ISPConfig security flaws / hacked?

Discussion in 'General' started by NIXin, Mar 2, 2008.

  1. NIXin

    NIXin New Member

    Hi all,
    I was noticing some strange behavior on my server (all of the files of one of the ISPConfig sites were suddenly deleted), so I decided to look through stuff and logs.
    Somebody/something deleted the auth.log. Not only that, I noticed a new user "ta" in /etc/passwd.
    I ran every rootkit check I could think of and found nothing. So I deleted the user and changed my root password. Then I installed snort, ossec, prewikka, base, etc. to make sure it won't happen again.
    I thought I had got rid of the problem. Not really. I'm just doing a standard checkup and looking through some files and logs. auth.log is there, but doesn't say anything interesting. But there's something concerning in /etc/passwd, and that something makes me think there's a security flaw in ISPConfig (running the latest version). Here's the line that's giving me a headache:
    user91_admin:x:10130:10091::/var/www/web91:/bin/falsew0rm::2666:777:ADM Inet W0rm:/:/bin/sh

    I know this points to a flaw in BIND (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=UNIX_ADM.WORM.A&VSect=T), but what's strange is that I'm using the latest Hardy Ubuntu repository.
    Could this be a problem with ISPConfig?

    chkrootkit is now showing:
    Checking `lkm'...
    You have 3 process hidden for readdir command
    You have 3 process hidden for ps command
    chkproc: Warning: Possible LKM Trojan installed

    and the rkhunter:
    ADM Worm

    Can anyone comment on this?
     
  2. the_spy

    the_spy New Member

    You should check which script is run on the web91 website (phpBB, Joomla, WordPress, etc.); the security flaw is certainly there, and not in ISPConfig.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I will check this.

    Please have a look in the ISPConfig MySQL database, select the row where user_username = user91_admin from the database table isp_isp_user and send it to me by email to dev [at] ispconfig [dot] org. Please also send me the file /home/admispconfig/ispconfig/ispconfig.log by email.
     
  4. NIXin

    NIXin New Member

    till: Check your PM
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Thanks, I checked the data. According to the logfile, ISPConfig added the user with the following settings to /etc/passwd:

    20.02.2008 - 18:37:23 => INFO - USER:
    user91_admin:x:10130:10091::/var/www/web91:/bin/false

    I had a look at the source code and the output in the log is the same as the line ISPConfig writes to the file, assuming that the hacker did not modify the logfile to hide the way he modified the account data. The data in the MySQL database is fine too.

    This means that most likely the user has been modified in /etc/passwd manually and not through ISPConfig.

    I guess that the following happened:

    The hacker tried to add a user "w0rm" to the /etc/passwd file by adding a line:

    w0rm::2666:777:ADM Inet W0rm:/:/bin/sh

    but he was not aware that ISPConfig does not add a newline at the end of the /etc/passwd file. He most likely used a script for this, and so he did not notice that he had created a non-working user line:

    user91_admin:x:10130:10091::/var/www/web91:/bin/falsew0rm::2666:777:ADM Inet W0rm:/:/bin/sh

    instead of a new line after the user91_admin row:

    user91_admin:x:10130:10091::/var/www/web91:/bin/false
    w0rm::2666:777:ADM Inet W0rm:/:/bin/sh
     
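The fusing that till describes above can be reproduced and detected offline. The following is an added example for this thread, not ISPConfig code: it appends an entry to passwd-style text the careless way and the safe way, and audits each result for lines with the wrong field count (the fingerprint of two fused entries), empty password fields, non-numeric ids, and uid 0 accounts other than root. The sample text is constructed to mirror the line NIXin posted; the function and constant names are this example's own.

```python
"""Audit /etc/passwd-style text for fused or suspicious entries, and append an
entry without producing a fused line.

Added example for the thread above; it is not ISPConfig code. The sample text
below is constructed to mirror the line NIXin posted.
"""
import re

PASSWD_FIELDS = 7
# Conservative username check (lowercase, digits, '_' and '-', optional trailing '$').
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]*\$?")

# Constructed sample: the last line is what you get when an entry is appended to a
# file whose final line has no trailing newline.
SAMPLE_BROKEN = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "user91_admin:x:10130:10091::/var/www/web91:/bin/falsew0rm::2666:777:ADM Inet W0rm:/:/bin/sh\n"
)
# The same file as ISPConfig wrote it: no attacker entry and no trailing newline.
SAMPLE_NO_NEWLINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "user91_admin:x:10130:10091::/var/www/web91:/bin/false"
)
WORM_ENTRY = "w0rm::2666:777:ADM Inet W0rm:/:/bin/sh"


def parse_passwd(text):
    """Yield (lineno, fields) for each non-empty line; fields are ':'-split, not validated."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            yield lineno, line.split(":")


def audit_passwd(text):
    """Return (lineno, reason) findings for lines that are malformed or suspicious."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if len(fields) != PASSWD_FIELDS:
            # 7 + 7 - 1 = 13 fields is exactly what two fused entries produce.
            findings.append((lineno, f"{len(fields)} fields instead of {PASSWD_FIELDS}; "
                                     "two entries may have been fused"))
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not NAME_RE.fullmatch(name):
            findings.append((lineno, f"unusual username {name!r}"))
        if pw == "":
            # An empty second field (no 'x', no hash) means login without a password.
            findings.append((lineno, f"{name}: empty password field, login without a password"))
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, f"{name}: non-numeric uid/gid"))
        elif uid == "0" and name != "root":
            findings.append((lineno, f"{name}: uid 0 account other than root"))
        if not home.startswith("/") or not shell.startswith("/"):
            findings.append((lineno, f"{name}: home or shell is not an absolute path"))
    return findings


def naive_append(text, entry):
    """What a careless script does: plain concatenation, so a missing final newline fuses two entries."""
    return text + entry + "\n"


def safe_append(text, entry):
    """Append an entry, inserting the newline the existing file may lack."""
    if text and not text.endswith("\n"):
        text += "\n"
    return text + entry.rstrip("\n") + "\n"


if __name__ == "__main__":
    for label, sample in [("fused file", SAMPLE_BROKEN),
                          ("naive append", naive_append(SAMPLE_NO_NEWLINE, WORM_ENTRY)),
                          ("safe append", safe_append(SAMPLE_NO_NEWLINE, WORM_ENTRY))]:
        print(label)
        for lineno, reason in audit_passwd(sample):
            print(f"  line {lineno}: {reason}")
```

Run against a real file with `audit_passwd(open("/etc/passwd").read())`; the field-count check is the one that catches the fused line, and the empty-password check is what would have flagged the w0rm entry even if the append had succeeded.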
