{"id":41455,"date":"2018-01-10T06:00:32","date_gmt":"2018-01-10T11:00:32","guid":{"rendered":"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=41455"},"modified":"2018-01-10T00:53:42","modified_gmt":"2018-01-10T05:53:42","slug":"broken-stuff-and-security-concerns","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=41455","title":{"rendered":"Broken Stuff and Security Concerns"},"content":{"rendered":"

Yes, the forums<\/a> are down. Yes, I realize you can’t edit your own comments. Let’s talk about that.<\/p>\n

On my Linux-based webserver, there is a user account linked to me. This “shamus” account owns all the files: All the PHP scripts to drive the blog, all the scripts to run the forums, and all the images and other random files that makes the site operate. Under normal circumstances, the entire file structure is designed so that only my user can upload, delete, and modify files. <\/p>\n

However, you need to make some exceptions. For example, I run a WordPress plugin that makes weekly database backups. This plugin needs to be able to save these backups, which means that I need to make the backup directory writable for all users, not just the “shamus” userPHP, MySQL, and other processes are owned by the root user.<\/span>. Otherwise, the backup plugin would run but it wouldn’t be allowed to save the resulting backup to disk.<\/p>\n

So I need to make a few spots on the machine where processes not owned by me can put files. This alone isn’t enough to compromise the security of the machine, although it’s often considered something to be avoided if you can help it. The danger is that it may provide an attack vector for potential hackers. If there’s a vulnerability in either WordPress (the software that runs the blog) or PhpBB (the software that runs the forums) then they would be able to write files to these directories.<\/p>\n

Here is a ficticious example of how something like this could work: Let’s say the forum offers a feature where users can upload their own profile image. You’re supposed to upload a JPG or PNG image file. These files end up in \/forums\/profileimages\/<\/tt>. In order for this feature to work, I need to set the permissions of \/forums\/profileimages\/<\/tt> so that anyone can write to that directory. Let’s say the people who wrote the forum software didn’t do their job and the forums don’t make sure that what the user uploaded was actually an image. Like, maybe they uploaded a PHP script. This allows them to put new pages on my site, and those pages can do all sorts of nasty things. <\/p>\n

Now, they can’t just put those pages anywhere. Those pages can only end up in \/forums\/profileimages\/<\/tt>, and only the attacker will know about them. Once the upload is done, the attacker can then manually type in the URL like so:<\/p>\n

shamusyoung.com\/forums\/profileimages\/badpage.php<\/tt><\/p>\n

This will cause the script to run and do whatever it’s supposed to do. This doesn’t give the attacker full control over the machine. (They can still only put new files in directories I’ve had to leave open.) They can’t re-write the blog or attack visitors directly, but this is still an alarming situation that allows them to see a lot of stuff they shouldn’t.<\/p>\n

This is a very simplified explanation. The actual method of attack is a lot more complex and to be honest most of it is beyond me. But this is the idea in broad strokes.<\/p>\n

A couple of months ago PeterHe doesn’t comment often so you might not know him, but Peter has been providing technical and hardware support to this site for a long time<\/a>.<\/span> and I discovered some files on the site that were not owned by the “shamus” user. Files like this:<\/p>\n

lprvpluh.php
\npvkmnwoj.php
\nonrvyxwg.php
\nukwwtgwx.php<\/tt><\/p>\n

Always the same pattern: A PHP file with a gibberish eight-character name, probably generated at random. These files contained highly obfuscated PHP code and were not part of the normal file structure of either WordPress or PhpBB. More importantly, they are obviously malicious in nature.<\/p>\n