Is a strange test.cake file on my server a sign of compromise?


On a client's shared hosting I found a file named test.cake in the admin folder. It is fairly large, 353 KByte, and contains this:

execve("/usr/local/bin/php", ["php", "login.php"], ["GREP_COLOR=1;32", "HOSTNAME=gator3304.hostgator.com", "SHELL=/usr/local/cpanel/bin/jailshell", "TERM=xterm", "HISTSIZE=5000", "PERL5LIB=/home1/username/perl5/lib/perl5", "OLDPWD=/home1/username/public_html", "PERL_MB_OPT=--install_base \"/home1/username/perl5\"", "USER=username", "LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:", "MAIL=/var/spool/mail/username", "PATH=/usr/local/jdk/bin:/home1/username/perl5/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/opt/cpanel/composer/bin:/opt/python27/bin:/usr/local/bin:/usr/X11R6/bin:/home1/username/bin", "INPUTRC=/etc/inputrc", "PWD=/home1/username/public_html/admin", "JAVA_HOME=/usr/local/jdk", "EDITOR=pico", "SHLVL=1", "HOME=/home1/username", "GREP_OPTIONS=--color", 
"LS_OPTIONS=--color=tty -F -a -b -T 0", "PERL_LOCAL_LIB_ROOT=/home1/username/perl5", "LOGNAME=username", "VISUAL=pico", "CVS_RSH=ssh", "CLASSPATH=.:/usr/local/jdk/lib/classes.zip", "LESSOPEN=||/usr/bin/lesspipe.sh %s", "PROMPT_COMMAND=history -a", "PERL_MM_OPT=INSTALL_BASE=/home1/username/perl5", "G_BROKEN_FILENAMES=1", "HISTTIMEFORMAT=%c : ", "_=/usr/bin/strace"]) = 0
brk(0)                                  = 0x1603000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f11fd30a000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/x86_64/libcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/tls/x86_64", 0x7ffeba45a410) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/tls", {st_dev=makedev(9, 123), st_ino=1046537, st_mode=S_IFDIR|0555, st_nlink=2, st_uid=0, st_gid=0, st_blksize=4096, st_blocks=8, st_size=4096, st_atime=2018/02/15-16:53:26, st_mtime=2011/09/23-06:50:20, st_ctime=2013/06/03-19:07:46}) = 0
open("/usr/lib64/x86_64/libcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/x86_64", 0x7ffeba45a410) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libcrypt.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)

Then it does something with files:

lstat("/home1/username/public_html/admin/login.php", {st_dev=makedev(8, 1), st_ino=22413445, st_mode=S_IFREG|0644, st_nlink=1, st_uid=32458, st_gid=32460, st_blksize=4096, st_blocks=8, st_size=2709, st_atime=2015/09/24-13:22:20, st_mtime=2013/09/27-07:57:56, st_ctime=2018/02/15-22:49:32}) = 0
lstat("/home1/username/public_html/admin", {st_dev=makedev(8, 1), st_ino=22421570, st_mode=S_IFDIR|0755, st_nlink=4, st_uid=32458, st_gid=32460, st_blksize=4096, st_blocks=8, st_size=4096, st_atime=2015/09/24-02:46:04, st_mtime=2018/02/15-22:51:05, st_ctime=2018/02/15-22:51:05}) = 0

What is it? A trojan? I have never used the .cake extension and I don't know how it is interpreted.

    
posted by user4035 04.04.2018 - 12:30

1 answer


Apparently, someone debugged the login.php script with strace.

strace records a process's system calls and signals, so what you see are just the syscalls php made along the way. For comparison, here is me tracing a random file foo.php with strace:

$ strace php foo.php
execve("/usr/sbin/php", ["php", "foo.php"], 0x7fffa8f9e7c8 /* 40 vars */) = 0
brk(NULL)                               = 0x55b364d06000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=189059, ...}) = 0
mmap(NULL, 189059, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f233c438000
close(3)                                = 0
...

Although you shouldn't leave debug logs publicly accessible on a web server, there is no indication that this has a malicious background.

My guess is that the .cake extension was chosen just to trigger an editor's syntax highlighting.

    
answered 04.04.2018 - 13:05
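An added example (not from the question or the answer above): a small Python check that tells an strace log apart from application code and, for a trace, pulls out the traced binary and arguments, the working directory from PWD and whether the shell's `_` variable points at strace, following the output format quoted above. It handles both execve forms seen on this page, the expanded environment list and the `0x... /* N vars */` summary; the sample trace is constructed, and its hostname and paths are placeholders.

```python
import re

# Constructed sample in the format of the strace output quoted above
# (hostname and paths are placeholders, not values from a real server).
SAMPLE_TRACE = r"""execve("/usr/local/bin/php", ["php", "login.php"], ["HOSTNAME=host.example", "PERL_MB_OPT=--install_base \"/home1/username/perl5\"", "PWD=/home1/username/public_html/admin", "_=/usr/bin/strace"]) = 0
brk(0)                                  = 0x1603000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
lstat("/home1/username/public_html/admin/login.php", {st_mode=S_IFREG|0644, st_size=2709, ...}) = 0
"""
# Constructed non-trace file for contrast.
SAMPLE_PHP = "<?php\n// ordinary application code\necho 'hello';\n"

# One strace line: name(args) = retval [ERRNO (description)]
SYSCALL_RE = re.compile(r'^[a-z0-9_]+\(.*\)\s+= -?(?:0x[0-9a-f]+|\d+|\?)(?: [A-Z]+ \(.*\))?$')
# execve with either an expanded env list or strace's "0x... /* N vars */" summary
EXECVE_RE = re.compile(r'^execve\("([^"]+)", \[([^\]]*)\], (?:\[(.*)\]|0x[0-9a-f]+ /\* \d+ vars \*/)\) = 0$')
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # C-style quoted string, escapes allowed

def looks_like_strace(text, min_ratio=0.8):
    """True if at least min_ratio of the non-empty lines parse as syscall lines."""
    lines = [l for l in text.splitlines() if l.strip()]
    hits = sum(1 for l in lines if SYSCALL_RE.match(l))
    return bool(lines) and hits / len(lines) >= min_ratio

def summarize(text):
    """Classify a file and, for a trace, report what was run and from where."""
    info = {"is_strace": looks_like_strace(text), "binary": None, "argv": [],
            "env": {}, "cwd": None, "via_strace": False}
    if not info["is_strace"]:
        return info
    for line in text.splitlines():
        m = EXECVE_RE.match(line)
        if not m:
            continue
        info["binary"] = m.group(1)
        info["argv"] = QUOTED_RE.findall(m.group(2))
        for item in QUOTED_RE.findall(m.group(3) or ""):  # group 3 is None for "/* N vars */"
            key, _, value = item.replace('\\"', '"').partition("=")
            info["env"][key] = value
        info["cwd"] = info["env"].get("PWD")  # directory the trace was started in
        info["via_strace"] = info["env"].get("_", "").endswith("strace")  # $_ = last command run
        break
    return info

if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

Run it over a suspicious file's contents; a high syscall-line ratio plus an execve of the interpreter from the web root, with `_` set to strace, is the signature of a leftover debugging session like the one in the question.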
