
Since before mid-2014, my root server was targeted by hackers, and recently they gained limited access. I disabled all services once I realized the server had been compromised and started investigating. According to the logs, this was approximately one week after the successful intrusion.

I used to host a website for a friend which was based on the Joomla CMS. During investigations I realized the website was severely outdated and practically abandoned. As his domain and site was the primary target, I suspect the attackers exploited known bugs or security flaws in the software to upload their own scripts, mainly to send spam email.

I just learned that one big issue is, in fact, that all websites have the same user. Once the hackers gained access, they could execute server-side commands with this user (which is "www-data").

I wouldn't mind if this had only affected my friend's site, but unfortunately they created a script in one of the other domains (which up until that date only showed an empty index.html). The file is a variant of the PHP remote shell called WSO and is the main reason I am asking for help. Before I wipe and re-install my root server, I want to make sure this won't happen again and want to ask these questions:

  • Apparently the hacker managed to install a PHP script outside the boundaries of the outdated/broken domain. How did he do that? Shouldn't nginx or php5-fpm have some sort of mechanism to prevent PHP scripts from accessing directories outside of the current domain's root?
  • I know that some CMSs like Joomla ask you whether you want to use the PHP mail() function or an SMTP server. How can I strictly prevent PHP from sending emails by mail() and only allow authenticated SMTP?
  • Is it possible to completely encapsulate the website of my friend, so that once a hacker manages to inject some script, it won't help him access any other website, let alone the file system of the server?
  • What is the ISP way of restricting customers' scripts and email sending behavior? Is rate-limiting the sending of emails good enough?
08frak

1 Answer


The attacker had access to all other virtualhosts (what you call "domains") because they all run under the www-data user; once he got this user's privileges he could access all the other domains.

To mitigate this you can use mod_privileges on Apache to run each virtualhost under a different user account, and make each virtualhost use a different PHP-FPM pool that also runs under that same user. If an attacker manages to gain shell access under one virtualhost's account and attempts to ls someone else's virtualhost directory, he'll only get a Permission denied error (unless that "someone else" ran chmod -R 777 on his directory, but then he just deserves to be compromised).

The PHP open_basedir directive may also help, but it isn't bulletproof: it only protects against reading files using PHP's usual file I/O functions, not against executing shell commands.

How can I strictly prevent php from sending emails by mail()

PHP has a configuration directive to disable certain functions, so as a dumb solution you can use that, but it won't protect against using raw sockets to connect to a mail server and dump spam in there. The best solution is to block outgoing connections to port 25. Authenticated SMTP can use the submission port (587), so legitimate users will still be able to use their own mail provider's server or the server you provide, but won't be able to scan for open relays on port 25 and try to send their spam.

Is it possible to completely encapsulate the website of my friend

You can put each server into a chroot jail running on a different port, and have a lightweight web server in front of them acting as a proxy that redirects connections from the standard HTTP(S) port to the correct chrooted server based on the domain name. You can go even further by using LXC (containers) or entire virtual machines/physical servers for this, depending on your security requirements.

What is the ISP way of restricting customers' scripts and email sending behavior?

Some (bad) ISPs just block port 25 to anything but their own servers (from where they can track the user even if he doesn't authenticate, because they know which IP belongs to whom); some let you use the port freely and, I assume, just terminate your account if they get too many complaints about spam from your IP.

From reading OVH's (a popular French ISP) terms and conditions, they appear to monitor your outgoing SMTP traffic and pass every mail through their SpamAssassin-based filter, and if too many mails are considered spam they block your port 25.
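The following POSIX shell script is an added example illustrating the answer's first three points for the asker's nginx + PHP-FPM setup; it is not code from the original question or answer. It only prints configuration, so you can review the output before installing it: a PHP-FPM pool per virtualhost that runs as its own Unix user, is confined with open_basedir to its own document root and a private temp directory, and has mail() and the shell-execution functions disabled; the matching nginx server block; and iptables rules that reject outbound TCP/25 for everyone except a named local MTA user, leaving the submission port 587 untouched. The site names, users and paths (site-alice, alice, /srv/www/...) are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-virtualhost isolation for nginx + PHP-FPM.
# All names below (site-alice, alice, /srv/www, postfix) are assumed placeholders.

# gen_pool_conf VHOST USER DOCROOT
# Prints a PHP-FPM pool file. The pool processes run as USER (not www-data), so a
# web shell dropped into this site cannot read another site's files; nginx (www-data)
# only needs access to the socket. open_basedir limits PHP file I/O to the site and
# its private temp dir; disable_functions removes mail() and shell execution, which
# is why the pool also gets its own upload/temp directory instead of the shared /tmp.
gen_pool_conf() {
    vhost="$1"; user="$2"; docroot="$3"
    cat <<EOF
[$vhost]
user = $user
group = $user
listen = /run/php/$vhost.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = $docroot:/var/tmp/$vhost
php_admin_value[upload_tmp_dir] = /var/tmp/$vhost
php_admin_value[sys_temp_dir] = /var/tmp/$vhost
php_admin_value[disable_functions] = mail,exec,shell_exec,system,passthru,popen,proc_open
EOF
}

# gen_nginx_server VHOST DOMAIN DOCROOT
# Prints an nginx server block that hands PHP requests to this site's own pool socket.
gen_nginx_server() {
    vhost="$1"; domain="$2"; docroot="$3"
    cat <<EOF
server {
    listen 80;
    server_name $domain;
    root $docroot;
    index index.php index.html;
    location ~ \.php\$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
        fastcgi_pass unix:/run/php/$vhost.sock;
    }
}
EOF
}

# gen_fs_cmds VHOST USER DOCROOT
# Prints the commands that make the filesystem match the pool: the site user owns its
# tree, www-data may read it (group, mode 750) to serve static files, and nobody else can.
gen_fs_cmds() {
    vhost="$1"; user="$2"; docroot="$3"
    echo "useradd --system --shell /usr/sbin/nologin --home-dir $docroot $user"
    echo "chown -R $user:www-data $docroot"
    echo "chmod -R o-rwx $docroot"
    echo "install -d -o $user -g $user -m 700 /var/tmp/$vhost"
}

# gen_smtp_rules MTA_USER...
# Prints iptables rules: only the listed users (the local MTA) may open outbound TCP/25;
# everyone else, including every site user, is rejected. Port 587 is not touched, so
# authenticated submission to a real mail provider keeps working.
gen_smtp_rules() {
    for u in "$@"; do
        echo "iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $u -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset"
}

# Demo: emit everything for one constructed site and the MTA rule set.
gen_fs_cmds site-alice alice /srv/www/alice/public
gen_pool_conf site-alice alice /srv/www/alice/public
gen_nginx_server site-alice alice.example /srv/www/alice/public
gen_smtp_rules postfix
```

The PHP-FPM master must start as root for the per-pool `user`/`group` switch to take effect, and each pool file goes under the FPM `pool.d` directory with the nginx block under `sites-enabled`; repeat the three generators per site with a distinct user and socket. Keep in mind the answer's own caveat: open_basedir and disable_functions are defence in depth, and the port-25 rule is what actually stops a script that opens a raw socket.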