755 and 644 ? Hacking in shared servers. How they are treating our system.

This is a first post written in English and probably have a grammatical error but talk to me and I set.
Obeservation:
This article will show two sides of the coin. One side, teatching the badness (using a tool that is in my github), other side, teach how we can mitigate the risks.
Introduction:
I am a fanatic about security and development and a desesperate friend asked to help me for indentify and cleaned the site that was full of malwares. He said that had been invaded sometime, and before things he tried, the problens ever returned. He believed that was maked sometime things wrong. I was analyzing because that was happening.
First time I identified many malwares and with many types and with difference dates, but the important was a folder that was listing many files with reference the sensibles files database or configuration of others users. So I realized that the site was serving of hub for others sites. Identified the file that execute this procedure and maked a reverser enginier for undestand how the site served for atack other sites.
Environment:
initially the site was a cms, WordPress updated, with few plugins and organized. The Service was a retail server, shared ohters sites/system of others users. But for the validation and comprovation, the similar procedure was make in other 6 servers, all shared servers too. This servers contain of 4 at 600 system/users by servers.
Fact:
After to estudy and analiser the malware, I modification in how checked and created files used symbol links for ready only and pontencialized the results in 3x or 4x more results, as well many others extractions of information with writeable folders and parten system with cms and the most widely used frameworks. So borned the “php octopus”. A little file that work how a octopus with its tentacles scan all server for find files of configuration.
But how?!
  1. All system linux has a file with name passwd that is in the folder / etc /. This file is salve all users of server, this file is the key of all, but exist other alternatives for find users but less eficient.
  2. I check if the actual folder has a structure / home / my_user / public_html / , for default in servers linux.
  3. I do the read of file passwb and list all users for a loop.
  4. Next step, we will search configuration files, files of database, system or writting folders. Exemplo:
    1. All site init with index.html or index.php in php, last item is that important for us, so checked if existe this file / home / my_user / public_html / index.php
    2. In case of WordPress site used / home / my_user / public_html / wp-config.php
    3. In case of Joomla site used / home / my_user / public_html / configuration.php
    4. And many others standards indentified how cms and frameworks
    5. And in the end return data of files and os information if folder is can write or not.

Solution:

Many peoples will say that the problem is permission wrong. Correctly, but what? All system have folders with permission 755 and files 644. Where is wrong?

The result is:

  • Server:
    • Eliminate view of file / etc / passwd for common users.
    • Eliminate access of users in folder of other users,  for view or writting.
  • Usuário:
    • Edit permission of root folder for 750.
    • Never use 777 for folders or files.
    • For statemant, internal folders use 755 and files 644. Only internals, this root folder 750.

How do you do for test:

Make download of file octopus in https://github.com/lenonleite/octopus and insert in your server. Existe two files, a simple file and other with stegonography with header metatag in gif for by pass in system of upload if necessary.

See the vídeo:

Result:

OBS: Click in the check for show files.

Server 1:

249 users, 111 found sensibles files:

server8-e1473307784440

server10-1-e1473308333968

Server  2:

Não foi possível a leutura do arquvio passwd

server9

Servidor 3:

1 user, 8 found sensibles files:

PHP Octopus with stegonography for bypass

server6-e1473307765851

Server 4:

49 users, 18 found sensibles files;

server5-e1473307744109

Server 5:

4 users, 11 found sensibles files:

server4-e1473307723908

Servidor 6:

1 user, 5 found sensibles files

server3-e1473307697462

Server 7:

21 users, 35 found sensibles files.

server1-e1473307674218

Clicking in check of column of configuration Zend file.

server11-e1473308756190

 

6 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *