vBSEO Security Bulletin - vBSEO 3.3.2 Released

Discussion in the vBSEO Announcements forum (Announcements & Pre-Sales category); page 7 of 13, posts 91 to 105 of 190.

  1. #91
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Also, I forgot to mention in my earlier post....

    You must scan your entire (web) filesystem and look for .htaccess files.

    You must examine each one.....

    The attacker will add .htaccess files to make the hidden PHP files (hidden as jpgs, gifs, .txt etc) executable CGI scripts.

  2. #92
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Examples of scans.... if you need examples:

    Scan the file system for httpd-php in .htaccess files:

    Code:
    find . -name .htaccess -exec grep -i httpd-php {} \;
    Scan the file system for the phrase phpspypass in gif files:

    Code:
    find . -regex '.*\.gif$' -exec grep phpspypass {} \;

  3. #93
    webwizzy (Vinayak; Senior Member; joined Aug 2008; location India; 257 posts; liked 0 times)
    Quote Originally Posted by Oleg Ignatiuk View Post
    Also, if you have a writable folder (attachments, customprofilepic, etc), I would recommend to create an .htaccess file in each of these folders that will block script requests from those folders:
    Code:
    <Files ~ "\.(php\d*|cgi|pl|phtml)$">
       order allow,deny
       deny from all
    </Files>
    Hi,

    I have created this .htaccess file in the following writable folders:

    customavatars
    customgroupicons
    customprofilepics
    signaturepics

    1. I wanted to know whether this .htaccess also goes in the attachments/ and albums/ folders even if they are above root?

    2. Should I also put this .htaccess in customavatars/thumbs/ and customgroupicons/thumbs/ ?

    3. ibproarcade's arcade/ directory and vbadvanced modules/ directory are also set to 0777. Should I put this .htaccess in these folders too? Can it create some problem as both the folders don't just contain images.

    Thanks

  4. #94
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Quote Originally Posted by webwizzy View Post
    1. I wanted to know whether this .htaccess also goes in the attachments/ and albums/ folders even if they are above root?
    Yes. You should put it in any and all directories you want to protect (that are required to be writable by the web server). However, it is not enough just to create the .htaccess file. You must ensure that it is not writable or movable or renamable by your web server. Just creating this file will not protect you, because the attacker will just edit the file.

    Quote Originally Posted by webwizzy View Post
    2. Should I also put this .htaccess in customavatars/thumbs/ and customgroupicons/thumbs/ ?
    Yes.

    Quote Originally Posted by webwizzy View Post
    3. ibproarcade's arcade/ directory and vbadvanced modules/ directory are also set to 0777. Should I put this .htaccess in these folders too? Can it create some problem as both the folders don't just contain images.
    Thanks
    These directories above should not be set to 777. For our site, none of these directories and files are writable by the web server user ID.

    If you set your file and directory permissions correctly, you don't need the .htaccess protection file because that directory is not writable by the web server.

    Make sure directories that do not need to be written to by the web server (avatars, attachments, etc. are required to be writable) are not writable by the web server !!!! Same for files too!!

    If your web server runs as "www" and the group is "www", then the files should be owned by someone else (a different user ID), for example, root or admin etc. Only root, for example, should be able to write to your directories with static PHP files, etc. Never. Never. Never... (did I say it enough?) should your static directories and files be writable by the web server if you want to protect your filesystem.

  5. #95
    Brian Cummiskey (vBSEO Staff; joined Jul 2009; location btwn NYC and Boston; 12,782 posts; liked 648 times; 2 blog entries)
    htaccess works up. If you place the file in customavatars, so long as you don't have an htaccess file in customavatars/subfolder/ the customavatars file will cover the subfolders.
    Brian Cummiskey / Crawlability Inc.
    vBSEO 3.6.0 GOLD Released!
    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!


  6. #96
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Quote Originally Posted by Brian Cummiskey View Post
    htaccess works up. If you place the file in customavatars, so long as you don't have an htaccess file in customavatars/subfolder/ the customavatars file will cover the subfolders.
    Hi Brian,

    Your statement is true, generally speaking.

    However, an attacker who gains access to the filesystem, as we are seeing as the results of SQL Injection and other exploits, can write their own .htaccess files.

    So, if the filesystem (subdirectories) is writable by the web server user ID, then not having a protected .htaccess file in the subdirectory will permit an attacker to create one.

    Since we are discussing, primarily, directories write-enabled for the web server process, not having a .htaccess file in the subdirectories leaves the subdirectories open to attack.

    This is a fact, not theory, BTW.

    You must place a .htaccess file in web server write-enabled subdirectories, and protect that file from web-server changes, deletions, renaming, etc. or the subdirectories are completely vulnerable.

    Cheers.
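The rule from post #93 and the advice in posts #94 and #96 can be checked mechanically. The script below is an added example, not code from the thread or from vBSEO: it writes the quoted <Files> deny rule into an upload directory, makes that file read-only and sets the sticky bit on the directory (so a web-server process that must be allowed to create uploads there still cannot delete or rename a .htaccess owned by another account), and then audits a tree for the two problems Hugh describes: a .htaccess that group or others can write, and a world-writable directory with no protected .htaccess of its own. The sample tree (customavatars, customavatars/thumbs, albums, includes) is constructed for the demo; run audit_writable against your own web root.

```shell
#!/bin/sh
# Added example, not from the thread: apply and audit the .htaccess protection
# discussed in posts #93-#96. All paths below are constructed for the demo.

# Write the thread's <Files> deny rule to DIR/.htaccess and make it read-only.
write_deny_htaccess() {
  dir=$1
  cat > "$dir/.htaccess" <<'EOF'
<Files ~ "\.(php\d*|cgi|pl|phtml)$">
   order allow,deny
   deny from all
</Files>
EOF
  chmod 444 "$dir/.htaccess"
  # An upload directory stays writable by the web server, so without further
  # care the .htaccess could be deleted or renamed. The sticky bit limits
  # delete/rename inside the directory to the file owner, directory owner and
  # root, which covers "not movable or renamable" as long as the .htaccess is
  # owned by an account other than the web server's.
  chmod +t "$dir"
}

# True when DIR has no .htaccess, or its .htaccess is group/other writable.
htaccess_unprotected() {
  f=$1/.htaccess
  [ ! -f "$f" ] && return 0
  [ -n "$(find "$f" \( -perm -0020 -o -perm -0002 \) -print)" ]
}

# Print (1) every .htaccess under ROOT that group or others can write and
# (2) every world-writable directory under ROOT lacking a protected .htaccess.
# Mode bits are used rather than -w so the result does not depend on who runs
# the audit.
audit_writable() {
  root=$1
  find "$root" -type f -name .htaccess \( -perm -0020 -o -perm -0002 \) -print
  find "$root" -type d -perm -0002 -print | while IFS= read -r d; do
    htaccess_unprotected "$d" && echo "$d"
  done
}

# Constructed sample tree reproducing the cases from the thread.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/customavatars/thumbs" "$root/albums" "$root/includes"
  chmod 777 "$root/customavatars" "$root/customavatars/thumbs" "$root/albums"
  chmod 755 "$root/includes"                       # static PHP: not web-writable
  : > "$root/includes/functions.php"
  chmod 644 "$root/includes/functions.php"
  write_deny_htaccess "$root/customavatars"        # protected, as post #93 did
  # The forgotten subdirectory from post #96: writable .htaccess, wrong rule.
  printf 'AddHandler application/x-httpd-php .gif\n' > "$root/customavatars/thumbs/.htaccess"
  chmod 666 "$root/customavatars/thumbs/.htaccess"
  echo "$root"
}

case "${1-}" in
  demo)
    root=$(make_sample_tree)
    echo "Findings in constructed tree $root:"
    audit_writable "$root"
    rm -rf "$root"
    ;;
esac
```

Run it as `sh audit.sh demo` to see the three findings (the writable thumbs/.htaccess, the thumbs directory, and albums/ with no .htaccess); customavatars/ itself is not reported because its .htaccess is read-only, and includes/ is not reported because it is not world-writable. Ownership is not checked here because the web server account name is site-specific; `find ROOT -user www -print` lists what a server running as "www" owns, for the case Hugh describes in post #94.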

  7. #97
    woostar (Senior Member; joined Apr 2007; 786 posts; liked 5 times)
    Quick question: is this another bug? Or the same one? I updated again (because I couldn't remember if I did all my forums) and the patched file sizes were different (to the ones I know I definitely patched).
    2011 Average: 1 post every 5 seconds... 24/7

  8. #98
    Brian Cummiskey (vBSEO Staff; joined Jul 2009; location btwn NYC and Boston; 12,782 posts; liked 648 times; 2 blog entries)
    Quote Originally Posted by woostar View Post
    Quick question: is this another bug? Or the same one? I updated again (because I couldn't remember if I did all my forums) and the patched file sizes were different (to the ones I know I definitely patched).
    The files have not been updated. The zip may be slightly different in size if you unpacked it differently. The files should all have a create-date timestamp of around 11pm 11/17/2009.


  9. #99
    woostar (Senior Member; joined Apr 2007; 786 posts; liked 5 times)
    So, was this bug found yesterday or when this thread was started (hence the 3.3.2 release)?

  10. #100
    Brian Cummiskey (vBSEO Staff; joined Jul 2009; location btwn NYC and Boston; 12,782 posts; liked 648 times; 2 blog entries)
    Quote Originally Posted by woostar View Post
    So, was this bug found yesterday or when this thread was started (hence the 3.3.2 release)?
    Yesterday. We simply added on to this release as it is a similar issue to the previous and did not require a full version upgrade. Plus, by keeping the version the same, hackers don't know if you are patched or not simply by sending a bot around to collect version numbers.


  11. #101
    gorsan (Senior Member; joined Jan 2006; 114 posts; liked 0 times)
    I am getting positives from
    find /home/main -regex '.*\.gif$' -exec grep php {} \;

    When I look inside the gif file:
    <COPY>Copyright 2004 The phpBB Group, All Rights Reserved
    Are these gif files hacked too?

  12. #102
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Quote Originally Posted by gorsan View Post
    I am getting positives from
    find /home/main -regex '.*\.gif$' -exec grep php {} \;

    When I look inside the gif file:
    <COPY>Copyright 2004 The phpBB Group, All Rights Reserved
    Are these gif files hacked too?
    Not sure.....

    First, check the regex to see if it is working properly.

    Run.....

    Code:
    find /home/main -regex '.*\.gif$' | more  (or whatever)
    and check to see if the regex is working on your system and you only see gif files.

    If it is working, then you need to look inside any gif file (or jpg, etc.) that has PHP code in it, absolutely.

    Is your regex working properly?

    (regex expressions can work differently on different systems)

  13. #103
    gorsan (Senior Member; joined Jan 2006; 114 posts; liked 0 times)
    Thank you.
    Since I can call the gif image from the web, I am assuming it is not a virus.

  14. #104
    Brian Cummiskey (vBSEO Staff; joined Jul 2009; location btwn NYC and Boston; 12,782 posts; liked 648 times; 2 blog entries)
    Quote Originally Posted by gorsan View Post
    I am getting positives from
    find /home/main -regex '.*\.gif$' -exec grep php {} \;

    When I look inside the gif file:
    <COPY>Copyright 2004 The phpBB Group, All Rights Reserved
    Are these gif files hacked too?
    Did you convert from phpBB at one point in time? Is the image that is found a valid phpBB graphic? If so, I would say you are likely ok. Most gifs have some sort of plain text embedded into them naturally.


  15. #105
    Hugh O'Hare (Member; joined Jun 2007; 69 posts; liked 0 times)
    Quote Originally Posted by Brian Cummiskey View Post
    ..... most gifs have some sort of plain text embedded into them naturally.
    That is correct.

    It is better to search for a known phrase that the attacker has in their code that is unique (more unique than "php").

    That is why I only provided examples. Examples are only examples. You have to do your own detective work. Don't only search gifs. Search jpgs, png, etc. Search text..... Search search search...

    A better example is to search for phpspypass

    phpspypass is a phrase found in real world attacker code we have seen.

    When an attacker scans for a vulnerability, for example an SQL injection weakness, they will all do different things. One might plant one type of file, another might plant a different file or two or more.

    If you really want more protection (detection, not prevention), install tripwire.

    Cheers!

    PS: PM if you need more info and we can discuss general filesystem protection elsewhere. I don't want to take too much more space in this thread on general filesystem security topics. Good luck...
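The scans from post #92 and the "search for something more specific than php" point from posts #101 to #105 combine into one script. The following is an added example, not code from the thread or from vBSEO: it generalises Hugh's two find commands to list (a) .htaccess files that change how Apache handles an extension and (b) image or text files whose content contains a PHP open tag or the phpspypass marker he names, while leaving alone a gif that merely carries the phpBB copyright comment gorsan ran into. The marker list, the file extensions and the sample files are constructed for the demo; the marker list in particular is an assumption you should replace with strings you have actually seen.

```shell
#!/bin/sh
# Added example, not from the thread: generalised versions of the scans in
# post #92 with a marker list that avoids the false positive from post #101.

# Constructed marker list (ERE): PHP open tags plus the thread's phpspypass.
# Keep this short and specific, as post #105 recommends; "php" alone matches
# harmless text such as "phpBB".
MARKERS='<\?php|<\?=|phpspypass'

# (a) .htaccess files that map extensions to a handler or change the MIME
# type; each one listed needs to be read by a person.
find_handler_htaccess() {
  find "$1" -type f -name .htaccess \
    -exec grep -l -i -E 'httpd-php|AddHandler|SetHandler|AddType' {} \;
}

# (b) files that should be images or plain text but contain PHP markers.
# -a makes grep treat binary image data as text so the match is reported.
find_php_in_uploads() {
  find "$1" -type f \( -iname '*.gif' -o -iname '*.jpg' -o -iname '*.jpeg' \
      -o -iname '*.png' -o -iname '*.txt' \) \
    -exec grep -a -l -E "$MARKERS" {} \;
}

# Constructed sample tree: a clean gif, the phpBB-copyright gif from post
# #101, a gif carrying PHP markers, a real PHP file, and two .htaccess files.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/images" "$root/customavatars"
  printf 'GIF89a\001\000\001\000\n' > "$root/images/clean.gif"
  printf 'GIF89a\001\000\001\000<COPY>Copyright 2004 The phpBB Group, All Rights Reserved\n' \
    > "$root/images/phpbb_logo.gif"
  printf 'GIF89a\n<?php /* constructed fixture */ ?>\nphpspypass\n' \
    > "$root/customavatars/avatar_12.gif"
  printf '<?php echo "site code"; ?>\n' > "$root/index.php"   # out of scope for (b)
  printf 'Options -Indexes\n' > "$root/.htaccess"              # harmless
  printf 'AddHandler application/x-httpd-php .gif\n' > "$root/customavatars/.htaccess"
  echo "$root"
}

case "${1-}" in
  demo)
    root=$(make_sample_tree)
    echo "Handler-changing .htaccess files:"; find_handler_htaccess "$root"
    echo "Uploads containing PHP markers:";   find_php_in_uploads "$root"
    rm -rf "$root"
    ;;
esac
```

Run as `sh scan.sh demo`: only customavatars/.htaccess and customavatars/avatar_12.gif are reported; the phpBB-copyright gif that matched a bare `grep php` is not. Against a real tree, call `find_handler_htaccess /path/to/webroot` and `find_php_in_uploads /path/to/webroot` directly, and treat every hit as something to open and read rather than as proof of compromise.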
