Mailing List Archive

site compromised and httpd log analysis
https://pastebin.com/YspPiWif

One of the websites hosted by a customer on our Cloud infrastructure was
compromised, and the attackers were able to replace the home page with
their banner html page.

The log files output I have pasted above.

The site compromised was PHP 7 with MySQL.

From the above log, can someone point out what exactly happened and how
they were able to deface the home page?

How can these attacks be prevented? What is the root cause of this
vulnerability, and how did the attackers get access?

If any other logs or command line outputs are required to trace this back,
kindly let me know what other details I have to produce.

Kindly share your expertise in dealing with these kinds of attacks, tracing
the root cause, and the prevention measures to block this.

Regards,
Krish
Re: site compromised and httpd log analysis [ In reply to ]
Your log doesn't start early enough. Someone uploaded a web shell (or found
an existing web shell) to your server, possibly using an upload form that
doesn't validate its input, then used that shell to run commands on your
server.
I would consider your entire server to be compromised at this point since
you have no record of what else the attacker could have done once they had
a shell.

Make sure that you do not allow users to upload files and then execute
those files.

- Y

On Tue, Jul 5, 2022 at 9:53 PM KK CHN <kkchn.in@gmail.com> wrote:
Re: site compromised and httpd log analysis [ In reply to ]
ok may or may not be related but i found i had to lock php, wordpress
etc down heavily in apache

especially if you are using vhosts

i found one authorized site could talk to another without making things
more strict

yes its a pain to have one vhost per site but its the only way to fully
isolate one from the other

if someone executes stuff it stays within their working directory

example (shows http alias etc - note the directory directives - i use a
database --> script generator so its not too inconvenient.) :


<VirtualHost *:80>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
Redirect permanent / https://bedrockconstruction.ca/
</VirtualHost>

<VirtualHost *:443>
ServerName bedrockconstruction.ca
ServerAlias bedrockconstruction.ca
ServerAlias www.bedrockconstruction.ca
DocumentRoot /www/bedrockconstruction.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain


SuexecUserGroup www www

<Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
</Directory>

<Directory /www/bedrockconstruction.ca>
php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
</Directory>

<Directory "/www/bedrockconstruction.ca">
AllowOverride All
php_value session.save_path "/www/bedrockconstruction.ca/"
</Directory>

</VirtualHost>

Happy Wednesday !!!
Thanks - paul

Paul Kudla


Scom.ca Internet Services <http://www.scom.ca>
004-1009 Byron Street South
Whitby, Ontario - Canada
L1N 4S3

Toronto 416.642.7266
Main 1.866.411.7266
Fax 1.888.892.7266
Email paul@scom.ca

On 7/5/2022 9:52 PM, KK CHN wrote:

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: site compromised and httpd log analysis [EXT] [ In reply to ]
Never had these issues at all if you set up vhosts correctly.

But agreed, we tend to have 2 vhosts for the domain:

* vhost 1 is the real vhost and handles requests
* vhost 2 contains all the redirects from other domain names to the canonical one

The only ServerAlias lines in vhost 1 are for development URLs which are run on different servers.

But we also don't expose our wordpress - we use a mirroring script to serve the site as predominantly static {takes careful design to do this!}


-----Original Message-----
From: Paul Kudla (SCOM.CA Internet Services Inc.) <paul@scom.ca>
Sent: 06 July 2022 11:29
To: users@httpd.apache.org
Subject: Re: [users@httpd] site compromised and httpd log analysis [EXT]
Re: site compromised and httpd log analysis [EXT] [ In reply to ]
ok thanks for more detail ....

ok redirects simply are considered insecure when it comes to ssl certs

ie apache serves the content under the alias redirect prior to going
towards the main site.

that will definitely be the issue.

i ran into this myself (i have multiple domains redirected on one account ?)

my config for this is below, maybe this helps ?

it handles all the domains and the http redirects

i believe the trick is to issue all of the redirects under http:// only,
pointing to one https:// site; that is how i got around this issue.

otherwise you would need one cert per actual domain

i dont see the harm in http:// --> https:// actual site

since apache redirects it immediately?


<VirtualHost *:80>
ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
ServerAlias eksolutions.ca
ServerAlias www.eksolutions.ca
ServerAlias eksolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias www.electrokineticsolutions.ca
ServerAlias electrokineticsolutions.ca
ServerAlias electrokinetc.ca
ServerAlias www.electrokinetc.ca
ServerAlias electrokinetc.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias www.electro-kineticsolutions.ca
ServerAlias electro-kineticsolutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias www.electrokinetic-solutions.ca
ServerAlias electrokinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias www.electro-kinetic-solutions.ca
ServerAlias electro-kinetic-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias www.ek-solutions.ca
ServerAlias ek-solutions.ca
ServerAlias electrokinetic-solutions.com
ServerAlias www.electrokinetic-solutions.com
ServerAlias electrokinetic-solutions.com
ServerAlias eks.ca
ServerAlias www.eks.ca
ServerAlias eks.ca
Redirect permanent / https://electrokineticsolutions.com/
</VirtualHost>

<VirtualHost *:443>
ServerName electrokineticsolutions.com
ServerAlias electrokineticsolutions.com
ServerAlias www.electrokineticsolutions.com
DocumentRoot /www/eks.ca

SSLEngine on
SSLProtocol all
SSLCertificateFile /www/eks.ca/ssl/electrokineticsolutions.com.crt
SSLCertificateKeyFile /www/eks.ca/ssl/electrokineticsolutions.com.key
SSLCertificateChainFile /www/eks.ca/ssl/electrokineticsolutions.com.chain


SuexecUserGroup www www

<Directory "/www/eks.ca/wp-content/uploads/">
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>
</Directory>

<Directory /www/eks.ca>
php_admin_value open_basedir /www/eks.ca:/var/log/
</Directory>

<Directory /www/eks.ca>
php_admin_value sys_temp_dir /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value session.save_path /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value soap.wsdl_cache_dir /www/eks.ca/tmp/
</Directory>

<Directory /www/eks.ca>
php_admin_value upload_tmp_dir /www/eks.ca/tmp
</Directory>

<Directory "/www/eks.ca">
AllowOverride All
php_value session.save_path "/www/eks.ca/"
</Directory>

</VirtualHost>

Happy Wednesday !!!
Thanks - paul

Paul Kudla

On 7/6/2022 8:03 AM, James Smith wrote:
Re: site compromised and httpd log analysis [ In reply to ]
Cross-site contamination is not the same as exploiting insecure php scripts
to upload malicious content.

I will agree that isolation is a good idea, but it really has little to do
with the thread at hand.

On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <paul@scom.ca> wrote:
Re: site compromised and httpd log analysis [ In reply to ]
On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz <yehuda@ymkatz.net> wrote:

> Your log doesn't start early enough. Someone uploaded a web shell (or
> found an existing web shell) to your server, possibly using an upload for
> that doesn't validate the input, then used that shell to run commands on
> your server.
>

Yes, that was not a very old log.

Here is another old log paste:
https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=

Here is another log which starts earlier than the earlier logs, which may
help to investigate more.

> I would consider your entire server to be compromised at this point since
> you have no record of what else the attacker could have done once they had
> a shell.
>
Yes, we took the server down and recreated the VM from an old backup. We also
informed the developer/maintainer about this simple.shell execution and the
need for regular patching of the PHP7 version and the wordpress framework
they used for hosting.

I would like to know what other details / analysis we need to perform to
find out how the attacker got access, at what time the backdoor was
installed, and through what vulnerability they exploited it.

I request your tips to investigate further, to find the root cause of
this kind of attack, and how to prevent it in future.



> Make sure that you do not allow users to upload files and then execute
> those files.
>
> - Y
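Krish asks above what further analysis would show how the attacker got in and when the backdoor was installed. As an added example (not code from anyone in this thread, and not run against the pasted logs), the script below triages an Apache combined-format access log for the pattern Yehuda describes: a script sitting under an upload directory being requested, when it was first hit and from which IPs, whether it actually executed (2xx) or was refused (403, which is what Paul's <Files "*.php"> Deny on the uploads directory produces), and the successful POSTs from the same IP just before the first hit, which is where the upload itself usually sits. The sample log lines and the list of upload directories are constructed assumptions.

```python
import re
from datetime import datetime

# Apache "combined" log format. The lines further down are constructed for this
# example; they are not taken from the pastebin/zerobin logs in the thread.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumed: where user-supplied files land on a typical PHP/WordPress site, and
# the extensions the PHP handler would execute if nothing blocks them there.
UPLOAD_DIRS = ("/wp-content/uploads/", "/uploads/", "/files/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string
    return e


def is_script_in_uploads(path):
    """A request for an executable script inside an upload directory is the
    signature Yehuda describes: a dropped file being used as a web shell."""
    p = path.lower()
    return any(d in p for d in UPLOAD_DIRS) and p.endswith(SCRIPT_EXT)


def triage(lines):
    """Return {script_path: finding} for every script requested under an
    upload directory: first hit, hit count, status codes, source IPs, and the
    successful POSTs from the same IP before the first hit (the upload that
    planted the file usually sits among them)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = {}
    for i, e in enumerate(events):
        if not is_script_in_uploads(e["path"]):
            continue
        f = findings.get(e["path"])
        if f is None:
            f = findings[e["path"]] = {
                "first_seen": e["ts"], "hits": 0, "statuses": set(), "ips": set(),
                # last three successful POSTs by this IP before the first hit
                "preceding_posts": [
                    (p["ts"], p["ip"], p["path"]) for p in events[:i]
                    if p["method"] == "POST" and p["ip"] == e["ip"] and p["status"] < 400
                ][-3:],
            }
        f["hits"] += 1
        f["statuses"].add(e["status"])
        f["ips"].add(e["ip"])
    return findings


def executed(finding):
    """True if the script ever answered 2xx, i.e. PHP in the upload directory
    really ran. With Paul's <Files "*.php"> Deny on the uploads directory these
    requests would be 403s instead and this returns False."""
    return any(200 <= s < 300 for s in finding["statuses"])


def report(findings):
    """Human-readable summary: one line per finding plus its preceding POSTs."""
    out = []
    for path, f in findings.items():
        verdict = "EXECUTED" if executed(f) else "blocked"
        out.append(f"{f['first_seen']:%Y-%m-%d %H:%M:%S} {verdict:8} {path} "
                   f"hits={f['hits']} status={sorted(f['statuses'])} ips={sorted(f['ips'])}")
        for ts, ip, p in f["preceding_posts"]:
            out.append(f"    earlier POST {ts:%H:%M:%S} {ip} {p}")
    return out


# Constructed sample: a login, a WordPress media upload, then the uploaded file
# being requested directly, plus one 403 to show what a blocked request looks like.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2022:20:41:02 +0530] "GET /wp-login.php HTTP/1.1" 200 4125 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:20:41:09 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:20:42:30 +0530] "POST /wp-admin/async-upload.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:20:42:51 +0530] "GET /wp-content/uploads/2022/07/cache.php HTTP/1.1" 200 77 "-" "curl/7.68.0"
198.51.100.9 - - [05/Jul/2022:21:10:05 +0530] "GET /index.php HTTP/1.1" 200 15872 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2022:21:15:40 +0530] "POST /wp-content/uploads/2022/07/cache.php HTTP/1.1" 200 31 "-" "curl/7.68.0"
198.51.100.9 - - [05/Jul/2022:21:30:00 +0530] "GET /wp-content/uploads/2022/07/old.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.20 - - [05/Jul/2022:22:03:11 +0530] "GET /wp-content/uploads/2022/07/image.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # Real use: triage(open("/var/log/httpd/access_log").read().splitlines())
    print("\n".join(report(triage(SAMPLE_LOG.splitlines()))))
```

The first EXECUTED line and the POST to async-upload.php just before it give the install time and the upload request to pull the matching entry from the application's own logs; a 2xx on a script in uploads also means the vhost is missing the deny Paul shows.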
Re: site compromised and httpd log analysis [ In reply to ]
Happy Wednesday

Ok allow me to share some experience :

about 4 years ago 1one1 hosting, myself and a bunch of others got hacked.

this is because i was using common vhosts pointing to the web directory

because www:www were the rights (no real easy way to get around that) i
had to lock php down (as indicated) along with wordpress etc.

It appears this is the real issue at hand, once a server is compromised
(regardless of the operating system at hand) it basically needs to be wiped
clean and reloaded

the config below might be like using a ballistic missile when a sledge
hammer will do ...

however touch wood i have not been hacked since

and if someone does figure out a site login (ftp, wordpress etc) then the
damage is contained to that site and will not bleed out sideways.

unfortunately this is what is required in today's operating environment

so basically with this config:

central logging that will firewall ip's on demand

wordpress fail2ban showing bad admin logins being tracked

people try all day long but no real issues other than the odd dos attack,
which the firewall will fix within 20 minutes of the attack?


Hope this explains / helps .....


Happy Wednesday !!!
Thanks - paul

Paul Kudla

On 7/6/2022 8:57 AM, Frank Gingras wrote:
> Cross-site contamination is not the same as exploiting insecure php
> scripts to upload malicious content.
>
> I will agree that isolation is a good idea, but it really has little to
> do with the thread at hand.
>
> On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA <http://SCOM.CA>
> Internet Services Inc.) <paul@scom.ca <mailto:paul@scom.ca>> wrote:
>
>
> ok may or may not be related but i found i had to lock php, wordpress
> etc down heavely in apache
>
> especially if you are using vhosts
>
> i found one authorized site could talk to another without making things
> more strict
>
> yes its a pain to have one vhost per site but its the only way to fully
> isolate one from the other
>
> if someone executes stuff it stays within their working directory
>
> example (shows http alias etc - note the directory directives - i use a
> database --> script generator so its not too inconvient.) :
>
>
> <VirtualHost *:80>
>     ServerName bedrockconstruction.ca
>     ServerAlias bedrockconstruction.ca
>     ServerAlias www.bedrockconstruction.ca
>     Redirect permanent / https://bedrockconstruction.ca/
> </VirtualHost>
>
> <VirtualHost *:443>
>     ServerName bedrockconstruction.ca
>     ServerAlias bedrockconstruction.ca
>     ServerAlias www.bedrockconstruction.ca
>     DocumentRoot /www/bedrockconstruction.ca
>
>     SSLEngine on
>     SSLProtocol all
>     SSLCertificateFile      /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
>     SSLCertificateKeyFile   /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
>     SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain
>
>     SuexecUserGroup www www
>
>     <Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
>         <Files "*.php">
>             Order Deny,Allow
>             Deny from All
>         </Files>
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
>     </Directory>
>
>     <Directory /www/bedrockconstruction.ca>
>         php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
>     </Directory>
>
>     <Directory "/www/bedrockconstruction.ca">
>         AllowOverride All
>         php_value session.save_path "/www/bedrockconstruction.ca/"
>     </Directory>
>
> </VirtualHost>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: site compromised and httpd log analysis [ In reply to ]
On Wed, Jul 6, 2022 at 9:08 AM KK CHN <kkchn.in@gmail.com> wrote:

> On Wed, Jul 6, 2022 at 8:33 AM Yehuda Katz <yehuda@ymkatz.net> wrote:
>
>> Your log doesn't start early enough. Someone uploaded a web shell (or
>> found an existing web shell) to your server, possibly using an upload for
>> that doesn't validate the input, then used that shell to run commands on
>> your server.
>>
> Here is another old log paste
> https://zerobin.net/?a4d9f5b146676594#hkpTU0ljaG5W0GUNVEsaYqvffQilrXavBmbK+V9mzUw=
>

I see an entry in that log file mentioning a web shell on June 19:

175.141.226.202 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/origiinal-shellbackdoor-anonymous-bypass-kak827j.php?path=/var/www/html HTTP/1.1"


You can see the same IP address added a second hidden shell (gel4y - an
open-source hidden shell).


> I would like to know what other details / analysis we need to perform to
> find out how the attacker got access, what time the backdoor was
> installed, and through what vulnerability they exploited it.
> I request your tips to investigate further, to find the root cause of
> this kind of attack, and how to prevent it in the future.
>

As I said before, you need to make sure your webserver will not try to
execute files uploaded by users.
Since you mentioned WordPress: WordPress is well known for having this
vulnerability because uploads are stored in a public location by default.
Make sure none of your plugins allow file uploads with
unspecified extensions - for example, an upload form for pictures should
check to make sure that what was uploaded is actually a picture before
moving it to the wp-content/uploads directory.
You should also look into blocking execution of PHP and other scripts in
the wp-content/uploads directory (and any other location an untrusted user
may be able to upload to).

- Y
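The identification above (a .php file requested under an upload directory, a `path=` parameter, a second shell from the same IP) can be turned into a repeatable check. As an added example, not code from the thread or from any of its participants, here is a Python scanner over Apache combined-format access log lines that flags those indicators and then lists everything the flagged IP did shortly before its first hit, which is where the request that placed the shell usually shows up. The log lines are constructed (documentation IP ranges), modelled on the paths quoted in this thread rather than taken from the real paste; the directory and indicator lists are assumptions for a typical WordPress layout.

```python
"""Flag web-shell indicators in Apache combined-format access logs and
reconstruct what the flagged client did around its first hit.
Added example, not code from the thread; directory names and indicator
lists are assumptions for a typical WordPress layout."""
import re
from datetime import datetime, timedelta

# host ident authuser [time] "method target protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Directories that should serve data only, never code (assumption).
UPLOAD_DIRS = ("/wp-content/uploads/", "/dashboard/upload/", "/uploads/")
# Server-side script extensions, including double-extension forms such as
# shell.php.jpg, which a mis-configured handler may still execute.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# Words that show up in shell file names; weak on their own, shells get renamed.
SHELL_WORDS = re.compile(r"shell|backdoor|bypass|c99|r57|gel4y", re.IGNORECASE)
# Query parameters shells use to take a directory or a command.
SHELL_PARAMS = re.compile(r"(^|&)(path|cmd|dir|c)=", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"], _, e["query"] = e["target"].partition("?")
    return e


def indicators(e):
    """Names of the indicators a parsed entry matches (empty list if clean)."""
    hits = []
    if any(d in e["path"] for d in UPLOAD_DIRS) and SCRIPT_EXT.search(e["path"]):
        hits.append("script-under-uploads")
    if SHELL_WORDS.search(e["path"]):
        hits.append("shell-name")
    if e["query"] and SHELL_PARAMS.search(e["query"]):
        hits.append("shell-param")
    return hits


def scan(log_text):
    """All flagged entries, in file order, each with its indicator list."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and (hits := indicators(e)):
            findings.append({"ip": e["ip"], "time": e["time"], "method": e["method"],
                             "target": e["target"], "status": e["status"], "indicators": hits})
    return findings


def first_seen(findings):
    """Earliest flagged request per client IP: the best lower bound the web
    log gives for when the shell was first used."""
    first = {}
    for f in sorted(findings, key=lambda f: f["time"]):
        first.setdefault(f["ip"], f)
    return first


def timeline(log_text, ip, before_seconds=120):
    """Every request from `ip` from `before_seconds` before its first flagged
    request onward. The request that placed the file is usually in here."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e and e["ip"] == ip]
    flagged = [e["time"] for e in entries if indicators(e)]
    if not flagged:
        return []
    start = min(flagged) - timedelta(seconds=before_seconds)
    return [(e["time"].isoformat(), e["method"], e["target"], e["status"])
            for e in entries if e["time"] >= start]


# Constructed sample (documentation IP ranges), modelled on the paths quoted
# in the thread; these are not lines from the real log.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2022:03:20:11 +0530] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2022:03:20:12 +0530] "GET /wp-content/uploads/2022/06/logo.png HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jun/2022:03:34:40 +0530] "POST /dashboard/upload/wordpdf/ HTTP/1.1" 200 311 "-" "python-requests/2.27"
198.51.100.23 - - [19/Jun/2022:03:35:03 +0530] "GET /dashboard/upload/wordpdf/shellbackdoor-bypass.php?path=/var/www/html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jun/2022:03:36:15 +0530] "POST /wp-content/uploads/2022/06/gel4y.php HTTP/1.1" 200 44 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jun/2022:03:37:01 +0530] "GET /wp-content/uploads/2022/06/gel4y.php?cmd=id HTTP/1.1" 200 61 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2022:03:40:00 +0530] "GET /wp-content/uploads/2022/06/report.pdf HTTP/1.1" 200 70211 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["time"].isoformat(), f["ip"], f["method"], f["target"], ",".join(f["indicators"]))
    for ip, f in first_seen(found).items():
        print(f"\n{ip}: first shell hit {f['time'].isoformat()} {f['target']}")
        for row in timeline(SAMPLE_LOG, ip):
            print("   ", *row)
```

Run it against a real log with `scan(open(path).read())`. Name-based indicators are weak (shells get renamed to innocuous names), so the one worth alerting on is any script extension requested under a directory that should only ever hold uploads. And, as noted earlier in the thread, if the log has been rotated away the upload itself will not be visible; file modification times under the upload directory and the application's own upload handling are then the next place to look.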