  1. #1 Registered User (joined Jan 2005, posts: 1)

    server hacked - thoughts?

    2 days ago a hacker was able to obtain root access and then run a script that replaced every index.php file on our server with this wonderful page:
    http://netphonereview.com/

    The account he got in through had phpBB running on it (a point of break-in in the past). The public_html folder in that account was changed to be owned by '507'. There also appear to be malicious binaries in /dev/shm and /dev/shm/psybnc.

    The question is: we had the datacenter security team look into this and they claim that our 2.6.x kernel may be outdated, and that we should do an OS Reload. Our administrator says the kernel is fine, and that phpBB is the sole problem. Does anyone have any thoughts on this?

    Neil
    Last edited by hmseas; 05-15-2005 at 12:02 PM.
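    As an added example (not code from any poster in this thread), a read-only triage script for the two artefacts the post describes: files whose owner is a numeric UID with no passwd entry (the public_html directory owned by '507') and executables dropped into a tmpfs such as /dev/shm. The /home layout, the three-day window and the script name are assumptions; it only lists, it changes nothing, and on a suspected root compromise it should be run from a rescue boot because the system's own find and ls are no longer trustworthy.

```shell
#!/bin/sh
# Added triage helper, not from the thread. All paths are parameters; nothing
# here modifies the filesystem.

# Files and directories under $1 whose owner or group no longer maps to
# /etc/passwd or /etc/group (e.g. a public_html tree owned by '507').
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -exec ls -ldn {} \; 2>/dev/null
}

# Regular files under $1 with the owner-execute bit set. /dev/shm normally
# holds no executables at all, so any hit is worth preserving and examining.
find_executables() {
    find "$1" -type f -perm -100 2>/dev/null
}

# index.php files under $1 modified within the last $2 days, to bound the
# timeline of a mass index.php replacement.
find_recent() {
    find "$1" -type f -name 'index.php' -mtime "-$2" 2>/dev/null
}

# Full report. Assumed usage: sh triage.sh /home 3
triage() {
    home_root="${1:-/home}"
    days="${2:-3}"
    echo "== files with unknown owner/group under $home_root =="
    find_unowned "$home_root"
    echo "== executables in /dev/shm =="
    find_executables /dev/shm
    echo "== index.php files changed in the last $days days =="
    find_recent "$home_root" "$days"
}

if [ -n "${1:-}" ]; then
    triage "$1" "${2:-3}"
fi
```

    Pair the output with the datacenter's question about the kernel: if find_unowned reports ownership changes outside the phpBB account, or the executables in /dev/shm ran as root, the "phpBB is the sole problem" theory no longer holds on its own.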

  2. #2 chirpy, Super Moderator (account confirmed by cPanel staff to represent a vendor; joined Jun 2002, location: Go on, have a guess, posts: 13,495)


    Are you sure it was a root compromise? A root compromise is not necessary to achieve what you describe if you haven't protected yourself with phpsuexec (even with it enabled it's still possible). Outdated phpBB installations are quite likely to be the initial point of entry.

    If you have experienced a root compromise you will need to have an OS reload done and if the kernel is out of date, that will need upgrading. If not, have a read of this thread:
    http://forums.cpanel.net/showthread.php?t=30159

    Or consider hiring someone to do it for you.
    Jonathan Michaelson

    Need your cPanel servers secured and tuned?
    cPanel Server Configuration, Security, Recovery and Antivirus/AntiSpam Services
    Developers of the most effective (and free) Firewall & Security Solution for cPanel Servers - csf
    http://www.configserver.com

  3. #3 Member (joined Mar 2002, posts: 33)


    Does installing phpsuexec wreck any already installed scripts or have any other issues?

    Or, is it just a matter of updating apache and away you go?

    Many thanks

  4. #4 chirpy, Super Moderator (account confirmed by cPanel staff to represent a vendor; joined Jun 2002, location: Go on, have a guess, posts: 13,495)


    It can cause the following issues:

    1. php related .htaccess directives have to be moved to a local php.ini file instead

    2. The HTTP_AUTH access control method does not work (you usually need to replace it with htpasswd files)

    3. Stricter directory and file permissions are imposed, so you need to ensure directories that contain php files do not have 777 permissions enabled, for example.

    Other than that, it's usually fine. Generally, though, it's usually a good idea to enable it on a server before you put clients on, but you can firefight it once enabled on a loaded server.
    Jonathan Michaelson


  5. #5 Member (joined Oct 2002, posts: 751)


    Quote, originally posted by chirpy:
        if you haven't protected yourself with phpsuexec (even with it enabled it's still possible). Outdated phpBB installations are quite likely to be the initial point of entry.

    I still don't quite understand how it's possible to replace the index files in all accounts without phpsuexec. How is that done if the index files are set to 644?

    I assume user nobody first needs to change file permissions on (index)files in the public_html directories to get write access to it? (haven't tried that myself)

  6. #6 chirpy, Super Moderator (account confirmed by cPanel staff to represent a vendor; joined Jun 2002, location: Go on, have a guess, posts: 13,495)


    Yup. With phpsuexec disabled, all php scripts on the server run as nobody. Since nobody has access to all the web files on all sites (it must have at least read access), at the very least they can read php script files and easily get MySQL database passwords, for example, which are very often set up the same as users' cPanel passwords. Or direct access to htpasswd protected areas.

    As you say, if people have their pages set to 666, anyone on the server can then modify them; if you set them to 644 you cannot do it so easily - you'd need to invoke a local root compromise or, as above, go password trawling through files.

    If you have phpsuexec enabled, you're restricted by normal file permissions and ownerships, which makes security much simpler. Also any files created are under your account's username, making tracking problems much simpler too.
    Jonathan Michaelson

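    As an added example (not from chirpy or cPanel), a permission audit covering both point 3 of post #4 and the 666/644 discussion in post #6: it reports world-writable files, world-writable (777) directories that hold .php files, and world-readable config.php files that any script running as nobody could read for database passwords. The /home/<account>/public_html layout and the config.php filename (phpBB's settings file) are assumptions; the script only reports and changes no modes.

```shell
#!/bin/sh
# Added permission audit, not code from the thread. Assumed tree layout:
# /home/<acct>/public_html. Nothing here changes permissions.

# Every world-writable regular file under $1 (mode 666 and friends).
writable_files() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Every world-writable directory under $1 that directly contains a .php file;
# these are exactly the directories phpsuexec will refuse to execute from.
writable_php_dirs() {
    find "$1" -type d -perm -002 2>/dev/null | while IFS= read -r dir; do
        for f in "$dir"/*.php; do
            if [ -e "$f" ]; then
                printf '%s\n' "$dir"
                break
            fi
        done
    done
}

# config.php files under $1 readable by other local users (and so by nobody).
readable_configs() {
    find "$1" -type f -name 'config.php' -perm -004 2>/dev/null
}

# Combined report for a tree such as /home.
audit_web_perms() {
    root="$1"
    writable_files "$root"    | sed 's/^/WORLD-WRITABLE file: /'
    writable_php_dirs "$root" | sed 's/^/WORLD-WRITABLE dir with php: /'
    readable_configs "$root"  | sed 's/^/WORLD-READABLE config: /'
}

# Suggested fix, applied by hand after review: 644 on files, 755 on directories,
# and 600 on config.php once phpsuexec makes the account owner the runtime user.
if [ -n "${1:-}" ]; then
    audit_web_perms "$1"
fi
```

    Run it before enabling phpsuexec as well as after: the 777 hits are the scripts that will break on the switch, and the world-readable config hits are the ones that stay a problem until their modes are tightened, because a shared nobody user can read them whether or not phpsuexec is on.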

  7. #7 Member (joined Jan 2004, posts: 252)


    What is the kernel version you are using?
    Rack911.com - Competent Server Administration
    Server Security - Administration - Managed Servers - Optimization - High Traffic Clusters
