Hacking threat

max2000 (Verified User, joined Nov 7, 2004, 141 messages, location: Europe)
I am receiving insulting emails from a guy who managed to access one of my servers. He was able to see every customer account and access any data within this Unix server. I received a few emails from this guy and he certainly will use his knowledge to destroy my job.

This server uses DirectAdmin, I don't know how he managed to access everything. Maybe there is a problem with my configuration.

Thank you for your help!!!
 
Hey man,

I'm not exactly a security expert, but what you may want to do is this:

1. Change your passwords. All of them.
2. Back up everything to a secure location.
3. Hire someone to help you secure the thing. (maybe jsalman of nobaloney.net or Steve of rack911.com)

I hired Steve (since my knowledge on firewalls and anti-rootkit stuff and such is very limited), and from what I can see, he did a good job (at one point, I thought the server had crashed, but it turned out the firewall had blocked me because it thought I was a hacker, heh!)

Hope this helps. I'm not sure how knowledgeable you are when it comes to Linux / BSD, but since you came here, I'm guessing you're like me and you'll really need to hire someone to help you out. If something like this happened to me, I'd check the server logs first, but if I couldn't find out what was happening real fast, I'd sure as hell hire someone to find out for me.
 
One more thing: if the guy e-mailed you, you may want to try and track down his IP, and see if that matches against your server logs.
 
It's a good idea.

But he was able to send me really every account listed on this server. I don't know if he is able to modify these files, but he can see them. He can also read configuration files of forums and other portals hosted on the server. So he knows the MySQL passwords and other things he can use to do whatever he wants with my server. I don't know if this is an Apache or DirectAdmin problem.

Thank you for your concern.
 
max2000 said:
I don't know if this is an Apache or DirectAdmin problem.
It's a system security problem. He has somehow managed to break into your system. He may have compromised your system and you must assume he can get in and out at will and do anything he wants to do.

You should immediately install and run both the latest copy of chkrootkit and also of Rootkit Hunter.

Originally posted by roel
maybe jsalman of nobaloney.net
Roel spelled my handle wrong; I forgive him :).

I specialize in supporting DA installations on RHL and RHEL (and workalike) systems.

Jeff
 
Roel spelled my handle wrong; I forgive him :).
Duly noted. I blame my mistake on living in a country where certain memory-affecting substances are tolerated by the law. :)
 
Thank you for your help guys. This hacker can ruin my life if he deletes my customers' accounts. I founded a small and kind hosting service to finance my studies. Everything was OK before these emails. This hacker is really haunting me. I will do everything to block him.
 
Here is the kind of information he sent:

customer1:x:501:501::/home/customer1:/bin/false
customer2:x:502:502::/home/customer2:/bin/false
customer3:x:504:504::/home/customer3:/bin/false
customer4:x:505:505::/home/customer4:/bin/false

I replaced the logins he sent with customer(i).

Add to this some insults in every email...
 
If that's all he sent you, then he could have just logged in through anything which would give him access to the server; that's just a snippet from the /etc/passwd file, which is world readable.

My Private Message box was full but I just deleted everything.

However you'll reach me a lot more quickly with an email; my email address is in my sig at the bottom of each of my posts.

Jeff
 
My guess is that he doesn't have access to write/modify/delete files/directories other than his own, except directories with permission of xx7 (777) or files with xx6 (666), else he would have wiped your system clean already. He either:

- has a shell account, which allows him to read files that have permission of xx4 (usually 644) under directories that have permission of xx5 (usually 755);

OR

- has written a PHP or Perl script, so he can do everything that I just mentioned above plus:
  - have read access (possibly even write if it's xx7) on directories that are owned by apache as long as apache can execute that directory (1 = execute);
  - have read access (possibly even write if it's xx6) on files that are owned by apache as long as apache can read that file (4 = read).

So of course, reading usernames & passwords in forums' configuration files and /etc/passwd is not a problem at all.

If you do an ls -ld on ~username/domains/domainname/public_html, you'll see that the permissions look like this:
drwxr-x--- (710)
owned by username:apache
which means that apache can read and execute on that directory.

I wrote a PHP script a while ago that can do something similar: LinuxExplorer (for security reasons, it's just an image, but you get my point.)
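The permission walk described above (a customer's shell account versus a script running as apache, reading another customer's forum/config.php), as an added example that is not code from the thread or from DirectAdmin. The /home tree, uids, gids, customer and domain names, and the apache id 48 are all constructed assumptions:

```python
# Added example (not code from the thread or from DirectAdmin): a model of the
# Unix permission check the post describes, run over a constructed /home tree.
# uids/gids, customer names and domain names below are invented.
APACHE_UID, APACHE_GID = 48, 48  # assumed ids for the web-server user

# path -> (owner uid, group gid, mode)
TREE = {
    "/home": (0, 0, 0o755),
    # customer1 keeps the DA default: public_html is 750, group apache
    "/home/customer1": (501, 501, 0o711),
    "/home/customer1/domains": (501, 501, 0o711),
    "/home/customer1/domains/site1.invalid": (501, 501, 0o711),
    "/home/customer1/domains/site1.invalid/public_html": (501, APACHE_GID, 0o750),
    "/home/customer1/domains/site1.invalid/public_html/forum": (501, 501, 0o755),
    "/home/customer1/domains/site1.invalid/public_html/forum/config.php": (501, 501, 0o644),
    # customer2 loosened everything to 755/644 (public_html no longer group apache)
    "/home/customer2": (502, 502, 0o755),
    "/home/customer2/domains": (502, 502, 0o755),
    "/home/customer2/domains/site2.invalid": (502, 502, 0o755),
    "/home/customer2/domains/site2.invalid/public_html": (502, 502, 0o755),
    "/home/customer2/domains/site2.invalid/public_html/forum": (502, 502, 0o755),
    "/home/customer2/domains/site2.invalid/public_html/forum/config.php": (502, 502, 0o644),
}

def perm_bits(entry, uid, gids):
    """rwx bits that apply to this identity: owner, group, or 'other' (the xx4/xx5 of the post)."""
    owner, group, mode = entry
    if uid == 0:
        return 0o7  # root ignores mode bits
    if uid == owner:
        return (mode >> 6) & 0o7
    if group in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7

def can_read(tree, path, uid, gids):
    """True if every ancestor directory is searchable (x) and the file itself is readable (r)."""
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        parent = "/" + "/".join(parts[:depth])
        if not perm_bits(tree[parent], uid, gids) & 0o1:
            return False
    return bool(perm_bits(tree[path], uid, gids) & 0o4)

def readable_configs(tree, uid, gids):
    """Every config.php in the tree that the given identity could read."""
    return sorted(p for p in tree if p.endswith("config.php") and can_read(tree, p, uid, gids))
```

With this tree, a third customer's shell account (uid 504) reaches only customer2's config.php, while a script running as apache reaches both, because DA's 750 username:apache public_html blocks "other" but not the apache group.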
 
I had the same with a customer of mine, who used some cgitelnet script to access the server. He was able to see files with the right permissions, and thought he could also delete files, but luckily that was not true. So it's just the same as SSH access, but through a script. SSH is off for that client, but he is still able to see all files on the server.

Look here: http://www.rohitab.com/cgiscripts/cgitelnet.html

That's one more reason to get jailing to work on DA ASAP.
 
Thank you for your concern. There are good people on the internet too.

I found that this guy has two accounts under two different names on my server. I blocked both accounts and the SSH access for all my customers. SSH access is not necessary for the regular customer. No one even noticed that SSH is no longer available.

However, I got an email from this guy and he said that he never used SSH but a bad PHP config to access the files. Add to this, he was able to read the content of some files such as "forum/config.php". These files contain clear-text logins and passwords. Some customers use the same login/password pair for everything (ftp/forum/emails/admin...).

I hired Jeff from nobaloney.net. He is a nice guy and he does a good job for a more than reasonable price.

I have also begun communicating with my customers to ask them to stop using the same password for everything or placing sensitive information in MySQL or clear-text files.

As I am not competent on Unix systems security, I will hire Jeff every time I rent a new server. Security has no price!
 
Yep, reading this thread I was thinking it's the phpFileManager thing.

You should use open_basedir.

On all of our servers we edit the default DA conf files at the moment DA is installed, after we noticed this huge security hole a few months ago.

He can't delete anything on your system, only read files, and he has to have (or have access to) an account on your system.

For the future you should upgrade SSH, proftpd and phpMyAdmin.

They are all security threats, especially proftpd 1.2.9.
 
As was written in the thread mentioned above, open_basedir by itself is not enough to cover this PHP security hole.
 