Hi,

I had a jessie-kfreebsd webserver hosting a Wordpress site, which got hacked as is typical. Though I'd like some help understanding this in particular:

  File: ‘./wp-content/themes/foo/help.php’
  Size: 88800      Blocks: 137        IO Block: 89088  regular file
Device: 81165a50h/2165725776d  Inode: 236326      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1046/     foo)   Gid: (    0/    root)
Access: 2016-01-12 09:19:20.043419070 +0000
Modify: 2016-01-12 09:19:20.044419438 +0000
Change: 2016-01-12 09:19:20.044419438 +0000
 Birth: -

  File: ‘./wp-content/themes/foo/syslib.php’
  Size: 12947      Blocks: 17         IO Block: 13312  regular file
Device: 81165a50h/2165725776d  Inode: 233648      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1046/     foo)   Gid: (    0/    root)
Access: 2016-01-12 12:23:43.047660141 +0000
Modify: 2016-01-12 12:23:43.047660141 +0000
Change: 2016-01-12 12:23:43.134655890 +0000
 Birth: -

Those malware payloads were newly-created files with gid *root* - how is that even possible as a regular user? As uid=1046 I cannot chgrp files to gid=0. The containing directory has gid=1045 and even had the setgid bit set, so files created by root even get gid=1045 by default:

  File: ‘.’
  Size: 28         Blocks: 17         IO Block: 4096   directory
Device: 81165a50h/2165725776d  Inode: 51339       Links: 6
Access: (2755/drwxr-sr-x)  Uid: ( 1046/     foo)   Gid: ( 1045/     foo)
Access: 2015-03-09 20:55:07.000000000 +0000
Modify: 2016-01-14 06:05:22.398313371 +0000
Change: 2016-01-14 06:05:22.398313371 +0000
 Birth: -

PHP scripts run under Apache+FastCGI and have SuexecUserGroup set for uid=1046 gid=1045, as confirmed by executing this via CGI:

<?php passthru('id'); ?>

uid=1046(foo) gid=1045(foo) groups=1045(foo)

The malware created many other files having gid=1045 as expected. Just these two files have me puzzled and also a bit worried there was some bug or potentially privilege escalation involved here.

But the malware seems unsophisticated and typical: after they likely bruteforced a Wordpress admin account they uploaded a PHP backdoor, created many more, and started spamming.

Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
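A triage script for the anomaly described in the message above (files whose group does not match the one their setgid directory should have given them, as with help.php and syslib.php). This is an added example, not code from the original post; the Entry record, process_gid and bsd_semantics parameters are assumptions of this example, and the constructed values mirror the stat output quoted above.

```python
#!/usr/bin/env python3
"""Walk a web root and flag files whose gid is not what file creation in their
directory should have produced. Added example for post-compromise triage."""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List


@dataclass
class Entry:
    path: str
    gid: int           # group of the file itself
    parent_gid: int    # group of the containing directory
    parent_mode: int   # st_mode of the containing directory
    mtime: float       # for building a timeline of the suspicious files


def expected_gid(parent_gid: int, parent_mode: int, process_gid: int,
                 bsd_semantics: bool = True) -> int:
    """Group a newly created file should receive.
    BSD-style kernels (e.g. kfreebsd) always give new files the directory's
    group; Linux does so only when the directory has the setgid bit, and
    otherwise uses the creating process's primary group."""
    if bsd_semantics or (parent_mode & stat.S_ISGID):
        return parent_gid
    return process_gid


def is_group_anomaly(entry: Entry, process_gid: int,
                     bsd_semantics: bool = True) -> bool:
    """True when the file's group could not have come from normal creation."""
    return entry.gid != expected_gid(entry.parent_gid, entry.parent_mode,
                                     process_gid, bsd_semantics)


def scan(root: str, process_gid: int, bsd_semantics: bool = True) -> List[Entry]:
    """Collect every regular file under root whose group is anomalous."""
    anomalies: List[Entry] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dstat = os.lstat(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            entry = Entry(path, st.st_gid, dstat.st_gid, dstat.st_mode, st.st_mtime)
            if is_group_anomaly(entry, process_gid, bsd_semantics):
                anomalies.append(entry)
    return sorted(anomalies, key=lambda e: e.mtime)


if __name__ == "__main__":
    # usage: triage.py /var/www/site 1045
    for e in scan(sys.argv[1], int(sys.argv[2])):
        print(f"{e.mtime:.0f} gid={e.gid} (dir gid={e.parent_gid}) {e.path}")
```

Run it as the web root's owner; on this system the hit list should be exactly the two files above, and the sorted mtimes give the order in which they appeared.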