Has my fedora 18 installation been hacked?

Reindl Harald h.reindl at thelounge.net
Fri Mar 15 13:18:48 UTC 2013

Am 15.03.2013 13:56, schrieb Georgios Petasis:
> Dear Reindl,
> I am sorry if I gave a wrong impression, but I was reffering to the tmp, 
> cache and  tmp folders inside the joomla installation, not the OS or apache
> ones

i am too

in your case this would even not had happend if it would
have been /tmp of the OS beause it is not rechable from
outside, not that i would let a web-app use /tmp which
is shared with other apps and services

on the other hand with "PrivateTmp=yes" in the systemd-unit it would
be pretty safe and NOT shared, but better have each docroot it's own
temp-folders to isolate them with open_basedir

> The whole apache document root is owned by root and has a read-only

which is good

> selinux policy (apache cannot write anything in there)
> The only folders owned by apache and had rw selinux
> permissions, where the cache, log & tmp folder of the 
> joomla installation (i.e. /var/www/html/joomla/tmp)

which is correct and needed
the application needs write permissions there

> This was the folder I found two php files that were executed 
> by calling them though a POST http request.

i understood this well, but read my post again

i explained how to prevent POST and excute to such folders
which should be done in any context to secure a web-app

the best location for such things is in reality OUTSIDE
the docroot at all and have open_basedir contain the
docroot and this folders outside and if possible put
includes also outside the docroot

and if you would like get open_basedir really usable you
should disable ANY function which can execute applications
in the "php.ini" -> this DOES NOT work with "php_admin_value"
perdir even if it is wrongly shown in phpinfo() as working

disable_functions = "popen, pclose, exec, passthru, shell_exec, system, proc_open, proc_close, proc_nice,
proc_terminate, proc_get_status, pcntl_exec, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid,
posix_setsid, posix_setuid, mail, symlink, link"

with suhosin you have the possibility to work perdir
but you can NOT allow a function which is contained
in "disable_functions", i use all three everywhere
php_admin_value suhosin.executor.func.blacklist ".........."
php_admin_value suhosin.executor.eval.blacklist ".........."

> Regards,
> George
> Στις 15/3/2013 2:30 μμ, ο/η Reindl Harald έγραψε:
>> Am 15.03.2013 12:16, schrieb Georgios Petasis:
>>> I suspect that it is a joomla 1.5.26 exploit. I have found two php files in the tmp folder of one web site,
>>> and POSTs to them in the apache access log file.
>>> I know this is an old version of joomla
>> this is the main problem
>> what your machine does / did is attack 3rd parties and this is
>> the most common what happens after intrusion and without your ISP
>> having open yes you would still not know that it happened
>> and this is the reason why my reaction on malinglists to
>> posts starzign with "i installed Fedora 14" is pure anger
>> because it is unacceptable and i was there on the other side
>> of a DDOS-Attack from many thousand ip's for nights and can
>> tell anybody that it is no fun try to hold the business alive
>> in such situations - you can be sure ALL of this thousands
>> attackers where hijacked servers / clients with whatever OS
>>> and I have made the mistake to make the folders tmp, cache & log
>>> writtable by the apache in selinux...)
>> the writeable is not the problem, how should they work readonly
>> but make them accessable AND executeable from the web is a big
>> mistake for several reasons:
>> * log: you do not want access to logfiles from outside
>> * cache: you do not want get applications cache readed from outside
>> * tmp: you do not want get temp-fiels of the application readed from outside
>> for any folder:
>> you do not want to get executed code from outside which can be injected
>> this affects also the log-file, i have seen attacks where php-code
>> was in the requests and someone found a small injection leak and
>> used the log file to prepare his whole script and execute it
>> with the injection leak
>> _________________________________________
>> i generally protect any log/temp/cache AND all folders where from
>> users uploaded files (miages, pdf...) are stored with disable
>> the php-engine and fro tmp/log deny access at all
>> "IfVersion" needs "mod_version.so" loaded and is used here
>> to prepare a smooth upgrade to Apache 2.4 after mod_security
>> acts correct with "mod_remoteip" behind a proxy
>> [harry at srv-rhsoft:~]$ cat /www/www.rhsoft.net/temp/.htaccess
>> <IfModule mod_php5.c>
>>  php_flag engine off
>> </IfModule>
>> <IfModule mod_php6.c>
>>  php_flag engine off
>> </IfModule>
>> <IfVersion < 2.4>
>>  Order deny,allow
>>  Deny from all
>> </IfVersion>
>> <IfVersion >= 2.4>
>>  Require all denied
>> </IfVersion>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/users/attachments/20130315/0cd4415b/attachment.sig>

More information about the users mailing list