DA exploit Server Hacking Version 1.301

[Marwen]

Hello,
(soory for my bad english i will try to explain our
heavy problem)

last night 2 of our server are hacked. (after a reboot both servers are
dead)
the Cross-Site-Scripting-code cames from the „domain“ (Data: „cmd_user_stats“). command.

the exploit is writen here:
http://www.tecchannel.de/sicherheit/news/481205/
(sorry only german discription)

i think this link is the same:
http://secunia.com/advisories/25881/


at the moment we drop all connection at port 2222 at our other servers to secure the server.

we recover all hosting users form the dead servers at an other maschine (i pray that this maschine have no attacks in the next time)

what can we do ? have anyone a workaround for this heavy problem ?



greetings Mario

 

[jackc]

please send email report this to support@directadmin.com

 

[Marwen]

thank you jackc.

mail is out !!

 

[demz]

WTF!

John / DA could you fix this like asap and bring out an patch!!!

 

[rldev]

http://securityreason.com/securityalert/830

 

[DirectAdmin Support]

These reports bug me.

A server cannot be hacked with this.
The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.

There is no security threat to your server.
This is a very low priority "security" hole.
I have it patched, but only to appease these benign reports.

These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.

If it were a major security issue, I would have had it fixed within a few hours.

John

 

[Alain]

Hi John, Thx for your reply...! However i think it would be a good idea if you would mention these things somewhere. So if a report like that show somewhere, you post a topic (or something like that) that it's nothing to worry about. When i see a post like the topicstarter here, all alarm-bells start to ring here.

 

[rldev]

These reports bug me.

A server cannot be hacked with this.
The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.

There is no security threat to your server.
This is a very low priority "security" hole.
I have it patched, but only to appease these benign reports.

These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.

If it were a major security issue, I would have had it fixed within a few hours.

John

Maybe address the user who was hacked and claims it was because of this exploit.

 

[DirectAdmin Support]

Good point.
Common causes of exploits are old libraries or software versions that are not updated. Eg: old openssl, apache, proftpd versions can be exploited. A kernel should also be updated.. a user with access to the server using an old kernel can in some cases gain root access. Also, it's recommended to mount /tmp with noexec,nosuid in your /etc/fstab (if /tmp is it's own partition) so that any intrution cannot run a script there. Installing mod_security into apache can also go a long way at filtering out bad requets.

John

 

[nobaloney]

On the subject of mod_security; I got a call today from the company that wrote it (you have to give them your content information to download it); he asked me if I wanted to sell the commercial version .

John, are you willing to make mod_security a part of the standard install? Complete with some standard rules?

Jeff

 

[DirectAdmin Support]

may not be a bad idea, assuming the rules are not too strict. I've had to debug many systems that had rules preventing their sites from working properly, and phpMyAdmin etc.. if smtalk is willing, it could be added to custombuild.

John

 

[nobaloney]

may not be a bad idea, assuming the rules are not too strict.

Which is why I'd like you to do it .

What about those of us who haven't switched to custombuild yet?

Jeff

 

[DirectAdmin Support]

I probably won't be doing much more with customapache, the custombuild will be phasing it out. Planning on having install time choices this release (I hope to anyway).

John

 

[jlandes]

I have not switched from customapache to custombuild yet because of all of the issues that I see people postng about on this forum. Are all of these issues resolved or are they all user errors? John, are you saying that the next version of DA (possibly 1.302) will ship with custombuild instead of customapache? Is there any documentation yet on how to successfully confgure and use the new custombuild system?

 

[pucky]

Didnt the origional poster already state that two of his boxes was hacked?

Maybe i was imaging the post.

 

[DirectAdmin Support]

Pucky, yes he did, no response from him as of yet for any more detail into that issue.

Jlandes, we will provide the option to use custombuild at install time. It won't be forced. We already have the option to use custombuild by typing:

touch /root/.custombuild

before running the setup.sh and it will install custombuild instead of customapache. The options will ask you during the setup.sh for what you want, and how you want it.

John

 

[Marwen]

These reports bug me.

A server cannot be hacked with this.
The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.

There is no security threat to your server.
This is a very low priority "security" hole.
I have it patched, but only to appease these benign reports.

These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.

If it were a major security issue, I would have had it fixed within a few hours.

John

Hi John,

first thank you for your fast answer.

The Hacker has Installed 3 different programms on my servers.
psscan, c41, mech (this is wat i have found it is possible that there are
more files / code)
(fast.tgz, hack.tgz udp.pl) aso.

He installed his own sshd, bash httpd_server aso.
he change my sshd_config with the allowed_users add his user
and add a user on the system.

sorry, i think it is a bigger problem.

 

[DirectAdmin Support]

If you'd like us to take a look at your system to try and determine how he got in, send us an email.
https://www.directadmin.com/clients/safesubmit.php
Include an approximate time you think he got in so I have some basis to try and figure out when he got in via the logs etc..

John

 

[Marwen]

Hi John,

at the moment the servers are down and we have no chance to start the server because the hacker have destroy many system files.

we have backup alle users with an rescue system and transfer all users and ips to an new maschine. then we stop/block the DA interface at this server.
no problems since the transfer.

one maschine i can start now remote for you on this maschine the system
files are ok.

please give me 10 min. i add you an user an sent you the data.

thanks for your help.

here my icq nummer 255640, i think it is faster to talk.

 

[Marwen]

server is up and data sent.