Thread: Server Hacked

  1. #1
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81

    Server Hacked

    Hi guys,

    I'm just trying to restore all the previous files ... I've just been hacked by:

    1923Turk-Grup

    | Palyo34 | KaraBulut |

    On behalf of Turkish Nation, this website has been interfered by 1923Turk Grup

    If the matter at hand is the homeland, the rest is detail


    Turkish Hacker By Palyo34 | KaraBulut

    Now ... I need some help..

    1st ... all index.* files have been changed with their own... I need to change them... but to do it I need DA... (the DA index has also been hacked!!!)

    2nd ... has anybody had this same trouble?! If yes, did he understand how????
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com

  2. #2
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    You didn't give us a link to any of your sites, so we can't read what they posted. Generally the hackers give enough of an explanation for what they did, so your users will understand what will happen.

    They will still blame you, though, because it's your job to protect your servers from hackers.

    They've searched for all index files on your servers and changed their names, so you and/or your users will need to restore from backup. Only the index files need to be restored; you should probably not restore backups for all your sites unless you've got a very recent backup; otherwise you may restore older sites if any of your users have recently done updates.

    Information for restoring DirectAdmin's index.html can be found on these forums.

    More importantly, though: find out how they got in and close that hole so they can't do it again.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  3. #3
    Join Date
    Mar 2005
    Posts
    5,270
    Might I add too that in order for them to have changed all the index files they would probably need to be the root user which means you need to wipe the hard drive clean and start over.

    Also a lot of these groups will simply rename the index file and then insert their own. So the original index file may still be there just named something else.
    Floyd Morrissette Little Creek Solutions
    Web Hosting Solutions. XEN Virtual Private Servers, VMWare .....
    DirectAdmin Administration and Support
    Our focus is on quality customer support

  4. #4
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81
    Hi,

    everything is now solved. I think that he used an exploit in osCommerce (one client of mine has it) and he took root on the server ...

    Then he put all filesystems in read-only, replaced all index files with his own and deleted the log dir ...
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com

  5. #5
    Join Date
    Mar 2005
    Posts
    5,270
    Just remember it is not really solved unless you rebuild the server. He got root, so he could have left a backdoor in place to get in later.
    Floyd Morrissette Little Creek Solutions
    Web Hosting Solutions. XEN Virtual Private Servers, VMWare .....
    DirectAdmin Administration and Support
    Our focus is on quality customer support

  6. #6
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81
    Quote Originally Posted by floyd
    Just remember it is not really solved unless you rebuild the server. He got root, so he could have left a backdoor in place to get in later.
    I know; in fact I removed the partition, re-created it, formatted it and installed the new OS with Debian 5 and kernel 2.6 bigmem.

    I hope that will never happen again ...
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com

  7. #7
    Join Date
    Aug 2007
    Posts
    49
    Quote Originally Posted by Elfodellanotte
    I know; in fact I removed the partition, re-created it, formatted it and installed the new OS with Debian 5 and kernel 2.6 bigmem.

    I hope that will never happen again ...

    Consider:

    1) Install csf+lfd
    2) Secure your PHP installation by using "open_basedir" and "disable_functions"

    Naturally, only if you don't use them today...


    Carlo

  8. #8
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81
    Quote Originally Posted by carlo_gra
    Consider:

    1) Install csf+lfd
    2) Secure your PHP installation by using "open_basedir" and "disable_functions"

    Naturally, only if you don't use them today...


    Carlo
    thanks for the suggestion :-)
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com

  9. #9
    Join Date
    Dec 2008
    Posts
    495
    I have the same problem, with the same group.

    I cannot find where they accessed the server.

    I have csf + lfd + "open_basedir" and "disable_functions".
    I also get an email if someone logs in as root over SSH.

    So I am reinstalling everything, but because I cannot find the security hole, I am afraid he can do it again.

    So if you have some other things to avoid these problems, you are welcome!

  10. #10
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81
    Quote Originally Posted by pppplus
    I have the same problem, with the same group.

    I cannot find where they accessed the server.

    I have csf + lfd + "open_basedir" and "disable_functions".
    I also get an email if someone logs in as root over SSH.

    So I am reinstalling everything, but because I cannot find the security hole, I am afraid he can do it again.

    So if you have some other things to avoid these problems, you are welcome!
    If you have a customer that is using open-source software like osCommerce, there are some fixes that he must do. Otherwise, later, we can check it together.
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com

  11. #11
    Join Date
    Oct 2006
    Posts
    576
    Got me too:
    Muslim Defacer
    Hacked By oToFaReSi
    I will be starting from the ground up with a new OS and all, even a new MB, faster and with more mem.
    Question: how did they do this? All sites in /home had the index replaced.
    Yes, I have clients with osCommerce, WordPress and Zen Cart.
    I read that these scripts were the back door in.
    I am upgrading to the latest stable versions of all services; will that stop most of it?
    I am running older CentOS 4.4 and PHP etc.
    Even when the system is all new, can these idiots still have access through the scripts people run?
    I am also using ConfigServer Security & Firewall - csf v5.13, and that has stopped so many attempts,
    but these attempts were not seen as intrusive by the FW.

  12. #12
    Join Date
    Dec 2008
    Posts
    495
    Does someone have a script to find all versions of osCommerce, Joomla ... installed on the server?

    So we can check them and contact users to do updates.

    One question, I do not see it on the forum, but maybe, once again, it's a stupid question...

    Can we install mod_ruid2 together with secure_access_group=access (see http://www.directadmin.com/features.php?id=961)?

    I installed secure_access_group, and want to test mod_ruid2, which does away with 777 and 666 chmod.
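One way to answer the question above, as an added example that is not code from this thread or from DirectAdmin: a Python script that walks a web root and reports the version of every WordPress, Joomla and osCommerce install it finds, so outdated copies can be flagged and their owners contacted. The version-file locations and the patterns used to read them are assumptions about each project's layout, not something the thread states.

```python
import os
import re
from typing import List, Optional, Tuple

# Where each application records its version (assumed layouts, not from the thread).
# Relative path of the version file -> (app name, regex whose first group is the version).
VERSION_FILES = {
    "wp-includes/version.php": ("WordPress", re.compile(r"\$wp_version\s*=\s*'([^']+)'")),
    "libraries/joomla/version.php": ("Joomla", re.compile(r"\$RELEASE\s*=\s*'([^']+)'")),
    # osCommerce 2.3 keeps a bare version string such as "2.3.4" in includes/version.php
    "includes/version.php": ("osCommerce", re.compile(r"^\s*([0-9][0-9A-Za-z.]*)\s*$", re.M)),
}


def parse_version(app: str, text: str) -> Optional[str]:
    """Extract the version string from the contents of an app's version file."""
    for _, (name, pattern) in VERSION_FILES.items():
        if name == app:
            m = pattern.search(text)
            return m.group(1) if m else None
    return None


def inventory(root: str) -> List[Tuple[str, str, str]]:
    """Walk root and return (install_dir, app, version) for every install found."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        # Skip dot-directories such as .cache to keep the walk fast.
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]
        for rel, (app, _) in VERSION_FILES.items():
            candidate = os.path.join(dirpath, rel)
            if os.path.isfile(candidate):
                try:
                    with open(candidate, errors="replace") as fh:
                        version = parse_version(app, fh.read()) or "unknown"
                except OSError:
                    version = "unreadable"
                found.append((dirpath, app, version))
    return sorted(found)


if __name__ == "__main__":
    import sys
    # Default to /home, where DirectAdmin keeps user sites; pass another root as argv[1].
    for path, app, version in inventory(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f"{app:<10} {version:<12} {path}")
```

Other releases keep their version elsewhere (for example newer Joomla trees), so extend VERSION_FILES for the layouts actually present on your server.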

  13. #13
    Join Date
    Apr 2008
    Location
    Brno (Czech Republic)
    Posts
    81
    Quote Originally Posted by AndyII
    Got me too:
    Muslim Defacer
    Hacked By oToFaReSi
    I will be starting from the ground up with a new OS and all, even a new MB, faster and with more mem.
    Question: how did they do this? All sites in /home had the index replaced.
    Yes, I have clients with osCommerce, WordPress and Zen Cart.
    I read that these scripts were the back door in.
    I am upgrading to the latest stable versions of all services; will that stop most of it?
    I am running older CentOS 4.4 and PHP etc.
    Even when the system is all new, can these idiots still have access through the scripts people run?
    I am also using ConfigServer Security & Firewall - csf v5.13, and that has stopped so many attempts,
    but these attempts were not seen as intrusive by the FW.
    Tell all the clients with osCommerce to upgrade their version and to download all the fixes; there are many fixes.

    Practically, the hacker is uploading the file through osCommerce (the FTP part of osCommerce: if they are not using .htpasswd and .htaccess to allow just one IP into all the admin folders, they are ****ed; it is free to access and do whatever they want), then, still using an osCommerce exploit, they run the script that makes all the changes. They got access not with SSH but, still, I didn't understand how; it looks like an interface similar to KVM, and in the end they delete all the logs.


    I can just tell you that after all the fixes and major securing of osCommerce (obviously the customer must do it), everything is going to be OK. If you want I can give you the contact of my customer; I think he can speak English and can explain what he did with his osCommerce.
    After August I didn't have any more issues.

    Last thing: when you put everything up again, check the syslog daily, at least; after the hacking I had a continuous flood of DNS attacks.
    For more info, I did the report here and as you can see there are many others with the same problem from the same IP:
    http://www.liveipmap.com/109.72.146.154.html
    Obviously I started to populate iptables, adding every IP address and DROPPING their connections.
    iptables -A INPUT -s 109.72.146.154 -j DROP

    The log will be something like this:
    XXX : 109.172.146.154#(random port) query (cache) ./INS/IN denied

    And then everything was going better.


    I contacted my customer now; he's preparing a howto for osCommerce regarding what he did to secure his platform. I suggest everybody that has customers using the osCommerce platform give them this howto. There will be news ASAP.

    EDIT: Here below are the modifications to do for osCommerce customers ...

    - deleted file file_manager.php from the osCommerce Admin folder

    - deleted file define_language.php from the osCommerce Admin folder

    - changed the Admin folder name; use a non-standard name... different from "admin, administration, adm..."

    - added an htaccess rule in every folder where access is not allowed from HTTP (e.g. Backups, Cache, pub, tmp...)



    --- Start htaccess rule ---

    #Block all files from HTTP

    Options -Indexes



    <Files *>

    Order Deny,Allow

    Deny from all

    </Files>

    --- End htaccess rule ---



    - added an htaccess rule in every "include" folder (oscommerce/include - oscommerce/admin/include) to block *.php requests from HTTP



    --- Start htaccess rule ---

    #Block all php files from HTTP

    <Files *.php>

    Order Deny,Allow

    Deny from all

    </Files>

    --- End htaccess rule ---



    PS: Don't worry, it doesn't block PHP include or require commands.



    - normally you can access the Administration Panel from any computer with an internet connection, but in my case that is not necessary... for this reason I've added an additional rule into "oscommerce/admin"; with this rule it is possible to access the panel only from your office static IP (if you have one...).



    --- Start htaccess rule ---

    #Block all IPs different from mine (111.222.333.444 is a placeholder for your own address)

    RewriteEngine on

    RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$

    RewriteRule .* - [R=403,L]

    --- End htaccess rule ---
    Last edited by Elfodellanotte; 01-20-2011 at 06:47 AM.
    Alfredo Figlia - BiT Manager
    Web Hosting - Voice Hosting - Dedicated Server - VPS
    Housing - Design - PHP Development - Web Marketing
    http://www.bitmng.com
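The DNS flood mentioned in the post above can be triaged from the syslog rather than by hand. As an added example (not code from the thread or from DirectAdmin), this Python snippet counts BIND "query (cache) ... denied" lines per source address and emits the iptables DROP rules the post uses for any source over a threshold. The sample log lines are constructed in the standard BIND refused-recursion format and use TEST-NET addresses; the threshold is an assumption.

```python
import re
from collections import Counter
from typing import Iterable, List

# BIND logs a refused recursive lookup as e.g.
#   named[1234]: client 203.0.113.7#53: query (cache) './NS/IN' denied
# Newer releases add a "@0x..." client handle before the address; the regex allows both.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(\d{1,3}(?:\.\d{1,3}){3})#\d+.*query \(cache\).*denied"
)


def count_denied(lines: Iterable[str]) -> Counter:
    """Count denied cache queries per source IP; non-matching lines are ignored."""
    counts: Counter = Counter()
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def flooding_sources(lines: Iterable[str], threshold: int) -> List[str]:
    """Source IPs with at least `threshold` denied queries, busiest first."""
    return [ip for ip, n in count_denied(lines).most_common() if n >= threshold]


def iptables_rules(ips: Iterable[str]) -> List[str]:
    """Build the per-source DROP rules shown in the post."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


# Constructed sample: one source hammering the resolver, one single refusal, one unrelated line.
SAMPLE_LOG = [
    "Jan 20 06:47:01 ns1 named[1234]: client 203.0.113.7#53: query (cache) './NS/IN' denied",
    "Jan 20 06:47:01 ns1 named[1234]: client 203.0.113.7#53: query (cache) './NS/IN' denied",
    "Jan 20 06:47:02 ns1 named[1234]: client @0x7f3a1c 203.0.113.7#53 (.): query (cache) './NS/IN' denied",
    "Jan 20 06:47:02 ns1 named[1234]: client 198.51.100.9#4521: query (cache) 'example.com/A/IN' denied",
    "Jan 20 06:47:05 ns1 sshd[100]: Accepted publickey for admin from 192.0.2.10 port 50000",
]

if __name__ == "__main__":
    for rule in iptables_rules(flooding_sources(SAMPLE_LOG, threshold=3)):
        print(rule)
```

Queries in a reflection flood usually carry spoofed source addresses, so review the list before dropping anything, and close recursion to outsiders in named.conf rather than relying on per-IP rules alone.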

  14. #14
    Join Date
    Jun 2003
    Location
    California
    Posts
    26,123
    When you build your new server, for the most security when users don't update to the latest secure software versions, run PHP not as mod_php but as CGI, or through mod_ruid2.

    Jeff
    +1 951 643-5345
    Third-Party DirectAdmin administration and support
    Dedicated Servers, Dedicated Reseller Accounts
    NoBaloney Internet Services div. Qnito Incorporated
    848 North Rainbow Blvd., Suite #3789
    Las Vegas, NV 89107-1103

  15. #15
    Join Date
    Aug 2009
    Posts
    26
    Jeff, is mod_ruid2 intended to replace mod_suphp (suPHP)?

  16. #16
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    Let me answer the question:

    You can use either mod_ruid2 or mod_suphp (suPHP). The first is faster, as they say; the second is more secure.

    With mod_ruid2 you'll start much faster. I mean, there are many fewer things you will have to change and re-configure when you start using mod_ruid2. But with suPHP you can set a private php.ini on a per-user basis, and suPHP is permissions-sensitive. You'll have to chmod all PHP scripts to 640 or 644, and directories to 750 or 755. With mod_suphp no php_value and no php_flag are allowed within .htaccess (at least without an additional module).

    Thus you can choose what to use.

  17. #17
    Join Date
    May 2010
    Posts
    7
    Quote Originally Posted by zEitEr
    Let me answer the question: You can use either mod_ruid2 or mod_suphp (suPHP). The first is faster, as they say; the second is more secure.
    Set "MaxRequestsPerChild 1" in your config and mod_ruid2 is even more secure than mod_suphp. In this mode capabilities are permanently dropped after the switch to the right user and group. This will drop the performance of mod_ruid2 a lot, but it is still equal to (or better than) mod_suphp...

  18. #18
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,482
    Sorry for butting in, and slightly off-topic.

    With php-cgi/suphp, I see there can be individual php.ini files for each user - what's stopping a hacker from uploading a modified php.ini file to public_html to regain (disabled) functions? Would this php.ini be used?
    Regards, Peter
    UK Web Hosting - Professional & Reliable Shared and VPS Hosting! Offering DirectAdmin licences on our VPS's

  19. #19
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    11,023
    You can use for Linux
    Code:
    chmod 640 php.ini
    chown 0:username php.ini
    chattr +i php.ini
    and for FreeBSD
    Code:
    chmod 640 php.ini
    chown 0:username php.ini
    chflags uunlnk php.ini

  20. #20
    Join Date
    May 2006
    Posts
    40
    Quote Originally Posted by AndyII
    Got me too:
    Question: how did they do this? All sites in /home had the index replaced.
    Yes, I have clients with osCommerce, WordPress and Zen Cart.
    I read that these scripts were the back door in.
    The standard recipe is: find an old vulnerable script like those listed above, upload malicious code to the server, exploit an old kernel and escalate your privileges to root.

    The key thing is to have all system software (the kernel too) and scripts up to date.


    Quote Originally Posted by jlasman
    When you build your new server, for the most security when users don't update to the latest secure software versions, run PHP not as mod_php but as CGI, or through mod_ruid2.
    PHP scripts should be run with the lowest privileges, and mod_php does exactly that. Now if you need logging you can make a wrapper. If you use suPHP you risk that a vulnerable PHP script can access all files owned by that particular user, which is not good.
    Last edited by MMarko; 04-04-2011 at 03:00 PM.
    NMSERVERS - Need fast HTTP/2 hosting? managed servers, administration, performance analysis and system security services
