We’ve been made aware of a new exploit that appears to have been launched today and is so far targeting WordPress and osCommerce installations. If you are running either of these pieces of software we recommend that you upgrade to the latest version as soon as possible. With osCommerce we would actually recommend you switch to an alternative product such as Zen Cart, as the development process is very slow and often stagnates.
The exploit itself creates .htaccess files in any directory where it has write permissions and places the following two lines in them, or appends them to the end of an existing .htaccess:
AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html
The file /tmp/25454b22bf39c75795851f39d5e347c4 claims to be "mini suhosin", part of the Suhosin PHP security software; this is not the case. The exploit also tries to leave a back door shell on the infected system by leaving a shell process called minisuhosin running.
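As an added example (not part of the original post), here is a small audit script that walks a web root and flags .htaccess files carrying the tell-tale AddType line above, i.e. a PHP handler mapped onto .htm/.html or other non-PHP extensions. It also flags any directive that references a file under /tmp, which is an assumption based on the dropped file named above rather than on the missing second line. The sample tree it builds is constructed for the demo.

```python
import os
import re
import tempfile

# An .htaccess should never hand these extensions to the PHP handler; .htm/.html
# is exactly what the exploit described above appends.
PHP_HANDLER = re.compile(r"^\s*AddType\s+application/x-httpd-php\s+(.*)$", re.I)
SUSPICIOUS_EXT = {".htm", ".html", ".gif", ".jpg", ".jpeg", ".png", ".txt"}
TMP_REF = re.compile(r"/tmp/\S+")  # heuristic: config pointing into /tmp (assumption)

def audit_htaccess(text):
    """Return a list of (line_no, reason) findings for one .htaccess body."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = PHP_HANDLER.match(line)
        if m:
            bad = sorted(e for e in m.group(1).lower().split() if e in SUSPICIOUS_EXT)
            if bad:
                findings.append((n, "PHP handler mapped to %s" % ",".join(bad)))
        if TMP_REF.search(line):
            findings.append((n, "directive references a file under /tmp"))
    return findings

def scan_tree(root):
    """Walk root, audit every .htaccess found and return {path: findings}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = audit_htaccess(fh.read())
            if found:
                report[path] = found
    return report

def demo():
    """Constructed sample tree: one clean .htaccess and one carrying the exploit's line."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^(.*)$ index.php [L]\n")
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n"
                 "AddType application/x-httpd-php .php .phtml .php3 .php4 .php5 .htm .html\n")
    return scan_tree(root)

if __name__ == "__main__":
    for path, found in demo().items():
        for line_no, reason in found:
            print("%s:%d: %s" % (path, line_no, reason))
```

Run it against each account's document root; any hit in a directory that should only hold images or HTML is worth treating as a compromise indicator rather than a misconfiguration.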
As many of you will no doubt be aware, a vulnerability in 64-bit Linux was recently announced that allows a local system user to gain root-level access. Whilst these things do happen from time to time, the problem at the moment is that many vendors do not yet have a new kernel with the security hole patched. To make things worse, the exploit that is out in the wild also installs a back door into your systems, so even once patched, the attackers will still have root-level access to your system!
Whilst many are saying this isn’t a major issue as it is only exploitable with local machine access, it’s actually bigger than a lot of people realise in a web hosting environment, where users are allowed to execute their own PHP and Perl code or install 3rd party scripts. What we’re seeing lately is that many such user and 3rd party applications have holes in them that allow arbitrary code to be executed, or even uploaded onto the server and then executed. Either situation effectively gives an attacker a local user account (that of the web server user, or of the account owner, depending on how the system is configured). One of the biggest causes of such problems is scripts that allow users to upload images or other files to a website: the vast majority of them do not check that what is uploaded really is an image, a PDF, a text file etc. We’ve seen recently that a lot of these scripts allow users to upload a PHP script instead of an image, and of course once it’s in the images directory it can be executed like any other PHP file.
There is currently a workaround for the specific exploit out in the wild, but it does not protect against any new exploits that may utilise the same security hole. The only solution ready at the moment appears to be that from KSplice.com, which our managed hosting customers will be pleased to know we’ve been installing on all of your servers for the past few weeks now. Our un-managed customers can also have KSplice, but unfortunately there is a small charge for this of £2.50 + VAT per copy. If you would like it installed then please open a ticket with us and we’ll get it done for you ASAP.