http://www.hardened-php.net/suhosin.127.html
http://beta.pgn.ro/phps/phpinfo.php

2010/1/31 James Smallacombe <u...@3.am>

Whoever speculated that my server may have been compromised was on to
something (see bottom).  The good news is, it does appear to be contained to
the "www" unprivileged user (with no shell).  The bad news is, they can
still cause a lot of trouble.  I found the compromised customer site and
chmod 0 their cart (had php binaries called "core(some number).php" that gave
the hacker a nice browser screen to cause all kinds of trouble)

Not sure if this is related to the UDP floods, but if not, it's a heck of a
coincidence.  At times, CPU went through the roof for the www user, mostly
running some sort of perl scripts (nothing in the suexec-log).  I would kill
apache, but couldn't restart it as it would show port 80 in use.  I would
have to manually kill processes like these:

www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34 /sbin/klogd -c 1 -x -x (perl)
www   70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84

I could not find ANY file named klogd on the system, let alone in /sbin.
Clues as to how to dig myself out of this are appreciated....

I found this in /tmp/bx1.txt:

#!/usr/bin/php
<?php

#
# ------- Zen Cart 1.3.8 Remote Code Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
# A new version (1.3.8a)  is avaible on http://www.zen-cart.com/
#
# BlackH :)
#

error_reporting(E_ALL ^ E_NOTICE);
if($argc < 2)
{
echo "
=___________ Zen Cart 1.3.8 Remote Code Execution Exploit  ____________=
========================================================================
|                  BlackH <bl4c...@gmail.com>                          |
========================================================================
|                                                                      |
| \$system> php $argv[0] <url>                                        |
| Notes: <url>      ex: http://victim.com/site (no slash)              |
|                                                                      |
========================================================================
";exit(1);

-----------  snipped ------

It is dated from two nights ago, after these issues started, but it's
nonetheless alarming.  Security Focus is aware of the issue and refers you to
Zen for the fix.  Only problem is, this is an old version of Zen cart, and
the

James Smallacombe                     PlantageNet, Inc. CEO and Janitor
u...@3.am                                                     http://3.am
=========================================================================
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
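The ps rows quoted above show what FreeBSD's ps does when a process has rewritten its argv[0]: the real command name is appended in parentheses, so "[eth0] (perl)" is a perl script pretending to be a kernel thread and "/sbin/klogd ... (perl)" is perl pretending to be a daemon that, as James found, is not even on disk. As an added example that is not code from the thread, this Python checker parses such rows and flags www processes that masquerade that way; the sample rows, the interpreter list and the stand-in set of on-disk binaries are constructed for the demonstration.

```python
import os
import re
INTERPRETERS = {"perl", "python", "php", "sh", "bash", "ruby"}  # common masquerade hosts
# FreeBSD ps appends " (comm)" when argv[0] no longer matches the executable's name.
PAREN_RE = re.compile(r"^(?P<args>.*?)\s+\((?P<comm>[^()\s]+)\)$")

# Constructed `ps aux` sample: rows modelled on the thread above plus benign rows.
SAMPLE_PS = """\
USER   PID %CPU %MEM   VSZ   RSS  TT  STAT STARTED    TIME COMMAND
www  70471  1.4  0.1  6056  3824  ??  R    4:21PM  0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060  3828  ??  R    4:21PM  0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056  3820  ??  R    4:07PM  2:24.34 /sbin/klogd -c 1 -x -x (perl)
root    12  0.0  0.0     0     0  ??  DL   3:00PM  0:00.20 [g_event]
alice 3310  0.0  0.1  4000  2000  p0  Ss   3:30PM  0:00.05 -bash (bash)
"""
KNOWN_BINARIES = {"/usr/bin/perl", "/usr/local/sbin/httpd"}  # constructed stand-in for the disk

def parse_ps_line(line):
    """Split one `ps aux` row into user, pid, argv string and real command name."""
    fields = line.split(None, 10)
    if len(fields) < 11 or not fields[1].isdigit():
        return None  # header row or truncated line
    m = PAREN_RE.match(fields[10].strip())
    args, comm = (m.group("args"), m.group("comm")) if m else (fields[10].strip(), None)
    return {"user": fields[0], "pid": int(fields[1]), "args": args, "comm": comm}

def suspicious(proc, path_exists=os.path.exists):
    """Reasons a parsed row looks like an interpreter hiding behind a forged name."""
    if proc["comm"] is None:
        return []  # argv[0] matches the binary name: nothing hidden
    argv0, comm, reasons = proc["args"].split()[0], proc["comm"], []
    if argv0.startswith("[") and argv0.endswith("]"):
        reasons.append("fake kernel-thread name %s (really %s)" % (argv0, comm))
    # Login shells legitimately prefix argv[0] with '-', so strip it before comparing.
    if comm in INTERPRETERS and os.path.basename(argv0).lstrip("-") != comm:
        reasons.append("%s interpreter running as %s" % (comm, argv0))
    if argv0.startswith("/") and not path_exists(argv0):
        reasons.append("claimed binary %s is not on disk" % argv0)
    return reasons

def scan(ps_output, path_exists=os.path.exists):
    """Map pid -> reasons for every ps row that looks masqueraded."""
    findings = {}
    for line in ps_output.splitlines():
        proc = parse_ps_line(line)
        reasons = suspicious(proc, path_exists) if proc else []
        if reasons:
            findings[proc["pid"]] = reasons
    return findings
```

On a live FreeBSD box feed it `ps -axww -o user,pid,%cpu,%mem,vsz,rss,tt,stat,start,time,command` output with the default `os.path.exists`; the `-bash (bash)` row shows why login shells must not be counted as forged names.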

check out port mod_security for apache31 and mod_security2 for apache22
