Hacked server using port 8080?

Discussion in 'General' started by calbasi, Oct 8, 2019.

  1. calbasi

    calbasi Member

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    And why do you think that the server was hacked through port 8080? If you are referring to the fact that a service normally uses the same port, then this is not related to the actual hack, which means it's not related to the fact that ISPConfig uses the same port. Port 8080 is commonly used by different software.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The blog post you linked is about Kubernetes on port 8080, so that's not related to ISPConfig on port 8080 in any way, it's a completely different software application.
     
  4. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Have you actually determined that the hack was made through port 8080 or have you read about this exploit and made a causal link that way?

    In any case, this server should be considered dead until it's verified safe.

    If you lease this server and do not have the knowledge on how to assess a breach, you should contact the hosting provider's security team; they will have the tools/knowledge on how to do this. I imagine the first thing they will advise is to shut down the server.

    As you refer to port 8080, I am presuming that it's the primary/master server. This will leave any slaves (if any) operating alone with no way to communicate. If it were a slave that was breached, I would be recommending removing all access to the master for this slave.
     
  5. calbasi

    calbasi Member

    You are right, I don't have solid sysadmin knowledge and I can easily be wrong :)
    I suppose "mm" software, used to control my server, could be used by taking advantage of several exploits, not just the one I was talking about...
    The server is now stopped, and I saved a snapshot some days ago to check it if I need to, but I think the origin of the hack could be a simple brute-force attack; I'm copy-pasting what I said in the ##ispconfig IRC room:


    I'm not talking just about ISPConfig... The hack could be due to the Debian system, or even the Moodle install...

    But in the link above, they talk about port 8080, and this port is the same one used by ISPConfig
    It seems this attack uses a Linux security vulnerability solved a couple of years ago...
    I wonder why my recent Debian 10 could be affected...
    Maybe due to the default cloud image used by the hosting provider (Debian 8, I think) to install the initial system... I've upgraded it to Debian 10, but what if attackers got in through the user escalation vulnerability in the time (just 1-2 days) before the initial Debian 8 was upgraded... I'm going to check which Debian core is used by the hoster's cloud images...
    fireba11
    calbasi: port 8080 is the common http-alternate port used by everything from ispconfig over basically every wildfly or tomcat. what's more interesting is was the system patched and most likely the attack vector was some insecure php thing that was not up-to-date
    calbasi
    Yes. maybe it's easy enough... I had the cloud template (Debian 9) for some days without doing any work... maybe enough time to get root access? (I've reinstalled it now and it shows this warning:

    Debian 9.4 Stretch 64 Bit (root pass aA123ABC please change as soon as you login first time uning the passwd command!)
    CptLuxx
    100% bruteforced
    ¯\_(ツ)_/¯
    calbasi
    But maybe a not-upgraded Moodle could be the origin of the issue? I wonder if you can escalate permissions to the Linux root user just with a PHP vulnerability (I thought you could use apache to send messages, etc. but not to have control of the whole OS)

    CptLuxx
    ¯\_(ツ)_/¯
    calbasi
    Do you mean just trying one password or another? maybe fail2ban could have stopped it?
    CptLuxx
    yes that's what bruteforce means..
    dude you have ssh open to the world with a super easy password
    i even guess it's in the top 100
    calbasi
    CptLuxx
    dude you have ssh open to the world with a super easy password
    I've seen, in the current reinstall, that I can not access just by doing ssh root@myserver (only using the virtualized VPN terminal)

    Not sure if this is a security layer...
    When I just updated my template from Debian 9 to Debian 10, I have been able to access it by ssh
    calbasi
    By the way, I'm installing IspConfig using the automated script... Once installed it say:

    Now you can access to your ISPConfig installation at:
    https://XXXXX:8080 or https://XXXX:8080 The
    default ISPConfig Username is: admin and the Password is: admin
    Warning: This is a security risk. Please change the default password
    after your first login.
    You will need to edit the username and password
    in /var/lib/roundcube/plugins/ispconfig3_account/config/config.inc.php
    of the roundcube user, as the one you set in ISPconfig


    I wonder if writing down my ispconfig admin password to a text file (to use it from roundcube) is not an insecure practice
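The IRC advice in the post above (SSH open to the world with a guessable root password, and the question of whether fail2ban would have stopped it) comes down to one detection rule: count "Failed password" events per source IP inside a time window and block the IP once it reaches a threshold. The following is an added example, not code from the thread, from fail2ban or from ISPConfig; it implements that sliding-window rule over constructed auth.log lines in Debian's rsyslog format. The hostname, PIDs, IPs (documentation ranges) and the year 2019 used to complete the syslog timestamps are all assumptions.

```python
"""Sliding-window detector for SSH password brute force over syslog-style auth.log lines.

This is the core of what a fail2ban sshd jail does: count "Failed password" events
per source IP within `findtime` seconds and flag the IP once it reaches `maxretry`.
Added example with constructed input; not fail2ban's or ISPConfig's code.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH failure lines as Debian's rsyslog writes them to /var/log/auth.log.
# "invalid user" appears when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

# Constructed sample log (not a real capture). Hostname, PIDs and IPs are assumptions;
# 203.0.113.5 hammers root, 198.51.100.7 tries twice, 192.0.2.77 probes slowly
# (one attempt every 11 minutes), and one line is a legitimate key login.
SAMPLE_AUTH_LOG = [
    "Oct  8 13:00:00 web1 sshd[2101]: Failed password for root from 192.0.2.77 port 33001 ssh2",
    "Oct  8 13:10:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Oct  8 13:10:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Oct  8 13:10:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2",
    "Oct  8 13:10:07 web1 sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2",
    "Oct  8 13:10:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Oct  8 13:10:11 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51244 ssh2",
    "Oct  8 13:11:00 web1 sshd[2220]: Failed password for root from 192.0.2.77 port 33002 ssh2",
    "Oct  8 13:12:30 web1 sshd[2250]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Oct  8 13:12:35 web1 sshd[2252]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Oct  8 13:13:00 web1 sshd[2260]: Accepted publickey for deploy from 192.0.2.9 port 22222 ssh2: ED25519 SHA256:c29tZWtleQ",
    "Oct  8 13:22:00 web1 sshd[2301]: Failed password for root from 192.0.2.77 port 33003 ssh2",
    "Oct  8 13:33:00 web1 sshd[2310]: Failed password for root from 192.0.2.77 port 33004 ssh2",
    "Oct  8 13:44:00 web1 sshd[2320]: Failed password for root from 192.0.2.77 port 33005 ssh2",
]


def parse_syslog_ts(ts, year=2019):
    """Syslog timestamps carry no year; the caller supplies one (assumed 2019 here)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def find_brute_force(lines, maxretry=5, findtime=600, year=2019):
    """Return {ip: time_of_ban} for every IP with >= maxretry failures inside findtime seconds.

    Defaults mirror the conventional fail2ban sshd jail (5 failures in 10 minutes).
    Only failure lines count; accepted logins and other sshd messages are ignored.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        if ip in banned:          # already decided; fail2ban would have dropped the packets
            continue
        t = parse_syslog_ts(m.group("ts"), year)
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > findtime:   # expire attempts older than the window
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = t
    return banned


def ban_command(ip):
    """Firewall rule a ban action would apply (iptables form; nftables works the same way)."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_AUTH_LOG).items():
        print(f"{when.isoformat()} ban {ip}: {ban_command(ip)}")
```

The slow prober (192.0.2.77) never trips the default rule because each of its attempts has aged out of the 600-second window before the next arrives; that is why a threshold-based jail limits the rate of a brute force but does not make a weak root password safe. The durable fix is the one the chat implies: key-only authentication (`PasswordAuthentication no`, `PermitRootLogin prohibit-password` in sshd_config) with fail2ban as a noise reducer on top.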
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    So basically the guys in the chat told you the same thing that you were told here. You mixed up applications due to a commonly used port. That ISPConfig is used on your server is probably not related to your issue.

    Roundcube does not use the ispconfig admin user login. Roundcube uses a remote user with limited permissions that you have to add in ispconfig under System > remote users.
     
  7. calbasi

    calbasi Member

    Thanks so much, @till. I think the ispconfig_script instructions are not clear, because it's talking about a password just after talking about the ispconfig admin password. Now I understand what it means. There are no references about how to set up a roundcube user, etc. I'm going to open an issue on its github repo.
     
