Skip to main content

apache 2.2 - Server Potentially Compromised -- c99madshell





So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host.



I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit.



To give you a bit of information:



The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites.



All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script.




Now I wasn't able to actually locate c99madshell.php itself -- only a bunch of other HTML files containing russian text and a few .xl and .html files with inline PHP that were renditions of the madshell hack. Upon doing a bit of research, though, it looks like the hack destroys itself after execution -- great.



Anyway, my initial assessment would be this:




  • Not necessary to rebuild the entire host, as given the isolation of the apache user / group, they shouldn't have been able to get system level passwords.


  • It is necessary to fix this vulnerability by restricting uploads to not have the execute permission, updating the FCKEditor version to correct the original exploit target, and add server-level configuration that denies execution of PHP script within the uploads directory.


  • I should change the DB passwords for the app -- given the configuration file for the database connection lies within the web-root, the hacker most likely could've grabbed it and with it the DB password.





Anyway, please provide any input you guys have regarding what I should tell the bossman. Obviously it'd be ideal to avoid rebuilding the whole host -- but if thats what we have to take to ensure we're not running a hacked machine, then thats what its going to take.



I really appreciate your guys help. Also don't hesitate to ask for more information (I'd be happy to run commands / work with you guys to assess the damage). God damn hackers :(.


Answer



Obviously as others have said, the official "secure" response would be to rebuild the machine.



The reality of the situation might prevent that. You can run a few things to check for compromises:




  • Chkrootkit - tests for common signs of the server being compromised


  • If rpm system, 'rpm -Va|grep 5' will check all rpm installed binaries and report a "5" if the MD5 sum has changed. Rebuild necessary if you found any inconsistencies not explained b a customized binary.

  • Look in /tmp for anything suspicious.

  • Check 'ps fax' for any abnormal processes. If 'ps' is compromised or via other techniques you could still have hidden processes running.

  • If you found ANY files in your search that had ownership other than apache, your system accounts were definitely compromised and you need a rebuild.



Corrections to make on your system configuration:




  • Disable uploads by FCKeditor if possible


  • Make sure your temp directories are made NOEXEC to prevent programs executing off of them

  • Any php scripts should be up to date

  • If you want to get fancy install mod_security to look out for exploits during runtime of the php scripts



There is a ton of stuff I am missing out but those would be the first steps I would take. Depending on what you are running on the server and the importance of the security of it (do you handle CC transactions?) a rebuild might be necessary but if it is a 'low security' server you might be ok with checking the above.


Comments

Post a Comment

Popular posts from this blog

linux - Awstats - outputting stats for merged Access_logs only producing stats for one server's log

I've been attempting this for two weeks and I've accessed countless number of sites on this issue and it seems there is something I'm not getting here and I'm at a lost. I manged to figure out how to merge logs from two servers together. (Taking care to only merge the matching domains together) The logs from the first server span from 15 Dec 2012 to 8 April 2014 The logs from the second server span from 2 Mar 2014 to 9 April 2014 I was able to successfully merge them using the logresolvemerge.pl script simply enermerating each log and > out_putting_it_to_file Looking at the two logs from each server the format seems exactly the same. The problem I'm having is producing the stats page for the logs. The command I've boiled it down to is /usr/share/awstats/tools/awstats_buildstaticpages.pl -configdir=/home/User/Documents/conf/ -config=example.com awstatsprog=/usr/share/awstats/wwwroot/cgi-bin/awstats.pl dir=/home/User/Documents/parced -month=all -year=all...
Post a Comment
Read more

iLO 3 Firmware Update (HP Proliant DL380 G7)

The iLO web interface allows me to upload a .bin file ( Obtain the firmware image (.bin) file from the Online ROM Flash Component for HP Integrated Lights-Out. ) The iLO web interface redirects me to a page in the HP support website ( http://www.hp.com/go/iLO ) where I am supposed to find this .bin firmware, but no luck for me. The support website is a mess and very slow, badly categorized and generally unusable. Where can I find this .bin file? The only related link I am able to find asks me about my server operating system (what does this have to do with the iLO?!) and lets me download an .iso with no .bin file And also a related question: what is the latest iLO 3 version? (for Proliant DL380 G7, not sure if the iLO is tied to the server model)
Post a Comment
Read more

hp proliant - Smart Array P822 with HBA Mode?

We get an HP DL360 G8 with an Smart Array P822 controller. On that controller will come a HP StorageWorks D2700 . Does anybody know, that it is possible to run the Smart Array P822 in HBA mode? I found only information about the P410i, who can run HBA. If this is not supported, what you think about the LSI 9207-8e controller? Will this fit good in that setup? The Hardware we get is used but all original from HP. The StorageWorks has 25 x 900 GB SAS 10K disks. Because the disks are not new I would like to use only 22 for raid6, and the rest for spare (I need to see if the disk count is optimal or not for zfs). It would be nice if I'm not stick to SAS in future. As OS I would like to install debian stretch with zfs 0.71 as file system and software raid. I have see that hp has an page for debian to. I would like to use hba mode because it is recommend, that zfs know at most as possible about the disk, and I'm independent from the raid controller. For us zfs have many benefits, ...
Post a Comment
Read more