LinuxQuestions.org
Old 03-10-2016, 02:30 PM   #1
documetaltux
My server got hacked


Hi,
My server running CentOS 6.6 got hacked a few moments ago. The server had the Multicraft Minecraft panel and users could upload and execute .jar files there. Is there any way to check if a script has been used to exploit it? The log at /var/log/secure had many failed login attempts, but none of them seems to have succeeded. The hacker had access to my /var/www/html directory; he deleted the content and uploaded his webpage. If he can do so, does he have root access? The incident happened twice: I changed the root password, but after an hour he hacked it again!
This is a result of netstat -at :
Code:
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:smux              *:*                         LISTEN
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 unassigned.psychz.net:ftp   *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 localhost:25465             *:*                         LISTEN
tcp        0      0 localhost:smtp              *:*                         LISTEN
tcp        1      0 localhost:37130             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46054 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:37078             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:44884             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50076             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38768             ESTABLISHED
tcp        0      0 localhost:38756             localhost:25465             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46074 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38792             ESTABLISHED
tcp        1      0 localhost:37102             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46080 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:37098             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38762             ESTABLISHED
tcp        0      0 localhost:25465             localhost:38774             ESTABLISHED
tcp        0      0 localhost:38792             localhost:25465             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46062 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38782             ESTABLISHED
tcp        1      0 localhost:50132             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50136             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:44876             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50120             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:37106             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46050 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        0      0 localhost:38698             localhost:25465             ESTABLISHED
tcp        1      0 localhost:50086             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:58098             localhost:mysql             ESTABLISHED
tcp        0      0 localhost:25465             localhost:38786             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46060 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50080             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:38768             localhost:25465             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46052 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50128             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50104             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50090             localhost:25465             CLOSE_WAIT
tcp        0      0 unassigned.psychz.net:ssh   117.199.1.210:37074         ESTABLISHED
tcp        0      0 localhost:25465             localhost:38698             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46082 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50140             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:38782             localhost:25465             ESTABLISHED
tcp        1      0 localhost:37042             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50098             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:38752             localhost:25465             ESTABLISHED
tcp        1      0 localhost:50148             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50160             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46064 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        0      0 localhost:38786             localhost:25465             ESTABLISHED
tcp        1      0 localhost:50072             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:37058             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:38762             localhost:25465             ESTABLISHED
tcp        0      0 localhost:25465             localhost:38752             ESTABLISHED
tcp        0      0 localhost:38702             localhost:25465             ESTABLISHED
tcp        1      0 localhost:44870             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:38774             localhost:25465             ESTABLISHED
tcp        1      0 unassigned.psychz.net:46070 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50094             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50116             localhost:25465             CLOSE_WAIT
tcp        1      0 localhost:50108             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46090 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46078 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46088 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46058 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46084 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46076 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38702             ESTABLISHED
tcp        1      0 localhost:50112             localhost:25465             CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46048 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50124             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:mysql             localhost:58098             ESTABLISHED
tcp        0   9360 unassigned.psychz.net:ssh   117.199.1.210:50121         ESTABLISHED
tcp        1      0 unassigned.psychz.net:46072 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 unassigned.psychz.net:46086 unassigned.psychz.net:25465 CLOSE_WAIT
tcp        1      0 localhost:50144             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38756             ESTABLISHED
tcp        0      0 *:vseconnector              *:*                         LISTEN
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 localhost:smtp              *:*                         LISTEN
tcp        0      0 *:https                     *:*                         LISTEN
tcp        0      0 unassigned.psychz.net:25565 *:*                         LISTEN
tcp        0      0 unassigned.psychz.net:55922 ns511765.ip-198-27-66.:http TIME_WAIT
tcp        0      0 unassigned.psychz.net:55930 ns511765.ip-198-27-66.:http TIME_WAIT
tcp        0      0 unassigned.psychz.net:55932 ns511765.ip-198-27-66.:http TIME_WAIT
How do I investigate this further and stop him from accessing my system again? Any help is appreciated.
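A first triage pass over a listing like the one above is mechanical enough to script. The following is an added example, not code from the thread: it parses `netstat -at` output and pulls out the three things a responder checks first, namely listeners that are not on the list of services the owner expects, listeners bound only to loopback (a local helper you forgot about, or something you never installed), and every remote peer with an established session together with the local ports it reached. The sample listing is a trimmed, constructed copy of the rows posted above; the expected-service list and the two local hostnames are assumptions taken from this post, not facts about the server.

```python
from collections import defaultdict

# Constructed sample: a trimmed copy of the `netstat -at` listing in the
# post above (same hosts, ports and states, minus most repeated loopback rows).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:smux              *:*                         LISTEN
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 unassigned.psychz.net:ftp   *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0      0 localhost:25465             *:*                         LISTEN
tcp        0      0 localhost:smtp              *:*                         LISTEN
tcp        1      0 localhost:37130             localhost:25465             CLOSE_WAIT
tcp        0      0 localhost:25465             localhost:38768             ESTABLISHED
tcp        0      0 unassigned.psychz.net:ssh   117.199.1.210:37074         ESTABLISHED
tcp        0      0 localhost:58098             localhost:mysql             ESTABLISHED
tcp        0      0 *:vseconnector              *:*                         LISTEN
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:https                     *:*                         LISTEN
tcp        0      0 unassigned.psychz.net:25565 *:*                         LISTEN
tcp        0   9360 unassigned.psychz.net:ssh   117.199.1.210:50121         ESTABLISHED
tcp        0      0 unassigned.psychz.net:55922 ns511765.ip-198-27-66.:http TIME_WAIT
"""

# Names netstat resolved for the box itself (taken from the listing).
LOCAL_HOSTS = {"localhost", "unassigned.psychz.net", "*"}

# Assumption: what the owner says he runs (Apache, MySQL, sshd, Minecraft on
# 25565) plus the usual local-only daemons. Anything else listening gets flagged.
EXPECTED_LISTENERS = {"ssh", "http", "https", "mysql", "smtp", "ftp", "smux", "25565"}


def parse_netstat(text):
    """Parse the tcp rows of `netstat -at` output into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue  # header, udp rows, unix sockets
        local_host, local_port = parts[3].rsplit(":", 1)
        remote_host, remote_port = parts[4].rsplit(":", 1)
        rows.append({
            "local_host": local_host, "local_port": local_port,
            "remote_host": remote_host, "remote_port": remote_port,
            "state": parts[5],
        })
    return rows


def triage(text):
    """Return what to look at first on a possibly compromised host:
    listeners not on the expected list, listeners bound to loopback only,
    and each remote peer with an ESTABLISHED session and the local ports it hit."""
    unexpected, loopback_only = set(), set()
    remote_peers = defaultdict(set)
    for r in parse_netstat(text):
        if r["state"] == "LISTEN":
            if r["local_port"] not in EXPECTED_LISTENERS:
                unexpected.add(r["local_port"])
            if r["local_host"] == "localhost":
                loopback_only.add(r["local_port"])
        elif r["state"] == "ESTABLISHED" and r["remote_host"] not in LOCAL_HOSTS:
            remote_peers[r["remote_host"]].add(r["local_port"])
    return {
        "unexpected_listeners": sorted(unexpected),
        "loopback_only_listeners": sorted(loopback_only),
        "remote_peers": {h: sorted(p) for h, p in remote_peers.items()},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT).items():
        print(key, value)
```

On the real box run `netstat -atnp` as root instead (numeric addresses, and `-p` names the owning process), then feed that output in. Every remote peer reported should be one you recognise, your own SSH session included; every unexpected listener should map to a process you can account for. Run it from a trusted live medium if you can, since a compromised host's `netstat` itself may lie.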
 
Old 03-10-2016, 09:33 PM   #2
jefro
Filesystem access controls usually protect things like data being written to the /var/www/html directory. So, depending on groups and users, it may be that they did have root access to the filesystem.

You'd need to use something that can log all traffic, I'd think. Right now you don't know how the attack took place. One way would be to issue commands remotely. Another would be to have some malware do all this programmatically from within.

You can't trust any data on it really unless you can compare it to some known good data. The most secure way would be to reload the entire system from known good sources. Step up your efforts to harden it. Watch for weak passwords and un-needed access like ssh, telnet, ftp, tftp. Once it is up you'd have to log traffic, I'd think. Might be smarter to use a passive switch to mirror data to monitor it. If it happens again, at least you can watch in time.

Could move up to some more restrictive upstream firewall.

 
Old 03-11-2016, 07:07 AM   #3
documetaltux
Here's the result of ls -lart /var/www/html/:
Code:
total 12
drwxr-xr-x. 7 root   root   4096 Mar  5 16:08 ..
-rw-r--r--. 1 apache apache   24 Mar 10 22:49 index.html
drwxrwx---. 2 apache apache 4096 Mar 10 22:49 .
The file index.html was added by the hacker. Can anyone make anything out of this ?
Thanks for helping
 
Old 03-11-2016, 07:15 AM   #4
pan64
That is not too much. It means (s)he has got at least the user and/or group apache. But probably more.
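pan64's reading follows directly from the mode bits in the listing: the directory is `drwxrwx--- apache apache`, so only root, the apache user, or a member of group apache can create a file in it, and `index.html` is owned by apache, which is exactly the identity the web server process (and anything it spawns) runs under. Here is an added example, not code from the thread, that parses `ls -l` lines and answers "which of these identities could have written here?" for a given entry. The listing is the one posted above; the candidate accounts `minecraft` and `mcadmin` (a user invented as a member of group apache) are assumptions for the example.

```python
import re

# Constructed sample: the `ls -lart /var/www/html/` listing from the post above.
SAMPLE_LS = """\
total 12
drwxr-xr-x. 7 root   root   4096 Mar  5 16:08 ..
-rw-r--r--. 1 apache apache   24 Mar 10 22:49 index.html
drwxrwx---. 2 apache apache 4096 Mar 10 22:49 .
"""

# Assumption: accounts on the box and their group memberships. `mcadmin` is
# invented as a user that was put into group apache for the panel.
CANDIDATES = {
    "root": {"root"},
    "apache": {"apache"},
    "minecraft": {"minecraft"},
    "mcadmin": {"mcadmin", "apache"},
}

_LS_LINE = re.compile(
    r"([-dlcbps])([rwxsStT-]{9})[.+]?"   # type, 9 mode chars, optional SELinux/ACL marker
    r"\s+\d+\s+(\S+)\s+(\S+)\s+\d+"      # links, owner, group, size
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$"        # month, day, time-or-year, name
)


def parse_ls_line(line):
    """Parse one `ls -l` line; returns None for lines like 'total 12'."""
    m = _LS_LINE.match(line)
    if not m:
        return None
    ftype, perm, owner, group, name = m.groups()
    bits = 0
    for i, ch in enumerate(perm):
        # lower-case s/t mean the x bit is set as well; S/T and '-' mean it is not
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return {"type": ftype, "bits": bits, "owner": owner, "group": group, "name": name}


def can_write(entry, user, groups):
    """Standard Unix rule: root always; else owner, then group, then other bit."""
    if user == "root":
        return True
    if entry["owner"] == user:
        return bool(entry["bits"] & 0o200)
    if entry["group"] in groups:
        return bool(entry["bits"] & 0o020)
    return bool(entry["bits"] & 0o002)


def who_can_write(listing, name, candidates):
    """Identities in `candidates` (user -> set of groups) able to write `name`.
    For a directory that means creating or replacing files inside it."""
    entries = {}
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e:
            entries[e["name"]] = e
    target = entries[name]
    return sorted(u for u, g in candidates.items() if can_write(target, u, g))


if __name__ == "__main__":
    for name in (".", "index.html", ".."):
        print(name, who_can_write(SAMPLE_LS, name, CANDIDATES))
```

The result for `.` is the point of the post: the web server's own identity is enough to drop a new `index.html` there, so a foothold in the web application (or in anything else running as apache) explains the defacement without any SSH login or root access. It does not rule root out, which is why the reinstall advice above stands.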
 
Old 03-11-2016, 07:18 AM   #5
documetaltux
Quote:
Originally Posted by pan64 View Post
that is not too much. It means (s)he has got at least the user and/or group apache. But probably more.
But I would like to know if it is possible to do this without actually having SSH access to my server.
Thanks!
 
Old 03-13-2016, 10:57 PM   #6
JJJCR
Quote:
Originally Posted by documetaltux View Post
Here's the result of ls -lart /var/www/html/ :
Code:
total 12
drwxr-xr-x. 7 root   root   4096 Mar  5 16:08 ..
-rw-r--r--. 1 apache apache   24 Mar 10 22:49 index.html
drwxrwx---. 2 apache apache 4096 Mar 10 22:49 .
The file index.html was added by the hacker. Can anyone make anything out of this ?
Thanks for helping
cat index.html

Then check which directories index.html points to.

Also list the users on your system to see whether a new user account has been added.

If the hacker keeps coming back to your system and you are hosting a website, make sure all your web forms, or anything that the user can key in, are protected.

What I mean by protected: make sure that users are not able to run or execute commands from those web forms, e.g. some sort of SQL injection through the website forms, textboxes etc.

If you are using a database, change the database password. Also list the user accounts on the database to make sure no new user account has been created.

But a password reset will not help at all if you really don't know how the guy gets into your system. You need to investigate further.

Check all the online services you are offering for any vulnerability.
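"List the users on your system" is most useful when you have something to compare against, which is also what jefro's "compare it to some known good data" looks like in practice. The following is an added example, not code from the thread: it diffs a known-good `/etc/passwd` snapshot (from a backup or a clean install of the same release) against the current file and flags the three things that matter after a web-root defacement: extra UID-0 accounts, accounts that did not exist before, and service accounts such as apache whose shell has been switched from nologin to a real shell. Both passwd listings are constructed for the example and are not from the original server.

```python
# Constructed samples (not from the original server): a known-good /etc/passwd
# snapshot, and the same file as found after the incident.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
minecraft:x:500:500::/home/minecraft:/bin/bash
"""

CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
minecraft:x:500:500::/home/minecraft:/bin/bash
sysadm:x:0:0::/tmp:/bin/bash
backup:x:501:501::/home/backup:/bin/bash
"""

# Shells that mean "this account is not supposed to log in".
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map user name -> fields for each non-comment line of a passwd file."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def audit_accounts(baseline_text, current_text):
    """Return sorted (finding, account) pairs:
    extra_uid0     - an account other than root with UID 0
    new_account    - present now, absent from the baseline
    shell_enabled  - a nologin service account that now has a real shell
    removed_account- present in the baseline, gone now"""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    findings = []
    for name, u in cur.items():
        if u["uid"] == 0 and name != "root":
            findings.append(("extra_uid0", name))
        if name not in base:
            findings.append(("new_account", name))
        elif u["shell"] != base[name]["shell"] and base[name]["shell"] in NOLOGIN_SHELLS:
            findings.append(("shell_enabled", name))
    for name in base:
        if name not in cur:
            findings.append(("removed_account", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, account in audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD):
        print(finding, account)
```

The same diff-against-a-baseline approach applies to the database side of the advice: dump `SELECT User, Host FROM mysql.user` on the clean install and on the suspect box, and treat any extra row the same way as an extra passwd entry. Do the comparison from a trusted machine; on a compromised host a modified `cat` or `getent` can hide exactly the entries you are looking for.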

 
Old 03-19-2016, 04:34 AM   #7
unSpawn
Issue resolved elsewhere, for reference: https://www.centos.org/forums//viewt...=56953&start=0
 
Old 03-19-2016, 07:38 AM   #8
Habitual
"So it was an exploit due to mis-configured permissions" (Isn't it usually?)
So, obligatory http://codex.wordpress.org/Hardening_WordPress
 
Old 03-20-2016, 08:54 PM   #9
JJJCR
Quote:
Originally Posted by unSpawn View Post
Issue resolved elsewhere, for reference: https://www.centos.org/forums//viewt...=56953&start=0
Wow, you managed to keep track of his post.
 
  

