Results 1 to 16 of 16
  1. #1

    Question accounts hacked, how to find hacker?

    A couple of owners of websited on my server has contacted me saying that their acocunts has been hacked, their files has been modified and in some cases their passwords were changed causing them not to be able to login.

    I was told that this was probobly caused by a PHP exploit, however one of the affected accounts didnt have any PHP scripts or PHP pages on his account.
    Some of the accounts did change their passwords but that did not help the hacker did still get access to their accounts.

    I have no idea what to do here.

    What should i do to find who is hacking the accounts? (what log to check and what do i check for)

    How do I block the hacker? Would blocking the IP in APF be enough (if i find the offending IP that is).

    My server details:
    RedHat Enterprise 3 i686
    Kernel version: 2.4.21-32.0.1.ELsmp
    Apache version: 1.3.33 (Unix)
    CPanel: 10.2.0-RELEASE 82
    MySQL version: 4.0.24-standard
    PHP version: 4.3.11
    PERL version: 5.8.0

  2. #2
    Greetings:

    Please consider asking your server administrator / security administrator to review the server logs, check /tmp, /var/tmp, and /dev/shm (/dev/shm is on Linux-based servers) for suspicious files.

    While many hacks can take place without root kits, have them run chkrootkit from http://www.chkrootkit.org/ and root kit hunter from http://www.rootkit.nl/

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  3. #3
    I forgot to mention, both chkrootkit and rkhunter were run and no suspisius files were found.

    What logfiles should i check?

  4. #4
    Originally posted by yemoller
    I forgot to mention, both chkrootkit and rkhunter were run and no suspisius files were found.

    What logfiles should i check?
    Did this happen to take place on a server at The Planet?

    Had a similar thing happen at The Planet recently. I immediately cancelled my account with them and moved elsewhere after they would not cooperate with me in running down the problem with the hack.

  5. #5
    Yes, it is a ThePlanet server.

  6. #6
    Originally posted by yemoller
    Yes, it is a ThePlanet server.
    I was a little more than at them over my incident, which involved a PHP hack that affected the parser syntax of MySQL. The hack that hit me did not leave behind a clearly recognizable signature.

    It sounds like The Planet may have a problem with a compromised system or two, and that once the hacker/cracker knew they had found a portal into the system, they went for more than one server, or partition, or both.

    If you have root access, pour over your access logs and any other logs you have access too. If you don't have root access, try and get The Planet, or whomever the company is that is the primary host with The Planet, to cooperate with you in securing the logs and cleaning up the server. If they start giving you the run around, I would tell them good-bye and take your account elsewhere.

    It appears that there is about to be some big exploit problems with PHP script based programs.
    isc.sans.org/infocon.php

    Hint: Secure your servers and update your programs.

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,290
    How is this a theplanet problem?
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  8. #8
    I have root access, however im not verry experinced with the logs.
    What logs should i check and what should i check for.

    I am not holdign ThePlanet responsable in any way, they have always been good to me!

  9. #9
    Originally posted by thelinuxguy
    How is this a theplanet problem?
    Quote my post:
    "It sounds like The Planet may have a problem with a compromised system or two, and that once the hacker/cracker knew they had found a portal into the system, they went for more than one server, or partition, or both."

    I have the error logs on file showing the problem and the hacks. At the time I did not have root access to my server, and the techs handling the problem played dumb in regards to the explicit and detailed information I provided them with, regarding both the problem and the hack, which corrupted the MySQL.

    I now have a dedicated server with root access elsewhere.

    Basic security logic: If you have a corruption in your system at the root level, you have a compromised server, or a server that can be compromised, or a server that has been compromised. The rationale is to look for what caused the server to be compromised in the first place and to close up the hole. [Hint: This applied logic comes from 30+ years of security experience.]

    Originally posted by the yemoller
    I have root access, however im not verry experinced with the logs.
    What logs should i check and what should i check for.
    If you have mod_security in place, try looking in those logs. Also, if you have your access logs, start pouring through those. If you run PHP programs, start pouring over the error logs produced by those programs; if they have an error log. If you have a filter in place and it produce's logs, look at those logs as well. Look for intrusions into areas that are producing errors of any type, such as permissions denied, etc.

