Got Hacked

[Voland]

Hacked - SOLVED!

Hello!

Generally server is fine but Today i found some scripts uploaded to the one fo the users directory.

As i understand, someone (I will call him atacker) has uploaded to the jumla's administrator templates directory some php script, encoded by base64 this script generates another perl script with some extension.

with htaccess atacker override basic rules:

htaccess:

Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .evil

AddHandler cgi-script .evil
AddHandler cgi-script .evil

another htaccess:

#Options FollowSymLinks MultiViews Indexes ExecCGI

AddType application/x-httpd-cgi .izri

AddHandler cgi-script .pl
AddHandler cgi-script .pl

and run perl script.

System:

Centos 5.5 - Kernel updated
Apache 2.2.1x (dont remember, has updated)
PHP 5.2.x - disabled all exec, shell_exec and others
mod_ruid2
CSF
Perl - cgi disabled for all users
openbase directory - on
safe mode -off


any ideas, how to prevent perl scripts running when CGI in da is off?

 

[Voland]

nobody knows how to prevent overriding CGI off in DA?

 

[nobaloney]

Install an empty .htaccess file, and chattr it immutable.

Jeff

 

[Voland]

Install empty htaccess

good idea for one site
but when i have mote than 3000 users?
it's impossible to do that for all and for all their folders.
Users need mod_rewrite and php control by php_flag-s

Its very big trouble if everyone is able to run perl scripts in any da server
we need right solution because all da installations is in danger.

 

[zEitEr]

So, what is the problem?

1. Read logs and learn how was your server hacked.

2. Read logs and learn how were some scripts uploaded.

3. Read logs and learn how a hacker did things on your server.

And depending on what you learn from logs you should fix the things:

1. Restrictions on .htaccess, or
2. Restrictions on FTP, or
3. etc.

 

[Voland]

Re

Have you read my first post?

I have checked the logs and i know how server was hacked ,from old jumla.
And knoiw what they have done.
I can do nothing, becouse the configuration alows ru run perl script
when perl access is disabled in user config

yes, of cource i can put empty htaccess file to all users folders
but you think it's normal?
Do you order hosting at provider who has root owned htaccess file in your site folder?

I(We) still need right solution to completly disable perl when it's turned off in user config.

 

[zEitEr]

OK, you might want to remove mod_perl then. Or change AllowOverride option in global httpd.conf in order to deny to use some directives in .htaccess.

 

[SeLLeRoNe]

I had same problem yesterday.

Hacker used OS Commerce for put the .htaccess file.

Solution was easy. Tell your customer that his website is not-up2date and so a risk for the server and he must solve it, if not, website get suspended.

Ok you dont wanna put .htaccess in users folder, but they must have everything updated and dont be a risk for all the server, this should be in your policy.

PS. I had cgi disabled aswell from DA Panel.

Regards

 

[Voland]

PS. I had cgi disabled aswell from DA Panel.

Me to..

OK, you might want to remove mod_perl then. Or change AllowOverride option in global httpd.conf in order to deny to use some directives in .htaccess.

can you tell me how to change AllowOverride only for perl?
php is usefull.

 

[zEitEr]

It's impossible to do it only for perl. You should deny:

1. FileInfo: AddHandler
2. Options +ExecCGI

http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride

But this will break a lot of things. So it would be too restrictive for you, I believe.

So you might need to remove mod_cgi and mod_perl.

 

[scsi]

chmod 750 /usr/bin/perl
chmod 750 /usr/local/bin/perl

 

[Voland]

chmod 750 /usr/bin/perl
chmod 750 /usr/local/bin/perl

does this kill something else?

 

[scsi]

Just disabled any non root user from being able to use perl. If not your gonna have to do alot of hacking to apache to not allow perl scripts from working...probably disabling allowoverrides and disabling the use of cgi-bin alltogether. Removing mod_cgi and mod_perl is probably a good idea if you are worried about it.

 

[Voland]

cgi

Can you tell me where is mod_cgi or mod_perl is included?

I've checked all http confs and user httpd confs
but cant find wher it is.

I'm using default custobuild options >> php5 cli and apache 2.2.19

 

[Voland]

Perl

Thanks! It works!

I just removed the search/execution for others (chmod 754 /usr/bin/perl)
and now perl gives 500 error
in logs:

(13)Permission denied: exec of '/home/xxxxxxxxxxx/domains/xxxxxxxxxxxxxxx.xx/public_html/templates/tm2/izriperl.izri' failed

Thank you guys Wery much!

For notes:
chmod 754 /usr/bin/perl is inough because I'm using mod_ruid2.
if someone not using this module
must do:
chmod 744 /usr/bin/perl to prevent execution from apache

or /usr/local/bin/perl

 

[LawsHosting]

because I'm using mod_ruid2.

Was only the account hacked, or the server, I mean, did the script managed to get out of the account's public_html?

What does this script do? Does it try anything in /tmp/?

I'm asking because I'm thinking of adding ruid2

 

[Voland]

mod_ruid2

I think mod_ruid2 saved server from beeng hacked
because of mod_ruid2, thay only get access 777 chmoded files outside user directory.

 

[zEitEr]

You might need to swith to access group

http://www.directadmin.com/features.php?id=961