12 Replies Latest reply: Feb 8, 2008 4:54 PM by MrHoffman
Mongoose+ Level 1 (0 points)
Hello,

I would like to know how it could be possible I got hacked. The hackers defaced the company website with a custom html file. I do not allow FTP, or SSH, just AFP.

There were no AFP logs at the time the files were "uploaded". Here are some entries from my log.

/var/log/httpd/access_log.1202342400:88.230.101.222 - - [07/Feb/2008:16:19:34 -0500] "PUT /zk.txt HTTP/1.0" 201 250
/var/log/httpd/access_log.1202342400:88.251.250.240 - - [07/Feb/2008:16:33:29 -0500] "PUT /folio.asp HTTP/1.0" 201 253
/var/log/httpd/access_log.1202342400:78.176.236.85 - - [07/Feb/2008:16:41:03 -0500] "PUT /testhost.htm HTTP/1.1" 201 268
/var/log/httpd/access_log.1202342400:78.176.236.85 - - [07/Feb/2008:16:42:09 -0500] "PUT /index.html HTTP/1.1" 201 266
/var/log/httpd/access_log.1202342400:78.176.236.85 - - [07/Feb/2008:16:42:14 -0500] "PUT /index.html HTTP/1.1" 204 0
/var/log/httpd/access_log.1202342400:78.176.236.85 - - [07/Feb/2008:16:42:33 -0500] "PUT /index.html HTTP/1.1" 204 0
/var/log/httpd/access_log.1202342400:88.238.249.221 - - [07/Feb/2008:16:44:51 -0500] "PUT /testhost.htm HTTP/1.1" 204 0

The index.html is the one that did the damage. Any ideas how they PUT files on my server? My gut says a php exploit. I turned off allow_url_fopen; could that have been the hole?

Any ideas would be appreciated.

Xserve, Mac OS X (10.4.11)
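Before reading the replies, it helps to pull every accepted write request out of the log rather than eyeballing it. The following is an added example, not something from the original post: a small sh/awk triage that reads Apache combined-format lines and reports which write methods were accepted (2xx), which paths they touched and which IPs sent them. The sample log is constructed from the seven PUT lines quoted above (grep's filename prefix removed) plus two made-up lines, a GET and a refused PUT, to show what is ignored.

```shell
#!/bin/sh
# Added example (not from the original post). Triage an Apache combined-format
# access_log for write-style requests the server accepted. SAMPLE_LOG is
# constructed: the post's seven PUT lines plus two invented lines (a GET and a
# PUT that was refused with 403) that must be ignored.
SAMPLE_LOG=$(cat <<'EOF'
88.230.101.222 - - [07/Feb/2008:16:19:34 -0500] "PUT /zk.txt HTTP/1.0" 201 250
88.251.250.240 - - [07/Feb/2008:16:33:29 -0500] "PUT /folio.asp HTTP/1.0" 201 253
78.176.236.85 - - [07/Feb/2008:16:41:03 -0500] "PUT /testhost.htm HTTP/1.1" 201 268
78.176.236.85 - - [07/Feb/2008:16:42:09 -0500] "PUT /index.html HTTP/1.1" 201 266
78.176.236.85 - - [07/Feb/2008:16:42:14 -0500] "PUT /index.html HTTP/1.1" 204 0
78.176.236.85 - - [07/Feb/2008:16:42:33 -0500] "PUT /index.html HTTP/1.1" 204 0
88.238.249.221 - - [07/Feb/2008:16:44:51 -0500] "PUT /testhost.htm HTTP/1.1" 204 0
10.0.0.5 - - [07/Feb/2008:16:45:00 -0500] "GET /index.html HTTP/1.1" 200 1234
10.0.0.6 - - [07/Feb/2008:16:45:10 -0500] "PUT /index.html HTTP/1.1" 403 210
EOF
)

# write_hits: read log lines on stdin, print "ip method path status" for every
# request whose method can change content (HTTP PUT/DELETE plus the WebDAV
# methods) and whose status is 2xx, i.e. the server actually accepted it.
# In combined format $6 is the quoted method, $7 the path and $9 the status.
write_hits() {
    awk '$6 ~ /^"(PUT|DELETE|MOVE|COPY|MKCOL|PROPPATCH|LOCK)$/ && $9 ~ /^2[0-9][0-9]$/ {
             print $1, substr($6, 2), $7, $9
         }'
}

# touched_paths: unique paths that were written; these are the files to
# inspect and restore from a known-good copy.
touched_paths() { write_hits | awk '{ print $3 }' | sort -u; }

# writer_ips: unique source addresses, candidates for a firewall block.
writer_ips() { write_hits | awk '{ print $1 }' | sort -u; }

# triage_log FILE: run all three reports against a real log, e.g.
#   triage_log /var/log/httpd/access_log
triage_log() {
    echo "== accepted write requests =="; write_hits     < "$1"
    echo "== paths touched ==";           touched_paths  < "$1"
    echo "== source IPs ==";              writer_ips     < "$1"
}

# Demo on the constructed sample: seven accepted PUTs, four paths, four IPs.
printf '%s\n' "$SAMPLE_LOG" | write_hits
```

Run it against a rotated log too (the post's lines came from access_log.1202342400): a 2xx on PUT in any log is a file the web server wrote on an attacker's behalf, whatever the current configuration says.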
  • 1. Re: Please any ideas on how I got hacked
    Camelot Level 8 (45,790 points)
    It's entirely possible that PHP was the vector that was used. That's not to say that PHP is insecure, per se, but it has a lot of features that could be abused.
    There are other possible sources, though, including DAV, any of numerous content management systems, wikis, discussion boards, etc.

    Allowing any file uploading is certainly one of those. Of course, that has legitimate uses, but can be abused if not managed properly.

    In this case, the 201 status code indicates that the server accepted the file for upload.

    If you can't find the code in question, your best bet is to block PUT actions if you don't expect users to upload files directly, or change the permissions on the file so that the apache user doesn't have rights to delete or change files (apache only needs read access on files, so this can be an effective way of preventing the web server from overwriting content).

    If you opt to block PUT actions you can do so in /etc/httpd/httpd.conf and look for the keyword TRACE - that'll show you how the TRACE action is currently blocked:

        RewriteCond %{REQUEST_METHOD} ^TRACE
        RewriteRule .* - [F]

    This RewriteRule forbids any request that uses the TRACE method. Just copy the lines and change TRACE to any actions you want to deny (e.g. PUT and DELETE would be prime targets).
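Camelot's suggestion generalises to any list of methods. The script below is an added example, not Camelot's own text: it emits an httpd.conf fragment that combines the RewriteRule form already used for TRACE (so mod_rewrite is known to be loaded) with a <LimitExcept> allow-list, which does not depend on mod_rewrite and also refuses WebDAV methods (MOVE, COPY, MKCOL, PROPPATCH) that one might forget to name. The DocumentRoot path, the output file name and the Include line are assumptions about the installation.

```shell
#!/bin/sh
# Added example, not from Camelot's reply. deny_methods_conf METHOD... emits an
# httpd.conf fragment refusing the named methods in two independent ways:
#   1. a RewriteCond/RewriteRule pair shaped like the existing TRACE rule;
#   2. a <LimitExcept> allow-list that lets only GET, POST and HEAD through,
#      so methods not listed on the command line are refused as well.
# DOCROOT defaults to the 10.4 Server DocumentRoot; that path is an assumption.
deny_methods_conf() {
    docroot=${DOCROOT:-/Library/WebServer/Documents}
    pat=$(printf '%s|' "$@"); pat=${pat%|}        # PUT|DELETE|... for the regex
    cat <<EOF
# --- deny write methods ($*): same shape as the existing TRACE rule ---
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^($pat)\$ [NC]
RewriteRule .* - [F]

# --- belt and braces: only read methods are allowed under the DocumentRoot ---
<Directory "$docroot">
    <LimitExcept GET POST HEAD>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
EOF
}

# Typical use (as root; file name and Include placement are assumptions):
#   deny_methods_conf PUT DELETE MOVE COPY MKCOL > /etc/httpd/deny-methods.conf
#   echo 'Include /etc/httpd/deny-methods.conf' >> /etc/httpd/httpd.conf
#   apachectl configtest && apachectl graceful
deny_methods_conf PUT DELETE
```

The RewriteRule answers with 403; the <LimitExcept> answers with 405. Either is fine, the point is that neither is 201. If a legitimate application (a WebDAV share, a CMS upload handler) needs a write method, scope the <LimitExcept> to the directories that do not, rather than dropping it altogether.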
  • 2. Re: Please any ideas on how I got hacked
    MrHoffman Level 6 (12,455 points)
    First, ensure access into port 80 and (if you're using it) 443 is plugged, at least until you clean this up.

    Without going into details of the index.html contents, was it the "hah hah you've been hacked" or "buy pharmaceuticals" sort of generic defacement, or was it some sort of defacement specifically targeted at your organization?

    What php code are you running? Is that php code current, and known clear of vulnerabilities and XSS attacks? (I've been seeing a number of XSS attacks over the past month or two.)

    What is the ownership on the web directories? The web server should not have write access to its web directories, and should not own its web directories.

    Try a PUT and see if you can repeat the sequence.

    I'd decontaminate the system, as well. Look for anything that has been modified, and verify its contents. More than a few of these exploits can leave back doors, or attack other areas of the system. A defaced index.html is a pretty minor manifestation of an attack, but I'd confirm these folks did not get further. Some organizations assume the worst here, and decontaminate the web server by initializing disks and rolling in from distro and from your most recent archival copy.

    Search for other I've Been Hacked discussions here in the forums, too. You'll find various discussions. Web and Hacked is probably a pretty good search target.
  • 3. Re: Please any ideas on how I got hacked
    coreyammons Level 1 (105 points)
    Sorry for the cross post but this falls along the lines of a question I just posted.

    http://discussions.apple.com/thread.jspa?threadID=1384019&stqc=true

    In short, what should the permissions be set to on the domain folders? And, can the domain be shared via AFP for the web designer or do they need to use FTP to upload new pages/data?
  • 4. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    Thanks for the response. I can see a brute force attack coming in on some of my php files. Every 2 minutes an IP is connecting. I blocked that, but obviously they will reroute their attack. I did find that I had write ability for WWW; it was something I was testing for my CIO. I changed all access for WWW to read only. I will run a virus scan to be safe and look for anything out of the ordinary. Our php developer is in house and doesn't know a lot about super php security in his code. I will also be killing that PUT ability in Apache.

    Thanks so much this is a great start.
  • 5. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    It was very similar. To be honest, I never got a great look at it, as I killed the web server before more than my engineering department ever saw it. It was a generic defacement. It appears that a bot finally got access and uploaded his rogue index.html file. I am running 10.4.11 with the built-in 4.4.7. I am not sure about the XSS stuff, but will research that this morning.

    Can you give me a quick pointer to upload a PUT before I disable it? Hopefully, since I removed write perms for www, it won't work anyway.

    Thanks so much for your reply.
  • 6. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    Here is what I implemented and I will monitor from this point on.

    In Apache:

    Disabled the PUT and DELETE per Camelot's suggestion.
    Disabled all modules that are not being utilized.

    In PHP:
    Turned off allow_url_fopen
    Turned off enable_dl
    Turned off expose_php
    Turned off file_uploads
    set variable for session.referer_check
    Turned on safe_mode

    These were suggestions from various tools online.

    Removed all writable access to WWW and checked the perms on all PHP files.

    I hope this does it.

    Thanks for the suggestions, or if anyone has more php/apache security tips, I am all ears.

    Cheers.
  • 7. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    Also noted I turned off webdav.

    Does anyone have any quick directions for me to test my server against PUT file attempts? I am by no means a hacker, to even try this.

    Thanks.
  • 8. Re: Please any ideas on how I got hacked
    MrHoffman Level 6 (12,455 points)
    That your web server was able to write into the web directories was probably the central configuration issue here. This is a Really Bad Idea. The web server can and should have read access, and should not have ownership nor write access, save to specified and potentially protected subdirectories, and then only as required.

    The usual trigger with php vulnerabilities is down-revision software; a php-based package that is insecure. Either due to long-standing bugs that have been found, or due to a failure to maintain a current version of the software. (The CMS systems I'm fond of do require some diligence around staying current.)

    php code needs to validate its input. More than a few folks do try to jam unexpected data into the php code, seeking to cause it to perform untoward acts. If you review your logs, you'll probably find evidence of cross-site scripting attacks, too. Here's the Wikipedia XSS article: http://en.wikipedia.org/wiki/Cross-site_scripting

    There are any number of other attacks against php code, and web masters will tend to use the conf configuration file or the .htaccess file to try to protect against various of these. There are gremlins around the net that look for weak php mail scripts, etc.

    As for testing against PUT, look to use curl --upload-file at the shell. There are other ways to do this, though curl is among those built into Mac OS X Server. (telnet, too, can issue PUT, but that's too much like work.)
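The two checks MrHoffman recommends, a PUT probe with curl and a review of what the web server account can write, can be scripted. This is an added example and not part of the reply above: put_probe repeats the attacker's move (curl --upload-file sends a PUT) and classifies the status code, and writable_by_web lists everything under a directory that the web server account could still modify. The user and group name www is the 10.4 Server default; the probe URL and the DocumentRoot in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the reply above. Two checks for the fixes discussed:
#   put_probe URL        - try the attacker's PUT with curl and report a verdict
#   writable_by_web DIR  - list paths the web server account could change
# www as user/group is the 10.4 Server default; URLs and paths are assumed.

# put_verdict CODE: interpret the HTTP status of a PUT. 200/201/204 are what the
# attacker got in the posted log; 403 is what a [F] RewriteRule returns and 405
# what a <LimitExcept> returns; 000 is curl's code when no HTTP reply came back.
put_verdict() {
    case $1 in
        200|201|204) echo "VULNERABLE: server accepted PUT (HTTP $1)"; return 1 ;;
        403|405)     echo "OK: PUT refused (HTTP $1)";                  return 0 ;;
        000)         echo "UNKNOWN: no HTTP response";                  return 2 ;;
        *)           echo "UNKNOWN: HTTP $1, inspect by hand";          return 2 ;;
    esac
}

# put_probe URL: PUT a small marker file at URL and print the verdict.
# Use a fresh file name in the URL so a false success cannot overwrite real
# content, and remove the marker by hand if it does land.
put_probe() {
    tmp=$(mktemp /tmp/putprobe.XXXXXX) || return 2
    echo "put probe $(date)" > "$tmp"
    code=$(curl -s -o /dev/null -w '%{http_code}' --upload-file "$tmp" "$1")
    rm -f "$tmp"
    put_verdict "$code"
}

# writable_by_web DIR [USER [GROUP]]: print every path under DIR that the web
# server could change: owned by USER, group-writable and in GROUP, or
# world-writable. Empty output is the goal (read access only for the server).
writable_by_web() {
    root=$1; user=${2:-www}; group=${3:-$user}
    find "$root" \( -user "$user" -o \( -group "$group" -perm -g+w \) -o -perm -o+w \) -print
}

# Usage (URL and DocumentRoot are assumptions):
#   put_probe http://www.example.com/putprobe-$$.txt
#   writable_by_web /Library/WebServer/Documents www www
```

Run the probe twice: once before the Apache change to confirm the test reproduces the 201, and once after to confirm the 403 or 405. The permission check is the one that matters long term; if it prints nothing under the DocumentRoot, a PUT that somehow gets through Apache still has nowhere to land.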
  • 9. Re: Please any ideas on how I got hacked
    coreyammons Level 1 (105 points)
    So as far as the Owner/Group/Other how should the permissions be set for a web domain within workgroup manager?
  • 10. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    The way I have it now is

    Owner : webmaster or valid user : Read/Write
    Group : www : Read Only
    Everyone : None
  • 11. Re: Please any ideas on how I got hacked
    Mongoose+ Level 1 (0 points)
    Thanks for the link and the code. I agree about the write access, especially since, when I looked at the owner of the hacked index.html, it was www.

    Hopefully this is fixed for good, I like php, but it can be dangerous.
  • 12. Re: Please any ideas on how I got hacked
    MrHoffman Level 6 (12,455 points)
    @coreyammons: FWIW, I've posted up some protection and ownership suggestions over in your http://discussions.apple.com/thread.jspa?threadID=1384019 thread.