Can't stop hacking.

Discussion in 'Server Operation' started by jagodica, Nov 13, 2014.

  1. jagodica

    jagodica New Member

    At the beginning of the month someone infected my site with some JS stuff that redirected visitors to other sites, but I keep cleaning that. I changed all my passwords for everything.

    Today I think the same person hacked my server again and deleted one site (just one; the others are fine).

    There are no WordPress or Joomla sites.

    I installed ispconfig with this

    I really don't know where to begin. How should I secure my server and stop this?

    Another thing: I can't access settings in phpMyAdmin. Could they have hacked my VPS through it?
  2. srijan

    srijan New Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    First you should check your server with rkhunter, then with maldetect:

    Then you should ensure that all Ubuntu security updates are installed. If your sites use a CMS and there are updates for that CMS, then you should install them as well, if possible.

    You can also try to install mod_security to secure your server even more.
  4. jagodica

    jagodica New Member

    Thanks for replying, but that didn't help my problem. :)

    maldetect didn't find anything.

    I see 1.4.2 is out, but when I do

    /usr/bin/rkhunter --update
    [ Rootkit Hunter version 1.4.0 ]
    Checking rkhunter data files...
      Checking file mirrors.dat                                  [ No update ]
      Checking file programs_bad.dat                             [ No update ]
      Checking file backdoorports.dat                            [ No update ]
      Checking file suspscan.dat                                 [ No update ]
      Checking file i18n/cn                                      [ No update ]
      Checking file i18n/de                                      [ No update ]
      Checking file i18n/en                                      [ No update ]
      Checking file i18n/tr                                      [ No update ]
      Checking file i18n/tr.utf8                                 [ No update ]
      Checking file i18n/zh                                      [ No update ]
      Checking file i18n/zh.utf8                                 [ No update ]
    So I did the scanning anyway...

    [04:57:38] File properties checks...
    [04:57:38] Required commands check failed
    [04:57:38] Files checked: 137
    [04:57:38] Suspect files: 3
    [04:57:38] Rootkit checks...
    [04:57:38] Rootkits checked : 305
    [04:57:38] Possible rootkits: 0
    [04:57:38] Applications checks...
    [04:57:38] All checks skipped
    [04:57:38] The system checks took: 2 minutes and 40 seconds
    This is from the log file; everything else is [OK] or [ Not found ]
    [04:55:09] Performing file properties checks
    [04:55:09] Warning: Checking for prerequisites               [ Warning ]
    [04:55:09]          Unable to find 'lsattr' command - all file immutable-bit checks will be skipped.
    [04:55:20]   /usr/bin/GET                                    [ Warning ]
    [04:55:20] Warning: The file '/usr/bin/GET' exists on the system, but it is not present in the 'rkhunter.dat' file.
    [04:55:29]   /usr/bin/unhide.rb                              [ Warning ]
    [04:55:29] Warning: The command '/usr/bin/unhide.rb' has been replaced by a script: /usr/bin/unhide.rb: Ruby script, ASCII text
    [04:55:29]   /usr/bin/lwp-request                            [ Warning ]
    [04:55:30] Warning: The file '/usr/bin/lwp-request' exists on the system, but it is not present in the 'rkhunter.dat' file.
    [04:57:17]   Checking loaded kernel modules                  [ Warning ]
    [04:57:17] Warning: No output found from the lsmod command or the /proc/modules file:
    [04:57:17]          /proc/modules output: 
    [04:57:17]          lsmod output: 
    [04:57:26]   Checking for local host name                    [ Found ]
    [04:57:26] Info: Starting test name 'startup_malware'
    [04:57:26]   Checking for system startup files               [ Found ]
    [04:57:28]   Checking for passwd file                        [ Found ]
    [04:57:28] Info: Found password file: /etc/passwd
    [04:57:29] Performing system configuration file checks
    [04:57:29]   Checking for a system logging configuration file [ Found ]
    [04:57:29] Info: Found SSH /etc/ssh/sshd_config configuration file: 
    [04:57:29] Info: Rkhunter option ALLOW_SSH_ROOT_USER set to 'no'.
    [04:57:29] Info: Rkhunter option ALLOW_SSH_PROT_V1 set to '0'.
    [04:57:29]   Checking if SSH root access is allowed          [ Warning ]
    [04:57:29] Warning: The SSH and rkhunter configuration options should be the same:
    [04:57:29]          SSH configuration option 'PermitRootLogin': yes
    [04:57:29]          Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no
    [04:57:30]   Checking for a running system logging daemon    [ Found ]
    [04:57:30] Info: Found rsyslog /etc/rsyslog.conf configuration file: 
    [04:57:30]   Checking for a system logging configuration file [ Found ]
    [04:57:30]   Checking /dev for suspicious file types         [ Warning ]
    [04:57:30] Warning: Suspicious file types found in /dev:
    [04:57:30]          /dev/.udev/rules.d/root.rules: ASCII text
    [04:57:31]   Checking for hidden files and directories       [ Warning ]
    [04:57:31] Warning: Hidden directory found: /dev/.udev: directory 
    Also, I've upgraded from Ubuntu 13.10 to 14.04 and installed mod_security from here


    # sudo apt-get upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
  5. jagodica

    jagodica New Member

    And after all this, the hacking happened again.

    Does anyone have any idea how I can see how they are doing this?
  6. edge

    edge Active Member Moderator

    Sounds like one of your sites has a vulnerability.

    Till wrote a little article some time ago about how to see which site is sending emails (something with piping all the email through a PHP script).
    Unfortunately I can not find the article at the moment.

    Maybe this is a good option for you to see what site is being used to spam with.
  7. edge

    edge Active Member Moderator

    Last edited: Nov 15, 2014
  8. jagodica

    jagodica New Member

    Thanks for the reply.

    But the server is not used for spamming.

    In the middle of the attack before they wiped everything, I saved a couple of logs.

    The site has an option to upload attachments, like images...

    This is from the logs:
    "POST /ajaxup.php HTTP/1.1" 200 748 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
    "GET /upload/2014/54679168731b1.php5?act=img&img=home HTTP/1.1" 304 225 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
    "GET /upload/2014/54679168731b1.php5?act=ls&d=%2Fvar%2Fwww%2Fclients%2Fclient0%2Fweb1%2Fweb&sort=0a HTTP/1.1" 200 5627 

    edit: it was c999shell -.-

    So what should I do now to protect sites/server from this?
    Last edited: Nov 16, 2014
  9. edge

    edge Active Member Moderator

    In that case you will need to fix the upload script (54679168731b1.php5) as that is where the problem is.

    A fix could be some check to see if it is a true image that has been uploaded.
    Last edited: Nov 16, 2014
  10. jagodica

    jagodica New Member

    54679168731b1.php5 is not an upload script; it was the file that someone uploaded to the server and used to mess things up.

    Should this in .htaccess help?

    <Files ~ "\.(php|sql|php3|php4|php5|phtml|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
      order allow,deny
      deny from all
    </Files>
    This didn't help.

    Again a *.php5 was uploaded and it deleted the site.
    Last edited: Nov 16, 2014
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Your site has severe problems in its code and you have to fix these if you want to stop the hackers coming in. Does the site have very many requests? If not, then check the requests in access.log that were made before the site got wiped out. Start with the POST requests.
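    One way to do the access.log check described here, added as an example that is not part of the thread: it parses Apache combined-format lines, lists every POST, and separately flags any request for a script file (.php, .php5, .phtml and the like) under the upload directory, which is the sequence the thread's quoted log lines show. The log lines in $sample are constructed for the example (the IPs, timestamps and the /var/www query value are made up; the request paths follow the ones quoted above).

```php
<?php
// Added example, not code from the thread: triage an Apache access.log for the
// pattern the thread describes, i.e. POST requests to an upload endpoint
// followed by requests for script files under the upload directory.
// The lines in $sample are constructed for this example (combined format),
// modelled on the request lines quoted in the thread.

// combined format: host ident user [time] "METHOD path proto" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';
// Extensions the web server would hand to an interpreter instead of serving as data.
const SCRIPT_EXT_RE = '/\.(php\d?|phtml|phps|pl|py|cgi|sh)$/i';

function parseLine(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $path  = parse_url($m[4], PHP_URL_PATH);
    $query = parse_url($m[4], PHP_URL_QUERY);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'query'  => is_string($query) ? $query : '',
        'status' => (int) $m[5],
    ];
}

// Every POST, and every request for a script file under $uploadDir, in log order.
function triage(array $lines, string $uploadDir = '/upload/'): array
{
    $findings = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST') {
            $findings[] = ['kind' => 'POST', 'req' => $r];
        }
        if (strpos($r['path'], $uploadDir) === 0 && preg_match(SCRIPT_EXT_RE, $r['path'])) {
            // A script being *requested* from an upload directory is the strongest
            // signal: once the extension is handed to PHP, the "image" is executing.
            $findings[] = ['kind' => 'SCRIPT-IN-UPLOADS', 'req' => $r];
        }
    }
    return $findings;
}

// Constructed sample log lines for the example.
$sample = [
    '198.51.100.7 - - [16/Nov/2014:03:12:01 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Nov/2014:03:12:40 +0100] "POST /ajaxup.php HTTP/1.1" 200 748 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Nov/2014:03:12:55 +0100] "GET /upload/2014/54679168731b1.php5?act=img&img=home HTTP/1.1" 304 225 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Nov/2014:03:13:02 +0100] "GET /upload/2014/54679168731b1.php5?act=ls&d=%2Fvar%2Fwww HTTP/1.1" 200 5627 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Nov/2014:03:13:30 +0100] "GET /upload/2014/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
];

// Usage: php triage.php [path/to/access.log]; without an argument the sample is used.
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
foreach (triage($lines) as $f) {
    $r = $f['req'];
    printf("%-18s %s %-14s %s %s%s\n", $f['kind'], $r['time'], $r['ip'], $r['method'],
        $r['path'], $r['query'] !== '' ? '?' . $r['query'] : '');
}
```

    On the sample this prints one POST line and two SCRIPT-IN-UPLOADS lines, all from the same client IP and within a minute of each other, which is the ordering to look for in the real log: the POST is the upload, the later GETs are the uploaded file being used. Reading the IP and timestamp from the full combined-format line matters here, because the request lines alone (as pasted in the thread) cannot show that the upload and the later requests came from the same client.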
  12. jagodica

    jagodica New Member

    "POST /ajaxup.php HTTP/1.1" 200 743 "" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36"
    only POST

    ajaxup.php is for uploading images, so I guess they used this file to get a *.php5 onto the server.
  13. jagodica

    jagodica New Member

    I did some digging around...
    The script for uploading is Uploadify; it has been modified for the site.
    It contains
    'fileExt'     : '*.jpg;*.gif;*.png;*.jpeg',
    but that is not enough for securing the upload.

    So I was thinking of modifying the .vhost files for all the sites (just in case the .htaccess files are rewritten or deleted) and adding these lines:

    deny from all
    <Files ~ "^\w+\.(gif|jpe?g|png)$">
      order deny,allow
      allow from all
    </Files>
    only for images
    <IfModule mod_php5.c>
      php_flag engine off
    </IfModule>
    if someone is trying to put some code into images.

    Would that work?
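    The server-side counterpart to the configuration above, added here as an example that is not code from the thread or from Uploadify: the 'fileExt' option only filters the browser's file dialog, so the receiving script has to check the extension, the content's magic bytes and whether the bytes decode as an image, then store a re-encoded copy under a name the client did not choose. The function name acceptImageUpload, the size limit and the ALLOWED table are assumptions made for the example; it assumes PHP 7.1 or later with the GD and fileinfo extensions loaded, and the self-check at the bottom uses constructed files in a temporary directory.

```php
<?php
// Added example, not code from the thread or from Uploadify: server-side acceptance
// check for image uploads. Assumes PHP 7.1+ with the GD and fileinfo extensions.
// MAX_BYTES and ALLOWED are constructed values for the example.

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = [              // final extension => MIME type the *content* must have
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate an uploaded file ($tmpPath, e.g. $_FILES['file']['tmp_name']) and, if it is
 * an image, store a re-encoded copy in $destDir under a random name.
 * Returns ['ok' => bool, 'reason' => string, 'path' => ?string].
 */
function acceptImageUpload(string $originalName, string $tmpPath, string $destDir): array
{
    $fail = function (string $why): array {
        return ['ok' => false, 'reason' => $why, 'path' => null];
    };

    // 1. Size limit before the content is touched.
    if (!is_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        return $fail('missing or too large');
    }
    // 2. Whitelist the *final* extension of the user-supplied name. "x.php5" resolves
    //    to "php5" and is rejected here; "x.php.jpg" resolves to "jpg", passes here,
    //    and is left to the content checks below.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return $fail("extension '$ext' not allowed");
    }
    // 3. The magic bytes must agree with the extension (fileinfo ignores the name).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return $fail("content is $mime, expected " . ALLOWED[$ext]);
    }
    // 4. It must actually decode as an image; GD returns false for anything else.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return $fail('not a decodable image');
    }
    // 5. Write a fresh encoding of the decoded pixels under a name the client did not
    //    choose. Bytes appended after the image data are not copied, and the stored
    //    extension is fixed by the server, never taken from the request.
    $name = bin2hex(random_bytes(16)) . '.' . ($ext === 'jpeg' ? 'jpg' : $ext);
    $dest = rtrim($destDir, '/') . '/' . $name;
    switch ($ext) {
        case 'png': $written = imagepng($img, $dest); break;
        case 'gif': $written = imagegif($img, $dest); break;
        default:    $written = imagejpeg($img, $dest, 90); break;
    }
    imagedestroy($img);
    return $written ? ['ok' => true, 'reason' => 'stored', 'path' => $dest] : $fail('write failed');
}

// Self-check with constructed inputs (run with `php upload-check.php`).
$tmp = sys_get_temp_dir() . '/upload-demo-' . getmypid();
mkdir($tmp);
$canvas = imagecreatetruecolor(4, 4);
imagepng($canvas, "$tmp/real.png");                                    // a genuine image
file_put_contents("$tmp/notes.jpg", "just some text");                 // text renamed to .jpg
imagegif($canvas, "$tmp/trailer.gif");
file_put_contents("$tmp/trailer.gif", 'APPENDED-MARKER', FILE_APPEND); // image with text appended
imagedestroy($canvas);

foreach (['real.png', 'notes.jpg', 'tool.php5', 'trailer.gif'] as $name) {
    $src = "$tmp/" . ($name === 'tool.php5' ? 'notes.jpg' : $name);   // same bytes, script extension
    $res = acceptImageUpload($name, $src, $tmp);
    printf("%-12s -> %s (%s)\n", $name, $res['ok'] ? 'accepted' : 'rejected', $res['reason']);
    if ($res['ok'] && $name === 'trailer.gif') {
        $survived = strpos(file_get_contents($res['path']), 'APPENDED-MARKER') !== false;
        echo "  appended text survived re-encoding: " . ($survived ? 'yes' : 'no') . "\n";
    }
}
```

    The Apache rules in the post above and this check address different failures and are worth having together: the vhost rules stop the web server from executing anything in the upload directory even if a script does get written there, while the validation stops the script from being written in the first place and makes the stored name unguessable. Because the saved file is re-encoded from pixels rather than copied, text appended after a valid image does not reach disk, which is what the trailer.gif case in the self-check demonstrates.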
