Website defaced.

mikegrungey (Verified User, joined May 9, 2008, 23 messages)
Hi Guys!

Sorry if this is not the right thread category. My server just got defaced today and all my clients' sites were also defaced, mostly the index files.

As for DirectAdmin, I can't log in to the admin panel after I submit my username and password, because that page has also been defaced.

Problems:
1. So how do I fix my DirectAdmin, and maybe also phpMyAdmin and the mail client, which have been defaced too?

2. What is the first thing to check when this happens?
 
Hello,

That's of course good, that you are asking questions here. But you'd better hire somebody from these forums, because it'll be very difficult to teach you here what to do.

And now it's very important to change the root/admin passwords, of course only if you can still gain access with ssh.

And depending on how deeply your server was compromised, there is a great possibility that you need a full format and re-installation.
 
I checked my history and I found this:
56 cat /usr/local/directadmin/data/users/admin1/httpd.conf | grep ServerName
57 cat /usr/local/directadmin/data/users/admin2/httpd.conf | grep ServerName
58 cat /usr/local/directadmin/data/users/admin3/httpd.conf | grep ServerName
59 cat /usr/local/directadmin/data/users/admin4/httpd.conf | grep ServerName
60 cat /usr/local/directadmin/data/users/admin5/httpd.conf | grep ServerName
61 cat /usr/local/directadmin/data/users/admin6/httpd.conf | grep ServerName
62 cat /usr/local/directadmin/data/users/admin7/httpd.conf | grep ServerName
63 cat /usr/local/directadmin/data/users/admin7
64 cat /usr/local/directadmin/data/users/admin8/httpd.conf | grep ServerName
65 cat /usr/local/directadmin/data/users/admin9/httpd.conf | grep ServerName
66 cat /usr/local/directadmin/data/users/admin10/httpd.conf | grep ServerName
67 cat /usr/local/directadmin/data/users/admin11/httpd.conf | grep ServerName
68 cat /usr/local/directadmin/data/users/admin12/httpd.conf | grep ServerName
69 cat /usr/local/directadmin/data/templates/httpd.conf | grep ServerName
70 pwd
71 ls /home/admin1/domains/
72 ls /home/1/
73 ls /home/
74 lsb_release -a
75 uname -a;id
76 lsb_release -a
77 find / -name "index.*" -exec cp /home/admin1/domains/domain1.com/public_html/syarikat/images/a/index.html {} \;
78 id
79 find / -name "home.*" -exec cp /home/admin1/domains/domain1.com/public_html/syarikat/images/a/index.html {} \;
80 find / -name "default.*" -exec cp /home/admin1/domains/domain1.com/public_html/syarikat/images/a/index.html {} \;
81 cd /
82 /etc/init.d/httpd status
83 /etc/init.d/httpd stop
84 ls -al

I wonder if the hackers used ssh or got in through some old version of Joomla?

If I use ./rebuild, does it rebuild my DirectAdmin, phpMyAdmin and mail index files too?
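The history above shows the attacker copying one deface page over every `index.*`, `home.*` and `default.*` on the box. The following script is an added example, not something from the thread or from DirectAdmin: given a recovered copy of the deface page, it lists every other file under a root that is byte-for-byte identical to it, so the affected pages can be restored from backup. It hashes every regular file rather than only those three name patterns, since the history only shows the names targeted this time; the demo tree and its paths are constructed, not the poster's server.

```shell
#!/bin/sh
# Added example: find every file identical to a recovered deface page.
# Demo paths below are constructed; nothing here refers to a real server.

file_hash() {   # SHA-256 where available, POSIX cksum (CRC) as a fallback
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# find_defaced_copies <recovered_deface_page> <root>: one matching path per line.
# -xdev keeps the walk on one filesystem (skips /proc, /sys, mounted backups).
find_defaced_copies() {
    ref=$1; root=$2; ref_sum=$(file_hash "$ref")
    find "$root" -xdev -type f -print | while IFS= read -r f; do
        if [ "$f" != "$ref" ] && [ "$(file_hash "$f")" = "$ref_sum" ]; then
            printf '%s\n' "$f"
        fi
    done
}

count_defaced_copies() { find_defaced_copies "$1" "$2" | wc -l | tr -d ' '; }

# Constructed demo tree: three entry pages overwritten, one legitimate index.php intact.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/evidence" "$base/site1/public_html" "$base/site2/public_html/blog" "$base/site3/public_html"
    printf '<html><body>HACKED</body></html>\n' > "$base/evidence/index.html"  # recovered deface page
    cp "$base/evidence/index.html" "$base/site1/public_html/index.html"
    cp "$base/evidence/index.html" "$base/site2/public_html/blog/home.php"
    cp "$base/evidence/index.html" "$base/site3/public_html/default.htm"
    printf '<?php echo "legitimate site"; ?>\n' > "$base/site2/public_html/index.php"
    printf '%s\n' "$base"
}

# Stand-alone run: build the demo tree, report the copies, clean up.
if [ -z "${NO_DEMO:-}" ]; then
    demo=$(make_demo_tree)
    echo "Files identical to the deface page ($(count_defaced_copies "$demo/evidence/index.html" "$demo") found):"
    find_defaced_copies "$demo/evidence/index.html" "$demo"
    rm -rf "$demo"
fi
```

On a real box, point it at `/home` (or `/`) with the deface page saved outside the web roots, and diff the resulting list against the restore set.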
 
It seems to me that the server was hacked through the domain1.com scripts.

I know nothing about ./rebuild. What is it? I don't recollect any script with such a name shipping with DirectAdmin.

Anyway, if a hacker got root access, you'd better format the HDD and re-install the OS, because the OS might have backdoors.
 
Thanks for the reply zEitEr. Yup, you are right about the scripts; there is some script inside the folder and it was uploaded via apache. I can't format my server since I'm running on a VPS.
 
That's much easier. Most VPS control panels allow you to rebuild your VPS, moving the old data to a specified directory.
 
Defacing all index.html and index.php pages may not need to be done as root. If the malicious script was run as apache (it most likely was), it could deface everything without having root access. Most important is to use either mod_ruid2 or mod_suPHP, instead of mod_php, to run your PHP code. That way, if the problem occurs again, only the user who uploaded the script (or who had the script uploaded due to a vulnerability in her/his script) will be affected.

I, and others, can audit your server for you if you can't do it yourself; while I can't speak for others, when we do it, we charge a fee for the service.

Jeff
 
Well, regarding the history file, it is important to know which user's history that is, because if it is root's, then yes, you need to reinstall to do a proper clean.

If it is just the apache history (or a non-root user), well then maybe not everything is compromised and the suggestion from jlasman is totally valid.

Regards
 
Thank you for the info. The server has now been reinstalled and reconfigured to use mod_suphp.
 
I would suggest you use PHP as CLI and mod_ruid2 for security, and not suphp.

You can find a how-to on this forum for switching to mod_ruid2.

regards
 
mod_ruid2 is not that stable and introduces some significant risks (hacker becomes root). I'm not sure it's THE solution to all problems when it comes to permissions.
 
Yep, all these mods are subject to the same vulnerability that will let a skilled hacker take over your server as soon as he takes over Apache.
I wish there was a good solution for this, but for now I'd rather have "just" Apache compromised than the whole server.

EDIT: But to go back to the original point, if one insists on using a setuid mod, mod_ruid2 is definitely the way to go if you want speed and can provide feedback to the project owner so that he can make it better and better.
 
I got this error after the reinstall.

Cannot find /usr/local/bin/php
Please recompile php with custombuild, eg:
cd /usr/local/directadmin/custombuild
./build all d

After that I tried ./build php d.

When I test phpinfo I get a page error 500.
 
Learn the reason from the error logs. It seems to me you're using mod_suphp, and it's a permissions issue. PHP scripts should belong to user:user, 640 (not more), and directories user:user, 750 (not more).
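The "not more" in that rule is what trips people after a reinstall: a 644 script or a 755 upload directory is enough for suPHP to refuse the request with a 500. The script below is an added example, not from the thread or from DirectAdmin, that audits a docroot against exactly that rule: every permission bit that is set must also be set in the allowed mode (rw-r----- for files, rwxr-x--- for directories), and owner and group must match the account. Owner and group are passed as numeric ids (`id -u`, `id -g`); the demo docroot is constructed.

```shell
#!/bin/sh
# Added example: audit a mod_suPHP docroot for "user:user 640 / 750, not more".
# Demo tree below is constructed; ids come from the caller.

# mode_within ACTUAL ALLOWED: 9-character rwx strings; succeeds if ACTUAL is a subset.
mode_within() {
    i=1
    while [ "$i" -le 9 ]; do
        a=$(printf '%s' "$1" | cut -c"$i"); w=$(printf '%s' "$2" | cut -c"$i")
        [ "$a" = "-" ] || [ "$a" = "$w" ] || return 1   # r/w/x/s/t where not allowed
        i=$((i + 1))
    done
    return 0
}

# audit_suphp_perms <docroot> <uid> <gid>: one finding per line, nothing when clean.
audit_suphp_perms() {
    root=$1; uid=$2; gid=$3
    find "$root" \( -type f -o -type d \) -print | while IFS= read -r path; do
        set -- $(ls -ldn "$path")            # $1 type+mode, $3 owner uid, $4 group gid
        mode=$(printf '%s' "$1" | cut -c2-10)
        case $1 in d*) allowed=rwxr-x--- ;; *) allowed=rw-r----- ;; esac
        if ! mode_within "$mode" "$allowed"; then
            printf '%s: mode %s exceeds %s\n' "$path" "$mode" "$allowed"
        fi
        if [ "$3" != "$uid" ] || [ "$4" != "$gid" ]; then
            printf '%s: owned by %s:%s, expected %s:%s\n' "$path" "$3" "$4" "$uid" "$gid"
        fi
    done
}

count_findings() { audit_suphp_perms "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Constructed demo docroot: one compliant script and directory, three violations.
make_demo_docroot() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html/inc" "$base/public_html/uploads"
    echo '<?php phpinfo();' > "$base/public_html/index.php";  chmod 640 "$base/public_html/index.php"
    echo '<?php // db' > "$base/public_html/inc/db.php";       chmod 644 "$base/public_html/inc/db.php"
    echo '<?php // up' > "$base/public_html/uploads/up.php";  chmod 755 "$base/public_html/uploads/up.php"
    chmod 750 "$base/public_html" "$base/public_html/inc";   chmod 777 "$base/public_html/uploads"
    printf '%s\n' "$base"
}

if [ -z "${NO_DEMO:-}" ]; then   # stand-alone run against the demo tree
    demo=$(make_demo_docroot)
    audit_suphp_perms "$demo/public_html" "$(id -u)" "$(id -g)"
    rm -rf "$demo"
fi
```

Run it as `audit_suphp_perms /home/USER/domains/DOMAIN/public_html $(id -u USER) $(id -g USER)` on a live account; an empty result means suPHP's ownership and mode checks will pass and the 500 is coming from somewhere else in the error log.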
 