I left off with my server almost completely back up, but not yet Apache. I’ve had to make sure the web apps off the internet weren’t full of security holes before allowing access to them again.
Though this is my third post 4 days later – in real time it’s been less than 24 hours since I’ve discovered the ftp scanner. So I had some breathing time to do a half-decent job.
Most of all I suspected WordPress. They come up with a new version every few months and every time claim it’s a security update, which makes me wonder if it’s ever secure. Luckily both ISO Master and Grumble Grumble are just stock wordpress installs with a theme over them. Everything else is stored in the database. So I was able to delete all the code except for the themes, install WordPress 2.7 on both, and miraculously both websites came back up with no trouble whatsoever.
I have not reviewed the theme code or the contents of the databases – I assume the WordPress guys were smart enough not to store executable code in either of those places. Either way it was a risk I was willing to take.
A third WordPress website (the old Canvas3D blog) I’ve decided not to bother with and left it with chmod 0.
Three web apps down, two to go – SquirrelMail and Roudcube. I have both installed because I have more than one email account, so I have both open in browser tabs at once. I’ve decided to look around before enabling these. RoudCube first. Some way or another I stumbled upon a php file in the logs directory:
root@legrand-sw:/media/hd/home/www/htdocs/mail/logs# ls -al total 129 drwxrwxr-x 2 andrew apache 120 2008-12-30 18:00 ./ drwxr-xr-x 10 andrew users 480 2008-08-15 10:25 ../ -rw-r--r-- 1 apache apache 14985 2009-01-07 13:29 errors -rw-r--r-- 1 apache apache 7033 2009-01-07 13:26 sendmail -rw-r--r-- 1 apache apache 105643 2008-12-30 18:00 zq.php
Which is a really strange place to keep a php file, especially since the directory is writeable by Apache. See how zh.php is owned by apache? That’s really bad. And lookie here what was at the top of zq.php:
/******************************************************************************************************/ /* /* # # # # /* # # # # /* # # # # /* # ## #### ## # /* ## ## ###### ## ## /* ## ## ###### ## ## /* ## ## #### ## ## /* ### ############ ### /* ######################## /* ############## /* ######## ########## ####### /* ### ## ########## ## ### /* ### ## ########## ## ### /* ### # ########## # ### /* ### ## ######## ## ### /* ## # ###### # ## /* ## # #### # ## /* ## ## /* /* /* /* r57shell.php - /* : http://rst.void.ru /* : 1.3 (05.03.2006) /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ /* : blf, phoenix, virus, NorD RST/GHC. /* - /* rst@void.ru. . /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/ /* (c)oded by 1dt.w0lf /* RST/GHC http://rst.void.ru , http://ghc.ru /* ANY MODIFIED REPUBLISHING IS RESTRICTED /******************************************************************************************************/
Isn’t that interesting.. I didn’t quite know what to think of the bug – on the one hand looks like the hacker put it there to taunt me, on the other hand RoundCube is a young open source project so who knows what the developer was smoking?
Didn’t take long to figure out though: both http://rst.void.ru and http://ghc.ru are hacker websites, though ghc.ru looks half-commercial. And the contents of the file (which I’ve had no time to analyse) clearly do something that isn’t nice. I’ve renamed the file to .txt and put it up for you to study if you care. (P.S. 25 july 2012: I had to remove this from the server, my ISP was getting restless)
As with mailman (see previous post) I decided this service is not going to be reenabled. Maybe I messed up something during setup, but just as likely RoudCube was at fault. After all it was the first ‘stable’ version, 0.1. And I’ll keep SquirrelMail off too for good measure, I’ll just install Thunderbird on all my machines.
So there you go. One clue in Mailman, one in RoudCube. Are they related or are they two separate hacking attempts? Were they run by script kiddies or serious hackers? Having some evidence that the ftp scanner was set up manually I tend to favour the latter possibility. And what of this zq.php? Was the logo there because it’s a general-purpose cracking tool, or because those groups actually had something to do with my server?
There’s lots of investigation left still. At this point my server is completely operational so I have lots of time. I do hope I find more clues, mystery solving turns out to be a really exciting hobby.