[BlueOnyx:12858] Re: Blueonyx Backdoor:Perl/Shellbot

Michael Stauber mstauber at blueonyx.it
Mon Apr 15 23:45:09 -05 2013


Hi Senthil,

> Today again we are seeing same files re-appear. We have removed those
> files again. But don’t know how they are getting in?
> 
> Has anyone seen this before and have a solution? Or point us in the
> right direction?

Enable suPHP for all PHP enabled sites that have Wordpress or other
doubtful open source portals installed. (I mean no disrespect to the
Wordpress makers. But their software's success and widespread use make it
an excellent and often exploited target.)

If someone manages to trick Wordpress into downloading stuff to /tmp (or
other places) and you have suPHP installed, then the files will be owned
by the siteAdmin of the site that the Wordpress install belongs to. That
makes it pretty easy to spot which site was exploited to make this
attack possible.

Additionally suPHP throws in some extra limitations to the malice the
attackers can cause.

For more info on suPHP see this page:

http://www.blueonyx.it/index.php?page=suphp

Additionally it is a VERY good idea to reset "allow_url_fopen" and
"allow_url_include" back to the safe defaults of "No".

If these are turned on, scripts are allowed to access remotely hosted
resources - or even to include them into local code execution. Which is
generally a horrible idea.

Remote access of scripts to certain resources is necessary for some of
the Wordpress functions to work. Such as the access and download of
upgrades and/or third party modules during install. While this is
generally very accommodating, you should turn that off in cases like
this and only turn it on briefly when you need it again. If your
attitude is "security first", you'd leave both of these options set to
"No" and damn the consequences. Just saying.

-- 
With best regards

Michael Stauber
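The two steps in the reply above (use file ownership under suPHP to find the abused site, and make sure allow_url_fopen / allow_url_include are really off) can be scripted. What follows is an added example written for this page; it is not code from the original post or from the BlueOnyx project. It assumes a Linux host with GNU find and sed, a php.ini whose path you pass in, and it treats an absent allow_url_fopen as On, which is PHP's compiled-in default (allow_url_include defaults to Off). The php.ini contents and the dropped files in the demo at the bottom are constructed, not real.

```shell
#!/bin/sh
# Added example (not from the original post or BlueOnyx). Assumes GNU find/sed.

# Normalise a php.ini boolean (On/Off, 1/0, yes/no, true/false) to "on" or "off".
ini_bool() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|1|true|yes) echo on ;;
        *)             echo off ;;
    esac
}

# Effective value of directive $2 in php.ini $1. Commented lines (";...") are
# skipped, the last uncommented setting wins, surrounding quotes are stripped,
# and $3 (PHP's compiled-in default) is used when the directive is absent.
php_ini_value() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p" "$1" \
          | tail -n 1 | tr -d '"')
    printf '%s\n' "${val:-$3}"
}

# Print every remote-URL directive that is still enabled.
# Returns 0 when both are off, 1 otherwise.
check_url_directives() {
    rc=0
    for spec in allow_url_fopen:On allow_url_include:Off; do   # name:default
        key=${spec%%:*}; def=${spec#*:}
        if [ "$(ini_bool "$(php_ini_value "$1" "$key" "$def")")" = on ]; then
            echo "$key is enabled in $1"
            rc=1
        fi
    done
    return $rc
}

# Force directive $2 to Off in php.ini $1: comment out every existing setting
# of it and append an explicit "Off" line. Restart the web server afterwards.
set_directive_off() {
    sed -i "s/^[[:space:]]*\($2[[:space:]]*=.*\)/;\1/" "$1"
    printf '%s = Off\n' "$2" >> "$1"
}

# Count regular files under $1 modified in the last $2 days (default 7), per
# owning user, as "<owner> <count>" lines. With suPHP the owner of a dropped
# file is the siteAdmin of the site that was abused to write it, so the owner
# with fresh files in /tmp points at the site to inspect.
recent_files_by_owner() {
    find "$1" -xdev -type f -mtime "-${2:-7}" -printf '%u\n' 2>/dev/null \
        | sort | uniq -c | awk '{print $2, $1}'
}

# Demo on a constructed sample in a scratch directory (not real data).
demo=$(mktemp -d)
printf '%s\n' 'allow_url_fopen = On' ';allow_url_include = On' \
              'allow_url_include = "On"' > "$demo/php.ini"
check_url_directives "$demo/php.ini" || echo "-> both should be Off"
set_directive_off "$demo/php.ini" allow_url_fopen
set_directive_off "$demo/php.ini" allow_url_include
check_url_directives "$demo/php.ini" && echo "php.ini: remote URL access is off"
touch "$demo/dropped.pl"
recent_files_by_owner "$demo"      # e.g. "<your user> 2" (php.ini + dropped.pl)
rm -rf "$demo"
```

On a real host run `recent_files_by_owner /tmp 2` (and the same for /var/tmp and /dev/shm) right after a re-infection; the siteAdmin user that shows up is the site whose Wordpress needs patching, not just cleaning. Run `check_url_directives` against every php.ini in use, since a per-site override can re-enable what the global file turns off.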
