Proxmox Web Security Issue

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
A Few Thoughts on the Recent Web/PHP Exploit of CentOS-based Apache Systems

FreePBX Distro Rooted

See also the FreePBX Security Advisory

We don't wish this on anybody or any distro, but it reinforces the importance of security vigilance and the need to heed 5 KEY SECURITY CONSIDERATIONS WITH PBX IN A FLASH:

  1. Always run PIAF behind a secure hardware-based firewall with NO PORTS exposed to the Internet
  2. You always get the latest YUM updates for CentOS on new PIAF installs
  3. Don't monkey with the PIAF and Apache Security Model
  4. If you absolutely must expose PIAF ports to the Internet, use WHITELISTS in IPtables or a VPN for all access
  5. install-hamachi script is included in new installs and OpenVPN install instructions are available on this forum!

For current status, see this post.


darmock

PIAF Developer
Joined
Oct 18, 2007
Messages
2,892
Reaction score
98
Interesting how they seem to be whining about other distros in their thread.... Oh well, hope they fix it soon.


tom
 

mbrevda

Guru
Joined
Apr 14, 2011
Messages
16
Reaction score
0
oh well hope they fix it soon

Indeed, considering the scope of the vulnerability it would be nice to see an update from the CentOS guys.

UPDATE: In the meantime, an update has been released for the FreePBX Distro. More here. Also, the vulnerability(s) at hand are not specific to the FreePBX distro - they affect MOST VERSIONS of Apache and some versions of PHP REGARDLESS OF DISTRO.
 

phoneguy

Guru
Joined
Jan 13, 2008
Messages
285
Reaction score
54
Tom

I think you need to evaluate your version of php and apache for exploits as we have spent countless hours on FreePBX Support the past week with customers from PBXiaF, Trixbox, Elastix, AsteriskNow and yes the FreePBX Distro who have been hacked from these exploits. We rolled an upgrade today that patches the exploits in 3 different packages.

So before you start trying to take jabs at us you should look at your own product also.

None of CentOS 5.5, 5.6 or 6.0 has a version of Apache that closes this exploit.

Edit: This is based on our ability to stop the exploit on some customer support boxes by upgrading Apache to a version higher than 2.2.18, which stock CentOS does not include from my scan this morning of their repos.
 

bucasia

Guru
Joined
Sep 26, 2008
Messages
98
Reaction score
1
Hi Tony,

Please can you provide links to details about 'this exploit'.

Thanks, Matt
 

phoneguy

Guru
Joined
Jan 13, 2008
Messages
285
Reaction score
54
No, at this time for security reasons I think it would be irresponsible of us to state the exact exploits, as that would draw more attention to them and invite more hackers to go after them. Just trust us that we have seen over 50 boxes compromised in the last week from it already. I have informed Ward over the phone about it since all versions of PBXiaF have the same exploit.
 

bucasia

Guru
Joined
Sep 26, 2008
Messages
98
Reaction score
1
Please Private Message me with the details then. I have many customers running FreePBX in its various guises (Trixbox, Elastix, PIAF).

If you've seen so many boxes compromised this week you are not protecting anyone by keeping this information private. The details are obviously available in the hacker community.

If the exploits are public anyway (have CVE numbers etc ...) then the information is already available (but maybe not relating to how it affects FreePBX). If the exploits are general Apache/PHP exploits with current versions of CentOS then the implications are much wider.

Anyway, I'd obviously be very grateful if you could PM the details.

Thanks, Matt
 

malcolmd

Guru
Joined
Aug 12, 2010
Messages
101
Reaction score
7
Okay, as far as we can tell, what's shipping in the latest AsteriskNOW is *not* vulnerable. Tony, if we're wrong, drop me a line.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Tony,
The post you mention states that you didn't see the same vulnerability once you had upgraded Apache and FreePBX. If we don't know what the vulnerability is, then how do we know it has been addressed by these updates?

Thanks for all your work on this!

P.S. If anyone has had HTTP compromised (and there are some good hints in the FreePBX forum posts referenced in the first post above), please PM me ASAP!!! Thanks.
 

phoneguy

Guru
Joined
Jan 13, 2008
Messages
285
Reaction score
54
Ward

The upgrade for FreePBX Distro is only upgrading Apache and PHP. We are not touching anything in the FreePBX GUI with this upgrade. I suggest getting the latest Apache installed, as that is what stopped it on the systems that we were working on. The systems we saw the exploits on were from FreePBX Support customers, not Schmooze PBXact customers. It was some home-built FreePBX systems and numerous other FreePBX Distros, including PBXiaF. Please do not spin this as a Schmooze Customer Exploit or FreePBX Distro exploit. FreePBX Distro was running Apache httpd-2.2.3-43; we upgraded to httpd-2.2.19 and the attacks stopped.
 

bucasia

Guru
Joined
Sep 26, 2008
Messages
98
Reaction score
1
Hi Tony,

Please elaborate on this bit "... and the attacks stopped". I think that is the vital bit of information we are missing.

How/what are you seeing as an 'attack'? Is this log entries, IDS warnings, traffic patterns ... or just that attackers no longer have root access to the boxes?

If it's just the latter I'm not sure that proves anything.

Thanks, Matt
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
No spin intended, Tony. We're all in this together. I was merely restating what was reported on the FreePBX Forums (see screenshot below).

If you are able to identify the exploit, we would appreciate a heads up. We certainly appreciate all your work in finding a fix to this (as yet) unidentified exploit.

Frankly, I'm a little surprised that any outside firm that found this vulnerability (as you reported to me in our phone call) would not have alerted the customer to what the actual problem was. That is highly unusual behavior to put it charitably.

 

mbrevda

Guru
Joined
Apr 14, 2011
Messages
16
Reaction score
0
Ward, in the link above there are links to some vulnerabilities. That being said, one can never be 1000% sure that anything is vulnerability-proof. In this case, whatever issues there were*, they seemed to "go away" when the systems were upgraded. Hence we feel that, at a minimum, these fixes should be applied.


*I'll leave it to Tony to elaborate, his picture is clearer than mine
 

phoneguy

Guru
Joined
Jan 13, 2008
Messages
285
Reaction score
54
We would ps awx and see a ton of processes called exim running which were executing some perl script, and most of the time you could see a SCREEN session running.

If you did a screen -x you could watch the port scan running. In each example we would see they were running scans of IPs for /phpmyadmin or /myadmin. At other times they were doing scans to find email SMTP relay servers to exploit from other people's boxes.

Most of these scripts were being fed from other hacked boxes running IRC servers to command and control the IP addresses the scripts should be executing against.

Most of the time the scripts were being saved in /usr/game/

Hope this helps everyone.
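A small triage helper, added here as an example (it is not code from any poster nor from the FreePBX or PIAF projects), that flags the indicators Tony describes above in `ps awx` output and checks whether an installed httpd is older than the 2.2.19 he reports upgrading to. The process list and rpm strings are constructed samples; PIDs and paths under /usr/game/ are hypothetical.

```python
"""Triage helper for the compromise indicators described in this thread."""
import os
import re

# Constructed sample of `ps awx` output (not taken from any real box).
SAMPLE_PS = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 init [3]
 1342 ?        Ss     0:00 /usr/sbin/httpd
 2201 ?        S      0:00 exim /usr/game/.x/scan.pl
 2202 ?        Ss     0:00 SCREEN -dmS x ./scan.pl
 2210 ?        S      0:00 /usr/sbin/exim -bd -q30m
"""


def suspicious_processes(ps_output):
    """Return (pid, command) pairs matching the thread's indicators:
    a process named exim whose command line runs a perl script,
    a SCREEN session, or anything referencing /usr/game/.
    A plain exim mail daemon (no perl script) is deliberately not flagged."""
    hits = []
    for line in ps_output.splitlines()[1:]:        # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, cmd = parts[0], parts[4]
        prog = os.path.basename(cmd.split()[0])
        exim_with_perl = prog == "exim" and re.search(r"\.pl\b|\bperl\b", cmd)
        if exim_with_perl or prog == "SCREEN" or "/usr/game/" in cmd:
            hits.append((int(pid), cmd))
    return hits


def httpd_needs_upgrade(rpm_output, fixed=(2, 2, 19)):
    """Parse `rpm -q httpd` output such as 'httpd-2.2.3-43.el5' and report
    whether the upstream version is below the release the thread says
    stopped the attacks (2.2.19)."""
    m = re.match(r"httpd-(\d+)\.(\d+)\.(\d+)", rpm_output.strip())
    if not m:
        raise ValueError("unrecognised rpm output: %r" % rpm_output)
    return tuple(int(x) for x in m.groups()) < fixed


if __name__ == "__main__":
    for pid, cmd in suspicious_processes(SAMPLE_PS):
        print("suspicious pid %d: %s" % (pid, cmd))
    print("httpd-2.2.3-43.el5 needs upgrade:", httpd_needs_upgrade("httpd-2.2.3-43.el5"))
```

On a live box, feed it the real output of `ps awx` and `rpm -q httpd` instead of the constructed samples.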
 

bucasia

Guru
Joined
Sep 26, 2008
Messages
98
Reaction score
1
Hi Tony,

Many thanks. That's really useful. Absolutely no finger pointing intended at all. The heads up is appreciated.

One last thing - do you know if the processes were running as root, or as the Apache user (whatever user Apache was running as)?

Thanks, Matt
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Tony,

If you would kindly pass along contact information for any PIAF users that report a vulnerability, we will follow up with them directly.

Thanks again.
 

phoneguy

Guru
Joined
Jan 13, 2008
Messages
285
Reaction score
54
All I can do is tell them they can contact you. I cannot pass this info along for privacy reasons.
 

ezekielmudd

New Member
Joined
Jan 11, 2009
Messages
20
Reaction score
5
These exploits are published on the net already. Security by obscurity isn't helping anyone.

In these cases, I usually look at milw0rm to see if they've posted any vulnerabilities. Take a quick look at universal Inj3ct0r 1337 Exploit DataBase to see if they listed any 0day exploits with Linux. Two come up for Trixbox. Do the descriptions look familiar?

Or are these boxes getting slammed because of phpmyadmin vulnerabilities?

I had an old copy of phpmyadmin on my regular linux box and it got slammed.

Don't panic. Fix it calmly.

BTW, here's a link to the exploit reports over at FreePBX.
 

ezekielmudd

New Member
Joined
Jan 11, 2009
Messages
20
Reaction score
5
We would ps awx and see a ton of processes called exim running which were executing some perl script, and most of the time you could see a SCREEN session running.

That's a mail daemon. They're sending out emails.

If you did a screen -x you could watch the port scan running. In each example we would see they were running scans of IPs for /phpmyadmin or /myadmin.

They're trying to exploit phpmyadmin because it's terribly insecure. I got slammed that way.

At other times they were doing scans to find email SMTP relay servers to exploit from other people's boxes.

They're trying to exploit exim on other machines.

I did a search for exploits on Apache 2.2.18 and there are no 0day exploits - only DoS exploits.

If, in fact, there is an exploit for apache 2.2.18 then it's really new.

Metasploit (The Good Guys) says that the last published exploit for apache was for version 2.2.14.
 
