Server compromised Zen-Cart "record company" Exploit

James Smallacombe up at 3.am
Thu Feb 4 20:28:59 UTC 2010


Replying to Bogdan Webb's reply recommending suhosin:

This appears to be exactly what I needed, thanks!  The stock ports PHP 
install already has the suhosin patch, but the extension is a godsend! 
Not only does it log everything, but it lets you manage php functions on 
a per virtual host basis, not just in php.ini.  Fantastic and is working 
great.  About the only thing I could want more would be to control the 
functions under the apache <Directory> directives (on top of in 
<VirtualHost>).

On Mon, 1 Feb 2010, James Smallacombe wrote:

>
> (please reply-all; I am not sub'd and sorry for the top posting):
>
> I have safe_mode off due to popular demand.  So many customer apps demand 
> that it be kept off.  In fact, here is a post from one of the Zen people on 
> the Zen-cart forum.  In light of this exploit, this might be a little ironic:
>
> http://www.zen-cart.com/forum/showthread.php?t=76740
>
> "There is one for-sure patch: Turn off safe-mode.
>
> Keep in mind that future versions of PHP will *not* even include a safe-mode 
> ... because it's a weak bandage giving a false sense of security to hosts who 
> don't otherwise know how to properly secure their servers.
>
> This begs the question: why? ie: why would you want to run your online 
> business on a server that's got to use safe-mode in order to think they're 
> securing the server?
>
> I'm not trying to badmouth your server administrator; rather I'm attempting 
> to strongly make the point that unless safe-mode is being used for a very 
> specific reason for which there is no other solution (an unlikely situation), 
> it shouldn't be used. And, if it is being used, you shouldn't run your 
> business there, because there will be other security issues to which you'll 
> be vulnerable but never have a clue about it until disaster strikes, because 
> the big picture of security protection has been poorly implemented.
>
> That said, Zen Cart will install and run even if Safe Mode is active; 
> however, you run the risk of certain features not working with or without 
> notice, and the unexpected appearance of warning or fatal errors while 
> customers are using the site. And then there's the issue of the admin side 
> needing to do various things that safe-mode doesn't like.
>
> So, I guess, in short ... you can do it, but you do so at your own risk.
>
> Maybe that's more than you wanted to hear ... sorry"
>
> ----
> From:      Bogdan Webb <bogdan at pgn.ro>
>
> try php's safe_mode but it is likely to keep the hackers off, indeed they
> can get in and snatch some data but they would be kept out of a shell's
> reach... but sometimes safe_mode is not enough... try considering Suhosin
> but the addon not the patch... and define the
> suhosin.executor.func.blacklist which will deny use of certain php commands
> that allow shell execution... but keep in mind it's impossible to prevent
> all breaches... this php patch will only keep the hacker kiddos off but
> there's still a good chance it can be broken... stay safe !
>
> ref's:
> http://www.hardened-php.net/suhosin.127.html
> http://beta.pgn.ro/phps/phpinfo.php
>
>
> On Sun, 31 Jan 2010, James Smallacombe wrote:
>
>> 
>> Whoever speculated that my server may have been compromised was on to 
>> something (see bottom).  The good news is, it does appear to be contained 
>> to the "www" unprivileged user (with no shell).  The bad news is, they can 
>> still cause a lot of trouble.  I found the compromised customer site and 
>> chmod 0 their cart (had php binaries called "core(some number).php that 
>> gave the hacker a nice browser screen to cause all kinds of trouble)
>> 
>> Not sure if this is related to the UDP floods, but if not, it's a heck of a 
>> coincidence.  At times, CPU went through the roof for the www user, mostly 
>> running some sort of perl scripts (nothing in the suexec-log).  I would 
>> kill apache, but couldn't restart it as it would show port 80 in use.  I 
>> would have to manually kill processes like these:
>> 
>> www  70471  1.4  0.1  6056  3824  ??  R  4:21PM   0:44.75 [eth0] (perl)
>> www  70470  1.2  0.1  6060  3828  ??  R  4:21PM   0:44.50 [bash] (perl)
>> www  64779  1.0  0.1  6056  3820  ??  R     4:07PM   2:24.34
>> /sbin/klogd -c 1 -x -x (perl)
>> www   70472  1.0  0.1  6060  3828  ??  R     4:21PM   0:44.84
>> 
>> I could not find ANY file named klogd on the system, let alone in /sbin. 
>> Clues as to how to dig myself out of this are appreciated....
>> 
>> I found this in /tmp/bx1.txt:
>> 
>> #!/usr/bin/php
>> <?php
>> 
>> #
>> # ------- Zen Cart 1.3.8 Remote Code Execution
>> # http://www.zen-cart.com/
>> # Zen Cart Ecommerce - putting the dream of server rooting within reach of 
>> anyone!
>> # A new version (1.3.8a)  is avaible on http://www.zen-cart.com/
>> #
>> # BlackH :)
>> #
>> 
>> error_reporting(E_ALL ^ E_NOTICE);
>> if($argc < 2)
>> {
>> echo "
>> =___________ Zen Cart 1.3.8 Remote Code Execution Exploit  ____________=
>> ========================================================================
>> |                  BlackH <Bl4ck.H at gmail.com>                          |
>> ========================================================================
>> |                                                                      |
>> | \$system> php $argv[0] <url>                                        |
>> | Notes: <url>      ex: http://victim.com/site (no slash)              |
>> |                                                                      |
>> ========================================================================
>> ";exit(1);
>> 
>> -----------  snipped ------
>> 
>> It is dated from two nights ago, after these issues started, but it's 
>> nonetheless alarming.  Security Focus is aware of the issue and refers you 
>> to Zen for the fix.  Only problem is, this is an old version of Zen cart, 
>> and the
>> 
>> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
>> up at 3.am 
>> http://3.am
>> =========================================================================
>> 
>
> James Smallacombe		      PlantageNet, Inc. CEO and Janitor
> up at 3.am							    http://3.am
> =========================================================================
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================
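The per-virtual-host function control discussed in this thread, written out as an added example (not configuration from any of the posters). It assumes mod_php with the Suhosin extension loaded, and that the host in question is the compromised cart site; hostnames and paths are placeholders.

```apache
# Added example: lock down shell-capable PHP functions for one vhost only.
# Assumes mod_php and extension=suhosin.so already loaded via php.ini.
<VirtualHost *:80>
    ServerName shop.example.invalid          # placeholder hostname
    DocumentRoot /usr/local/www/shop         # placeholder path

    # Stock PHP alternative that needs no extension: disable_functions is
    # PHP_INI_SYSTEM, so php_admin_value in a VirtualHost is the only
    # place below php.ini it can be set (it cannot go in <Directory>).
    php_admin_value disable_functions "exec,system,passthru,shell_exec,proc_open,popen,pcntl_exec"

    # Suhosin extension: same idea, but logged, and eval() can be
    # restricted separately so injected "core<n>.php" droppers that rely
    # on eval() of downloaded code are refused as well.
    php_admin_value suhosin.executor.func.blacklist "exec,system,passthru,shell_exec,proc_open,popen,pcntl_exec"
    php_admin_value suhosin.executor.eval.blacklist "exec,system,passthru,shell_exec,proc_open,popen"
    php_admin_flag  suhosin.executor.disable_eval On

    # Send every blocked call to syslog (facility/priority are Suhosin's
    # defaults) so the attempts show up even when nothing hits suexec-log.
    php_admin_value suhosin.log.syslog 511
    php_admin_flag  suhosin.log.syslog.facility LOG_DAEMON

    # Set suhosin.simulation On first on a live shop: violations are then
    # logged but not enforced, which shows what the cart itself calls
    # before the blacklist starts breaking legitimate features.
    php_admin_flag  suhosin.simulation Off
</VirtualHost>
```

A quick check after a restart is a one-line script calling one of the listed functions from that vhost; with the blacklist in force it aborts with a Suhosin warning and a syslog entry instead of spawning a process.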


More information about the freebsd-questions mailing list