  1. #1 Member (Join Date: Oct 2004, Posts: 124)

    Server attacked by phishers

    Hi,

    Some of my domains were affected by a phisher who uploaded multiple phishing sites like Nationwide, eBay, Bank of Montreal... I have spent the better part of the day undoing the damage.

    d--------- 3 domain1 domain1 4096 Jun 25 01:21 bom/


    d--------- 4 domain2 domain2 4096 Jun 22 08:02 nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/


    d--------- 3 domain3 domain3 4096 Jun 25 04:52 ebay.fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:52 fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:58 signin.ebay.fr.update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:51 update.account/
    d--------- 3 domain3 domain3 4096 Jun 25 04:51 account/


    d--------- 4 domain4 domain4 4096 Jun 22 09:46 nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/



    root@cat3 [/usr/local/apache/domlogs]# grep "nationwide.co.uk" ./* | more

    ./ftp.mydomain.com-ftp_log:Mon Jun 25 02:57:53 2007 0 196.203.154.253 773 /home/username/public_html/nationwide.co.uk.olb2.nationet.comdefault2.3c0bb2e15f32dd074f90eb6239b866ae3eb/nationwide.confirm.secure.co.uk/aspFINISH=3c0bb2e15f32dd074f90eb6239b866ae3eb.php a _ o r username ftp 1 * c

    root@cat3 [/usr/local/apache/domlogs]# grep "onlinebanking" ./* | more

    ./ftp.domain1.com-ftp_log:Mon Jun 25 01:17:56 2007 0 196.218.47.230 187 /home/username1/public_html/bom/BMO_Bank_of_Montreal_Online_Banking_files/onlinebanking_faqs_off.gif b _ i r process1 ftp 1 * c


    ...Looks like they FTP'd the files onto all the sites.


    They also added these lines of code for the affected sites within httpd.conf.

    <VirtualHost xx.xx.xxx.xxx>
    ServerAlias www.signin.ebay.fr.update.account.mydomain.com
    ServerAdmin webmaster@signin.ebay.fr.update.account.mydomain.com
    DocumentRoot /home/username/public_html/signin.ebay.fr.update.account
    ServerName signin.ebay.fr.update.account.mydomain.com

    <IfModule mod_suphp.c>
    suPHP_UserGroup username username
    </IfModule>
    <IfModule mod_php4.c>
    php_admin_value open_basedir "/home/username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>
    <IfModule mod_php5.c>
    php_admin_value open_basedir "/home/username:/usr/lib/php:/usr/local/lib/php:/tmp"
    </IfModule>

    User username
    Group username
    BytesLog /usr/local/apache/domlogs/signin.ebay.fr.update.account.mydomain.com-bytes_log
    CustomLog /usr/local/apache/domlogs/signin.ebay.fr.update.account.mydomain.com combined
    ScriptAlias /cgi-bin/ /home/username/public_html/signin.ebay.fr.update.account/cgi-bin/
    </VirtualHost>


    I want to find and plug the leak. Is this a known exploit? Has someone countered this attack? I would sure appreciate some EXPERT advice on how this attack could have been launched and how to prevent a repeat of this phishing attack.

    I have secured /tmp, mod_security, etc. I am on RHEL.

    Thanks,
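    Added example (not from this thread or from cPanel): a small triage script for the FTP transfer log evidence shown above. It parses xferlog-style lines of the same layout as the grep output, flags uploads (direction "i") into public_html whose path carries a brand token, and groups the hits by source IP so you can see which FTP accounts one source touched. The log lines, IPs, usernames and paths below are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the xferlog layout seen in the thread's grep output:
# date(5 fields) xfer-time remote-host size path type special direction
# access-mode user service auth-method auth-uid completion. Values are made up.
SAMPLE_XFERLOG = """\
Mon Jun 25 02:57:53 2007 0 198.51.100.10 773 /home/user1/public_html/nationwide.co.uk.olb2.example/confirm.php a _ i r user1 ftp 1 * c
Mon Jun 25 01:17:56 2007 0 198.51.100.20 187 /home/user2/public_html/bom/BMO_files/onlinebanking_faqs_off.gif b _ i r user2 ftp 1 * c
Mon Jun 25 04:52:10 2007 0 198.51.100.10 2048 /home/user3/public_html/signin.ebay.fr.update.account/index.php a _ i r user3 ftp 1 * c
Mon Jun 25 09:00:00 2007 1 203.0.113.5 5120 /home/user1/public_html/images/logo.png b _ i r user1 ftp 1 * c
Mon Jun 25 09:05:00 2007 0 203.0.113.5 773 /home/user1/public_html/index.php a _ o r user1 ftp 1 * c
"""

# Brand tokens that have no business inside a customer's web root (assumed list;
# extend it with the brands your own phishing reports name).
BRAND_TOKENS = {"ebay", "paypal", "nationwide", "bom", "bank", "signin", "onlinebanking"}

@dataclass
class Transfer:
    when: str
    remote: str
    path: str
    direction: str   # 'i' = upload to the server, 'o' = download from it
    user: str

def parse_xferlog(text):
    """Parse xferlog lines into Transfer records, skipping malformed lines."""
    out = []
    for line in text.splitlines():
        f = line.split()          # xferlog replaces spaces in paths with '_'
        if len(f) < 18:
            continue
        out.append(Transfer(" ".join(f[0:5]), f[6], f[8], f[11], f[13]))
    return out

def suspicious_uploads(transfers):
    """Uploads into public_html whose relative path contains a brand token."""
    hits = []
    for t in transfers:
        if t.direction != "i" or "/public_html/" not in t.path:
            continue
        rel = t.path.split("/public_html/", 1)[1].lower()
        if set(re.split(r"[./_\-]+", rel)) & BRAND_TOKENS:
            hits.append(t)
    return hits

def by_source(hits):
    """Map each remote IP to the sorted FTP accounts it uploaded kits into."""
    m = defaultdict(set)
    for t in hits:
        m[t.remote].add(t.user)
    return {ip: sorted(users) for ip, users in m.items()}
```

On a cPanel box the real input is the per-domain ftp logs under /usr/local/apache/domlogs; one source IP uploading into several different accounts points at credential theft or a shared weak password rather than a per-site bug.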

  2. #2 Member (Join Date: Apr 2003, Location: Denver, CO, Posts: 294)

    Have you checked for rootkits and the like? It's obvious that they had to have root access to your server to make some of those changes (specifically the httpd.conf modifications).

    I would also check things like CGI/PHP guestbooks, discussion forums, photo galleries, blogs, etc. to see if there are any vulnerable versions on your server.

  3. #3 AndyReed, cPanel Partner NOC (Join Date: May 2004, Location: Minneapolis, MN, Posts: 2,223)

    Quote, originally posted by neonix:
        ...Looks like they FTP'd the files onto all the sites.

        They also added these lines of code for the affected sites within httpd.conf.

        <VirtualHost xx.xx.xxx.xxx>
        ServerAlias www.signin.ebay.fr.update.account.mydomain.com

    If this hacker was able to modify your Apache conf file -- httpd.conf -- that means your server has been compromised. Run chkrootkit and rkhunter and see what the results are. Overall, I suggest you back up your clients' and personal data, ask your host to format your HD, reload the OS and start over. Securing and hardening your server is a must in your case, as hackers tend to come back to do further damage.
    Andy Reed
    RHCE and CCNA
    ServerTune.com

  4. #4 cPanel Partner NOC (Join Date: Nov 2003, Location: Moscow, Posts: 294)

    httpd.conf can be configured by cPanel users. Not directly, of course, but by using cPanel. So the questions are as follows:

    1) Were all domains added under one user/reseller account?
    2) Do you have a reseller with root features?
    3) Did you check your Windows computer for exploits, trojans, etc.?

    Depending on the answers, some decisions can be made. For case 3), the right way has already been posted.
    https://robobill.net
    US dedicated, Europe and Asia and Russia dedicated server. Shared, Reseller, VPS hosting in US and Europe.
    We are RESELLER of dedicated servers since 2002.
