
Security question / problem?

Open neotrace opened this issue 4 years ago • 3 comments

Hi, we deployed automad on a webserver of a very security conscious webhoster this week. He contacted me today and was very concerned that the system is trying to use "sudo" commands to gain access to the system. Usually this is related to hacking attempts according to him.

We tried looking through your code but could not find the source for this. According to his security logs, the problem occurs when someone is active in the dashboard. In his logs there is a POST request from /dashboard?ajax=autocomplete_search which triggers the mentioned "sudo" attempt. He has the theory that some kind of malicious code is inside the JavaScript which triggers the POST. But since the JS is quite complex we are unable to verify easily.

Therefore we would like to ask you who knows the code best, if this is normal that automad is trying "sudo" commands on the server? We already tried deleting the whole installation and did a fresh install from your github repo and the problem persists. If this is not normal for automad then do you have an idea how this can happen?

Please help. Regards, Steffen

neotrace, Dec 18 '20 16:12

Hi Steffen,

I can understand your concerns. I'm not aware of any part of Automad that is running sudo commands on the system. Aside from security, such behaviour would also create other cross-platform issues. The POST request you mention is actually not doing anything else than retrieving the list of pages to be used as autocompletion data. There is not much JavaScript involved. It would be very helpful to see those logs to be able to judge the situation a bit better. Maybe there is an issue with the logs that creates such confusion.

marcantondahmen, Dec 19 '20 17:12

Hi, the hoster has sent me some lines of code from his security logs:

```
Dec 18 16:20:24 www sudo[10482]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
Dec 18 16:20:47 www sudo[10501]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
Dec 18 16:21:20 www sudo[10518]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
```

The error occurs because in his security concept there is no file "/etc/sudoers" even though "sudo" is installed. This is intended to prevent unauthorized access. This is what triggered his alert mail.

The corresponding Apache log requests were as follows:

```
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "GET /dashboard?context=edit_page&url=%2Fkontakt HTTP/1.1" 200 43839 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fcontent" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=page_data HTTP/1.1" 200 25678 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=select_image HTTP/1.1" 200 7230 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=files HTTP/1.1" 200 2208 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=status HTTP/1.1" 200 24 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=status HTTP/1.1" 200 24 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "GET /lib/fonts/inter/inter-italic-var.woff2?v=3.15 HTTP/1.1" 304 - "https://www.domainremoved.com/automad/gui/dist/automad.min.css?v=1.6.6" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=status HTTP/1.1" 200 24 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=autocomplete_link HTTP/1.1" 200 2161 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
xxx.xxx.xxx.xxx - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=autocomplete_search HTTP/1.1" 200 2119 "https://www.domainremoved.com/dashboard?context=edit_page&url=%2Fkontakt" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0"
```

I obfuscated IPs and domain names for privacy reasons. Clearly, while browsing the backend, the requests made result in a corresponding missing "/etc/sudoers" error if you compare the timestamps.

Hope that helps? Regards, Steffen

neotrace, Dec 21 '20 16:12
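The comparison Steffen describes (matching the `sudo` syslog entries against the Apache access log by timestamp) is the kind of check worth automating before drawing conclusions. The script below is an added example, not part of the issue thread or of Automad; it parses both log formats, joins them on a configurable time window, and reports which `sudo` events have no request at all inside the window. The sample log lines are constructed to resemble the ones posted above (a documentation IP, a trimmed user agent, and an extra request that falls outside every window), and the year for the syslog entries, which carry none, is passed in as an assumption. Note that the `sudo` lines on the page carry no `COMMAND=` field, because `sudo` gave up before reading the policy, so a timestamp join can only show which requests coincided with an attempt; it cannot show which process inside the web server invoked `sudo`. That question needs process-execution auditing on the host rather than log correlation.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines modelled on the thread (not the hoster's real logs).
SUDO_LOG = """\
Dec 18 16:20:24 www sudo[10482]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
Dec 18 16:20:47 www sudo[10501]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
Dec 18 16:21:20 www sudo[10518]: apache : unable to stat /etc/sudoers : No such file or directory ; TTY=unknown ; PWD=/var/www/servers/www/html ; USER=root ;
"""

ACCESS_LOG = """\
203.0.113.5 - - [18/Dec/2020:16:20:24 +0100] "GET /dashboard?context=edit_page&url=%2Fkontakt HTTP/1.1" 200 43839 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=page_data HTTP/1.1" 200 25678 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2020:16:20:24 +0100] "POST /dashboard?ajax=autocomplete_search HTTP/1.1" 200 2119 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2020:16:20:47 +0100] "POST /dashboard?ajax=status HTTP/1.1" 200 24 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Dec/2020:16:25:00 +0100] "GET /lib/fonts/inter/inter-italic-var.woff2?v=3.15 HTTP/1.1" 304 - "-" "Mozilla/5.0"
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sudo[pid]: user : message"
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"sudo\[(?P<pid>\d+)\]: (?P<user>\S+) : (?P<msg>.*)$"
)
# Apache combined log format, up to the response size.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_sudo_log(text, year):
    """Parse sudo syslog lines. Syslog omits the year, so it is an assumption passed in."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "pid": int(m["pid"]), "user": m["user"], "msg": m["msg"].strip()})
    return events


def parse_access_log(text):
    """Parse Apache combined-format lines into naive local timestamps (same host clock as syslog)."""
    reqs = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        # Apache logs carry a UTC offset; syslog does not. Both come from one host, so keep wall-clock time.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        reqs.append({"time": ts, "ip": m["ip"], "method": m["method"],
                     "path": m["path"], "status": int(m["status"])})
    return reqs


def correlate(sudo_events, requests, window_seconds=1):
    """For each sudo event, collect every request whose timestamp lies within +/- window_seconds."""
    window = timedelta(seconds=window_seconds)
    out = []
    for ev in sudo_events:
        matched = [r for r in requests if abs(r["time"] - ev["time"]) <= window]
        out.append({"pid": ev["pid"], "time": ev["time"], "matches": matched})
    return out


def matched_paths(correlation):
    """'METHOD path' strings per sudo event, in log order."""
    return [[f"{r['method']} {r['path']}" for r in c["matches"]] for c in correlation]


def unmatched_sudo_pids(correlation):
    """sudo events with no request in their window: evidence against 'a request triggered it'."""
    return [c["pid"] for c in correlation if not c["matches"]]


def path_frequency(correlation):
    """How often each path shows up next to a sudo event; a single recurring path would be a lead."""
    return Counter(r["path"] for c in correlation for r in c["matches"])


if __name__ == "__main__":
    corr = correlate(parse_sudo_log(SUDO_LOG, year=2020), parse_access_log(ACCESS_LOG))
    for c, paths in zip(corr, matched_paths(corr)):
        print(f"sudo[{c['pid']}] at {c['time']}: {paths or 'no request in window'}")
    print("sudo events without a request:", unmatched_sudo_pids(corr))
    print("path frequency:", dict(path_frequency(corr)))
```

On the constructed data the first `sudo` event coincides with three requests in the same second, so a one-second join cannot single out `autocomplete_search`, and the third event coincides with no request at all. That is the practical lesson: second-granularity access logs rule requests in or out only loosely, and a request-based hypothesis should be tested with tighter evidence (a `%D` or `%{msec}t` style timestamp in the Apache log, or execution auditing of the `apache` user's processes).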

Hi, thanks. It is nothing special to not allow Apache to run sudo commands. In fact it is quite a standard to have a very restricted user for Apache. And as I wrote before, Automad doesn't run any kind of system related commands — with or without sudo.

What I can see in the logs is that your hoster even has issues with CSS and font files. That is more than strange. It is literally impossible for CSS or font files to be harmful in any scenario.

It is also not clear to me what action or command actually triggered the alert. The logs don't show this.

marcantondahmen, Dec 21 '20 16:12