2013-11 PHP security issue
PHP versions 5.3.x before 5.3.12 and 5.4.x before 5.4.2 are vulnerable to a remote code execution attack.
Please note that even if your machine has been compromised, the attacker scripts run with the same permissions as the Apache web server (the daemon user), so the attacker does not have rights to modify any files owned by the bitnami user or root user. The attacker scripts are usually used to scan other machines.
Prevent access
To prevent unauthorized access, log into your servers and remove the following files by executing the command:
$ sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin
Detect if the system is compromised
- Check Apache log files and search for cgi-bin/php-cgi requests. If there are any present, it is possible that your machine has already been attacked. Use the command below:
  $ egrep 'POST /cgi-bin/php-cgi.*6E HTTP.* 200 ' /opt/bitnami/apache2/logs/access_log
- Alternatively, detect if your machine has been compromised by executing the following commands:
  $ ls -asl /tmp /var/tmp
  $ sudo ps -Udaemon -u daemon
  $ sudo crontab -l -u daemon
  $ sudo atq
If you notice any processes running apart from atd or httpd, or if you see any suspicious files owned by the daemon user in the /var/tmp or /tmp directories, or if you see any strange cron jobs defined for the daemon user, it means your machine is affected.
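As an added example (not part of the Bitnami notice), the log check above applied to constructed access_log lines: it parses Apache combined-format entries, flags every request that touches php-cgi (the loose test the notice describes), and separately applies the notice's stricter egrep for successful POSTs, so both levels of suspicion can be counted per client address.

```python
import re
from collections import Counter

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same expression as the notice's egrep: a POST to php-cgi whose query ends in 6E and got a 200.
PAGE_PATTERN = re.compile(r'POST /cgi-bin/php-cgi.*6E HTTP.* 200 ')

def classify(line):
    """Return None for lines not aimed at php-cgi, otherwise the fields worth reviewing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group('target')
    path = target.split('?', 1)[0]
    # Covers both php-cgi and php-cgi.bin, the two files the notice tells you to remove.
    if not path.startswith('/cgi-bin/php-cgi'):
        return None
    return {
        'ip': m.group('ip'),
        'method': m.group('method'),
        'status': int(m.group('status')),
        'has_query': '?' in target,
        'matches_page_grep': bool(PAGE_PATTERN.search(line)),
    }

def summarize(lines):
    """Per client: (all php-cgi requests, requests matching the notice's stricter grep)."""
    hits, strict = Counter(), Counter()
    for line in lines:
        info = classify(line)
        if info is None:
            continue
        hits[info['ip']] += 1
        if info['matches_page_grep']:
            strict[info['ip']] += 1
    return {ip: (hits[ip], strict[ip]) for ip in hits}

# Constructed sample entries (documentation-range addresses, harmless query token "%6F%70%65%6E").
SAMPLE_LOG = """\
198.51.100.7 - - [12/Nov/2013:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Nov/2013:10:02:17 +0000] "POST /cgi-bin/php-cgi?%6F%70%65%6E HTTP/1.1" 200 417 "-" "curl/7.29.0"
203.0.113.9 - - [12/Nov/2013:10:02:18 +0000] "GET /cgi-bin/php-cgi HTTP/1.1" 404 211 "-" "curl/7.29.0"
192.0.2.44 - - [12/Nov/2013:10:03:00 +0000] "POST /cgi-bin/php-cgi HTTP/1.0" 500 0 "-" "python-requests/2.0"
""".splitlines()

if __name__ == '__main__':
    for ip, (total, strict_hits) in summarize(SAMPLE_LOG).items():
        print(f'{ip}: {total} php-cgi request(s), {strict_hits} matching the notice grep')
```

On a real host, replace SAMPLE_LOG with the lines of /opt/bitnami/apache2/logs/access_log; any client in the output deserves the process, cron and /tmp checks listed above.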
Remove attacker scripts
Follow these steps:
- Ensure that your Apache configuration is correct to avoid problems on restart.
- Execute the following script:
  # Working directory where copies of the removed and attacker files are kept for later analysis
  mkdir -p /home/bitnami/201311-security-issue
  cd /home/bitnami/201311-security-issue
  # Validate the Apache configuration first; do nothing if it would not restart cleanly
  sudo sh -c '. /opt/bitnami/scripts/setenv.sh && /opt/bitnami/apache2/bin/apachectl -t'
  if [ $? != 0 ]; then
    echo 'APACHE CONFIG PROBLEM!!!'
  else
    # Keep a copy of cgi-bin, then remove the vulnerable php-cgi binaries
    cp -r /opt/bitnami/apache2/cgi-bin .
    sudo rm -f /opt/bitnami/apache2/cgi-bin/php-cgi /opt/bitnami/apache2/cgi-bin/php-cgi.bin
    # Move the daemon user's crontab and any files it owns in /tmp and /var/tmp out of the way
    mkdir -p attacker_files
    cd attacker_files
    sudo mv /var/spool/cron/crontabs/daemon crontabs_daemon
    mkdir -p daemon_tmp_files daemon_var_tmp_files
    find /var/tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 mv -t daemon_var_tmp_files --
    find /tmp/ -maxdepth 1 -user daemon -print0 | sudo xargs -0 mv -t daemon_tmp_files --
    # Kill every process running as the daemon user, then bring Apache back up
    sudo ps -Udaemon -u daemon | grep -v PID | awk '{print $1}' | sudo xargs kill -9
    sudo /opt/bitnami/ctlscript.sh restart apache
  fi
- At the end of this process, reboot the system.