Hole in my script? (I was hacked - need help finding hole!)
Posted: Thu Jul 19, 2007 7:33 pm
Hello,
I was hacked the last 2 days by some Romanian scum - the first night they installed a trojan SSHD and captured my root logins (just found that out today - they used a /dev/saux patched SSH). The second night they installed an eBay / PayPal trojan. Fortunately I shut everything down hard before it became active, but I feel like crap about the whole thing. I've shut down the server (Fedora Core 4 based), and moved to a hosted scheme - it's just not worth the time/effort to run my own server anymore!
Anyway, seeing how I'm going to move the scripts I was using, I want to patch the hole he used to get in originally. I was running PHP 5 (latest) and Apache 2.0.54. He covered his tracks pretty well (edited .bash_history), but I found that he liked this script: login.php.
Potential problems: Could httpd be running as root? I executed apachectl as root, but my conf was nobody:nobody
Sessions: Is there a way to hijack a session and get in as root?
Permissions: My server's permissions could have been wonky, and the dir where the script was could have been nobody-writable
If anyone has tips, I'd love to hear them - I don't want to redeploy my app before this gets solved (the login part I can live without - I just want to know the root cause of the breach!)
Thanks!!
-Dan
Here it is:
<html>
<head>
<title>Login</title>
</head>
<body>
<?php
include ("gumgums_config.php");
echo "Log-on To Plymptonia.com <br><br>";
// $Error is never assigned in this file. It only exists if register_globals
// is on, in which case it (like $pagename further down) is taken straight
// from the request and echoed into the page without escaping.
if ($Error != "")
{
    echo "<b>Error: $Error</b><br>";
}
# echo "Current Page: $SCRIPT_NAME";
# $tmp = $HTTP_ENV_VARS["HTTP_REFERER"];
# echo "Other Referrer: $pagename";
?>
<form method="POST" action="<?php echo HOMEDIR; ?>loginverify.php">
<p>Login: <input type="text" name="Login" size="20"></p>
<p>Password: <input type="password" name="Password" size="20"></p>
<?php // $pagename comes from the request (register_globals) and is not escaped here ?>
<p><input type="hidden" value="<?php echo $pagename; ?>" name="pagename"></p>
<p><input type="checkbox" name="NewUser" value="True">Create New User Account with The Above Login & Password</p>
<p><input type="submit" value="Submit" name="B1"><input type="reset" value="Reset" name="B2"></p>
</form>
<?php
/*
Disabled "return to last page" form, kept for reference:
<form method="POST" action="<?php if ($pagename == "") { echo "/index.html"; } else { echo $pagename; } ?>">
<p><input type="submit" value="Cancel - Return to last page" name="B3">
</form>
*/
?>
<form method="POST" action="/index.html">
<p><input type="submit" value="Cancel - Return to home" name="B4">
</form>
<p></p>
<p></p>
<script language="javascript">document.forms[0].Login.focus()</script>
</body>
</html>
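The posted login.php reads `$Error` and `$pagename` without ever assigning them, so it only works with register_globals on, and it echoes both into the page unescaped. The block below is an added example, not Dan's code and not from the original post: it rewrites the same form so that inputs are read explicitly from `$_GET`/`$_REQUEST`, the return path is validated as a site-local path, and everything reflected is HTML-escaped. It assumes `gumgums_config.php` defines `HOMEDIR` (a default is supplied when it does not) and that loginverify.php reports failures back via a `?err=` parameter; those names, the `safe_return_path()` and `h()` helpers, and the sample probe strings are this example's own assumptions. It says nothing about loginverify.php, which is not on the page.

```php
<?php
// login_hardened.php -- added example, not the original post's code.
// Run from the CLI to see how two constructed attack probes render.

if (!defined('HOMEDIR')) {
    // gumgums_config.php normally defines this; fallback so the demo runs alone.
    define('HOMEDIR', '/');
}

// With register_globals = On, every request parameter became a PHP variable,
// so `if ($Error != "")` and `value="<?echo "$pagename"?>"` in the original
// reflected attacker-controlled input straight into the HTML. The equivalent
// of that mode is extract($_REQUEST) at startup; never rely on it.

// Accept only a site-local absolute path for the post-login return target:
// no scheme, no protocol-relative "//", no "..", nothing but a safe charset.
function safe_return_path($candidate, $default = '/index.html')
{
    if (!is_string($candidate) || $candidate === '') {
        return $default;
    }
    if (!preg_match('#\A/[A-Za-z0-9_./-]*\z#', $candidate)) {
        return $default;
    }
    if (strpos($candidate, '//') !== false || strpos($candidate, '..') !== false) {
        return $default;
    }
    return $candidate;
}

// Escape for an HTML body or a double-quoted attribute.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the form as a string so it can be inspected without a web server.
function render_login_form($error, $pagename, $homedir)
{
    $target = safe_return_path($pagename);
    $html  = "Log-on To Plymptonia.com <br><br>\n";
    if ($error !== '') {
        $html .= '<b>Error: ' . h($error) . "</b><br>\n";
    }
    $html .= '<form method="POST" action="' . h($homedir) . "loginverify.php\">\n"
        . '<p>Login: <input type="text" name="Login" size="20"></p>' . "\n"
        . '<p>Password: <input type="password" name="Password" size="20"></p>' . "\n"
        . '<p><input type="hidden" name="pagename" value="' . h($target) . '"></p>' . "\n"
        . '<p><input type="checkbox" name="NewUser" value="True">'
        . 'Create New User Account with The Above Login &amp; Password</p>' . "\n"
        . '<p><input type="submit" value="Submit" name="B1"></p>' . "\n"
        . "</form>\n";
    return $html;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs (not from the original thread):
    // 1. an attribute-breakout probe in pagename, the kind of thing the
    //    original `value="<?echo "$pagename"?>"` would have reflected verbatim.
    echo render_login_form('Bad password', '"><script>alert(1)</script>', '/');
    // 2. a valid local path plus an HTML payload in the error message;
    //    the path survives, the payload is escaped.
    echo render_login_form('<img src=x onerror=alert(1)>', '/shop/cart.php', '/');
} else {
    // Real request: read inputs by name, nothing is pulled from globals.
    $error    = isset($_GET['err']) ? (string) $_GET['err'] : '';
    $pagename = isset($_REQUEST['pagename']) ? (string) $_REQUEST['pagename'] : null;
    echo render_login_form($error, $pagename, HOMEDIR);
}
```

The first probe fails the path check and is replaced by `/index.html`; the second shows that even an accepted value and the error text are escaped before they reach the markup. Whatever the actual entry point was, a login page that reflects request data unescaped is worth closing before the app is redeployed, and turning register_globals off (or upgrading to a PHP where it no longer exists) removes the whole class of "where did this variable come from" questions the original script raises.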