Exploited Servers

[nxds]

Hi,

Several of our CPanel servers were recently exploited such that index.html files were added to several websites and index.htm files were modified with an iframe line containing the string mlm-norway and uppercase characters changed to lower case in index.htm.

The modified and new files were owned by the account hosting the website. Only a subset of the websites hosted on the servers were modified.

The exploited servers were running CentOS 4.2 and the latest Cpanel. Rkhunter and chkroot come back negative.

Does anyone recognise this attack and can anyone tell me what vulnerability has been exploited to do this?

I have installed apf, bfd and mod-security on all the servers and restricted ssh access to certain addresses and users. What else can I do to prevent these attacks succeeding?

Thanks.

 

[dalem]

you have a php exploit i would check the domlogs of the affected account(s) if its the same hacker then the "several websites" may be running the same eploitable scripts or its just a coincidence find the exploit and add to you mod_sec rules


and make sure you check & clean your tmp files


can't really tell you if we recognize it when we dont know what was exploited

 

[rs-freddo]

More than likely it's the WysiwygPro exploit. Check if the account had WysiwygPro folder.

 

[Dattatec]

More than likely it's the WysiwygPro exploit. Check if the account had WysiwygPro folder.

Add this in yor php.ini:

disable_functions = shell, shell_exec, exec,allow_url_fopen,system_exec, proc_open, proc_close,proc_nice,
proc_terminate,proc_get_status,escapeshellarg,passthru, escapeshellcmd,popen ,system, mkfifo, pcntl_exec

More easy than install firewalls :P

 

[brianoz]

Add this in yor php.ini:

disable_functions = shell, shell_exec, exec,allow_url_fopen,system_exec, proc_open, proc_close,proc_nice,
proc_terminate,proc_get_status,escapeshellarg,passthru, escapeshellcmd,popen ,system, mkfifo, pcntl_exec

More easy than install firewalls :P

Might be "more easy than install firewalls" but it makes PHP largely useless. Be careful with this one. Mod_security is probably a better way of safeguarding your server.

 

[AndyReed]

Might be "more easy than install firewalls" but it makes PHP largely useless. Be careful with this one. Mod_security is probably a better way of safeguarding your server.

That's true. Do NOT add these directives in php.ini. Remove APF and BFD as they don't have as great of value of security as many people might think. Clean up this mess and secure your server.

 

[dreamwiz]

Remove APF and BFD as they don't have as great of value of security as many people might think. Clean up this mess and secure your server.

Would you mind explaining how removing APF and BFD would increase security? IMHO they are valuable part of securing server.

 

[chirpy]

Indeed. What a load of rubbish. BFD and APF add massively to server security and to say otherwise is ridicuous unless you are proposing replacing them with something different, which is fine, but you need to give better advice than simply recommending people remove their iptables firewall scripts

 

[AndyReed]

Indeed. What a load of rubbish.

Let's be respectful of each other, Mr. moderator. This is very inappropriate and you wouldn't like it if I say the same thing about any of your postings. It is my opinion and if you don't like it, ignore my posting. I don't think I offended you or any body with my suggestion. Thank you, sir

 

[dave9000]

To some extent I agree with Andy on the value of APF and BFD

%99 of the server exploits come in on a valid port usually port 80

This said mod_security, snort intrusion protection offer a lot more protection for your server than a firewall.

If you modify your ssh port to something besides 22 BFD is rendered mostly useless due to the fact %99 of the brute force attacks come in on port 22 at the hands of script kiddies

the APF and BFD have their uses but they are not going to secure your server. They help but you need intrusion protection worse than firewall

 

[chirpy]

Let's be respectful of each other, Mr. moderator. This is very inappropriate and you wouldn't like it if I say the same thing about any of your postings. It is my opinion and if you don't like it, ignore my posting. I don't think I offended you or any body with my suggestion. Thank you, sir

No. Sorry, but recommending people disable their firewalls is downright irresponsible. If you want to disable yours, go ahead, but don't go around recommending other people open themselves up to attacks that I would be very happy to list in detail. I sincerely hope everybody ignores your post, not just me.

 

[AndyReed]

If you want to disable yours, go ahead, but don't go around recommending other people open themselves up to attacks that I would be very happy to list in detail. I sincerely hope everybody ignores your post, not just me.

In one of the threads, you agreed that APF and BFD were not as good. One day you say something, the next day you say the opposite. That's weird. Read your own words: http://forums.cpanel.net/showthread.php?t=50745

Why did you attack my posts, and me personally? Have you ever heard of net-etiquettes? Just in case, there are commonsense net-etiquettes every body should observer:

"- Avoid criticism and sarcasm.
- No flaming.
- Be POLITE in your email message or other postings; apply the same general rule of politeness you would if you were talking to a person on his or her face."
(this was taken from AACC Web site where you can read more about net-etiquettes at: http://ola.aacc.cc.md.us/csi147/NetEtiquettes.htm)

 

[Lyttek]

In one of the threads, you agreed that APF and BFD were not as good. One day you say something, the next day you say the opposite. That's weird. Read your own words: http://forums.cpanel.net/showthread.php?t=50745

I read the post you mentioned. First, there's a difference between an exploit and a DOS/DDOS. For the latter, having it blocked via hardware by the upstream router IS better than having to deal with it on your server. For the former, you have to fix it/work around it on your server, so trying to block it via hardware isn't going to work.

