Anyone get hacked C - H Tea m?

cyberneticos

Hi guys,

One of our shared servers got hacked ENTIRELY. Any file that contains index got replaced with their hacked html code.

We use CSF, mod_security, use a different ssh port than 22, and just a bunch of other ****, and seems like they got through.

It's hard to believe they got in via root, but somehow they got root access, cause what they did could only be done by root.

All pages showed this :

OUR BOX
HACKED BY C - H TEAM !
*hA rD_hAE rZ & C
mOs_CLR
*[ DEF ACERS
ALGE RIA ]
*WW W.SE C4EVER.CO M

(I put some spaces in there so we don't attract these folks to this thread)

Anyone dealt with this before? Know how they "deface" a server? Any recommendations?
 
oh they also deleted /var/log completely hehehee ****ers.

I believe this is what we call an "ethical hack"?
 
Did you run suphp or something where php scripts run as user only?

Good idea to syslog to a separate box too :D
 
would like to know any info known, I haven't seen a DA takeover till now :mad:
can you share the IPs concerning the hackers?
since the log was cleared, I suppose not, plus they seem to be from Algeria
Did they find your root password with force, or is there an exploit in DA code,

Google says
Your website has been suspended!
The web hosting account that hosts this website has been blocked! If you are the owner of this website, please contact the support team to resolve this ...
and gives the website name listed
 
This is not a DirectAdmin hack. Generally caused by compromised scripts.

Tell us if you're using mod_php or cgi on your server, and the output of:
Code:
ls -al /home/ANYUSER/domains/EXAMPLE.COM/public_html
and someone will be able to give you an idea of what might have happened.

Do you have safe_mode turned on? Do you have open_basedir turned on?

Jeff
 
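A small triage script in the spirit of Jeff's ls -al check, added here as an example and not code from the thread. It assumes the DirectAdmin layout /home/ANYUSER/domains/EXAMPLE.COM/public_html and that you pass the account user name; it lists what a web server process (mod_php running as the apache/nobody user) could have written and which index files changed recently.

```shell
#!/bin/sh
# Added example, not from the thread. Quick triage of one account's docroot
# after a defacement. Run as root on the server, e.g.:
#   audit_docroot /home/ANYUSER/domains/EXAMPLE.COM/public_html ANYUSER 7

count_other_writable() {
    # Entries writable by "other" (symlinks excluded): any local uid,
    # including the web server user, can modify these.
    find "$1" ! -type l -perm -o+w | wc -l | tr -d ' '
}

count_recent_index() {
    # Files with "index" in the name modified within the last N days
    # (default 7); the thread says every such file was overwritten.
    find "$1" -type f -name '*index*' -mtime "-${2:-7}" | wc -l | tr -d ' '
}

audit_docroot() {
    docroot="$1"; owner="$2"; days="${3:-7}"
    echo "== other-writable entries under $docroot =="
    find "$docroot" ! -type l -perm -o+w
    echo "== index files modified in the last $days days =="
    find "$docroot" -type f -name '*index*' -mtime "-$days" -exec ls -l {} \;
    echo "== entries not owned by $owner (written by another uid?) =="
    find "$docroot" ! -user "$owner"
    echo "summary: $(count_other_writable "$docroot") other-writable," \
         "$(count_recent_index "$docroot" "$days") recently modified index files"
}
```

Files owned by the web server user rather than the account user point at scripts writing through mod_php; with suPHP/CGI the files would carry the account's uid instead.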
It will be a good idea if DirectAdmin will provide some Default Security settings for new users, cause using everything as is could compromise everything.
 
would like to know any info known, I haven't seen a DA takeover till now

Technically it was not a DA takeover. Somebody's server that happened to be running DirectAdmin got hacked. If you say it's a DA takeover you might as well say it was an Exim or an Apache takeover since it was running Exim and Apache as well.
 
Then I will have to take an extra step and delete them. It's bad enough I have to do it when installing CentOS.
 
Yes, but I meant by default!
Also maybe some default firewall rules, for people who don't know how to install them.
It's not easy, for several reasons.

DirectAdmin runs on several OS distributions, with different defaults and running different code and kernels. Firewalling is a good example, you firewall completely differently depending on whether you use Linux or FreeBSD.

Also, people use different partitioning schemes and mounting schemes.

And as Floyd points out, we all have different ideas of what we want to do for security.

Jeff
 
Exactly what do you have to delete from a default CentOS installation?

When we install CentOS we uncheck everything; then we install only what we want.

Jeff
 
I have to delete the firewall rules it enables by default. When booting for the first time after the install there is the Setup Agent screen. I turn off the firewall and selinux from there. Then reenable what I want and only what I want.
 
We set up the basic firewall to allow ssh, html, and secure html. We disable SELINUX. Both from the install.

If I recall correctly you can do that before the install begins, and that's where we do it.

We leave that firewall alone, but set up our own firewall to run last at boot. That overwrites whatever firewall is set up by default.

Jeff
 
I just don't want DA setting up a firewall too.

If an admin doesn't have enough sense to either set up a firewall or hire somebody to do it then he needs to turn his server off.
 