Has my fedora 18 installation been hacked?

Georgios Petasis petasisg at yahoo.gr
Fri Mar 15 12:56:11 UTC 2013


Dear Reindl,

I am sorry if I gave a wrong impression, but I was referring to the tmp, 
cache and tmp folders inside the joomla installation, not the OS or 
apache ones. The whole apache document root is owned by root and has a 
read-only selinux policy (apache cannot write anything in there). The 
only folders owned by apache that had rw selinux permissions were the 
cache, log & tmp folders of the joomla installation (i.e. 
/var/www/html/joomla/tmp). This was the folder in which I found two php files 
that were executed by calling them through a POST http request.

Regards,

George

On 15/3/2013 2:30 pm, Reindl Harald wrote:
>
> On 15.03.2013 12:16, Georgios Petasis wrote:
>> I suspect that it is a joomla 1.5.26 exploit. I have found two php files in the tmp folder of one web site,
>> and POSTs to them in the apache access log file.
>> I know this is an old version of joomla
> this is the main problem
>
> what your machine does / did is attack 3rd parties and this is
> the most common what happens after intrusion and without your ISP
> having open yes you would still not know that it happened
>
> and this is the reason why my reaction on mailing lists to
> posts starting with "i installed Fedora 14" is pure anger
> because it is unacceptable and i was there on the other side
> of a DDOS-Attack from many thousand IPs for nights and can
> tell anybody that it is no fun to try to hold the business alive
> in such situations - you can be sure ALL of these thousands
> of attackers were hijacked servers / clients with whatever OS
>
>> and I have made the mistake to make the folders tmp, cache & log
>> writable by the apache in selinux...)
> the writeable is not the problem, how should they work readonly
> but making them accessible AND executable from the web is a big
> mistake for several reasons:
>
> * log: you do not want access to logfiles from outside
> * cache: you do not want to get the application's cache read from outside
> * tmp: you do not want to get temp-files of the application read from outside
>
> for any folder:
> you do not want to get executed code from outside which can be injected
> this affects also the log-file, i have seen attacks where php-code
> was in the requests and someone found a small injection leak and
> used the log file to prepare his whole script and execute it
> with the injection leak
> _________________________________________
>
> i generally protect any log/temp/cache AND all folders where
> files uploaded by users (images, pdf...) are stored by disabling
> the php-engine and for tmp/log denying access at all
>
> "IfVersion" needs "mod_version.so" loaded and is used here
> to prepare a smooth upgrade to Apache 2.4 after mod_security
> acts correctly with "mod_remoteip" behind a proxy
>
> [harry at srv-rhsoft:~]$ cat /www/www.rhsoft.net/temp/.htaccess
> <IfModule mod_php5.c>
>   php_flag engine off
> </IfModule>
> <IfModule mod_php6.c>
>   php_flag engine off
> </IfModule>
> <IfVersion < 2.4>
>   Order deny,allow
>   Deny from all
> </IfVersion>
> <IfVersion >= 2.4>
>   Require all denied
> </IfVersion>

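A small access-log triage script, added here as an example and not code from either poster, that looks for the two patterns the thread describes: requests (especially POSTs) to PHP files inside Joomla's writable tmp/cache/log/upload directories, and PHP open tags arriving inside a request, which is the precondition for the log-poisoning trick Reindl mentions. The directory names, IP addresses and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format, with the request line split into its parts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Joomla directories the web server must write to (plus user uploads) but that
# should never serve executable code; the names follow the thread (assumption).
WRITABLE_DIRS = ("/tmp/", "/cache/", "/logs/", "/log/", "/images/")
# A PHP open tag in any logged request field is what makes log poisoning possible.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Constructed sample lines (RFC 5737 documentation addresses, no real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Mar/2013:03:12:44 +0000] "POST /joomla/tmp/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [14/Mar/2013:03:14:02 +0000] "GET /joomla/index.php?option=com_content HTTP/1.1" 200 8921 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2013:03:15:10 +0000] "GET /joomla/index.php?view=article HTTP/1.1" 404 210 "-" "<?php echo 1; ?>"',
]

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons an entry deserves a look (empty list if none)."""
    reasons = []
    full = unquote(entry["path"])
    path = full.split("?", 1)[0].lower()
    if path.endswith((".php", ".phtml")) and any(d in path for d in WRITABLE_DIRS):
        reasons.append("php-in-writable-dir")
        if entry["method"] == "POST":
            reasons.append("post-to-dropped-script")
    if any(PHP_TAG_RE.search(unquote(entry[f])) for f in ("path", "referer", "ua")):
        reasons.append("php-tag-in-request")
    return reasons

def scan(lines):
    """Return a list of (ip, method, path, reasons) for every suspicious entry."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                hits.append((entry["ip"], entry["method"], entry["path"], reasons))
    return hits
```

Run `scan()` over real log lines from the affected vhost; every hit is a request that a correctly locked-down tmp/cache/log directory (php engine off, access denied) would have refused.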