[ale] Apache exploit

[Beddingfield, Allen]

After researching this some more, I think you are right - it seems to be related to one or more of the web control panels, such as Plesk, CPanel, etc . . .
We are just using Apache with PHP and supPHP/fastcgi.
On a side note, our web team kept insisting on wanting one of those panels, and after looking under the hood of them, I dug in my heels to resist.  Luckily, I won out.
Allen B.
--
Allen Beddingfield
Systems Engineer
The University of Alabama

From: David Tomaschik <david at systemoverlord.com<mailto:david at systemoverlord.com>>
Reply-To: Atlanta Linux Enthusiasts <ale at ale.org<mailto:ale at ale.org>>
Date: Tuesday, April 2, 2013 5:20 PM
To: Atlanta Linux Enthusiasts <ale at ale.org<mailto:ale at ale.org>>
Subject: Re: [ale] Apache exploit

On Tue, Apr 2, 2013 at 1:37 PM, Jim Kinney <jim.kinney at gmail.com<mailto:jim.kinney at gmail.com>> wrote:
from the malware must die


The malware was found in web server systems with below characteristic:

?<http://malwaremustdie.blogspot.com/2013/03/the-evil-came-back-darkleechs-apache.html#>
1
2
3

Linux
 RedHat-base distribution without SE Linux properly set
Apache httpd web server 2.x (rpm-base, as per it is)
Cgi-base web admin panel and/or Wordpress system's served


I'm assuming then that ALL 3 must be present for this process to occur.

That seems likely.


from much further down:
"It looks like the attackers were beforehand well-prepared with some penetration method to gain web exploitation which were used to gain shell access and did the privilege escalation unto root. (I am not allowed to expose this detail further at this moment)."

So run your web server with selinux in enforcing mode. It stops crap like this. Apparmor works similarly but not as fine-grained.


Unless you do something stupid like letting apache write to your apache configs (yes, I've seen g+rw on /etc/apache2/...)




--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com<mailto:david at systemoverlord.com>