
I apologize for the large post for a first timer. I've not been able to find a reason for the /tmp/phpXXX files created on my server. It seems that some sites (BAD GUY IP in the data below) are sending posts to my site for a Joomla vulnerability (I don't have Joomla installed). The attack tries to upload a gif file and then rename the gif file to a php file. The code in the "gif" file is a trojan control panel. I'm pretty sure that the attacker is unable to rename the gif file to a php file.

My question is how is the /tmp/phpXXX file being created on my site? Why does the /tmp/phpXXX file stick around? It seems that the image upload and rename is failing and therefore the temporary file should get cleaned up. I've tried to replicate the attacking posts against my site with no luck creating the /tmp/phpXXX file.

It seems that if I could understand why the /tmp/phpXXX files stick around it would help me understand if I have a real vulnerability on my site.

Thanks for reading!

My site is hosted by Yahoo.

I'm finding temporary files in the /tmp directory that are trojans. It looks like it is a Joomla JCE vulnerability attack (I don't have Joomla installed), see: http://forum.joomla.org/viewtopic.php?f=432&t=740054 The files created have random file names (i.e. phpXXX).

The files contain the following (I was able to remove the bad stuff between the tick marks)

GIF89aGiam
<?php eval(gzinflate(str_rot13(base64_decode('')))); ?> 

I correlated the /tmp/phpXXX files times to certain posts in my access.log file

Here are some recent posts...

BAD GUY IP - - [25/Feb/2014:22:09:15 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:09:22 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:10:03 -0800] "GET /images/stories/food.php?rf HTTP/1.1" 404 89 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6" "www.MYSITE.com"
BAD GUY IP - - [25/Feb/2014:22:10:58 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 - "-" "BOT/0.1 (BOT for JCE)" "www.MYSITE.com"

I wrote some code to dump the data from the posts...

<?php
// Trap log written by the original poster's snippet. Keep the log file outside
// the web root so it cannot be fetched by the attacker.
$hack_log_file = '/path/to/hack.log';   // assumed location, adjust for your host

if (isset($_REQUEST['option'])) {
    $today = date("D M j G:i:s T Y");
    file_put_contents($hack_log_file, "\nDATE / TIME: " . $today . "\n", FILE_APPEND);
    // These headers may be absent, so guard against "undefined index" notices.
    $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    file_put_contents($hack_log_file, "\nHTTP_REFERER: " . $referer . "\n", FILE_APPEND);
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    file_put_contents($hack_log_file, "REMOTE_ADDR: " . $addr . "\n", FILE_APPEND);
    $host = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
    file_put_contents($hack_log_file, "REMOTE_HOST: " . $host . "\n", FILE_APPEND);
    foreach ($_GET as $key => $value) {
        file_put_contents($hack_log_file, "GET: " . $key . " => " . $value . "\n", FILE_APPEND);
    }
    foreach ($_POST as $key => $value) {
        file_put_contents($hack_log_file, "POST: " . $key . " => " . $value . "\n", FILE_APPEND);
    }
    // $_FILES (and the /tmp/phpXXXXXX file it points at) is populated by PHP's
    // multipart handler before this script runs, whatever the script does with it.
    $results = print_r($_FILES, true);
    file_put_contents($hack_log_file, "FILES:\n" . $results . "\nEND FILES:\n", FILE_APPEND);
}

Here are the results of my trapping the "attacks"...

DATE / TIME: Tue Feb 25 22:09:15 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: version => 1576
GET: cid => 20
POST: json => {\"fn\":\"folderRename\",\"args\":[\"/food.gif\",\"food.php\"]}
FILES:
    Array
    (
    )

END FILES:

DATE / TIME: Tue Feb 25 22:09:22 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: version => 1576
GET: cid => 20
POST: json => {\"fn\":\"folderRename\",\"args\":[\"/food.gif\",\"food.php\"]}
FILES:
    Array
    (
    )

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: method => form
GET: cid => 20
GET: 6bc427c8a7981f4fe1f5ac65c1246b5f => cf6dd3cf1923c950586d0dd595c8e20b
POST: upload-dir => /
POST: upload-overwrite => 0
POST: upload-name => food
POST: action => upload
FILES:
    Array
    (
    [Filedata] => Array
        (
            [name] => food.gif
            [type] => image/gif
            [tmp_name] => /tmp/phpR1KNP7
            [error] => 0
            [size] => 1524
        )

    )

END FILES:

DATE / TIME: Tue Feb 25 22:11:04 PST 2014

HTTP_REFERER: 
REMOTE_ADDR: BAD GUY IP
REMOTE_HOST: 
GET: option => com_jce
GET: task => plugin
GET: plugin => imgmanager
GET: file => imgmanager
GET: method => form
GET: cid => 20
GET: 6bc427c8a7981f4fe1f5ac65c1246b5f => cf6dd3cf1923c950586d0dd595c8e20b
POST: upload-dir => /
POST: upload-overwrite => 0
POST: upload-name => food
POST: action => upload
FILES:
    Array
    (
    [Filedata] => Array
        (
            [name] => food.gif
            [type] => image/gif
            [tmp_name] => /tmp/phpDUbonr
            [error] => 0
            [size] => 1524
        )

    )

END FILES:
    Are you on a dedicated server? If it's a shared server, your /tmp files could be coming from some OTHER site hosted on the same box. And just because you're not running Joomla doesn't mean much. Script kiddies are morons and will nuke a city so they can squash an ant hiding under the steps in a single house. They don't care what you're running. They just point and click and wait for SOME vulnerability to be found. The fact that 99.999999999% of the places they attack aren't vulnerable is irrelevant to them. They're l33t h4c|<3rz seeking prey. – Marc B Mar 03 '14 at 20:24
  • Hi Marc, thanks for the comments. The Yahoo host I'm on is probably like a virtual private server, all the files in the /tmp belong to my site. I mentioned the Joomla thing, just to help rule out a Joomla vulnerability. The script kiddies have certainly found a way to place a "gif" file in my /tmp by simply posting crap. My limited knowledge is preventing me from figuring out how they do it. – user3376038 Mar 04 '14 at 22:44
  • Did you ever find out any more info related to this issue? – Josh Brower Nov 19 '14 at 21:15
  • I have not found any new information. Since the time I posted this the frequency of occurrence has decreased significantly. Interestingly during the time I was trying to debug why and how those files were appearing, Microsoft Security Essentials asked to look at the files. Some time later MSE decided that they were dangerous and removed them from my file system. I'm now using Avast and it does not see them as a threat. – user3376038 Nov 20 '14 at 23:27
  • @MarcB Your comment is sorta answer material in my opinion. Nice wording by the way. I think it'd be cool if you added that as an actual answer. – Yes Barry Feb 16 '15 at 06:18
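The mechanics behind the question are worth making concrete. PHP's multipart upload handler writes every file part of a POST to upload_tmp_dir (here /tmp/phpXXXXXX) before the target script runs, and removes it when the request ends unless the script moved it; the script's own logic (JCE present or not) never decides whether the temp file is created. Triage therefore comes down to two checks the questioner did by hand: is the leftover file a GIF/PHP polyglot of the kind quoted above, and does its timestamp line up with a JCE image-manager upload POST in access.log. The script below is an added example, not code from the original post. It assumes an Apache combined-format log with a trailing vhost field like the lines quoted in the question, a temp directory passed in by the caller, and uses constructed sample data (RFC 5737 documentation addresses, www.example.com, a polyglot file shaped like the one in the question).

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample lines in the same Apache combined-plus-vhost format as the
# question's access.log; the attacker/visitor addresses are documentation IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2014:22:09:15 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1" 200 12608 "-" "BOT/0.1 (BOT for JCE)" "www.example.com"
203.0.113.7 - - [25/Feb/2014:22:10:03 -0800] "GET /images/stories/food.php?rf HTTP/1.1" 404 89 "-" "Mozilla/5.0" "www.example.com"
203.0.113.7 - - [25/Feb/2014:22:10:58 -0800] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 200 - "-" "BOT/0.1 (BOT for JCE)" "www.example.com"
198.51.100.2 - - [25/Feb/2014:22:11:30 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" "www.example.com"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)


def jce_stage(method, path):
    """Name the step of the JCE image-manager attack chain a request belongs to."""
    if "option=com_jce" in path and "plugin=imgmanager" in path:
        # method=form carries the multipart file part (the request that makes PHP
        # write /tmp/phpXXXXXX); the other POSTs are JSON RPC calls such as the
        # folderRename seen in the question's trap log.
        return "jce-upload-form" if "method=form" in path else "jce-json-rpc"
    if method == "GET" and "/images/stories/" in path and ".php" in path:
        return "shell-probe"  # attacker checking whether the renamed shell answers
    return None


def parse_log_line(line):
    """Parse one access.log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["stage"] = jce_stage(ev["method"], ev["path"])
    return ev


GIF_MAGIC = (b"GIF87a", b"GIF89a")
# eval() fed by a decoder chain is the shape of the payload quoted in the question.
EVAL_CHAIN = re.compile(rb"eval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)


def classify_file(path):
    """Flag a temp file as a GIF/PHP polyglot, plain PHP, or nothing PHP-like."""
    with open(path, "rb") as f:
        head = f.read(65536)
    flags = []
    if head.startswith(GIF_MAGIC):
        flags.append("gif-magic")
    if b"<?php" in head or b"<?=" in head:
        flags.append("php-tag")
    if EVAL_CHAIN.search(head):
        flags.append("eval-decoder-chain")
    if "gif-magic" in flags and "php-tag" in flags:
        verdict = "polyglot-webshell"
    elif "php-tag" in flags:
        verdict = "php-code"
    else:
        verdict = "no-php-found"
    return flags, verdict


def correlate(tmp_dir, log_text, window_s=120):
    """Match each leftover php* temp file to JCE upload POSTs near its mtime."""
    events = [e for e in map(parse_log_line, log_text.splitlines()) if e and e["stage"]]
    findings = []
    for name in sorted(os.listdir(tmp_dir)):
        if not name.startswith("php"):
            continue
        path = os.path.join(tmp_dir, name)
        mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
        flags, verdict = classify_file(path)
        nearby = [
            "%s %s %s" % (e["ip"], e["ts"].isoformat(), e["stage"])
            for e in events
            if e["stage"] == "jce-upload-form"
            and abs((e["ts"] - mtime).total_seconds()) <= window_s
        ]
        findings.append({"file": name, "flags": flags, "verdict": verdict, "uploads_nearby": nearby})
    return findings


def build_demo_dir():
    """Constructed stand-in for /tmp: one polyglot shell, one unrelated GIF."""
    d = tempfile.mkdtemp(prefix="php-tmp-triage-")
    upload_ts = datetime.strptime("25/Feb/2014:22:10:58 -0800", "%d/%b/%Y:%H:%M:%S %z").timestamp()
    shell = os.path.join(d, "phpR1KNP7")  # same shape as the file quoted in the question
    with open(shell, "wb") as f:
        f.write(b"GIF89aGiam\n<?php eval(gzinflate(str_rot13(base64_decode('')))); ?>\n")
    os.utime(shell, (upload_ts, upload_ts))
    image = os.path.join(d, "phpZZ9901")  # plain GIF header, a day earlier
    with open(image, "wb") as f:
        f.write(b"GIF89a" + bytes(64))
    os.utime(image, (upload_ts - 86400, upload_ts - 86400))
    return d


def demo():
    return correlate(build_demo_dir(), SAMPLE_LOG)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run against a real host with `correlate("/tmp", open("access.log").read())`. The rename/probe stages are reported from the log so the whole chain (JSON folderRename, multipart upload, GET of the would-be .php) is visible even when, as here, no shell was ever dropped; a polyglot verdict with no nearby upload POST points at a file written by some other process, which is the shared-hosting case raised in the comments.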

1 Answer


You mentioned Windows deleting the files. Is it possible your version of PHP is affected by PHP issue #68535?

Please comment back if the issue looks similar or not and if any of the suggested workarounds or configuration changes help.

    Hi Steve, my site is hosted by Yahoo which is running FreeBSD. I don't believe #68525 is relevant. Thanks for bringing it to my attention! I believe the reason my desktop running Windows deleted the files is due to the virus contained within the files. The mysterious virus files have stopped appearing in my /tmp folder. It could be that I closed up some possible injection issues with mysql. – user3376038 Sep 16 '15 at 18:13