apache log entry: sh: -t: command not found
Tim
2012-08-19 04:44:02 UTC
Hi-

I keep getting this in my apache error log file but I can't figure out
where it's coming from. I think someone is trying to hack me (maybe) but
I have no idea from where or how. I have my box very locked down AFAIK.

AFAIK I'm not using any system calls in any CGI scripts either. Anyone have
any ideas on how I might further find this?

Thanks
patpro ~ patrick proniewski
2012-08-19 06:54:02 UTC
Post by Tim
> Hi-
> I keep getting this in my apache error log file but I can't figure out
> where it's coming from. I think someone is trying to hack me (maybe) but
> I have no idea from where or how. I have my box very locked down AFAIK.
> AFAIK I'm not using any system calls in any CGI scripts either. Anyone have
> any ideas on how I might further find this?
With php applications, you never know. Many CMSes try to use system calls
to trigger local binaries (especially to manipulate images).
If you are paranoid you can set up a php.ini that forbids the use of
system(), exec(), passthru(), shell_exec(), and so on.
You can also try and activate an audit process of some sort. On FreeBSD
I'm using auditd (OpenBSM project). It tracks every exec attempt from
Apache and issues a small report like this:

header,336,11,execve(2),0,Sun Aug 19 04:09:32 2012, + 130 msec
exec arg,sh,-c,convert -quality 85 -resize 67x75! sites/emc/IMG/jpg/Damien2.jpg sites/emc/local/cache-vignettes/L67xH75/Damien2-cf6b7.jpg
exec env,LD_LIBRARY_PATH=/usr/local/lib,HOME=/,PATH=/sbin:/bin:/usr/sbin:/usr/bin,RC_PID=20,PWD=/
path,/bin/sh
attribute,555,root,wheel,85,353353,1415208
subject,www,www,www,www,www,38912,0,0,0.0.0.0
return,success,0
trailer,336

But it's complicated, and it's quite a lot of work to get there. And as
you can see, it won't give you the guilty php script, just the command
as it was triggered by the user www.
In my apache error logs it would correspond to this entry:

convert: not found

You should track down php errors (log them into a file), and maybe add
some verbosity. It helps, sometimes.

And give an antivirus a try. I've found out that some sophisticated php
hack scripts are detected by clamav, for example. It could help you to
find a script that would have been injected through a vulnerability of
one of your php applications. (This kind of hacking script, for example:
[image link missing from the archive])

Try to find files that have the same age as your first "sh: -t:
command not found" and that belong to your apache user (www, httpd, ...)
using the find command, and review them carefully.

I also find it nice to prevent the apache user from opening outgoing
connections by using a few firewall rules, but it requires a firewall that
understands the notion of "user" (pf on OpenBSD/FreeBSD for example).
Whatever is injected on the server, it won't be able to create a remote
connection (irc bot scripts, outgoing shell scripts, spam bots, etc.).

patpro
--
For sale: KVM IP 16 ports APC
http://patpro.net/blog/index.php/2008/01/12/133
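The "find files with the same age as the first bad log entry, owned by the web user" step patpro describes above, as an added example script (not code from the thread or from patpro): it reads an Apache 2.2-style error log, takes the timestamps of the first and last lines containing the offending message, and runs find(1) for files owned by the given user modified inside that window. The sample log lines, the hypothetical /var/log/httpd-error.log and /usr/local/www paths in the usage comment, and the "www" user are assumptions; only POSIX sh, find -newer and touch -t are relied on.

```shell
#!/bin/sh
# Added example (not from the original thread): correlate the first and last
# "sh: -t: command not found" entries in an Apache 2.2-style error log with
# files owned by the web server user that were modified in that window.
# Assumptions: the log uses the "[Sun Aug 19 04:09:32 2012] [error] ..." format;
# POSIX sh plus find(1) -newer and touch(1) -t, which are standard.

# Convert the Apache timestamp fields "Aug 19 04:09:32 2012" into the
# minute-precision touch(1) -t form "201208190409" (seconds are dropped so
# the search window covers whole minutes).
apache_ts_to_touch() {
    mon=$1; day=$2; hms=$3; year=$4
    case $mon in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    hh=${hms%%:*}
    rest=${hms#*:}
    mm=${rest%%:*}
    printf '%s%s%02d%s%s\n' "$year" "$m" "$day" "$hh" "$mm"
}

# Print "FIRST LAST": touch -t stamps of the first and last log lines that
# contain PATTERN (matched literally). Returns 1 if nothing matches.
log_window() {
    log=$1; pattern=$2
    first=; last=
    while IFS= read -r line; do
        case $line in
            *"$pattern"*) ;;
            *) continue;;
        esac
        stamp=${line#\[}          # strip the leading "["
        stamp=${stamp%%\]*}       # keep up to the first "]": "Sun Aug 19 04:09:32 2012"
        set -- $stamp             # $1=Sun $2=Aug $3=19 $4=04:09:32 $5=2012
        t=$(apache_ts_to_touch "$2" "$3" "$4" "$5") || continue
        [ -n "$first" ] || first=$t
        last=$t
    done < "$log"
    [ -n "$first" ] || return 1
    printf '%s %s\n' "$first" "$last"
}

# List regular files under DIR owned by USER (name or numeric uid) whose mtime
# lies between the start of minute FIRST and the end of minute LAST.
# find -newer is strict, so the reference files bracket the window at .00/.59.
suspect_files() {
    dir=$1; user=$2; first=$3; last=$4
    tmp=$(mktemp -d) || return 1
    touch -t "$first.00" "$tmp/start"
    touch -t "$last.59" "$tmp/end"
    find "$dir" -type f -user "$user" -newer "$tmp/start" ! -newer "$tmp/end"
    rm -rf "$tmp"
}

# Constructed sample error log in the Apache 2.2 format (not a real capture).
write_sample_log() {
    cat > "$1" <<'EOF'
[Sun Aug 19 04:09:32 2012] [error] [client 203.0.113.7] sh: -t: command not found
[Sun Aug 19 04:11:05 2012] [notice] caught SIGWINCH, shutting down gracefully
[Sun Aug 19 04:15:48 2012] [error] [client 203.0.113.7] sh: -t: command not found
EOF
}

# Usage on a real host (hypothetical FreeBSD paths; adjust for your system):
#   set -- $(log_window /var/log/httpd-error.log "sh: -t: command not found")
#   suspect_files /usr/local/www www "$1" "$2"
```

The window is deliberately coarse (whole minutes); widen it by hand if the attacker's files predate the first logged error. Review each hit rather than deleting it: a legitimate cache file written by the CMS (like the convert output in patpro's audit record) will show up alongside anything injected. patpro's other two suggestions are configuration rather than a script: in php.ini the directive is disable_functions (a comma-separated list such as system, exec, passthru, shell_exec, popen, proc_open), and pf rules can carry a user keyword so an outbound block rule applies only to the web server's uid.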