Different tools for different problems. So, either you're trying to start some "totally combustible" war, don't know how to read context, or are mis-informed. In any case, given the arguments you've put forth, Chirpy didn't contradict himself, and removing APF/BFD is still a bad idea.

 

[gorilla]

I read the post you mentioned. First, there's a difference between an exploit and a DOS/DDOS. For the latter, having it blocked via hardware by the upstream router IS better than having to deal with it on your server. For the former, you have to fix it/work around it on your server, so trying to block it via hardware isn't going to work.

Different tools for different problems. So, either you're trying to start some "totally combustible" war, don't know how to read context, or are mis-informed. In any case, given the arguments you've put forth, Chirpy didn't contradict himself, and removing APF/BFD is still a bad idea.

I second that objective statement !

 

[brianoz]

I've actually found APF a help, it does make it a lot easier to block sites, and for a completely naive user it is great for that.

Be careful with BFD though - it can block legitimate users, for instance, if they leave their FTP client running retrying the wrong password their whole IP will be blocked by BFD, not nice, and something that adds to admin work. If you add /etc/relayhosts to BFD's exclude.files that will prevent that happening. On my system that looked like:

echo /etc/relayhosts >>  /usr/local/bfd/exclude.files

One important point here. People often think that a firewall is a magic cure-all, perhaps because of the name. A firewall is only one tool in your toolkit - if you could just block everything you'd be as safe as houses, but obviously you can't!!

 

[XPerties]

In one of the threads, you agreed that APF and BFD were not as good. One day you say something, the next day you say the opposite. That's weird. Read your own words: http://forums.cpanel.net/showthread.php?t=50745

Why did you attack my posts, and me personally? Have you ever heard of net-etiquettes? Just in case, there are commonsense net-etiquettes every body should observer:

"- Avoid criticism and sarcasm.
- No flaming.
- Be POLITE in your email message or other postings; apply the same general rule of politeness you would if you were talking to a person on his or her face."
(this was taken from AACC Web site where you can read more about net-etiquettes at: http://ola.aacc.cc.md.us/csi147/NetEtiquettes.htm)

I didn't see chirpy attacking your post at all. In a more direct comment to your post what I did see is a server management company make a ridiculous statement and tell others to remove their firewall protection. That is an ignorant statement and in kinder words chirpy was only making that exact point.

Continuing to defend such a statement in this thread is not making you look at better.

Having a firewall up - Free if you use APF
Having your server management company tell you that you don't need one - Priceless :D

 

[paulius]

Having your server management company tell you that you don't need one - Priceless

There are some things that money can't buy, for everything else, there's cPanel.

I think that a firewall is not 100% required but it does add an extra layer of security. I would personnaly never put a unprotected server out on the Internet.

PHP hardening is also important but also it's important to instruct users to update their scripts!

 

[dave9000]

Note to my previous post.

I myself did not say no firewall I just said do not depend on it as a catch all security device

We run cisco access lists , hardware firewall, active intrusion protection, hosts.deny and hosts.allow lists , mod_security, phpsuexec, suexec, secured tmp, compilers disabled, wget disabled except for root, all updates maintained and we are subscribed to several security maillists that send us the latest exploits.

and we still have had some php exploits get through on occasion.

but luckly with all the layers of security we have we have been able to limit damage to the individual user.

 

[twhiting9275]

Remove APF and BFD as they don't have as great of value of security as many people might think.

And while you're at it, set all your passwords to test123 and make a public list of the accounts on those. C'mon now, that's just riiiiiiidiculous.

APF and BFD have a great value in security. They're not the only things that should be used, but still, come on now, removing them, is ridiculous.

APF/BFD won't , however, stop this type of thing from happening. That's not their job. Properly securing your server and keeping it secure, however, will.

This isn't as much a "server security" thing, however, as a "script security" thing. Sure, server security might be able to handle this, but at what extent? The server would be virtually useless. At some point, it becomes the responsibility of the user to secure their code.

I think that a firewall is not 100% required but it does add an extra layer of security.

A firewall is, indeed a 100% necessity. Keep in mind though, that APF isn't a "firewall" in and of itself, it's a frontend to iptables, the actual firewall.

 

[mctDarren]

Remove APF and BFD as they don't have as great of value of security as many people might think.

Really hate to jump on this bandwagon, but ... in defense of Mr Reed, APF isn't really a firewall. It's a front-end to iptables. Now, having said that - security is all about layers of protection. The more you have, the better off you are. He's right in that they might give some folks a false sense of protection. He's wrong that because of that you should remove it.