I was regrettably hacked.

kotel (Verified User; joined Sep 15, 2006; 35 messages; location: Russia)
I have recently been broken into. But how, I don't know. Server:
Apache 2.2.6 (mod_ssl/2.2.6 OpenSSL/0.9.8g PHP/5.2.4)
DirectAdmin
Exim 4.68
MySQL 5.0.45
Named 9.3.3
ProFTPd 1.3.0a
sshd
dovecot 1.0.7

open_basedir = on
safe_mode = off
PHP as module.
Judging from the logs, they did not get the root password, but were able to make use of root's privileges.

Where is the vulnerable place?
 
No... I found a Perl exploit. But I don't understand which vulnerability he used.
 
OS:FreeBSD 6.2
DirectAdmin: 1.30.1


You should probably have hired a server consulting company to lock down your server if you don't have the knowledge to do it yourself. This is the very first thing that should be done before you ever go online. The problem is, too many people buy servers without any kind of knowledge of how to manage and secure them, and then they wonder why.
 
I have recently been broken into. But how, I don't know. Server:
Where is the vulnerable place?
You just can't limit vulnerability to scripts. There are many ways to hack a server; just to mention a few: through vulnerable scripts (including PHP, CGI/Perl, bash, JavaScript, and C), rootkits, weak passwords, open ports, or server applications and services such as the kernel or Apache.

It is nearly impossible to be certain that a system hasn't been compromised; if the system is online and running, and if the intruder was any good, it will be completely impossible to determine that a system has been hacked without first taking it offline.

This is in no small part due to the prevalence of "rootkits," replacement system binaries that hide the signs of a compromised system from its users.

I suggest you use the chkrootkit and rkhunter applications to examine binaries for signatures of known rootkits, much like virus scanners search for signatures of known viruses.

If you are not very comfortable with Linux, you can seek professional help.
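The signature check andyreed describes has a simpler cousin that any administrator can run without extra tools: record a hash of every file in a trusted state and compare against it later, which is also how rkhunter's file-property checks and tools like AIDE work. The script below is an added example written for this thread, not code from chkrootkit, rkhunter or any poster; the directory it scans is a placeholder standing in for /bin, /usr/sbin or wherever the suspect binaries live. The caveat from the posts above still applies: a baseline taken after the compromise only confirms the rootkit, and a kernel-level rootkit can lie to any userland hashing tool, which is why an offline comparison from clean media is the only conclusive check.

```shell
#!/bin/sh
# File-integrity baseline: "hash<TAB>path" for every regular file under a
# directory, recorded while the system is trusted, then re-verified later.
# Added example, not code from this thread; directories are placeholders.

# Pick a SHA-256 tool: sha256sum (GNU/Linux), sha256 (FreeBSD) or shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_baseline DIR MANIFEST: hash every regular file under DIR.
# Take this from a fresh install or known-good media, never from a box
# you already suspect, and keep the manifest off the host (or read-only).
build_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# verify_baseline DIR MANIFEST: print MODIFIED/MISSING/NEW lines.
# Returns 0 when DIR matches the manifest exactly, 1 on any difference.
verify_baseline() {
    dir=$1 manifest=$2 rc=0
    # Pass 1: every manifest entry must still exist with the same hash.
    while IFS="$(printf '\t')" read -r h f; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1
        elif [ "$(hash_file "$f")" != "$h" ]; then
            echo "MODIFIED $f"; rc=1
        fi
    done < "$manifest"
    # Pass 2: every file on disk must appear in the manifest (exact path
    # match on field 2, so /bin/ls does not "cover" /bin/lsof).
    new=$(find "$dir" -type f | while IFS= read -r f; do
        awk -F'\t' -v p="$f" '$2 == p { found = 1 } END { exit found ? 0 : 1 }' "$manifest" \
            || echo "NEW      $f"
    done)
    if [ -n "$new" ]; then
        echo "$new"; rc=1
    fi
    return $rc
}

# Constructed demonstration on a throwaway directory (stands in for /bin).
demo=$(mktemp -d)
echo "original ls"   > "$demo/ls"
echo "original ps"   > "$demo/ps"
build_baseline "$demo" "$demo.manifest"
echo "trojaned ps"   > "$demo/ps"      # simulated replaced binary
echo "dropped file"  > "$demo/.hidden" # simulated new file
verify_baseline "$demo" "$demo.manifest" || echo "baseline differs: investigate offline"
rm -rf "$demo" "$demo.manifest"
```

Run `build_baseline /bin /root/bin.manifest` once from a known-good state and `verify_baseline /bin /root/bin.manifest` from cron or by hand; a MODIFIED line on ls, ps, netstat or login is exactly the "replacement system binaries" pattern the thread describes.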
 

With all due respect; have you ever been on the dark side?
I was referring to the situation where the services are secure and the "what else could have been vulnerable?" case...

A rootkit a vulnerability? lol, do you even know what a rootkit is?
You don't hack with a rootkit, you install it after the hack (loose ends); if it's included in an exploit it would be called an autorooter/worm or whatever else they call it these days... but even then it gets exploited before the rootkit install...

You're talking about a vulnerable kernel... hmmz, ever heard of a hacker doing a remote hack... on a kernel?? hahaha
Kernel hacks are done locally, yes, through nobody accounts (exploits; reminds me of the wu-ftpd sploit...) or scripts that spawn a shell... reminds me of one of the first PHP include bugs :)

The fact that binaries get replaced is indeed true, but watch your network connections and filter your input/output; sure, there are 65,000 ways to come in, but I referred to the case where the services were secure...
 
If you are not very comfortable with Linux, you can seek professional help.

You maybe? :rolleyes:
 
Thanks to all!
Writable /tmp
Yes! It is!
I have found all the exploits and other malware files in tmp.....

I solved this problem:
I edited my.cnf and moved mysql.sock.
chmod -R 666 tmp/
End.
 
Hmmm... can a system do anything if /tmp isn't writable?

BTW, andyreed, he's using BSD; I doubt Linux experience is going to help him ;).

Jeff
 
PHP isn't all that writes to /tmp, but it'll be the most obvious problem, as that's where PHP puts the session files if you don't tell it to put them elsewhere.

Jeff
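The exchange above turns on three properties of /tmp: it is world-writable by design, `chmod -R 666` strips the execute (search) bits and so leaves the directory untraversable (Jeff's "can a system do anything" question), and PHP drops its `sess_*` files there whenever `session.save_path` is unset. The audit below is an added example written for this thread, not any poster's script; it runs against a constructed throwaway directory standing in for /tmp, so it can be tried offline before being pointed at the real one.

```shell
#!/bin/sh
# Audit a temp directory the way a defender would after finding attacker
# tooling in /tmp. Added example; the directory is a placeholder for /tmp.
# Reports: sticky bit (users cannot remove each other's files), whether the
# directory is still traversable (chmod 666 on a directory breaks it for
# every daemon), how many regular files carry an execute bit, and how many
# PHP session files (sess_*) live there.

# tmp_has_sticky DIR -> prints yes/no
tmp_has_sticky() {
    if [ -n "$(find "$1" -maxdepth 0 -type d -perm -1000 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# tmp_is_traversable DIR -> prints yes/no (all three search bits present)
tmp_is_traversable() {
    if [ -n "$(find "$1" -maxdepth 0 -type d -perm -0111 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# tmp_count_executables DIR -> number of regular files with any x bit.
# Scripts and binaries dropped by an intruder need this bit to run
# directly; mounting /tmp noexec,nosuid denies it regardless of the mode.
tmp_count_executables() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | wc -l | tr -d ' '
}

# tmp_count_sessions DIR -> number of PHP session files (sess_*).
# A non-zero count means session.save_path is unset and sessions share
# the directory with everything else that writes to /tmp.
tmp_count_sessions() {
    find "$1" -type f -name 'sess_*' | wc -l | tr -d ' '
}

# audit_tmp DIR -> human-readable report
audit_tmp() {
    d=$1
    echo "directory:    $d"
    echo "sticky bit:   $(tmp_has_sticky "$d")"
    echo "traversable:  $(tmp_is_traversable "$d")"
    echo "executables:  $(tmp_count_executables "$d")"
    echo "php sessions: $(tmp_count_sessions "$d")"
}

# Constructed demo directory standing in for /tmp.
demo=$(mktemp -d)
chmod 1777 "$demo"                         # the mode /tmp is supposed to have
: > "$demo/x.pl"; chmod 755 "$demo/x.pl"  # stands in for a dropped script
: > "$demo/sess_0123456789abcdef"          # stands in for a PHP session file
echo "--- healthy 1777 /tmp ---"
audit_tmp "$demo"
chmod 0666 "$demo"                         # the fix from the thread
echo "--- after chmod 666 ---"
audit_tmp "$demo"
chmod 1777 "$demo"; rm -rf "$demo"
```

After `chmod 666` the report shows the sticky bit gone and the directory no longer traversable, which is why the thread's fix is really "nobody can use /tmp at all". The lower-impact way to get the same effect against dropped scripts is to keep /tmp at 1777 but mount it `noexec,nosuid` (a separate partition or a memory-backed filesystem), point PHP at its own directory with `session.save_path`, and rerun the audit from cron so a new executable in /tmp becomes an alert rather than a post-mortem discovery.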
 