[BlueOnyx:10160] Re: Trojans and backdoors?

Darren Shea dshea at ecpi.com
Tue Apr 17 17:16:27 -05 2012


Thanks for all the suggestions, everyone. The particular hack does not seem
to use the mailserver, nor has it created any files in the /tmp directory. I
have pored over the logs (mail and httpd) thoroughly, but I can't say
they've really been a whole lot of help.  I did try turning on suPHP, but
that broke SquirrelMail also. There may be a configuration setting that can
make that work; I'm still looking into it.

I did find one of my WordPress customers whose PHP settings allowed fopen
and include - so I was able to lock that down. I also found several
suspicious files in various users' directories, including some which
appeared to execute strings of obfuscated code, and I removed all those. We
don't appear to have had any new exploits in over 5 hours, but I am too
nervous to relax about it yet!
 
Thank you,
  Darren
  ECPI Western Broadband
  (512)257-1077
  (254)213-6116 fax 
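The two clean-up steps Darren describes above (hunting obfuscated PHP in site
directories, and checking which sites still have allow_url_fopen /
allow_url_include switched on) as a script. This is an added example, not code
from the list post or from BlueOnyx itself; the fixture directory, file
contents and config snippets it creates are constructed for the demo, and it
assumes GNU find and grep.

```sh
#!/bin/sh
# Added example (not from the BlueOnyx list post). scan_obfuscated_php() hunts
# PHP files that carry common webshell / obfuscation idioms; remote_url_enabled()
# flags PHP configuration that still turns on allow_url_fopen / allow_url_include.
# Fixture paths and contents below are constructed. Assumes GNU find and grep.

# Idioms that almost never appear in legitimate site code. This is a heuristic:
# expect the odd false positive (a plugin's own base64 blob) and eyeball every
# hit before deleting anything.
P1='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'
# preg_replace with the /e modifier evaluates the replacement as PHP
P2="preg_replace[[:space:]]*\([[:space:]]*[\"'][^\"']*/[a-z]*e[a-z]*[\"']"
# code-execution functions fed straight from request input
P3='(assert|create_function|system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'
# a long base64 literal handed to base64_decode
P4="base64_decode[[:space:]]*\([[:space:]]*[\"'][A-Za-z0-9+/=]{80,}"
WEBSHELL_RE="$P1|$P2|$P3|$P4"

# scan_obfuscated_php DIR: print (sorted) the PHP files under DIR matching any idiom
scan_obfuscated_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE "$WEBSHELL_RE" {} + 2>/dev/null | sort
}

# remote_url_enabled FILE...: print the lines of php.ini-style or httpd
# php_flag/php_admin_flag-style config that turn on allow_url_fopen or
# allow_url_include. Exit status 0 means at least one such line was found;
# commented-out lines (leading ';' or '#') are not matched.
remote_url_enabled() {
    grep -niE '^[[:space:]]*(php_(admin_)?(flag|value)[[:space:]]+)?allow_url_(fopen|include)[[:space:]]*(=|[[:space:]])[[:space:]]*(on|1|true|yes)([^[:alnum:]]|$)' "$@"
}

# make_web_fixture DIR: constructed sample site and configs for the demo
make_web_fixture() {
    mkdir -p "$1/web/wp-content/uploads" "$1/web/wp-content/themes/t"
    cat >"$1/web/index.php" <<'EOF'
<?php
// constructed: ordinary site code, must not be flagged
$row = array('blob' => 'aGVsbG8=');
echo htmlspecialchars(base64_decode($row['blob']));
EOF
    # constructed dropper: the payload just echoes "constructed"
    cat >"$1/web/wp-content/uploads/cache.php" <<'EOF'
<?php @eval(base64_decode('ZWNobyAiY29uc3RydWN0ZWQiOw=='));
EOF
    cat >"$1/web/wp-content/themes/t/footer.php" <<'EOF'
<?php preg_replace('/.*/e', $_POST['c'], '');
EOF
    printf 'allow_url_fopen = On\nallow_url_include = Off\n' >"$1/php.ini"
    printf 'allow_url_fopen = Off\nallow_url_include = Off\n' >"$1/php.ini.hardened"
    printf '<Directory /home/sites/site3/web>\n    php_admin_flag allow_url_include on\n</Directory>\n' >"$1/vhost.conf"
}

demo() {
    w=$(mktemp -d)
    make_web_fixture "$w"
    echo "## suspicious PHP files:"
    scan_obfuscated_php "$w/web"
    echo "## remote-URL settings still on:"
    remote_url_enabled "$w/php.ini" "$w/vhost.conf" || true
    echo "## hardened php.ini:"
    remote_url_enabled "$w/php.ini.hardened" || echo "(none enabled)"
    rm -rf "$w"
}
demo
```

On a real box you would point scan_obfuscated_php at /home/sites (or
wherever the vhost web roots live) and remote_url_enabled at the per-site
php.ini files and the httpd vhost includes. Files in uploads/ or cache/
directories that contain PHP at all deserve a look even when no pattern fires.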

-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it
[mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
blueonyx-request at mail.blueonyx.it
Sent: Tuesday, April 17, 2012 2:07 PM
To: blueonyx at mail.blueonyx.it
Subject: Blueonyx Digest, Vol 40, Issue 33


Today's Topics:

   1. [BlueOnyx:10150]  Trojans and backdoors? (Darren Shea)
   2. [BlueOnyx:10151] Re: Trojans and backdoors? (Matthew Komar)
   3. [BlueOnyx:10152]  PHPMyAdmin Export Limit (SB9-PageKeeper Service)
   4. [BlueOnyx:10153] Re: Trojans and backdoors?
      (SB9-PageKeeper Service)
   5. [BlueOnyx:10154] Re: Trojans and backdoors? (Chuck Tetlow)
   6. [BlueOnyx:10155] Re: PHPMyAdmin Export Limit (bob richards)
   7. [BlueOnyx:10156] Re: PHPMyAdmin Export Limit
      (SB9-PageKeeper Service)
   8. [BlueOnyx:10157] Re: Trojans and backdoors? (Michael Stauber)


------------------------------

Message: 8
Date: Tue, 17 Apr 2012 21:07:09 +0200
From: Michael Stauber <mstauber at blueonyx.it>
Subject: [BlueOnyx:10157] Re: Trojans and backdoors?
To: BlueOnyx General Mailing List <blueonyx at mail.blueonyx.it>
Message-ID: <201204172107.10011.mstauber at blueonyx.it>
Content-Type: Text/Plain;  charset="utf-8"

Hi Darren,

> Our BlueOnyx system seems to have been compromised by some sort of
> php-based Trojan which is allowing spammers to send spam through the
> webserver. We're having a hard time tracking it down to a particular
> virtual site, and shutting off php for all users is not an option -
> besides the people using WordPress and shopping carts, the SquirrelMail
> interface breaks when php is shut off.

Yeah, the logfiles are usually your best bet at finding this. Also check the
/tmp directory, as a lot of PHP based exploits use a roundabout to trick a
vulnerable PHP script into downloading some code from somewhere into /tmp/ and
then during a second step try to execute that code.

The date and time stamps of such suspicious files in /tmp may give an idea as
of when the attack happened, making it easier to find the right window of
action in the logfiles.

Another option that helps at preventing and finding such exploits is to enable
suPHP.

This is for two reasons: suPHP adds another layer of security which can help
to limit the effects of such exploits. But even if there is a blaring foul-up
in one of your PHP scripts that still allows undesired access, then the
exploited scripts run as the user who owns the scripts.

So the exploit files that the attackers managed to download to /tmp are owned
by the siteAdmin or owner of the script in question, which already directly
points you to the site in question. Additionally emails sent by those PHP
scripts show the owner of the script in the header of the emails, which again
makes finding the culprit a really easy task.

If you want me to take a look, then please email me offlist with the details
and I'll see what I can do.

-- 
With best regards

Michael Stauber
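The triage Michael describes above (use the timestamps of files dropped in
/tmp to pick the window to read in the httpd logs, and let the file owner
name the site when suPHP is on) as a script. This is an added example, not
code from the list post or from BlueOnyx; the /tmp contents, their timestamps
and the access-log lines are constructed for the demo, and it assumes GNU
find, date and awk.

```sh
#!/bin/sh
# Added example (not from the list post). files_in_window() lists files under
# a directory whose mtime falls in a window, with their owner (under suPHP the
# owner is the site user whose script fetched the file; without suPHP it is the
# Apache user and tells you nothing). log_window() pulls the httpd access-log
# lines from the same window, and triage() joins the two. Fixture data below is
# constructed. Assumes GNU find, date and awk.

# files_in_window DIR START END
#   Files under DIR with mtime in (START, END], both "YYYY-MM-DD HH:MM:SS",
#   printed as "<YYYY-MM-DD HH:MM> <owner> <path>", oldest first.
files_in_window() {
    find "$1" -xdev -type f -newermt "$2" ! -newermt "$3" \
        -printf '%TY-%Tm-%Td %TH:%TM %u %p\n' 2>/dev/null | sort
}

# log_window LOGFILE START END
#   Lines of an Apache "combined" access log whose request time lies in
#   [START, END]. The bracketed timestamp (e.g. [17/Apr/2012:14:05:31 -0500])
#   is rewritten to "YYYY-MM-DD HH:MM:SS" so a plain string comparison works;
#   the zone offset is ignored, so pass START/END in the log's own local time.
log_window() {
    awk -v lo="$2" -v hi="$3" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
        }
        match($0, /\[[0-9]+\/[A-Za-z]+\/[0-9]+:[0-9:]+/) {
            ts = substr($0, RSTART + 1, RLENGTH - 1)   # 17/Apr/2012:14:05:31
            split(ts, p, /[\/:]/)                       # day, Mon, year, H, M, S
            key = p[3] "-" mon[p[2]] "-" p[1] " " p[4] ":" p[5] ":" p[6]
            if (key >= lo && key <= hi) print
        }' "$1"
}

# triage TMPDIR LOGFILE START END [MINUTES]
#   For each suspect file, print its owner and path, then the requests logged
#   from MINUTES (default 10) before to MINUTES after the file's mtime; the
#   request that fetched or ran the dropper is usually in that slice.
triage() {
    mins="${5:-10}"
    files_in_window "$1" "$3" "$4" | while read -r day clock owner path; do
        mt=$(date -d "$day $clock" +%s)
        lo=$(date -d "@$((mt - mins * 60))" '+%Y-%m-%d %H:%M:%S')
        hi=$(date -d "@$((mt + mins * 60))" '+%Y-%m-%d %H:%M:%S')
        printf '== %s %s owner=%s %s\n' "$day" "$clock" "$owner" "$path"
        log_window "$2" "$lo" "$hi"
    done
}

# make_triage_fixture DIR: constructed /tmp contents and access log for the demo
make_triage_fixture() {
    mkdir -p "$1/tmp"
    printf '<?php eval($_POST["x"]);\n' >"$1/tmp/.dropper.php"   # constructed dropper
    touch -d '2012-04-17 14:05:00' "$1/tmp/.dropper.php"
    : >"$1/tmp/sess_old"                                          # constructed, outside window
    touch -d '2012-04-10 09:00:00' "$1/tmp/sess_old"
    cat >"$1/access_log" <<'EOF'
192.0.2.10 - - [17/Apr/2012:13:58:02 -0500] "GET /wp-login.php HTTP/1.1" 200 1211 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Apr/2012:14:04:51 -0500] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Apr/2012:15:40:13 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.19.7"
EOF
}

demo() {
    d=$(mktemp -d)
    make_triage_fixture "$d"
    triage "$d/tmp" "$d/access_log" '2012-04-17 00:00:00' '2012-04-17 23:59:59'
    rm -rf "$d"
}
demo
```

On a BlueOnyx box you would run triage against /tmp and each site's own
access log in turn (the logs are per vhost), and read the owner column as the
siteAdmin to look at first. Note that an attacker who touches or deletes the
dropped file after use defeats the mtime lookup, so the log window is a
starting point, not proof.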



