Thread: compromised?

  1. #1
    Join Date: Jul 2005 | Location: Europe | Posts: 95

    compromised?

    Hi,

    Our server seems to be compromised because each of our hosted domains is redirecting to some .jp website. Many customers told me their antivirus pops up telling them there are infected files on their website.

    I can't figure out how this redirect thing is possible. Logically this could be done from Apache or DNS, right?

    Also, I get many "Page cannot be found" errors though the directory/file IS there, and if I keep refreshing the page eventually it loads OR I get redirected to the same .jp website.

    Any ideas??

    Thanks!

  2. #2
    Join Date: Apr 2001 | Posts: 2,588

    If you need to ask, and you don't have someone on staff to resolve this, I'd start going into damage control. Restore, and have a very serious think about the security systems employed on your servers. No script or tutorial will replace the job of a system admin. Computers need babysitters too.

  3. #3
    Join Date: Sep 2004 | Location: Flint, Michigan | Posts: 5,765

    First thing I would do is check for spyware on your personal computer. If your customers are having troubles, this is most likely not the problem, but it could be.

    If you have been root compromised then it is very possible that the compromise is what is doing this.

    A good place to start would be with chkrootkit and rkhunter (do a google on them, if you need more help just post but they're pretty easy tools to run). This will check for the basics of a root kit as well as look for many known root kits.

    The next thing you need to do is look at the logs when you request a page to find out what is actually happening. Also examine the virtual host settings in apache and the zone files for bind (for the domains in question) to see if there is a problem there. Look for the possibility of a .htaccess file in the public_html folders that may be doing a redirect as well as look at the source files of the webpage.

    Comb through your logs such as /var/log/messages to see if there has been any suspicious activity.

    If you are root compromised you are going to most likely have to have a full OS restore fresh, secure it properly, and then load your backups.
    Mike from Zoodia.com
    Professional web design and development services.
    In need of a fresh hosting design? See what premade designs we have in stock!
    Web design tips, tricks, and more at MichaelPruitt.com
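
The checks Mike lists above (redirect rules in .htaccess files, injected markup in page sources) as an added shell example. This is not code from the thread; the account tree it builds is constructed so the functions can be exercised offline, and the public_html layout is an assumption about the hosting setup.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for two of the checks above:
# .htaccess files carrying redirect/rewrite rules, and pages whose source
# contains an iframe pointing at an external host. The account tree is
# constructed here so the functions can be run offline; real layouts differ.

# Print every .htaccess under $1 that contains a Redirect* or RewriteRule line.
find_redirect_htaccess() {
    root="$1"
    find "$root" -type f -name .htaccess 2>/dev/null | sort |
    while read -r f; do
        if grep -Eiq '^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule)[[:space:]]' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every .html/.htm/.php file under $1 whose source contains an iframe
# with an absolute http(s) src. Not every such iframe is hostile, but on a
# shared hosting box an unexplained one is worth a look.
find_injected_iframes() {
    root="$1"
    find "$root" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) \
        -exec grep -Eil "<iframe[^>]+src=[\"']?https?://" {} + 2>/dev/null | sort
}

# Constructed sample: one untouched account and one showing both symptoms.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/clean/public_html" "$base/tampered/public_html"
    printf 'Options -Indexes\n' > "$base/clean/public_html/.htaccess"
    printf '<html><body>hello</body></html>\n' > "$base/clean/public_html/index.html"
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://redirect-target.invalid/ [R,L]\n' \
        > "$base/tampered/public_html/.htaccess"
    printf '<html><body>site<iframe src="http://payload-host.invalid/x" width=0 height=0></iframe></body></html>\n' \
        > "$base/tampered/public_html/index.html"
}
```

Point both functions at the directory that holds the hosting accounts (for example `/home`). An empty result does not clear the box: a hijack that works inside the PHP interpreter, like the one described later in this thread, changes nothing in .htaccess or in the page files, and on a root-compromised machine the `find` and `grep` binaries themselves may have been replaced.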

  4. #4
    Join Date: Oct 2003 | Posts: 566

    If the server is rooted your logs cannot be trusted. chkrootkit et al also don't make sense when run from the compromised system itself. Mount the hard disk from a different system (use your provider's "rescue system", if provided). The only way that's really safe is reimaging the server and restoring your data. If there has been no root compromise then the problem's not that bad.

  5. #5
    Join Date: Jul 2005 | Location: Europe | Posts: 95

    I have found what caused this. Two accounts had these files: flame.so, flame.php, html.php and index.html. I've never created one of the accounts. Not sure how it got there, but I deleted both of them and everything is working now. What do you think guys?

    I am not allowed to post URLs (I don't have 5 posts yet) but this is the quote from that website:

    Neat little tool: Flame.so
    another script found on a shared server... this one actually had me stumped for about a day or so. it's pretty neat; it actually exploits php's ability to load dynamic extensions. Almost every webserver has this feature enabled so it'll probably work...

    Basically, whenever the flame.php script is invoked (through a browser access etc.), it serves every request received by the webserver (regardless of what virtualhost it's coming from or where the script is being accessed) the iframe urls that are in the index.html file.

    This was uploaded to a server with over 1000 virtual hosts/users and all the websites were sending the visitors to the urls contained in the index.html... which contained tons of win32 viruses.

    What's worse is that this script exploits one of the great legitimate features of PHP. As far as I know the only way to prevent / stop this is disabling the dl() function in your php.ini

    --

    get it here: download
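
Two defender-side checks for the mechanism the quoted write-up describes, as an added shell example that is not from the thread or the write-up: whether a php.ini actually disables dynamic extension loading (the fix the write-up names), and whether any shared object is sitting inside an account's document root. The sample ini files and account tree are constructed, and the public_html layout is an assumption about the hosting setup.

```shell
#!/bin/sh
# Added example, not from the thread or the quoted write-up. Checks whether a
# php.ini disables dl() and lists shared objects found under account web roots.
# Sample inis and the account layout below are constructed for demonstration.

# Return 0 if $1 disables dl(): either enable_dl is set to a false value, or
# dl appears in the disable_functions list. Lines starting ';' are comments.
dl_disabled_in_ini() {
    ini="$1"
    if sed 's/;.*$//' "$ini" |
       grep -Eiq '^[[:space:]]*enable_dl[[:space:]]*=[[:space:]]*(off|0|false|no)[[:space:]]*$'; then
        return 0
    fi
    if sed 's/;.*$//' "$ini" |
       grep -Ei '^[[:space:]]*disable_functions[[:space:]]*=' |
       sed 's/^[^=]*=//' | tr ',' '\n' |
       sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
       grep -qix 'dl'; then
        return 0
    fi
    return 1
}

# Print every *.so found below a public_html directory under $1. A hosting
# account's document root has no business containing a compiled extension.
find_so_in_webroots() {
    root="$1"
    find "$root" -path '*/public_html/*' -type f -name '*.so' 2>/dev/null | sort
}

# Constructed samples: one ini with dynamic loading left on, and two that
# close it in the two ways dl_disabled_in_ini recognises.
make_sample_inis() {
    base="$1"
    mkdir -p "$base"
    printf '; dynamic loading left on\nenable_dl = On\ndisable_functions =\n' > "$base/weak.ini"
    printf 'enable_dl = Off\n' > "$base/hardened-a.ini"
    printf 'enable_dl = On\ndisable_functions = exec, system, dl ,passthru\n' > "$base/hardened-b.ini"
}
```

Run `dl_disabled_in_ini` against the php.ini each SAPI actually loads (`php --ini` shows the path for the CLI; the Apache module may use a different one), since a hardened file that is not the one in use protects nothing.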

  6. #6
    Join Date: Sep 2004 | Location: Flint, Michigan | Posts: 5,765

    You should be alright. I would look into how it actually got on the machine to begin with though (possibly a bad script running on one of the user's accounts).

  7. #7
    Join Date: Jul 2005 | Location: Europe | Posts: 95

    One of the accounts that had these files was created by one of my resellers, but I've deleted it.

    It's unbelievable what a small file can do to over 300 accounts. :/

  8. #8
    Join Date: Sep 2004 | Location: Flint, Michigan | Posts: 5,765

    That's always the battle. Security vs. features. The more features you allow (in a programming language, server, just about anything) the more security concerns you will have.

  9. #9
    Join Date: Apr 2001 | Posts: 2,588

    Thankfully I've bragged the mods into upping my post count in order to post this:
    http://www.google.com/search?hl=en&l...so&btnG=Search

  10. #10
    Join Date: Jul 2005 | Location: Europe | Posts: 95

    Yes, it's the 2nd link, the one with ****-l33t.com.

  11. #11
    Join Date: Apr 2002 | Location: USA | Posts: 5,779

    Do a search for Flame.so; there is already a long thread in this forum on it.
