Re: [users@httpd] I've been hacked, I need some help please...

Thanks for all the answers. If you know anything more about what could have been the attack, I would like to hear about it.

I'm almost sure, as you said, it was an exploit related to an insecure PHP page.
r0nin is a common script to use and upload (I fix lots of clients' computers with this). As the logs are gone, it is difficult to determine the exact way they hacked into the machine, unless you try to search through the disk (if they didn't zero it out). Take a look at your sites. I've found that the common denominators for this situation are: phpNuke (especially when using that eGallery crap), phpBB, cPanel default configuration, sites that upload files using global vars (register_globals = on), and so on.

Unfortunately, the internet is plagued by those damn kiddiez, who don't do anything useful. They just get into your box (using some pointer, or scripts out there) and start placing some files, DoSing other networks, or just installing lots of IRC bots. Some more advanced guys replace system files (which keep changing other executables to keep the system vulnerable), sniff users/passwords of the machine/LAN, sniff packets in search of a credit card number, etc.

Common places for installing "hack" utils:

/var/tmp
/tmp
/dev/shm
/dev/" " (or more spaces...)
/dev/... (or more dots, or with spaces)
/dev/someunknowndir
/usr/share/locale (I've seen lots using sk under that path)
/" " (or more spaces)

(in cpanel machines)
/usr/local/cpanel/proxy
/usr/local/cpanel/ (almost any of the dirs. under that )

(obviously, there are lots more, but almost every machine I fix had these directories compromised)

Some simple stuff:

link /var/tmp to /tmp
mount /tmp as noexec, and with some other restrictive permissions
mount /dev/shm as noexec
(this is to bug the kiddiez; they can use lots of other directories)
Using SELinux is kinda complex, but gives lots of other options.

How to see if you are hacked:

If on Red Hat/Fedora, the common packages to get changed are psmisc, procps, net-tools and util-linux.
rpm -VVV all of those packages.

(if you don't have ps, lsof, and netstat changed)
See the processes running (ps axuf).
See the open ports (netstat -ln) and the processes that opened them (netstat -lntup).
Run lsof. Look at any suspicious port/file.


There are lots more to do...
But if you can, better to reinstall from scratch.

(It happened to me 2 days ago. I installed a new server with a default installation, went home, and it was hacked already. My fault for leaving ssh1 open, and a soft root password.)

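Added triage script that walks the checklist above (mine, not the poster's): it runs rpm -V over the four packages named, looks for the whitespace-only and dots-only directory names listed, and counts executables in the scratch directories. It assumes an RPM-based host; the paths come from this message.

```shell
#!/bin/sh
# Compromise triage, based on the checklist in the message above.
# Packages the poster names as commonly trojaned on Red Hat/Fedora.
TOOL_PKGS="psmisc procps net-tools util-linux"

# rpm -V prints one line per file that differs from the package database:
# S=size, M=mode, 5=checksum, T=mtime. A changed /bin/ps or /bin/netstat is
# a strong rootkit signal. Skips quietly on non-RPM hosts.
verify_tool_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found, skipping"; return 0; }
    for p in $TOOL_PKGS; do
        rpm -V "$p" 2>/dev/null | sed "s/^/$p: /"
    done
    return 0
}

# Print entries in $1 whose names contain whitespace or start with three
# dots (the "/dev/ " and "/dev/..." tricks). Returns 1 if any were found.
find_odd_names() {
    dir="$1"
    found=0
    for entry in "$dir"/* "$dir"/.*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        case "$name" in
            .|..) continue ;;
            *[[:space:]]*|...*) echo "suspicious: '$entry'"; found=1 ;;
        esac
    done
    return $found
}

# Count regular files with the owner-execute bit under $1. With /tmp and
# /dev/shm mounted noexec these should be rare; each one deserves a look.
count_executables() {
    find "$1" -xdev -type f -perm -100 2>/dev/null | wc -l | tr -d ' '
}

main() {
    verify_tool_packages
    for d in /dev /tmp /var/tmp /dev/shm /usr/share/locale /; do
        find_odd_names "$d"
    done
    for d in /tmp /var/tmp /dev/shm; do
        echo "$d: $(count_executables "$d") executable files"
    done
    # Listening sockets and the processes that own them, as the poster suggests.
    netstat -lntup 2>/dev/null || ss -lntup
}

# Run the full sweep only when invoked as: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```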
--- Dennis Speekenbrink
<d.g.speekenbrink@xxxxxxxxxxxxxxx> wrote:

Hi,

Please keep in mind that I'm not a security expert.

Something about this says that they did not get root access to the machine.
Are you absolutely sure that "root-only" files were changed?

Reasons for my thinking are:
The rogue processes are running under the Apache user (why not root?). You can still log in (usually root exploits change the root password first thing, sadly speaking from my own experience).
The rogue processes are located in /tmp, which is world-writeable.
If access was gained through Apache, and it was indeed running as an unprivileged user, then they would need a second exploit to raise their access level to root. By default a security breach in Apache should only compromise anything that Apache can touch.

On the other hand:
If you're logged in and the 'who' command shows absolutely nobody, then it is obviously at fault. If non-writeable files were modified, then an Apache / PHP exploit alone couldn't have done it.
If system logs were deleted, that is almost certainly an indicator of a root exploit.

If you conclude that root access was indeed gained, then the machine must be considered lost.
Do not try to repair it, as you can never be sure you removed all traces of the attacker.
If you assume that it was only an Apache / PHP exploit, then repair is possible, but a reinstall might be safer.

Good luck!

Dennis

P.S. If you have an off-site backup or remote logging, try comparing data to see what has changed.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx