Java Mailing List Archive

http://www.junlu.com/

I 've been hacked, I need some help please...

2005-03-15       - By Ivan Barrera A.

> Thanks for all the answers. If you know anything more
> about what could have been the attack I would like to
> hear about it.

I'm almost sure, as you said, it was an exploit related to an insecure PHP page.
r0nin is a common script to use and upload (I fix lots of clients'
computers with this).
As logs are gone, it is difficult to determine the exact way they hacked
into the machine, unless you try to search through the disk (if they
didn't zero it out).
Take a look at your sites. I've found that common denominators for this
situation are: phpNuke (especially when using that eGallery crap),
phpBB, cPanel default configuration, sites that upload files using
global vars (register_globals = on), and so on.

Unfortunately, the Internet is plagued by those damn kiddiez, who don't do
anything useful. They just get into your box (using some pointer, or scripts
out there), and start placing some files, DoSing other networks, or just
installing lots of IRC bots. Some more advanced guys replace system
files (which keep changing other executables to keep the system
vulnerable), sniff users/passwords of the machine/LAN, sniff packets in
search of a credit card number, etc.

Common places for installing "hack" utils:

/var/tmp
/tmp
/dev/shm
/dev/" " (or more spaces...)
/dev/... (or more dots, or with spaces)
/dev/someunknowndir
/usr/share/locale (I've seen lots using sk under that path)
/" " (or more spaces)

(in cpanel machines)
/usr/local/cpanel/proxy
/usr/local/cpanel/ (almost any of the dirs under that)

(obviously, there are lots more... but almost every machine I fix had
these directories compromised)

Some simple stuff:

link /var/tmp to /tmp
mount /tmp as noexec, and with some other restrictive permissions
mount /dev/shm as noexec
(this is to bug the kiddiez; they can use lots of other directories)
Using SELinux is kinda complex, but gives lots of other options.

How to see if you are hacked:

If on Red Hat/Fedora, the common packages that get changed are psmisc, procps,
net-tools and util-linux.
rpm -VVV all of those packages.

(if ps, lsof, and netstat haven't been changed)
See the processes running (ps axuf).
See the ports open (netstat -ln) and the processes that opened them (netstat
-lntup).
Run lsof. Look at any suspicious port/file.


There is lots more to do...
But if you can, it's better to reinstall from scratch.

(It happened to me 2 days ago. I installed a new server with the default
installation, went home, and it was hacked already. My fault for leaving
ssh1 open, and a soft root password.)

> --- Dennis Speekenbrink <d.g.speekenbrink@(protected)> wrote:
>
>>Hi,
>>
>>Please keep in mind that I'm not a security expert.
>>
>>Something about this says that they did not get root access to the
>>machine. Are you absolutely sure that "root-only" files were changed?
>>
>>Reasons for my thinking are:
>>The rogue processes are running under the Apache user (why not root?)
>>You can still log in. (usually root exploits change the root password
>>first thing, sadly speaking from my own experience)
>>The rogue processes are located in /tmp which is world-writeable.
>>If access was gained through Apache, and it was indeed running as an
>>unprivileged user, then they would need a second exploit to raise
>>their access level to root. By default a security breach in Apache
>>should only compromise anything that Apache can touch.
>>
>>On the other hand:
>>If you're logged in and the 'who' command shows absolutely nobody, then
>>it is obviously at fault.
>>If non-writeable files were modified then an Apache / PHP exploit alone
>>couldn't have done it.
>>If system logs were deleted that is almost certainly an indicator of a
>>root exploit.
>>
>>If you conclude that root access was indeed gained, then the machine
>>must be considered lost.
>>Do not try to repair it, as you can never be sure you removed all traces
>>of the attacker.
>>If you assume that it was only an Apache / PHP exploit then repair is
>>possible but a reinstall might be safer.
>>
>>Good luck!
>>
>>Dennis
>>
>>p.s. if you have an off-site backup or remote logging try comparing data
>>to see what has changed.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@(protected)
  "   from the digest: users-digest-unsubscribe@(protected)
For additional commands, e-mail: users-help@(protected)
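The checks Ivan lists in his reply (rpm -V on the core tool packages, directories named only with spaces or dots under /tmp, /dev and friends, noexec on /tmp and /dev/shm, and listening sockets with the processes that own them) gathered into one POSIX shell triage script. This is an added example, not code from the thread or from either poster: the package names, directory list and mount points come from the post, while the function names, the --live flag and the sample mount table are assumptions made here.

```shell
#!/bin/sh
# Added triage helper for the checks in Ivan's reply (not from the thread).
# Usage: sh hacked_triage.sh --live   (run the checks on this host, as root)
# Without --live only the functions are defined, so the file can be sourced
# and exercised against constructed input.

# odd_name NAME: succeed when NAME consists only of spaces and/or dots
# (other than . and ..), the "/dev/   " and "/dev/..." trick the post
# describes. Such names are easy to overlook in a plain "ls" listing.
odd_name() {
    case "$1" in .|..) return 1 ;; esac
    [ -z "$(printf '%s' "$1" | tr -d ' .')" ]
}

# scan_hiding_dirs DIR...: print one line per entry under each DIR whose
# name odd_name flags; dot-prefixed entries are included in the scan.
scan_hiding_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        d=${d%/}                      # "/" becomes "", so "$d"/* is /*
        for p in "$d"/* "$d"/.*; do
            [ -e "$p" ] || [ -L "$p" ] || continue
            if odd_name "${p##*/}"; then
                printf 'ODD-NAME %s\n' "$p"
            fi
        done
    done
}

# noexec_status MOUNTS_FILE MOUNTPOINT: read a /proc/mounts-format file
# (MOUNTS_FILE, or - for stdin) and print "noexec", "exec" or "not-a-mount"
# for MOUNTPOINT. "exec" means files dropped there can be run directly;
# "not-a-mount" means it is just a directory on its parent filesystem, so
# no mount option restricts it at all.
noexec_status() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4; exit }' "$1")
    if [ -z "$opts" ]; then
        echo not-a-mount
        return
    fi
    case ",$opts," in
        *,noexec,*) echo noexec ;;
        *)          echo exec ;;
    esac
}

# write_sample_mounts FILE: constructed /proc/mounts content for testing:
# /dev/shm is mounted noexec, /tmp is a tmpfs without it, and /var/tmp is
# a plain directory on the root filesystem.
write_sample_mounts() {
    cat >"$1" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
EOF
}

# verify_core_tools: rpm -V on the packages the post names. Each printed
# line is a file whose size, digest, mode or mtime no longer matches the
# package database. The database lives on the suspect disk, so a clean
# result is evidence, not proof.
verify_core_tools() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not found; skipping package verification" >&2
        return 0
    fi
    for pkg in psmisc procps net-tools util-linux; do
        rpm -V "$pkg" || true     # rpm -V exits non-zero when anything differs
    done
}

run_live() {
    echo "== entries named only with spaces/dots =="
    scan_hiding_dirs / /tmp /var/tmp /dev /dev/shm /usr/share/locale
    echo "== noexec on scratch filesystems =="
    for mp in /tmp /dev/shm; do
        printf '%s: %s\n' "$mp" "$(noexec_status /proc/mounts "$mp")"
    done
    echo "== package verification =="
    verify_core_tools
    echo "== listening sockets and owning processes =="
    netstat -lntup 2>/dev/null || ss -lntup
}

case "${1:-}" in --live) run_live ;; esac
```

Run it with `--live` as root for a pass over the host; the ODD-NAME lines and any `exec` or `not-a-mount` answer for /tmp or /dev/shm are the findings to look at first. The caveat both posters raise still applies: rpm -V, ps, netstat and lsof all run on the suspect disk and are exactly the things a replaced system file would lie about, so on a machine where root compromise is suspected, run the tools from rescue media or compare against an off-site backup rather than trusting a clean report.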


©2008 junlu.com - Jax Systems, LLC, U.S.A.