#1
Hacked this AM
Someone used a PHP exploit to take down several of our sites this morning.
Replaced the homepages with their hacker page ~DESTROYER~. We had backups, but they actually took the time to delete one of our databases, leaving the rest untouched. We traced it to the hosting company, www.e3sarcom.org. Not sure what exploit they used, as we had the latest version of phpBB with all updates to the OS and many services disabled.
Jerry
#2
It was probably an injection exploit. I never realized the number of attempts until I installed mod_security (Linux Apache module; recommended if this is what you're running). It isn't a total fix-all, but it does very well at blocking many injection requests.
I had a web calendar exploited (they didn't get very far, since we've taken other security precautions), but I have the PHP script they managed to use to send a bunch of spam out with, which, again, I caught before it got too out of control (they tried a DOS mail attack). I reported the site they used to get the script from (fbinasa.gov or something like that) and contacted the web host, and within 2 hours they were taken down. While they probably had quite a few others, at least it might have stopped them for a few attacks.
#3
We got everything restored now except one domain's phpBB database (MySQL). The cPanel backup on the backup FTP server is truncated for some reason. Exploding the GZ, it hits an unexpected EOF. This occurs on both the daily and weekly backups.
Looks like that message board will be starting over from scratch. We have the HTML files, so the look and feel remain, just no accounts or posts. I would be happy if the penalty for hacking sites was death. It's not a crime you would accidentally do, so any penalty that stops it is just.
#4
Since you're running cPanel, I would recommend mod_security. They have it under the addon modules (you might have to get the pro version mod first). They are both free, and this adds a nice interface to WHM to see how many attempts were blocked. With it you set the rules you want it to watch for, and there are tons of samples out there.
If you'd like, I can post or send you the ruleset I'm using, which seems to block most exploits, especially those that try to retrieve other files and open the back door.
#5
I would like to see your ruleset...
#6
This is my config file. I'm open to suggestions as well.
Code:
SecServerSignature "Apache"
SecFilterScanPOST On
# Require Content-Length to be provided with every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterSelective ARGS_VALUES "[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"
# Protecting from XSS attacks through the PHP session cookie
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
SecFilter "viewtopic\.php\?" chain
SecFilter "chr\(([0-9]{1,3})\)"
SecFilterSelective REQUEST_URI "(cd[[:space:]]+.+|echo[[:space:]]+.+|perl[[:space:]]+.+|python[[:space:]]+.+|rpm[[:space:]]+.+|lynx[[:space:]]+.+|links[[:space:]]+.+|mkdir[[:space:]]+.+|elinks[[:space:]]+.+|wget[[:space:]]+.+|(s|r)(cp|sh)[[:space:]]+.+|net(stat|cat)[[:space:]]+.+|rexec[[:space:]]+.+|smbclient[[:space:]]+.+|t?ftp[[:space:]]+.+|(nc)?ftp[[:space:]]+.+|curl[[:space:]]+.+|telnet[[:space:]]+.+|gcc\s+.+|cc[[:space:]]+.+|g\+\+[[:space:]]+.+|system\(|exec\(|uname[[:space:]]+-a|\.htgroup|\.htaccess|///cgi-bin|/cgi-bin///|/~root|/~ftp|/~nobody|<script)"
SecFilter "javascript\://"
SecFilter "_PHPLIB\[libdir\]"
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
#SecFilterDefaultAction "pass,exec:/home/modsec.php"
# WEB-ATTACKS wget command attempt
SecFilterSelective THE_REQUEST "wget "
# WEB-ATTACKS uname -a command attempt
SecFilterSelective THE_REQUEST "uname -a"
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup"
# WEB-ATTACKS .htaccess access
SecFilterSelective THE_REQUEST "\.htaccess"
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC cd..
SecFilterSelective THE_REQUEST "cd\.\."
# WEB-MISC ///cgi-bin access
SecFilterSelective THE_REQUEST "///cgi-bin"
# WEB-MISC /cgi-bin/// access
SecFilterSelective THE_REQUEST "/cgi-bin///"
# WEB-MISC /~root access
SecFilterSelective THE_REQUEST "/~root"
# WEB-MISC /~ftp access
SecFilterSelective THE_REQUEST "/~ftp"
# WEB-MISC htgrep attempt
SecFilterSelective THE_REQUEST "/htgrep" chain
SecFilter "hdr=/"
# WEB-MISC htgrep access
SecFilterSelective THE_REQUEST "/htgrep" log,pass
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC /~nobody access
SecFilterSelective THE_REQUEST "/~nobody"
# WEB-PHP PHP-Wiki cross site scripting attempt
SecFilterSelective THE_REQUEST "<script"
# WEB-PHP strings overflow
SecFilterSelective THE_REQUEST "\?STRENGUR"
# WEB-PHP PHPLIB remote command attempt
SecFilter "_PHPLIB\[libdir\]"
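Rulesets like the one above are only as good as the traffic you have tried them against, and a bare pattern such as "wget " will also block a legitimate forum search that mentions the tool (the "legitimate traffic get blocked" problem raised later in this thread). The following Python harness is an added example, not the poster's code and not part of mod_security: it takes a subset of the patterns above verbatim, translates the POSIX `[[:space:]]` class to Python's `\s`, and replays constructed request lines (not from anyone's logs) against them so you can see which rules fire and which harmless requests they would also catch. It simplifies mod_security 1.x semantics by running every pattern over the whole URL-decoded request line, which is what `THE_REQUEST` and plain `SecFilter` see anyway.

```python
"""Replay constructed request lines against a subset of the mod_security 1.x
ruleset posted above.  Added test harness, not the poster's config and not part
of mod_security; it shows which rules fire and which legitimate requests they
would also block."""
import re
from urllib.parse import unquote_plus


def posix_to_python(pattern: str) -> str:
    """mod_security 1.x rules use POSIX bracket classes, which Python's re
    module does not understand; [[:space:]] is the only one this ruleset uses."""
    return pattern.replace("[[:space:]]", r"\s")


# (rule name, patterns).  More than one pattern models a "chain": every
# pattern must match for the rule to fire.  Patterns are copied verbatim from
# the posted config; names follow its comments.
RULES = [
    ("mail header injection via form field",
     [r"[[:space:]](cc|bcc|to)[[:space:]]*\:.*\@"]),
    ("phpBB viewtopic.php chr() chain",
     [r"viewtopic\.php\?", r"chr\(([0-9]{1,3})\)"]),
    ("WEB-ATTACKS wget command attempt", [r"wget "]),
    ("WEB-ATTACKS uname -a command attempt", [r"uname -a"]),
    ("WEB-ATTACKS .htaccess access", [r"\.htaccess"]),
    ("WEB-CLIENT Javascript URL host spoofing attempt", [r"javascript\://"]),
    ("WEB-MISC cd..", [r"cd\.\."]),
    ("WEB-MISC /~root access", [r"/~root"]),
    ("WEB-PHP PHP-Wiki cross site scripting attempt", [r"<script"]),
    ("WEB-PHP PHPLIB remote command attempt", [r"_PHPLIB\[libdir\]"]),
]
COMPILED = [(name, [re.compile(posix_to_python(p)) for p in pats])
            for name, pats in RULES]


def evaluate(request_line: str) -> list[str]:
    """Names of the rules that fire on one request line, in ruleset order.

    Simplification: real mod_security applies SecFilterSelective only to the
    named variable (THE_REQUEST, ARGS_VALUES, COOKIE_...).  Here every pattern
    runs over the whole URL-decoded request line, which is what THE_REQUEST
    and a plain SecFilter see, so the ARGS_VALUES rule is approximated."""
    decoded = unquote_plus(request_line)
    return [name for name, pats in COMPILED
            if all(p.search(decoded) for p in pats)]


# Constructed sample traffic (not taken from any real log): four requests the
# rules are meant to catch, one harmless page load, and one legitimate forum
# search that the bare "wget " pattern blocks.
SAMPLE_REQUESTS = [
    "GET /index.php HTTP/1.1",
    "GET /.htaccess HTTP/1.0",
    "GET /~root/ HTTP/1.0",
    "GET /forum/viewtopic.php?t=12&highlight=chr(65) HTTP/1.1",
    "POST /contact.php?subject=hi%0Abcc:%20someone@example.com HTTP/1.1",
    "GET /search.php?q=how+to+use+wget+on+linux HTTP/1.1",
]


def summarize(requests=SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Map each request line to the rules it trips (empty list = passes)."""
    return {req: evaluate(req) for req in requests}


if __name__ == "__main__":
    for req, hits in summarize().items():
        print(("BLOCK " if hits else "pass  ") + req)
        for name in hits:
            print("        " + name)
```

Run it and the last sample request is blocked even though it is an ordinary search; anchoring such patterns to the variables they are meant for (`REQUEST_URI` or a specific argument rather than `THE_REQUEST`) and testing against a capture of your own legitimate traffic before switching from `log,pass` to deny is how you keep the ruleset from taking down the site it protects.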
#7
Actually, this guy had a good little tutorial and some .conf files to keep out a lot of things...
http://frankmash.blogspot.com/2005_1...h_archive.html
#8
GLJones, sorry to hear about your site getting hacked.
I have a question: how are you so sure that it was a PHP exploit? Just curious. The reason I ask is that a few friends of mine had thought the same, but the problem ended up being totally different (brute-force FTP attacks).
Quote:
I wanted to point out that depending on what your site is about, you may need to tweak some mod_security settings so legitimate traffic doesn't get blocked (this happened to one of my clients). If on a dedicated server, I would also recommend blocking root login attempts altogether and creating an alternative account with root's power. Also, install brute force detection (if not already installed). I look forward to answering any questions you may have. You can post a comment on my blog or e-mail me at softwareengineer99 at yahoo in case you need assistance.
Thanks
Frank
#9
I only have one issue, and luckily it's only for ONE client that just can't get off the pacifier... FrontPage... just can't seem to get it to allow connections.
Is there a way to test BFD? I just want to make sure it's running....
#10
If I run bfd I get this...
[root@server1 ~]# /usr/local/sbin/bfd -s
BFD version 0.9 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
But if I do a killall bfd... no processes killed.... My bfd logs are empty...
#11
Quote:
You can verify BFD is running by tailing
Code:
/var/log/bfd.log
Code:
bfd -a
GLJones, I also wanted to point out that once you are hacked, and assuming that the hacker got access to your file system, there is no guarantee that your system is clean. I highly recommend you run a rootkit scan on your server to make sure the hacker didn't leave any rootkit on your server. This can be done using tools like rkhunter/chkrootkit etc. Also, make sure your important system binaries haven't been compromised. Just a few pointers I thought may help.
Thanks
Frank
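Checking that "important system binaries haven't been compromised" needs something to compare against: on an RPM-based system the package database (`rpm -V`) serves, and where that is unavailable or itself untrusted, a hash baseline taken before the incident and stored off the box does. The following is an added example of the baseline approach, not part of rkhunter, chkrootkit or BFD; `DEFAULT_TARGETS` is an assumed list of commonly trojaned binaries, and `demo()` works on constructed stand-in files in a scratch directory rather than on real system binaries.

```python
"""Baseline-and-compare integrity check for system binaries, one way to act on
the advice above about verifying important binaries after a compromise.
Added example; not part of rkhunter, chkrootkit or BFD."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Binaries that trojaned-binary rootkits most often replace (assumed list;
# the same kind of paths rkhunter/chkrootkit inspect).  Adjust for your layout.
DEFAULT_TARGETS = ["/bin/ls", "/bin/ps", "/bin/netstat", "/bin/login",
                   "/usr/bin/find", "/usr/bin/top", "/usr/bin/ssh", "/usr/sbin/sshd"]


def file_fingerprint(path: Path) -> dict:
    """SHA-256 of the contents plus size, mode and ownership.  mtime is left
    out on purpose: an attacker resets it trivially, while the hash is not."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}


def build_baseline(paths) -> dict[str, dict]:
    """Fingerprint every regular file in `paths`; missing paths are skipped."""
    return {str(p): file_fingerprint(Path(p)) for p in paths if Path(p).is_file()}


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep this file off the host (or on read-only media): a baseline the
    # attacker can edit proves nothing.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict[str, dict]:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Sort paths into changed (any recorded field differs), missing, or new."""
    report = {"changed": [], "missing": [], "new": []}
    for path, fp in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif current[path] != fp:
            report["changed"].append(path)
    report["new"] = [p for p in current if p not in baseline]
    return report


def demo(workdir: str) -> dict[str, list[str]]:
    """Simulate the scenario in a scratch directory: baseline three constructed
    stand-in binaries, then trojan one, delete one, drop a new one and report.
    Returns basenames so the result does not depend on the temp path."""
    root = Path(workdir)
    bindir = root / "bin"
    bindir.mkdir()
    for name in ("ls", "ps", "netstat"):
        (bindir / name).write_bytes(b"ELF " + name.encode() + b" v1")
    save_baseline(build_baseline(sorted(bindir.iterdir())), root / "baseline.json")
    # Simulated attacker activity
    (bindir / "ps").write_bytes(b"ELF ps v1 patched to hide a process")
    (bindir / "netstat").unlink()
    (bindir / "sshd").write_bytes(b"ELF sshd not in baseline")
    report = compare(load_baseline(root / "baseline.json"),
                     build_baseline(sorted(bindir.iterdir())))
    return {k: sorted(os.path.basename(p) for p in v) for k, v in report.items()}


def run_demo() -> dict[str, list[str]]:
    """Run demo() in a temporary directory that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    # On a real host, before any incident:
    # save_baseline(build_baseline(DEFAULT_TARGETS), Path("/media/usb/baseline.json"))
```

The caveat that matters in this thread: a baseline taken after the break-in only proves that nothing has changed since the break-in, so on an already compromised box the package database or a known-good install is the reference, and the comparison should be run from a clean system or rescue media, since a trojaned `ls` or `sha256sum` can lie about itself.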
#12
Quote:
If not, try putting something like this (modify for your environment)
Code:
MAILTO=
SHELL=/bin/sh
*/10 * * * * root /usr/local/sbin/bfd -q >> /var/log/bfd.log
Frank
#13
Hmm, that might have been it... I didn't have this part ">> /var/log/bfd.log" in the cron.d/bfd; I added it.
Yep, they cannot connect. I cannot connect via my IP or into the admin area either... It just comes up with the error:
Server Error: Unknown web server type "NOYB". On Windows platforms, Microsoft Internet Information Server is supported. On UNIX platforms, Apache with the Microsoft FrontPage patch is supported.
bfd -a just gets me
[root@server1 ~]# bfd -a
BFD version 0.9 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
#14
Quote:
It indicates that bfd doesn't know of anyone attacking your server (quite surprising). Check your log files after 30 minutes or so and see if you get anything. My bfd -a gives
Code:
BFD version 0.9 <bfd@r-fx.org>
Copyright (C) 1999-2004, R-fx Networks <proj@r-fx.org>
Copyright (C) 2004, Ryan MacDonald <ryan@r-fx.org>
This program may be freely redistributed under the terms of the GNU GPL
24.158.60.76 sshd
24.171.128.253 sshd
24.226.127.215 sshd
59.120.43.88 sshd
61.144.224.28 sshd
61.172.192.3 sshd
61.178.20.170 sshd
61.219.198.34 sshd
61.233.28.130 sshd
62.111.189.167 sshd
62.194.80.137 sshd
64.251.14.182 sshd
66.147.238.14 sshd
66.221.67.64 sshd
67.127.61.253 sshd
68.228.218.72 sshd
69.144.172.111 sshd
80.53.131.30 sshd
83.228.113.166 sshd
85.41.39.34 sshd
134.241.2.218 sshd
151.8.3.179 sshd
194.228.71.66 sshd
200.155.52.143 sshd
200.85.41.90 sshd
201.51.165.241 sshd
202.108.13.91 sshd
203.131.132.66 sshd
203.158.191.6 sshd
203.200.93.135 sshd
203.43.65.189 sshd
206.40.148.132 sshd
206.51.238.182 sshd
209.160.64.51 sshd
210.228.173.152 sshd
211.125.77.65 sshd
211.154.205.252 sshd
211.162.74.225 sshd
211.21.74.146 sshd
213.98.51.34 sshd
216.193.225.138 sshd
216.227.243.105 sshd
216.97.49.226 sshd
217.160.130.123 sshd
217.172.181.107 sshd
218.189.146.172 sshd
218.87.6.201 sshd
219.129.237.66 sshd
219.133.55.47 sshd
221.254.107.187 sshd
#15
If you don't mind me asking... what are your inbound and egress ports set up as on APF? I think I solved the problem, as I moved SSH to another port and didn't have port 22 in the apf.conf, just the new port...