Date: Fri, 23 Jun 2006 14:55:00 -0700 From: Ralf Subject: IMPORTANT: Security Vulnerability in RIG IMPORTANT: Vulnerability found in RIG. Please read!! A vulnerability has been found in RIG that affects all version: http://www.securityfocus.com/archive/1/437818/30/0/threaded Unfortunately the person who advertised the vulnerability did not contact me prior doing so. My server was actually compromised as well as one from my friends. I consequently URGE you to do the following: 1- Stop your apache web server and look for intrusions. See below. 2- Fix RIG as described below or switch to another web-based album such as Gallery. =============== 1- STOP APACHE AND LOOK AT YOUR SYSTEM =============== This applies to a Debian distro. Things may be different on another distro. As root: # apachectl stop or # /etc/init.d/apache stop Look at your apache logs. Typically you'd have been infected started June 21st. Look for any url containing "check_entry.php" in your apache log files: # grep check_entry /var/log/apache/*.log Under debian, apache runs as "www-data" so you want to look at the activity done by this user (running processes and files created) If you have full control of the machine and can connect locally, switch to single-user mode by using "telinit 1" as root. If not, please stop as many services as you can while you scan your system. Look in /tmp for anything owned by www-data and delete it. Look in all your album directories. For example in the directory pointed to by "dir_abs_src" for me, there was a .tgz file and an unpacked version of it. Using "ps wfaux" look for processes still running as www-data. Typically you may find an "httpd" still running. Try killing it. Make sure there is no crontab for the www-data user. Using "locate name" or "find / -name "..." -print", look for these names: cupu y2kupdate fblast dbspy psybnc eggdrop onebounce If you find such files, remove them. Only continue when you think your system is clean. You don't want to run a compromised host on the internet, it would be used to generate DOS attacks and send spam and you may be legally demeed responsible. =============== 2- FIXING RIG =============== A- Locate any instance of check_entry.php on your disk (generally installed where index.php is). Edit the function rig_check_src_file() as following (added lines have a + at the beginning): //******************************** function rig_check_src_file($name) //******************************** { global $dir_abs_install; global $dir_abs_src; global $dir_abs_admin_src; global $dir_abs_globset; global $dir_abs_locset; // enabling track_errors is a big help ini_set("track_errors", "1"); + // disable auto-globals from CGI params + ini_set("register_globals", "0"); + if (ini_get("register_globals") == 1) + { + echo "

RIG Configuration Error

"; + echo "

Important!

You MUST disable register_globals in your PHP.INI file!"; + } // check it worked $track_errors = (ini_get("track_errors") == 1); if ($track_errors) $result = @file_exists($name); else $result = file_exists($name); if (!$result) { + // Uncomment the following line for debugging new installations + exit; echo "

RIG Configuration Error

"; echo "

Error

A source file could not be located! Please check location.php file!"; if ($track_errors) echo "

Reason

$php_errormsg"; else echo "

Important!

Please consider enabling track_errors in your PHP.INI file!"; echo "

Details

"; echo "
";
	    echo "file path         = '$name'
"; echo "
"; echo "dir_instal = '$dir_abs_install'
"; echo "dir_abs_src = '$dir_abs_src'
"; echo "dir_abs_admin_src = '$dir_abs_admin_src'
"; echo "
"; echo "dir_abs_globset = '$dir_abs_globset'
"; echo "dir_abs_locset = '$dir_abs_locset'
"; echo "
"; echo "
"; + exit; } return $name; } B- Now locate php.ini, generally in /etc/php4/apache/php.ini on your system. Edit the file and locate the line "register_globals". Change the setting from On to Off. Re-enabled your web server or restart it. # apachectl restart To make sure the fix worked: - create a file foo.php in your public_html with the following content: then try to compromise your own site as an attacker would do: http://mywebsite/check_entry.php?dir_abs_src=http://mywebsite/foo.php? (note the extra ? at the end) Feel feel free to contact me if you need help performing this. Easiest way to contact me is with ralfoide@gmail.com or on Google Talk (http://talk.google.com) I have id "ralfoide" or on Skype id "ralfoide". Ralf/