Server Hacked

  • Server Hacked

    Hi all, I currently freelance for a company who is having some problems with their servers.

    They are stuck with Ubuntu 9.10 LTS with a poor version of PHP 5.1.2 which they can't upgrade.

    I am currently trying to get them to buy a new server (maybe with eUK).

    My question is: before we move, we know that rootkits and such have been installed on the server, as we keep removing them and dodgy cron jobs that reinstall them, then brute force the server passwords from inside before emailing them once successful.

    Our problem (or one of them) is how do we go about identifying where the problem is originating? We have looked through our auth logs and we can see the login attempts; we have looked through the FTP logs and found nothing, so we're left thinking that it could be an infected site / PHP script that's the problem, but are now stuck without knowledge of how to search for such a script.

    Any help would be appreciated.

    Thanks

  • #2
    Originally posted by Themodem View Post
    Hi all, I currently freelance for a company who is having some problems with their servers.

    They are stuck with Ubuntu 9.10 LTS with a poor version of PHP 5.1.2 which they can't upgrade.

    I am currently trying to get them to buy a new server (maybe with eUK).

    My question is: before we move, we know that rootkits and such have been installed on the server, as we keep removing them and dodgy cron jobs that reinstall them, then brute force the server passwords from inside before emailing them once successful.

    Our problem (or one of them) is how do we go about identifying where the problem is originating? We have looked through our auth logs and we can see the login attempts; we have looked through the FTP logs and found nothing, so we're left thinking that it could be an infected site / PHP script that's the problem, but are now stuck without knowledge of how to search for such a script.

    Any help would be appreciated.

    Thanks
    Hi,

    Ubuntu Server Edition 9.10 comes inbuilt with PHP 5.2, which has lots of bugs fixed. From the security point of view, it has AppArmor 2.3, iptables 1.4 & Uncomplicated Firewall (ufw) 0.27 bundled too.

    Our Cheap Linux Dedicated servers come pre-installed [or can be installed on request] with tools such as ChkRootkit & RKHunter.

    Both of these useful tools check a local server for rootkits, backdoors or any other local exploits by checking for deleted entries in the wtmp & lastlog files, and by finding sniffer logs & rootkits' config files present in some default file locations.

    They furthermore check /proc for entries which are hidden from ps & the readdir system call, which can be an indication of an LKM trojan being present in the system, which is nearly impossible to see with the naked eye. We take appropriate care of servers from the security point of view by keeping them updated with the latest patches, monitoring systems, etc.

    Ubuntu ships with a no-open-ports policy, meaning that after you install the machine, be it an Ubuntu desktop or a server, no applications will be accepting connections from the Internet by default. Also, it doesn't enable the root, or administrator, account by default, & there is a great deal of security benefit to this approach, securing the server by almost 50%. In general, Ubuntu & Debian are a very secure platform, but if your server is connected to the Internet, for security purposes, it's always in a war zone. Security is based on three characteristics: prevention, protection & detection.

    Grsecurity is a patch for the Linux kernel that allows you to increase each of these points. Hardened kernels are modifications to the Linux kernel that add additional security measures.

    This could include:
    • The randomization of ports, memory addresses, process IDs, & other information that is typically predictable. This can thwart many types of common attacks.
    • Identifying & preventing buffer overflow attacks from resulting in compromise by killing compromised processes. Edgy & higher contain GCC stack protection enforced in most applications, but it is unable to respond to several kinds of attacks that a kernel-layer enforcer could. Likewise, PaX & friends have weaknesses that GCC stack protection helps cover, so the two work great as a duo.
    • Hiding information that Linux usually allows everyone to see, including all running processes on the system, load averages, CPU info, IP addresses, etc. Obscuring this information can help keep attackers "in the dark" so to speak.
    • More aggressive enforcement of buffer overflow protection than what Ubuntu's standard gcc stack protector can do.
    • Adding additional restrictions on the capabilities of regular users that prevent channels of attack.
    • Additional permissions systems that allow finer-grained tuning of various aspects of Linux.

    The most common hardened kernel patch is called "grsecurity2" (grsecurity), which does everything on this list.

    Read more on GrSecurity here:
    grsecurity
    Installing GrSecurity - Ubuntu Forums
    Hardening The Linux Kernel With Grsecurity (Debian) | HowtoForge - Linux Howtos and Tutorials


    We'd highly recommend going for a web-based firewall such as mod_security, which would prevent/filter any attacks originating from the web server. Mod_security is an Apache 1.x/2.x module whose purpose is to tighten web application security by shielding the applications from attack. The idea is to filter requests & web content before passing them to the Apache core.

    Please read more on installing & configuring mod_security with Apache here : Secure your Apache2 with mod-security | Debian/Ubuntu Tips & Tricks

    These techniques combined have been shown to be very effective in the real world in guarding against unknown attacks. For example, many administrators of hardened kernel servers either report or even prove that their hardened systems were invulnerable to newly discovered security holes, or that the severity of a breach was significantly reduced.

    But one thing I'd like to make clear: there is no such thing as a fully secure system. Securing systems isn't about making it impossible for a breach to occur. It's about making the breach so difficult that it's not worth it to the attacker. Have backups of all important files, & a backup plan in place in case the worst happens. Never trust a server that has been cracked. A cracker has access to 100% of the system once they have root access. Good luck.
    Rock _a.k.a._ Jack Daniel

    Follow eUKhost on Twitter || Join eUKhost Community on Facebook
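The "deleted entries in wtmp" check described above, written out as an added example (not code from the thread, nor from chkrootkit or rkhunter): it parses wtmp records and flags the traces a log wiper leaves behind. The 384-byte glibc x86_64 record layout is an assumption, and the sample records are constructed here.

```python
import struct

# glibc `struct utmp` as laid out on x86_64 Linux (384 bytes). Assumption: the
# server's wtmp uses this layout; a file size that is not a multiple of 384
# means a different layout (or truncation) and the offsets below would be wrong.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS, DEAD_PROCESS = 7, 8

def parse_wtmp(data):
    """Yield one dict per complete utmp record in a wtmp byte string."""
    for off in range(0, len(data) - len(data) % UTMP.size, UTMP.size):
        f = UTMP.unpack_from(data, off)
        yield {
            "offset": off, "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],  # ut_tv.tv_sec
            "zeroed": data[off:off + UTMP.size] == b"\0" * UTMP.size,
        }

def find_tampering(data):
    """Return [(offset, reason)] for records that look wiped or spliced in:
    all-zero records (a naive log wiper nulls entries instead of removing them),
    login/logout records with a null timestamp, and time running backwards."""
    findings, last_time = [], 0
    for rec in parse_wtmp(data):
        if rec["zeroed"]:
            findings.append((rec["offset"], "record overwritten with zeros"))
            continue
        if rec["type"] in (USER_PROCESS, DEAD_PROCESS) and rec["time"] == 0:
            findings.append((rec["offset"], "login/logout record with null timestamp"))
        elif rec["time"] < last_time:
            findings.append((rec["offset"], "timestamp goes backwards"))
        last_time = max(last_time, rec["time"])
    return findings

def make_record(utype, pid, line, user, host, tsec):
    """Pack one record; used only to build the constructed sample below."""
    return UTMP.pack(utype, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tsec, 0, 0, 0, 0, 0)

# Constructed sample (not a real log): a normal login, a record a wiper zeroed,
# then a login whose timestamp is earlier than the one before it.
SAMPLE = (make_record(USER_PROCESS, 1200, "pts/0", "alice", "10.0.0.5", 1262300000)
          + b"\0" * UTMP.size
          + make_record(USER_PROCESS, 1300, "pts/1", "bob", "10.0.0.9", 1262200000))
```

On the real log, `find_tampering(open('/var/log/wtmp', 'rb').read())` runs the same checks; do it on a copy taken off the host, because a rootkit on the box can lie to any tool that runs there.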



    • #3
      I've found that frequently the hackers put some backdoor on sites that they've been able to compromise. At times, this can affect the entire server or just a single website.

      Scan all sites for a string that starts with:

      <?php eval(base64_decode

      The php above may be upper or lower case and there may be extra spaces between php and eval.

      Sometimes we've seen this in the images folders on websites and it might be named gifimg.php. If it's a server wide infection, some people have reported that using suphp helps prevent this. This string gives hackers a method to remotely send commands to a website. Sometimes these commands allow them to create new Apache child processes because php runs as the same user as Apache does. This new Apache child process only receives some of the HTTP requests so the infection only happens once in a while. The other valid Apache processes process the other HTTP requests as they're supposed to.

      If it's a server wide infection, when you find out what website has the infectious php malscript, you should contact that website owner as their PC probably has an FTP credential stealing virus/trojan on it. That might be how the hackers got "in" the first time.

      Let me know what you find and if you need any further assistance.
      Thomas J. Raef
      "We Watch Your Website - so you don't have to!"



      • #4
        Excellent, thank you both, we are currently working through the steps above. I will drop a reply with our results.

        Thanks again and so do its members



        • #5
          Originally posted by Themodem View Post
          Excellent, thank you both, we are currently working through the steps above. I will drop a reply with our results.

          Thanks again and so do its members
          You're most welcome
          Rock _a.k.a._ Jack Daniel




          • #6
            Originally posted by WeWatch View Post
            I've found that frequently the hackers put some backdoor on sites that they've been able to compromise. At times, this can affect the entire server or just a single website.

            Scan all sites for a string that starts with:

            <?php eval(base64_decode

            The php above may be upper or lower case and there may be extra spaces between php and eval.

            Sometimes we've seen this in the images folders on websites and it might be named gifimg.php. If it's a server wide infection, some people have reported that using suphp helps prevent this. This string gives hackers a method to remotely send commands to a website. Sometimes these commands allow them to create new Apache child processes because php runs as the same user as Apache does. This new Apache child process only receives some of the HTTP requests so the infection only happens once in a while. The other valid Apache processes process the other HTTP requests as they're supposed to.

            If it's a server wide infection, when you find out what website has the infectious php malscript, you should contact that website owner as their PC probably has an FTP credential stealing virus/trojan on it. That might be how the hackers got "in" the first time.

            Let me know what you find and if you need any further assistance.
            Originally posted by Themodem View Post
            Excellent, thank you both, we are currently working through the steps above. I will drop a reply with our results.

            Thanks again and so do its members
            While scanning the pages which start with the base64 code, try out this link to decode the base64 codes, so that you will find out if there is any injected code through base64: http://www.motobit.com/util/base64-decoder-encoder.asp
            Website Hosting | Cloud Hosting | Dedicated Server Hosting
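A scanner for the marker #3 describes (case-insensitive, tolerant of extra spaces) that also decodes the base64 argument in place, as #6 suggests, so you can read what the injected code does without running it. This is an added example, not code from the thread; the document root is whatever path you pass to scan_tree, and the files built in demo() are constructed.

```python
import base64
import binascii
import os
import re
import tempfile

# Marker from the thread, case-insensitive and space-tolerant; group 1 = quoted base64 literal.
MARKER = re.compile(
    rb"<\?php\s*eval\s*\(\s*base64_decode\s*\((?:\s*['\"]([A-Za-z0-9+/=\s]*)['\"])?",
    re.IGNORECASE,
)

def decode_payload(b64):
    """Decode a captured base64 literal; None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(rb"\s", b"", b64), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-8", errors="replace")

def scan_file(path):
    """Return [(byte_offset, decoded_preview_or_None)] for each marker hit."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for m in MARKER.finditer(data):
        preview = decode_payload(m.group(1)) if m.group(1) else None
        hits.append((m.start(), preview[:80] if preview else None))
    return hits

def scan_tree(root, exts=(".php", ".phtml", ".inc")):
    """Walk a document root; return {path: hits} for every file with a hit."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hits = scan_file(path) if name.lower().endswith(exts) else []
            if hits:
                findings[path] = hits
    return findings

def demo():
    """Constructed sample web root (not from the thread): clean index.php plus images/gifimg.php with a harmless payload."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>\n")
    payload = base64.b64encode(b"echo 'constructed sample';")
    with open(os.path.join(root, "images", "gifimg.php"), "wb") as fh:
        fh.write(b"<?PHP  eval ( base64_decode( '" + payload + b"' ) ); ?>\n")
    return scan_tree(root)
```

A hit whose argument is a variable rather than a literal is still reported, with no preview; widen `exts` if the sites keep PHP under other extensions.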



            • #7
              Originally posted by WeWatch View Post
              I've found that frequently the hackers put some backdoor on sites that they've been able to compromise. At times, this can affect the entire server or just a single website.

              Scan all sites for a string that starts with:

              <?php eval(base64_decode

              The php above may be upper or lower case and there may be extra spaces between php and eval.

              Sometimes we've seen this in the images folders on websites and it might be named gifimg.php. If it's a server wide infection, some people have reported that using suphp helps prevent this. This string gives hackers a method to remotely send commands to a website. Sometimes these commands allow them to create new Apache child processes because php runs as the same user as Apache does. This new Apache child process only receives some of the HTTP requests so the infection only happens once in a while. The other valid Apache processes process the other HTTP requests as they're supposed to.

              If it's a server wide infection, when you find out what website has the infectious php malscript, you should contact that website owner as their PC probably has an FTP credential stealing virus/trojan on it. That might be how the hackers got "in" the first time.

              Let me know what you find and if you need any further assistance.
              Hi,
              You can harden PHP & Apache on a Linux box by going through these links:
              http://www.eukhost.com/forums/f42/di...unctions-6020/
              http://www.eukhost.com/forums/f29/ha...p-apache-6466/


              Once these security steps are applied, it'd be difficult for a hacker/cracker to get into the server through any PHP scripts.
              Rock _a.k.a._ Jack Daniel

