DA exploit Server Hacking Version 1.301

Marwen (Verified User; joined Nov 7, 2003; 141 messages; location: Germany)
Hello,
(sorry for my bad English, I will try to explain our heavy problem)

Last night 2 of our servers were hacked (after a reboot both servers are dead). :(
The cross-site-scripting code came from the "domain" (data: "cmd_user_stats") command.

The exploit is written up here:
http://www.tecchannel.de/sicherheit/news/481205/
(sorry, only a German description)

I think this link is the same:
http://secunia.com/advisories/25881/


At the moment we drop all connections on port 2222 on our other servers to secure them.

We recovered all hosting users from the dead servers onto another machine (I pray that this machine gets no attacks in the near future).

What can we do? Does anyone have a workaround for this heavy problem?



Greetings, Mario

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,919 messages)
These reports bug me.

A server cannot be hacked with this.
The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.

There is no security threat to your server.
This is a very low priority "security" hole.
I have it patched, but only to appease these benign reports.

These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.

If it were a major security issue, I would have had it fixed within a few hours.

John
 

Alain (Verified User; joined Sep 12, 2005; 10 messages; location: The Netherlands)
Hi John, thanks for your reply...! However, I think it would be a good idea if you would mention these things somewhere. So if a report like that shows up somewhere, you post a topic (or something like that) saying that it's nothing to worry about. When I see a post like the topic starter's here, all alarm bells start to ring here.
 

rldev (Verified User; joined May 26, 2004; 1,074 messages)
DirectAdmin Support said:
> These reports bug me.
>
> A server cannot be hacked with this.
> The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.
>
> There is no security threat to your server.
> This is a very low priority "security" hole.
> I have it patched, but only to appease these benign reports.
>
> These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.
>
> If it were a major security issue, I would have had it fixed within a few hours.
>
> John
Maybe address the user who was hacked and claims it was because of this exploit.
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,919 messages)
Good point.
Common causes of exploits are old libraries or software versions that are not updated. E.g. old openssl, apache, proftpd versions can be exploited. A kernel should also be updated.. a user with access to the server using an old kernel can in some cases gain root access. Also, it's recommended to mount /tmp with noexec,nosuid in your /etc/fstab (if /tmp is its own partition) so that any intrusion cannot run a script there. Installing mod_security into apache can also go a long way at filtering out bad requests.

John
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †; joined Jun 16, 2003; 26,119 messages; location: California)
On the subject of mod_security: I got a call today from the company that wrote it (you have to give them your contact information to download it); he asked me if I wanted to sell the commercial version ;) .

John, are you willing to make mod_security a part of the standard install? Complete with some standard rules?

Jeff
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,919 messages)
May not be a bad idea, assuming the rules are not too strict. I've had to debug many systems that had rules preventing their sites from working properly, and phpMyAdmin etc.. If smtalk is willing, it could be added to custombuild.

John
 

nobaloney (NoBaloney Internet Svcs - In Memoriam †; joined Jun 16, 2003; 26,119 messages; location: California)
DirectAdmin Support said:
> may not be a bad idea, assuming the rules are not too strict.
Which is why I'd like you to do it :) .

What about those of us who haven't switched to custombuild yet?

Jeff
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,919 messages)
I probably won't be doing much more with customapache, the custombuild will be phasing it out. Planning on having install time choices this release (I hope to anyway).

John
 

jlandes (Verified User; joined Dec 1, 2005; 624 messages; location: Lewistown, Pennsylvania, USA)
I have not switched from customapache to custombuild yet because of all of the issues that I see people posting about on this forum. Are all of these issues resolved or are they all user errors? John, are you saying that the next version of DA (possibly 1.302) will ship with custombuild instead of customapache? Is there any documentation yet on how to successfully configure and use the new custombuild system?
 

pucky (Verified User; joined Sep 9, 2006; 795 messages)
Didn't the original poster already state that two of his boxes were hacked?

Maybe I was imagining the post.
 

DirectAdmin Support (Administrator, Staff member; joined Feb 27, 2003; 8,919 messages)
Pucky, yes he did, no response from him as of yet for any more detail into that issue.

Jlandes, we will provide the option to use custombuild at install time. It won't be forced. We already have the option to use custombuild by typing:

touch /root/.custombuild

before running the setup.sh and it will install custombuild instead of customapache. The options will ask you during the setup.sh for what you want, and how you want it.

John
 

Marwen (Verified User; joined Nov 7, 2003; 141 messages; location: Germany)
DirectAdmin Support said:
> These reports bug me.
>
> A server cannot be hacked with this.
> The only thing that can happen is a valid User... (one who has access to the server already) can enter bad information into the form.. which will then allow him to run any javascript he wants in *HIS OWN* browser. What does this do? Nothing on your server. Nothing to your other users. It lets him run javascript on his own computer. He can only attack himself.
>
> There is no security threat to your server.
> This is a very low priority "security" hole.
> I have it patched, but only to appease these benign reports.
>
> These reports always fail to mention the fact that nothing bad can happen or that the User can only attack himself.
>
> If it were a major security issue, I would have had it fixed within a few hours.
>
> John
Hi John,

First, thank you for your fast answer.

The hacker has installed 3 different programs on my servers:
psscan, c41, mech (this is what I have found; it is possible that there are
more files / code)
(fast.tgz, hack.tgz, udp.pl) and so on.

He installed his own sshd, bash, httpd_server and so on.
He changed my sshd_config with the allowed_users, added his user
and added a user on the system.

Sorry, I think it is a bigger problem. :(
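
The indicators Marwen lists (an extra user on the system, an added entry in the sshd allow list, replaced binaries) and the hardening John recommends (/tmp mounted noexec,nosuid) can all be checked from a rescue shell with a few lines of POSIX sh. The script below is an added example, not code from this thread or from DirectAdmin. It runs against constructed sample copies of /etc/fstab, sshd_config and /etc/passwd embedded in the script (the devices, user names and the baseline user list are made up), and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or DirectAdmin): post-compromise checks
# for the indicators discussed above, run against constructed sample files.

# --- constructed samples, not real data ----------------------------------
SAMPLE_FSTAB='/dev/sda1 /     ext3 defaults 1 1
/dev/sda3 /tmp  ext3 defaults 1 2
/dev/sda2 swap  swap defaults 0 0'

HARDENED_FSTAB='/dev/sda1 /     ext3 defaults 1 1
/dev/sda3 /tmp  ext3 defaults,noexec,nosuid 1 2'

SAMPLE_SSHD_CONFIG='Port 22
PermitRootLogin no
AllowUsers admin backupop
# a second AllowUsers line of the kind described in the thread (constructed)
AllowUsers intruder'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:500:500::/home/admin:/bin/bash
toor:x:0:0::/root:/bin/bash
www:x:501:501::/home/www:/bin/bash'

# Accounts the administrator expects to exist (assumed baseline).
BASELINE_USERS='root admin www'

# has_opt OPT OPTLIST: true when OPT appears in a comma-separated mount option list
has_opt() {
    case ",$2," in
        *,"$1",*) return 0 ;;
        *) return 1 ;;
    esac
}

# tmp_mount_hardened FSTAB_TEXT: prints "ok" when the /tmp entry carries both
# noexec and nosuid, "missing" when it lacks one of them, and "none" when the
# fstab has no /tmp entry at all (i.e. /tmp is not its own partition)
tmp_mount_hardened() {
    opts=$(printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 == "/tmp" { print $4; exit }')
    if [ -z "$opts" ]; then
        echo none
    elif has_opt noexec "$opts" && has_opt nosuid "$opts"; then
        echo ok
    else
        echo missing
    fi
}

# unexpected_allowusers CONFIG_TEXT EXPECTED: prints every user named on any
# AllowUsers line (comment lines ignored) that is not in the EXPECTED list
unexpected_allowusers() {
    printf '%s\n' "$1" | awk -v expected="$2" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        /^[ \t]*#/ { next }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) if (!($i in ok)) print $i }'
}

# uid_zero_accounts PASSWD_TEXT: prints accounts other than root that have UID 0
uid_zero_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# new_accounts PASSWD_TEXT BASELINE: prints accounts absent from the baseline list
new_accounts() {
    printf '%s\n' "$1" | awk -F: -v baseline="$2" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        !($1 in known) { print $1 }'
}

# Report on the constructed samples when run stand-alone.
echo "/tmp mount options (sample fstab):   $(tmp_mount_hardened "$SAMPLE_FSTAB")"
echo "/tmp mount options (hardened fstab): $(tmp_mount_hardened "$HARDENED_FSTAB")"
echo "unexpected AllowUsers entries:       $(unexpected_allowusers "$SAMPLE_SSHD_CONFIG" 'admin backupop')"
echo "extra UID 0 accounts:                $(uid_zero_accounts "$SAMPLE_PASSWD")"
echo "accounts not in baseline:            $(new_accounts "$SAMPLE_PASSWD" "$BASELINE_USERS")"
```

On a real machine the sample variables would be replaced by the files read from the mounted disk (for example `"$(cat /mnt/etc/fstab)"` from a rescue system), since the tools on a compromised host cannot be trusted. The replaced sshd that Marwen describes is outside what this script checks; comparing installed binaries against the package manager's records (`rpm -V openssh-server` on RPM systems) is the usual way to spot that.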
 

Marwen (Verified User; joined Nov 7, 2003; 141 messages; location: Germany)
Hi John,

At the moment the servers are down and we have no chance to start them because the hacker has destroyed many system files.

We have backed up all users with a rescue system and transferred all users and IPs to a new machine. Then we stopped/blocked the DA interface on this server.
No problems since the transfer.

One machine I can start now remotely for you; on this machine the system
files are OK.

Please give me 10 min. I will add you a user and send you the data.

Thanks for your help.

Here is my ICQ number, 255640; I think it is faster to talk.
 