On Fri, Aug 21, 2009 at 04:08:43PM -0500, Gregory P. Ennis wrote:
> Everyone,
>
> This morning I received a notice from PayPal that one of our sites got
> hacked and was spoofing a PayPal web site.
>
> When I checked the the site, I was surprised to find they were correct.
> About 5 days a go we had a server that got hacked and somehow the file
> paypal.com.tar got uploaded to our server and then stored in a a
> subdirectory of /var/www/.
>
> I had previously started a mysqld server and planned on using it for web
> authorizations. I had not been able to work on it, but left it in
> place. I looked like the hacker downloaded his paypal spoof files into
> a subdirectory of /var/www/phpmyadmin.
>
> I am running 5.3 with all current updates.
>
> I do not have telnet or ftp active on this server, and have password
> authentication of sshd turned off.
>
> I have tried to obtain dialog with PayPal about this but they have not
> responded to my queries. If any of you have had some experience with
> this I would be interested in knowing how this may have happened. I
> have shutdown the mysqld server as well as removed access in httpd.conf
> of the /var/www/phpmyadmin directory in order to shutdown the spoofing
> site.
>
> If any of you have a leg up on this I would appreciate your help.
Some advice (assuming the culprit here is phpMyAdmin):
- Keep phpMyAdmin up to date. Best way to do this is to use a
package from a well known repository like EPEL that keeps the
package at the latest version for you.
- Run with SELinux Enforcing
- Protect phpMyAdmin with Basic HTTP authentication instead of
relying only on phpMyAdmin's authentication which does nothing to
prevent the exploitation of many URL-based vulnerabilities.
Ray