  1. #1
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106

    * server hacked (?) - how?

    Hi guys,

    One of my clients claims his website was hacked and the hacker got the source code of his own very valuable script.
    He spoke with the hacker, who said that he used a vulnerability in our server to get the files.
    How could that happen? What program could be vulnerable?
    We have open_basedir set to the user's dir (the hacker said he didn't use a badly-written script), tmp is secured, safe_mode is on, PHP can't exec system commands, rkhunter + chkrootkit find nothing, no root logins except me.
    System: CentOS 4.0 kernel: 2.6.9-5.0.3.EL
    Thanks for your helpful input in advance!

  2. #2
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Quote Originally Posted by davevad
    One of my clients claims his website was hacked and the hacker got the source code of his own very valuable script.
    Was this a PHP script?
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  3. #3
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Yes, it's a PHP-based WAP chat script.

  4. #4
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    I have seen many "PHP-based WAP chat scripts" and can't say that they are very secure. Many of them use register_globals=on and also send sensitive information in GET requests. Of course, I have not seen the script which you say is secure, but most likely it is based on one of the popular WAP chat scripts. And I should say that none of them are very secure...
    Maybe if you investigate the customer's web logs or the mod_security logs (if you use it) you may find out how the script was stolen.
    Rustelekom LLC Dedicated server since 2002, RIPE NCC member, LIR, AS51168

  5. #5
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Thanks for the answer, rustelekom.
    The script is unique, it was developed by the client.
    I also think that it might be a bug in his script, but he asked the hacker the following questions: "Was there an error in the chat? Did I misconfigure something on the server? Was it the server's fault?" As a reply he got that it was a vulnerability on the server he used. And THAT makes me worry.
    I don't use mod_security and a daily log for this site is ~70MB and no one knows when the incident happened, so it would be pretty difficult to look them all through.

  6. #6
    Join Date
    Sep 2005
    Location
    Essex, England
    Posts
    548
    Of course, the hacker may just be lying...
    Would you trust a thief to tell the truth?

  7. #7
    Join Date
    May 2002
    Location
    Moscow
    Posts
    1,490
    A hacker is not the right person to trust, of course, and for a story that has already happened this will not help, but try enabling mod_security and changing the default settings to log,allow. As a minimum you will see what happens on the web side of the server and who tries to compromise it. BTW: securing tmp does not protect you from hacking. A hacker may use Perl and run any script on a secured /tmp partition...

  8. #8
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    I'm glad you rather think that the hacker lies and not that it was my fault. I somehow believe this guy. Why would he lie? To make the client go to a different host?
    Anyway, thanks I'll install mod_security this weekend and I'll ask the client to rewrite the script so I can disable register_globals.

  9. #9
    Join Date
    Sep 2005
    Location
    Essex, England
    Posts
    548
    He might lie in order to stop the customer from securing his script.

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Just for info: that kernel is exploitable, so I wonder how much more is out of date on the server.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  11. #11
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Blapto: Well, I haven't thought of that.
    Thelinuxguy: I know, I'll upgrade it but I hate shutting down/restarting the server because of that. But if you think that it was the cause for this hack, I'll upgrade it today! Besides that everything is up-to-date on the machine.
    Last edited by davevad; 11-19-2005 at 12:00 PM.

  12. #12
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    kernels are vital to keep upgraded.. exploits in the kernel can lead to root compromise.

  13. #13
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    OK, I'll do it ASAP. Just have to inform my users.
    You think that made this incident possible?

  14. #14
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    no. I think his script was probably exploitable

  15. #15
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Are you running the latest versions of PHP, Apache, etc.?

  16. #16
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Steven: That sounds convincing to me, thanks.
    elix: Apache is the newest, PHP is still 4.4.0. CGIs are not allowed.

  17. #17
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Dave,

    Have a look around your Apache logs for any sort of commands that would allow someone to view the files, such as `cat`, `wget`, `curl`, `GET` and so on.

    Find all the scripts that execute commands on the server:

    find /home -name '*.php' -exec grep 'system(' {} \; -print
    find /home -name '*.php' -exec grep 'exec(' {} \; -print
    find /home -name '*.php' -exec grep 'passthru(' {} \; -print

    There are lots more; find the rest of them at www.php.net/system, which will show you the related functions.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implimentation, DDoS Protection, Custom Nginx Modules
    Check our wordpress varnish plugin. Contact us for quote: [email protected]

  18. #18
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Scott: Safe_mode is on and safe_mode_exec_dir is set to a dir with the following minimum content: convert, ncftpput, ping, tar.
    He can't have executed system commands for this.

    Update from the hacker: he claims he tried hacking some kind of file browser and he got in somehow (retold by the customer). As open_basedir limits the user to his own folder, the script must have been in that folder!
    The guy posted the file names, modification date, size in the chat.
    Log file for yesterday is "just" 54MB

  19. #19
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    If he posted the file info then obviously he executed commands on the server.

    Like I said

    find /home -name '*.php' -exec grep 'system(' {} \; -print
    find /home -name '*.php' -exec grep 'exec(' {} \; -print
    find /home -name '*.php' -exec grep 'passthru(' {} \; -print

    Replace /home with the location of the user's dir.
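    The find/grep audit suggested in the two posts above, carried a step further as an added example (this is not Scott's command or the thread's own code): a grep for the bare name followed by a parenthesis misses a call written `system (`, and matches unrelated names such as `subsystem(`, so the pattern below guards the name with a non-identifier character and allows whitespace before the parenthesis. It also covers the file-listing functions mentioned later in the thread (readdir, opendir and friends) and lists PHP files changed after a reference time, since a dropped file is another thing to look for. SAMPLE_ROOT and the three PHP files under it are constructed purely so the functions can be exercised; point scan_exec_calls and scan_listing_calls at the real user directory instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root for PHP calls that can
# run commands or list files. SAMPLE_ROOT and its files are constructed here
# so the functions can be exercised; point scan_* at the real user dir.

SAMPLE_ROOT="${SAMPLE_ROOT:-$(mktemp -d)}"

make_sample_tree() {
    mkdir -p "$SAMPLE_ROOT/chat" "$SAMPLE_ROOT/admin"
    # Clean script: user input is only echoed, never executed.
    cat > "$SAMPLE_ROOT/chat/msg.php" <<'EOF'
<?php
echo "You inputted " . htmlspecialchars($_GET['site']);
EOF
    # Suspicious script: a space before the parenthesis defeats a grep for the
    # bare name followed by a parenthesis, and the argument comes from the request.
    cat > "$SAMPLE_ROOT/admin/tools.php" <<'EOF'
<?php
$out = system ($_GET['cmd']);
$dir = opendir($_GET['d']);
EOF
    # Names that merely end in "system" or "exec": a naive grep flags these.
    cat > "$SAMPLE_ROOT/chat/lib.php" <<'EOF'
<?php
$r = subsystem($x);
$s = myexec($y);
EOF
}

# Word-boundary guard that works in POSIX ERE: start of line or a character
# that cannot be part of a PHP identifier.
B='(^|[^[:alnum:]_])'
EXEC_FUNCS='system|exec|passthru|shell_exec|popen|proc_open|eval'
LIST_FUNCS='readdir|opendir|scandir|glob|fopen|readfile|file_get_contents'

scan_calls() {
    # $1: directory, $2: alternation of function names.
    # Prints file:line:text for every call (case-insensitive, as PHP resolves
    # function names). Exits 0 even with no hits so "set -e" callers survive.
    find "$1" -name '*.php' -exec grep -niHE "${B}($2)[[:space:]]*\(" {} + || :
}

scan_exec_calls()    { scan_calls "$1" "$EXEC_FUNCS"; }
scan_listing_calls() { scan_calls "$1" "$LIST_FUNCS"; }

recent_php_files() {
    # $1: directory, $2: reference file; lists PHP files modified after it.
    find "$1" -name '*.php' -newer "$2"
}

count_hits() { wc -l | tr -d ' '; }

# Stand-alone run over the constructed tree.
make_sample_tree
echo "command execution:"; scan_exec_calls "$SAMPLE_ROOT"
echo "file listing:";      scan_listing_calls "$SAMPLE_ROOT"
```

    Every hit still has to be read in context: a call whose argument is a constant is ordinary, one whose argument comes from $_GET, $_POST or $_COOKIE is the kind of thing the thread is looking for.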

  20. #20
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Tried those... no result

  21. #21
    Join Date
    Sep 2005
    Location
    Essex, England
    Posts
    548
    Are you using cPanel?
    Is the customer (or are you) using secure passwords?

  22. #22
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    No, we use a self-developed control panel, but I don't see anything strange in its log.
    I use secure password and I hope he does too. His FTP user is not the same as his domain name and I saw only him logging in with that user.

  23. #23
    Join Date
    Sep 2005
    Location
    Essex, England
    Posts
    548
    Well, your control panel may have a flaw in it somewhere.
    "Update from hacker: he claims he tried hacking some kind of filebrowser and he got in somehow (retold by costumer)."

    I take it your control panel has something that would be described as "some kind of filebrowser"?

  24. #24
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    No, there is no file browser integrated.
    It runs with register_globals off but open_basedir off as well.
    There is one file content listing option (log view) but that would report any abuse. It has no function that would display modification date or size. And there is no demo for the system, so the hacker wouldn't even know what options it has.

  25. #25
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    It's possible that code was injected into your client's own code through an include or something..

    http://us2.php.net/manual/en/function.readdir.php

    For example, that would give an output of the files etc. Just some ideas. Do you have recent Apache logs from around the time it happened?

  26. #26
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    I also think that something like that happened.
    We have the logs. The problem is that I don't know when it happened. He said that it *might have been* yesterday between 8 and 10. That's fine, but the log is extremely long and all requests have some posted variable (eg. /msg.php?id=f4d3h75x) so it's totally unreadable.

  27. #27
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    grep -i "some info" file

  28. #28
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Thanks, I'm checking the log for possible break in attempts.
    No positive match in the first run.

  29. #29
    Join Date
    Jan 2005
    Location
    Scotland, UK
    Posts
    2,549
    Quote Originally Posted by davevad
    /msg.php?id=f4d3h75x)
    What exactly does the id part do?

    If it was done via $_GET you should be able to get the actual commands executed from the Apache logs; however, you will have to search all scripts if you are unable to find anything (indicating it was from $_POST, $_COOKIE, and so on).

    Most scripts that do not execute directly usually have the commands added into the URL, which means closing the current tag and then reopening it, either using a ) directly or using it in HTML form (%29), such as

    http://www.mysite.com/index.php?site=%22%29.passthru%28%22uname%20-a%22%29.%28%22

    and if the code was

    PHP Code:
    echo("You inputted $_GET[site]"); 
    Obviously it's not going to be that simple, but essentially what that would read is
    PHP Code:
    echo("You inputted ").passthru("uname -a").(""); 
    Well, you get the general idea. Just keep having a look; if you are still unable to find the problem, you may look into getting someone to look at it for you.
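    The log search described in the post above, and the problem from earlier in the thread that the 70 MB log is unreadable because every request carries a query string, as an added example (not Scott's or Steven's code): narrow the Apache access log to the day and hours the customer named, decode the %XX escapes in the request line so `%29.passthru%28` reads as `).passthru(`, and keep only the requests that carry a PHP function call or a quote-then-parenthesis breakout. The four log lines are constructed for this example; the one request shape taken from the thread is the encoded passthru URL quoted above. The time window and the function-name list are assumptions to adjust for the real case.

```shell
#!/bin/sh
# Added example (not from the thread): narrow an Apache access log to a time
# window, decode %XX escapes in request lines, and flag requests that carry PHP
# function calls or quote/parenthesis breakouts. SAMPLE_LOG is constructed.

SAMPLE_LOG="${SAMPLE_LOG:-$(mktemp)}"

write_sample_log() {
    # Constructed combined-format lines: two benign chat requests, one encoded
    # passthru injection (the shape quoted in the thread), one encoded readdir
    # probe outside the window.
    cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.1 - - [19/Nov/2005:08:13:22 +0100] "GET /msg.php?id=f4d3h75x HTTP/1.0" 200 512 "-" "Nokia6600/1.0"
10.0.0.2 - - [19/Nov/2005:09:41:05 +0100] "GET /index.php?site=%22%29.passthru%28%22uname%20-a%22%29.%28%22 HTTP/1.0" 200 311 "-" "Mozilla/4.0"
10.0.0.2 - - [19/Nov/2005:21:02:10 +0100] "GET /view.php?p=%3C%3Fphp%20readdir%28%24d%29%3B%20%3F%3E HTTP/1.0" 200 188 "-" "Mozilla/4.0"
10.0.0.3 - - [18/Nov/2005:09:00:00 +0100] "POST /msg.php?id=a1b2c3d4 HTTP/1.0" 200 420 "-" "Nokia6600/1.0"
EOF
}

urldecode() {
    # Decode %XX escapes on stdin with POSIX awk only (no printf %b tricks).
    # A malformed escape such as %zz is passed through unchanged. Escapes for
    # control characters (%0a, %00) are decoded literally, so expect odd lines.
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
        out = ""; s = $0
        while ((i = index(s, "%")) > 0) {
            out = out substr(s, 1, i - 1)
            h = substr(s, i + 1, 2)
            if (h ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                out = out sprintf("%c", hexval(substr(h, 1, 1)) * 16 + hexval(substr(h, 2, 1)))
                s = substr(s, i + 3)
            } else {
                out = out "%"
                s = substr(s, i + 1)
            }
        }
        print out s
    }'
}

filter_window() {
    # $1: log file, $2: day as dd/Mon/yyyy, $3 and $4: hour range [from, to).
    # Field 4 of the combined format is "[19/Nov/2005:08:13:22".
    awk -v d="$2" -v h1="$3" -v h2="$4" '
    { split($4, t, ":")
      if (substr(t[1], 2) == d && t[2] + 0 >= h1 && t[2] + 0 < h2) print }' "$1"
}

# PHP functions that run commands or read directories, followed by "(", or a
# quote immediately closed by ")." (the breakout pattern described above).
INJECT_PAT='(system|exec|passthru|shell_exec|popen|proc_open|eval|readdir|opendir|scandir|glob|fopen|file_get_contents)[[:space:]]*\(|["'"'"'][[:space:]]*\)\.'

flag_injection_requests() {
    # Reads log lines on stdin, prints the decoded lines that match.
    # Exits 0 even with no hits so "set -e" callers survive.
    urldecode | grep -iE "$INJECT_PAT" || :
}

# Stand-alone run: the customer said "yesterday between 8 and 10".
write_sample_log
filter_window "$SAMPLE_LOG" 19/Nov/2005 8 10 | flag_injection_requests
```

    Without the window the same pass over the whole file still works; it just takes longer and reports the readdir probe from the evening as well, which is exactly the kind of thing worth a second look once the obvious hour range is cleared.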

  30. #30
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    The id is used as session name identifier.
    I didn't find any general PHP dir or file functions so I guess he used POST. Looking through the source will take a while, but I have no other choice, I have to convince him that the problem was in his script.
    Thanks.

  31. #31
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    what strings did you look at exactly?

  32. #32
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    I searched for the following words: fopen, popen, readdir, opendir, include, require
    And looked at the % strings Scott.Mc mentioned.

  33. #33
    Join Date
    May 2004
    Location
    Hungary
    Posts
    106
    Scott.Mc: id is equal to session_id().
