Looks like it's working for me: And for the record, this is also a handy link to have (read): http://www.howtoforge.com/forums/showthread.php?t=58062
Could you please post your php versions? It would be nice to get some information about what output these commands give:
Code:
/usr/lib/cgi-bin/php5 -v
Code:
/usr/bin/php5-cgi -v
Seems to me that not all versions are vulnerable.
And with this version you have been vulnerable before using modsec? Or have you updated your php5 along with modsec install?
Do you still know which version was there before? Maybe an update of php would have been enough (doesn't mean modsec isn't helpful).
Sorry.. I do not know. All I needed to do was enable modsec (what I did yesterday) to start working. It's maybe not needed, but as I discovered yesterday also a nice tool to debug websites
Info you wanted
root@server1:~# /usr/lib/cgi-bin/php5 -v
PHP 5.3.3-1ubuntu9.10 with Suhosin-Patch (cgi-fcgi) (built: Feb 11 2012 06:39:58)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
root@server1:~#
Info you wanted
root@server1:~# /usr/bin/php5-cgi -v
PHP 5.3.3-1ubuntu9.10 with Suhosin-Patch (cgi-fcgi) (built: Feb 11 2012 06:40:15)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
root@server1:~#
And if I did NOT say this earlier, thank you all for the help. I think I speak for all of us when I say we appreciate the hell out of this. (big New York style manhug) ROFL!
Hum, to be honest... this looks like a quite old and outdated version that should be vulnerable, I think. Try getting a newer version. You see there that the package was built more than one year ago (Feb 2012). EDIT: Ok, just tested this package. It IS VULNERABLE!
Still vulnerable? So after all the work I've done to the system, I am still vulnerable? This sucks. Looks like I should just get everything moved to the new server and be done with it! I have not seen any odd behavior after changing all the settings in PHP though?
I said the php version is vulnerable not your system. If you deny all possible access to php-cgi, the system might be ok. Anyway you would be safer using a newer php version. This one is seriously outdated.
Hello Again, Could you tell me if my version is also vulnerable:
PHP 5.3.3-7+squeeze3 with Suhosin-Patch (cgi-fcgi) (built: Jun 28 2011 08:20:48)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0 Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1 Copyright (c) 2007-2010, by SektionEins GmbH
I am afraid it is since the built date is from 2011! What is a good procedure to update php without breaking anything else (Debian Squeeze + ISPConfig 3)? Thanks Cheers
Updates on Debian normally do not break anything. I have used Debian for years and the regular updates never broke one of my servers. It is highly recommended to install all available updates for squeeze, not just php. Otherwise your server might get hacked through a vulnerability in another software package. If you do this with:
apt-get update
apt-get upgrade
then the php version after the update should be: PHP 5.3.3-7+squeeze17 (built: Aug 23 2013 15:06:16)) which is not vulnerable for this exploit.
Just check that in your apt sources.list it says "squeeze" and not "stable". Otherwise your system would try to upgrade to wheezy, which could indeed break something. Upgrading inside squeeze should not break anything, as Till stated!
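The sources.list check from the post above, written as a script. This is an added example, not part of the original thread: the function names `check_sources` and `write_sample` are hypothetical, and the sample repository lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check an apt sources file before
# "apt-get upgrade" so a suite alias such as "stable" cannot pull in the next release.

# check_sources FILE [CODENAME]   (CODENAME defaults to squeeze, as in the thread)
# Prints one line per offending entry; returns 0 if every entry uses CODENAME, else 1.
check_sources() {
    awk -v want="${2:-squeeze}" '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        $1 != "deb" && $1 != "deb-src" { next }     # not a repository entry
        {
            i = 2
            if ($i ~ /^\[/) {                       # optional "[ arch=... ]" block
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            suite = $(i + 1)                        # field after the URI
            base = suite
            sub("[/-].*$", "", base)                # squeeze/updates -> squeeze
            if (base != want) {
                printf "%s:%d: suite \"%s\" is not \"%s\"\n", FILENAME, NR, suite, want
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input: one entry tracks the alias "stable".
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real server
deb http://ftp.debian.org/debian squeeze main
deb [arch=amd64] http://security.debian.org/ squeeze/updates main
deb-src http://ftp.debian.org/debian stable main
EOF
}

sample=$(mktemp)
write_sample "$sample"
check_sources "$sample" squeeze || echo "Fix the entries above before running apt-get upgrade."
rm -f "$sample"
```

On a real system the function would be pointed at `/etc/apt/sources.list` and at each file under `/etc/apt/sources.list.d/`.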
To the attention of the ISPConfig staff:
Seems that this security issue that is being used was fixed in the Ubuntu 10.04 LTS package in May 2012 by the following USN:
http://www.ubuntu.com/usn/usn-1437-1/
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-2311.html
That's a php issue and not ISPConfig specific, and ISPConfig does not provide any php packages of its own. So as long as you installed your Linux system updates from Ubuntu / Debian / CentOS or whatever distribution you use regularly, your system is safe from these attacks since May 2012.