Happy Wednesday. Ok, allow me to share some experience: about 4 years ago 1one1 hosting, myself and a bunch of others got hacked. This is because I was using common vhosts pointing to the web directory; because www:www were the rights (no real easy way to get around that) I had to lock PHP down (as indicated) along with WordPress etc.
It appears this is the real issue at hand: once a server is compromised (regardless of the operating system at hand) it basically needs to be wiped clean and reloaded.
The config below might be like using a ballistic missile when a sledgehammer will do ...
However, touch wood, I have not been hacked since, and if someone does figure out a site login (FTP, WordPress etc.) then the damage is contained to that site and will not bleed out sideways.
Unfortunately this is what is required in today's operating environment. So basically, with this config, central logging that will firewall IPs on demand, WordPress fail2ban showing bad admin logins being tracked, people try all day long but no real issues other than the odd DoS attacks, which the firewall will fix within 20 minutes of the attack?
Hope this explains / helps ..... Happy Wednesday !!! Thanks - paul Paul Kudla Scom.ca Internet Services <http://www.scom.ca> 004-1009 Byron Street South Whitby, Ontario - Canada L1N 4S3 Toronto 416.642.7266 Main 1.866.411.7266 Fax 1.888.892.7266 Email paul@xxxxxxx On 7/6/2022 8:57 AM, Frank Gingras wrote:
Cross-site contamination is not the same as exploiting insecure PHP scripts to upload malicious content. I will agree that isolation is a good idea, but it really has little to do with the thread at hand.

On Wed, 6 Jul 2022 at 06:30, Paul Kudla (SCOM.CA Internet Services Inc.) <paul@xxxxxxx> wrote:

Ok, may or may not be related, but I found I had to lock PHP, WordPress etc. down heavily in Apache, especially if you are using vhosts. I found one authorized site could talk to another without making things more strict. Yes, it's a pain to have one vhost per site, but it's the only way to fully isolate one from the other; if someone executes stuff, it stays within their working directory. Example (shows http alias etc. - note the directory directives - I use a database --> script generator so it's not too inconvenient):

    <VirtualHost *:80>
        ServerName bedrockconstruction.ca
        ServerAlias bedrockconstruction.ca
        ServerAlias www.bedrockconstruction.ca
        Redirect permanent / https://bedrockconstruction.ca/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName bedrockconstruction.ca
        ServerAlias bedrockconstruction.ca
        ServerAlias www.bedrockconstruction.ca
        DocumentRoot /www/bedrockconstruction.ca

        SSLEngine on
        SSLProtocol all
        SSLCertificateFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.crt
        SSLCertificateKeyFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.key
        SSLCertificateChainFile /www/bedrockconstruction.ca/ssl/bedrockconstruction.ca.chain

        SuexecUserGroup www www

        # No PHP may execute out of the WordPress upload directory
        <Directory "/www/bedrockconstruction.ca/wp-content/uploads/">
            <Files "*.php">
                Order Deny,Allow
                Deny from All
            </Files>
        </Directory>

        # Confine PHP file access and all temp/session/cache paths to this site's tree
        <Directory /www/bedrockconstruction.ca>
            php_admin_value open_basedir /www/bedrockconstruction.ca:/var/log/
        </Directory>
        <Directory /www/bedrockconstruction.ca>
            php_admin_value sys_temp_dir /www/bedrockconstruction.ca/tmp/
        </Directory>
        <Directory /www/bedrockconstruction.ca>
            php_admin_value session.save_path /www/bedrockconstruction.ca/tmp/
        </Directory>
        <Directory /www/bedrockconstruction.ca>
            php_admin_value soap.wsdl_cache_dir /www/bedrockconstruction.ca/tmp/
        </Directory>
        <Directory /www/bedrockconstruction.ca>
            php_admin_value upload_tmp_dir /www/bedrockconstruction.ca/tmp
        </Directory>
        <Directory "/www/bedrockconstruction.ca">
            AllowOverride All
            php_value session.save_path "/www/bedrockconstruction.ca/"
        </Directory>
    </VirtualHost>

Happy Wednesday !!! Thanks - paul

On 7/5/2022 9:52 PM, KK CHN wrote:
> https://pastebin.com/YspPiWif
>
> One of the websites hosted by a customer on our Cloud infrastructure was compromised, and the attackers were able to replace the home page with their banner html page.
>
> The log files output I have pasted above.
>
> The site compromised was PHP 7 with MySQL.
>
> From the above log, can someone point out what exactly happened and how they are able to deface the home page.
>
> How to prevent these attacks? What is the root cause of this vulnerability and how the attackers got access?
>
> Any other logs or command line outputs required to trace back, kindly let me know what other details I have to produce?
>
> Kindly shed your expertise in dealing with these kinds of attacks and trace the root cause and prevention measures to block this.
>
> Regards,
> Krish
--------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
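Paul's vhost relies on open_basedir, per-site temp directories and a <Files "*.php"> deny in the uploads directory to keep one compromised site from reaching another. The Python script below is an added example, not code from the thread or from Apache: it audits <VirtualHost> blocks for those isolation directives and additionally flags php_value settings that a .htaccess file could override when AllowOverride All is on. The sample vhost and its domain are constructed.

```python
import re
# Constructed sample modelled on the vhost posted in the thread; the domain is a placeholder.
HARDENED = """<VirtualHost *:443>
    ServerName example.test
    DocumentRoot /www/example.test
    <Directory "/www/example.test/wp-content/uploads/">
        <Files "*.php">
            Order Deny,Allow
            Deny from All
        </Files>
    </Directory>
    <Directory /www/example.test>
        php_admin_value open_basedir /www/example.test:/var/log/
        php_admin_value upload_tmp_dir /www/example.test/tmp
        AllowOverride All
        php_value session.save_path /www/example.test/
    </Directory>
</VirtualHost>"""

def audit_vhost(vhost: str) -> list:
    """Return findings for one <VirtualHost> block; an empty list means all checks passed."""
    findings = []
    m = re.search(r'^\s*DocumentRoot\s+"?([^"\s]+)', vhost, re.M)
    if not m:
        return ["no DocumentRoot directive"]
    docroot = m.group(1).rstrip("/")
    # 1. open_basedir must be set and must name this site's tree, never "/".
    ob = re.search(r'php_admin_value\s+open_basedir\s+(\S+)', vhost)
    entries = [e.rstrip("/") or "/" for e in ob.group(1).split(":")] if ob else []
    if not ob or "/" in entries or docroot not in entries:
        findings.append("open_basedir missing or not confined to the site tree")
    # 2. The uploads directory must refuse to execute *.php (the thread's <Files> block).
    up = re.search(r'<Directory\s+"?([^">\s]*uploads/?)"?\s*>(.*?)</Directory>', vhost, re.S)
    if not up or not re.search(r'<Files\s+"?\*\.php"?\s*>.*?(Deny from [Aa]ll|Require all denied)',
                               up.group(2), re.S):
        findings.append("uploads directory does not block PHP execution")
    # 3. With AllowOverride All, php_value settings can be changed from a .htaccess file.
    if re.search(r'^\s*AllowOverride\s+All', vhost, re.M):
        for key in re.findall(r'^\s*php_value\s+(\S+)', vhost, re.M):
            findings.append(f"php_value {key} is overridable via .htaccess; use php_admin_value")
    # 4. Upload temp files should land inside the site tree, not the shared system tmp.
    ut = re.search(r'php_admin_value\s+upload_tmp_dir\s+(\S+)', vhost)
    if not ut or not ut.group(1).startswith(docroot + "/"):
        findings.append("upload_tmp_dir unset or outside the site tree")
    return findings

def audit_config(text: str) -> dict:
    """Map each ServerName in an httpd config to its findings."""
    blocks = re.findall(r'<VirtualHost[^>]*>.*?</VirtualHost>', text, re.S)
    return {re.search(r'ServerName\s+(\S+)', b).group(1): audit_vhost(b) for b in blocks}
```

Run audit_config over the concatenated vhost files of a shared host to see, per site, which of the isolation directives from the thread are missing.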