I have a dedicated server and it has been hacked about four times in the past few weeks. Each time the hacker uploads files to the root temp directory and does DoS attacks on other sites. They are gaining access right through a browser. These are a few of the logs of successful entries (I replaced the real URLs with "mysite"); this is also happening on multiple URLs on the same server. The only PHP stuff I use is XOOPS and WordPress, but you will notice mentions of Mambo and other CMSs I don't use.

Is anyone else having this problem, and does anyone know the fix? I have read some things about what it could be, but I am really not sure what the exact problem is. The vulnerabilities I have read about are:

1) register_globals being enabled
2) the "mosConfig_absolute_path" parameter
3) something about AWStats

Are all these the same problem, or what? Any help would be appreciated. Some of the reading I have done says that globals need to be off and some say they need to be on, but really I have no clue. My register_globals is set to on.

Some of the reading I have found:
http://secunia.com/advisories/17622/
http://secunia.com/advisories/17441/
Globals just allow the variables to be passed in URLs like you are doing. Are you using a Windows-based server? In order for the above to work you must have cmd and wget in the web server user's path and also executable. Check for these.
For goodness' sake, turn register_globals off! Pretty much everything written in PHP in the past 4 years has been written to use the environment properly -- something like Mambo (I'm guessing you're running it, based on your log) shouldn't have any problems.
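As an added illustration for the register_globals point above (constructed for this thread; it is not code from XOOPS, WordPress, Mambo or any poster), here is the include pattern that register_globals turns into a remote-file-inclusion hole, beside the form that does not depend on the setting at all. The `helpers.php` file, the `load_helpers_*` functions and the `APP_ROOT` constant are assumptions made for the example.

```php
<?php
// Added example, not code from the thread or from any of the CMSs it mentions.
// With register_globals = On, every GET/POST/cookie parameter becomes a plain
// PHP variable before the script runs, so any variable a script reads without
// first assigning it can be supplied by the client.

// --- Vulnerable pattern (only dangerous while register_globals is On) ---
// $mosConfig_absolute_path is meant to come from the application's own config
// file. If that file is not loaded first, a request parameter with the same
// name fills the variable in and the include path becomes client-controlled.
function load_helpers_unsafe()
{
    global $mosConfig_absolute_path;                             // hypothetical config variable
    include $mosConfig_absolute_path . '/includes/helpers.php';  // hypothetical file
}

// --- Hardened pattern: identical behaviour with register_globals Off ---
// The root directory is derived from the script's own location, never from
// request data, and the include is refused unless the target is a local file.
define('APP_ROOT', dirname(__FILE__));

function load_helpers_safe()
{
    $file = APP_ROOT . '/includes/helpers.php';                  // hypothetical file
    if (!is_file($file)) {
        trigger_error('helpers.php missing from ' . APP_ROOT, E_USER_ERROR);
    }
    include $file;
}

// Defence in depth: refuse to serve anything while the unsafe setting is on,
// and tell the administrator which knob to turn (php.ini or per-directory .htaccess).
if (ini_get('register_globals')) {
    header('HTTP/1.0 503 Service Unavailable');
    die('register_globals is On. Set "register_globals = Off" in php.ini '
      . '(or "php_flag register_globals off" in .htaccess) and restart the web server.');
}

load_helpers_safe();
```

The hardened version never reads a configuration value that the request could have planted, which is why it keeps working unchanged once register_globals is switched off; the unsafe function is shown only for contrast and is never called.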
Our admins have a policy that once a server is hacked, the system is rebuilt. You never know what they leave on to allow them access the next time.
Good luck! It's a shame that people can't treat each other with respect and try to help each other out more. We've had similar issues along the way. You can always look on the bright side though: your site is popular enough to make someone mad enough to do something about it. You can't be that bad off.
I think I may have found the problem. I am running PHP 4.3.9, and if WordPress and/or XOOPS uses PEAR: a PHP application that includes PEAR.php from PHP <= 4.3.10 and is running in PHP < 4.4.1 with register_globals turned on can be exploited. Does that make sense??? Yes, I do have AWStats, but my WHM is on automatic updates, and from what I have read that problem is fixed in the latest versions...??? No, I'm not running Mambo at all, only WordPress and XOOPS.
Before you do anything you need to figure out how you're being hacked. Replicate it yourself. Since this is a Linux box, run a rootkit checker and make sure you haven't been backdoored. As serverunion said above, it's wise to erase the OS and rebuild. When I used to get hacked through phpBB2 all the time (before they even realized it was exploitable) I had a very, very similar thing happen. What you can do is replace the wget binary with your own logging binary. This will show you how it's being called, then you can backtrace from there.
My decision on it being my version of PHP was because of reading this article: http://www.hardened-php.net/globals_overwite_and_its_consequences.76.html I found it very informative. Now when I put the URL from my logs above into my browser I get "GLOBALS overwrite attempt detected". I have checked out Rootkit Hunter and will be installing it. I was thinking the same thing about the backdoor. I'm a little surprised my web host was not aware of this PHP vulnerability. I also think it is a good idea to do a system rebuild. I'll post if it seems to fix the problem. Note to Shoemoney: your Shoemoney Contest link resolves to a 404.
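As an added example (constructed for this thread; it is a simplified reproduction of the idea, not hardened-php's own code), here is a request guard that produces the same "GLOBALS overwrite attempt detected" outcome the post above saw. It is meant to be loaded before every script through `auto_prepend_file` in php.ini; the file path and the `request_targets_globals` function name are assumptions for the example.

```php
<?php
// Added example, not code from the thread or from hardened-php.
// Intended for php.ini:  auto_prepend_file = /path/to/globals_guard.php   (assumed path)
// so it runs before every script. On PHP < 4.4.1 with register_globals On, a
// request parameter literally named GLOBALS is merged into the $GLOBALS array
// itself, which is how the PEAR.php issue discussed above was reached. No
// legitimate application sends a parameter with that name, so refusing such
// requests outright is safe and gives a clean log line to alert on.

function request_targets_globals($get, $post, $cookie, $files, $query_string)
{
    // Parsed superglobals: a scalar or array parameter named GLOBALS.
    foreach (array($get, $post, $cookie, $files) as $source) {
        if (is_array($source) && array_key_exists('GLOBALS', $source)) {
            return true;
        }
    }
    // Raw query string as well: GLOBALS=, GLOBALS[...]= or the URL-encoded bracket,
    // in case a variant was dropped or renamed before it reached the arrays above.
    return (bool) preg_match('/(^|&)GLOBALS(=|\[|%5B)/i', $query_string);
}

$qs  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
$uri = isset($_SERVER['REQUEST_URI'])  ? $_SERVER['REQUEST_URI']  : '';
$ip  = isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR']  : 'unknown';

if (request_targets_globals($_GET, $_POST, $_COOKIE, $_FILES, $qs)) {
    // One line per blocked request in the PHP error log, suitable for grepping
    // or feeding to a log watcher.
    error_log('GLOBALS overwrite attempt detected from ' . $ip . ' for ' . $uri);
    header('HTTP/1.0 403 Forbidden');
    exit('Forbidden');
}

// The guard only blocks one delivery shape; the real fix is still the setting
// (and a PHP version that no longer merges request data into $GLOBALS).
if (ini_get('register_globals')) {
    error_log('register_globals is still On on this server; set register_globals = Off in php.ini');
}
```

The error_log lines are the useful part for the "duplicate the exploit" advice in this thread: replaying a logged URL against the guarded server should produce exactly one "GLOBALS overwrite attempt detected" entry, which confirms that the request shape in the logs is the one being blocked.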
Thanks, forgot about that. Again, it's really important that you can duplicate the exploit. Otherwise you're just guessing. Also, you will learn tons in the process.
I was thinking that putting the URL the hacker used in my address bar would duplicate it, but since I don't really know the rest of what he/she does, I don't know for sure. Minstrel: apparently I also had a problem with AWStats and have installed a patch. I thought if WHM was up to date, the AWStats patches would be too? This is the only business that I have ever been in where even after four+ years I feel like a newbie sometimes. But that is what makes it interesting.
Are you talking about the one file named wp-config.php? No, I did not, but I don't remember reading that I was supposed to. From what I remember I was to delete the install file, and I did that.
I update my PHP version within hours of a new update. It just has to get done. Join security mailing lists to get emails on new updates. This is also very helpful for knowing if you run software with a problem.