  1. #1
    Member
    Join Date
    Oct 2002
    Posts
    18

    server deface

    Last night someone was able to do a mass deface on one of our servers. We run chkrootkit and rkhunter regularly and I don't see any odd processes running so I don't think I have a root kit problem.

    Is there any way to track down a script vulnerability that could have done this?

    All files matching *index* had 4 <iframe> lines added and were chowned to root.root.

    Any help would be appreciated (If there's a better forum for this please let me know).

    Thanks,
    Dean

  2. #2
    Super Moderator: chirpy (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    If the index files are chowned to root:root where they weren't previously, then you've had a root compromise somewhere. No one other than root (or a daemon, process or suid binary) can change file ownerships like that. Are you running the latest STABLE/RELEASE/CURRENT/EDGE of cPanel, as there were some exploits found not long ago?
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com
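An added example, not part of any post in this thread: a shell script that implements the check chirpy describes (index files owned by root where the account user should own them), counts the injected <iframe> lines, and pulls the ctime of each hit so there is a concrete time window to search the logs with. It assumes GNU find/stat/grep on Linux and a cPanel-style tree such as /home/<user>/public_html (the path and the default owner are assumptions; pass your own).

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Triage for the deface in post #1:
# files whose name contains "index", owned by root (or the owner you pass),
# that contain <iframe> tags. Assumes GNU find/stat/grep (Linux) and a
# cPanel-style tree such as /home/<user>/public_html (assumption).
set -u

# triage_defaced DOCROOT [OWNER]
# Prints "<ctime-epoch> <owner> <iframe-lines> <path>" per hit, oldest first.
# OWNER defaults to root, since the thread reports files chowned to root.root.
# ctime is used rather than mtime: chown always bumps ctime, and ctime cannot
# be reset with touch(1), so it survives an attacker who restores mtimes.
triage_defaced() {
    local docroot="$1" owner="${2:-root}" f n
    find "$docroot" -xdev -type f -iname '*index*' -user "$owner" -print0 2>/dev/null |
    while IFS= read -r -d '' f; do
        n=$(grep -ci '<iframe' "$f" 2>/dev/null || true)
        n=${n:-0}
        [ "$n" -gt 0 ] || continue
        printf '%s %s %s\n' "$(stat -c '%Z %U' "$f")" "$n" "$f"
    done | sort -n
}

# deface_window DOCROOT [OWNER]
# Prints "<earliest-ctime> <latest-ctime>" over the hits: the window to search
# in the Apache logs. Prints nothing if there are no hits.
deface_window() {
    triage_defaced "$1" "${2:-root}" |
    awk 'NR == 1 { lo = $1 } { hi = $1 } END { if (NR) print lo, hi }'
}

# Usage on a cPanel box, as root:
#   triage_defaced /home
#   deface_window /home
```

The owner argument is there so you can also run it with the account's own username: if root-owned hits sit next to user-owned hits with the same ctime, the attacker wrote the files through one path and chowned them through another, which is worth knowing before you decide between cleaning and reloading.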

  3. #3
    Member
    Join Date
    Oct 2002
    Posts
    18


    I'm running the RELEASE tree and it says it's up to date
    WHM 9.9.7 cPanel 9.9.8-R5

    If I've had a root compromise it's probably beyond my realm to find it. I've noticed a couple of places that do security work on linux/Cpanel systems. How do you know who you can trust?

  4. #4
    Super Moderator: chirpy (account confirmed by cPanel staff to represent a vendor)
    Join Date
    Jun 2002
    Location
    Go on, have a guess
    Posts
    13,495


    Sadly, with difficulty. One option is to ask for recommendations from others. Another route might be to ask CERT for help:
    http://www.cert.org/tech_tips/incident_reporting.html
    Jonathan Michaelson


  5. #5
    Member: sawbuck
    Join Date
    Jan 2004
    Posts
    1,310
    cPanel/Enkompass Access Level

    Root Administrator


    Quote Originally Posted by Crooner
    How do you know who you can trust?
    You can certainly trust Chirpy.

  6. #6
    Member: verdon
    Join Date
    Nov 2003
    Location
    Northern Ontario, Canada
    Posts
    792


    Quote Originally Posted by sawbuck
    You can certainly trust Chirpy.
    I'll second that... he knows what he's doing too

  7. #7
    Member
    Join Date
    Feb 2003
    Posts
    311


    Check your /tmp folder for scripts. It could be as simple as having exec privileges on the /tmp folder that allowed someone to run it. I know there was an old my_egallery exploit that caused issues like this in the past. Might want to scan your server and see if anyone is running my_egallery.
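An added example (not part of the reply above or of the thread) for the three checks this reply suggests: list anything under /tmp that has an exec bit, starts with a shebang, or carries a script extension; report whether the filesystem holding /tmp is mounted noexec; and locate my_egallery directories under the web roots so the affected accounts can be found. It assumes Linux (/proc/mounts, GNU find/stat). The module name my_egallery is taken from the reply; nothing about the exploit itself is assumed or shown.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Checks suggested in reply #7.
# Assumes Linux: /proc/mounts, GNU find/stat.
set -u

# tmp_suspects DIR
# Prints "<reason> <mode> <owner> <path>" for regular files under DIR that
# have an exec bit, start with "#!", or carry a script extension. Session
# files and other plain data are skipped; review the survivors by hand.
tmp_suspects() {
    local dir="$1" f reason
    find "$dir" -xdev -type f -print0 2>/dev/null |
    while IFS= read -r -d '' f; do
        reason=""
        if [ -x "$f" ]; then
            reason="exec-bit"
        elif [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            reason="shebang"
        else
            case "$f" in *.pl|*.sh|*.php|*.py|*.c|*.cgi) reason="script-ext" ;; esac
        fi
        [ -n "$reason" ] || continue
        printf '%s %s %s\n' "$reason" "$(stat -c '%A %U' "$f")" "$f"
    done | sort -k4
}

# mount_noexec_state DIR [MOUNTS_FILE]
# Prints "noexec" if the mount holding DIR carries the noexec option, else
# "exec". Picks the longest mount point that is a prefix of DIR, and the
# later entry on a tie (matching how the kernel resolves overmounts).
# MOUNTS_FILE defaults to /proc/mounts; pass a file to check offline.
mount_noexec_state() {
    local dir="$1" mounts="${2:-/proc/mounts}" src mnt fstype opts rest
    local best="" bestopts="" have=0
    if [ -d "$dir" ]; then dir=$(cd "$dir" && pwd -P); fi
    while read -r src mnt fstype opts rest; do
        mnt="${mnt%/}"                       # "/" becomes "" and matches all
        if [ "$dir" = "$mnt" ] || [[ "$dir" == "$mnt"/* ]]; then
            if [ "$have" -eq 0 ] || [ "${#mnt}" -ge "${#best}" ]; then
                best="$mnt"; bestopts="$opts"; have=1
            fi
        fi
    done < "$mounts"
    case ",$bestopts," in
        *,noexec,*) echo noexec ;;
        *)          echo exec ;;
    esac
}

# find_module DOCROOT NAME
# Lists directories named NAME (case-insensitive), e.g. my_egallery, so the
# accounts running a module with a known issue can be found and patched.
find_module() {
    find "$1" -xdev -type d -iname "$2" 2>/dev/null | sort
}

# Usage on the server:
#   tmp_suspects /tmp
#   mount_noexec_state /tmp
#   find_module /home my_egallery
```

Note that noexec on /tmp only stops direct execution; an attacker can still run "perl /tmp/x.pl" or "sh /tmp/x.sh" through an interpreter, so treat the mount option as one layer and the file listing as the thing to actually read.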

  8. #8
    Member
    Join Date
    Sep 2004
    Posts
    529


    Look through your httpd logs (if they haven't been wiped) for suspicious activity near the time of the timestamps on the modified files. If the files are indeed owned by root, then you need an OS reload. If not, you should be able to clean up, plug the hole, and make sure that nothing else was touched.
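An added example (not from the thread) for the log check this reply recommends: given the change-time window of the defaced files, print the access_log requests in that window and filter them for patterns that commonly mark a web-script exploit (a URL passed as a parameter, directory traversal, /tmp/ paths, wget/curl/chmod, a cmd= parameter). Timestamps are parsed from the standard Apache combined format with plain awk arithmetic, so it does not need gawk's mktime or GNU date. The log path in the usage comment is a typical cPanel location (an assumption), the sample log lines in the test are constructed, and the suspicious-pattern list is a starting point rather than a complete one.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Correlates Apache access_log entries
# with the change time of defaced files (reply #8). Portable awk: the
# timestamp arithmetic is done inline rather than with gawk's mktime().
set -u

# log_window LOGFILE START END [SLACK]
# Prints log lines whose request time falls in [START-SLACK, END+SLACK].
# START/END are epoch seconds (e.g. from stat -c %Z on the defaced files),
# SLACK is in seconds (default 600). The per-line zone offset is applied, so
# a log from a server in any timezone compares correctly against epoch ctimes.
log_window() {
    local log="$1" start="$2" end="$3" slack="${4:-600}"
    awk -v lo="$((start - slack))" -v hi="$((end + slack))" '
    # days since 1970-01-01 for a proleptic Gregorian y/m/d
    function dfc(y, m, d,    era, yoe, doy, doe) {
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    {
        ts = $4; sub(/^\[/, "", ts)          # 10/Oct/2002:13:55:36
        tz = $5; sub(/\]$/, "", tz)          # -0700
        if (split(ts, p, "[/:]") != 6 || !(p[2] in mon)) next
        off = substr(tz, 2, 2) * 3600 + substr(tz, 4, 2) * 60
        if (substr(tz, 1, 1) == "-") off = -off
        t = dfc(p[3] + 0, mon[p[2]], p[1] + 0) * 86400 + p[4] * 3600 + p[5] * 60 + p[6] - off
        if (t >= lo && t <= hi) print
    }' "$log"
}

# log_suspicious
# Filters stdin for request patterns typical of PHP/CGI script exploits.
# Exits 0 whether or not anything matched: grep's "no match" is not an error here.
log_suspicious() {
    local pat='=(https?|ftp)://|\.\./|/tmp/|wget|curl|chmod|cmd='
    grep -Ei -- "$pat" || [ $? -eq 1 ]
}

# Usage (typical cPanel log path; window = ctime of the defaced files):
#   log_window /usr/local/apache/logs/access_log 1034283336 1034283336 | log_suspicious
```

Run log_window first without the filter and read everything in the window: the request that actually planted the files is often an ordinary-looking GET or POST to an upload or include script, and only the follow-up requests carry obvious payloads. If the logs have been truncated, the gap itself is evidence and points back to the root-compromise reading of the thread.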

  9. #9
    Member
    Join Date
    Jan 2004
    Posts
    252


    If it is a root compromise I strongly recommend an OS reinstall, rather than trying to clean the box up.
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters
