2013-11 PHP security issue

    PHP versions 5.3.x before 5.3.12 and 5.4.x before 5.4.2 are vulnerable to remote code execution. This security issue has been described in detail on the following page:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823


    Please note that even if your machine has been compromised, the attacker scripts run with the same permissions as the Apache web server (the daemon user), so the attacker cannot modify any files owned by the bitnami user or root. The attacker scripts are usually used to scan other machines.

    Prevent

    To prevent unauthorized access, please log into your servers and remove the following files by executing the command:

    sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin

    You can learn more about how to access your machine via SSH in our wiki:
    http://wiki.bitnami.com/BitNami_Cloud_Hosting/Servers/SSH#How_to_connect_to_my_server


    Detect if your machine is compromised

    First, you can check your Apache log files and search for cgi-bin/php-cgi requests. If there are any present, it is possible that your machine has already been attacked:

    egrep 'POST /cgi-bin/php-cgi.*6E HTTP.* 200 ' /opt/bitnami/apache2/logs/access_log

    You may also detect if your machine has been compromised by executing the following commands:

    ls -asl /tmp /var/tmp
    sudo ps -Udaemon -u daemon
    sudo crontab -l -u daemon
    sudo atq

    If you notice any processes running as the daemon user apart from atd or httpd, any suspicious files owned by the daemon user in the /var/tmp or /tmp directories, or any strange cron or at job defined for the daemon user, it means your machine is affected.
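    As an added example (not part of the original page), a small Python triage script that goes one step beyond the egrep above: it URL-decodes the query string of every php-cgi request in an access_log and flags those that a vulnerable php-cgi would have parsed as command-line options (the CVE-2012-1823 pattern), regardless of method or option letters. The log lines, IP addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access_log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2013:02:11:43 +0000] "POST /cgi-bin/php-cgi?%2D%64+display_errors%3D1+%2D%6E HTTP/1.1" 200 1187 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2013:02:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 5321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2013:02:12:30 +0000] "GET /cgi-bin/php-cgi?%2D%68 HTTP/1.1" 200 842 "-" "curl/7.30"
192.0.2.9 - - [10/Nov/2013:02:13:00 +0000] "GET /cgi-bin/php-cgi?a=1 HTTP/1.1" 404 220 "-" "curl/7.30"
"""

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_cgi_args(target):
    """Return the decoded query string if a vulnerable php-cgi would have
    taken it as command-line options, otherwise None.  The bug: a query
    string with no literal '=' is passed as argv, so the indicator is a
    query that encodes '-' as %2D (and '=' as %3D) and decodes to '-...'."""
    parts = urlsplit(target)
    if not parts.path.endswith("/php-cgi") or "=" in parts.query:
        return None
    decoded = unquote_plus(parts.query)
    return decoded if decoded.lstrip().startswith("-") else None


def find_cgi_arg_injection(log_text):
    """Scan access_log text and return one record per request that
    carried php-cgi options; status 200 means the request was served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        args = decode_cgi_args(m["target"])
        if args is not None:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "args": args})
    return hits


if __name__ == "__main__":
    for hit in find_cgi_arg_injection(SAMPLE_LOG):
        print(hit)
```

    Run it against /opt/bitnami/apache2/logs/access_log by reading the file into find_cgi_arg_injection; a hit with status 200 deserves the same follow-up as a match from the egrep command.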


    How to remove the attacker scripts

    There might be different versions of the attacker scripts, but the following procedure should work in most cases.

    First, make sure that your Apache configuration is correct, to avoid problems after restarting it.

    Then you can execute the following script:

    mkdir -p /home/bitnami/201311-security-issue
    cd /home/bitnami/201311-security-issue || exit 1
    # Validate the Apache configuration before touching anything; a broken
    # configuration would leave Apache down after the restart at the end.
    if ! sudo sh -c '. /opt/bitnami/scripts/setenv.sh && /opt/bitnami/apache2/bin/apachectl -t'; then
      echo 'APACHE CONFIG PROBLEM!!!'
    else
      # Keep a copy of cgi-bin for later analysis, then remove the vulnerable php-cgi binaries
      cp -r /opt/bitnami/apache2/cgi-bin .
      sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin
      mkdir -p attacker_files
      cd attacker_files || exit 1
      # Preserve the daemon user's crontab (if there is one) for analysis instead of deleting it
      if sudo test -f /var/spool/cron/crontabs/daemon; then
        sudo mv /var/spool/cron/crontabs/daemon crontabs_daemon
      fi
      # Move every file owned by daemon out of the temp directories (xargs -r: do nothing if none found)
      mkdir -p daemon_tmp_files daemon_var_tmp_files
      find /var/tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 -r mv -t daemon_var_tmp_files --
      find /tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 -r mv -t daemon_tmp_files --
      # Kill all processes running as daemon (Apache workers included; Apache is restarted right after)
      sudo ps -Udaemon -u daemon | grep -v PID | awk '{print $1}' | sudo xargs -r kill -9
      sudo /opt/bitnami/ctlscript.sh restart apache
    fi

    At the end of this process, reboot your machine.

    It is difficult for us to provide one-on-one support for our free users, but if you have trouble with the above instructions, please reach out to us at helpdesk.bitnami.com and we will try to help. Please include as many details as possible about your system (IP address or domain name, application version, what you already tried, etc.).
