  1. #1
    Join Date
    Oct 2002
    Location
    Langley, BC
    Posts
    2,045

    Servers Hacked - Preventing SQL Inject?

    Hi,
    Three of my servers were compromised on Thu-Fri by Sarbot511.

    I believe they got in through an application which is open to SQL injection attack. My question is how did they gain the root password of the server through SQL injection?

    I have suPHP, mod_security, and the CSF firewall installed. All clients are running under their own username. If a client's website, say, is open to SQL injection attack, how is it possible for them to gain root access and compromise the whole server?

    Any inputs would be appreciated.

    Thank you.
    We Have Generated Over 7 Million cPanel Backups Come Dance Together With Us Y'all!
    Offer Your Own Backup Hosting Service - SiteAutoBackup.Com (Private Label / WHMCS Ready)
    WebHostingBusinessBook.Com | YouTube.com/WebHostingTutorial | NowOpenOnline.Com

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    It probably was not a SQL injection. It was likely a remote include exploit.

    Also if they got root access it is likely your kernel was not upgraded and they exploited it.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  3. #3
    Join Date
    Aug 2006
    Location
    Canada
    Posts
    292
    Just curious, which kernel version did you have?
    HighLayer - Canadian Web Hosting, Reseller Hosting & Dedicated Servers
    Latest cPanel/WHM - 99.9% Uptime Guarantee - 30 Day Money Back Guarantee - 24/7 Support
    Visit www.highlayer.com or Call 1-888-84-LAYER

  4. #4
    Join Date
    Oct 2002
    Location
    Langley, BC
    Posts
    2,045
    Well you know what, the server was compromised, then I ordered an OS reload, applied kernel updates, and everything else (Apache, cPanel). Not long after the server was online and the clients' data restored, it was compromised again, and the root password was not the same. How is that possible?

  5. #5
    Join Date
    Apr 2003
    Location
    Earth
    Posts
    156
    Your PC is infected?

  6. #6
    Join Date
    Oct 2002
    Location
    Langley, BC
    Posts
    2,045
    My PC? Meaning that the hacker got all the root passwords from my PC?

    I used Kaspersky and it should be good.

  7. #7
    Join Date
    Jun 2008
    Posts
    205
    Turn off direct root logins.

    Do a much better check of your home PC and read up on server security.

    Oh, and quit using or allowing your users to use FTP or POP with passwords in the clear.

  8. #8
    Join Date
    Jun 2008
    Location
    India
    Posts
    130
    Which operating system are you using? If you were using CentOS with an old kernel then there are some bugs in that. You are supposed to upgrade the kernel and apply all patches.... Many CentOS servers got hacked due to the kernel bug.

    The hacker may have got root access, but it doesn't mean that the hacker used your root password....

  9. #9
    Join Date
    Apr 2009
    Posts
    865
    Most likely an old Linux kernel. As for PHP, you can install Suhosin to prevent common PHP SQL injections.

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    People fail to read what people have to say.

    Guys, stop being lame, read the whole thread. He said he got the box back up with a new OS and a new kernel and it got compromised.

    Sorry to say, the likelihood that it is anything else but your PC being infected is slim.

    Just because you have an antivirus doesn't mean your home PC is secure. There are viruses that some antivirus programs do not pick up, but others do.

  11. #11
    Join Date
    Oct 2008
    Location
    Chicago, IL
    Posts
    222
    You might want to scan all the websites for a remote shell file. We've seen many .php files with base64 in them that is obfuscated and allows remote shell access. How "they" got root access from there is still unanswered but it might lead you down the right path.

    What processes are running under root on that server? There must be some remote binary on someone's website that keeps getting copied over when you restore the files. Can you restore a few at a time, check for the root access, then restore some more, check for root access...you get the idea.

    Have you tried any rootkit detectors? Just trying to come up with ideas of what to try.
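    As an added illustration of the scan suggested in this post (example code, not written by anyone in the thread): a Python script that walks a document root and flags PHP files carrying the eval(base64_decode(...)) and long-base64-literal markers typical of obfuscated shells. The sample files and their paths are constructed, and the patterns are heuristics for review, not proof of compromise.

```python
import os
import re
import tempfile

# Heuristic markers seen in obfuscated PHP shells (assumed, not exhaustive):
#  0: eval()/assert() fed directly by a decoder such as base64_decode()
#  1: a very long base64 literal handed to base64_decode()
SUSPICIOUS = [
    re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    re.compile(rb"\bbase64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I),
]

def scan_file(path):
    """Return a list of (pattern index, line number) hits for one file."""
    hits = []
    with open(path, "rb") as f:
        for lineno, line in enumerate(f, 1):
            for i, pat in enumerate(SUSPICIOUS):
                if pat.search(line):
                    hits.append((i, lineno))
    return hits

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Scan every PHP-like file under root; map relative path -> hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    results[os.path.relpath(full, root)] = hits
    return results

def demo():
    """Build a constructed sample tree (not real client files) and scan it."""
    samples = {
        "public_html/index.php": b"<?php echo 'hello'; ?>\n",
        "public_html/images/x.php": b"<?php\neval(base64_decode('aGVsbG8gd29ybGQ='));\n",
        "public_html/inc/cfg.php": b"<?php\n$a = base64_decode('" + b"QUJD" * 60 + b"');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Point scan_tree() at a restored account's document root before putting it back online; a clean legitimate file can still hit pattern 1, so treat hits as a review list.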

  12. #12
    Join Date
    Apr 2003
    Location
    Earth
    Posts
    156
    Yes, your PC as Steven said. You can't trust one AV program. I had something recently that NOD32 and Symantec totally missed on my local PC.

    Malwarebytes did find and clean the problem. Give it a try.

    Quote Originally Posted by jrianto
    My PC? Meaning that the hacker got all the root passwords from my PC?

    I used Kaspersky and it should be good.

  13. #13
    Join Date
    Jan 2008
    Location
    Montreal, Canada
    Posts
    8
    I second the idea that your PC may be the weak point here. He could have hacked your PC in the beginning. Is someone else using that PC? Possibly planted a keylogger somewhere and excluded it from the AV check?

  14. #14
    Join Date
    Nov 2006
    Location
    search.php?do=getnew
    Posts
    1,241
    I think you should re-install your desktop PC, preferably with Linux if you will be accessing servers from it.
    http://www.rskeens.com
    A casual blog mainly about the web hosting industry

  15. #15
    Join Date
    May 2002
    Location
    Kingston, Ontario
    Posts
    1,588
    I agree that it's possible your local PC or network traffic may even be sniffed (more unlikely but possible if on wireless). As Steven said, just because you have anti-virus on your local machine doesn't mean it will be detected. Smart hackers will test their latest sploits against all latest scanners to ensure a high success rate....

    What do your logs of the server have to show after the reload and until the compromise? Just because mod_security is installed doesn't mean it's protecting you. The default rules are basically empty... meaning mod_security is doing nothing, much like a firewall that is there but isn't configured.

    Let us know what kernel you're using, you never responded.

  16. #16
    Join Date
    Jul 2009
    Location
    Manila
    Posts
    301
    Hello

    I experienced the same thing. I don't think this is about my PC because I had my partner living in another country change the root password and it was SMSed to me. So we didn't discuss the root password and I didn't save it to any file on my PC.

    But just 8+ hours ago, the server was still hacked. I still receive this message:

    lfd on name.server.com: WHM root access alert from 41.250.233.130 (MA/Morocco/-)

    2 IPs were able to log in as root again. This has been the case since Sept 26, 2009

  17. #17
    Join Date
    Apr 2007
    Location
    Everywhere
    Posts
    273
    emsjs1, notify your admin immediately. If you don't have one, this is the time to get one. You have to act quickly.

    Regards,

  18. #18
    Join Date
    Jul 2009
    Location
    Manila
    Posts
    301
    Yes, my partner who changed the password is the server admin. They are checking it now but I want to help in checking as well, because I really want to know what happened and how they got root access. They changed the server contact, changed the account name of my site and uploaded files. It all happened last Sept 26-27.

  19. #19
    Join Date
    Nov 2004
    Location
    India
    Posts
    91


    Do you use any integrated billing software like WHMCS or Modernbill?
    I have seen one of my friend's servers hacked with similar symptoms, and the IP which gained root access also accessed the WHMCS admin page, which was hosted on a different server.
    "If you have knowledge, let others light their candles in it. "

  20. #20
    Join Date
    Nov 2004
    Location
    India
    Posts
    91


    Quote Originally Posted by amalji
    Do you use any integrated billing software like WHMCS or Modernbill?
    I have seen one of my friend's servers hacked with similar symptoms, and the IP which gained root access also accessed the WHMCS admin page, which was hosted on a different server.
    The hack I mentioned happened on September 28th and the hacker was the same - "SarBoT511".

    By the way, the IPs that hacked the servers were in the range 188.51.x and 188.52.x (probably Saudi Arabian).

  21. #21
    Join Date
    Apr 2009
    Location
    Nevada
    Posts
    662
    Since 3 of your servers were hacked, it is more likely to be a common vulnerability. What was the kernel version on these 3 servers? Did you run chkrootkit/rkhunter? If so, what was the output? The hackers must have uploaded a c99 script, which gives them a shell, and must have exploited kernel vulnerabilities to escalate privileges.
    Quote Originally Posted by jrianto
    Hi,
    Three of my servers were compromised on Thu-Fri by Sarbot511.

    I believe they got in through an application which is open to SQL injection attack. My question is how did they gain the root password of the server through SQL injection?

    I have suPHP, mod_security, and the CSF firewall installed. All clients are running under their own username. If a client's website, say, is open to SQL injection attack, how is it possible for them to gain root access and compromise the whole server?

    Any inputs would be appreciated.

    Thank you.
    James B
    WWW.EZEELOGIN.COM |Setup your Secure Linux SSH GatewayMEET PCI DSS & ISO 27001 Compliance|Manage & Administer Multiple Linux Servers Quickly & Securely.

  22. #22
    Join Date
    Jun 2008
    Posts
    205
    Quote Originally Posted by emsjs1
    Hello

    I experienced the same thing. I don't think this is about my PC because I had my partner living in another country change the root password and it was SMSed to me. So we didn't discuss the root password and I didn't save it to any file on my PC.
    Do you know what a keylogger is?

    "WHM root access alert" isn't like SSH root access, I don't think you can "escalate" to it, it means they typed the password in, or maybe like amalji said, through some sort of WHMCS or Modernbill type of thing.

    If they don't move on to another server and keep coming back for more, it sounds like they may be playing with you. Could it be someone you know? Possibly a hardware keylogger on your PC?

  23. #23
    Prevent unauthorized access to the database and limit the permissions that are granted to the database user account that the application uses.
    SUPPORT FACILITY | 24/7 TECH SUPPORT
    SERVER MANAGEMENT | WEB HOSTING SUPPORT | WP EXPERTS

  24. #24
    Greetings:

    It is critical to note chkrootkit, rkhunter, ossec-rootcheck, and related root check tools DO NOT (I repeat DO NOT) catch most web-based injections that have successfully landed on the server.

    To help prevent web-based injections, use mod_security from http://modsecurity.org/

    While not perfect, to check for C99 and related type malware, use Clam Anti-virus with the detect possibly unwanted applications (PUA) option turned on.

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile
