Investigating possible compromise

Discussion in 'General' started by Mike Hyland, Feb 11, 2015.

  1. Mike Hyland

    Mike Hyland New Member

    Hi All,
    I am investigating a concerning issue regarding a possible compromise on our ISPconfig environment. We have ISPconfig managing a number of webservers and have been noticing a user being added with root privileges to one of the webservers and the only logical explanation is that he/she is somehow exploiting ispconfig. We are on an outdated version of ispconfig and obviously the first thing would be to upgrade to the latest version. I have not worked with ISPconfig before so there is a learning stage for me and it seems I have been thrown in the deep end, so to speak, to get to terms with a breach and understand the intricacies of ISPconfig.

    I turned on the debug logging last night and saw this in the cron job log for server.sh :

    10.02.2015-23:01 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:02 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:03 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:04 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:05 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:06 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:07 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:08 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:09 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:10 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:11 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:12 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:13 - DEBUG - There is already an instance of server.php running. Exiting.
    10.02.2015-23:14 - DEBUG - There is already an instance of server.php running. Exiting.
    The last log was a minute before a user with root privileges was added to one of our web servers. I know there is this documented exploit but am not sure if it is related; it may be:

    http://www.exploit-db.com/exploits/34241/

    Any advice will be much appreciated as well as a robust upgrade process for 5 servers managed by ISPconfig.

    Thanks in advance
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That is very unlikely for 2 reasons. First: The issue posted there is not a real exploit, it is the discussion if the root user of the server (ispconfig administrator) shall be able to create all other shell users freely or not. The method in that post describes that a correctly authenticated server administrator (aka root user) is able to create a new shell user from within a web-based control panel where he can choose the name on his own or not. You can do that in other panels like webmin as well, the root / admin user in webmin can create other users and so could the ispconfig admin. But as some people thought that the ability to create shell users with administrative privileges within a web-based control panel is an exploit, we limited that function in July so that you can't do that in ispconfig anymore. Second: If you installed any ispconfig update since end of July, you could not have added that root user while logged in as administrator as the function has been removed.

    In any case, as long as you have not handed out the ispconfig administrator password to a person that you don't trust, all ispconfig versions were safe as no normal users (client or reseller or email user) were ever able to administrate your server in that way.

    Code:
    10.02.2015-23:14 - DEBUG - There is already an instance of server.php running. Exiting.
    This means either that the server process was running or the lock file was not removed. So if you see the same messages in the log after the root user was added, then the lock file was not removed correctly and therefore ispconfig is not able to do any changes to your setup at all. If the modification in the passwd file was done by ispconfig, then you must see that in the debug log like "added shell user root" or a similar line.

    If you want to know if the root user was added through ispconfig, then take a look into the sys_datalog table in the dbispconfig database. All actions done by ispconfig are logged there and only read from there.

    Just run the ispconfig update script. If it's a multiserver setup, then update the master server first and then the slaves.
     
  3. Mike Hyland

    Mike Hyland New Member

    Thanks for that information and advice - could you advise what column I can look at to see user activity and how to interpret?

    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The column is the data column. It contains a serialized PHP array of the corresponding data record before and after the update. To get started you should just check if you can find the username of the newly added user there.
     
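    One way to do the check till describes, as an added example that is not part of the thread or of ISPConfig's own code: a small Python script that unserializes the PHP arrays stored in the sys_datalog data column and reports every row that mentions a given username, together with the fields that changed between the "before" and "after" records. If the suspicious account was created through ISPConfig it will show up here; if it does not, the account was added by some other path and the investigation has to move off the control panel. The script assumes the data column holds a PHP array with `old` and `new` sub-arrays (those key names are an assumption, verify them against a real row), uses constructed sample rows instead of a live database, and the SQL in the comment uses column names as I recall them from the ISPConfig schema, so check them against your installation.

```python
"""Search ISPConfig sys_datalog rows for a username (added example, not ISPConfig code).

Assumptions (verify against your installation):
  * the `data` column is a PHP-serialized array with `old` and `new` sub-arrays;
  * rows would be fetched with something like
      SELECT datalog_id, dbtable, action, user, data
      FROM sys_datalog WHERE dbtable = 'shell_user' ORDER BY datalog_id;
Sample rows below are constructed for the example, not taken from a real server.
"""
from typing import Any, Dict, List, Tuple


def php_unserialize(blob: bytes) -> Any:
    """Decode a PHP serialize() payload (N, i, b, d, s and a types)."""
    value, _ = _parse(blob, 0)
    return value


def _parse(s: bytes, i: int) -> Tuple[Any, int]:
    t = s[i:i + 1]
    if t == b"N":                          # N;
        return None, i + 2
    if t in (b"i", b"b", b"d"):            # i:42;  b:1;  d:1.5;
        end = s.index(b";", i)
        raw = s[i + 2:end]
        val = int(raw) if t == b"i" else (raw == b"1" if t == b"b" else float(raw))
        return val, end + 1
    if t == b"s":                          # s:4:"root";  length counts bytes
        colon = s.index(b":", i + 2)
        length = int(s[i + 2:colon])
        start = colon + 2                  # skip :"
        val = s[start:start + length].decode("utf-8", "replace")
        return val, start + length + 2     # skip ";
    if t == b"a":                          # a:2:{key;value;...}
        colon = s.index(b":", i + 2)
        count = int(s[i + 2:colon])
        pos = colon + 2                    # skip :{
        result: Dict[Any, Any] = {}
        for _ in range(count):
            key, pos = _parse(s, pos)
            val, pos = _parse(s, pos)
            result[key] = val
        return result, pos + 1             # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {i}")


# Constructed sample rows: one shell user insert, one update, one unrelated row.
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"datalog_id": 101, "dbtable": "shell_user", "action": "i", "user": "admin",
     "data": b'a:2:{s:3:"old";a:0:{}s:3:"new";a:3:{s:8:"username";s:6:"deploy";'
             b's:3:"uid";s:4:"1001";s:5:"shell";s:9:"/bin/bash";}}'},
    {"datalog_id": 102, "dbtable": "shell_user", "action": "u", "user": "admin",
     "data": b'a:2:{s:3:"old";a:2:{s:8:"username";s:6:"deploy";s:5:"shell";s:9:"/bin/bash";}'
             b's:3:"new";a:2:{s:8:"username";s:6:"deploy";s:5:"shell";s:17:"/usr/sbin/nologin";}}'},
    {"datalog_id": 103, "dbtable": "web_domain", "action": "i", "user": "admin",
     "data": b'a:2:{s:3:"old";a:0:{}s:3:"new";a:1:{s:6:"domain";s:11:"example.com";}}'},
]


def find_user_events(rows: List[Dict[str, Any]], username: str) -> List[Dict[str, Any]]:
    """Return every datalog row whose old or new record carries `username`,
    with a per-field (before, after) diff so the change is readable."""
    hits = []
    for row in rows:
        data = php_unserialize(row["data"])
        old, new = data.get("old") or {}, data.get("new") or {}
        if username not in (old.get("username"), new.get("username")):
            continue
        changed = {k: (old.get(k), new.get(k))
                   for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
        hits.append({"datalog_id": row["datalog_id"], "dbtable": row["dbtable"],
                     "action": row["action"], "user": row["user"], "changed": changed})
    return hits


if __name__ == "__main__":
    for name in ("root", "deploy"):
        events = find_user_events(SAMPLE_ROWS, name)
        print(f"{name}: {len(events)} datalog row(s)")
        for e in events:
            print("  ", e["datalog_id"], e["action"], "by", e["user"], e["changed"])
```

    An empty result for the suspicious username is the useful outcome here: it means ISPConfig never wrote that account, which is exactly the case the thread ends up in, and the passwd change has to be explained by something outside the panel.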
  5. Mike Hyland

    Mike Hyland New Member

    Hi Till,
    Thank you so much for your replies. I have found this issue to be caused by glibc libraries which were not up to date. This has now been resolved. Thanks again for your correspondence.
     
