One of our clients was sending out spam unknowingly yesterday. I spent most of my afternoon cleaning it up, tracking down how the attackers were doing it.<\/p>\n
In this clients case, they have their own server (which we maintain), and they mostly write their own code.
\nMost of the common garden variety vulnerability scans don’t work on their server, because they write their own code, although in this case it didn’t save them from being exploited.<\/p>\n
In order to find out what was causing the spamming, I had to find out how the attackers got in.
\nUsually this means a check of the apache logs to check for anything untoward.<\/p>\n
In this case, although the logs had plenty of vulnerability scans (which were to files that don’t exist on their server), I couldn’t see anything in the logs that immediately stuck out as being the cause.
\n
\nThinking that they might be sneaky, I decided to check if any files on the server had anything interesting in them. PHP has a few functions that are a little dangerous, most of these are system related – you can execute other software on the system using them. <\/p>\n
As pretty much all the code on this server is php based, I went a little deeper, and did a filesystem scan of some common php system calls to see if anything popped out.<\/p>\n
In unix, this is pretty easy<\/p>\n
A few seconds later, this popped up as a result.<\/p>\n Hmm, a jpg file containing shell_exec? A quick check of the file in a text editor showed that it was actually a shell script that contained the c99shell. Both these scripts allowed for remote pseudo shell access to the server, as well as attempts to further hack the server using common vulnerabilities. They are both quite comprehensive in what they do, and are worthy of further dissection at a later date.<\/p>\n I removed the 2 files (after making copies for further analysis), and let the client know. Sneaky!<\/p>\n Turns out that the client was using a common upload library, and it appears that this had an upload vulnerability. PHP has an extension called FileInfo, which can check files to see if they’re actually what they say they are. Even so, you still need to avoid using FileInfo for checking gif files, as it pretty much assumes any file starting in GIF is a gif. <\/p>\n Sample code to safely check for gif below.<\/p>\n Back to FileInfo. The typical way to install Pear extensions is <\/p>\n In this case “pecl install FileInfo” wasn’t working, because we set \/tmp as non executable for safety reasons.<\/p>\n ERROR: `phpize' failed<\/code><\/p>\n So, we had to install it manually, sigh.<\/p>\n Manual installation of pecl files is simple, although undocumented.<\/p>\n Go to the download folder: Move the file to a different folder with execute permissions Extract, and install<\/p>\n We also had to add extension=fileinfo.so to our \/etc\/php5\/apache2\/php.ini file.<\/p>\n Conclusions for us – <\/p>\n Luckily, they didn’t manage to do any damage except for send mass email. We’re planning to further tighten their system with a PHP Hardener called Suhosin, although this depends on their scripts being compatible. We’re currently trialing a Suhosin install with logging enabled to see what may break when its fully enabled.<\/p>\n We use Suhosin on a most of our servers already. One of our clients was sending out spam unknowingly yesterday. I spent most of my afternoon cleaning it up, tracking down how the attackers were doing it. In this clients case, they have their own server (which we maintain), and they mostly write their own code. Most of the common garden variety vulnerability scans don’t […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[48,25],"tags":[528,50,49],"class_list":["post-177","post","type-post","status-publish","format-standard","hentry","category-exploits","category-technical-mumbo-jumbo","tag-exploits","tag-shell-scripts","tag-suhosin"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/comments?post=177"}],"version-history":[{"count":2,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/177\/revisions"}],"predecessor-version":[{"id":179,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/posts\/177\/revisions\/179"}],"wp:attachment":[{"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/media?parent=177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/categories?post=177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.computersolutions.cn\/blog\/wp-json\/wp\/v2\/tags?post=177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}grep shell_exec * -R<\/code><\/p>\n\/userpix\/1216256595.jpg<\/code><\/p>\n
\nSeems strange.<\/p>\n
\nI soon found another script in that folder with a .jpg extension that contained the r57shell.<\/p>\n
\nA check of the logs revealed that calls were indeed being made to those files.<\/p>\n
\nI advised them to do better error checking, update that library, and installed some additional features for them in their server.<\/p>\n
\nIts not perfect, but it does add a degree of safety for situations like this where things get abused.<\/p>\nif (!$img = @imagecreatefromgif($uploadedfilename)) {
\n trigger_error('Not a GIF image!',E_USER_WARNING);
\n \/\/ do necessary stuff
\n}<\/code><\/p>\npecl install
\npecl install Fileinfo
\n3 source files, building
\nrunning: phpize
\nConfiguring for:
\nPHP Api Version: 20041225
\nZend Module Api No: 20060613
\nZend Extension Api No: 220060519
\n\/usr\/bin\/phpize: \/tmp\/pear\/cache\/Fileinfo-1.0.4\/build\/shtool: \/bin\/sh: bad interpreter: Permission denied
\nCannot find autoconf. Please check your autoconf installation and the $PHP_AUTOCONF
\nenvironment variable is set correctly and then rerun this script.<\/p>\n
\ncd \/tmp\/pear\/cache\/<\/code><\/p>\n
\ncp Fileinfo-1.0.4.tgz \/downloads
\ncd \/downloads<\/code><\/p>\ntar -zxf Fileinfo-1.0.4.tgz
\ncd Fileinfo-1.0.4
\nphpize
\n.\/configure
\nmake
\nmake install<\/code><\/p>\n
\nTripwire and Tiger (two IDS programs we use) showed that none of the system files on their server were compromised. <\/p>\n
\nIronically we had been talking about it with that client when they got hacked! <\/p>\n","protected":false},"excerpt":{"rendered":"