Server got hacked/rooted

Scr33x0r

Hi Guys,

Tonight our server got hacked and I don't know how. As we speak I'm restoring this morning's backups to a new server.

The DA version was 1.38.4, did this version have any known vulnerabilities?

It seems every .php file shows their message, and the skin directory of DA also got changed (enhanced/admin/index.html)...

Even the root has an index.html in it with the hacker's notes.

Do any of you have experience with this? If I know how they got in, I can protect us.

The message:

~ ~ Server Rooted ~ ~
By
~ KiLLerMiNd ~
&
~ Kishan Patel ~
&
~ xkorem ~
 
Restoring takes quite long, as it is done with PHP, I guess?

Is there any way I can speed up this process?
 
It was probably a vulnerable PHP script that had tmp access, so a perl script modified every index.* file. Not sure..... but the last DA version with vulnerabilities was 1.33.6.
 
You were right. There's all kinds of exploit stuff in /tmp. Is there any way I can protect against this?
 
Generally this will happen when apache can get into /home/*/domains/example.com/ directories and sub-directories, and overwrite index files. Most recent DirectAdmin installations don't have the vulnerability.

For example, public_html directories are now chown username:username, and chmod 755, so only the user can write into public_html.

All of this presupposes mod_ruid2 or similar; otherwise apache must be able to write into public_html.

Jeff
 
So basically, if I get a bad script kiddie on my customer server?

He can basically bring down the system?

Is there a way to block dangerous code in the php.ini or something?
 
0. Read this http://help.directadmin.com/item.php?id=247

1. Use suPHP or mod_ruid2

2. Set up an "access" limited group for apache/dovecot/ftp
+ http://help.directadmin.com/item.php?id=254
+ http://www.directadmin.com/features.php?id=961

3. Secure your php.ini

4. Secure /tmp and /var/tmp
...

Search the forums for details, these subjects have already been discussed here many times.


Note: I do not guarantee that if you follow all of these steps, or only some of them, you'll never be hacked or compromised again.
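As an added example (not code from the thread or from DirectAdmin), a few POSIX shell helpers that check for the conditions Jeff's post and the list above describe: public_html directories that are not user:user and 755, index.* files overwritten recently, and executable files sitting in a temp directory. It assumes GNU coreutils/findutils (stat -c, find -mmin); the home root, time window and temp path are parameters, not the server's real paths.

```shell
#!/bin/sh
# Added example (not from the thread): audit helpers for the DirectAdmin-style
# layout /home/<user>/domains/<domain>/public_html that Jeff describes.
# Assumes GNU coreutils/findutils (stat -c, find -mmin); the home root,
# the time window and the temp directory are arguments, not fixed paths.

# Report public_html directories that are not owned by their account user,
# or that are group/other writable. Expected state: <user>:<user>, mode 755.
audit_public_html() {
    root="$1"
    for dir in "$root"/*/domains/*/public_html; do
        [ -d "$dir" ] || continue
        rel="${dir#"$root"/}"
        user="${rel%%/*}"                          # account name from the path
        owner=$(stat -c '%U' "$dir")
        mode=$(stat -c '%a' "$dir")
        perm=$(printf '%s' "$mode" | tail -c 3)    # drop setgid/sticky digit
        grp="${perm%?}"; grp="${grp#?}"            # group digit
        oth="${perm#??}"                           # other digit
        [ "$owner" = "$user" ] || echo "OWNER $dir owned by $owner, expected $user"
        case "$grp$oth" in
            *[2367]*) echo "MODE $dir is $mode, expected 755" ;;
        esac
    done
}

# List index.* files under any public_html modified within the last N minutes;
# a mass overwrite like the one in this thread shows up as a burst of hits.
recent_index_files() {
    find "$1" -path '*/public_html/*' -type f -name 'index.*' -mmin "-$2"
}

# List regular files with an owner-execute bit in a temp directory. Mounting
# /tmp noexec (step 4 in the list above) stops such files from running.
tmp_executables() {
    find "$1" -type f -perm -100
}
```

Source the file and run e.g. `audit_public_html /home`, `recent_index_files /home 60` and `tmp_executables /tmp` as root; an empty result from all three is the expected healthy state.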
 