So, low and behold, a legacy site we've been hosting for a client had a version of FCKEditor that allowed someone to upload the dreaded c99madshell exploit onto our web host.
I'm not a big security buff -- frankly I'm just a dev currently responsible for S/A duties due to a loss of personnel. Accordingly, I'd love any help you server-faulters could provide in assessing the damage from the exploit.
To give you a bit of information:
The file was uploaded into a directory within the webroot, "/_img/fck_uploads/File/". The Apache user and group are restricted such that they can't log in and don't have permissions outside of the directory from which we serve sites.
All the files had 770 permissions (user rwx, group rwx, other none) -- something I wanted to fix but was told to hold off on as it wasn't "high priority" (hopefully this changes that). So it seems the hackers could've easily executed the script.
Now I wasn't able to actually locate c99madshell.php itself -- only a bunch of other HTML files containing russian text and a few .xl and .html files with inline PHP that were renditions of the madshell hack. Upon doing a bit of research, though, it looks like the hack destroys itself after execution -- great.
Anyway, my initial assessment would be this:
Not necessary to rebuild the entire host, as given the isolation of the apache user / group, they shouldn't have been able to get system level passwords.
It is necessary to fix this vulnerability by restricting uploads to not have the execute permission, updating the FCKEditor version to correct the original exploit target, and add server-level configuration that denies execution of PHP script within the uploads directory.
I should change the DB passwords for the app -- given the configuration file for the database connection lies within the web-root, the hacker most likely could've grabbed it and with it the DB password.
Anyway, please provide any input you guys have regarding what I should tell the bossman. Obviously it'd be ideal to avoid rebuilding the whole host -- but if thats what we have to take to ensure we're not running a hacked machine, then thats what its going to take.
I really appreciate your guys help. Also don't hesitate to ask for more information (I'd be happy to run commands / work with you guys to assess the damage). God damn hackers :(.
Answer
Obviously as others have said, the official "secure" response would be to rebuild the machine.
The reality of the situation might prevent that. You can run a few things to check for compromises:
- Chkrootkit - tests for common signs of the server being compromised
- If rpm system, 'rpm -Va|grep 5' will check all rpm installed binaries and report a "5" if the MD5 sum has changed. Rebuild necessary if you found any inconsistencies not explained b a customized binary.
- Look in /tmp for anything suspicious.
- Check 'ps fax' for any abnormal processes. If 'ps' is compromised or via other techniques you could still have hidden processes running.
- If you found ANY files in your search that had ownership other than apache, your system accounts were definitely compromised and you need a rebuild.
Corrections to make on your system configuration:
- Disable uploads by FCKeditor if possible
- Make sure your temp directories are made NOEXEC to prevent programs executing off of them
- Any php scripts should be up to date
- If you want to get fancy install mod_security to look out for exploits during runtime of the php scripts
There is a ton of stuff I am missing out but those would be the first steps I would take. Depending on what you are running on the server and the importance of the security of it (do you handle CC transactions?) a rebuild might be necessary but if it is a 'low security' server you might be ok with checking the above.
No comments:
Post a Comment