Server hacked!!!?

bastardo

To my disgrace, it looks like my DirectAdmin just got hacked.
Tried to access my webmail minutes ago, and got error 500.
Then went to DirectAdmin and tried to log in as admin, submitted the password and after submitting got to a defaced page with this picture: http://www.up-00.com/bzfiles/5Ps89518.jpg
and this:
[email protected]

[root@mercury ~]# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@mercury ~]# cat /etc/shadow
root:$1$SMNoL9vL$odGcXipSA1Yev7WPgfqv0.:14181:0:99999:7

Tried to access through SSH, but the root password was not working; accessed with admin but can't use the su command. Some websites on this server also got defaced, others are just giving error 500.
Services aren't working.
Looks like most services are running, but what is strange is that spamd is using lots of CPU under certain user accounts, as I can see with top.
Can't access with root.

HELP
 
If you want to help us, tell us which services you run, ports and what versions.

Do you have Joomla installations on the server?
Do you have other pre-prepared scripts running on your server?

What do the logs say, if they still exist? Does ps still work?
What do you see with netstat -a / netstat -n?

Tell us everything and more :)
 
Many thanks for your reply!
The server is running CentOS 5.
Yes, there are a few websites with Joomla; some of them got defaced a while ago, through SQL injection. Removed the vulnerable Joomla components and fixed it.
Not many other pre-prepared scripts running.
ps still works.
Which logs should I look into? Can I access them since I lost root access?
This is the result from netstat:
Code:
[admin@mercury ~]$ netstat -a / netstat -n
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1004            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 24.102.62.102:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        1      0 24.102.62.102:57809     131.252.208.96:80       CLOSE_WAIT
tcp        1      0 24.102.62.102:57807     131.252.208.96:80       CLOSE_WAIT
tcp        0      0 127.0.0.1:35503         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35501         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35510         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35509         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35506         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35507         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35504         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35505         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35518         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35516         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35517         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35514         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35512         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35513         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35526         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35527         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35524         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35525         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35522         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35520         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35521         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35534         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35535         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35532         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35533         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35530         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35531         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35528         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35529         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35542         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35543         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35540         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35541         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35539         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35536         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35537         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35550         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35551         127.0.0.1:783           FIN_WAIT2
tcp        0      0 127.0.0.1:35548         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35549         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35546         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:35547         127.0.0.1:783           TIME_WAIT
tcp        0      0 24.102.62.102:25        62.139.139.122:9997     ESTABLISHED
tcp        0      0 24.102.62.102:25        62.139.139.122:10157    ESTABLISHED
tcp        0      0 127.0.0.1:42489         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:42488         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:42483         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:42485         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:42487         127.0.0.1:783           TIME_WAIT
tcp        0      0 127.0.0.1:42486         127.0.0.1:783           TIME_WAIT
tcp        0      0 24.102.62.102:143       85.139.40.185:58004     ESTABLISHED
tcp        0      0 24.102.62.102:3306      76.70.10.152:61651      ESTABLISHED
tcp        1      0 24.102.62.102:40023     152.3.121.62:80         CLOSE_WAIT
tcp        1      0 24.102.62.102:40028     152.3.121.62:80         CLOSE_WAIT
tcp        1      0 24.102.62.102:50496     129.101.198.62:80       CLOSE_WAIT
tcp        0      0 24.102.62.102:25        62.139.139.122:9951     ESTABLISHED
tcp        0      0 127.0.0.1:783           127.0.0.1:35551         CLOSE_WAIT
tcp        0      0 24.102.62.102:110       85.242.216.141:49159    TIME_WAIT
tcp        0      0 24.102.62.102:110       85.242.216.141:49158    TIME_WAIT
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 0.0.0.0:36916           0.0.0.0:*
udp        0      0 24.102.62.102:53        0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 24.102.62.102:28355     24.215.0.11:53          ESTABLISHED
udp        0      0 0.0.0.0:998             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 0.0.0.0:1001            0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
raw        0      0 0.0.0.0:1               0.0.0.0:*               7
raw     1324      0 0.0.0.0:1               0.0.0.0:*               7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     7183   @/var/run/hald/dbus-3XZN2T5VkZ
unix  2      [ ACC ]     STREAM     LISTENING     6662   /dev/gpmctl
unix  4      [ ]         DGRAM                    21717262 /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     7142   /var/run/avahi-daemon/socket
unix  2      [ ACC ]     STREAM     LISTENING     16414469 /var/lib/mysql/mysql.sock
unix  2      [ ACC ]     STREAM     LISTENING     6993   /tmp/.font-unix/fs7100
unix  2      [ ACC ]     STREAM     LISTENING     5506   /var/run/audit_events
unix  2      [ ]         DGRAM                    1230   @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    7195   @/org/freedesktop/hal/udev_event
unix  2      [ ACC ]     STREAM     LISTENING     7184   @/var/run/hald/dbus-fLg2Huz1kZ
unix  2      [ ACC ]     STREAM     LISTENING     5969   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     6144   /var/run/pcscd.comm
unix  2      [ ACC ]     STREAM     LISTENING     6293   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     21247925 /var/run/cups/cups.sock
unix  3      [ ]         STREAM     CONNECTED     22808634
unix  3      [ ]         STREAM     CONNECTED     22808633
unix  3      [ ]         STREAM     CONNECTED     22797692
unix  3      [ ]         STREAM     CONNECTED     22797691
unix  2      [ ]         STREAM     CONNECTED     22774452
unix  3      [ ]         STREAM     CONNECTED     22164447
unix  3      [ ]         STREAM     CONNECTED     22164446
unix  2      [ ]         DGRAM                    21717621
unix  2      [ ]         DGRAM                    21717269
unix  2      [ ]         DGRAM                    21698997
unix  2      [ ]         DGRAM                    220366
unix  3      [ ]         STREAM     CONNECTED     8288   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8287
unix  3      [ ]         STREAM     CONNECTED     8056   /var/run/acpid.socket
unix  3      [ ]         STREAM     CONNECTED     8055
unix  3      [ ]         STREAM     CONNECTED     8048   @/var/run/hald/dbus-3XZN2T5VkZ
unix  3      [ ]         STREAM     CONNECTED     8045
unix  3      [ ]         STREAM     CONNECTED     7190   @/var/run/hald/dbus-fLg2Huz1kZ
unix  3      [ ]         STREAM     CONNECTED     7189
unix  3      [ ]         STREAM     CONNECTED     7187   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7186
unix  3      [ ]         STREAM     CONNECTED     7145   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     7144
unix  3      [ ]         STREAM     CONNECTED     7136
unix  3      [ ]         STREAM     CONNECTED     7135
unix  2      [ ]         DGRAM                    7133
unix  2      [ ]         DGRAM                    7126
unix  2      [ ]         DGRAM                    6937
unix  2      [ ]         DGRAM                    6648
unix  2      [ ]         DGRAM                    6245
unix  2      [ ]         DGRAM                    6189
unix  2      [ ]         DGRAM                    6143
unix  3      [ ]         STREAM     CONNECTED     6034   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     6033
unix  2      [ ]         DGRAM                    6003
unix  3      [ ]         STREAM     CONNECTED     5972
unix  3      [ ]         STREAM     CONNECTED     5971
unix  3      [ ]         STREAM     CONNECTED     5913
unix  3      [ ]         STREAM     CONNECTED     5912
unix  2      [ ]         DGRAM                    5761
unix  2      [ ]         DGRAM                    5596
unix  3      [ ]         STREAM     CONNECTED     5472
unix  3      [ ]         STREAM     CONNECTED     5471
[admin@mercury ~]$
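A quick way to read a dump like the one above is to reduce it to two questions: which ports are listening on a public interface that you did not expect, and which remote hosts are actually talking to the box. The script below is an added example, not code from the thread or from DirectAdmin; it parses a short excerpt of the netstat output posted above and compares the listeners against an assumed baseline for a mail/web/DNS/DA server (the EXPECTED_LISTEN set is that assumption and must be adjusted to your own host).

```python
"""Summarise `netstat -a -n` output: unexpected public listeners and remote peers."""
import ipaddress
import re

# Excerpt of the netstat output posted in the thread (a few lines only).
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1004            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:35503         127.0.0.1:783           TIME_WAIT
tcp        0      0 24.102.62.102:25        62.139.139.122:9997     ESTABLISHED
tcp        0      0 24.102.62.102:3306      76.70.10.152:61651      ESTABLISHED
udp        0      0 0.0.0.0:36916           0.0.0.0:*
"""

# Assumed baseline for this kind of host: ftp, smtp, dns, pop3, rpcbind,
# imap, submission, DirectAdmin, mysql. Adjust to what your server should run.
EXPECTED_LISTEN = {21, 25, 53, 110, 111, 143, 587, 2222, 3306}

# proto recv-q send-q local:port foreign:port [state]
LINE_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)$"
)


def parse_netstat(text):
    """Turn netstat socket lines into dicts; header, raw and unix lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": ipaddress.ip_address(laddr),
            "lport": int(lport) if lport != "*" else None,
            "raddr": ipaddress.ip_address(raddr),
            "rport": int(rport) if rport != "*" else None,
            "state": state or None,
        })
    return rows


def is_listener(row):
    """TCP sockets in LISTEN, or UDP sockets with a wildcard peer, accept traffic."""
    return row["state"] == "LISTEN" or (row["proto"] == "udp" and row["rport"] is None)


def unexpected_listeners(rows, expected=EXPECTED_LISTEN):
    """Sockets bound on a non-loopback address whose port is not in the baseline."""
    found = set()
    for r in rows:
        if is_listener(r) and not r["laddr"].is_loopback and r["lport"] not in expected:
            found.add((r["proto"], r["lport"]))
    return found


def external_peers(rows):
    """Remote addresses talking to this host, with the local port and socket state."""
    peers = set()
    for r in rows:
        if r["raddr"].is_loopback or r["raddr"].is_unspecified:
            continue
        peers.add((str(r["raddr"]), r["lport"], r["state"]))
    return peers


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("unexpected listeners:", sorted(unexpected_listeners(rows)))
    print("external peers:", sorted(external_peers(rows)))
```

Run against the excerpt it flags tcp/1004 and udp/36916 as listeners outside the baseline (tcp/1004 is unexplained in the dump; udp/36916 is the sort of port portmap-registered services pick, so it needs checking against rpcinfo rather than assumed bad), and lists the two hosts with established sessions to SMTP and MySQL. Note that `netstat -p`, which would name the owning process, only shows other users' processes when run as root, so on a box where root is lost the port-to-process mapping has to come from the rescue environment.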
 
hmmz, nobody streaming at the moment, I mean strange ports, backdoors and so on..

Yes, the Joomla sites were defaced? hmmz, just hope they didn't get access through a dirty script.. there is an admin password change vuln in the Joomla 1.5 series around.. so you can control the Joomla installation and install/place a file manager in Joomla to upload evil files, run them to get nobody access and then a kernel exploit and then tada, root access...


Hmmz, difficult...
What versions of services do you run?
What kernel?

Well you could try: cat /var/log or /var/logs/

Do you see any strange procs in ps? ps -aux?
Are you really sure the root pass isn't working? hmmz, maybe the **** changed it, but then he got full root access, which means: reinstall server, I'm afraid..
You could spend hours on investigating and forensics, but I think you'd better spend that on reinstalling..

I mean: just to be sure, you never know.. many customers on the server?
Got backups?
 
Everything else looks normal.
No new processes, all processes started a long time ago.
Can access DirectAdmin with users' accounts, but can't access with admin; get a defaced page after login.
Maybe it was some sort of SQL injection.
But it's strange that I get "Access Denied" when trying SSH with root, but after SSH with admin I try doing su but get wrong password. (Maybe I changed it and don't remember :S )
All seems to be ok with users' accounts, except that most of them are giving error 500 when accessing their websites.
 
Some features like File Manager in the user's DA panel lead to the same defaced page.
Some things here remind me of the SQL injection vulnerabilities in Joomla!
Are we looking at an SQL injection vulnerability in DA? :eek:
 
DirectAdmin doesn't use SQL. I honestly still would never trust that server. They could have installed keyloggers or anything. I would feel nervous typing anything on that system after being compromised like that.
 
No paranoia here!
I don't think they got root; they did the maximum defacement they could through some kind of vulnerability. Otherwise they would have done much more damage.
Looks like what is hacked is the admin part of DirectAdmin.
Is it a bad idea to reboot the server and change the root password?
Or what should I do to fix DirectAdmin?
 
If they changed your root password then they got root access. Take it off the network immediately. Run the DirectAdmin Admin Backups. Save the backups to another drive. Rebuild server. Restore accounts from the backups.
 
DirectAdmin didn't get hacked

I changed the title of the thread; it wasn't DirectAdmin that was hacked but rather your DirectAdmin-based server. No need to get every DirectAdmin user who reads the forums scared.

Jeff
 
I understand your concern regarding panic among users and even protecting a product's reputation.
To be honest I still believe that DA got hacked. After a long analysis we found that the hacker got into a user's DA panel that was using a weak password. This user had no SSH access.
Then some kind of code injection was submitted through the ticket/message system that defaced part of the DA admin level.
I was able to access the DA admin level features using URLs with the specific tokens, but the main menu page plus the messages/tickets system and File Manager were defaced.
Some websites (not all) were defaced because the httpd confs were also affected, and after stopping httpd I couldn't get it restarted due to corrupted conf files.
We are still investigating and will send a report to the DA team with all the details to investigate the existence of any vulnerability and get it fixed.
 
I look forward to your report; if the user had a weak password that's not the same as DirectAdmin being hacked.

The same weak password could have been used to upload a php file to the server via ftp (or even the DirectAdmin control panel). Since I don't know the details of what specifically was done, I don't know if that could have resulted in damage to the DirectAdmin interface or not.

I understand your points and I think John should be made aware of the issue immediately.

However it's important to note that DirectAdmin's webserver is custom built by DirectAdmin; it's written in C++. It's been found to be quite secure in the past.

Jeff
 
Yes, send us an email with any info you find. If it is the ticket/message system, please include any text that was used. (you can grab it from /usr/local/directadmin/data/tickets/*/*/*.msg)

Of course, please make sure you're using a current version of DA. The ticket characters have been html encoded for a very long time, so it's less likely to happen on a box with a current DA.

I looked back on one of our testing boxes (to be sure) and I found intentional javascript injection tests that I did back in May 2006 which show up just fine. All characters are encoded in the subject and the text... so I couldn't say how any injection could happen if you've got a newer DA.. but of course, let us know if you find anything that we've overlooked.

If the defacement in DA was showing that jpg you've posted, then it's likely he just ran a "find" as root for all html files on your box and replaced them, meaning if he has root to change html files, it's not likely he used the front door via 2222. DA uses html files in the skins, just like apache (html files on disk). Note that "admin" does not have root access and can't change the root password (that we know of). Admin is designed to be a User like anyone else and only has extra privs to create other Users. (admittedly, by getting DA to run specific commands as root, but they're heavily checked/filtered)

John
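The encoding John describes is the whole defence against a stored injection through a ticket: every untrusted field is HTML-encoded, quotes included, before it is placed into the page, whether it lands in element text or inside an attribute. The block below is an added example written for this thread; it is not DirectAdmin code and says nothing about how DA's C++ server actually renders tickets. It shows the raw-substitution pattern that makes a ticket defacement possible next to the encoded version, and a small parser-based check of the kind you would use as a regression test, run over a constructed ticket containing the usual test strings.

```python
"""Render a support ticket with and without HTML encoding, and verify the result."""
import html
from html.parser import HTMLParser

# Constructed ticket: the kind of test strings one submits to check a ticket
# system encodes its fields. Not taken from the compromised server.
TICKET = {
    "subject": 'Help" onmouseover="alert(1)',
    "body": "My site is down <script>alert(document.cookie)</script> please fix",
}

# Hypothetical ticket page: the subject appears both in an attribute and in text.
TEMPLATE = (
    '<div class="ticket" title="{subject}">'
    "<h2>{subject}</h2><pre>{body}</pre></div>"
)

# Tags and attributes the template itself produces; anything else came from input.
TEMPLATE_TAGS = {"div", "h2", "pre"}
TEMPLATE_ATTRS = {"class", "title"}


def render_unsafe(ticket):
    """Vulnerable pattern: untrusted fields substituted into markup verbatim."""
    return TEMPLATE.format(**ticket)


def render_encoded(ticket):
    """Hardened pattern: each field HTML-encoded (quote=True also covers attributes)."""
    return TEMPLATE.format(**{k: html.escape(v, quote=True) for k, v in ticket.items()})


class TagCollector(HTMLParser):
    """Collects every start tag and attribute name the browser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def injected_markup(page):
    """Tags/attributes in the rendered page that the template did not put there."""
    collector = TagCollector()
    collector.feed(page)
    extra_tags = set(collector.tags) - TEMPLATE_TAGS
    extra_attrs = set(collector.attrs) - TEMPLATE_ATTRS
    return sorted(extra_tags | extra_attrs)


if __name__ == "__main__":
    print("unsafe  ->", injected_markup(render_unsafe(TICKET)))
    print("encoded ->", injected_markup(render_encoded(TICKET)))
```

The unsafe rendering yields an extra `script` tag and an `onmouseover` attribute; the encoded rendering yields none, because `&lt;script&gt;` is text and `&quot;` cannot close the title attribute. The parser-based check is deliberately stricter than a substring search: it asks what a browser would parse, which is the question that matters when ticket text is shown to an admin.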
 
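John's reading of the defacement, a root-level find over every html file followed by a rewrite, is something an integrity baseline catches immediately and distinguishes from a single application being tampered with: a mass rewrite shows up as many files across unrelated sites changing at once. The following is an added example, not part of the thread or of DirectAdmin: it builds a hash manifest of web files under a root, then diffs a later snapshot against it. The directory layout and the "defacement" it applies are constructed inside a temporary directory so the script runs anywhere.

```python
"""Hash-manifest baseline for web content, with a constructed mass-defacement demo."""
import hashlib
import tempfile
from pathlib import Path

WATCHED_SUFFIXES = (".html", ".htm", ".php")


def sha256_file(path):
    """Streamed SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, suffixes=WATCHED_SUFFIXES):
    """Map relative path -> sha256 for every watched file under root."""
    root = Path(root)
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in suffixes
    }


def diff_manifests(baseline, current):
    """Classify each path as modified, added or removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: known-good snapshot, then every html file rewritten."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for site in ("site1", "site2"):
            (root / site).mkdir()
            (root / site / "index.html").write_text(f"<h1>{site}</h1>")
        (root / "site2" / "style.css").write_text("body{}")  # not watched

        baseline = snapshot(root)  # taken while the box is known-good

        # Simulate the rewrite described in the thread plus one dropped file.
        for page in root.rglob("*.html"):
            page.write_text("<img src=deface.jpg>")
        (root / "site1" / "new.php").write_text("<?php /* constructed dropped file */ ?>")

        return diff_manifests(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline only has value if it is stored off the server and the comparison is run from a trusted environment (a rescue boot or a second machine with the disk mounted): once root is lost, as the thread discusses, anything the running system reports, hashes included, can be arranged to look clean.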
hack?

I got the same problems. The "root" password does not work.
Please help.
 
If your server has been hacked then there is nothing we can do to help you. You will need to reformat the hard drive and start over.

If you simply forgot your root password then you can get the data center to reset it. Again nothing we can do to help.
 