I am Hacked... just found vadimII on my server

**checked** · 02-15-2005 07:05 AM

Suddenly I checked the processed and found that there are few malicious codes on my server under /var/spool/samba

I am running Redhat 9 + apache 1.33 + PHPSuexec. I have checked and found that 1 or 2 of them are IRC Bots and other I don't know but there name seem suspicious.

Please tell me that How do I prevent users to access these types of folders ?

I just found an vadimII under /var/spool/samba and I don't know whether I am hacked or not. I have suspended the user.

Please tell me how do I checked that whether my server is hacked or not

**AdminWAY** · 02-15-2005 08:23 AM

You should really get a professional too look at the server and diagnose it, you may have to have the server restored, there is alot of server administration companies out there that have reasonable rates and can help you out.

**checked** · 02-15-2005 08:30 AM

I have resolved it.................my server is not compromised anymore.

but I still have a question that I found VadimII at 2 locations : /dev/shm and /var/spool/samba and one place it was created with some user and at second location it belongs to some other user. I mean that one place the owner user was different and at the second place the ownser was different.

Both the users belongs to our 2 different clients and I am really wondering that who was the culprit

**denisdekat09** · 02-15-2005 08:48 AM

Check their passwords, we had a client who created users and passwords the same and he was cracked by a brute force.

Also, check into good mod security rules to prevent folks who do hack from doing bad things.

Here is a good rule I saw during the phpworm issues:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("

This tends to make it hard for scripties to do shell stuff. It also kills the phpBB google worm

Another thing you should look into are rootkits. rkhunter and chkrootkit. Run those just in case

HTH

**jamesbond** · 02-15-2005 09:18 AM

Originally Posted by denisdekat09

I've seen that rule a lot also, but it doesn't work exactly like you would expect, because \s* is not recognized properly.

\s*\( should mean 0 or more whitespace characters followed by a (

While this rule blocks system(..) , it does NOT block system (..).
At least not when I tried it

Using [[:space:]]* is what worked for me

**denisdekat09** · 02-15-2005 10:17 AM

**checked** · 02-15-2005 10:31 AM

Are you talking about having mod_security Apache Module ?

unfortunately I am not having it

**chirpy** · 02-15-2005 10:34 AM

Then install it. As was already recommended above, if you don't know how to do these things, you should hire someone who does. there's little point in cleaning up a successful exploitation and nothing more as it will simply happen again.

**jamesbond** · 02-15-2005 10:37 AM

Just use [[:space:]]* instead of s* like this:

SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|f open|fwrite))([[:space:]]*)\("

This blocks the commands regardless of the number of spaces used. The ( ) around [[:space:]]* are probably not necessary.

You could also also add ARGS_VALUES like this :

SecFilterSelective "THE_REQUEST|ARGS_VALUES" "(system|exec|passthru|popen|shell_exec|proc_open|f open|fwrite))([[:space:]]*)\("

You could consider using SecFilter instead of SecFilterSelective with this rule though, since you want to block POST requests as well, not only GET requests.
I haven't had any false positives using SecFilter with this rule, it just depends on the type of sites you have on the server.

**denisdekat09** · 02-15-2005 10:57 AM

Thanks double o' seven

Great ideas!

**checked** · 02-23-2005 10:04 AM

**denisdekat09** · 02-23-2005 10:18 AM

Check out modsecurity.org for a good explanation.

http://modsecurity.org/documentation/index.html is good too.

good article I found on their page:

http://www.hackinthebox.org/article.php?sid=12867

The idea is to watch for these patterns in url injections (be they post or get) so as to prevent kiddies from running unix like or php commands or injecting php commands into your code or client's code.

**checked** · 02-23-2005 10:30 AM

thanks denis that is really helpful

**denisdekat09** · 05-30-2005 12:14 PM

I just found that this got through somehow:

%252esystem(chr(101)%252echr(99)%25

Do you think adding esystem in there woudl help? I am tring to figure out how come it did not catch it....

I am thinking of using this now:

LinkBack

Thread Tools

I am Hacked... just found vadimII on my server

Server Hacked - Found out how

hacked server

Server get hacked

vadimII on my box after switch proftpd with pure-ftpd ?

server hacked....