PHP and remote execution

["Strider" <strider () chatcircuit com>]

After our latest fun with one of our boxes becoming a DoS source, we've
spent much time tracking how it was compromised. It was all because of a
forum called CyBoards. There exists a bug that is known to exists and has
not been fix that allows execution of code on the hosting server. In this
case, the attacker wanted to conceal is activity as much as possible so he
made use of the exploit as little as possible by making it install a back
door. Through the back door, he installed a DoS client and initiated 2 DoS
attacks.
 
We found the DoS client without a problem. It was in /tmp with the name of 
milk', which seems to be a lesser known packet fragmentation DoS attack
program originating from Brasil. The two attacks were launched against
Basilian sites, so this clued us in that it was a rather local attack.
 
With 400+ site logs to navigate, it wasn't easy looking for something we
didn't know to look for. We quickly figured out that it was in fact done via
the web server due to the fact the attack binary was owned by the user and
group as the httpd, and we also fairly quickly figured out the DoS attack
was not launched via an interactive web script (php, cgi, etc). It was
either a script specifically used for this purpose, or an installed backdoor

 
It took hours of scouring, several cups of coffee, and several packs of
cigarettes to find the initial attack. An exploit was done on an
installation of CyBoards which instructed a hole to execute a script from
another server in Brasil, which instructed our server to download, compile,
and execute a shell backdoor. From there, the attacker logged into the shell
backdoor and downloaded the milk binary to the server, already compiled.
 
The measures we have taken to prevent this so far is to prevent php from
executing remote scripts, and modifying the kernel with grsec for better
access control. Does anyone know of any other measures we should take to
prevent these things? Is there a way to move the tmp dir access to the user
dirs?
 
Beau (Strider) Steward
strider () chatcircuit com
http://www.arteryplanet.net
http://www.chatcircuit.com


---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case 
studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------