Developer Creates Rootkit That Hides in PHP Server Modules

It's indeed important for developers and good that this is known.
So maybe security companies can do something to find or work against this kind of code.
If I read how relatively easily this was done, we can be sure we will see more of this soon from real abusing hackers.
 
This isn't an exploit or any security breach, for those who may be worried. It's merely how PHP modules work. This is about the .so files you include in your server's php.ini, for example the PECL files: imagick.so, redis.so, etc.

If the source you got it from has been compromised or has put a rootkit in it... then yes, they can exploit it.

So this isn't anything new; if you want to learn from it, be aware that you don't put a PHP extension in your server/config from a source you don't/can't trust.

And that it's possible that, with an already taken-over server, they can put in a PHP module without you knowing (and another million things).
 
Well, unless you think you do have things from a source you can trust:
Paris has created a proof-of-concept PHP rootkit which he open-sourced on GitHub. The test rootkit he developed hooks into the PHP server's "hash" and "sha1" functions. The entire rootkit is 80 lines of code, and an attacker could easily hide it in legitimate modules.

If I read the whole article, there are more persons than only one developer who say this can cause trouble.
Especially in the part "Mitigate attack by scanning Apache module file hashes" of the text.

I'm getting worried if I read that sha1 hashes can be copied and infected stuff can be made to look like safe ones by cloning their sha1 hashes.

And if we already only use sources we can trust, but the developers don't, we still can get into trouble if this is true:
Very few developers check the hashes of their PHP modules, meaning it's quite easy to trick devs into downloading a tainted PHP module or replacing PHP modules on hacked servers.

I'm still a bit worried, but I will trust your judgement. Luckily we almost don't use anything other than the default modules delivered with DA.
 
@Richard, you can also look at the comments at the Dutch Tweakers article if you want.

The whole story uses security terms and seeming truths... however they are all used in a very sensational way; it has all been taken out of proportion.

Because if someone is able to modify a .so file in your setup, he already has all the access he needs.

This is all just a textbook tutorial about how stuff works, and the "teacher" saying: okay, good job, but to get a 100% score for your piece, use sha256 because sha1 has been compromised.

It's fun to dig in, but news sites are just taking it over like it's something serious to look out for, while it's not. If you want to panic over this, there are 10001 other things you can panic about the same way.
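As a worked example of the "scan module file hashes" mitigation the thread refers to, and of the earlier point that a .so extension is only as trustworthy as the source it came from, here is an added Python script (not from the article, from the forum posters, or from any project). It records a sha256 baseline of every .so in a PHP extension directory and later reports which modules are ok, modified, missing or unexpected. The extension directory path in the constant and the fake module contents in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Hypothetical extension directory; on a real server take it from `php -i` (extension_dir).
EXT_DIR_EXAMPLE = "/usr/local/lib/php/extensions/no-debug-non-zts-EXAMPLE"


def sha256_of_file(path, chunk=1 << 16):
    """Stream the file through sha256 so large .so files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(ext_dir):
    """Trusted baseline: sha256 of every .so, taken right after a clean install."""
    manifest = {}
    for name in sorted(os.listdir(ext_dir)):
        if name.endswith(".so"):
            manifest[name] = sha256_of_file(os.path.join(ext_dir, name))
    return manifest


def verify_manifest(ext_dir, manifest):
    """Compare the directory against the baseline. Returns {module name: status}."""
    result = {}
    present = {n for n in os.listdir(ext_dir) if n.endswith(".so")}
    for name, expected in manifest.items():
        if name not in present:
            result[name] = "missing"
        elif sha256_of_file(os.path.join(ext_dir, name)) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    for name in present - set(manifest):
        # A module nobody baselined is exactly what a planted extension looks like.
        result[name] = "unexpected"
    return result


def demo():
    """Constructed scenario: baseline two fake modules, then tamper with one and add one."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("imagick.so", b"fake imagick"), ("redis.so", b"fake redis")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        baseline = build_manifest(d)
        # Simulated tampering after the baseline: redis.so changes, mystery.so appears.
        with open(os.path.join(d, "redis.so"), "ab") as f:
            f.write(b"\x00extra")
        with open(os.path.join(d, "mystery.so"), "wb") as f:
            f.write(b"unknown")
        return verify_manifest(d, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

Two caveats follow directly from the discussion above. The baseline must come from a clean install and be kept read-only off the box (or compared against the hashes the source publishes), because anyone who can write to the extension directory can also rewrite a manifest stored next to it. And this check only catches tampering that happens after the baseline; a module that was already backdoored when it was downloaded will hash as "ok", which is why the earlier post insists on trusting the source.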
 
Yes, you're right of course.

BUT:
With this news all over the web, plus the sample, the "kiddies" could get a starting point which makes things easier.

As you all know, a lot of companies/organisations have temporary/intern/outsourced persons working with them.
Still, most threats are from/by people inside; this could be abused as a kind of "inside" one.

As an example, one admin in Holland took over/hacked the web servers of his "BOSS" not long ago.

So yes, modules from a trusted source, but that source has to be aware of such kinds of ..., and have taken actions to prevent it.
 
Thank you Arieh, that gave me some more peace of mind, also because I read it could be seen as PHP malware running in a user environment. In that case root is out of the question, because we run mod_ruid, so PHP only runs as the user in their accounts.

@ikkeben: Yes, that's what I was thinking about too, but this kind of stuff will get in the open anyway if it's that easy. And he removed the hooks, so the script kiddies will have to figure that out for themselves.

Things being abused from or via inside persons is also possible, not only with this, so I don't worry about that. Persons working for you at the security level are always something to keep in mind.
 
Things being abused from or via inside persons is also possible, not only with this, so I don't worry about that. Persons working for you at the security level are always something to keep in mind.

Uh, sorry, everyone should be afraid of inside hackers/criminals, so also within every company/organisation you do business with and/or are getting products or services/software from.

The worst things mostly started that kind of way.

(As you can see again, an IT person in the USA reset the water meter passwords of all customers of his BOSS; such things are much more common than one knows, mostly it stays an inside secret... because of bad publicity.)

You as customer mostly don't have any influence on that kind of sh...

(You did read about the hoster in NL where an admin who was angry "hacked"/took down a number of its customers, didn't you?)

A lot could be better if:
Policies (working rules and so on) are right and, importantly, following them is checked at every stage and for every person.
Security and privacy awareness at every stage and for every person.
 
Of course you are correct, but I was talking about myself in this case; that's why I said I don't worry about that.

You as customer mostly don't have any influence on that kind of sh...
Correct, so why worry about it then? I can't help it anyway if the water meter or power company has issues.

Yep, I've read that piece about the angry admin, but I don't have any "staff", I'm a ZZP (self-employed).

So the only thing I have to watch is the ones I'm getting software from, if any. And of course I do my checks, update servers where necessary, etc. etc., which is a default thing to do imho.
 
OK, worry, afraid... is maybe too...

The only thing I tried to explain is checking and keeping most of the software-driven things checked and also up to date.

Yes, your meters are better watched and checked sometimes by hand and by yourself, as an example. (More complex often means more errors possible, not only from hacker scams.)
 