Hacked through CustomBuild's webapp user?

28 Studios (Verified User, joined Jun 22, 2008, 9 messages)
My machine was recently hacked and was used to send out spam and brute force ssh attacks.

It may be related to custombuild. I'm really not positive, but wanted to see if anyone here had suggestions on the potential cause.

  1. The outgoing emails were being sent from the user webapp
  2. The ssh attacks were executed by the user webapp
  3. I removed the webapp user
  4. Running ./build update (or maybe ./build all) recreated the webapp user.

I don't know what the webapp user is used for, so I'm not sure where to look next.

I also found the following in /tmp

Code:
barbut.1
barbut.2
barbut.3
blue
blue.1
brb.1
brb.2
brb.3
brb.4
cb
doom.tgz
dt_ssh5
dt_ssh5.1
mysql.sock
ping.txt
resend.debug

dt_ssh5 was the brute force ssh attack.

I definitely am not blaming DirectAdmin (yet :)), but this looks reasonable for the first place to look.

The machine has since been secured, but of course I will be rebuilding the server soon to be safe.
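The post above describes a service account (webapp) that was running an SSH brute-forcer and sending spam, with the tooling staged in /tmp. The script below is an added triage helper, not something from the thread or from DirectAdmin or CustomBuild: it inventories what a given user currently owns in a directory and what it is running, and reports whether /tmp is mounted noexec, which limits how useful /tmp is as a staging area. The user name, directory and the function names are assumptions for the example; the thread names only the webapp user and /tmp.

```shell
#!/bin/sh
# Added triage helper (example code, not from the thread or the project).
# Usage: sh triage.sh webapp /tmp
# Every function prints its findings and returns 0/1, so the output can be
# captured into an incident log and the functions reused from other scripts.

# Regular files under DIR owned by USER, one path per line.
# Returns 1 (prints nothing) if USER is not a known account.
list_owned_files() {
    owner=$1
    dir=$2
    id -u "$owner" >/dev/null 2>&1 || return 1
    find "$dir" -xdev -type f -user "$owner" -print 2>/dev/null
}

# Processes whose real UID belongs to USER, read from /proc (Linux) so it
# works even on a box where ps has been tampered with or is missing.
# Prints "pid command line" per process.
list_user_processes() {
    owner=$1
    uid=$(id -u "$owner" 2>/dev/null) || return 1
    for p in /proc/[0-9]*; do
        [ -r "$p/status" ] || continue
        ruid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null)
        [ "$ruid" = "$uid" ] || continue
        cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
        printf '%s %s\n' "${p#/proc/}" "${cmd:-[kernel or exited]}"
    done
}

# Mount options for /tmp from /proc/mounts; returns 1 when /tmp is not a
# separate mount (so noexec cannot have been applied to it).
tmp_mount_opts() {
    opts=$(awk '$2 == "/tmp" {print $4}' /proc/mounts 2>/dev/null)
    [ -n "$opts" ] || return 1
    printf '%s\n' "$opts"
}

# Whether the given mount option string contains noexec.
has_noexec() {
    case ",$1," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: summarise everything for the account given on the command line.
if [ -n "$1" ]; then
    acct=$1
    stagedir=${2:-/tmp}
    echo "== files owned by $acct under $stagedir =="
    list_owned_files "$acct" "$stagedir" || echo "(no such user: $acct)"
    echo "== processes running as $acct =="
    list_user_processes "$acct" || echo "(no such user: $acct)"
    echo "== /tmp mount options =="
    if o=$(tmp_mount_opts); then
        echo "$o"
        has_noexec "$o" && echo "/tmp is noexec" || echo "/tmp allows execution"
    else
        echo "/tmp is not a separate mount"
    fi
fi
```

The file listing is deliberately restricted to the one directory with -xdev so it stays quick on a busy server; for a full picture run it against the account's home and any web roots as well, and compare the process list against what the web applications legitimately need to run.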
 
Upgrade your outdated roundcube.

My options.conf had roundcube=no. It looks like I may have installed it previously, though.

Is there a way from the build script to remove an app? I know I have other, older things installed by custombuild that I'd like to remove.
 
There is a setting in options.conf to remove old webapps. Check the custombuild faq in the forums here.
 
And check the Announcements for the roundcube fix.
 
I confirmed roundcube was the cause and have removed it and will be more diligent in keeping upgraded. Thanks for the tips.
 