07-05-2005, 11:20 AM #1 Newbie (Join Date: Jan 2003, Posts: 27)
accounts hacked, how to find hacker?
A couple of owners of websites on my server have contacted me saying that their accounts have been hacked, their files have been modified, and in some cases their passwords were changed, causing them not to be able to log in.
I was told that this was probably caused by a PHP exploit, however one of the affected accounts didn't have any PHP scripts or PHP pages on his account.
Some of the accounts did change their passwords, but that did not help; the hacker still got access to their accounts.
I have no idea what to do here.
What should I do to find who is hacking the accounts? (What log do I check, and what do I check for?)
How do I block the hacker? Would blocking the IP in APF be enough (if I find the offending IP, that is)?
My server details:
RedHat Enterprise 3 i686
Kernel version: 2.4.21-32.0.1.ELsmp
Apache version: 1.3.33 (Unix)
CPanel: 10.2.0-RELEASE 82
MySQL version: 4.0.24-standard
PHP version: 4.3.11
PERL version: 5.8.0
-
07-05-2005, 11:32 AM #2 Web Hosting Master (Join Date: Dec 2001, Posts: 5,221)
Greetings:
Please consider asking your server administrator / security administrator to review the server logs, check /tmp, /var/tmp, and /dev/shm (/dev/shm is on Linux-based servers) for suspicious files.
While many hacks can take place without root kits, have them run chkrootkit from http://www.chkrootkit.org/ and root kit hunter from http://www.rootkit.nl/
Thank you.
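As an added example (not code from this thread or from any of its posters), the following POSIX sh script does the first-pass check the reply above describes: it walks /tmp, /var/tmp and /dev/shm and prints any regular file that carries an execute bit, sits under a hidden path component, or starts with the ELF magic bytes, so an administrator who is "not very experienced with the logs" has a short list to look at rather than a whole directory. The directory list, the flag names and the script file name `scan_tmp.sh` are assumptions made for this example.

```shell
#!/bin/sh
# Added triage helper for world-writable scratch directories. It is an
# example written for this thread, not code from the forum or from any
# tool named in it. Flag names and the directory list are assumptions.

# file_flags DIR PATH
# Prints a comma-separated list of flags for one file, or nothing if the
# file looks unremarkable:
#   exec - an execute bit is set (scripts and binaries rarely belong in /tmp)
#   dot  - a hidden component ("/.") appears in the path relative to DIR
#   elf  - the first four bytes are 7f 45 4c 46, the ELF magic (native binary)
file_flags() {
    dir=$1
    f=$2
    rel=${f#"$dir"}
    flags=""
    if [ -x "$f" ]; then flags="${flags}exec,"; fi
    case "$rel" in */.*) flags="${flags}dot,";; esac
    magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then flags="${flags}elf,"; fi
    printf '%s' "${flags%,}"
}

# scan_tmp_dirs DIR...
# Scans each directory given (missing ones are skipped), stays on the
# same filesystem, and prints "<flags><TAB><path>" per flagged file.
scan_tmp_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
            flags=$(file_flags "$dir" "$f")
            if [ -n "$flags" ]; then
                printf '%s\t%s\n' "$flags" "$f"
            fi
        done
    done
}

# Stand-alone use: save as scan_tmp.sh and run it to scan the three
# directories named in the reply. The guard keeps the scan from running
# when the file is only sourced for its functions.
if [ "${0##*/}" = "scan_tmp.sh" ]; then
    scan_tmp_dirs /tmp /var/tmp /dev/shm
fi
```

A hit is a lead, not a verdict: legitimate software does drop sockets and lock files in these directories, so each flagged path still needs its owner, timestamps and contents compared against what the accounts on the box are expected to run.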
-
07-05-2005, 12:04 PM #3 Newbie (Join Date: Jan 2003, Posts: 27)
I forgot to mention, both chkrootkit and rkhunter were run and no suspicious files were found.
What logfiles should I check?
-
07-05-2005, 01:22 PM #4 Newbie (Join Date: Dec 2004, Posts: 5)
Originally posted by yemoller:
I forgot to mention, both chkrootkit and rkhunter were run and no suspicious files were found.
What logfiles should I check?
Had a similar thing happen at The Planet recently. I immediately cancelled my account with them and moved elsewhere after they would not cooperate with me in running down the problem with the hack.
-
07-05-2005, 01:53 PM #5 Newbie (Join Date: Jan 2003, Posts: 27)
Yes, it is a ThePlanet server.
-
07-05-2005, 02:07 PM #6 Newbie (Join Date: Dec 2004, Posts: 5)
Originally posted by yemoller:
Yes, it is a ThePlanet server.
It sounds like The Planet may have a problem with a compromised system or two, and that once the hacker/cracker knew they had found a portal into the system, they went for more than one server, or partition, or both.
If you have root access, pore over your access logs and any other logs you have access to. If you don't have root access, try and get The Planet, or whichever company is the primary host with The Planet, to cooperate with you in securing the logs and cleaning up the server. If they start giving you the run-around, I would tell them good-bye and take your account elsewhere.
It appears that there is about to be some big exploit problems with PHP script based programs.
isc.sans.org/infocon.php
Hint: Secure your servers and update your programs.
-
07-05-2005, 02:07 PM #7 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)
How is this a ThePlanet problem?
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
07-05-2005, 02:13 PM #8 Newbie (Join Date: Jan 2003, Posts: 27)
I have root access, however I'm not very experienced with the logs.
What logs should I check, and what should I check for?
I am not holding ThePlanet responsible in any way, they have always been good to me!
-
07-05-2005, 02:39 PM #9 Newbie (Join Date: Dec 2004, Posts: 5)
Originally posted by thelinuxguy:
How is this a ThePlanet problem?
"It sounds like The Planet may have a problem with a compromised system or two, and that once the hacker/cracker knew they had found a portal into the system, they went for more than one server, or partition, or both."
I have the error logs on file showing the problem and the hacks. At the time I did not have root access to my server, and the techs handling the problem played dumb in regards to the explicit and detailed information I provided them with, regarding both the problem and the hack, which corrupted the MySQL.
I now have a dedicated server with root access elsewhere.
Basic security logic: If you have a corruption in your system at the root level, you have a compromised server, or a server that can be compromised, or a server that has been compromised. The rationale is to look for what caused the server to be compromised in the first place and to close up the hole. [Hint: This applied logic comes from 30+ years of security experience.]
Originally posted by yemoller:
I have root access, however I'm not very experienced with the logs.
What logs should I check, and what should I check for?
-
07-05-2005, 11:40 PM #10 Engineer (Join Date: Jan 2005, Location: Scotland, UK, Posts: 2,681)
I do not understand how you can even attempt to blame ThePlanet for this issue.
Firstly, you do not even have any idea what happened to him; you are just assuming what happened to you is the same for him.
As for your server, even if another ThePlanet server was compromised, this would not put your server in any more danger than it already was.
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
Check our wordpress varnish plugin. Contact us for quote: sales@admingeekz.com
-
07-06-2005, 12:06 AM #11
This is far from a TP issue, as is/was yours. The responsibility is always on the owner/lessee of the server to keep security up to par. As well, it is the SITE owner's responsibility to keep their scripts up to date, not the server owner or administrator's responsibility (unless the owner/admin specifically agrees to do that).
The reason for this is really quite simple:
You figure that you need 1-200 accounts on a server to break even. Much more, and you overload the server, cause problems, and, well, that's just not good. This INCLUDES resold accounts.
Take those 1-200 accounts, and figure that 1:3 will have phpbb installed, maybe a bit higher, maybe a bit lower, but most likely it'll be close to that figure.
Now, take those 1-200 accounts, and figure mail, etc, all that jazz. It is (literally) impossible for the server owner to keep track of what is going on with whom on any shared server. sure, you can do your best, but, even your best (at times) just flat out doesn't do.
So, how to get around this?
Simple, really. Put something into your TOS that states that all users are responsible for updating their own web software (such as phpbb, phpnuke, etc.), and any user whose account is used to hack into the server like this will be suspended until such time as it's fixed.
This covers everyone, everywhere.
Sure, SOME (some) of these fixes can be automated with patches and scripts, and there's even a few out there to do this, but, for the most part, it's not that simple.
The alternative to this is doing something like enforcing strict php rules, strict perl rules, disabling every worthwhile function in php, limiting both get and curl, and just basically having an unusable server. I can't count the times individuals have called me (or mailed me) and said "so and so screwed up my server because they limited function xxx", and asked me to fix it. Honestly, limiting functions does nothing huge for security and WILL result in fewer clients.
That's not saying to be lax on security, but it IS saying that at some point, it becomes the end user's responsibility to manage their own websites and update software as necessary.
I forgot to mention, both chkrootkit and rkhunter were run and no suspicious files were found.
Why this old? Because if the hacker's gotten into your system, then you can't assume he's only affected current files; you need to be 100% sure that this isn't affecting ALL files, so, grab some sort of offsite backup, throw it into things and go from there.
Unfortunately, without more details, it's really not possible to make a guess as to what the problem could be. You'll need to run a thorough scan on your system and make sure that it's secure, once the restoration is complete though, to prevent the individual from coming back. As well, for god's sakes, hire an admin to manage your server, if you don't know anything about it, because NOT doing so will only cause more problems and affect everyone internetwide possibly.
-
07-06-2005, 08:20 AM #12 Newbie (Join Date: Jan 2003, Posts: 27)
I have a company doing the updating and securing on the server, but they don't seem to be doing too much about this.
The last I got from them was that my server is probably compromised and I should request an OS reload. I hope they manage to find how it became compromised to start with so it doesn't happen again.
-
07-06-2005, 08:33 AM #13 Retired Moderator (Join Date: Mar 2004, Location: Singapore, Posts: 6,990)
Check if Steve, thelinuxguy, is around; he is very solid at compromised servers.
-
07-06-2005, 12:29 PM #14 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
Read this article at http://linuxgazette.net/111/cherian.html. It will be of great help to you.
Blessen Cherian
Follow me on twitter.com/blessenonly
Two decades in the Web Hosting Industry
-
07-06-2005, 12:31 PM #15 Web Hosting Master (Join Date: Aug 2003, Location: Gods Own Country, Posts: 892)
Finding a hacker is a tough job and it should be done by professionals. Try to search for a Security Admin and assign him the work.
Read this article at http://linuxgazette.net/111/cherian.html. It will be of great help to you.
Blessen Cherian
Follow me on twitter.com/blessenonly
Two decades in the Web Hosting Industry
-
07-06-2005, 02:10 PM #16 Newbie (Join Date: Jan 2003, Posts: 27)
Thanks for that link, I have actually found the hacker :-) Turns out he had an account on the server.
I have also managed to find an additional 10 accounts he gained access to.