MOODLE-UK Archives
MOODLE-UK@JISCMAIL.AC.UK
MOODLE-UK May 2012
Subject: Re: php-cgi security breach and how our test server was hacked
From: Alastair Hole <[log in to unmask]>
Reply-To: UK Moodle Users JISCMail list <[log in to unmask]>
Date: Thu, 17 May 2012 13:18:35 +0000
Content-Type: text/plain
Parts/Attachments: text/plain (158 lines)

Hi,
I agree a virus or a trojan does sound like a possible candidate for the
odd behaviour - is it likely that anyone uses the web browser(s) on the
machine itself? With an outdated version of Flash or Windows updates
waiting to be installed, an infection is very possible. Another route
could be that a file has been uploaded through Moodle, perhaps by sneaking
itself into a zip file on an infected desktop or something of that ilk;
not sure how the file would then execute code, but it's certainly a concern.
What antivirus software are you running on the server? I presume you have
run a scan, but bear in mind it's possible this software is also
compromised - the only way to know for certain is to check the disk with a
known clean system: either attach the disk to another machine or boot an
alternative OS (e.g. a rescue CD) just for the scan.
Rkill could be a good option to try:
http://www.bleepingcomputer.com/download/anti-virus/rkill
If it shows a positive then it should stop it running, and then you can
delete the offending file(s); if not, it's still worth running a scan as
described above.

Cheers,
Alastair


On 17/05/2012 14:04, "Mari-Cruz Garcia" <[log in to unmask]> wrote:

>Hello Alastair,
>
>We use FastCGI, as you mentioned. I thought of possible human errors and
>I already asked the users who have admin access in that server, in
>addition to myself. All of them assured me that they hadn't deleted
>anything and neither had I. Yet the reality is that the file php-cgi.exe
>had been deleted.
>
>As our php folder is placed in the c:\ disk, the same disk in which
>Windows program files are stored, another possibility I am thinking of is
>that a Trojan or virus may have been downloaded and not detected by the
>antivirus and may have caused that damage.
>
>Could it not be possible? VM Windows servers are like Windows PCs in the
>end.
>
>Regards
>
>
>
>Mari Cruz García
>Educational technologist, The Learning Zone/ KSeHIN Education Programme
>M.Sc Diabetes Care and Education
>DUCU Representative for the Medical Research Institute
>University of Dundee
>Office: +44(0)1382 740701
>
>
>
>-----Original Message-----
>From: UK Moodle Users JISCMail list [mailto:[log in to unmask]] On
>Behalf Of Alastair Hole
>Sent: 16 May 2012 16:53
>To: [log in to unmask]
>Subject: Re: php-cgi security breach and how our test server was hacked
>
>Are you using CGI or FastCGI with IIS? I would imagine the latter, it's
>unclear if FastCGI is vulnerable or not. We use FastCGI and appending ?-s
>to the URL as described in the vulnerability yields nothing so we appear
>to be unaffected (currently using php 5.3.10)
>
>Regarding security measures we do little beyond keeping windows/microsoft
>updates current and we publish to the WWW via MS Threat Management
>Gateway so inherit whatever protection is inherent to that product.
>
>This vulnerability does seem to allow code execution but it's not obvious
>if that would make it possible to delete something like php-cgi.exe. I
>presume you have ruled out human error/malicious actions from
>authenticated privileged users? How many people have admin access to the
>server?
>
>Alastair
>
>From: Mari-Cruz Garcia <[log in to unmask]<mailto:[log in to unmask]>>
>Reply-To: UK list <[log in to unmask]<mailto:[log in to unmask]>>
>Date: Wednesday, 16 May 2012 16:32
>To: UK list <[log in to unmask]<mailto:[log in to unmask]>>
>Subject: php-cgi security breach and how our test server was hacked
>
>Hello,
>
>I would like to share the following matter in this list, in case that it
>can be useful to others:
>
>We have two live servers implemented in Windows IIS7 (a test and a
>production site). The network security for our servers is done by our
>educational partner and they are using a firewall.
>
>On Monday, I noticed that the test site stopped working due to an error
>related to php-cgi. When I logged in to the server (I use Cisco VPN and
>Remote Desktop Connection to log in to the server; I have been told by our
>provider that this connection is pretty reliable), I noticed that some
>files had been deleted from the php 5.3 folder, including php-cgi.exe.
>
>I fixed the problem and, researching this, there seems to be a security
>breach in php-cgi on Windows servers:
>- http://www.php.net/archive/2012.php#id2012-05-03-1
>- http://www.kb.cert.org/vuls/id/520827
>
>I would have imagined that with a firewall a server is pretty safe, but
>it doesn't seem to be the case.
>
>I am going to upgrade to 5.3.12, but which other security measures do you
>recommend for Windows servers?
>
>Is a Rootkit detector of any good for these cases?
>
>Thank you very much for your advice.
>
>Regards
>
>
>Mari Cruz García
>Educational technologist, The Learning Zone <https://learning.health.org.kw/> / KSeHIN Education Programme
>M.Sc Diabetes Care and Education
>DUCU Representative for the Medical Research Institute
>University of Dundee
>Office: +44(0)1382 740701
>
>
>
>
>The University of Dundee is a registered Scottish Charity, No: SC015096
>-----------------------------------------------------------------------
>This message is sent in confidence for the addressee only. It may contain
>confidential or sensitive information. The contents are not to be
>disclosed to anyone other than the addressee unless specific
>authorisation has been given by the sender. Unauthorised recipients are
>requested to preserve this confidentiality and to advise us of any errors
>in transmission. Thank you.
>
>Save paper, only print this email if really necessary and think green.
>Please turn off PC's and lights when not in use.
>
>Don't just standby, Switch Off!
>
>Worcester College of Technology EcoCampus Group.
>-----------------------------------------------------------------------
>
>
>The University of Dundee is a registered Scottish Charity, No: SC015096

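The `?-s` check Alastair describes in the thread works because of the CGI convention that a query string containing no `=` is split on `+` and handed to the script as command-line arguments, which is how such a request reaches php-cgi's option parser. The following is an added example, not code from the list thread, that applies that rule to IIS W3C log lines to surface requests that would have been passed to php-cgi as arguments; the log lines and the field layout are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the list post). Field order:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-05-14 02:11:03 GET /login/index.php - 198.51.100.7 200
2012-05-14 02:11:09 GET /index.php -s 198.51.100.7 200
2012-05-14 02:11:12 GET /index.php %2Ds 198.51.100.7 200
2012-05-14 02:12:44 GET /course/view.php id=2&page=-s 203.0.113.9 200
2012-05-14 02:13:01 GET /mod/forum/view.php -1 203.0.113.9 404
"""

# A token that php-cgi's option parser would read as a switch: dash + letter.
SWITCH_TOKEN = re.compile(r"^-[A-Za-z]")


def looks_like_cgi_args(query):
    """True if this raw query string would be passed to php-cgi as argv.

    Under the CGI convention a query with no unencoded '=' is not a query
    string at all: the server splits it on '+' and passes the URL-decoded
    pieces as command-line arguments. We decode each piece before matching,
    so a percent-encoded dash (%2Ds) is caught the same way as a literal -s.
    """
    if query in ("", "-"):          # IIS logs '-' when the query is empty
        return False
    if "=" in query:                # treated as a normal query string
        return False
    tokens = [unquote_plus(t) for t in query.split("+") if t]
    return any(SWITCH_TOKEN.match(t) for t in tokens)


def scan(log_text):
    """Return (uri-stem, raw query, client ip) for each suspicious .php hit."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, _method, stem, query, client, _status = parts[:7]
        if stem.lower().endswith(".php") and looks_like_cgi_args(query):
            hits.append((stem, query, client))
    return hits


if __name__ == "__main__":
    for stem, query, client in scan(SAMPLE_LOG):
        print(f"php-cgi argument request from {client}: {stem}?{query}")
```

A `page=-s` inside an ordinary query string is not flagged because the `=` makes the whole string a query, not an argument list.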
