
Date:  Thu, 31 Jul 2008 10:46:15 -0600
From:  "Rodrigo Ordonez Licona" <rodrigo (at mark) xnet.com.mx>
Subject:  [coba-e:13663] Re: apache suexec
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <200807311736.m6VHaC00016648 (at mark) ana.xnet.com.mx>
In-Reply-To:  <0d6b01c8f30d$f7ea9710$967da8c0@thomasferrari>
X-Mail-Count: 13663

We recently received an attack through a Joomla site; somehow the user
uploaded a PHP script (which ended up being owned by apache)

..., and was able to place apache-owned documents all over the server
(affected awstats specifically); the files were deleted by awstats the next day...

but freaked out more than one customer.

So this is a security concern: whoever is able to upload files should only
be able to affect that vsite.

My 2 cents

Rodrigo O 

-----Original Message-----
From: thomas [mailto:tfj-online (at mark) mail.tele.dk] 
Sent: Thursday, 31 July 2008 07:04
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:13659] Re: apache suexec


From: "Chris Gebhardt"
> Hi Thomas
> Reminder to always "inline post".   Don't reply on top.  Your reply 
> should always be BENEATH what you are replying to.
> 
> This is an issue that we have observed occasionally with dynamically 
> created content from a CMS such as Joomla or Wordpress or the like.
> Then a user wants to make changes via FTP and that winds up requiring 
> a support ticket so that our techs can run a quick chown -R for them.


Yes, we do that a lot, but we would rather fix the problem.

I can see that suexec seems to be compiled with the wrong document root:

# suexec -V
 -D AP_DOC_ROOT="/var/www" <<<<< should have been /home/.sites or /home
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"

# httpd -V
Server version: Apache/2.0.52
Server built:   May  4 2007 06:25:03
Server's Module Magic Number: 20020903:9
Architecture:   32-bit
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"


From the error log I get this:

[error] [client ] Premature end of script headers: index.php

From /var/log/httpd/suexec.log I get this:

uid: (502/someadminuser) gid: (500/500) cmd: index.php
command not in docroot (/home/.sites/28/site1/web/index.php)

Is it possible to change all that?

--
Thomas Jensen
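A model of the policy suexec applies before it will execute a CGI, as an added example that is not code from this thread, from BlueQuartz or from Apache. It parses the `suexec -V` output quoted above, then runs the request from the suexec log line (uid 502/gid 500, index.php under /home/.sites/28/site1/web) against the compiled-in AP_DOC_ROOT, against a rebuilt docroot of /home, and for a script that the web server itself dropped into the vsite. The file ownership and permission bits, the apache uid of 48 and the file name shell.php are constructed assumptions; the refusal strings are modelled on the messages suexec writes to its log.

```python
import os
import re

# Constructed copy of the `suexec -V` output quoted in the thread.
SUEXEC_V = """\
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="apache"
 -D AP_LOG_EXEC="/var/log/httpd/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=500
 -D AP_USERDIR_SUFFIX="public_html"
"""


def parse_suexec_v(text):
    """Turn `suexec -V` output into a dict; numeric *_MIN values become ints."""
    cfg = {}
    for m in re.finditer(r'-D\s+(\w+)(?:=("?)(.*?)\2)?\s*$', text, re.M):
        name, _, val = m.groups()
        cfg[name] = int(val) if val is not None and val.isdigit() else val
    return cfg


def suexec_would_refuse(cfg, uid, gid, cwd, cmd, dir_owner, dir_mode,
                        file_owner, file_mode, home=None):
    """Model of suexec's per-request checks (after the Apache 2.0 suexec.c).

    Returns None when suexec would exec the command, otherwise the reason it
    would log (wording modelled on suexec's log strings). `cwd` is the
    directory httpd chdir'ed into; `home` is the user's home directory for
    ~user requests, which are checked against AP_USERDIR_SUFFIX instead of
    AP_DOC_ROOT. Owners are (uid, gid) tuples, modes are st_mode permission bits.
    """
    # Absolute commands and ".." components are refused outright.
    if cmd.startswith("/") or cmd.startswith("../") or "/../" in cmd:
        return f"invalid command ({cmd})"
    if uid < cfg["AP_UID_MIN"]:
        return f"cannot run as forbidden uid ({uid}/{cmd})"
    if gid < cfg["AP_GID_MIN"]:
        return f"cannot run as forbidden gid ({gid}/{cmd})"
    # Docroot test: suexec itself uses a plain strncmp() prefix match;
    # this model additionally insists on a '/' boundary after the root.
    root = os.path.join(home, cfg["AP_USERDIR_SUFFIX"]) if home else cfg["AP_DOC_ROOT"]
    root = root.rstrip("/")
    if not (cwd == root or cwd.startswith(root + "/")):
        return f"command not in docroot ({cwd}/{cmd})"
    if dir_mode & 0o002:
        return f"directory is writable by others: ({cwd})"
    if file_mode & 0o002:
        return f"file is writable by others: ({cwd}/{cmd})"
    if file_mode & 0o6000:
        return "file has either setuid or setgid bit set"
    if (uid, gid) != dir_owner or (uid, gid) != file_owner:
        return (f"target uid/gid ({uid}/{gid}) mismatch with directory "
                f"({dir_owner[0]}/{dir_owner[1]}) or program "
                f"({file_owner[0]}/{file_owner[1]})")
    return None


# The request from the thread: someadminuser (502/500) running index.php in
# a vsite under /home/.sites. Ownership and modes are constructed.
VSITE = dict(uid=502, gid=500, cwd="/home/.sites/28/site1/web", cmd="index.php",
             dir_owner=(502, 500), dir_mode=0o755,
             file_owner=(502, 500), file_mode=0o644)


def diagnose():
    """Run the thread's request against the shipped config and two variants."""
    cfg = parse_suexec_v(SUEXEC_V)
    results = {}
    # 1. As compiled (AP_DOC_ROOT=/var/www): reproduces the suexec log entry.
    results["as_compiled"] = suexec_would_refuse(cfg, **VSITE)
    # 2. Rebuilt with AP_DOC_ROOT=/home: the same request is allowed.
    fixed = dict(cfg, AP_DOC_ROOT="/home")
    results["docroot_home"] = suexec_would_refuse(fixed, **VSITE)
    # 3. A script dropped by the web server itself (owned by apache, uid 48
    #    assumed) cannot be run as the vsite user even with the docroot fixed.
    dropped = dict(VSITE, cmd="shell.php", file_owner=(48, 48))
    results["apache_owned_file"] = suexec_would_refuse(fixed, **dropped)
    return results


if __name__ == "__main__":
    for name, reason in diagnose().items():
        print(f"{name}: {'exec' if reason is None else reason}")
```

When suexec refuses a request it exits before the CGI produces any output, which is why the same request shows up in error_log as "Premature end of script headers". AP_DOC_ROOT and the other values printed by `suexec -V` are compiled into the binary, so moving the docroot means rebuilding suexec rather than editing httpd.conf; the first case above is the check that has to change for this layout, and the third case is what that check buys you once it is right.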