Re: Hack attempt
From: Cedric Blancher (blancher_at_cartel-securite.fr)
To: firstname.lastname@example.org
Date: Sat, 24 Jul 2004 08:54:50 +0200
On Fri 23/07/2004 at 04:04, Alex Derkach wrote:
> Not really an exploit IMO. It is a feature in PHP which you should
> disable if you don't use it. (Edit php.ini OR httpd.conf and add a
> disable_functions directive).
IMHO, if the exploit is quite simple, it points out strong issues
regarding this webserver configuration:
. Web application is poorly developed
  . technique shows direct usage of user input and no validation
    This is a common web app vulnerability. User input must never be
    trusted and must be validated in any case.
. PHP is not configured properly:
  . technique shows fopen URL wrapper set to 1 (baaaad)
  . successful command execution shows safe_mode deactivated
    PHP safe_mode allows one to put restrictions on stuff like file
    inclusion from scripts, command execution, uploading, etc.
. Webserver host is poorly filtered
  . actions show intruder is able to download stuff from the
    Internet, then probably bind a shell, launch eggdrop and so on
    The host should be restricted to the only connections it is supposed
    to receive and initiate, no more. This can prevent an intruder from
    performing a complete intrusion. In this case, proper network filtering
    could have prevented the host from including a distant URL...
> You shouldn't be too worried, the 'hacker' can't get access to
> anything that the web server user doesn't have access to, but don't
> take any chances either. (a simple rm -rf can wipe you out and leave
> you wishing you had backups)
I disagree. Considering the fact there's a lot of kernel local root
exploits around, there's not much to do to get root
if the server has strong availability restrictions that could have restrained the
admin from upgrading the kernel. Not to mention vulnerable third party
applications... Intruder actions have to be verified in order to
validate the fact he couldn't get further privileges.
Anyway, to my mind, this webserver should be completely wiped away,
reinstalled and reconfigured properly from a clean system base
implementing strong restrictions for web apps and correct network
connection filtering. A good start for a secure PHP installation can be :
There are a lot of papers on web app security around.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
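As an added example, not code from this thread or from the compromised server: the unvalidated-input pattern the reply describes next to an allow-list version, plus a runtime check for the php.ini directives the thread names (allow_url_fopen, safe_mode, disable_functions). The `$_GET['page']` parameter and the `pages/` directory are assumed for illustration.

```php
<?php
// Unsafe: user input reaches include() unvalidated. With allow_url_fopen=On
// (and, on old PHP without a separate allow_url_include switch) a remote
// URL can be included and executed with the web server user's privileges.
function render_page_unsafe(string $page): void {
    include $page;
}

// Hardened: map the user-supplied key to a fixed set of local templates.
// The input is never used as a path, so neither "../" nor "http://" matters.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $page): ?string {
    return PAGE_MAP[$page] ?? null;   // null for anything not in the allow-list
}

function render_page_safe(string $page): void {
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Defence in depth: report the interpreter settings the reply calls out.
// ini_get() returns false for directives this PHP build does not know;
// safe_mode was removed in PHP 5.4, so it is only checked where defined.
function risky_ini_settings(): array {
    $problems = [];
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'allow_url_fopen is On';
    }
    $sm = ini_get('safe_mode');
    if ($sm !== false && !filter_var($sm, FILTER_VALIDATE_BOOLEAN)) {
        $problems[] = 'safe_mode is Off (PHP < 5.4 only)';
    }
    // function_exists() reports false for functions removed via disable_functions
    foreach (['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'] as $fn) {
        if (function_exists($fn)) {
            $problems[] = "$fn is not in disable_functions";
        }
    }
    return $problems;
}

render_page_safe($_GET['page'] ?? 'home');
```

Run `risky_ini_settings()` from a deployment check or the app's health endpoint; a non-empty array means the configuration still allows what the intruder in this thread did.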