I am Hacked... just found vadimII on my server
Suddenly I checked the processes and found that there are a few malicious codes on my server under /var/spool/samba.
I am running Redhat 9 + apache 1.33 + PHPSuexec. I have checked and found that 1 or 2 of them are IRC bots and the others I don't know, but their names seem suspicious. Please tell me how I prevent users from accessing these types of folders? I just found a vadimII under /var/spool/samba and I don't know whether I am hacked or not. I have suspended the user. Please tell me how I check whether my server is hacked or not.

You should really get a professional to look at the server and diagnose it; you may have to have the server restored. There are a lot of server administration companies out there that have reasonable rates and can help you out.
__________________
AdminWAY Administration Services Providing top notch server administration services. - adam@adminway.net

I have resolved it... my server is not compromised anymore.
But I still have a question: I found VadimII at 2 locations, /dev/shm and /var/spool/samba, and in one place it was created by some user and at the second location it belonged to some other user. I mean that in one place the owner user was different and at the second place the owner was different. Both the users belong to our 2 different clients and I am really wondering who the culprit was.

Check their passwords, we had a client who created users and passwords the same and he was cracked by a brute force.
Also, check into good mod security rules to prevent folks who do hack from doing bad things. Here is a good rule I saw during the phpworm issues:
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open| fopen|fwrite)\s*\("
This tends to make it hard for scripties to do shell stuff. It also kills the phpBB google worm.
Another thing you should look into are rootkits: rkhunter and chkrootkit. Run those just in case. HTH
__________________
http://www.latincalifornia.com

Quote:
\s*\( should mean 0 or more whitespace characters followed by a (. While this rule blocks system(..), it does NOT block system (..). At least not when I tried it. Using [[:space:]]* is what worked for me.

so use this:
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open| f open|fwrite)\s*\("
and this:
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open| f open|fwrite)\s *\("
? What does your rule look like to prevent this?
__________________
http://www.latincalifornia.com

Then install it. As was already recommended above, if you don't know how to do these things, you should hire someone who does. There's little point in cleaning up a successful exploitation and nothing more, as it will simply happen again.
__________________
Jonathan Michaelson cPanel Forum Moderator Need your cPanel servers secured and tuned? cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf http://www.configserver.com

Just use [[:space:]]* instead of \s* like this:
SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open| f open|fwrite))([[:space:]]*)\("
This blocks the commands regardless of the number of spaces used. The ( ) around [[:space:]]* are probably not necessary. You could also add ARGS_VALUES like this:
SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open| f open|fwrite))([[:space:]]*)\("
You could consider using SecFilter instead of SecFilterSelective with this rule though, since you want to block POST requests as well, not only GET requests. I haven't had any false positives using SecFilter with this rule; it just depends on the type of sites you have on the server.
Last edited by jamesbond; 02-15-2005 at 09:39 AM.

Thanks double o' seven
Great ideas!
__________________
http://www.latincalifornia.com

Can anyone please explain a little bit what this following directive is meant for... I mean, what does it do?
SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open| f open|fwrite))([[:space:]]*)\("
Last edited by checked; 02-23-2005 at 09:08 AM.

Check out modsecurity.org for a good explanation.
http://modsecurity.org/documentation/index.html is good too. Good article I found on their page: http://www.hackinthebox.org/article.php?sid=12867
The idea is to watch for these patterns in URL injections (be they POST or GET) so as to prevent kiddies from running unix-like or php commands or injecting php commands into your code or client's code.
__________________
http://www.latincalifornia.com
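A small Python check of the rule pattern discussed in this post and in the earlier [[:space:]]* post (an added example, not from the thread or from mod_security). It assumes, as mod_security 1.x normalisation does, that THE_REQUEST is URL-decoded before the filter is applied, and it shows that \s* already covers a space before the bracket, that the leading space in " fopen" lets a plain fopen( through, and that the extra ")" after fwrite in the bracket version stops the regex from compiling at all. Python's re has no POSIX [[:space:]], so that class is spelled out as its ASCII members.

```python
import re
from urllib.parse import unquote

# Rule pattern exactly as posted in the thread. Python's re shares \s, grouping
# and alternation with the PCRE used by mod_security. The leading space in
# " fopen" means that alternative only matches when a space precedes fopen.
POSTED_RULE = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open| fopen|fwrite)\s*\(")

# Same function list with the stray space removed.
CORRECTED_RULE = re.compile(
    r"(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\(")

# Later bracket form from the thread, keeping its extra ')' after fwrite.
# Python's re lacks POSIX [[:space:]], so its ASCII members are written out.
POSTED_BRACKET_FORM = (
    r"(system|exec|passthru|popen|shell_exec|proc_open| fopen|fwrite))"
    r"([ \t\r\n\f\v]*)\(")

# Constructed request lines: two call spellings that should be caught, a fopen
# call, and a benign query that merely contains "open" followed by a space.
SAMPLES = [
    "GET /index.php?cmd=system(id) HTTP/1.1",
    "GET /index.php?cmd=system%20(id) HTTP/1.1",
    "GET /index.php?f=fopen(notes.txt) HTTP/1.1",
    "GET /search.php?q=open%20(the%20door) HTTP/1.1",
]


def compiles(pattern):
    """True if the regex compiles; an unbalanced ')' makes the engine reject it."""
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def rule_hits(rule, request_line):
    """Emulate a THE_REQUEST filter: URL-decode the raw request line first
    (assumed mod_security 1.x normalisation), then search for the pattern."""
    return rule.search(unquote(request_line)) is not None


def evaluate(rule, samples=SAMPLES):
    """Map each sample request line to whether the rule would fire on it."""
    return {line: rule_hits(rule, line) for line in samples}
```

Calling evaluate(POSTED_RULE) and evaluate(CORRECTED_RULE) side by side shows the fopen line as the only difference, and compiles(POSTED_BRACKET_FORM) returns False.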

I just found that this got through somehow:
Quote:
I am thinking of using this now:
Quote:
__________________
http://www.latincalifornia.com
Last edited by denisdekat09; 05-30-2005 at 11:17 AM.