Skip to main content

apache 2.2 - Server Potentially Compromised -- c99madshell





So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host.



I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit.



To give you a bit of information:



The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites.



All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script.




Now I wasn't able to actually locate c99madshell.php itself -- only a bunch of other HTML files containing russian text and a few .xl and .html files with inline PHP that were renditions of the madshell hack. Upon doing a bit of research, though, it looks like the hack destroys itself after execution -- great.



Anyway, my initial assessment would be this:




  • Not necessary to rebuild the entire host, as given the isolation of the apache user / group, they shouldn't have been able to get system level passwords.


  • It is necessary to fix this vulnerability by restricting uploads to not have the execute permission, updating the FCKEditor version to correct the original exploit target, and add server-level configuration that denies execution of PHP script within the uploads directory.


  • I should change the DB passwords for the app -- given the configuration file for the database connection lies within the web-root, the hacker most likely could've grabbed it and with it the DB password.





Anyway, please provide any input you guys have regarding what I should tell the bossman. Obviously it'd be ideal to avoid rebuilding the whole host -- but if thats what we have to take to ensure we're not running a hacked machine, then thats what its going to take.



I really appreciate your guys help. Also don't hesitate to ask for more information (I'd be happy to run commands / work with you guys to assess the damage). God damn hackers :(.


Answer



Obviously as others have said, the official "secure" response would be to rebuild the machine.



The reality of the situation might prevent that. You can run a few things to check for compromises:




  • Chkrootkit - tests for common signs of the server being compromised


  • If rpm system, 'rpm -Va|grep 5' will check all rpm installed binaries and report a "5" if the MD5 sum has changed. Rebuild necessary if you found any inconsistencies not explained b a customized binary.

  • Look in /tmp for anything suspicious.

  • Check 'ps fax' for any abnormal processes. If 'ps' is compromised or via other techniques you could still have hidden processes running.

  • If you found ANY files in your search that had ownership other than apache, your system accounts were definitely compromised and you need a rebuild.



Corrections to make on your system configuration:




  • Disable uploads by FCKeditor if possible


  • Make sure your temp directories are made NOEXEC to prevent programs executing off of them

  • Any php scripts should be up to date

  • If you want to get fancy install mod_security to look out for exploits during runtime of the php scripts



There is a ton of stuff I am missing out but those would be the first steps I would take. Depending on what you are running on the server and the importance of the security of it (do you handle CC transactions?) a rebuild might be necessary but if it is a 'low security' server you might be ok with checking the above.


Comments

Post a Comment

Popular posts from this blog

linux - iDRAC6 Virtual Media native library cannot be loaded

When attempting to mount Virtual Media on a iDRAC6 IP KVM session I get the following error: I'm using Ubuntu 9.04 and: $ javaws -version Java(TM) Web Start 1.6.0_16 $ uname -a Linux aud22419-linux 2.6.28-15-generic #51-Ubuntu SMP Mon Aug 31 13:39:06 UTC 2009 x86_64 GNU/Linux $ firefox -version Mozilla Firefox 3.0.14, Copyright (c) 1998 - 2009 mozilla.org On Windows + IE it (unsurprisingly) works. I've just gotten off the phone with the Dell tech support and I was told it is known to work on Linux + Firefox, albeit Ubuntu is not supported (by Dell, that is). Has anyone out there managed to mount virtual media in the same scenario?
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits,
Post a Comment
Read more