HACKED BY kaMtiEz - INDONESIANCODER TEAM @2010

soulshepard (Verified User, joined Feb 7, 2008):
Unfortunately I was the victim of a massive deface attack on one of my servers.
I am currently restoring a backup on another server.

Can anyone help me brainstorm what to do to eliminate this threat
and the risk that this will happen again?

He was quite good at removing the log files and at running code as apache from /tmp and other folders.

(I know I had it mounted with noexec etc. in the past, but I guess this was disabled somewhere along the line.)

He used files like 3xp and /target suidshell, /kabus and kis.sh.

I guess this was triggered by an upload through FCKeditor / Joomla, an old WordPress or osCommerce thing.

Would re-securing my temp help anyway?
I guess the following is on my to-do list:

- make sure all home folders don't have the user apache:apache
- make sure that folders have no +x or sticky bits on them
- kill unknown processes faster from a cron?
- remount a new temp with nosuid, noexec?

What's next?

- make sure the server is fully updated with DirectAdmin and custom scripts
- disable all old Joomla sites? Scan/check for all the old FCKeditors?
- I use php_cli... or better try php_cgi?

Any help is welcome, thanks in advance.
soul :(:(
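Example code added here (not from the thread or from DirectAdmin) that turns the checklist above into something runnable: a POSIX shell audit that checks whether /tmp is a separate mount carrying nosuid and noexec, lists processes whose binary lives in /tmp, /var/tmp or /dev/shm, and finds setuid/setgid, world-writable or apache-owned files under the home directories. It assumes a Linux host with /proc and a web server user named apache; the function names are mine.

```shell
#!/bin/sh
# Post-deface audit helpers. Added example, not code from the thread.
# Assumptions: Linux with /proc, web server user "apache", and a shell
# with awk/find/readlink. Functions take paths so they can be pointed at
# the live system (/proc/mounts, /proc, /home) or at constructed samples.

# tmp_mount_ok MOUNTS_FILE MOUNTPOINT
# Returns 0 only if MOUNTPOINT is its own mount entry carrying BOTH
# nosuid and noexec; a /tmp that is just a directory on / returns 1.
tmp_mount_ok() {
    mounts="$1"; mp="$2"
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }' "$mounts" | tail -n 1)
    [ -n "$opts" ] || return 1
    case ",$opts," in *,nosuid,*) ;; *) return 1 ;; esac
    case ",$opts," in *,noexec,*) ;; *) return 1 ;; esac
    return 0
}

# procs_from_tmp [PROC_ROOT]
# Prints "pid exe" for every process whose binary lives in a scratch
# directory (the "running code as apache from /tmp" pattern). A binary
# that was unlinked after launch still shows up, with " (deleted)".
procs_from_tmp() {
    root="${1:-/proc}"
    for p in "$root"/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            /tmp/*|/var/tmp/*|/dev/shm/*) echo "${p##*/} $exe" ;;
        esac
    done
}

# find_suspect_files ROOT [OWNER]
# Lists setuid, setgid and world-writable regular files under ROOT, plus
# anything owned by OWNER when that account exists (e.g. apache-owned
# files dropped into customers' home directories).
find_suspect_files() {
    root="$1"; owner="${2:-}"
    if [ -n "$owner" ] && id "$owner" >/dev/null 2>&1; then
        find "$root" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 -o -user "$owner" \) 2>/dev/null
    else
        find "$root" -type f \( -perm -4000 -o -perm -2000 -o -perm -0002 \) 2>/dev/null
    fi
}

# Live audit, only when run as "sh audit.sh --live", so that sourcing the
# file for its functions has no side effects.
if [ "${1:-}" = "--live" ]; then
    if tmp_mount_ok /proc/mounts /tmp; then
        echo "OK   /tmp is a separate mount with nosuid,noexec"
    else
        echo "WARN /tmp is not a nosuid,noexec mount"
    fi
    echo "--- processes running from scratch directories:"
    procs_from_tmp
    echo "--- suspect files under /home:"
    find_suspect_files /home apache
fi
```

Run it as `sh audit.sh --live` on the box; the functions can also be pointed at a saved copy of /proc/mounts or a /proc tree from the compromised server. An attacker who already has root can hide from all of this (and, as is noted later in the thread, wiped logs point that way), so treat it as a hygiene check rather than proof that the system is clean.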
 
- make sure all home folders don't have the user apache:apache
- make sure that folders have no +x or sticky bits on them
- kill unknown processes faster from a cron?
- remount a new temp with nosuid, noexec?
I'd definitely remount /tmp as a partition, nosuid, noexec.
- make sure the server is fully updated with DirectAdmin and custom scripts
Definitely.
- disable all old Joomla sites?
Make sure all your CMS systems are up to date. If your client is responsible and isn't updating after being warned, you may need to lose the client.
Scan/check for all the old FCKeditors?
Again, make sure it's up to date. Or disable it, and/or you may need to lose the client.
I use php_cli... or better try php_cgi?
Yes (though it uses more server resources), or mod_ruid (search these forums).

Hopefully your Terms of Service hold your clients responsible for exploits in the software they install (even if they install it from Installatron or Softaculous).

Jeff
 
jlasman and tomtom901, thanks for your replies and support.

As an extra I also disabled more PHP functions after I applied (./build secure_php) from the custom scripts.

I will definitely look into mod_ruid and more options to move to a more secure platform.

jlasman: Terms of Service, yes, but it's still never a nice thing to tell the client that the downtime, restoring and changing all the nameserver records will take at least a working day. :(

tomtom901: I have sent you a mail, thx.
 
Just set a TOS which allows you to charge them for the time it takes if they don't keep their software updated... unless they pay you a monthly maintenance fee (which may, and usually should, be more expensive than the hosting) to do it for them.

Jeff
 
I was also hacked by them yesterday

Hi,

I was also hacked by them yesterday evening, and all of my /var/log is gone.

How can I protect against this happening again?
Securing /tmp with nosuid,noexec, is that enough?

Sorry for my English.
Bright
 
If your logs have been deleted then the hacker had root access, and a complete server rebuild is indicated.

Jeff
 
I would suggest that soulshepard use these things:

nosuid,noexec on /tmp
symlink from /var/tmp to /tmp
php_cli with mod_ruid2 (check the forum, there is an easy how-to)
suhosin patch for PHP (also in this forum, search update.script)
nobodycheck (same, in update.script)
clamav (as before)
proftpd with clamav mod (same update.script)

And kiss or csf firewall (I use csf, but you can choose whatever you want/prefer).

Regards
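Added example, not from the thread: the /tmp and PHP items from the list above (and from the earlier remarks about remounting /tmp and applying ./build secure_php) as a shell script. It assumes /tmp is, or will be, its own mount, that /var/tmp becomes a symlink to /tmp as suggested, a php.ini at /usr/local/lib/php.ini (an assumed path), and the function names are mine. mod_ruid2, suhosin, clamav, nobodycheck and csf are installed through the forum how-tos referred to above and are not covered here.

```shell
#!/bin/sh
# Scratch-space and PHP hardening helpers. Added example, not code from
# the thread. Assumptions: Linux, /tmp mounted nosuid,noexec,nodev (tmpfs
# or its own partition), /var/tmp made a symlink to /tmp as the post
# suggests, PHP configured through a php.ini whose default path below is
# an assumption, and function and file names that are my own.

# tmp_fstab_line DEVICE [FSTYPE]
# The /etc/fstab entry for a hardened /tmp, e.g. "tmpfs" or "/dev/sda3 ext4".
tmp_fstab_line() {
    printf '%s /tmp %s defaults,nosuid,noexec,nodev 0 0\n' "$1" "${2:-tmpfs}"
}

# verify_noexec DIR
# Drops an executable script into DIR and tries to run it directly.
# 0 = execution blocked (noexec works), 1 = it ran, 2 = could not write.
# What this does NOT prove: "sh /tmp/x" or "php /tmp/x.php" still runs,
# because the interpreter, not the file, is what gets executed.
verify_noexec() {
    dir="$1"; probe="$dir/.noexec-probe.$$"
    { printf '#!/bin/sh\nexit 0\n' > "$probe" && chmod 755 "$probe"; } || return 2
    if "$probe" 2>/dev/null; then
        rm -f "$probe"; return 1
    fi
    rm -f "$probe"; return 0
}

# php_missing_disables PHP_INI
# Prints each function from the list below that is absent from
# disable_functions, so the result of "./build secure_php" plus any
# manual additions can be checked instead of trusted.
php_missing_disables() {
    ini="$1"
    want="exec passthru shell_exec system proc_open popen pcntl_exec"
    have=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tail -n 1 | tr ',' ' ')
    for f in $want; do
        case " $have " in
            *" $f "*) ;;
            *) echo "$f" ;;
        esac
    done
}

# harden_tmp  (root only; run as "sh harden.sh --apply")
# Remounts an existing /tmp mount with the restrictive options, points
# /var/tmp at it, and verifies the result. The fstab line still has to be
# added by hand so the settings survive a reboot.
harden_tmp() {
    mount -o remount,nosuid,noexec,nodev /tmp || return 1
    if [ ! -L /var/tmp ]; then
        mv /var/tmp /var/tmp.old && ln -s /tmp /var/tmp
    fi
    if verify_noexec /tmp; then
        echo "OK   /tmp is noexec"
    else
        echo "WARN /tmp still executes files"
    fi
    echo "fstab line to add: $(tmp_fstab_line tmpfs)"
}

if [ "${1:-}" = "--apply" ]; then
    harden_tmp
    echo "PHP functions still enabled:"
    php_missing_disables "${PHP_INI:-/usr/local/lib/php.ini}"   # assumed path
fi
```

The fstab line is what keeps the options across reboots; harden_tmp only changes the running system, and the remount fails if /tmp is not already its own mount. verify_noexec also shows the limit of noexec: a dropped script such as kis.sh can no longer be run directly, but `sh /tmp/kis.sh` or `php /tmp/shell.php` still works, which is why the disable_functions check and a per-user PHP (mod_ruid2) belong on the same list.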
 