Root Access?

[noimad1]

Did that latest bulletin about upgrading becuase of a security risk mean that users could get ahold of the root user on a server?

I just had a server hacked, and just realized that particular server wasn't upgraded when we did all of the upgrades.

This user got full root access, and defaced all of our websites. This is the first time I've ever been hacked at the root level.

I'm wondering if they did this using this security problem...

 

[designeru]

Answers...

Did that latest bulletin about upgrading becuase of a security risk mean that users could get ahold of the root user on a server?

Yes.

I'm wondering if they did this using this security problem...

Did he left any logs? Are you sure it was a root level hack?

 

[noimad1]

Yes.


Did he left any logs? Are you sure it was a root level hack?

The files he was running were owned by root, and he defaced every site on the server.....

 

[lbccserv]

damnit, i just got rooted too. changed every index on the site. definately root. ****.

 

[lbccserv]

wait but i was fully patched.

 

[noimad1]

wait but i was fully patched.

That is scary. What version of cpanel?

 

[lbccserv]

10.9 c43... i was running 2.4.22-1.2115.nptl. Im not saying it was cpanel, but i dont know what else would have dropped him into root. I havent seen any really bad kernel exploits for 2.4

 

[dgbaker]

Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.

 

[cPDan]

Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.

Excellent point, also several other common PHP scripts do this also (at times even just because its PHP - think XSS from a simple phpinfo script that was finally fixed just recently).

Make sure /tmp is tight and your PHP is not too loose.

I know of some comapanies offering hosting servers that do not have PHP on them (since its then faster and more secure) and they report *no* hackings on those vs their PHP ones with constant issues and monitoring for well intentioned but nevertheless destructive PHP scripts)

The trick is educating people on alternative projects to replace their PHP based stuff and helping them do so. but thats a whole other thread

 

[mctDarren]

The current Moodle exploit is the soup du jour this week, could be that... could be one of a hundred different php holes open at the moment. :D

Fixed typo.. :/

 

[LS_Drew]

Check if any users are using FlashChat for VB, there is a known security hole in unpatched FlashChat that will do exactly this.

How is FlashChat for VB going to give someone root? A shell, sure, but root?

 

[dgbaker]

Take a look at the VB forum with regards to this. It does and did happen.

From SecurityFocus
FlashChat Multiple Remote File Include Vulnerabilities

FlashChat is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input to the application.

An attacker may leverage this issue to have an arbitrary remote file containing malicious script code execute in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system. Other attacks are also possible.

FlashChat 4.6.1 and previous versions are vulnerable.

 

[jester.ro]

i don't get this.
php security holes, xss and remote file inclusion is something we deal with everyday.

but gaining root from one of these exploits?
then how about a malicious user that is hosted on a server?
he has nobody user, and his own user to do evil stuff.

that would mean that NO server is secure, not only those running exploitable php scripts.

 

[jugo]

That is not root access...

That index page defacement is not a "root" based attack. It is XSS using vulnerabilities in shotty PHP scripts like vWar and PHP-Nuke.

The best way to stop those is to implement restrictive MOD_SECURITY rules liek the ones from gotroot.

 

[Skyline_GTR]

how can I possibly fixed the problem? since I have a server that has been infected and most of the websites have a iframe which lead to a trojan website.. how can I fix the problem?


Please help!

 

[mikeroq]

This guy got my site like 10 times, he would delete all my files, and after I had reuploaded them all, he would delete it again.

His name is Vibutx, watch out.

 

[noimad1]

how can I possibly fixed the problem? since I have a server that has been infected and most of the websites have a iframe which lead to a trojan website.. how can I fix the problem?


Please help!

The best thing to do would be to reload your OS and Cpanel, then restore all of your files from a backup if you have one before the attack. Then make sure your OS and Cpanle are both up to date and patched.

That's what we did on our server. It has been a huge nightmare. I hope the patches take care of this issue and it doesn't happen again...

 

[Murtaza_t]

how can I possibly fixed the problem? since I have a server that has been infected and most of the websites have a iframe which lead to a trojan website.. how can I fix the problem?


Please help!

The best way would be intallating rootkit which will repair all your ssh command if they are infected and will also take care of any torjan installed. And just replace the index pages.. as far as I know they replace only index pages.. AND also try and get some good mod_sec rules.

And also UPCP --force.. that will over write complete cpanel which is as good as intalling new cpanel software. You might also need to reinstall customized skins as upcp will skip them.

You can also write a bash script that will check and list the files that has iframes in them.

 

[Skyline_GTR]

My forum has been affected and everytime when I make a quick reply, it will have this iframe under the last post.. however when I disable javascript, this won't happen..

As well, for my other websites, I looked at the index and the templates but I couldn't find any iframe codes at all..

 

[Murtaza_t]

My forum has been affected and everytime when I make a quick reply, it will have this iframe under the last post.. however when I disable javascript, this won't happen..

As well, for my other websites, I looked at the index and the templates but I couldn't find any iframe codes at all..

This is what you should follow:
1. Backup forums.
2. Backup Database
3. Uninstall forums.
4. Install new forums.
5. Restore database.
6. Moves images/upload folder in to new installation.

If that does not help you will need to check your database as it might be affected then.