Br0keN-Pr0xy hack - FIX (the popular index defacement hack)

#1  09-03-2006, 11:22 AM
layer0 (Performance Specialist)
Join Date: Dec 2004
Location: New York, NY
Posts: 10,342

Login to SSH as root:

wget http://noc.medialayer.com/public/index-hack
chmod 700 index-hack
## make sure you edit index-hack to your needs; there is one variable, "STRUCT", which defines the directory structure. The default is fine for cPanel servers, but you may have to change this for other servers. $1 is the username.

To run this:

./index-hack <username>

So:

./index-hack layer0

would be correct

The purpose of this script is to list any files containing the "broken proxy" text. This attack has affected many hosts, and I'm sure it's a pain for some customers to find all files that contain "index", "home", "default", etc. This can provide your customers with a nice list if you are hit with the attack, so they know exactly what files need to be replaced.

Obviously you really should be staying up to date kernel-wise, and if you simply typed:

yum upgrade kernel or yum upgrade kernel-smp (for dual processor boxes) and rebooted, you'd be fine, but hey... we're not all that lucky.



#2  09-04-2006, 06:57 AM
jpetersen (Disabled)
Join Date: Aug 2005
Posts: 439
Nice post. It's always good to see people helping out and providing useful utilities such as this. I have an idea for a performance improvement as well, which would basically be this modification to line 31:

if grep -q "Br0keN-Pr0xy" "$i" 2>/dev/null

That way the files are just being grepped vice both catted and grepped. Thanks again, good stuff!
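As an added example (not the index-hack script from post #1 and not jpetersen's patch from post #2), here is a small POSIX shell script that does what the two posts describe: walk a user's web root, hand each file straight to grep for the marker text, and print the files that match so the customer knows exactly what to restore. The marker "Br0keN-Pr0xy" is the one named in this thread; the cPanel-style /home/<user>/public_html default (the two WEBROOT_* variables stand in for the post's STRUCT variable) and every function name are this example's own assumptions. The sample tree it scans when run with no arguments is constructed inside the script, not real customer data.

```shell
#!/bin/sh
# Added example, not the index-hack script from the post and not jpetersen's
# patch: list every file under a user's web root whose contents contain the
# defacement marker, so the customer gets an exact list of files to restore.
# Assumptions: marker text "Br0keN-Pr0xy" as named in the thread; a
# cPanel-style /home/<user>/public_html layout as the default (the two
# WEBROOT_* variables stand in for the post's STRUCT variable); all function
# names here are this example's own.

MARKER="${MARKER:-Br0keN-Pr0xy}"
WEBROOT_BASE="${WEBROOT_BASE:-/home}"
WEBROOT_SUB="${WEBROOT_SUB:-public_html}"

# user_webroot USER: print the web root for USER using the layout above.
user_webroot() {
    printf '%s/%s/%s\n' "$WEBROOT_BASE" "$1" "$WEBROOT_SUB"
}

# list_defaced DIR: print each regular file under DIR that contains MARKER.
# grep -q stops at the first match instead of reading the whole file, and the
# file is handed to grep directly rather than through cat, as post #2
# suggests. Errors for unreadable files are discarded so the list stays clean.
list_defaced() {
    find "$1" -type f -print | while IFS= read -r f; do
        if grep -q -- "$MARKER" "$f" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# count_defaced DIR: number of files list_defaced would print.
count_defaced() {
    list_defaced "$1" | wc -l | tr -d ' '
}

# make_sample_webroot: build a small constructed sample web root in a temp
# dir (not real customer data) and print its path. Two of the three files
# carry the marker; index.html is clean.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/sub"
    printf 'clean page\n' > "$d/index.html"
    printf '<!-- %s was here -->\n' "$MARKER" > "$d/home.php"
    printf '%s\n' "$MARKER" > "$d/sub/default.htm"
    printf '%s\n' "$d"
}

# Usage: ./find-defaced.sh <username>   (scans that user's web root)
#        ./find-defaced.sh              (scans the constructed sample tree)
if [ "$#" -ge 1 ]; then
    root=$(user_webroot "$1")
    [ -d "$root" ] || { echo "no such directory: $root" >&2; exit 1; }
    list_defaced "$root"
else
    sample=$(make_sample_webroot)
    list_defaced "$sample"
    echo "$(count_defaced "$sample") file(s) contain $MARKER"
    rm -rf "$sample"
fi
```

The script only reports; it never modifies or deletes anything, so the customer can compare the list against a known-good backup before replacing files. Override MARKER, WEBROOT_BASE or WEBROOT_SUB in the environment for servers that do not use the cPanel layout.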

#3  09-04-2006, 08:42 AM
layer0 (Performance Specialist)
Join Date: Dec 2004
Location: New York, NY
Posts: 10,342
Quote:
Originally Posted by jpetersen
Nice post. It's always good to see people helping out and providing useful utilities such as this. I have an idea for a performance improvement as well, which would basically be this modification to line 31:

if grep -q "Br0keN-Pr0xy" "$i" 2>/dev/null

That way the files are just being grepped vice both catted and grepped. Thanks again, good stuff!
Thanks, I've made the change.

#4  09-09-2006, 10:42 AM
Steven (I like ice cream)
Join Date: Mar 2003
Location: California USA
Posts: 11,637
Just for people reading this: this is not a fix-all for all the bugs running around. There are some out there that have suid perl scripts and binaries; you need to find them, or you risk having this issue even after you update your kernel.

#5  09-09-2006, 01:14 PM
layer0 (Performance Specialist)
Join Date: Dec 2004
Location: New York, NY
Posts: 10,342
Quote:
Originally Posted by Steven
Just for people reading this: this is not a fix-all for all the bugs running around. There are some out there that have suid perl scripts and binaries; you need to find them, or you risk having this issue even after you update your kernel.
Yes, of course it can be a perl script, but most of the time it's old kernel versions being exploited.

#6  09-09-2006, 01:23 PM
Steven (I like ice cream)
Join Date: Mar 2003
Location: California USA
Posts: 11,637
Quote:
Originally Posted by layer0
Yes, of course it can be a perl script, but most of the time it's old kernel versions being exploited.
It's the kernel being exploited, yes, in 99% of the cases, but there is almost always a perl script somewhere being used to do a mass deface; they are starting to set them suid, which will allow them to be executed as root even as a regular user.
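Steven's point in posts #4 and #6 is that cleaning the defaced pages and patching the kernel is not enough if a setuid leftover is still sitting on the box. As an added example (not from the thread), here is a small POSIX shell script that enumerates setuid/setgid files under a directory and singles out the ones that are interpreter scripts. It assumes a find(1) that supports -perm and a head(1) that supports -c; every function name is this example's own, and the directory it scans when run with no arguments is a constructed sample, not a real system.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate setuid/setgid files under a
# directory and single out the ones that are interpreter scripts, the kind of
# leftover Steven warns about in posts #4 and #6. Assumes a POSIX find(1)
# with -perm and a head(1) with -c; every function name here is this
# example's own.

# list_suid DIR: print each regular file under DIR with the setuid or setgid
# bit set. Errors for directories we cannot enter are discarded.
list_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# is_script FILE: succeed when FILE begins with a "#!" interpreter line.
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]
}

# suid_scripts DIR: the subset of list_suid DIR that are scripts. Legitimate
# setuid programs (passwd, sudo, ...) are compiled binaries, so a setuid
# script under a customer's home is worth a close look.
suid_scripts() {
    list_suid "$1" | while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# count_suid DIR / count_suid_scripts DIR: totals for a summary line.
count_suid()         { list_suid "$1" | wc -l | tr -d ' '; }
count_suid_scripts() { suid_scripts "$1" | wc -l | tr -d ' '; }

# make_sample_homedir: constructed sample (not a real system) holding one
# setuid perl script, one setgid non-script and one ordinary file. Prints the
# directory path.
make_sample_homedir() {
    d=$(mktemp -d)
    printf '#!/usr/bin/perl\nprint 1;\n' > "$d/mass.pl"
    chmod 4755 "$d/mass.pl"
    printf 'not a script\n' > "$d/tool"
    chmod 2755 "$d/tool"
    printf 'plain text\n' > "$d/notes.txt"
    chmod 0644 "$d/notes.txt"
    printf '%s\n' "$d"
}

# Usage: ./find-suid.sh <dir>   (e.g. a user's home directory)
#        ./find-suid.sh         (runs against the constructed sample)
if [ "$#" -ge 1 ]; then
    echo "setuid/setgid files under $1:"
    list_suid "$1"
    echo "of which scripts:"
    suid_scripts "$1"
else
    sample=$(make_sample_homedir)
    echo "$(count_suid "$sample") setuid/setgid file(s), $(count_suid_scripts "$sample") script(s)"
    suid_scripts "$sample"
    rm -rf "$sample"
fi
```

Run it over /home (or the whole filesystem, compared against a list taken from a clean install) after a kernel update; any setuid file that is not part of a package deserves explanation. Note that the Linux kernel ignores the setuid bit on "#!" scripts themselves, so a setuid perl script only gains privileges through a setuid interpreter such as suidperl; that makes such a file unusual on a hosting box and all the more worth flagging.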
