Server Hacked - Found out how

Hello,

We just got on of our servers hacked.
Seems that first hackers used XSS exploits to upload some scripts.
We secured that with latest mod_sec rules from gotroot.com
Unfortunately we did not find those uploaded scripts.
And now when they cannot use XSS anymore they used those scripts to find the users and passwords from the server.
They listed users from /var/mail and changed the passwords of account.
Then they connected to ftp and uploaded/deleted files from the other accounts.
Also they inserted iframes in others.

I am installing suhosin now and put php in safe_mode for now and disabled functions: exec, popen, pclose, ini_set

Also they have a perl script that can make symlinks to other accounts: they used the function symlink() from perl.
How can I disable that for perl?

I will update you on how it's going and you are welcome to let me know some tips on how to secure it better

PS: the script name is EgY SpIdEr ShElL

 

I do not think root was compromised.
I checked the cpanel login logs and there were thousands of failed logins.
Seems that they actually used brute-force.
But since the logins were attempted from localhost Brute-Force protection from cpanel didn;t banned them as they are automatically whitelisted or it does not even go trough it.

 

Yes. It most likely.
Seems that they hacked about 50 websites with those scripts.
It is unbelievable how many things you can do with php running in suphp, with open_basedir in effect and other security.
It's like having no security at all.

 

I have installed suhosin but it did not did protect the server against php vulnerabilities.

You can still see and edit files from /etc.
I have disabled these functions in php:

Also it seems that php can include files from /etc.... and other dirs.
Why? phpsuexec and suphp are enabled. Also open basedir from cpanel security is enabled.

Why and how can I prevent that?

 

We have investigated this issue and found the following:

Problem:

1. A php shell script (which contain numerous php/apache/zend vulnerabilities) has been uploaded trough a XSS attack.

2. Script has been used to gather usernames from the servers.

3. Script has modified the passwords of the accounts located in /etc/passwd

4. Hackers connected from different IPs to the FTP accounts and uploaded/deleted files.

Solution:

1. Upgrade to Apache 2.2 with latest PHP versions (currently 5.2.10)! (a must)! and compile with suhosin, suphp, suexec!

2. Install mod_Security from cpanel addons!

3. Install mod_security rules from gotroot.com (they have a free rules download also).

4. Install clamv addon from cpanel.

5. Forbid the following functions in php:

Please note that some functions like realpath or chdir may be used by some websites.

5. Enable FTP TLS Encryption Support as Required!

6. Change your SSH port to something else.

7. Enable Brute-Force protection.

8. Install firewall.

9. Configure SUHOSIN so it will disable eval function (note that this is a good protection but many legit scripts use this function and could cause issues. but you can whiteliste and blacklist accounts that can use this function - see suhosin docs)

10. Update kernel to latest version. Seems that Linux Kernel 2.6.18-128.1.6 which we had on CentOS 5.3 is vulnerable.

We found that the shell scripts uploaded were base64 encoded.

Use this search command in ssh to find files that are base64 encoded and take a look at them as they may be backdoors:

Replace "/home" with your path.

Also find files that are using php command: "posix_getpwuid" as this is how they list the server's usernames!

There are other vulnerabilities with zend also!
Even if you enable Safe Mode in PHP they can still list /etc/passwd or any other system file even though Open_basedir restriction is enabled.
We are still investigating this and I will update you as soo as we have a solution.

Also we found another Perl script that came with the shell code above.
It uses the symlink() function to create symlink into vulnerable account to any other account or directory in server. this way they have access to everything.

If someone has more ideas how to secure the server againts these vulnerabilities please let us know.

I will also keep you updated.

Thanks.

PS: I can provide the shell scripts used to hack the server. They contain latest exploited vulnerabilities. Just PM me.