LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-08-2009, 05:36 AM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600

Quote:
Originally Posted by SoX|OK View Post
so if I understand everything correctly, then my problem was the outdated phpmyadmin.
If the logs are regarded as complete then, yes, it's phpMyAdmin. Note that "your problem" is not only running outdated software:
- if you had installed Logwatch (or equivalent) and read the reports it sends, you would have received Apache warnings to respond to,
- if the /phpmyadmin dir had been protected (config or .htaccess file), allowing access only from your management IP range, no user would have been able to access it,
- if you had had mod_security rules in place, they could have provided additional logging/access restrictions.
So the application might have been vulnerable, but restricting access could have prevented a lot.


Quote:
Originally Posted by SoX|OK View Post
Any idea if this is my only failure? Or should we look into something else as well?
Some logs go back to 2008 but most logs don't. I did not find logging to suspect attack vectors in other services, and neither did I find out how SHV5 got installed.


Quote:
Originally Posted by SoX|OK View Post
Normally I check for updates regularly; I have no clue why phpmyadmin wasn't updated.
That looks like a good statement to make. But your dpkg and term logs (apt-get) show gaps, at times more than three months between update runs. There's a difference between running Munin's 'apt-get update' plugin to be notified of updates and actually updating things. Focussing on phpMyAdmin we see version 2.9.1.1-7 got updated on 2008/Oct/17 to 2.9.1.1-8, on 2009/Feb/24 to 2.11.8.1-5 and on 2009/Sep/07 to 2.11.8.1-5+lenny1. Version 2.11.8.1-5+lenny1 was patched on 2009/Mar/24 and released on 2009/Jun/25. If you only used apt-get to update software then I could conclude your server management skills are somewhat lacking.


One of the problems with GNU/Linux is that one of its unique selling points (namely it being available free of cost) in some people creates the misconception that once they run a GNU/Linux server they are already a "server administrator", that getting to know the platform intimately (especially for users accustomed to using Operating Systems that are different in architecture and concepts) is unnecessary, and that no investment is needed in terms of knowledge. This misconception is enhanced by resellers (and sought for by users) who provide easy access to some system functionality through a web-based "panel", leading to the idea that point-and-click is OK and all one needs, and that if there is no option or no "OK" button for something then that something simply does not exist. Unfortunately that is not the case. One other problem is that some categories of software install too easily to be true. It might run OK and seem to do your bidding, and unless you remain vigilant you will not soon see evidence of the contrary. It is not without reason I renamed PHP to read "Pretty Horrific Programming". Because of its strengths GNU/Linux is coveted by many, and because of GNU/Linux being "the networked operating system", with running it comes the responsibility to keep it from harming other network users. Security is not a "fire and forget" one-off but a continuous cycle of monitoring and auditing the system and making adjustments.


I'm not saying that you have done nothing to harden your server, but by not configuring Apache access controls for phpMyAdmin, by not running Logwatch (or not reading logs) and by not updating when updates became available you have missed some aspects. These days rootkit compromises have become rather rare. It is unfortunate that you have been hit by one, but I hope that you will learn from it. Right now, unless you have more questions, it is time to save your (humanly readable) configuration files (not for reuse but for reference) and back up the daemon and system logs (just in case they're needed). Before you have the server wiped and reinstalled from scratch I suggest you create a new thread in this forum, list the software packages that are to be installed that provide access over the network, post (attach) the configs that go with them, propose what you will do in terms of system hardening and ask for securing / hardening tips.

HTH

Last edited by unSpawn; 09-08-2009 at 05:37 AM.
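The dpkg and term log gaps unSpawn points at can be pulled out mechanically rather than read by eye. The script below is an added example, not code from the thread or from any LQ member: it parses Debian's dpkg.log for one package's upgrade history, finds the longest stretch during which no upgrade ran at all, and works out how long a released fix sat uninstalled. The embedded log lines are constructed (only the phpmyadmin dates echo the thread; the apt entries and timestamps are made up, and real entries may carry a version epoch prefix, which does not matter since the match is on the package name). On a real host run it with DPKG_LOG=/var/log/dpkg.log.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian dpkg.log for one package's
# upgrade history, for long stretches with no upgrade run at all, and for how long
# a released fix sat uninstalled. Set DPKG_LOG=/var/log/dpkg.log on a real host.

# Constructed sample log; only the phpmyadmin dates echo the thread. Real dpkg.log
# lines use the same "date time action package old-version new-version" layout.
SAMPLE_LOG="${TMPDIR:-/tmp}/dpkg-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2008-10-17 03:12:39 startup packages configure
2008-10-17 03:12:40 upgrade phpmyadmin 2.9.1.1-7 2.9.1.1-8
2008-10-17 03:12:41 status unpacked phpmyadmin 2.9.1.1-8
2008-12-02 22:05:10 upgrade apt 0.7.20 0.7.20.1
2009-02-24 11:40:01 upgrade phpmyadmin 2.9.1.1-8 2.11.8.1-5
2009-02-24 11:40:02 status installed phpmyadmin 2.11.8.1-5
2009-03-30 09:15:44 upgrade apt 0.7.20.1 0.7.20.2
2009-09-07 08:02:15 upgrade phpmyadmin 2.11.8.1-5 2.11.8.1-5+lenny1
EOF
LOG="${DPKG_LOG:-$SAMPLE_LOG}"

# Number of days from date A to date B (YYYY-MM-DD), via the Gregorian Julian Day
# Number formula in awk, so the script does not depend on GNU "date -d".
days_between() {
    awk -v a="$1" -v b="$2" '
    function jdn(d,   p, y, m, dd, f, yy, mm) {
        split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
        f = int((14 - m) / 12); yy = y + 4800 - f; mm = m + 12 * f - 3
        return dd + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
    }
    BEGIN { print jdn(b) - jdn(a) }'
}

# Every upgrade of one package as "date old-version -> new-version".
# Only "upgrade" actions count; "status" and "startup" lines are skipped.
package_history() {
    awk -v pkg="$1" '$3 == "upgrade" && $4 == pkg { printf "%s %s -> %s\n", $1, $5, $6 }' "$LOG"
}

# Longest gap, in days, between two consecutive days on which any upgrade ran.
longest_upgrade_gap() {
    prev=""; longest=0
    for day in $(awk '$3 == "upgrade" { print $1 }' "$LOG" | sort -u); do
        if [ -n "$prev" ]; then
            gap=$(days_between "$prev" "$day")
            [ "$gap" -gt "$longest" ] && longest=$gap
        fi
        prev=$day
    done
    echo "$longest"
}

report() {
    echo "upgrade history for phpmyadmin:"
    package_history phpmyadmin
    echo "longest gap between upgrade runs: $(longest_upgrade_gap) days"
    # Release and install dates for 2.11.8.1-5+lenny1 are the ones stated in the thread.
    echo "fix released 2009-06-25, installed 2009-09-07: $(days_between 2009-06-25 2009-09-07) days exposed"
}

report
```

A gap of more than a month between upgrade days is the kind of figure worth alerting on from cron, and the "days exposed" number is what turns "I check for updates regularly" into something that can be checked against the log.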
 
Old 09-08-2009, 06:39 AM   #17
SoX|OK
LQ Newbie
 
Registered: Sep 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Hi unSpawn,

yes, you are absolutely right - being a system administrator is an ongoing process and not finished with setting up the system or installing some things.

I absolutely agree that I should better update the system more often or read logs at least once a week or maybe more often - but, and that's why this thread was moved to this security tree, I posted originally in the "Beginner" tree, because I just started and had no clue what to do.
I learned something about firewall-setup, installing things and so on - and also set up a test-server at home.

I will now make a fresh install, without saving anything from the current situation, because only then can I find out what someone else or what I have done in the past, and keep at least one eye on the security aspect.

From my point, I think that my firewall-setup was nearly complete and fine but as you already mentioned, I forgot to keep in mind things like "htaccess" for phpmyadmin and so on.

Also I will keep your hint in mind to open another thread and check my new configuration of the server there.

Thanks for your time; I now need some time to do the reinstall and think that I will start with it this evening/night.

Thanks and kind regards,
OK
 
Old 09-08-2009, 06:59 AM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
It shows courage to admit that you lack knowledge, and realising it is the first good step to learn from all of this trouble. If you have (paying) customers I understand that you want to move on and completely wipe and reinstall as quickly as possible to get things running again; however, I would like to point out that it might be better to hold it off for a little while and draw up a plan to secure and harden your server and services. That would be more efficient, effort- and time-wise, and possibly more complete.

If you're pressed for time, alternatively you could wipe completely, then install only the OS and SSH and raise the firewall immediately to only allow traffic to and from your management IP range, before installing other services and awaiting securing / hardening tips. That way you would only have to fear current unpatched remote kernel / netfilter / SSH vulnerabilities (if any, and depending on installed versions and in one case depending on loaded kernel modules).

If you could do me one favour in return, please retrieve the latest version of Rootkit Hunter and chkrootkit, configure and run them and attach the logs. Not that I think it will provide us with information that could change the outcome, but (personally and as one of the rkhunter devs) I am interested to see what they report...
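Both of unSpawn's "management IP range only" recommendations, the /phpmyadmin access restriction from post #16 and the SSH-only firewall for a freshly reinstalled host above, are written out below as one added example that is not part of the thread. It generates both controls from a single MGMT_RANGE variable so they cannot drift apart. Assumptions: 203.0.113.0/24 is a constructed placeholder range, SSH is on port 22, phpMyAdmin lives in Debian's /usr/share/phpmyadmin, and outbound DNS and HTTP/HTTPS are allowed so apt can still fetch updates, which goes a little beyond "management range only".

```shell
#!/bin/sh
# Added example (not from the thread): the two "management IP range only" controls
# discussed in the thread, generated from one variable so they stay consistent.
#   1. a netfilter ruleset for a freshly reinstalled host that runs only SSH
#   2. Apache 2.2 access control for the /phpmyadmin directory
# 203.0.113.0/24 is a constructed placeholder; set MGMT_RANGE for real use.
MGMT_RANGE="${MGMT_RANGE:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# iptables-restore format: default-deny on every chain, SSH and ping only from the
# management range, outbound DNS and HTTP/HTTPS so apt can fetch updates (an
# assumption that slightly widens "management range only"), everything else
# dropped and logged (rate-limited so the log cannot be flooded).
firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $MGMT_RANGE --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -s $MGMT_RANGE -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
COMMIT
EOF
}

# Apache 2.2 directives (Debian lenny era). Put them in a file under
# /etc/apache2/conf.d/, or in a .htaccess in the phpMyAdmin directory if
# AllowOverride Limit is in effect there. On Apache 2.4 the three
# Order/Deny/Allow lines become a single "Require ip $MGMT_RANGE".
phpmyadmin_access_conf() {
    cat <<EOF
<Directory /usr/share/phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from $MGMT_RANGE
</Directory>
EOF
}

case "${1:-}" in
    --apply-firewall)
        # Review the output of "firewall_rules" first: this replaces the live ruleset,
        # and a mistake in MGMT_RANGE locks you out of SSH.
        firewall_rules | iptables-restore ;;
    --apache-conf) phpmyadmin_access_conf ;;
    *) firewall_rules ;;
esac
```

Run it without arguments to review the ruleset, with `--apache-conf` to print the Apache fragment, and only as root with `--apply-firewall` once the management range is confirmed from the console. Keeping a second SSH session open while applying a new default-deny ruleset is the usual safety net.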
 
Old 09-08-2009, 07:13 AM   #19
SoX|OK
LQ Newbie
 
Registered: Sep 2009
Posts: 20

Original Poster
Rep: Reputation: 0
I can nearly tell which services should run on the server after a reinstall.

HLDS - port 27015
HLDS - port 27020
OpenVPNServer
ZNC-Bouncer
Eggdrop

Maybe:
Apache


Until now, the server is still up, so I can send the outcome of chkrootkit and rkhunter later.
 
Old 09-08-2009, 07:20 AM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
OK, thanks in advance!

//BTW, I'd still suggest creating a new thread for hardening as it provides you (in all aspects) with a clean work slate.
 
Old 09-08-2009, 07:33 AM   #21
SoX|OK
LQ Newbie
 
Registered: Sep 2009
Posts: 20

Original Poster
Rep: Reputation: 0
So I should open another thread somewhere here in the forum, to discuss what I should look for if I install the tasks mentioned in my last post?

Sorry, now I found the "attach files" section^^
Attached Files
File Type: txt rkhunter.txt (72.7 KB, 26 views)
File Type: txt chkrootkit.txt (8.3 KB, 26 views)

Last edited by unSpawn; 09-08-2009 at 05:46 PM. Reason: //cleanup: merge posts
 
Old 09-08-2009, 05:52 PM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by SoX|OK View Post
So I should open another thread somewhere here in the forum, to discuss what I should look for if I install the tasks mentioned in my last post?
Thanks for the logs. Yes, I think that would be the best way forward. I took the liberty of nudging you on by duplicating your post to a new thread here: http://www.linuxquestions.org/questi...server-753675/, edit the text as you please.
 
Old 09-09-2009, 12:38 AM   #23
SoX|OK
LQ Newbie
 
Registered: Sep 2009
Posts: 20

Original Poster
Rep: Reputation: 0
Thanks unSpawn, I will start with the reinstallation hopefully this evening.
 
All times are GMT -5.