  1. #1
    Join Date
    May 2003
    Posts
    847

    hacked at OS level

    Hello

    my VPS has been hacked, as the provider emailed me:

    Hi, your VPS is hacked at OS level. It was running the following suspicious processes, and bot files were uploaded to it.

    -bash-3.00# ps aux
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    root 1 0.0 0.0 1628 600 ? Ss 19:27 0:00 init boot
    root 18326 0.0 0.1 2156 1164 ? Ss 19:27 0:00 bash
    root 18354 0.0 0.0 2156 524 ? S 19:27 0:00 bash
    root 18356 0.0 0.0 1524 468 ? S 19:27 0:00 sed s/.*ifcfg-venet0://
    root 18357 0.0 0.0 1780 100 ? T 19:27 0:00 ls -1 bak/ifcfg-venet0:*
    root 18358 0.0 0.0 0 0 ? Z 19:27 0:00 [sed] <defunct>
    root 11610 0.0 0.0 1628 296 ? Ss 19:32 0:00 init boot
    root 11611 0.0 0.1 2156 1200 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
    root 11625 0.0 0.0 1484 572 ? S 19:32 0:00 /sbin/initlog -r /etc/rc.d/rc.sysinit
    root 11839 0.0 0.0 1456 276 ? Ss 19:32 0:00 minilogd
    root 12006 0.0 0.0 2156 532 ? S 19:32 0:00 /bin/bash /etc/rc.d/rc.sysinit
    root 12014 0.0 0.0 1780 104 ? T 19:32 0:00 ls ifcfg-lo ifcfg-venet0
    root 12021 0.0 0.0 27104 512 ? S 19:32 0:00 sort -k 1,1 -k 2n
    root 12022 0.0 0.0 1372 52 ? T 19:32 0:00 sed s/[0-9]/ &/
    root 12025 0.0 0.0 1524 464 ? S 19:32 0:00 sed s/ //
    root 12030 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
    root 12044 0.0 0.0 0 0 ? Z 19:32 0:00 [sed] <defunct>
    root 5654 0.0 0.0 1912 392 ? Ss 22:46 0:00 vzctl: ttyp0
    root 5655 0.2 0.1 2156 1248 ttyp0 Ss 22:46 0:00 -bash
    root 5733 0.0 0.0 2312 764 ttyp0 R+ 22:46 0:00 ps aux
    -bash-3.00# cd /usr/local/games/
    -bash-3.00# ls -a
    . .. irc
    -bash-3.00# cd irc/
    -bash-3.00# ls
    1 12 15 18 20 23 26 29 31 34 37 4 42 45 48 50 53 56 59 61 64 8 common mfu.txt
    r00t ssh
    10 13 16 19 21 24 27 3 32 35 38 40 43 46 49 51 54 57 6 62 68.231.ps.22 9 full pass_file skan x
    11 14 17 2 22 25 28 30 33 36 39 41 44 47 5 52 55 58 60 63 7 all go.sh ps ss
    -bash-3.00#


    how can I know what the issue is here?

    please help
    Last edited by cannibal; 03-13-2008 at 04:34 PM.

  2. #2
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,573
    Your VPS has been root exploited - you need to get it reloaded and take a look at your security.
    Upload Guardian 2 - Malicious Upload Scanner - Windows and Linux!
    Instantly scan uploaded files
    Get notified when released

  3. #3
    Join Date
    May 2003
    Posts
    847
    Quote Originally Posted by Ramprage View Post
    Your VPS has been root exploited - you need to get it reloaded and take a look at your security.
    all the services after the reload have been updated, as the VPS provider said

    can it be because of the out-of-date PHP script in the VPS?

    can the root exploit have started from the out-of-date PHP script in my VPS?

    please let me know

  4. #4
    Join Date
    Jun 2007
    Location
    UK
    Posts
    219
    Yes, it is entirely possible that they exploited a badly written PHP script, or just a vulnerability in the web server software you had installed.
    I think the server saw what was required of it and just committed suicide instead.

  5. #5
    Join Date
    May 2003
    Posts
    847
    any idea what these files are?
    mfu.txt
    go.sh

    because those kids are just following hacking steps!

  6. #6
    Join Date
    Jun 2007
    Location
    UK
    Posts
    219
    Google is your friend

    http://www.webhostingtalk.com/showthread.php?t=408097

    Amongst other hits - looks like it is part of a rootkit. Time for a wipe-n-reinstall!
    I think the server saw what was required of it and just committed suicide instead.

  7. #7
    Join Date
    May 2003
    Posts
    847
    the reload is completed,
    and I made all the security issues

    the VPS contains only one forum (last version)

    what should I do next?

  8. #8
    not sure what you mean with "made all the security issues".

    Since you're running a forum, make sure it's updated and the modules/plugins are also updated. Most of the time, it's the plugin that caused trouble or is vulnerable.
    UltraUnix Internet Services
    Quality service since 2000!
    Reliability . Simplicity . Affordability

  9. #9
    Join Date
    May 2003
    Posts
    847
    I also have an old WHMCS v3.3.0

    can it be the reason?

  10. #10
    I'm not sure if it's vulnerable, but if you're not using them, it's better to take them off the net.
    UltraUnix Internet Services
    Quality service since 2000!
    Reliability . Simplicity . Affordability

  11. #11
    Join Date
    May 2003
    Posts
    847
    I am just wondering how they hacked the system!
    there are only 3 websites with no PHP scripts

  12. #12
    To answer that question needs a lot of time and analyzing the log files. Typically /var/log, the httpd log and the logs for any other services that you run. It could also be that your password is a dictionary word or too easy to guess.

    Since the VPS has already been rebuilt, the only thing you should worry about now is how to prevent it from happening again. Try installing APF and BFD for firewall and brute-force detection. You might want to try mod_security on Apache.

    APF & BFD (http://rfxnetworks.com/proj.php)
    mod_Security (http://www.modsecurity.org/)
    UltraUnix Internet Services
    Quality service since 2000!
    Reliability . Simplicity . Affordability
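An added example, not code from the thread and not BFD's or LFD's own logic: the brute-force check post #12 suggests, counting failed SSH password attempts per source address over constructed /var/log/secure-style lines. The hostname, PIDs, addresses and the threshold of 5 are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from BFD/LFD: count failed SSH
# password attempts per source address, the check a brute-force detector
# automates. Assumes standard OpenSSH "Failed password ... from <ip>" lines
# and a POSIX awk. The sample lines below are constructed (host, PIDs, IPs).

SAMPLE_LOG='Mar 13 04:10:01 vps sshd[2231]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 13 04:10:03 vps sshd[2233]: Failed password for root from 198.51.100.7 port 40131 ssh2
Mar 13 04:10:05 vps sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 40140 ssh2
Mar 13 04:10:07 vps sshd[2237]: Failed password for root from 198.51.100.7 port 40151 ssh2
Mar 13 04:11:40 vps sshd[2301]: Accepted publickey for deploy from 203.0.113.5 port 51020 ssh2
Mar 13 04:12:02 vps sshd[2310]: Failed password for root from 203.0.113.9 port 33000 ssh2
Mar 13 04:12:09 vps sshd[2312]: Failed password for root from 198.51.100.7 port 40160 ssh2'

# failed_by_ip: read sshd log text on stdin, print "count ip" per source,
# highest count first. Only "Failed password" events are counted; accepted
# logins and other sshd messages are ignored.
failed_by_ip() {
    awk '/sshd\[[0-9]*\]: Failed password for .* from / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# offenders THRESHOLD: print only sources with at least THRESHOLD failures,
# i.e. candidates for a firewall deny rule (default threshold 5).
offenders() {
    failed_by_ip | awk -v t="${1:-5}" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample.
echo "Failed password attempts per source:"
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip
echo "Sources at or above threshold 5:"
printf '%s\n' "$SAMPLE_LOG" | offenders 5
```

On a real host, replace the constructed sample with `tail -n 5000 /var/log/secure` on the pipeline's left side; the threshold is a policy choice, not a fixed value.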

  13. #13
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    Quote Originally Posted by cannibal View Post
    I have also old WHMCS v 3.3.0 can it be the reason ??
    There were some vulnerabilities in the older versions, so it's possible, but without seeing the logs and investigating you may never know.
    Quote Originally Posted by cannibal View Post
    I am just wondering how they hacked the system !! there are only 3 websites with no PHP scripts
    Well, except WHMCS.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  14. #14
    Join Date
    Feb 2004
    Location
    New Zealand
    Posts
    1,202
    Several things you need to do, as there is an increasing amount of "hacked VPSs".

    Please take note that when you get VPS - they are NOT secured.

    ALL PHP SCRIPTS ARE VULNERABLE! - RFI exploits and vulns are everywhere on the internet; just use Google and I'm sure you could find a vulnerability for your PHP scripts.

    mod_security install & config
    mod_evasive install & config
    APF, BFD or CFD install and config.
    Tripwire / Honeypot
    LFD install & config
    logwatch

    There are many more I can list, but those are the main apps I attend to.

    Good luck

    Best Regards,
    Logan Douglas
    DigitalGoods.info
    FREE Shared, Mega Resellers + Dedicated Servers

  15. #15
    Join Date
    May 2003
    Posts
    847
    I installed csf+lfd
    and also mod_security with the strong module
    I changed the ssh port
    and I installed Suhosin
    also I added some functions to disable_functions in php.ini
    also safe mode is ON
    and... and... and

    in between, I suspended the site which is using the old WHMCS
    and until now nothing has happened to the VPS

    I emailed the WHMCS company and I was just like
    can I update the 3.3.0V to the last version directly without updating to 3.4.0V and 3.5.0V?

    and they were like yes you can do that

    so do you guys think it's ok to unsuspend the site and update?

  16. #16
    Join Date
    Feb 2004
    Location
    New Zealand
    Posts
    1,202
    Quote Originally Posted by cannibal View Post
    I installed csf+lfd
    and also mod_security with the strong module
    I changed the ssh port
    and I installed Suhosin
    also I added some functions to disable_functions in php.ini
    also safe mode is ON
    and... and... and

    in between, I suspended the site which is using the old WHMCS
    and until now nothing has happened to the VPS

    I emailed the WHMCS company and I was just like
    can I update the 3.3.0V to the last version directly without updating to 3.4.0V and 3.5.0V?

    and they were like yes you can do that

    so do you guys think it's ok to unsuspend the site and update?
    Keep an eye on the logs. I would disable compilers for un-needed users, and I would consider setting up tripwire to monitor your binaries, and further systems monitoring such as a honeypot or others.

    What control panel are you running?

    Best Regards,
    Logan Douglas
    DigitalGoods.info
    FREE Shared, Mega Resellers + Dedicated Servers
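An added example, not code from the thread and not tripwire's: a minimal file-integrity baseline of the kind post #16 recommends for watching binaries. It hashes every file under a directory, then reports what changed, appeared or vanished; the demo tree and the tampering it simulates (a replaced script and a dropped irc/go.sh, echoing the listing in post #1) are constructed. It assumes GNU coreutils sha256sum and mktemp.

```shell
#!/bin/sh
# Added example, not code from the thread or from tripwire: a minimal
# file-integrity baseline. Assumes GNU coreutils sha256sum and mktemp.

# make_baseline DIR OUT: write "hash  ./path" lines for every regular file.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# check_baseline DIR BASELINE: print CHANGED / MISSING / NEW per deviating
# path; return 1 if anything deviated, 0 if the tree matches the baseline.
check_baseline() {
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    rc=0
    while read -r hash path; do               # baseline entries: changed or gone?
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$cur")
        if [ -z "$now" ]; then echo "MISSING $path"; rc=1
        elif [ "$now" != "$hash" ]; then echo "CHANGED $path"; rc=1
        fi
    done < "$2"
    while read -r hash path; do               # current entries: unknown to baseline?
        awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$2" \
            || { echo "NEW $path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return "$rc"
}

# demo: baseline a constructed tree, then tamper with it (replace a script,
# drop an irc/go.sh like the one in post #1) and re-check it.
demo() {
    work=$(mktemp -d)
    mkdir "$work/games"
    printf 'echo ok\n' > "$work/games/tool.sh"
    make_baseline "$work/games" "$work/baseline.txt"
    printf 'echo tampered\n' > "$work/games/tool.sh"
    mkdir "$work/games/irc" && : > "$work/games/irc/go.sh"
    if check_baseline "$work/games" "$work/baseline.txt"; then result=0; else result=1; fi
    rm -rf "$work"
    return "$result"
}

if demo; then echo "tree intact"; else echo "deviations found"; fi
```

For real use, keep the baseline file off the monitored host (or on read-only media); a baseline the intruder can rewrite proves nothing.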

  17. #17
    Join Date
    May 2003
    Posts
    847
    I am with cPanel/WHM

    yeah, I disabled the compilers already

    hope that after upgrading WHMCS to the latest version everything will be fine

  18. #18
    Join Date
    Sep 2005
    Location
    Canada
    Posts
    645
    Perhaps the server's password was not secure? Make sure it has a long password that doesn't appear in a dictionary.
    VPSVille.com
    Toronto, London, Dallas, Los Angeles
    Quality VPS hosting on Premium bandwidth

  19. #19
    phreek338 Guest
    well, there are several attack vectors, so it's hard to tell HOW they got in with the information you provided... But it looks like you are running some weird scripts on your webserver... I suggest removing them and shutting down any services you don't use. Usually VPSs come with a bunch of stuff you don't need on the OS.
