-
09-26-2009, 09:14 PM #1 - How Can I Help You Today?
- Join Date
- Oct 2002
- Location
- Langley, BC
- Posts
- 2,045
Servers Hacked - Preventing SQL Inject?
Hi,
Three of my servers were compromised on Thu-Fri by Sarbot511.
I believe they got in through an application that is open to SQL injection attack. My question is, how did they gain the root password of the server through SQL injection?
I have SuPhp, mod_security, and CSF firewall installed. All clients are running under their own username; if a client's website is, say, open to SQL injection attack, how is it possible for them to gain root access and compromise the whole server?
Any input would be appreciated.
Thank you.
We Have Generated Over 7 Million cPanel Backups Come Dance Together With Us Y'all!
Offer Your Own Backup Hosting Service - SiteAutoBackup.Com (Private Label / WHMCS Ready)
WebHostingBusinessBook.Com | YouTube.com/WebHostingTutorial | NowOpenOnline.Com
-
09-26-2009, 09:18 PM #2 - Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
It probably was not a SQL injection. It was likely a remote include exploit.
Also, if they got root access, it is likely your kernel was not upgraded and they exploited it.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
09-26-2009, 09:21 PM #3 - Web Hosting Guru
- Join Date
- Aug 2006
- Location
- Canada
- Posts
- 292
Just curious, which kernel version did you have?
HighLayer - Canadian Web Hosting, Reseller Hosting & Dedicated Servers
Latest cPanel/WHM - 99.9% Uptime Guarantee - 30 Day Money Back Guarantee - 24/7 Support
Visit www.highlayer.com or Call 1-888-84-LAYER
-
09-26-2009, 09:34 PM #4 - How Can I Help You Today?
- Join Date
- Oct 2002
- Location
- Langley, BC
- Posts
- 2,045
Well, you know what, the server was compromised, then I ordered an OS reload, applied kernel updates and everything else (Apache, cPanel). Not long after the server was online and client data restored, it was compromised again, and the root password was not the same. How is that possible?
-
09-26-2009, 09:43 PM #5 - WHT Addict
- Join Date
- Apr 2003
- Location
- Earth
- Posts
- 156
Your PC is infected?
-
09-26-2009, 10:11 PM #6 - How Can I Help You Today?
- Join Date
- Oct 2002
- Location
- Langley, BC
- Posts
- 2,045
My PC? Meaning that the hacker got all the root passwords from my PC?
I use Kaspersky and it should be good.
-
09-26-2009, 10:21 PM #7 - Junior Guru
- Join Date
- Jun 2008
- Posts
- 205
Turn off direct root logins.
Do a much better check of your home PC and read up on server security.
Oh, and quit using or allowing your users to use FTP or POP with passwords in the clear.
-
09-27-2009, 07:42 AM #8 - WHT Addict
- Join Date
- Jun 2008
- Location
- India
- Posts
- 130
Which operating system are you using? If you were using CentOS with an old kernel, then there are some bugs in that. You are supposed to upgrade the kernel and apply all patches... many CentOS servers got hacked due to a kernel bug.
The hacker may have got root access, but it doesn't mean that the hacker used your root password....
-
09-27-2009, 07:53 AM #9 - Web Hosting Master
- Join Date
- Apr 2009
- Posts
- 865
Most likely an old Linux kernel. As for PHP, you can install Suhosin to prevent common PHP SQL injections.
-
09-27-2009, 02:46 PM #10 - Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
People fail to read what others have to say.
Guys, stop being lame and read the whole thread. He said he got the box back up with a new OS and a new kernel, and it got compromised.
Sorry to say, the likelihood of anything other than your PC being infected is slim.
Just because you have an antivirus doesn't mean your home PC is secure. There are viruses that some antivirus programs do not pick up, but others do.
-
09-28-2009, 09:27 AM #11 - Junior Guru
- Join Date
- Oct 2008
- Location
- Chicago, IL
- Posts
- 222
You might want to scan all the websites for a remote shell file. We've seen many .php files with obfuscated base64 in them that allow remote shell access. How "they" got root access from there is still unanswered, but it might lead you down the right path.
What processes are running under root on that server? There must be some remote binary on someone's website that keeps getting copied over when you restore the files. Can you restore a few at a time, check for the root access, then restore some more, check for root access... you get the idea.
Have you tried any rootkit detectors? Just trying to come up with ideas of what to try.
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!
-
09-28-2009, 02:37 PM #12 - WHT Addict
- Join Date
- Apr 2003
- Location
- Earth
- Posts
- 156
Yes, your PC as Steven said. You can't trust one AV program. I had something recently that NOD32 and Symantec totally missed on my local PC.
Malwarebytes did find and clean the problem. Give it a try.
-
09-28-2009, 04:14 PM #13 - Newbie
- Join Date
- Jan 2008
- Location
- Montreal, Canada
- Posts
- 8
I second the idea that your PC may be the weak point here. He could have hacked your PC in the beginning. Is someone else using that PC? Possibly planted a keylogger somewhere and excluded it from the AV check?
-
09-28-2009, 04:23 PM #14 - Retired Moderator
- Join Date
- Nov 2006
- Location
- search.php?do=getnew
- Posts
- 1,241
I think you should re-install your desktop PC, preferably with Linux if you will be accessing servers from it.
http://www.rskeens.com
A casual blog mainly about the web hosting industry
-
09-28-2009, 04:27 PM #15 - Keep rockin' in the free world
- Join Date
- May 2002
- Location
- Kingston, Ontario
- Posts
- 1,588
I agree that it's possible your local PC, or even your network traffic, may be sniffed (less likely, but possible if on wireless). As Steven said, just because you have anti-virus on your local machine doesn't mean it will be detected. Smart hackers will test their latest 'sploits against all the latest scanners to ensure a high success rate....
What do your server logs show from after the reload until the compromise? Just because mod_security is installed doesn't mean it's protecting you. The default rules are basically empty... meaning mod_security is doing nothing, much like a firewall that is there but isn't configured.
Let us know what kernel you're using, you never responded.
-
09-29-2009, 03:36 AM #16 - Temporarily Suspended
- Join Date
- Jul 2009
- Location
- Manila
- Posts
- 301
Hello
I experienced the same thing. I don't think this is about my PC, because I had my partner, who lives in another country, change the root password and it was SMSed to me. So we didn't discuss the root password and I didn't save it to any file on my PC.
But just 8+ hours ago, the server was still hacked. I still receive this message:
lfd on name.server.com: WHM root access alert from 41.250.233.130 (MA/Morocco/-)
Two IPs were able to log in as root again. This has been the case since Sept 26, 2009.
-
09-29-2009, 03:56 AM #17 - Disabled
- Join Date
- Apr 2007
- Location
- Everywhere
- Posts
- 273
emsjs1, notify your admin immediately. If you don't have one, this is the time to get one. You have to act quickly.
Regards,
-
09-29-2009, 04:25 AM #18 - Temporarily Suspended
- Join Date
- Jul 2009
- Location
- Manila
- Posts
- 301
Yes, my partner who changed the password is the server admin. They are checking it now, but I want to help with the checking too, because I really want to know what happened and how they got root access. They changed the server contact, changed the account name of my site and uploaded files. It all happened on Sept 26-27.
-
09-29-2009, 08:09 PM #19 - Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- India
- Posts
- 91
Do you use any integrated billing software like WHMCS or ModernBill?
I have seen one of my friends' servers hacked with similar symptoms, and the IP which gained root access also accessed the WHMCS admin page, which was hosted on a different server.
"If you have knowledge, let others light their candles in it."
-
09-29-2009, 08:15 PM #20 - Junior Guru Wannabe
- Join Date
- Nov 2004
- Location
- India
- Posts
- 91
-
09-30-2009, 01:34 AM #21 - server automation specialist
- Join Date
- Apr 2009
- Location
- Nevada
- Posts
- 662
Since 3 of your servers were hacked, it is more likely to be a common vulnerability. What was the kernel version on these 3 servers? Did you run chkrootkit/rkhunter, and if so, what was the output? Hackers must have uploaded a c99 script, which gives them a shell, and must have exploited kernel vulnerabilities to escalate privileges.
Last edited by ZenMonk; 09-30-2009 at 01:41 AM.
James B
►WWW.EZEELOGIN.COM |Setup your Secure Linux SSH Gateway►MEET PCI DSS & ISO 27001 Compliance|Manage & Administer Multiple Linux Servers Quickly & Securely.
-
09-30-2009, 07:49 AM #22 - Junior Guru
- Join Date
- Jun 2008
- Posts
- 205
Do you know what a keylogger is?
"WHM root access alert" isn't like SSH root access; I don't think you can "escalate" to it. It means they typed the password in, or maybe, like amalji said, got in through some sort of WHMCS or ModernBill type of thing.
If they don't move on to another server and keep coming back for more, it sounds like they may be playing with you. Could it be someone you know? Possibly a hardware keylogger on your PC?
-
09-30-2009, 08:28 AM #23 - Support Facility
- Join Date
- Jun 2009
- Posts
- 2,335
Prevent unauthorized access to the database and limit the permissions that are granted to the database user account that the application uses.
-
09-30-2009, 10:16 AM #24 - Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Greetings:
It is critical to note that chkrootkit, rkhunter, ossec-rootcheck, and related rootkit check tools DO NOT (I repeat, DO NOT) catch most web-based injections that have successfully landed on the server.
To help prevent web-based injections, use mod_security from http://modsecurity.org/
While not perfect, to check for C99 and related types of malware, use Clam AntiVirus with the "detect possibly unwanted applications" (PUA) option turned on.
Thank you.
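A grep-based triage for the obfuscated PHP files described in post #11, which also illustrates the point in post #24 that rootkit checkers will not find them. This is an added example, not code posted in the thread; the directory layout and both PHP files are constructed fixtures, and the regex is a starting point that will produce false positives to review by hand.

```shell
#!/bin/sh
# Added example, not from the thread: find PHP files that hand a decoded or
# obfuscated string straight to an execution sink (eval(base64_decode(...))
# and friends). Every hit is a lead to inspect manually, not a verdict.

scan_php_webshells() {
    # $1: directory tree to scan (e.g. /home). Prints one matching path per line.
    # ERE: an execution sink whose first argument is a decoding call.
    pattern='(eval|assert|system|passthru|shell_exec|exec)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\('
    find "$1" -type f -name '*.php' -exec grep -lE "$pattern" {} + 2>/dev/null | sort
    return 0
}

make_samples() {
    # Constructed fixtures so the scan runs offline; prints the temp dir path.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site1/public_html" "$tmp/site2/public_html/images"
    # Benign: decodes base64 but never executes the result.
    cat > "$tmp/site1/public_html/logo.php" <<'EOF'
<?php
$logo = base64_decode($row['logo_b64']);
file_put_contents('logo.png', $logo);
EOF
    # Constructed look-alike of an obfuscated dropper hidden in an images
    # directory. The encoded string is an inert placeholder, not a payload.
    cat > "$tmp/site2/public_html/images/thumb.php" <<'EOF'
<?php
eval ( base64_decode ("PLACEHOLDER_NOT_A_PAYLOAD") );
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone run: scan the directory given as $1, else the constructed fixtures.
if [ $# -gt 0 ]; then
    scan_php_webshells "$1"
else
    d=$(make_samples)
    scan_php_webshells "$d"
    rm -rf "$d"
fi
```

Run it against the restored account trees before putting sites back online, and treat a hit under a user's web root the way post #11 suggests: restore a few accounts at a time and re-check.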