  1. #1

    Br0keN-Pr0xy hack - FIX (the popular index defacement hack)

    Login to SSH as root:

    wget http://noc.medialayer.com/public/index-hack
    chmod 700 index-hack
    ## Make sure you edit index-hack to your needs. There is one variable, "STRUCT", which defines the directory structure; the default is fine for cPanel servers, but you may have to change this for other servers. $1 is the username.

    To run this:

    ./index-hack <username>

    So:

    ./index-hack layer0

    would be correct

    The purpose of this script is to list any files containing the "broken proxy" text. This attack has affected many hosts, and I'm sure it's a pain for some customers to find all files that contain "index", "home", "default", etc. This can provide your customers with a nice list if you are hit with the attack, so they know exactly which files need to be replaced.

    Obviously you really should be staying up to date kernel-wise, and if you simply typed:

    yum upgrade kernel or yum upgrade kernel-smp (for dual-processor boxes) and rebooted, you'd be fine, but hey... we're not all that lucky.
    MediaLayer, LLC - www.medialayer.com Learn how we can make your website load faster, translating to better conversion rates for your business!
    The pioneers of optimized web hosting, featuring LiteSpeed Web Server & SSD Storage - Celebrating 10 Years in Business

  2. #2
    Nice post. It's always good to see people helping out and providing useful utilities such as this. I have an idea for a performance improvement as well, which would basically be this modification to line 31:

    if grep -q "Br0keN-Pr0xy" "$i" 2>/dev/null   # -q: exit status only, no output; errors silenced

    That way the files are just being grepped vice both catted and grepped. Thanks again, good stuff!
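As an added example (not the index-hack script from the thread, and not MediaLayer's code), here is the listing the first post describes with the grep improvement from post #2 folded in. It assumes the cPanel layout /home/<user>/public_html (the STRUCT default) and the literal marker Br0keN-Pr0xy; both are assumptions, adjust them for other panels.

```shell
# Added example, not the index-hack script from the thread. It does what the
# post describes: list every file under a user's web tree that contains the
# defacement marker, so the customer knows exactly which files to restore.
# STRUCT mirrors the thread's variable; %u stands for the username and the
# default assumes the cPanel layout (assumption, adjust for other panels).
STRUCT="${STRUCT:-/home/%u/public_html}"
MARKER="Br0keN-Pr0xy"

# Resolve STRUCT for one username. Usernames are restricted to a safe
# character set so a stray value cannot alter the path or the sed expression.
user_root() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "bad username: '$1'" >&2; return 2 ;;
    esac
    printf '%s\n' "$STRUCT" | sed "s|%u|$1|g"
}

# Print one path per line for each regular file containing MARKER.
# grep -l on the file itself replaces the 'cat file | grep' pattern from the
# original script, as suggested in post #2; -F treats the marker literally.
list_defaced() {
    base=$(user_root "$1") || return 2
    if [ ! -d "$base" ]; then
        echo "no such directory: $base" >&2
        return 2
    fi
    find "$base" -type f -exec grep -lF -- "$MARKER" {} + 2>/dev/null
    return 0
}

# Number of defaced files, for a quick per-customer summary.
count_defaced() {
    list_defaced "$1" | wc -l | tr -d ' '
}

# Usage: ./list-defaced.sh <username>   (e.g. ./list-defaced.sh layer0)
if [ "${1:-}" ]; then
    list_defaced "$1"
fi
```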

  3. #3
    Quote Originally Posted by jpetersen
    Nice post. It's always good to see people helping out and providing useful utilities such as this. I have an idea for a performance improvement as well, which would basically be this modification to line 31:

    if grep -q "Br0keN-Pr0xy" "$i" 2>/dev/null   # -q: exit status only, no output; errors silenced

    That way the files are just being grepped vice both catted and grepped. Thanks again, good stuff!
    Thanks, I've made the change.

  4. #4
    Just for people reading this: this is not a fix-all for all the bugs running around. There are some out there that have suid perl scripts and binaries; you need to find them or you risk having this issue even after you update your kernel.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Quote Originally Posted by Steven
    Just for people reading this: this is not a fix-all for all the bugs running around. There are some out there that have suid perl scripts and binaries; you need to find them or you risk having this issue even after you update your kernel.
    Yes, of course it can be a perl script, but most of the time it's old kernel versions being exploited.

  6. #6
    Quote Originally Posted by layer0
    Yes, of course it can be a perl script, but most of the time it's old kernel versions being exploited.
    It's the kernel being exploited, yes, in 99% of the cases, but there is almost always a perl script somewhere being used to do a mass deface. They are starting to set them suid, which will allow them to be executed as root even as a regular user.
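An added example (not from the thread or either poster) for the follow-up advice above: enumerate setuid/setgid files on a box, separate scripts from binaries, and keep a baseline file so later scans show only what appeared since. The scan root and baseline path are assumptions passed as arguments.

```shell
# Added example, not from the thread. Enumerates setuid/setgid files and tells
# scripts apart from binaries, since a setuid script or binary left behind by
# an intruder survives a kernel update. Scan root and baseline file are
# arguments supplied by the caller (assumptions for illustration).
find_suid() {
    root="${1:-/}"
    # -xdev keeps the scan on one filesystem (skips /proc, NFS mounts, etc.)
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print "SCRIPT <path>" when the file starts with a shebang, else "BINARY <path>".
# A setuid script is practically never legitimate on a hosting box.
classify_suid() {
    find_suid "$1" | while IFS= read -r f; do
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf 'SCRIPT %s\n' "$f"
        else
            printf 'BINARY %s\n' "$f"
        fi
    done | sort
}

# Record the current set so later runs can be diffed against a known-good state.
# Usage: save_baseline <root> <baseline-file>
save_baseline() {
    classify_suid "$1" > "$2"
}

# Entries present now that were not in the baseline: the ones to investigate.
# Usage: new_since_baseline <root> <baseline-file>
new_since_baseline() {
    classify_suid "$1" | comm -13 "$2" -
}
```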
