Single site hacked, no other services or sites affected

rszkutak (Verified User; joined Dec 22, 2003; 173 messages; location: Scottsdale, AZ & Clam Gulch, AK)
We have one site on our server that was hacked or something. It was used in a "phishing" scheme; we were alerted to this each time by different security orgs that do this sort of thing for clients like Bank of America, Chase, Washington Mutual, and so on.

Initially it was WM that had a phishing site there; the pages were basic PHP, so we removed them and moved on. Within a few hours it came back again; once again we removed them and looked deeper into the site. Once again, hacked. This time we disabled the site, removed everything from it and re-enabled it. Finally it got hacked the last time, and we disabled it and re-routed DNS to 192.168.1.1 which as we know will go nowhere fast.

We have changed all admin account passwords, the ROOT PW, and the DA admin & reseller passwords, yet it still got "compromised".

Any thoughts as to where I can look, or what I can do here to get this rolling again?

thanks,
Rob
 
Check this?

1. Is the website you're talking about, where they came in, still vulnerable?
2. Backdoors? Check your /tmp, run some rootkit scanners, check your apache logs... check your processes for strange things... check your connections: 'netstat' is your friend... check all...
3. If you're unsure about number 2: backup and reinstall :)
 
We got a similar report today, Rob. One of the advantages of Level3 is they monitor this sort of thing and they let us know right away.

Better than 99% of the time it's a local (site) vulnerability.

After checking with chkrootkit and rkhunter we just suspend the site. And let the client know they're responsible for fixing the problem. Here's the text of the form email we use for resellers; the one for our users is similar:
To Whom It May Concern:

We've been made aware of a Terms of Service violation by one of
your clients: USERNAME : EXAMPLE.com

It has come to our attention that you are hosting a fraudulent "phish"
website that is attempting to steal account information from customers
of xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

The URL of the fraudulent site is as follows:

http://xxxxxxxxxxxxxxxxxxxxxxx

The IP address hosting this phish is x.xx.xxx.xxx

Because of the severity of this issue we've suspended the site under
our Terms of Service.

Please do NOT unsuspend this site until:

a) The phish site included in this site has been removed

b) Software on this site has been updated to remove any vector that
could have been used to compromise the site.

c) You've notified us of steps taken to secure the site.

If you unsuspend this site before following the steps above we will
suspend your entire account until the issues are cleared.

Note that this site has been run as Safe Mode OFF Open BaseDir OFF.
To assure a minimal level of security we have turned Safe Mode and
Open BaseDir On. We will not turn either Safe Mode or Open BaseDir
Off again for this site until we've reviewed your steps taken to
secure the site's underlying software and agree that the site is now
secure.
Jeff
 
Jeff,
As always, thanks for your response here... Since this site is managed by a good friend of mine, I want to offer some guidance to him here as to what to look for or not to look for.

He is a Joomla fanatic, so I speculate that there might be something there causing this issue. He indicated he updated Joomla and all the other apps he uses there but still got re-hacked within hours.

Can you give me some direction to go here?


Thanks,
R
 
I can tell you it's most likely a Joomla issue; my client with the problem (it's happened before) uses Joomla almost exclusively. It's possible there's some kind of exploit in the Joomla database already (or somewhere in the codeset) that lets it come back; I'm not a Joomla guy, and I have no idea.

I can also tell you that Joomla appears to my inexperienced eyes to be incredibly insecure.

Unfortunately I can't tell you anything else.

My reseller hasn't contacted me back yet; his site is still suspended.

Jeff
 
I had phishing sites on my server too :(

The first site hacked was a phpbb modified script. I disabled that site, and the customer went further with vbulletin.

But I noticed that there were browse scripts uploaded. With these scripts I could explore all files on the server.

As long as a customer makes a directory world-writable and -readable and has a script where his visitors can upload files (even .jpg or .gif), it can be used by a hacker. I was told that a .gif file can contain PHP code where normally the EXIF info is. It will be executed by PHP.
 
There are many phishing scripts, such as C99shell.php and r57shell, which provide a shell-like prompt that lets a hacker execute PHP code interactively.

With these scripts a hacker can execute arbitrary shell commands or browse the file system on your server. Hackers can also use such scripts for transferring malicious files as images or as compressed files, unpack and then run them on your Web server. There are several ways to de-activate these scripts, if they were/are uploaded to your server. In addition, your best option is to find these scripts and completely remove them from your server.
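As an added example (not code from the thread or from any of the posters), a small Python scanner for the two things the posts above describe: image uploads that carry PHP code where the EXIF data would be, and shell scripts of the c99/r57 kind dropped into world-writable directories. The signatures are assumptions chosen for this example, so treat hits as leads for manual review rather than proof.

```python
import os
import re

# Constructed signatures, assumed for this example (not from the thread):
# strings typical of the c99/r57 shell family named above, the generic
# eval-of-a-decoded-blob construct, and a command function fed straight
# from the request.
SHELL_SIGNATURES = [
    ("c99shell", re.compile(rb"c99shell", re.I)),
    ("r57shell", re.compile(rb"r57shell", re.I)),
    ("eval-decoded-blob",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")),
    ("cmd-from-request",
     re.compile(rb"\b(system|passthru|shell_exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST)")),
]
PHP_TAG = re.compile(rb"<\?php|<\?=")
IMAGE_EXT = {".gif", ".jpg", ".jpeg", ".png"}

def scan_bytes(name, data):
    """Return the findings for one file's content (empty list if clean)."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    # An "image" that carries a PHP open tag (e.g. in its EXIF or comment
    # area) is the polyglot upload the earlier post describes.
    if ext in IMAGE_EXT and PHP_TAG.search(data):
        findings.append("php-tag-in-image")
    for label, sig in SHELL_SIGNATURES:
        if sig.search(data):
            findings.append("shell:" + label)
    return findings

def scan_tree(root):
    """Walk a docroot; report (path, findings, dir_is_world_writable)."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        world_writable = bool(os.stat(dirpath).st_mode & 0o002)
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2 * 1024 * 1024)  # first 2 MiB is plenty
            except OSError:
                continue
            findings = scan_bytes(fn, data)
            if findings:
                report.append((path, findings, world_writable))
    return report

if __name__ == "__main__":
    import sys
    for path, findings, ww in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, ",".join(findings), "WORLD-WRITABLE-DIR" if ww else "")
```

Run it from cron against each docroot and mail the output; the world-writable flag points at the upload directories the post warns about.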
 
Andy,

Are you going to give us a list of scripts so we can start running cronjob searches?

Thanks.

Jeff
 
hehe

the last phishing site looked like
mailform.php
index.php
style.css
in the directory named pet

searching for these files isn't what you want :D

other phishing sites I encountered on my servers had names like boa (bank of america) and with www.bankofmontreal.com.script.php.. those are better to find.

Just that our uplink provider is warning us that if we have this too often he will shut down our line :S
 
I was hoping Andy would give us some names; he appears to be more knowledgeable than some of us.

Generally upstream providers are reasonable if you delete the problem scripts as soon as you find out about them.

Are your default php settings safe (safe_mode on, etc.)?

Do all your users run up-to-date scripts?

Jeff
 
Are you referring to a script or scripts(s) that scan the server for phishing scripts? If yes, the scripts we are using belong to ServerTune and not something I can share or give away. Unfortunately it is not my call :o

I suggest you use the following Mod Security rules:
Code:
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
SecFilterSelective HTTP_Transfer-Encoding "!^$"

# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "

# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"

# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"

# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"

# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"

# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"

# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."

# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"

# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"

# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"

# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"

# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"

# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass

# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"

# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"

# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"

# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"

# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"

# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"

# Require HTTP_USER_AGENT and HTTP_HOST in all requests
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Known web shell file names requested directly
SecFilterSelective REQUEST_URI "/c99shell\.txt"
SecFilterSelective REQUEST_URI "/c99\.txt\?"

# If you have Joomla, this one prevents many remote shell and deface script includes
SecFilter "mosConfig_"

# This can prevent some dangerous things these shells do:
SecFilterSelective POST_PAYLOAD|REQUEST_URI "<\?php (chr|fwrite|fopen|system|echr|passthru|popen|proc_open|shell_exec|exec|proc_nice|proc_terminate|proc_get_status|proc_close|pfsockopen|leak|apache_child_terminate|posix_kill|posix_mkfifo|posix_setpgid|posix_setsid|posix_setuid|phpinfo)\(.*\)\;"

Edit php.ini and disable these functions (disable_functions):
Code:
show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open

One more time, securing and hardening a server is more than just installing XYZ firewall and/or applications. Hope this helps!
 
Hello,

I'm also having issues with sites hacked, and this is what I noticed in the logs:

Code:
203.210.207.236 - - [28/Jun/2010:10:01:41 +0200] "GET /includes/PEAR/fx29id2.txt HTTP/1.1" 200 2474 "-" "-"
203.210.207.236 - - [28/Jun/2010:10:01:47 +0200] "GET /includes/PEAR/fx29id2.txt HTTP/1.1" 200 2474 "-" "-"
203.210.207.236 - - [28/Jun/2010:10:01:47 +0200] "GET /includes/PEAR/fx29id1.txt HTTP/1.1" 200 330 "-" "-"
203.210.207.236 - - [28/Jun/2010:10:01:58 +0200] "GET /includes/PEAR/fx29id1.txt HTTP/1.1" 200 386 "-" "-"
203.210.207.236 - - [28/Jun/2010:10:06:17 +0200] "GET /includes/PEAR/fx29id1.txt HTTP/1.1" 200 386 "-" "-"
203.210.207.236 - - [28/Jun/2010:10:06:18 +0200] "GET /includes/PEAR/fx29id1.txt HTTP/1.1" 200 330 "-" "-"
193.2.1.232 - - [28/Jun/2010:10:15:17 +0200] "GET /includes/PEAR/sh.txt HTTP/1.0" 304 210 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70 Safari/533.4"
193.2.1.232 - - [28/Jun/2010:10:15:17 +0200] "GET /favicon.ico HTTP/1.0" 404 599 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70 Safari/533.4"
212.29.138.28 - - [28/Jun/2010:10:36:19 +0200] "GET /includes/PEAR/dds.txt??&modez=botz HTTP/1.0" 200 24092 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
212.29.138.28 - - [28/Jun/2010:10:36:19 +0200] "GET /includes/PEAR/dds.txt??&modez=psybnc HTTP/1.0" 200 24092 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
212.29.138.28 - - [28/Jun/2010:10:36:20 +0200] "GET /includes/PEAR/dds.txt??&modez=scannerz HTTP/1.0" 200 24092 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
212.29.138.28 - - [28/Jun/2010:10:36:20 +0200] "GET /includes/PEAR/dds.txt??&modez=shellz HTTP/1.0" 200 24092 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
212.29.138.28 - - [28/Jun/2010:10:36:21 +0200] "GET /includes/PEAR/fx29id1.txt??? HTTP/1.0" 200 349 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
212.29.138.28 - - [28/Jun/2010:10:36:21 +0200] "GET /includes/PEAR/fx29id2.txt???? HTTP/1.0" 200 2437 "-" "Mozilla/4.0 (compatible; MSIE 6.0"

Any way to disallow this in the PHP config? What do you suggest?
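As an added example (not from the thread), a Python triage script for the kind of access log quoted above: it parses Apache combined-format lines and flags the pattern visible there, namely .txt files served (200 or 304) out of a code directory such as /includes/, query strings that are nothing but stray '?' and '&' characters, and requests with an empty User-Agent. The embedded log is constructed with documentation IP addresses; the file names mirror the ones in the post.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the lines quoted above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation IPs; file names as in the post).
SAMPLE_LOG = """\
192.0.2.10 - - [28/Jun/2010:10:01:41 +0200] "GET /includes/PEAR/fx29id2.txt HTTP/1.1" 200 2474 "-" "-"
192.0.2.10 - - [28/Jun/2010:10:01:47 +0200] "GET /includes/PEAR/fx29id1.txt HTTP/1.1" 200 330 "-" "-"
198.51.100.7 - - [28/Jun/2010:10:15:17 +0200] "GET /includes/PEAR/sh.txt HTTP/1.0" 304 210 "-" "Mozilla/5.0 (Windows)"
198.51.100.7 - - [28/Jun/2010:10:15:17 +0200] "GET /favicon.ico HTTP/1.0" 404 599 "-" "Mozilla/5.0 (Windows)"
203.0.113.5 - - [28/Jun/2010:10:36:19 +0200] "GET /includes/PEAR/dds.txt??&modez=botz HTTP/1.0" 200 24092 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
203.0.113.5 - - [28/Jun/2010:10:36:21 +0200] "GET /includes/PEAR/fx29id1.txt??? HTTP/1.0" 200 349 "-" "Mozilla/4.0 (compatible; MSIE 6.0"
""".splitlines()

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def suspicious(rec):
    """Return the reasons a request looks like shell staging (empty list if none)."""
    reasons = []
    path, _, query = rec["target"].partition("?")
    # A .txt under a code directory that the server actually served (200,
    # or 304 because the client already had it) is how the shells above were pulled.
    if rec["status"] in ("200", "304") and path.lower().endswith(".txt") and "/includes/" in path:
        reasons.append("txt-in-code-dir")
    # Query strings that begin with another '?' or a bare '&' are not what browsers send.
    if query.startswith("?") or query.startswith("&"):
        reasons.append("malformed-query")
    if rec["ua"] in ("-", ""):
        reasons.append("empty-user-agent")
    return reasons

def triage(lines):
    """Group suspicious hits by client IP -> {reason: count}."""
    by_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in suspicious(rec):
            by_ip[rec["ip"]][reason] += 1
    return {ip: dict(counts) for ip, counts in by_ip.items()}

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE_LOG).items():
        print(ip, counts)
```

Feed it the real access_log instead of SAMPLE_LOG; every flagged path is a file to pull from the docroot and inspect, and every flagged IP is a candidate for the firewall.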
 
When you open a topic that has been stagnant for almost 3 years what do you really expect?
 