PHP auto_prepend_file abuse

adstock
Forum User
Posts: 22
Joined: Tue Aug 08, 2006 5:07 pm

PHP auto_prepend_file abuse

Unread post by adstock »

Hello,

I woke up to find that web sites on the server using PHP were not working and just provided this error message:

Warning: Unknown: SAFE MODE Restriction in effect. The script whose uid is 10002 is not allowed to access /tmp/.tmp.err owned by uid 0 in Unknown on line 0 Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0 Fatal error: Unknown: Failed opening required '/tmp/.tmp.err' (include_path='.:') in Unknown on line 0

I then found in /etc/php.ini, at the bottom of the file, a second entry for the variable, set as
auto_prepend_file=/tmp/.tmp.err

I have removed this and rebooted the server, and am still getting the same error message, and phpinfo() is showing me the variable is still set, which would suggest it is being injected somewhere.

I will update this once I have found out more, or someone comes to my aid.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PHP auto_prepend_file abuse

Unread post by mikeshinn »

If your /etc/php.ini file was modified then the attackers either got root access to your system, or your permissions on /etc/php.ini allow non-root users to access the file.

So the first thing I would do is check your trusted backups to see how the file was configured (you can't rely on the system itself at this point; if they got root the entire system could be compromised and at that point the system can just lie to you). If you can confirm that the permissions on that file only allowed root access, then they have managed to gain root access to your system, either by stealing root credentials or by compromising the system via a vulnerability. For example, if you use a control panel that allows modification of /etc/php.ini then they may have compromised the control panel, or even another application on the system that allowed root access.

If the file allowed non-root users to modify it, then you need to make sure /etc/php.ini can only be changed by root. If you use a control panel that requires the file to be non-root writable, get rid of that control panel.
adstock
Forum User
Posts: 22
Joined: Tue Aug 08, 2006 5:07 pm

Re: PHP auto_prepend_file abuse

Unread post by adstock »

Thanks for the advice.

The /etc/php.ini is not backed up, as each site is backed up and restored to a new server. I cleared the variable out of /etc/php.ini this morning, but phpinfo() reveals it is still sitting in the config.

After finally getting grep to return results, I have found this in

<FilesMatch "\.(php|php5|php4|htm|html|jsp|shtml|asp|aspx)$">
php_value auto_prepend_file "/tmp/.tmp.err"
</FilesMatch>

so I have removed it for the time being.

I have also found the same text in
/etc/httpd/conf.d

<FilesMatch "\.(php|php5|php4|htm|html|jsp|shtml|asp|aspx)$">
php_value auto_prepend_file "/tmp/.tmp.err"
</FilesMatch>
with both of these entries removed, and a httpd restart I have been able to clear up the TMP directory and keep the sites up.

Has anyone seen this sort of thing before?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: PHP auto_prepend_file abuse

Unread post by mikeshinn »

So if anything in /etc/httpd/conf.d/* was modified, then they either have root access to your system, or the permissions on that directory are incorrect.

If you are not sure if this was just a permissions issue, then I would assume they got root on the system. If they got root, and you aren't using the ASL RBAC system, then you will want to assume that they may have compromised more than just those files, and will want to restore the system from a trusted backup or reinstall the system. A root compromise can hide all manner of things, including other ways for them to get on the system.
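A check in the spirit of the advice above, added here as an example and not part of the thread or of ASL: it hunts for auto_prepend_file/auto_append_file directives in PHP and Apache configuration (php.ini syntax as well as php_value stanzas in conf.d and .htaccess) and lists config files that a non-root user could edit. The Red Hat-style paths and the sample tree it builds are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for injected auto_prepend_file /
# auto_append_file directives and flag group/world-writable config files.
# Paths below are assumptions for a Red Hat-style layout; point the functions
# at your own php.ini, php.d, httpd tree and document roots.

# Print every line setting auto_prepend_file or auto_append_file, whether in
# php.ini syntax or as php_value/php_admin_value in httpd.conf, conf.d or .htaccess.
scan_prepend() {
    grep -rnEi '^[[:space:]]*(php_(admin_)?value[[:space:]]+)?auto_(prepend|append)_file' "$@" 2>/dev/null
}

# Number of such lines; prints 0 when grep finds nothing (grep itself exits 1 then).
count_prepend() {
    scan_prepend "$@" | wc -l | tr -d ' '
}

# Files a non-root user could edit (group- or world-writable).
# Ownership should be checked too: ls -l on each hit should show root.
weak_perms() {
    find "$@" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Constructed sample tree mirroring the thread: a clean php.ini, an injected
# conf.d stanza (left world-writable) and an injected .htaccess, for an offline run.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/httpd/conf.d" "$d/var/www/html"
    printf 'memory_limit = 128M\ninclude_path = ".:"\n' > "$d/etc/php.ini"
    printf '<FilesMatch "\\.(php|php5|php4|htm|html|jsp|shtml|asp|aspx)$">\nphp_value auto_prepend_file "/tmp/.tmp.err"\n</FilesMatch>\n' > "$d/etc/httpd/conf.d/zz-injected.conf"
    printf 'php_value auto_prepend_file "/tmp/.tmp.err"\n' > "$d/var/www/html/.htaccess"
    chmod 666 "$d/etc/httpd/conf.d/zz-injected.conf"
    echo "== prepend/append directives =="
    scan_prepend "$d/etc" "$d/var/www"
    echo "== config files writable by group/others =="
    weak_perms "$d/etc"
    rm -rf "$d"
}

# Real run (assumed paths): scan_prepend /etc/php.ini /etc/php.d /etc/httpd /var/www
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the sample output; without arguments it only defines the functions so you can source it and point them at the live system.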