Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
in general you need to secure your host and web server, but that is not that simple. So there is no "single-command" solution, but you need to check all your services, configurations, permissions, network settings (and a few other things).
Additionally you may need to check your log files to find out what's happened.
All of these settings depend on your hardware and software and hard to give you any help without knowing anything about that.
Log files might tell you what happened, (though depending on the attacker's level of access/competence they could be wiped/forged).
Most likely it's because you're running insecure code that trusted user input and allowed someone to inject their own code.
(There's a number of ways to do that, and it's hard to say more without seeing the code.)
Another possibility is there's a weak password in use somewhere which they managed to determine.
If so, change all relevant passwords, and consider whether any other accounts linked to same/similar emails need addressing.
There's other possibilities, but really there's no point saying more: in all situations step 1 is talk to your hosting provider.
On a shared-hosting environment, sometimes the host does not properly set the security rules for each user's account ... it is actually possible for another user to cd into your home directory, examine its content, and perhaps modify it.
Your web site should be running under a user/group, such as nobody, that does not have write-access to any directories that contain code or resources. If the program needs to write somewhere, only that location should be read/write to it, and it should not be possible for a user to get a directory listing.
Unfortunately, most hosts do not use OpenVPN nor provide VPN-first access to their resources – they simply expose ssh and they usually allow passwords (not certificates). Therefore, your passwords must be pure-random and changed frequently.
wrong permissions or ownership on files (if I type the URL of a script or key file, will it come up in my browser?)
incorrect configuration
using unsanitized user input (just ask Bobby Tables)
unpatched vulnerabilities in software
leaving services running that you don't need (ftp, print)
using insecure add-ons (looking at you, Wordpress)
default or simple or no passwords (you wouldn't do that, would you?)
Some features that may or may not apply: Only allow login/admin on a separate management IP with strict firewall rules. Do remote logging so if (when) you get hacked, they can't wipe the logs. Test on a separate machine; wipe and reinstall everything on update.
Distribution: Ubuntu based stuff for the most part
Posts: 1,173
Rep:
If you are using Wordpress check the extensions you loaded to see if they have a reported security hole. That is the most common way people get access to sites running Wordpress.
Thanks everyone for the replies. Definitely some things to look at there.
One question on all this... When the server was made and Wordpress installed, I noticed that all the wordpress files were owned by a certain user (let's call it UserX). Most of the files have rw-r--r-- rights. Most folders have rwxr-xr-x. Does that look right?
I don't understand how I can tighten that down any more without accidentally locking myself out of being able to access the files.
One question on all this... When the server was made and Wordpress installed, I noticed that all the wordpress files were owned by a certain user (let's call it UserX). Most of the files have rw-r--r-- rights. Most folders have rwxr-xr-x. Does that look right?
I don't understand how I can tighten that down any more without accidentally locking myself out of being able to access the files.
From memory, that sounds about right - I think there's documentation somewhere on the Wordpress site that explains the different folder permissions - but permissions protect your files from other users on the server, they're less relevant if the attacker gets in through a vulnerability in Wordpress (or more likely, one of the plugins), and thus can execute their own PHP code.
You can try putting the names of the plugins you're using into a vulnerability database search - if something comes up you need to check the details and fix it (might be as simple as upgrading to latest version), through if nothing comes up that doesn't guarantee security.
Distribution: Ubuntu based stuff for the most part
Posts: 1,173
Rep:
Try running a clamav scan on the system to find any command shells they are uploading giving them remote access.
The location of anything you find might give a clue as to how they are getting in.
No telling how a hacker got in, if they really did.
I'd consider recording network packets. Then search again if fails. Step up the firewall to include white list, black list, geo limits.
There have been some holes in wordpress a long while ago.
Do you notice the changes? What are the changes other than file?
I didn't notice any other changes. The user had inserted code to create a user in the wordpress db. It looks like they weren't successful and as far as I can see they didn't get any further than that.
But it is interesting they tried the exact same thing 2 nights in a row.
Personally i would backup everything to somewhere else. Wipe the server. Restore the site from backup. Then harden the crap out of it. Although if you are using Wordpress thats almost like trying to bailout a sinking ship with a thimble.
As an admin you can do a certain amount to secure the backend, but the website side is a different matter. Unless you are an experienced programmer you will not be able to shore up the wordpress problem. You can probably mitigate it up to a point by keeping on top of patches and updates, but their is always a possibility that the attacker is using a zero day that no one has found yet.
One thing you could try is restore the functions.php from backup then make it immutable (chattr +i). Presumably that file has no need to be changed very often. In fact any file that doesnt need to be changed you could do the same with. Its very sledgehammer to nut level, but it should work if you are running the webserver as a non-privileged user (preferably with no login). If it then gets changed again, well you have bigger problems because the attacker has found and is probably using a privilege escalation exploit, since only root can remove the immutable attribute. If that happens, look at your root password, get rid of sudo if its installed, in fact get rid of sudo regardless or lock it down so no one can use it.
ClamAV could be a port of call, definitely rkhunter/chkrootkit as well. If it finds a rootkit, then you definitely need to scrub the server and start over.
Good luck. I've been there in the past. I didnt faff around. I just wiped it, restored it and moved on. You can spend weeks trying to work out how they got in, but without a bunch of experience and maybe some pentesting knowledge you will struggle. If everything is up to date and it happened regardless, its either a password issue or maybe a zero day. You could also maybe email the logs to yourself every 15 mins for a couple of days to try and work out how they are getting in.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.