  10. #10
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    I do not understand how you can even attempt to blame ThePlanet for this issue.

    Firstly you do not even have any idea what happened to him, you are just assuming what happened too you is the same for him.

    As for your server, even if another theplanet server was compromised this would not put your server in any danager than it already was.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  11. #11
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    This is far from a TP issue, as is/was yours. The responsibility is always on the owner/lesee of the server to keep security up to par. As well, it is the SITE owner's responsibility to keep their scripts up to date, not the server owner or administrator's responsibility (unless the owner/admin specifically agrees to do that).

    The reason for this is really quite simple:
    You figure that you need 1-200 accounts on a server to break even. Much more, and you overload the server, cause problems, and, well, that's just not good. This INCLUDES resold accounts.

    Take those 1-200 accounts, and figure that 1:3 will have phpbb installed, maybe a bit higher, maybe a bit lower, but most likely it'll be close to that figure.

    Now, take those 1-200 accounts, and figure mail, etc, all that jazz. It is (literally) impossible for the server owner to keep track of what is going on with whom on any shared server. sure, you can do your best, but, even your best (at times) just flat out doesn't do.

    So, how to get around this?
    Simple, really. Put something into your TOS that states that all users are responsible for updating their own web software (such as phpbb, phpnuke, etc), and any user whos account is used to hack into the server like this will be suspended until such time as it's fixed.

    This covers everyone, everywhere.

    Sure, SOME (some) of these fixes can be automated with patches and scripts, and there's even a few out there to do this, but, for the most part, it's not that simple.

    The alternative to this is doing something like enforcing strict php rules, strict perl rules, disabling every worthwhile function in php, limiting both get and curl, and just basically having an unusable server. I can't count the times individuals have called me (or mailed me) and said "so and so screwed up my server because they limited function xxx", and asked me to fix it. Honestly, limiting functions does nothing huge for security and WILL result in fewer clients.

    That's not saying to be lax on security, but it IS saying that at some point, it becomes the end user's responsibility to manage their own websites and update software as necessary.

    I forgot to mention, both chkrootkit and rkhunter were run and no suspisius files were found.
    While VERY good tools, they won't find everything. It's entirely possible that the hacker got in through a php shell script, or a perl exploit, or some other exploit. Once they're in your system (as in this case, apparently they are), then it's time to reformat and reinstall, going back to backups that are at least a month old, and forcing a password change for all users (don't forget to post something in your helpdesk telling your users what is going on)


    Why this old? Because if the hacker's gotten into your system, then you can't assume he's only affected current files, you need to be 100% sure that this isn't affecting ALL files, so , grab some sort of offsite backup, throw it into things and go from there.

    Unfortunately, without more details, it's really not possible to make a guess as to what the problem could be. You'll need to run a thorough scan on your system and make sure that it's secure, once the restoration is complete though, to prevent the individual from coming back. As well, for god's sakes, hire an admin to manage your server, if you don't know anything about it, because NOT doing so will only cause more problems and affect everyone internetwide possibly.

  12. #12
    I have a company doing the updating and securing on the server, but they doesnt seem to be doing to much about this.

    The last i got from them was that my server probobly is compromised and i chould request a OS reload, I hope they manage to find how it became comromised to start with so it doesnt happen again.

  13. #13
    Join Date
    Mar 2004
    Location
    Singapore
    Posts
    6,984
    Check if Steve , thelinuxguy is around, he is very solid at compromised servers.

  14. #14
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    869
    Read this article in the link http://linuxgazette.net/111/cherian.html . It will be of great help to you.
    Blessen Cherian
    Follow me on twitter.com/blessenonly
    Over a decade plus in the Hosting Industry

  15. #15
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    869
    Finding a hacker is a tough job and it should be done by professionals . Try to search for some Security Admin and assign him the work.

    Read this article in the link http://linuxgazette.net/111/cherian.html . It will be of great help to you.
    Blessen Cherian
    Follow me on twitter.com/blessenonly
    Over a decade plus in the Hosting Industry

  16. #16
    Thanks for that link, i have actually found the hacker :-) turns out he had an acocunt on hte server.
    I have also managed to find an additional 10 accounts he gained access to.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •