One of my customers just told me that their website is showing a hacked page when viewed. Upon investigation, a hacker has indeed got into this user's website and defaced it. The person is running a version of ZenCart that has a few known exploits, so I assume that this is how they got in - that's fine, it's the user's fault etc. However, it appears that the hacker has also got access to three other accounts (out of about 200) on the server, and I'm not sure how.
My server is running CSF firewall, mod_security with gotroot rules, suhosin, suPHP, open_basedir, etc.
The hacker has used a heap of scripts, including c99, r57, possibly one or two other scripts like c99/r57, a CGI-Telnet script and probably others. The security software on the server has blocked most of the scripts (looks like it has blocked all of the c99 type scripts). The CGI-Telnet script works, but I logged in and played around and I don't have any sort of access outside of the users directory.
The three other users' accounts that were compromised are running Wordpress (2) and Joomla (1). I have taken a look through those accounts and they seem to be fine file permission-wise. We have other websites on the server running Wordpress and Joomla that didn't get affected.
The hacker appears to have created symlinks to the PHP configuration files for the three accounts that have been compromised. Here is the ls output from the initial compromised user's directory:
Code:
drwxr-x--- 15 <initialuser> nobody 4096 Jul 27 19:01 ./
drwx--x--x 11 <initialuser> <initialuser> 4096 Apr 5 00:16 ../
-rw-r--r-- 1 <initialuser> <initialuser> 144 Jul 26 01:19 .htaccess
lrwxrwxrwx 1 <initialuser> <initialuser> 37 Jul 25 23:04 5.txt -> /home/<user1>/public_html/wp-config.php*
lrwxrwxrwx 1 <initialuser> <initialuser> 42 Jul 18 16:17 a.txt -> /home/<user2>/public_html/configuration.php
lrwxrwxrwx 1 <initialuser> <initialuser> 11 Jul 26 01:28 aa.txt -> /etc/passwd
drwxr-xr-x 5 <initialuser> <initialuser> 4096 Apr 5 00:16 admin/
-rw-r--r-- 1 <initialuser> <initialuser> 23937 Jul 26 01:35 ahmet.txt
lrwxrwxrwx 1 <initialuser> <initialuser> 11 Jul 21 15:53 aqqqq.txt -> /etc/passwd
-rw-r--r-- 1 <initialuser> <initialuser> 9 Jul 12 20:24 biuh.php
-rw-r--r-- 1 <initialuser> <initialuser> 9 Jul 26 01:41 by.php
-rw-r--r-- 1 <initialuser> <initialuser> 12 Jul 26 06:43 c99.php
drwxrwxrwx 2 <initialuser> <initialuser> 4096 Apr 5 00:16 cache/
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Oct 30 2009 cgi-bin/
lrwxrwxrwx 1 <initialuser> <initialuser> 40 Jul 26 06:38 cs94.txt -> /home/<user3>/public_html/wp-config.php
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Nov 8 2009 docs/
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Nov 8 2009 download/
drwxr-xr-x 3 <initialuser> <initialuser> 4096 Nov 8 2009 editors/
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Nov 8 2009 email/
-rw-r--r-- 1 <initialuser> <initialuser> 9667 Jul 21 01:51 email.php
-rw-r--r-- 1 <initialuser> <initialuser> 22201 Jul 21 15:59 end.txt
-rw-r--r-- 1 <initialuser> <initialuser> 0 Jul 27 18:48 erm.txt
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Nov 8 2009 extras/
drwxrwxrwx 17 <initialuser> <initialuser> 69632 Jun 22 05:53 images/
-rw-r--r-- 1 <initialuser> <initialuser> 23157 Jul 26 19:12 images.m4
drwxr-xr-x 13 <initialuser> <initialuser> 4096 Nov 9 2009 includes/
-rw-r--r-- 1 <initialuser> <initialuser> 2923 Jul 26 03:27 index.php
-rw-r--r-- 1 <initialuser> <initialuser> 0 Jul 26 02:57 indexo.html
-rw-r--r-- 1 <initialuser> <initialuser> 1471 Nov 8 2009 install.txt
-rw-r--r-- 1 <initialuser> <initialuser> 16328 Nov 8 2009 ipn_main_handler.php
drwxr-xr-x 2 <initialuser> <initialuser> 4096 Jul 21 16:07 iskeltan/
-rw-r--r-- 1 <initialuser> <initialuser> 14857 Nov 8 2009 license.txt
drwxrwxrwx 2 <initialuser> <initialuser> 4096 Apr 5 00:16 media/
-rw-r--r-- 1 <initialuser> <initialuser> 2117 Nov 8 2009 nddbc.html
-rw-r--r-- 1 <initialuser> <initialuser> 3974 Nov 8 2009 nochex_apc_handler.php
-rw-r--r-- 1 <initialuser> <initialuser> 657 Nov 8 2009 page_not_found.php
-rw-r--r-- 1 <initialuser> <initialuser> 13 Jul 25 22:24 php.ini
drwxrwxrwx 2 <initialuser> <initialuser> 4096 Apr 5 00:16 pub/
-rw-r--r-- 1 <initialuser> <initialuser> 196121 Jul 26 01:19 r57.php
-rwxr-xr-x 1 <initialuser> <initialuser> 23117 Jul 26 01:19 rip.m4*
-rw-r--r-- 1 <initialuser> <initialuser> 2374 Jul 24 20:28 root.html
-rw-r--r-- 1 <initialuser> <initialuser> 9 Jul 21 16:05 rrr.php
-rw-r--r-- 1 <initialuser> <initialuser> 211999 Jul 25 22:39 slm.php
-rw-r--r-- 1 <initialuser> <initialuser> 37750 Jul 25 23:05 sqL.php
-rw-r--r-- 1 <initialuser> <initialuser> 86 Jul 27 18:48 testfile.php
I was wondering if anyone had any ideas on how the hacker got access to other accounts, and how they could have created symlinks to someone else's files! I did try to view the contents of the symlink via the CGI-Telnet script but it said permission denied.
The best thing that I can think of is that they managed to brute force the three users' passwords; I can't think of any other way that the hacker would get access to three accounts out of 200 that aren't running unique software.
I will make sure that I am running the latest version of the gotroot rules and that I specifically block these scripts in mod_security, but is there anything else I can do as well (apart from making sure my customers run the latest scripts obviously!)?
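An added example, not part of the post above: a small POSIX sh audit that walks every account under a base directory and reports symlinks whose target resolves outside that account's own home, which is exactly the pattern the listing shows (5.txt, a.txt, cs94.txt pointing at other accounts' config files, aa.txt pointing at /etc/passwd). The demo tree, user names and file contents are constructed; on a real shared host you would run find_escaping_symlinks /home as root and feed the output to whatever alerting you already have.

```shell
#!/bin/sh
# Added example (not from the original post): flag symlinks in any account's
# home that resolve outside that account. The demo tree is constructed; on a
# real host call "find_escaping_symlinks /home" as root instead.
set -u

# Print "user: link -> target" for every symlink under BASE/<user> whose
# resolved target lies outside BASE/<user>. Links that stay inside the
# account's own home (a normal use of symlinks) are ignored.
find_escaping_symlinks() {
    base="$1"
    for homedir in "$base"/*/; do
        homedir="${homedir%/}"
        user="${homedir##*/}"
        real_home=$(cd "$homedir" && pwd -P)
        # -type l lists links without following them, so a link to a
        # directory is reported once and never descended into.
        find "$homedir" -type l 2>/dev/null | while IFS= read -r link; do
            target=$(readlink -f "$link" 2>/dev/null || readlink "$link")
            case "$target" in
                "$real_home"|"$real_home"/*) ;;
                *) printf '%s: %s -> %s\n' "$user" "$link" "$target" ;;
            esac
        done
    done
}

# Build a constructed /home-like tree mirroring the post's listing:
# three escaping links plus one harmless in-home link (img -> images).
build_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/initialuser/public_html/images" \
             "$demo/user1/public_html" "$demo/user2/public_html"
    printf '<?php $db_password = "constructed";\n' > "$demo/user1/public_html/wp-config.php"
    printf '<?php $password = "constructed";\n' > "$demo/user2/public_html/configuration.php"
    ln -s "$demo/user1/public_html/wp-config.php" "$demo/initialuser/public_html/5.txt"
    ln -s "$demo/user2/public_html/configuration.php" "$demo/initialuser/public_html/a.txt"
    ln -s /etc/passwd "$demo/initialuser/public_html/aa.txt"
    ln -s "$demo/initialuser/public_html/images" "$demo/initialuser/public_html/img"
    echo "$demo"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(build_demo)
    find_escaping_symlinks "$d"   # reports 5.txt, a.txt and aa.txt; img is silent
    rm -rf "$d"
fi
```

Each reported line names the offending account, so it doubles as an indicator of which user's web space to inspect first.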