Hi,
I had a jessie-kfreebsd webserver hosting a Wordpress site, which got
hacked as is typical.
Though I'd like some help understanding this in particular:
File: ‘./wp-content/themes/foo/help.php’
Size: 88800 Blocks: 137 IO Block: 89088 regular file
Device: 81165a50h/2165725776d Inode: 236326 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1046/ foo) Gid: ( 0/ root)
Access: 2016-01-12 09:19:20.043419070 +0000
Modify: 2016-01-12 09:19:20.044419438 +0000
Change: 2016-01-12 09:19:20.044419438 +0000
Birth: -
File: ‘./wp-content/themes/foo/syslib.php’
Size: 12947 Blocks: 17 IO Block: 13312 regular file
Device: 81165a50h/2165725776d Inode: 233648 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1046/ foo) Gid: ( 0/ root)
Access: 2016-01-12 12:23:43.047660141 +0000
Modify: 2016-01-12 12:23:43.047660141 +0000
Change: 2016-01-12 12:23:43.134655890 +0000
Birth: -
Those malware payloads were newly-created files with gid *root* - how is
that even possible as a regular user? As uid=1046 I cannot chgrp files
to gid=0. The containing directory has gid=1045 and even had the setgid
bit set, so files created by root even get gid=1045 by default:
File: ‘.’
Size: 28 Blocks: 17 IO Block: 4096 directory
Device: 81165a50h/2165725776d Inode: 51339 Links: 6
Access: (2755/drwxr-sr-x) Uid: ( 1046/ foo) Gid: ( 1045/ foo)
Access: 2015-03-09 20:55:07.000000000 +0000
Modify: 2016-01-14 06:05:22.398313371 +0000
Change: 2016-01-14 06:05:22.398313371 +0000
Birth: -
PHP scripts run under Apache+FastCGI and have SuexecUserGroup set for
uid=1046 gid=1045, as confirmed by executing this via CGI:
<?php passthru('id'); ?>
uid=1046(foo) gid=1045(foo) groups=1045(foo)
The malware created many other files having gid=1045 as expected. Just
these two files have me puzzled and also a bit worried there was some
bug or potentially privilege escalation involved here.
But the malware seems unsophisticated and typical: after they likely
bruteforced a Wordpress admin account they uploaded a PHP backdoor,
created many more, and started spamming.
Thanks,
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
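A triage check for the question above, added here as an example and not part of Steven's post: it walks a web root and flags files whose group does not match what setgid inheritance (or the creator's primary gid) would have produced, plus any root-group file that root does not own. The names scan_tree, find_group_anomalies and the style.css entry are my own constructions; the other sample entries mirror the stat output quoted above.

```python
import os
import stat
from typing import Dict, Iterable, List, NamedTuple


class Entry(NamedTuple):
    path: str   # POSIX path relative to the scanned root ("." for the root)
    mode: int   # st_mode: file-type bits plus permission/setgid bits
    uid: int
    gid: int


def scan_tree(root: str) -> List[Entry]:
    """Collect ownership of every directory and file under root (symlinks not followed)."""
    out: List[Entry] = []
    for dirpath, _, filenames in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(p)
            out.append(Entry(os.path.relpath(p, root), st.st_mode, st.st_uid, st.st_gid))
    return out


def find_group_anomalies(entries: Iterable[Entry], creator_uid: int,
                         creator_gid: int) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files whose group could not come from ordinary
    creation by the web user (uid/gid as reported by `id` under suexec)."""
    entries = list(entries)
    dirs = {e.path: e for e in entries if stat.S_ISDIR(e.mode)}
    findings: Dict[str, List[str]] = {}
    for e in entries:
        reasons: List[str] = []
        parent = dirs.get(os.path.dirname(e.path) or ".")
        if parent is not None and parent is not e:
            if parent.mode & stat.S_ISGID:
                # setgid directory: new entries inherit the directory's group
                if e.gid != parent.gid:
                    reasons.append(f"gid {e.gid} differs from setgid parent gid {parent.gid}")
            elif e.gid != creator_gid:
                # no setgid: new entries get the creator's primary group
                reasons.append(f"gid {e.gid} differs from creator gid {creator_gid}")
        if e.gid == 0 and e.uid != 0:
            reasons.append("group root on a file not owned by root")
        if reasons:
            findings[e.path] = reasons
    return findings


# Constructed sample modelled on the stat output in the post: theme directory
# is 2755 with gid 1045, two files carry gid 0, style.css is a normal file.
SAMPLE = [
    Entry(".", stat.S_IFDIR | 0o2755, 1046, 1045),
    Entry("help.php", stat.S_IFREG | 0o644, 1046, 0),
    Entry("syslib.php", stat.S_IFREG | 0o644, 1046, 0),
    Entry("style.css", stat.S_IFREG | 0o644, 1046, 1045),
]
```

Run against a real tree with `find_group_anomalies(scan_tree("/path/to/docroot"), 1046, 1045)`; every flagged file is one that suexec-confined PHP could not have created with that group.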