Security Flaw in ISPC2

Discussion in 'General' started by dayjahone, Mar 2, 2011.

  1. dayjahone

    dayjahone Member

    With the latest version of ISPConfig installed, attackers are able to execute arbitrary code as admispconfig on the server (uid=1001). They have used this exploit to upload email addresses to /tmp and /dev/shm and send spam email to the addresses. They have also been able to run a backdoor perl shell (dc.txt). We are unable to identify the security exploit allowing them to execute code in the first place.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have phpmyadmin installed? Then the hackers most likely got in trough phpmyadmin, there were several problems in phpmyadmin detected in the last months. A installed phpmyadmin package runs under the user admispconfig, thats why this can be easily mixed up with a ispconfig problem.
  3. dayjahone

    dayjahone Member

    Yes, I do have phpmyadmin installed. Any idea how to solve it?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    First you should remove the current phpmyadmin package:

    rm -r /home/admispconfig/ispconfig/web/phpmyadmin
    rm /home/admispconfig/ispconfig/web/phpmyadmin.tar.gz
    rm -r /home/admispconfig/ispconfig/web/tools/tools/phpmyadmin

    and install a new one trough ispconfig. Jonas is releasing new phpmyadmin packages for ispconfig on a regular basis, the latest package can be found here:

    Then you will have to try to find the files that the hacker uploaded. If you know the creation date of the dc.txt, you can e.f. scan for files that date, especially interesiting are files inside /home/admispconfig/. Also look for files owned by the user admispconfig that are in unusual places (outside of /home/admispconfig). If you are unsure if a file belongs to ispconfig, feel free to post the path here.

    You should then check your system with rkhunter and chkrootkit in case that the attacker was able to get root permissions.

Share This Page