So I was hacked Saturday night or so, and ever since we have been trying to figure out how.
The frustration is they were able to steal money from our payment processor account once they were able to breach our servers. (and it's a lot, and I won't mention it to keep your jaw from dropping)
We operate on a cloud server that is managed. Let me outline the story and analysis from our security person at the datacenter.
lfd on vm228.customer.blacklotus.net: WHM/cPanel root access alert from 178.73.222.206 (EU/-/cms206.speckledfloor.com)
Time: Sat Jun 25 10:56:27 2011 -0700
IP: 178.73.222.206 (EU/-/cms206.speckledfloor.com)
User: root
Within minutes of that they did all sorts of things, downloaded database, backups, etc. The security analysis for what happened is below:
The cPanel and WHM access and the operations were carried out between 17:56:19 and 18:12:46 [5:56 PM to 6:12 PM]. But the SSL access log shows that the IP 178.73.222.206 was accessing different pages, like http://***********.com/demo.php and http://*************.com/login.php, from 11:18 AM to 11:23 AM. So it is clearly evident that the IP was trying to access the ***********.com URLs and then logged into WHM/cPanel. So it could be through some malware program on the customer's local machine. The access log doesn't show any signs of compromise through the customer's scripts/files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FIRST ACCESS LOG ENTRY FROM THE IP 178.73.222.206
c******/access-logs/**********.com-ssl_log:178.73.222.206 - - [25/Jun/2011:11:18:02 -0700] "GET /login.php HTTP/1.1" 200 4773 "http://************.com/demo.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
LAST ACCESS LOG ENTRY FROM THE IP 178.73.222.206
c******/access-logs/**********.com:178.73.222.206 - - [25/Jun/2011:11:23:20 -0700] "GET /info.php HTTP/1.1" 404 389 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FIRST CPANEL ACCESS LOG ENTRY FROM THE IP 178.73.222.206
178.73.222.206 - - [06/25/2011:17:56:19 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
LAST CPANEL ACCESS LOG ENTRY FROM THE IP 178.73.222.206
178.73.222.206 - root [06/25/2011:18:12:46 -0000] "GET /cpsess748341418/json-api/loadavg HTTP/1.1" 200 0 "https://208.********:2087/cpsess748341418/scripts/command" "Mozilla/4.0 (compatible; MSIE 8.0;Windows NT 6.1; WOW64; Trident/4.0; EmbeddedWB 14.52 from: bsalsa EmbeddedWB Home EmbeddedWB 14.52; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
-----
So far we've not been able to detect any system or file damage at this time, but if accounts were accessed they all appear to be legitimate.
-------
Today I was able to find this hacker poking around by looking through my notification emails. This is the same hacker:
Time: Fri Jun 24 08:26:06 2011 -0700
IP: 178.73.217.237 (EU/-/cast237.guitarspoke.com)
Failures: 5 (cpanel)
Interval: 300 seconds
Blocked: Permanent Block
Log entries:
178.73.217.237 - root [06/24/2011:15:21:26 -0000] "GET /cpsess4811030428/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:21:31 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:23:06 -0000] "GET /cpsess8921312361/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:23:14 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:26:04 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
Any advice???
Here's from a previous security enhancing service as to what was done to make the server more secure:
1. safe_mode = On
By enabling the safe_mode parameter, PHP scripts are able to access files only when their owner is the owner of the PHP scripts. This is one of the most important security mechanisms built into PHP. It effectively counteracts unauthorized attempts to access system files (e.g. /etc/passwd) and adds many restrictions that make unauthorized access more difficult.
2. expose_php = Off
Turning off the "expose_php" parameter means that PHP will not disclose information about itself in the HTTP headers that are sent to clients in responses to web requests.
3. display_errors = Off
If the display_errors parameter is turned off, PHP errors and warnings are not displayed. Because such warnings often reveal precious information like path names, SQL queries etc., it is strongly recommended to turn this parameter off on production servers.
4. allow_url_fopen = Off
If it is enabled, this allows URLs (like http:// or ftp://) to be treated as files. This can be used to exploit some vulnerability in the server and execute any script on the server.
5. disable_functions = dl,system,exec,passthru,shell_exec,symlink,ini_restore,imap_body,imap_list,imap_open,mysql_list_dbs,popen,stream_select,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,readlink,symlink,link,pfsockopen,ini_alter,dl,openlog,syslog,putenv,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,fpassthru,detcwd,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate
Add the functions show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen to the disable_functions. This directive allows you to disable certain functions for security reasons. It receives a comma-delimited list of function names. This directive is NOT affected by whether Safe Mode is turned On or Off.





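The two things the datacenter's analysis does by hand, applying lfd's 5-failures-in-300-seconds rule to the WHM log and lining up the web-server hits with the root session, can be scripted. The following is an added example written for this thread; it is not code from the poster, the host or cPanel. It parses the two log formats quoted above (Apache-style lines with a -0700 offset, and cPanel/WHM lines with a -0000 offset, including the FAILED LOGIN variant), converts every timestamp to UTC before comparing anything, flags IPs that cross the failure threshold, and reports whether an IP's web requests came before or after its first successful root login. The sample lines are constructed, modelled on the entries in the post: hostnames are placeholders, user-agent strings are shortened, and the root POST /login/ success at 17:56:27 -0000 is assumed from the time in the lfd alert rather than copied from a log.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the entries quoted in the post (not a real log):
# hostnames are placeholders, user agents are shortened, and the root "POST /login/"
# success at 17:56:27 -0000 is assumed from the lfd alert time, not copied from a log.
WEB_LOG = """\
178.73.222.206 - - [25/Jun/2011:11:18:02 -0700] "GET /login.php HTTP/1.1" 200 4773 "http://example.com/demo.php" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - - [25/Jun/2011:11:23:20 -0700] "GET /info.php HTTP/1.1" 404 389 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
"""
CPANEL_LOG = """\
178.73.217.237 - root [06/24/2011:15:21:26 -0000] "GET /cpsess4811030428/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:21:31 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:23:06 -0000] "GET /cpsess8921312361/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:23:14 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.217.237 - root [06/24/2011:15:26:04 -0000] "POST /login/ HTTP/1.1" FAILED LOGIN whostmgrd: user password incorrect
178.73.222.206 - - [06/25/2011:17:56:19 -0000] "GET / HTTP/1.1" 401 0 "" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - root [06/25/2011:17:56:27 -0000] "POST /login/ HTTP/1.1" 200 0 "" "Mozilla/4.0 (compatible; MSIE 8.0)"
178.73.222.206 - root [06/25/2011:18:12:46 -0000] "GET /cpsess748341418/json-api/loadavg HTTP/1.1" 200 0 "https://203.0.113.10:2087/cpsess748341418/scripts/command" "Mozilla/4.0 (compatible; MSIE 8.0)"
"""

Entry = namedtuple("Entry", "ip user utc request status failed")
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<rest>.*)$')
TS_RE = re.compile(r"^(?P<clock>\S+) (?P<sign>[+-])(?P<hh>\d{2})(?P<mm>\d{2})$")
CLOCK_FORMATS = ("%d/%b/%Y:%H:%M:%S", "%m/%d/%Y:%H:%M:%S")  # Apache style, then cPanel style

def parse_timestamp(ts):
    """'25/Jun/2011:11:18:02 -0700' or '06/25/2011:17:56:19 -0000' -> aware UTC datetime."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    for fmt in CLOCK_FORMATS:
        try:
            naive = datetime.strptime(m["clock"], fmt)
            break
        except ValueError:
            continue
    else:
        raise ValueError(f"unrecognised clock format: {ts!r}")
    offset = timedelta(hours=int(m["hh"]), minutes=int(m["mm"]))
    if m["sign"] == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)

def parse_log(text):
    """Parse either log format; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        status = int(rest.split(" ", 1)[0]) if rest[:3].isdigit() else None
        entries.append(Entry(m["ip"], m["user"], parse_timestamp(m["ts"]), m["req"],
                             status, "FAILED LOGIN" in rest))
    return entries

def detect_login_bursts(entries, threshold=5, window=timedelta(seconds=300)):
    """lfd's rule from the post: flag an IP with `threshold` failed logins inside any `window`."""
    failures = defaultdict(list)
    for e in entries:
        if e.failed:
            failures[e.ip].append(e.utc)
    flagged = {}  # ip -> UTC time at which the threshold was crossed
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over the sorted failure times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = t
                break
    return flagged

def correlate_root_logins(cpanel_entries, web_entries):
    """Per IP with a successful root session: its web requests in UTC order, and whether
    the first of them preceded the first root success (meaningful only after UTC normalisation)."""
    root_first = {}
    for e in sorted(cpanel_entries, key=lambda e: e.utc):
        if e.user == "root" and e.status == 200:
            root_first.setdefault(e.ip, e.utc)
    report = {}
    for ip, first in root_first.items():
        web = sorted((w.utc, w.request) for w in web_entries if w.ip == ip)
        report[ip] = {"root_first_utc": first, "web_requests": web,
                      "web_before_root": bool(web) and web[0][0] < first}
    return report

if __name__ == "__main__":
    cpanel, web = parse_log(CPANEL_LOG), parse_log(WEB_LOG)
    for ip, when in detect_login_bursts(cpanel).items():
        print(f"brute-force threshold crossed by {ip} at {when.isoformat()}")
    for ip, r in correlate_root_logins(cpanel, web).items():
        print(f"root session from {ip}, first success {r['root_first_utc'].isoformat()}")
        for when, req in r["web_requests"]:
            side = "before" if when < r["root_first_utc"] else "after"
            print(f"  web request {side} root login: {when.isoformat()} {req}")
```

Run it as-is and it prints both reports. The reason the script converts to UTC before ordering is visible in the post's own entries: the web log's 11:18 -0700 is 18:18 UTC, while the WHM log already carries -0000, so the wall-clock digits of the two logs cannot be compared directly. Feeding it real logs means replacing the two constructed strings with the file contents; any line that does not match the pattern is skipped rather than misread.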