Hacked Linux Server


__LEE__

7,520 posts

245 months

Tuesday 21st December 2004
JamieBeeston said:
Most likely the kiddies are 'in a competition' and are simply submitting 'proof' of the sites they have defaced, the 'security' site then catalogues it for reference.

Wouldn't surprise me if the site was run by associates of the hackers, but I think the link ends there..

The logs just show copies of the page being grabbed, most likely from a Script at the other end, called by the script that defaced you.

Scripts feeding scripts feeding scripts.


Yeah, Zone-H is a well known site for hackers to brag about defacing other people's sites. Hackers have little childish competitions on there to see how many websites they can deface.

Pigeon

18,535 posts

248 months

Tuesday 21st December 2004
JamieBeeston said:
www.chkrootkit.org

Download, untar and execute the RookCheck script.

Also install Rootkit Hunter - from www.rootkit.nl - this has regular updates available which you can download automatically from a cron job.

Both of them give you the occasional false positive, chkrootkit the more so - it sometimes reports false positives for LKM trojans, and having port sentry type applications running can make it give false positives for bindshell trojans.

I don't know how assiduous Libranet is with providing security updates, but Debian is shit hot, and keeping it up to date is simply a matter of "apt-get update && apt-get upgrade" at regular intervals - if you're feeling brave you can even do that from a cron job, though it's safer to do it manually. Might be worth switching to Debian.

size13

Original Poster:

2,032 posts

259 months

Tuesday 21st December 2004
Pigeon said:

JamieBeeston said:
www.chkrootkit.org

Download, untar and execute the RookCheck script.


Also install Rootkit Hunter - from www.rootkit.nl - this has regular updates available which you can download automatically from a cron job.

Both of them give you the occasional false positive, chkrootkit the more so - it sometimes reports false positives for LKM trojans, and having port sentry type applications running can make it give false positives for bindshell trojans.

I don't know how assiduous Libranet is with providing security updates, but Debian is shit hot, and keeping it up to date is simply a matter of "apt-get update && apt-get upgrade" at regular intervals - if you're feeling brave you can even do that from a cron job, though it's safer to do it manually. Might be worth switching to Debian.

Libranet is Debian, so I do regular updates quite easily from the adminmenu or apt-get.

chkrootkit is giving me LKM Trojan alerts, which I've read are quite common on Debian.

I'll try out your other suggestion thanks.

JamieBeeston

9,294 posts

267 months

Wednesday 22nd December 2004

size13

Original Poster:

2,032 posts

259 months

Wednesday 22nd December 2004
After investigation it turns out to be a SHV4 rootkit, may have gotten in through a SAMBA vulnerability.
I'll have to have our router config checked as I thought it only allowed port 80 and 25 through.

Thanks for your input guys

(Jamie, were you really up at 3 something this morning?)

zumbruk

7,848 posts

262 months

Wednesday 22nd December 2004
JamieBeeston said:
There are an infinite number of ways they could have got in.

SSH Exploit
Telnet Exploit
Sendmail / MTA Exploit
Apache Exploit etc


Given that it isn't running SSH or telnet and is unlikely to be running sendmail, this advice is utterly useless.

zumbruk

7,848 posts

262 months

Wednesday 22nd December 2004
size13 said:
The server only runs php db stuff with no galleries etc. I'm going to upgrade PHP tonight. (shutting the door after ...)


No, no, no!!!!!

The only way to be certain of a compromised machine is to completely re-install from known good media. Upgrading software on an already compromised machine is an utter waste of time.

tuffer

8,850 posts

269 months

Wednesday 22nd December 2004
zumbruk said:

size13 said:
The server only runs php db stuff with no galleries etc. I'm going to upgrade PHP tonight. (shutting the door after ...)



No, no, no!!!!!

The only way to be certain of a compromised machine is to completely re-install from known good media. Upgrading software on an already compromised machine is an utter waste of time.


Have to agree with this, wipe and re-install I am afraid.

size13

Original Poster:

2,032 posts

259 months

Wednesday 22nd December 2004
zumbruk said:

JamieBeeston said:
There are an infinite number of ways they could have got in.

SSH Exploit
Telnet Exploit
Sendmail / MTA Exploit
Apache Exploit etc



Given that it isn't running SSH or telnet and is unlikely to be running sendmail, this advice is utterly useless.

A bit harsh that!
As it happens I checked for all these, and have found sendmail running on the machine - so that's another thing that needs fixing that I may not have looked at.
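The surprise in this post (a sendmail listener the admin had not accounted for, on a box believed to expose only ports 80 and 25) is the kind of thing a routine listening-socket audit catches. The following is an added example, not code from the thread: it parses output in the column layout of `ss -lntp` (an assumption about the iproute2 version) and flags any listener whose port, or owning process, is outside a small expected-services policy. The sample `ss` output and the policy (`apache2` on 80, `postfix` on 25) are constructed for illustration.

```python
"""Audit listening TCP sockets against an allow-list (added example, not from
the thread). Parses output in the layout of `ss -lntp` (assumed modern
iproute2 columns) and flags any listener whose port, or owning process, is
not what the administrator expects, which is how an unplanned sendmail or
smbd listener would be noticed."""
import re
import subprocess

# Constructed sample output for a host like the one in the thread: the
# admin believed only 80 and 25 were exposed. Not captured from a real box.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=812,fd=4))
LISTEN  0       10      0.0.0.0:25           0.0.0.0:*          users:(("sendmail",pid=655,fd=5))
LISTEN  0       50      0.0.0.0:139          0.0.0.0:*          users:(("smbd",pid=701,fd=31))
LISTEN  0       50      0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=701,fd=30))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=590,fd=10))
"""

# One LISTEN row: state, queue counters, local addr:port, peer, optional
# process blob (absent when ss is run without permission to see it).
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output):
    """Return [(address, port, process_name)] for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("addr"), int(m.group("port")), m.group("proc") or "?"))
    return listeners


def is_loopback(addr):
    """Loopback-bound sockets are not reachable from the network."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit_listeners(listeners, expected, loopback_ok=True):
    """expected maps port -> process name (or None for 'any process').
    Returns [(addr, port, proc, reason)] for anything outside that policy."""
    findings = []
    for addr, port, proc in listeners:
        if loopback_ok and is_loopback(addr):
            continue
        if port not in expected:
            findings.append((addr, port, proc, "port not in allow-list"))
        elif expected[port] is not None and proc != expected[port]:
            findings.append((addr, port, proc, f"expected {expected[port]}"))
    return findings


def audit_live_host(expected):
    """Run `ss -lntp` on this machine and audit it (needs iproute2; run as
    root to see process names for sockets owned by other users)."""
    out = subprocess.run(["ss", "-lntp"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(parse_listeners(out), expected)


if __name__ == "__main__":
    policy = {80: "apache2", 25: "postfix"}  # assumed expected services
    for addr, port, proc, reason in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), policy):
        print(f"{addr}:{port} ({proc}): {reason}")
```

Run against the sample, the audit reports sendmail on 25 (a different MTA than the policy expects) and the two smbd listeners on 139 and 445, which is the Samba exposure the original poster only discovered after the fact. Swapping `audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), policy)` for `audit_live_host(policy)` in a cron job gives the same check on a real host.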

JamieBeeston

9,294 posts

267 months

Wednesday 22nd December 2004
zumbruk said:

JamieBeeston said:
There are an infinite number of ways they could have got in.

SSH Exploit
Telnet Exploit
Sendmail / MTA Exploit
Apache Exploit etc



Given that it isn't running SSH or telnet and is unlikely to be running sendmail, this advice is utterly useless.


In this instance it might not have been the way it was compromised, but knowledge is never useless

and I am 99.9% certain it was a PHP Exploit, as I say later with more evidence given.

Calm Down!

Bodo

12,382 posts

268 months

Wednesday 22nd December 2004
JamieBeeston said:
www.theregister.co.uk/2004/12/21/santy_worm/

Might be of Interest to you
Tens of thousands of servers suffered from that one in the last hours. It even compromised sites that don't run phpBB themselves, but other sites on the same machine. Google allegedly stopped it now.



Bodo

12,382 posts

268 months

Wednesday 22nd December 2004
oh yes, and more reference:
www.kaspersky.com/news?id=156681162

JamieBeeston

9,294 posts

267 months

Wednesday 22nd December 2004
Bodo said:
Tens of thousands of servers suffered from that one in the last hours. It even compromised sites that don't run phpBB themselves, but other sites on the same machine. Google allegedly stopped it now.


It wouldn't need the site to run phpBB itself, as once it exploited any instance of it, it had the privs of the Apache Process, and as such could write anywhere Apache can write.... or, if they were clever enough, they could craft a buffer overflow to execute arbitrary code which could potentially lead to root privs, and write to any site / file / folder anywhere.

It only takes one site on your box to be compromised before the rest are at risk. That's why on Register1 we run each site in its own Mini-Chrooted environment, to reduce the risks as much as possible.

This just highlights why Virtual Hosting isn't good for Security, and you shouldn't 'bang as many sites on the one server as you can, just because it's cheaper'
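The point above, that a compromised PHP application inherits the Apache process's privileges and can write wherever that account can write, is easy to measure on a shared host. The following is an added example, not code from the thread or from Register1: it walks a document root and reports every file or directory the web-server identity could modify, evaluating the classic owner/group/other mode bits from the perspective of an assumed unprivileged uid/gid (33, the Debian `www-data` account, is an assumption). The sample docroot is constructed in a temporary directory; ACLs and root are out of scope.

```python
"""Find files under a web root that the web-server account could write to
(added example, not from the thread). It evaluates the classic owner/group/
other mode bits from the perspective of an assumed unprivileged web-server
uid/gid, so it shows how much a process running 'with the privs of the
Apache process' could alter. ACLs and root are out of scope."""
import os
import shutil
import stat
import tempfile

# Assumed web-server identity (www-data is uid/gid 33 on Debian). If this
# script happens to run as that uid we shift it, so the sample tree is still
# owned by "someone else", as files in a real docroot should be.
WEB_UID = 33 if os.getuid() != 33 else 1033
WEB_GID = 33 if os.getgid() != 33 else 1033


def writable_by(st, uid, gid):
    """True if a process with this uid/gid could write to the inode `st`."""
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_web_writable(root, uid=WEB_UID, gid=WEB_GID):
    """Walk root and return the relative paths the web identity can modify.
    A writable directory counts too: new files can be dropped into it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            if writable_by(st, uid, gid):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_docroot():
    """Constructed docroot: one sloppy uploads dir among sane defaults."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": 0o644,
        "config.php": 0o640,
        "uploads": 0o777,          # world-writable: anyone can plant files
        "uploads/avatar.gif": 0o666,
        "cache": 0o755,
        "cache/page.html": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)  # explicit, so the umask does not interfere
    return root


def demo():
    """Build the sample tree, audit it, clean up, return the findings."""
    root = build_sample_docroot()
    try:
        return find_web_writable(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for p in demo():
        print("web-writable:", p)
```

On the sample tree only the world-writable `uploads` directory and the file inside it are reported; `config.php` at 0640 is safe from a process running as a different uid and gid. Pointing `find_web_writable` at a real vhost's docroot (ideally from cron, diffing against the previous run) turns Jamie's "could write anywhere Apache can write" into a concrete list, and is the check that motivates running each site under its own account or chroot.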

john_p

7,073 posts

252 months

Wednesday 22nd December 2004
zumbruk said:

Given that it isn't running SSH or telnet and is unlikely to be running sendmail, this advice is utterly useless.


How was Jamie supposed to know that?

Bodo

12,382 posts

268 months

Wednesday 22nd December 2004
JamieBeeston said:

It wouldn't need the site to run phpBB itself, as once it exploited any instance of it, it had the privs of the Apache Process, and as such could write anywhere Apache can write....
That's what I was trying to say with my limited language
JamieBeeston said:

That's why on Register1 we ...

JamieBeeston

9,294 posts

267 months

Wednesday 22nd December 2004
Bodo said:
JamieBeeston said:

That's why on Register1 we ...



Hush now

zumbruk

7,848 posts

262 months

Thursday 23rd December 2004
john_p said:

zumbruk said:

Given that it isn't running SSH or telnet and is unlikely to be running sendmail, this advice is utterly useless.



How was Jamie supposed to know that?


The original poster said it was only listening on ports 80 (http) and 25 (smtp), which eliminates ssh and telnet. Most Linuxes don't run sendmail, hence the "unlikely".

john_p

7,073 posts

252 months

Thursday 23rd December 2004
zumbruk said:

The original poster said it was only listening on ports 80 (http) and 25 (smtp), which eliminates ssh and telnet. Most Linuxes don't run sendmail, hence the "unlikely".


size13 said:
After investigation it turns out to be a SHV4 rootkit, may have gotten in through a SAMBA vulnerability.
I'll have to have our router config checked as I thought it only allowed port 80 and 25 through.


So the firewall wasn't set up as expected, which caused the problem .. so it's always worth checking every eventuality.

... and how many out of the box Linux installs come with Sendmail as standard? 80%? Not that I'd disagree with the fact it should be the first thing to be removed.

JamieBeeston

9,294 posts

267 months

Friday 24th December 2004
size13 said:

(Jamie, were you really up at 3 something this morning?)


Best time to work on systems

size13

Original Poster:

2,032 posts

259 months

Friday 24th December 2004
JamieBeeston said:

Best time to work on systems

I thought you'd have a man to do that for you!

Or does the wink mean you were up to something sinister?