Server Hacked

Elfodellanotte

Hi guys,

I'm just trying to restore all the previous files ... I've just been hacked by:

1923Turk-Grup

| Palyo34 | KaraBulut |

On behalf of Turkish Nation, this website has been interfered by 1923Turk Grup

Mevzu-u Bahis Vatansa Gerisi Teferruattır (If the homeland is at stake, the rest is detail)


Turkish Hacker By Palyo34 | KaraBulut

Now ... i need some help..

1st ... all index.* files have been replaced with their own... I need to change them back... but to do it I need DA... (the DA index has also been hacked!!!)

2nd ... has anybody had this same trouble?! If yes, did they understand how????
 
You didn't give us a link to any of your sites, so we can't read what they posted. Generally the hackers give enough of an explanation for what they did, so your users will understand what will happen.

They will still blame you, though, because it's your job to protect your servers from hackers.

They've searched for all index files on your servers and changed their names, so you and/or your users will need to restore from backup. Only the index files need to be restored; you should probably not restore backups for all your sites unless you've got a very recent backup; otherwise you may restore older versions of sites if any of your users have recently done updates.

Information for restoring DirectAdmin's index.html can be found on these forums.

More importantly, though: find out how they got in and close that hole so they can't do it again.

Jeff
 
Might I add too that in order for them to have changed all the index files they would probably need to be the root user, which means you need to wipe the hard drive clean and start over.

Also, a lot of these groups will simply rename the index file and then insert their own, so the original index file may still be there, just named something else.
 
Hi,

everything is now solved. I think he used an exploit in osCommerce (one client of mine has it) and he got root on the server ...

Then he put all filesystems in read-only, modified every index with his own index and deleted the log dir ...
 
Just remember it is not really solved unless you rebuild the server. He got root, so he could have left a backdoor in place to get in later.
 
I know; in fact I removed the partition, recreated and formatted it, and installed the new OS :) with Debian 5 and kernel 26 bigmem

I hope that will never happen again ...
 


Consider doing the following:

1) Install csf+lfd
2) Secure your PHP installation by using "open_basedir" and "disable_functions"

Naturally, if you don't use them already... :D


Carlo
 
I have the same problem, with the same group.

I cannot find where they accessed the server.

I have csf + lfd + "open_basedir" and "disable_functions".
I also get an email if someone logs in as root over SSH.

So I am reinstalling everything, but because I cannot find the security hole, I am afraid he can do it again.

So if you have other suggestions to avoid these problems, they are welcome!
 
If you have a customer who is using open-source software like osCommerce, there are some fixes he must apply. Otherwise, later, we can check it together :)
 
Got me too:
Muslim Defacer
Hacked By oToFaReSi
Will be starting from the ground up with a new OS and all, even a new MB, faster and with more memory.
Question: how did they do this? All sites in home had the index replaced.
Yes, I have clients with osCommerce, WordPress and Zen Cart.
I read that these scripts were the back door in.
I am upgrading to the latest stable versions of all services; will that stop most of it?
I am running older CentOS 4.4 and PHP etc.
Even when the system is all new, can these idiots still get access through the scripts people run?
I am also using ConfigServer Security & Firewall - csf v5.13 and that has stopped so many attempts,
but these attempts were not seen as intrusive by the FW.
 
Does someone have a script to find all versions of osCommerce, Joomla ... installed on the server?

So we can check them, and contact user to do updates.

One question, I do not see it on the forum, but maybe it's once again a stupid question...

Can we install mod_ruid2 and mods secure_access_group=access (here http://www.directadmin.com/features.php?id=961)

I installed secure_access_group, and want to test mod_ruid2, which suppresses 777 and 666 chmod.
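An added example (my own script, not anything posted in this thread or shipped with DirectAdmin) for the inventory question above: it walks a /home-style tree, recognises each install by the version file its application keeps, and reports app, directory and version so you know which customers to contact. The version-file paths and regexes are assumptions about the osCommerce 2.x, WordPress and Joomla 1.5 layouts (add Zen Cart and newer Joomla releases the same way), and the sample tree it scans is constructed inline.

```python
import os
import re
import tempfile

# Fingerprint = version file relative to an install's root + regex capturing the version.
# Layouts are assumptions (osCommerce 2.x, WordPress, Joomla 1.5); extend the dict for Zen Cart etc.
FINGERPRINTS = {
    "WordPress":  ("wp-includes/version.php",      r"\$wp_version\s*=\s*'([^']+)'"),
    "osCommerce": ("includes/version.php",         r"^\s*([0-9]\S*(?:\s+RC\S+)?)"),
    "Joomla 1.5": ("libraries/joomla/version.php", r"\$RELEASE\s*=\s*'([^']+)'"),
}

def scan(root, max_depth=4):
    """Walk a /home-style tree; return sorted (app, install dir, version) tuples."""
    root = os.path.abspath(root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if dirpath[len(root):].count(os.sep) >= max_depth:
            dirnames[:] = []              # installs sit near the docroot; stop descending
        for app, (relfile, pattern) in FINGERPRINTS.items():
            vfile = os.path.join(dirpath, relfile)
            if not os.path.isfile(vfile):
                continue
            with open(vfile, errors="replace") as fh:
                m = re.search(pattern, fh.read(), re.MULTILINE)
            # "unknown" still lists the install so an admin checks it by hand
            found.append((app, dirpath, m.group(1) if m else "unknown"))
    return sorted(found)

def build_fixture(base):
    """Constructed sample /home tree (not real customer data) so the scan runs offline."""
    files = {
        "alice/public_html/wp-includes/version.php": "<?php\n$wp_version = '2.8.4';\n",
        "bob/public_html/catalog/includes/version.php": "2.2 RC2a\n",
        "carol/public_html/libraries/joomla/version.php": "<?php\nclass JVersion {\n\tvar $RELEASE = '1.5';\n}\n",
        "dave/public_html/index.html": "<html>static site, nothing to patch</html>\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Build the fixture in a temp dir and scan it; on a real host call scan("/home")."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return [(app, os.path.relpath(d, tmp), ver) for app, d, ver in scan(tmp)]
```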
 

Tell all the clients with osCommerce to upgrade their version and to download all the fixes; there are many fixes.

Practically, the hacker uploads the file through osCommerce (the FTP on osCommerce: if they don't use .htpasswd and .htaccess to set up just one IP that can connect, all the admin folders are ****ed, free to access and do whatever they want); then, still using an osCommerce exploit, they run the script that makes all the changes. They got access not through SSH, but I still haven't understood how; it looks like an interface similar to KVM. In the end they delete all the logs.


I can just tell you that after all the fixes and properly securing osCommerce (obviously the customer must do it), everything is going to be OK. If you want, I can give you the contact of my customer; I think he can speak English and can explain what he did with his osCommerce.
After August I didn't have any more issues.

Last thing: when you put everything back up, check the syslog daily at least; after the hacking I had a continuous flood of DNS attacks.
More info: I filed the report here, and as you can see there are many others with the same problem from the same IP:
http://www.liveipmap.com/109.72.146.154.html
Obviously I started to populate iptables, adding every IP address and DROPPING their connections:
iptables -A INPUT -s 109.72.146.154 -j DROP

The log will look something like this:
XXX : 109.172.146.154#(random port) query (cache) ./INS/IN denied

And then everything started getting better :)


I contacted my customer just now; he's preparing a howto for osCommerce about what he did to secure his platform. I suggest everybody who has customers using the osCommerce platform give them this howto. There will be news ASAP.

EDIT: Here below are the modifications to make for osCommerce customers ...

- deleted the file file_manager.php from the osCommerce admin folder

- deleted the file define_language.php from the osCommerce admin folder

- changed the admin folder name; use a non-standard name, different from "admin, administration, adm..."

- added an htaccess rule in every folder where access from HTTP is not allowed (e.g. backups, cache, pub, tmp...)



--- Start htaccess rule ---
#Block all files from HTTP
Options -Indexes

<Files *>
Order Deny,Allow
Deny from all
</Files>
--- End htaccess rule ---



- added an htaccess rule in every "include" folder (oscommerce/include - oscommerce/admin/include) to block *.php requests from HTTP



--- Start htaccess rule ---
#Block all php files from HTTP
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
--- End htaccess rule ---



PS: Don't worry, it doesn't block PHP include or require commands.



- normally you can access the Administration Panel from any computer with an internet connection, but in my case that is not necessary... for this reason I've added an additional rule in "oscommerce/admin"; with this rule it is possible to access the panel only from your office static IP (if you have one...).



--- Start htaccess rule ---
#Block all IPs different from mine (111.222.333.444 is a placeholder: put your office IP here)
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^111\.222\.333\.444$
RewriteRule .* - [R=403,L]
--- End htaccess rule ---
 
When you build your new server, for the most security when users don't update to the latest secure software versions, run PHP not as mod_php but as CGI, or through mod_ruid2.

Jeff
 
Let me answer the question:

You can use either mod_ruid2 or mod_suphp (suPHP). The first is faster, as they say, the second is more secure.

With mod_ruid2 you'll start much faster. I mean, there are far fewer things you will have to change and re-configure when you start using mod_ruid2. But with suPHP you can set a private php.ini on a per-user basis, and suPHP is permissions sensitive: you'll have to chmod all PHP scripts to 640 or 644, and directories to 750 or 755. With mod_suphp no php_value and no php_flag are allowed within .htaccess (at least without an additional module).

Thus you can choose what to use.
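An added example (not from the thread or from either module's documentation) that audits one docroot against the permission policy described above: directories must be 750/755, .php scripts 640/644, and no other file may be group- or world-writable. It runs against a constructed sample tree whose file names are made up; point audit() at a real public_html to use it.

```python
import os
import stat
import tempfile

# Policy from the thread: suPHP wants PHP scripts at 640/644 and directories at 750/755,
# and nothing should be group- or world-writable (the 666/777 modes a mod_ruid2 setup forbids).
SCRIPT_MODES = {0o640, 0o644}
DIR_MODES = {0o750, 0o755}

def audit(docroot):
    """Return sorted (relative path, octal mode) for every entry that breaks the policy."""
    bad = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                continue                      # a symlink's own mode is irrelevant
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if name in dirnames:
                wrong = mode not in DIR_MODES
            elif name.lower().endswith(".php"):
                wrong = mode not in SCRIPT_MODES
            else:                             # data files: only writable-by-others matters
                wrong = bool(mode & 0o022)
            if wrong:
                bad.append((os.path.relpath(p, docroot), oct(mode)))
    return sorted(bad)

def build_fixture(base):
    """Constructed public_html tree with deliberately mixed permissions (not real site files)."""
    layout = {  # path -> (is_dir, mode); directories listed first so they exist for their files
        "includes": (True, 0o755), "images": (True, 0o777), "cache": (True, 0o755),
        "index.php": (False, 0o644), "includes/application_top.php": (False, 0o640),
        "includes/configure.php": (False, 0o666), "images/logo.gif": (False, 0o644),
        "cache/sess_tmp.txt": (False, 0o666),
    }
    for rel, (is_dir, mode) in layout.items():
        p = os.path.join(base, rel)
        if is_dir:
            os.mkdir(p)
        else:
            open(p, "w").close()
        os.chmod(p, mode)                     # explicit mode, independent of umask

def demo():
    """Build the fixture in a temp dir and audit it; expect three offending entries."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit(tmp)
```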
 
Set "MaxRequestsPerChild 1" in your config and mod_ruid2 is even more secure than mod_suphp. In this mode capabilities are permanently dropped after the switch to the right user and group. This will drop the performance of mod_ruid2 a lot, but it is still equal to (or better than) mod_suphp...
 
Sorry for butting in and slightly off-topic.

With php-cgi/suphp, I see there can be individual php.ini's for each user - what's stopping a hacker from uploading a modified php.ini file to public_html to regain (disabled) functions? Would this php.ini be used?
 
You can use, for Linux:
Code:
chmod 640 php.ini
chown 0:username php.ini
chattr +i php.ini
and for FreeBSD:
Code:
chmod 640 php.ini
chown 0:username php.ini
chflags uunlnk php.ini
 

The standard recipe is: find an old vulnerable script like those listed above, upload malicious code to the server, exploit an old kernel and escalate your privileges to root.

The key thing is to have all system software (the kernel too) and scripts up to date.


PHP scripts should be run with the lowest privileges, and mod_php does exactly that. Now if you need logging you can make a wrapper. If you use suPHP you risk that a vulnerable PHP script can access all files owned by that particular user, which is not good.
 