On Fri, Aug 21, 2009 at 04:08:43PM -0500, Gregory P. Ennis wrote:
Everyone,
This morning I received a notice from PayPal that one of our sites got hacked and was spoofing a PayPal web site.
When I checked the the site, I was surprised to find they were correct. About 5 days a go we had a server that got hacked and somehow the file paypal.com.tar got uploaded to our server and then stored in a a subdirectory of /var/www/.
I had previously started a mysqld server and planned on using it for web authorizations. I had not been able to work on it, but left it in place. I looked like the hacker downloaded his paypal spoof files into a subdirectory of /var/www/phpmyadmin.
I am running 5.3 with all current updates.
I do not have telnet or ftp active on this server, and have password authentication of sshd turned off.
I have tried to obtain dialog with PayPal about this but they have not responded to my queries. If any of you have had some experience with this I would be interested in knowing how this may have happened. I have shutdown the mysqld server as well as removed access in httpd.conf of the /var/www/phpmyadmin directory in order to shutdown the spoofing site.
If any of you have a leg up on this I would appreciate your help.
Some advice (assuming the culprit here is phpMyAdmin):
- Keep phpMyAdmin up to date. Best way to do this is to use a package from a well known repository like EPEL that keeps the package at the latest version for you. - Run with SELinux Enforcing - Protect phpMyAdmin with Basic HTTP authentication instead of relying only on phpMyAdmin's authentication which does nothing to prevent the exploitation of many URL-based vulnerabilities.
Ray