[CentOS] httpd - mysql - paypal.com.tar - hacker

Fri Aug 21 21:17:16 UTC 2009
Ray Van Dolson <rayvd at bludgeon.org>

On Fri, Aug 21, 2009 at 04:08:43PM -0500, Gregory P. Ennis wrote:
> Everyone,
> 
> This morning I received a notice from PayPal that one of our sites got
> hacked and was spoofing a PayPal web site. 
> 
> When I checked the site, I was surprised to find they were correct.
> About 5 days ago we had a server that got hacked and somehow the file
> paypal.com.tar got uploaded to our server and then stored in a
> subdirectory of /var/www/.
> 
> I had previously started a mysqld server and planned on using it for web
> authorizations.  I had not been able to work on it, but left it in
> place.  It looked like the hacker downloaded his paypal spoof files into
> a subdirectory of /var/www/phpmyadmin.
> 
> I am running 5.3 with all current updates.
> 
> I do not have telnet or ftp active on this server, and have password
> authentication of sshd turned off.  
> 
> I have tried to obtain dialog with PayPal about this but they have not
> responded to my queries.  If any of you have had some experience with
> this I would be interested in knowing how this may have happened.  I
> have shut down the mysqld server as well as removed access in httpd.conf
> to the /var/www/phpmyadmin directory in order to shut down the spoofing
> site.
> 
> If any of you have a leg up on this I would appreciate your help.

Some advice (assuming the culprit here is phpMyAdmin):

  - Keep phpMyAdmin up to date.  Best way to do this is to use a
    package from a well known repository like EPEL that keeps the
    package at the latest version for you.
  - Run with SELinux Enforcing
  - Protect phpMyAdmin with Basic HTTP authentication instead of
    relying only on phpMyAdmin's authentication which does nothing to
    prevent the exploitation of many URL-based vulnerabilities.

Ray
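An added example of the third point above, in the form of an httpd.conf fragment for an Apache 2.2 host like the one described; it is not from the thread or from the phpMyAdmin project. It assumes phpMyAdmin is served from /var/www/phpmyadmin, that the password file lives at /etc/httpd/conf/phpmyadmin.htpasswd, and uses 192.0.2.0/24 as a placeholder admin network.

```apache
# Added example (not from the thread): put Apache's own Basic auth and an
# address restriction in front of /var/www/phpmyadmin so that no phpMyAdmin
# PHP code runs for an anonymous request. Assumed paths and network:
#   phpMyAdmin directory : /var/www/phpmyadmin
#   password file        : /etc/httpd/conf/phpmyadmin.htpasswd
#   admin network        : 192.0.2.0/24 (placeholder, substitute your own)
#
# Create the password file once, outside the DocumentRoot:
#   htpasswd -c /etc/httpd/conf/phpmyadmin.htpasswd dba
# Files under /etc/httpd/conf already carry the httpd config SELinux label,
# so Enforcing mode lets httpd read it without any extra relabeling.

Alias /phpmyadmin /var/www/phpmyadmin

<Directory /var/www/phpmyadmin>
    # No directory listings, no CGI/SSI surprises.
    Options -Indexes -ExecCGI -Includes
    AllowOverride None

    # Step 1: only admin hosts reach the directory at all (Apache 2.2 syntax).
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 192.0.2.0/24

    # Step 2: Apache demands a password before phpMyAdmin's login page or any
    # URL-based weakness in its scripts is reachable.
    AuthType Basic
    AuthName "phpMyAdmin - authorized staff only"
    AuthUserFile /etc/httpd/conf/phpmyadmin.htpasswd
    Require valid-user

    # Both the address check and the password are required, not either one.
    Satisfy All
</Directory>
```

After editing, run `service httpd configtest` and then `service httpd reload`; an unauthenticated request to /phpmyadmin/ from outside the admin range should now return 403, and from inside it 401 until credentials are supplied.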