Recurring HTTP exploit

itsensellc

Verified User
Joined
Jul 15, 2005
Messages
51
Hello,

I'm having a recurring issue where someone is getting a script into /tmp, taking down the webserver and setting up their stupid IRC bot on port 80. It's annoying because thus far I have not been able to track them down. As soon as it happens I'm combing through the logs trying to find out what PHP script (probably PHPBB or something like it from one of my customers) is letting them through but there is nothing in the logs. I've had this happen before but usually there's some trace in the logs like some ASCII encoded string. Right now I just have little to nothing to go on and it's quite annoying. I've combed all over the net but found next to nothing. RKHunter doesn't even know it exists.

Any suggestions on how I can track this down or at least set myself up for when it does happen the next time I can trap where it's coming from and patch it?

Thanks very much,
JP
 
Is your /tmp folder on a partition of its own? Do you run suphp or suexec?
 
/tmp is on its own filesystem with noexec, nosuid. I'm running SUPHP. From what I've read, the /tmp noexec, nosuid doesn't prevent someone from executing a script out of tmp.
 
They must of found a major exploit then if you run suphp and noexec on /tmp. Because even being able to bind to port 80 would require root privledges. I would make sure all customers sites are updated that might be using cms or forum software that could be exploitable. I dont know if there is an easy way to find out where it came in though.

Do you disable any php functions that could be exploited?

You could try greping your apache logs for path=
 
Ya nothing on that grep.

I have not disabled any PHP functions personally (such as shell, etc). I probably should. But one side of me doesn't want to block them just yet until I figure out how they got through. I'll let them through again unless I can find in the meantime how they got in because short of taking down the webserver, they aren't doing anything malicious.

Now here's my issue - they must not have any kind of significant elevated privileges because if they did, I think they would be doing much worse that setting up an IRC bot (such as going after my customer's data and websites).

I'm even running mod_security. I would have thought it would catch it. Apparently I don't have a rule setup to catch it :)

Any other ideas?
 
Fire up a nice IDS/NIDS like snort/ACID or prelude.

It's annoying at first because you have to tune it for your needs and you will have a lot of false positives (alerts which aren't really a security treat), but it's a must to catch those kind of attacks.
If you don't use proactive rules (which are way difficult to setup) it won't stop the attack, but it will tell you who did it and how was it done.
You will probably need a security analyst or at least someone good in security matters to study the alerts.
 
I feel like a rookie. PHP is running in CLI mode. I'm going to switch to CGI mode and observe.

Thanks!
 
That won't probably change anything, but here is a fast & easy security solution for a large number of PHP vulnerabilities & reconnaissance; just put this in the php.ini file and restart Apache:

Code:
disable_functions = "apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, disk_free_space, diskfreespace, dl, highlight_file, ini_alter, ini_restore, openlog, passthru, phpinfo, proc_nice, shell_exec, show_source, symlink, system, exec, fsockopen, popen, proc_open"

Some of those functions may be used by a few very special pages... just check them out and permit the used functions.
 
Back
Top