Huge bug in Directadmin

.klug (Verified User, joined Apr 3, 2011, 16 messages)
Hello,
Yesterday, all of the DA user accounts and databases on one of my servers were wiped from within DA using a secondary admin account that had been stolen with the help of a keylogger.

The wiping is not a huge problem, but the hacked admin account deleted the main admin account and its database (da_admin) within DirectAdmin. Who the heck thought that it is a good thing to allow this kind of delete by default? Another admin user deleting the main admin account and its database without anything to stop him is the worst idea ever. Now I am left with a bricked DA install and I can't even restore my user backups (a lot of clients lost, huge downtime because we don't have a full system backup), and there is no guide on how to reinsert the main DA admin user if it is deleted by someone (it shouldn't be allowed at all in the first place).

I was screwed by an amateur hacker because DA allowed the main admin account to be deleted by another admin user. I've spent over 10 hours on recovering the admin user and the da_admin database, but I can't log in to the panel no matter what I do. I've personalized my DA install heavily and reinstalling it is the last thing I want to do.

Would somebody mind helping me to reinstall the main DA user?
Everything else works except I don't have any DA admin accounts to log in with on my server because of this huge programming flaw.

Thank you.
You should wipe the server and install the OS and DA from scratch. I fail to see why this is a bug at all. Your password was hacked by a keylogger - what if the hacker had also got your server root password? Would you then call it a bug in your OS when the hacker logged in to your server as the root user, changed the root password and deleted everything? You should protect your da_admin password just as you would protect your server root password.
 
There is no such thing as a main admin account. It is just a default account. It is not needed to run directadmin at all. Maybe there needs to be some more security as admins are concerned such as a super administrator and more settings on what administrators can actually do. This is why it is a good idea to keep backups remotely.
 
Actually, at least in my case, the admin account kept most of the data and settings; if you delete it everything gets queer (databases like da_roundcube and da_phpmyadmin are deleted). I know that only the DA account was compromised because that was what was given to the person with the keylogger.
The bug is that you shouldn't be able to delete the admin account and the da_admin database. A lot of problems arise after it is deleted and it is a pain in the a$$ to fix them.

I'll reinstall my DA build hoping that everything will be like it was. I observed that the rule in DA is that you can delete all other admin accounts except the one you are logged in with; I checked the logs carefully and noticed that the hacker left the account which he used in place. This is the bug: you shouldn't be able to delete the first admin account. If I try to recreate the admin account with the account that was left, I can't assign IPs, I have to remake the da_admin database manually, all the admin profile settings got lost, and who knows what other bugs have probably arisen.
To forbid deleting the admin account from within DirectAdmin (for future reference) you might want to use the POST/PRE scripts, in this case user_destroy_pre.sh:

Code:
# cd /usr/local/directadmin/scripts/custom/
# touch user_destroy_pre.sh
# chown diradmin:diradmin user_destroy_pre.sh
# chmod 700 user_destroy_pre.sh

Open the script in editor and put the following content into it:

Code:
#!/bin/bash
# DirectAdmin runs this hook before an account is destroyed and exports the
# account name as $username. A non-zero exit aborts the deletion, and the
# echoed text is shown to the caller as the reason.

if [ "$username" = "admin" ]; then
   echo "You are not allowed to delete user $username"
   exit 1
fi

exit 0

I've checked it on my dev server, it gets triggered even if you try to delete admin account.
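A more general version of the same hook, added here as an example and not taken from the post above or from DirectAdmin's own scripts: it protects a configurable list of account names instead of only "admin", and records every blocked attempt in syslog so that a compromised secondary admin leaves a trace. The only DA-specific assumptions are the ones the post already relies on: DA exports the account being deleted as $username and aborts on a non-zero exit. The protected names are placeholders to edit.

```bash
#!/bin/bash
# /usr/local/directadmin/scripts/custom/user_destroy_pre.sh
# Added example, not DirectAdmin's own script. Assumes DA exports the
# account being deleted as $username and aborts the deletion when this
# hook exits non-zero (the echoed text is shown to the caller).

# Space-separated list of accounts that must never be deleted through DA.
# These names are placeholders for the example; put your real admin names here.
PROTECTED_ACCOUNTS="admin backupadmin"

# Return 0 if deleting "$1" may proceed, 1 if it must be blocked.
# Prints the reason on stdout, which DA displays to the caller.
destroy_allowed() {
    target="$1"
    for name in $PROTECTED_ACCOUNTS; do
        if [ "$target" = "$name" ]; then
            echo "Refusing to delete protected account '$target'"
            return 1
        fi
    done
    return 0
}

# Leave an audit trail in syslog for every blocked attempt. logger may be
# missing on a minimal box, so only call it when it exists.
log_blocked_attempt() {
    if command -v logger >/dev/null 2>&1; then
        logger -t directadmin-hook "blocked deletion of protected account '$1'"
    fi
}

# Only act when DA actually invoked us with a username; sourcing the file
# elsewhere (e.g. for testing) leaves $username unset and changes nothing.
if [ -n "${username:-}" ]; then
    if ! destroy_allowed "$username"; then
        log_blocked_attempt "$username"
        exit 1
    fi
fi
```

Install it with the same owner and mode as in the post (diradmin:diradmin, 0700). Note that, as John points out further down, this only stops deletion through DirectAdmin; someone who already holds root or the da_admin MySQL password is not affected by a DA hook.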
Is this an error?
Code:
 echo "You are now allowed to delete user $username";
Should "now" be replaced with "not"?

If not, then I'm confused :).

Jeff
 
Hello,

the admin account kept most of the data and settings, if you delete it everything gets queer (databases like da_roundcube, da_phpmyadmin are deleted).
Not correct.

To clarify, the "admin" account has no super mysql access.
"admin" does not have access to delete da_admin, to delete da_roundcube, or anything else.

If "admin" is deleted, apart from DA deleting any Users that were under "admin", which is normal behavior, it wouldn't touch the system databases like da_roundcube or the da_admin mysql account.

It's more likely they simply also got the da_admin password, and hurt it that way.

If you can't log in to MySQL through DA, and get an error on the databases page, this is the related guide to fix it:
http://help.directadmin.com/item.php?id=45

However, if they've already had access to your system, I wouldn't really trust it.


For the future, other handy tools for these types of issues:
1) brute force scanning and prevention:
http://help.directadmin.com/item.php?id=404

2) Using login_pre.sh to limit logins based on IPs or whatever criteria you want:
http://help.directadmin.com/item.php?id=384

Note, you can make it so only "admin" has an IP check, and other Users are not ip checked, just change the script as desired.

3) As mentioned "admin" is the default. You're welcome to create a 2nd Admin account with a different name, and delete the original "admin" account. This makes brute force attacks on "admin" pointless, as they're testing the wrong name.

4) More just with regards to general system security, less with this specific case:
http://help.directadmin.com/item.php?id=247

Hope this helps!

John
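One way to set up the login_pre.sh restriction John describes in point 2, where only "admin" gets an IP check and every other account logs in as before. This is an added example, not the script from the linked help article. It assumes DA exports the login name as $username and the client address as $ip when it runs the hook; check the hook documentation for your DA version. The allowed addresses are placeholders from the RFC 5737 documentation ranges.

```bash
#!/bin/bash
# /usr/local/directadmin/scripts/custom/login_pre.sh
# Added example, not DirectAdmin's script. Assumption: DA exports the login
# name as $username and the client address as $ip, and a non-zero exit
# rejects the login (the echoed text is shown to the caller).

# Accounts that get an IP check. Everyone else is not checked.
IP_CHECKED_USERS="admin"
# Allowed sources for the checked accounts. An entry ending in "." is a
# prefix (198.51.100. covers 198.51.100.0/24); anything else is an exact IP.
# Placeholder values from the RFC 5737 documentation ranges.
ALLOWED_IPS="203.0.113.10 198.51.100."

# Return 0 if address "$1" matches an ALLOWED_IPS entry, 1 otherwise.
ip_allowed() {
    for entry in $ALLOWED_IPS; do
        case "$entry" in
            *.) case "$1" in "$entry"*) return 0 ;; esac ;;
            *)  [ "$1" = "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# Return 0 if user "$1" may log in from address "$2", 1 if the login must
# be rejected. Accounts not listed in IP_CHECKED_USERS are always allowed.
login_allowed() {
    user="$1"
    src="$2"
    for checked in $IP_CHECKED_USERS; do
        if [ "$user" = "$checked" ]; then
            if ip_allowed "$src"; then
                return 0
            fi
            echo "Login for '$user' is not permitted from $src"
            return 1
        fi
    done
    return 0
}

# Only act when DA invoked us with a username; otherwise do nothing.
if [ -n "${username:-}" ]; then
    if ! login_allowed "$username" "${ip:-unknown}"; then
        if command -v logger >/dev/null 2>&1; then
            logger -t directadmin-hook "denied login for '$username' from ${ip:-unknown}"
        fi
        exit 1
    fi
fi
```

Keep the allowlist short and test it from a second session before logging out, since a typo in ALLOWED_IPS locks the checked account out of the panel. Combined with renaming the default "admin" account (point 3), a stolen password alone is no longer enough to reach the admin level from an arbitrary address.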