Ubuntu – nikto probe warning messages

Tags: lamp, security, ubuntu

I have a pretty standard VPS running Ubuntu 8.1, Apache 2.2, PHP 5 etc. — a standard LAMP stack. I am using suhosin and have tried my best to plug the obvious stuff, since I'm the only user: there's no SSH access except via pubkey on a non-standard port, there's no root access by SSH, no FTP server running, and iptables is set to discard anything outside of basically port 80 or my SSH port (there's no mail server or anything else).

However, I've still been compromised (not badly as far as I can tell) probably by a SQL injection. I've locked down the SQL user (there's only one outside of root, and he's got limited priv, no file etc.)

So I ran nikto to see what I'm doing wrong, and there's a list of things I've never seen, and can't find using "find" or any other method I'm aware of. See below:

+ /autologon.html?10514: Remotely Anywhere 5.10.415 is vulnerable to XSS attacks that can lead to cookie theft or privilege escalation. This is typically found on port 2000.
+ /servlet/webacc?User.html=noexist: Netware web access may reveal full path of the web server. Apply vendor patch or upgrade.
+ OSVDB-35878: /modules.php?name=Members_List&letter='%20OR%20pass%20LIKE%20'a%25'/*: PHP Nuke module allows user names and passwords to be viewed.
+ OSVDB-3092: /sitemap.xml: This gives a nice listing of the site content.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-12184: /some.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3092: /Agent/: This might be interesting...
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3092: /logs/: This might be interesting...
+ OSVDB-3092: /tmp/: This might be interesting...
+ ERROR: /servlet/Counter returned an error: error reading HTTP response
+ OSVDB-3268: /icons/: Directory indexing is enabled: /icons
+ OSVDB-3268: /images/: Directory indexing is enabled: /images
+ OSVDB-3299: /forumscalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See link
+ OSVDB-3299: /forumzcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See link
+ OSVDB-3299: /htforumcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See link
+ OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See link
+ OSVDB-3299: /vbulletincalendar.php?calbirthdays=1&action=getday&day=2001-8-15&comma=%22;echo%20'';%20echo%20%60id%20%60;die();echo%22: Vbulletin allows remote command execution. See link
+ OSVDB-6659: /kCKAowoWuZkKCUPH7Mr675ILd9hFg1lnyc1tWUuEbkYkFCpCdEnCKkkd9L0bY34tIf9l6t2owkUp9nI5PIDmQzMokDbp71QFTZGxdnZhTUIzxVrQhVgwmPYsMK7g34DURzeiy3nyd4ezX5NtUozTGqMkxDrLheQmx4dDYlRx0vKaX41JX40GEMf21TKWxHAZSUxjgXUnIlKav58GZQ5LNAwSAn13l0w<font%20size=50>DEFACED<!--//--: MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.

I understand about the trace and index, but what about the vbulletin and autologin? I've searched, and I can't find any files like that on the server. I have no idea about the "MyWebServer" stuff, the PHP Nuke, or the Netware/servlet stuff; there's nothing really on the server except a pretty standard Joomla site (updated to the latest version).

Any help with these messages and/or what I'm doing wrong is very much appreciated.

Best Answer

Nikto produces a lot of false positives. Most of the results that you have posted may or may not be an issue and it requires manual inspection.

Nikto warnings like this are because you have directory listing enabled.

OSVDB-3092: /logs/: This might be interesting... 

This is considered to be a minor information disclosure vulnerability. To patch this vulnerability you can modify your apache config:

Options -Indexes

Another patch is to put blank index.html pages in these folders.

Nikto is also saying that you may be running PHP-Nuke and Vbulletin. Vulnerabilities have been found in these applications and you may be vulnerable. If you are running these applications, make sure they are fully updated.

Here are some other things you should do:

1) I highly recommend installing mod_security; the default rule sets are quite good at preventing exploitation.

2) Make sure your PHP web applications have their own restricted MySQL user account. Make sure FILE_PRIV has been revoked on this account. The MySQL FILE privilege is one of the worst things you can give a web application. You should also make sure that it only has access to the databases it needs to work. For instance, it would be a mistake to give the user account access to mysql.user.

3) Run PHPSecInfo and modify your php.ini file accordingly. You shouldn't have any RED errors.

4) Run OpenVAS, which is the freer version of Nessus. OpenVAS will run Nikto along with a bunch of other tests.
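The answer's point that Nikto output needs manual inspection can be partly scripted: a Joomla front controller that answers every URL with 200 makes Nikto's path checks match regardless of whether vbulletin or autologon files exist. The following is an added example, not code from the question or the answer; it parses Nikto's plain-text findings and classifies each flagged path by re-requesting it through a caller-supplied fetch function, using a canary URL that cannot exist to detect catch-all responses. The sample lines, the canary path and the stand-in fetch function are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample: a handful of lines in the shape of the Nikto output above.
SAMPLE_NIKTO = """\
+ OSVDB-3092: /administrator/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing is enabled: /images
+ OSVDB-3299: /vbcalendar.php?calbirthdays=1&action=getday: Vbulletin allows remote command execution. See link
+ /autologon.html?10514: Remotely Anywhere 5.10.415 is vulnerable to XSS attacks.
"""

# "+ [OSVDB-id: ]/path: message"; the non-greedy path stops at the first ": ".
LINE_RE = re.compile(r"^\+ (?:(OSVDB-\d+): )?(/\S*?): (.*)$")

def parse_nikto(text: str) -> List[Tuple[str, str, str]]:
    """Return (osvdb_id, path, message) per finding line; osvdb_id is '' when absent."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1) or "", m.group(2), m.group(3)))
    return found

Fetch = Callable[[str], Tuple[int, str]]  # path -> (HTTP status, body)
CANARY = "/nikto-triage-canary-does-not-exist"  # assumed never to exist on the host

def triage(findings: List[Tuple[str, str, str]], fetch: Fetch) -> Dict[str, str]:
    """Classify each flagged path:
    missing       -> 404, the file Nikto guessed is not there (false positive)
    index-listing -> body is an Apache directory index (fix with Options -Indexes)
    catch-all     -> the canary also got 200, so a 200 here proves nothing
    review        -> 200 while the canary 404s; inspect by hand
    """
    canary_status, _ = fetch(CANARY)
    verdicts = {}
    for _, path, _ in findings:
        status, body = fetch(path)
        if status == 404:
            verdicts[path] = "missing"
        elif "Index of /" in body:
            verdicts[path] = "index-listing"
        elif canary_status == 200:
            verdicts[path] = "catch-all"
        else:
            verdicts[path] = "review"
    return verdicts

def fake_joomla_fetch(path: str) -> Tuple[int, str]:
    """Constructed stand-in for a host whose front controller answers every URL with 200."""
    if path.startswith("/images/"):
        return 200, "<title>Index of /images</title>"
    return 200, "<html>Joomla front page</html>"

if __name__ == "__main__":
    for path, verdict in triage(parse_nikto(SAMPLE_NIKTO), fake_joomla_fetch).items():
        print(f"{verdict:14} {path}")
```

Against a live host, replace fake_joomla_fetch with a function that performs a GET and returns the status and body; paths classified catch-all are the ones the answer says need manual inspection rather than a patch.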