
2013-11 PHP security issue

PHP versions 5.3.x before 5.3.12 and 5.4.x before 5.4.2, when PHP is executed as a CGI binary (php-cgi), are vulnerable to remote code execution: a crafted query string is interpreted by php-cgi as command-line options, which lets an unauthenticated attacker run arbitrary PHP code on the server.

Please note that even if your machine has been compromised, the attacker scripts run with the same permissions as the Apache web server (the daemon user), so the attacker cannot modify files owned by the bitnami user or root (unless the attacker also has a separate local privilege escalation). The daemon user can, however, read anything the web server can read, such as application configuration files containing database credentials, and write anywhere the web server can write, such as application upload directories. The attacker scripts are usually used to scan other machines.

Find more information about the issue.

Prevent access

To prevent unauthorized access, log into your servers and remove the php-cgi binaries from the cgi-bin directory by executing the command below. Removing the CGI binary does not affect PHP applications served through the Apache PHP module; it only closes the CGI entry point the attack uses.

$ sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin

Detect if the system is compromised

  • Check the Apache log files for requests to cgi-bin/php-cgi. The command below matches POST requests to php-cgi whose URL ends in a percent-encoded byte (the exploit passes php-cgi command-line options in the query string, URL-encoded) and that were answered with 200; any match means your machine has very probably been attacked. Because the pattern is narrow (POST only, one encoding, status 200), also search the log files, including rotated ones, for any request containing cgi-bin/php-cgi:

    $ egrep 'POST /cgi-bin/php-cgi.*6E HTTP.* 200 ' /opt/bitnami/apache2/logs/access_log
    
  • Alternatively, detect whether your machine has been compromised by looking for what the attacker scripts leave behind as the daemon user (files in the temporary directories, processes, cron jobs and at jobs used for persistence):

    $ ls -asl /tmp /var/tmp
    $ sudo ps -Udaemon -u daemon
    $ sudo crontab -l -u daemon
    $ sudo atq
    

    If you notice any daemon processes other than atd or httpd, any suspicious files owned by the daemon user in the /var/tmp or /tmp directories, or any cron or at jobs defined for the daemon user, your machine is very likely compromised. Note that on a Debian-based system atd legitimately runs as the daemon user, so its presence alone is not a sign of compromise.
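The two detection steps above, gathered into one script as an added example (this is not code from the Bitnami page). The log lines are constructed to show the patterns involved: the page's own grep catches the common percent-encoded POST, but a clear-text "?-s" sent with GET, which also hits the vulnerability, slips past it. The log path and the daemon user name are the Bitnami ones described on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Bitnami page): scan Apache access logs for
# php-cgi abuse and list what the daemon user left behind. The log lines
# below are constructed to illustrate the patterns; the log path and the
# daemon user name match the Bitnami layout described on the page.

# Every request that reached php-cgi at all, whatever the method or status.
php_cgi_requests() {
    grep -h 'cgi-bin/php-cgi' "$@"
}

# Requests whose query string starts with an option token: "?-d", "?-s" in
# clear text or "?%2d..." percent-encoded. That is how the exploit smuggles
# php-cgi command-line options; a legitimate CGI request never looks like this.
php_cgi_option_injections() {
    php_cgi_requests "$@" | grep -iE '"[A-Z]+ /cgi-bin/php-cgi(\.bin)?\?(-|%2d)'
}

# Option-carrying requests the server answered with 2xx: those are the ones
# that most likely executed attacker input (a 404 means php-cgi was already gone).
php_cgi_successful_injections() {
    php_cgi_option_injections "$@" | grep -c '" 2[0-9][0-9] ' || true
}

# The host-side checks from the page, gathered in one place; run as root.
daemon_artifacts() {
    echo '== daemon-owned files in temp directories =='
    find /tmp /var/tmp -maxdepth 1 -user daemon -ls 2>/dev/null
    echo '== daemon processes other than httpd/atd =='
    ps -U daemon -u daemon -o pid=,etime=,args= | grep -vE 'httpd|atd'
    echo '== daemon crontab and at queue =='
    crontab -l -u daemon 2>/dev/null; atq 2>/dev/null
}

# Constructed sample log (Apache combined format), written to a temp file.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [12/Nov/2013:03:14:07 +0000] "POST /cgi-bin/php-cgi?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%6E HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2013:03:15:01 +0000] "GET /cgi-bin/php-cgi?-s HTTP/1.1" 200 5120 "-" "curl/7.22.0"
192.0.2.10 - - [12/Nov/2013:03:15:30 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2013:09:02:11 +0000] "POST /cgi-bin/php-cgi?-d+auto_prepend_file%3Dphp://input HTTP/1.1" 404 290 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2013:09:03:44 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 200 80 "-" "python-requests/1.2"
EOF

echo "php-cgi requests:          $(php_cgi_requests "$SAMPLE_LOG" | grep -c .)"
echo "option injections:         $(php_cgi_option_injections "$SAMPLE_LOG" | grep -c .)"
echo "injections answered 2xx:   $(php_cgi_successful_injections "$SAMPLE_LOG")"
# On the real host: php_cgi_successful_injections /opt/bitnami/apache2/logs/access_log*
# and, as root: daemon_artifacts
```

On the sample, the page's grep matches only the first line; the script additionally flags the GET "?-s" request (PHP source disclosure, answered 200) and records the later 404 as an attempt that failed because the binary was already removed. Run the log functions against /opt/bitnami/apache2/logs/access_log* so rotated logs are included, and daemon_artifacts as root.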

Remove attacker scripts

Follow these steps:

  • Ensure that your Apache configuration is correct (apachectl -t must succeed) to avoid problems on restart; the script below checks this first and stops if the check fails.

  • Execute the following script. It keeps a copy of cgi-bin, the daemon crontab and any daemon-owned temporary files under /home/bitnami/201311-security-issue for later analysis rather than deleting them, removes the vulnerable binaries, kills every process running as daemon (this includes the Apache workers, which is why Apache is restarted at the end) and restarts Apache:

    mkdir -p /home/bitnami/201311-security-issue
    cd /home/bitnami/201311-security-issue || exit 1
    # Stop here if the Apache configuration does not parse, so the restart below cannot fail
    if ! sudo sh -c '. /opt/bitnami/scripts/setenv.sh && /opt/bitnami/apache2/bin/apachectl -t'; then
      echo 'APACHE CONFIG PROBLEM!!!'
    else
      # Keep a copy of cgi-bin for analysis before removing the vulnerable binaries
      cp -r /opt/bitnami/apache2/cgi-bin .
      sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin
      mkdir -p attacker_files
      cd attacker_files
      # Preserve the daemon crontab as evidence (the spool directory is not readable without root)
      if sudo test -f /var/spool/cron/crontabs/daemon; then
        sudo mv /var/spool/cron/crontabs/daemon crontabs_daemon
      fi
      mkdir -p daemon_tmp_files daemon_var_tmp_files
      # Quarantine daemon-owned files from the temp directories (xargs -r: do nothing if there are none)
      find /var/tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 -r mv -t daemon_var_tmp_files --
      find /tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 -r mv -t daemon_tmp_files --
      # Kill every process owned by daemon, attacker scripts and Apache workers alike
      sudo ps -U daemon -u daemon -o pid= | sudo xargs -r kill -9
      sudo /opt/bitnami/ctlscript.sh restart apache
    fi
    
    
  • At the end of this process, reboot the system. Keep in mind that this cleanup only removes artifacts found in the locations listed above; the attacker could also have modified anything writable by the daemon user elsewhere (for example web application upload directories) or used credentials read from configuration files. If the logs show a successful request to php-cgi, also rotate those credentials and consider restoring the server from a backup taken before the first php-cgi request.