Here's Where We Are
Vulnerability: Any stock CentOS 5.x or 6.x system with Apache and PHP exposed to Internet access with no IP address restrictions (whitelist).
UPDATED: See this post for the latest information. It appears that the security hole may be limited to 64-bit Linux systems as well as Proxmox servers with OpenVZ support.
How Do They Get In: Some (perhaps unknown) vulnerability in stock versions of Apache and PHP on CentOS systems allows the attacker to gain system access. We really don't know any more than that at this juncture. But this does not appear to be a phpMyAdmin exploit, as that utility is locked down with a secure .htaccess password on some of the systems that have been compromised. Fail2Ban is not detecting hack attempts, so it appears the attacker is walking right in with this exploit.
Privileges: Still unclear whether the attacker is gaining root access or merely the same access enjoyed by Apache on the attacked system. To do what they're doing would NOT require root privileges on your system. The attacker brings a customized version of WebMin with their own password.
What Happens Once They're In: In a nutshell, your system is turned into a zombie. Using perl and WebMin (their own version), they can interconnect your server into a worldwide network of machines used to launch denial-of-service and other malicious attacks against other systems on the Internet.
How Do I Know If My Machine Has Been Compromised? Examine some of the previous comments in this thread. Run ps awx on your server and look for long lists of processes running perl scripts. Look in the /usr directory for a directory called game, games, books, etc. Inside those directories, run ls -all, which will show hidden files beginning with a period. There will be a directory called .n or .s or something similar. Look in /etc/cron.daily. There will be a new script as outlined in this thread. NOTE: The zombie software is old and signatures already exist in anti-virus programs. The exploit to gain access may be entirely new.
What Should Be in /usr? On a stock PIAF system, you should see the following directories:
bin games kerberos libexec man share tmp etc include lib local sbin src X11R6
The games directory will be empty when you run ls -all.
What Should Be in /etc/cron.daily? On a stock PIAF system, you should see the following files:
0anacron cups makewhatis.cron prelink tmpwatch 0logwatch logrotate mlocate.cron rpm
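A defender-side script that automates the baseline comparison described above (extra entries in /usr and /etc/cron.daily, hidden dot-directories under /usr/games and friends). This is an added example, not from the original post; the two stock listings are the post's, and the ROOT argument is an assumption added so the check can be run against a copied tree as well as the live system.

```shell
#!/bin/sh
# Compare a system against the stock PIAF listings quoted above and report anything extra.
# The expected names below are the post's; everything else here is constructed for the example.
STOCK_USR="bin games kerberos libexec man share tmp etc include lib local sbin src X11R6"
STOCK_CRON="0anacron cups makewhatis.cron prelink tmpwatch 0logwatch logrotate mlocate.cron rpm"

# in_list NAME LIST: succeed if NAME is one of the space-separated words in LIST
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# extra_entries DIR LIST: print entries of DIR (hidden ones included) that are not in LIST
extra_entries() {
    for path in "$1"/* "$1"/.*; do
        [ -e "$path" ] || continue            # unmatched glob is left literal; skip it
        name=$(basename "$path")
        case "$name" in .|..) continue ;; esac
        in_list "$name" "$2" || echo "$name"
    done
}
# hidden_dirs DIR: print dot-directories directly under DIR (the ".n" / ".s" pattern)
hidden_dirs() {
    for path in "$1"/.*; do
        name=$(basename "$path")
        case "$name" in .|..) continue ;; esac
        [ -d "$path" ] && echo "$name"
    done
}

# audit [ROOT]: print findings under ROOT (empty = live system); return 1 if any were found
audit() {
    root="${1:-}"; rc=0
    for e in $(extra_entries "$root/usr" "$STOCK_USR"); do
        echo "unexpected entry in /usr: $e"; rc=1
    done
    for e in $(extra_entries "$root/etc/cron.daily" "$STOCK_CRON"); do
        echo "unexpected cron.daily script: $e"; rc=1
    done
    for d in games game books; do                # directory names given in the post
        [ -d "$root/usr/$d" ] || continue
        for h in $(hidden_dirs "$root/usr/$d"); do
            echo "hidden directory /usr/$d/$h"; rc=1
        done
    done
    return $rc
}
```

To check the live system, source the file and run audit with no argument; the perl-process check from the post (ps awx) is still done by hand. A non-zero exit is a reason to look closer, not proof of compromise, and a clean result on these two listings does not clear the box.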
How to Fix It: If your system has been compromised, reformat the disk and reinstall. If they haven't gotten in, or if you've started over, (1) immediately turn off Internet access to web services on your servers. You can implement a whitelist of safe IP addresses for web access using IPtables or your hardware-based firewall. We will post a HOW-TO shortly. (2) Upgrade Apache to the latest version and PHP to the latest 5.2 or 5.3 version. For PIAF users, we are working on an upgrade which should be available in the next couple of days. It's not easy!
NOTE: Just because your system has not yet been compromised does NOT mean you are safe. Your system still needs to be secured. Turn OFF Web Access Now!
For Standard PIAF servers and Proxmox PIAF installs ONLY:
How to Temporarily Disable Web Access: Log in as root. Issue command:
iptables -D INPUT -p tcp -m tcp --dport 80 -j ACCEPT
How to Temporarily Enable Web Access: Log in as root. Issue command:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
How to Temporarily Enable Web Access for a Specific IP Address: Log in as root. Issue command:
iptables -A INPUT -p tcp -m tcp -s 123.45.67.8 --dport 80 -j ACCEPT
NOTE: These settings only work on stock PIAF servers, not hosted systems such as RentPBX. These settings are temporary until a reboot or service iptables restart.
For RentPBX-hosted PIAF servers ONLY:
How to Temporarily Disable Web Access: Log in as root. Issue command:
iptables -D RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
How to Temporarily Enable Web Access: Log in as root. Issue command:
iptables -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
NOTE: These settings only work on RentPBX PIAF servers, not standard PIAF systems. These settings are temporary until a reboot or service iptables restart.