LinuxQuestions.org

Linux - Newbie > Urgent: Server Hacked - please help (https://www.linuxquestions.org/questions/linux-newbie-8/urgent-server-hacked-please-help-471043/)

stuartc1 08-05-2006 10:40 AM

Urgent: Server Hacked - please help
 
Hi,

Someone has managed to compromise my Linux (Fedora) server today. The evil person has added IFRAMEs to many of my sites' homepages - the iframe loads a remote page which contains a Java applet which downloads and attempts to install at least 3 nasty viruses on the clients.


My question is:

How can I find out a list of files edited/created today? Is there some command where I can get a list of these files? I know about ls and some basic params, but I'm not sure about finding files by date. Is there a grep or something else for this?


Please please help...

zaichik 08-05-2006 11:07 AM

I think you might be looking for something along the lines of find, as in
Code:

    find / -mtime -1

This will find all the files from the root partition down that have been modified (-mtime) 1 day or less ago.

That's probably going to be a very large number of files, so you might want to filter the output through grep to search for certain extensions (like .html and so forth), or use more of the options that the find command has to offer.

A word of warning, though--the last time I saw this, the server had actually been compromised, rather than user files being replaced. Turns out that there was a loadable kernel module that caused Apache to write the IFRAME. The issue was resolved by backing up the data and reinstalling the OS. Probably not what you wanted to hear. :(

Good luck.

stuartc1 08-05-2006 11:37 AM

Thanks zaichik.

That command works as described.

Looks like whatever got access has created an index.html file in every directory of at least one of my sites.

One of the other files I found actually had:
<?php include 'myhomepage.php'; ?>
<!-- the iframe code here -->

This suggests that it may have been done manually, although perhaps not.

Any advice on trying to pinpoint where the breach came from? (I have WHM/Cpanel and ssh access)

Thanks again...

haertig 08-05-2006 11:45 AM

Unfortunately, if your server was truly hacked you won't be able to trust what you find. If someone successfully hacked your server, then they could have successfully changed the timestamps on the files they modified, successfully replaced your ls, find, and other standard commands with their trojan versions, etc. Even if you were able to list all files modified in the last 24 hours you'd have no idea if that was really an accurate listing.

Things might be a little better if the attacker just found some hole in Apache and got in only with limited Apache permissions (userid www, nobody, etc.) and was not able to escalate to root. If they didn't gain root privileges you have a chance of detecting what they might have done. If they DID gain root, assume that they hid their tracks well and do not trust anything on your system. Chances are they hid their tracks so well that you might not even be able to detect that they gained root in the first place. Disconnect from the network and restore your system from known-clean backups.
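An added example (not from the thread) that combines zaichik's find/grep suggestion with haertig's caveat about forged timestamps: it builds a constructed sample document root, then lists .html/.htm/.php files changed within the last N days that contain an iframe tag, once by mtime and once by ctime. mtime can be reset with touch, but ctime is updated by the kernel on any inode change and touch cannot set it, so a ctime search catches a backdated file that an mtime search misses.

```shell
#!/bin/sh
# Added example for the thread above; the sample tree is constructed, not real data.
set -eu

# find_iframe_files DOCROOT KIND DAYS
#   KIND is "mtime" or "ctime"; prints web files changed within DAYS that contain "<iframe".
find_iframe_files() {
    docroot=$1
    kind=$2
    days=$3
    find "$docroot" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) \
        "-$kind" "-$days" -print0 \
    | xargs -0 grep -il '<iframe' || true
}

# make_sample_root: build a constructed document root and print its path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/site1/sub" "$root/site2"
    # Clean page, freshly written
    printf '<html><body>Hello</body></html>\n' > "$root/site1/index.html"
    # Defaced page, freshly written (iframe appended after the include, as in the thread)
    printf '<?php include "myhomepage.php"; ?>\n<iframe src="http://iframe-host.invalid/"></iframe>\n' \
        > "$root/site1/sub/index.php"
    # Defaced page whose mtime was then backdated to 2006-01-01; touch leaves ctime at "now"
    printf '<html>Old page</html>\n<iframe src="http://iframe-host.invalid/"></iframe>\n' \
        > "$root/site2/index.html"
    touch -t 200601010000 "$root/site2/index.html"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree
root=$(make_sample_root)
echo "By mtime (one hit; the backdated file is missed):"
find_iframe_files "$root" mtime 1
echo "By ctime (two hits; the backdated file is caught):"
find_iframe_files "$root" ctime 1
rm -rf "$root"
```

On a live system, run the search from a boot CD or another host with the suspect disk mounted read-only, because find and grep on the suspect system may themselves have been replaced.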

haertig 08-05-2006 11:51 AM

Also, you should scan your system from another system. i.e., go to a different Linux box and run an "nmap" scan and possibly a "nessus" scan looking for entry points.

If you find something fishy - like your local hacked system says "I'm not listening on port 4078" but an nmap scan from another computer tells you that you are listening ... you've got big problems! Time for a bare-metal restore if you find something like this.

zaichik 08-05-2006 11:53 AM

Very valid points. It is important that you not confuse a site (or sites) getting hacked with your server being compromised. The former can be cleaned up and usually involves lax permissions (write permissions for the Apache user, most frequently) or PHP cross-site scripting vulnerabilities or something similar and is relatively innocuous. The latter really requires that the system be reinstalled. Run a rootkit checker--preferably two, like rkhunter and chkrootkit. If you have any questions about the results, ask.

stuartc1 08-05-2006 12:32 PM

Thanks guys.

On further investigation it looks like something has run and attached the iframe html to the bottom of all index.html files.

I'm getting all backups from the backup server (which will take about 6 hours :( )

I may write a php script to remove all iframes.

I'll try running those commands you suggested and write back if I find anymore problems.

thanks again.

zaichik 08-05-2006 01:47 PM

Root kit scanners aren't actually commands; you'll have to download and install them.

Some info on root kits is available here

chkrootkit is available here

rkhunter is available here.

