Download of ImageMagick 6.6.0-8 hacked?

SEO

Download of ImageMagick 6.6.0-8 hacked?

Post by SEO »

Dear ImageMagick (users),

Today I downloaded the latest ImageMagick version from the mirror in The Netherlands that I found on http://www.imagemagick.org/script/download.php

ftp://ftp.nluug.nl/pub/ImageMagick/Imag ... 0-8.tar.gz

I followed the instructions on http://andrewduck.name/2009/01/imagemag ... -centos-5/

Then during the command make install I got disconnected from the internet.

After my connection was restored I could not log in via SSH anymore using the root login. Also WinSCP (SFTP) did not accept my root password anymore.

The host has restored an old password so that I was able to log in again, and then I discovered the following commands in the command log, as if someone had tried to hack the server.

The first questionable command I noticed was:
The second shows someone trying to delete the history and access logs:
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
The most important thing is: this is a brand new server. ImageMagick is the only and first thing that needed to be installed for a custom-made script to get working on it. So there isn't any other possible cause, other than yum update (CentOS), which probably should not be considered as a possible cause.

Can anyone confirm this hack could be caused by the ImageMagick installation? If more information is required, please let me know!

Best Regards,
Jan Jaap
magick
Site Admin
Posts: 11064
Joined: 2003-05-31T11:32:55-07:00

Re: Download of ImageMagick 6.6.0-8 hacked?

Post by magick »

We include the SHA256 digest for each ImageMagick download. The authoritative source of ImageMagick distribution is on an undisclosed remote host that is mirrored to ftp.imagemagick.org. Each ImageMagick distribution has a SHA256 digest registered at ftp://ftp.imagemagick.org/pub/ImageMagick/digest.rdf. ImageMagick-6.6.0-8.tar.gz has a digest of 4279130da7add9704bcaf14f571393da27022c82d24b95cf7c81fe93116b9089. You can check yourself with
  • sha256sum ImageMagick-6.6.0-8.tar.gz
    4279130da7add9704bcaf14f571393da27022c82d24b95cf7c81fe93116b9089 ImageMagick-6.6.0-8.tar.gz
Downloading ftp://ftp.nluug.nl/pub/ImageMagick/Imag ... 0-8.tar.gz returns the expected checksum of 4279130da7add9704bcaf14f571393da27022c82d24b95cf7c81fe93116b9089.

Next we unpack the distribution and compare it against the Subversion trunk, and no differences are found, suggesting the distribution has not been modified. Next, we peruse the distribution visually and with grep and find nothing nefarious. A quick security check against the imagemagick.org host returns no exploits. In addition, we have no other reports of hacks. All of this suggests your security breach is not due to the ImageMagick distribution.

You of course can check out the distribution yourself to assure yourself your host was compromised by some other method than downloading / installing ImageMagick.
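The check the reply describes, comparing `sha256sum` output against the digest registered on ftp.imagemagick.org, is the step a downloader should run before `./configure`, and it should fail closed. The script below is an added example, not ImageMagick's own tooling: it wraps the comparison in a function that returns non-zero on a mismatch or a missing file, and exercises it on a constructed fixture (a file containing "abc", whose SHA256 is a published test vector) and a copy with one byte appended. The one caveat worth stating: the expected digest must come from the authoritative host or digest.rdf, not from the same mirror that served the tarball, otherwise a compromised mirror can simply serve a matching digest alongside its modified archive.

```shell
#!/bin/sh
# Added example (not from the ImageMagick project): verify a downloaded
# archive against a SHA256 digest obtained out-of-band from the authoritative
# host, and fail closed on a mismatch. File names and contents are constructed.

# Print the hex SHA256 of a file, using sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED
# Exit status 0 only if FILE exists and its digest equals EXPECTED
# (compared case-insensitively); 1 otherwise, with the two digests on stderr.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_sha256: no such file: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file $actual"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed fixture: SHA256("abc") is a published test vector, so the
# expected value here is known independently of the tool that computes it.
GOOD_DIGEST=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
WORK=$(mktemp -d)
printf 'abc' > "$WORK/archive.tar.gz"
cp "$WORK/archive.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"        # one appended byte is enough to fail

# For a real download the call would be, with the digest copied from digest.rdf:
#   verify_sha256 ImageMagick-6.6.0-8.tar.gz 4279130da7add9704bcaf14f571393da27022c82d24b95cf7c81fe93116b9089
verify_sha256 "$WORK/archive.tar.gz"  "$GOOD_DIGEST"
verify_sha256 "$WORK/tampered.tar.gz" "$GOOD_DIGEST" || echo "refusing to unpack tampered.tar.gz"
# Remove "$WORK" when finished with the fixture files.
```

In a build script, chain it as `verify_sha256 "$TARBALL" "$EXPECTED" && tar xzf "$TARBALL"` so that nothing is unpacked, let alone installed as root, unless the digest matches.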
SEO

Re: Download of ImageMagick 6.6.0-8 hacked?

Post by SEO »

Dear Magick,

Thank you for your reply and the assurance that the server could not have been compromised by the ImageMagick installation. The host is currently reinstalling the server and will install ImageMagick themselves, and hopefully it will not happen again.

Best Regards,
Jan Jaap