ThinkPHP: remote code execution?
Hello all.
I have a "little home server" at home (call me crazy). It's a LAMP stack on Slackware 14.1, and I serve my blog from it. I know I need to upgrade, but I have no time. I have several doubts (if necessary, I can open one thread for each of them). First, a little view of my server:
Code:
$ uname -a && cat /etc/slackware-version

The server was off for over a year because of problems with my ISP (I live in a little village in the North of Spain, in the mountains, and here we can only hire ADSL from one ISP; there is no competition, the prices are excessively expensive, and the services provided are minimal, so I cancelled the contract). I renewed it recently, and the server is "on the air" again. Since I turned it on, I have been seeing lines like this in the Apache log:
Code:
$ cat /var/log/httpd/access_log | grep thinkphp | tail -n 1

I have read some things about the ThinkPHP web attack, and I understand (with my bad English comprehension) that it is a remote code execution vulnerability in ThinkPHP, but I am not using the ThinkPHP framework on my server, I think (Slack does not install it, not even in a full install, and I didn't install it):
Code:
$ php -i | grep think

Code:
wget -O you.are.a.bastard

I have also read (important, I know) that this vulnerability is patched (the affected versions are ThinkPHP 5.0 and 5.1), but I have not installed it, nor any other version... So, what is happening? How can I defend my machine from this? I tried to edit my .htaccess file (I did it so many times that I can't remember them, much less transcribe those attempts here) in order to filter the "thinkphp" match, and I tried searching how to do it with Apache too, but my attempts have been unsuccessful (a bad sysadmin, remember). What can I do? I think perhaps you need more information about my system, like the output of httpd -L, php -option, or whatever else... But those outputs are large, and you can help me with grep or similar to search for the relevant info. Note that I need a temporary solution, because I know I must upgrade the system, Apache, PHP, etc. I need to implement SSL and HTTPS too (I read a good manual from AlienBob, great!)... And I have a lot less time than I would like, and I'm sure I'll break something during the process (it is possible that the best way to do everything is to reinstall and reconfigure all of it, but I'll try to upgrade and to learn a lot during the process first), so I think all these tasks are going to extend over time. My second doubt: my domain has been blacklisted in SORBS DUHL and in Spamhaus ZEN. Is it possible that there is a relation between the blacklist and my vulnerability? Thank you very much, and sorry for my bad English.
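The two practical parts of the question, as an added example that is not code from the original post or from any reply: which clients are hitting the server with "thinkphp" requests, whether any of those requests was actually served (on a box without ThinkPHP every one should be a 404), and an .htaccess rule that answers them with 403 instead. The access_log lines are constructed for this example using RFC 5737 documentation addresses, not the poster's real log, and the .htaccess rule assumes mod_rewrite is loaded and that httpd.conf allows .htaccess overrides for the DocumentRoot.

```shell
#!/bin/sh
# Added example, not code from the original post. It answers the two practical
# parts of the question: which clients are probing for "thinkphp" in access_log,
# whether any probe got a 2xx answer, and how an .htaccess rule can turn the
# probes into 403 responses.
# The log lines below are constructed for this example (RFC 5737 test addresses);
# they are not the poster's real log.

# Write a small Apache combined-format access_log to the file given as $1.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Jan/2020:03:14:15 +0100] "GET /thinkphp/ HTTP/1.1" 404 203 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2020:03:16:02 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2020:03:20:40 +0100] "GET /ThinkPHP/ HTTP/1.1" 404 203 "-" "curl/7.64.0"
192.0.2.9 - - [10/Jan/2020:04:01:11 +0100] "GET /thinkphp/index.php HTTP/1.1" 404 203 "-" "-"
EOF
}

# Print "count ip" for every client that requested a URL mentioning thinkphp
# (case-insensitive), most active client first. $1 is the access_log path.
thinkphp_probers() {
    grep -i 'thinkphp' "$1" | awk '{print $1}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Print thinkphp probes that received a 2xx status (field 9 in combined format).
# Without ThinkPHP installed every probe should be a 404, so any line printed
# here means something on the server answered the request and deserves a look.
thinkphp_served() {
    grep -i 'thinkphp' "$1" | awk '$9 ~ /^2[0-9][0-9]$/'
}

# Write an .htaccess (path in $1) that answers any request whose path or query
# string contains "thinkphp" with 403 Forbidden. Needs mod_rewrite loaded and
# "AllowOverride FileInfo" (or All) for the DocumentRoot in httpd.conf.
write_htaccess() {
    cat > "$1" <<'EOF'
RewriteEngine On
# [NC] = case-insensitive match; [OR] joins the two conditions
RewriteCond %{REQUEST_URI} thinkphp [NC,OR]
RewriteCond %{QUERY_STRING} thinkphp [NC]
# "-" keeps the URL unchanged; [F] returns 403, [L] stops further rules
RewriteRule .* - [F,L]
EOF
}

# Demo on the constructed log; point the functions at /var/log/httpd/access_log
# to run them on the real thing.
demo_log=$(mktemp)
make_sample_log "$demo_log"
thinkphp_probers "$demo_log"
thinkphp_served "$demo_log"
write_htaccess "$demo_log.htaccess"
cat "$demo_log.htaccess"
rm -f "$demo_log" "$demo_log.htaccess"
```

Worth knowing before installing the rule: it only changes the answer the scanner gets from 404 to 403; the scanner does not care and the traffic will not stop. The real protection is the one the original poster already has, namely that the vulnerable framework is not installed, so the request that would have made ThinkPHP run that wget command hits nothing that executes it. Run `apachectl configtest` (or `httpd -t`) after adding the file, and if the rule is ignored, check that the `<Directory>` block for the DocumentRoot has `AllowOverride` set to include FileInfo.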
It could be that your IP was previously used for spam, or that your ISP has a bad reputation in general regarding spam.
The same is probably true of the ZEN list, although that list includes all of the Spamhaus RBLs, so it's hard to be certain. Still, one of those is also a dynamic IP address list: https://www.spamhaus.org/ Both of those would only affect email sent from your server to another server that uses those RBLs -- they wouldn't have any effect on attempts to hack your server... which is probably not happening, as bathory said.
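How an RBL lookup actually works, and how to check an address against the two lists named in the question, as an added example that is not code from the thread: a DNSBL is queried by reversing the IPv4 octets, appending the list's zone, and asking for an A record. The zone names are assumptions taken from the lists' public documentation (zen.spamhaus.org for Spamhaus ZEN, dul.dnsbl.sorbs.net for the SORBS DUHL), and 203.0.113.5 is an RFC 5737 documentation address used as sample input.

```shell
#!/bin/sh
# Added example, not from the thread: how an RBL/DNSBL lookup works and how to
# check a public IPv4 address against the two lists named in the question.
# Zone names are assumptions based on the lists' public documentation:
#   Spamhaus ZEN:  zen.spamhaus.org
#   SORBS DUHL:    dul.dnsbl.sorbs.net
# 203.0.113.5 below is an RFC 5737 documentation address used as sample input.

# Build the DNSBL query name: the IPv4 octets reversed, then the zone.
# 203.0.113.5 + zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org
dnsbl_name() {
    ip="$1"; zone="$2"
    echo "$ip" | awk -F. -v z="$zone" '{print $4"."$3"."$2"."$1"."z}'
}

# Query one zone. A listed address answers with an A record in 127.0.0.0/8 whose
# last octet(s) encode the reason; an unlisted address gets NXDOMAIN, which
# dig +short prints as nothing. Returns 0 if listed, 1 if not.
# Needs network access and dig (BIND utilities).
dnsbl_check() {
    ip="$1"; zone="$2"
    answer=$(dig +short "$(dnsbl_name "$ip" "$zone")" A 2>/dev/null)
    if [ -z "$answer" ]; then
        echo "$ip: not listed in $zone"
        return 1
    fi
    echo "$ip: LISTED in $zone -> $answer"
    return 0
}

# Check one address against both lists from the question. Usage: check_all <ip>
check_all() {
    for zone in zen.spamhaus.org dul.dnsbl.sorbs.net; do
        dnsbl_check "$1" "$zone" || true
    done
}

# Offline demo of the name construction. For a live check, replace the sample
# address with your server's current public IP:  check_all 203.0.113.5
dnsbl_name 203.0.113.5 zen.spamhaus.org
```

Two caveats when running the live lookup: query through your own or your ISP's resolver rather than a large public one, since Spamhaus may refuse queries that arrive via such resolvers and the answer will then not reflect the listing status; and a listing on a dynamic-address list is a policy listing for the whole ISP range, not a finding about your machine, so it says nothing about whether the server has been compromised.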
First of all, thank you very much for your answer, bathory. This may seem a common topic, but some of us, who are not professionals, need these answers to sleep peacefully.
Another thing I thought (because ThinkPHP is not installed) was that I had a vulnerability that allowed attackers to use my machine as a zombie, running the script against other hosts. "Esta noche voy a dormir a pierna suelta", we say in Spanish: tonight I'm going to sleep soundly. Thank you very much!!
I remember that I configured sendmail on my server before putting it on the internet, but when I put it "in production" I was blacklisted right away. I read a lot about that at the time (2015, I think) and about how to solve it, because I wanted to implement mail accounts on my site: I learned that dynamic IPs are blacklisted by default. Your inference is right: my host is running on a dynamic address. It is redirected to my domain with a program supplied by my domain provider. What I did not know was that this "would only affect email being sent from your server to another server that uses those RBLs". So I'm thinking I'll perhaps run sendmail again (another task... I have a lot of work!!) :D I'll start upgrading my system and implementing SSL much more calmly. Question solved: thank you very much again, bathory & scasey.