server hacked into through mambo/joomla

romanus

Well-Known Member
Jul 17, 2004
68
0
156
This person uploaded something called c99shell script which basically let the user upload files to his heart's content anywhere inside that domain's file structure. Can anyone point me at where I might find log files from 2 days ago that would let me know how they originally uploaded this script?
 

nwilkens

Well-Known Member
May 4, 2006
59
0
156
Monroe MI
cPanel Access Level
DataCenter Provider
Logs

Check your FTP logs and your webserver logs. It could be possible that the file was uploaded via FTP also.

Web logs may be located under /usr/local/apache/logs/ and /usr/local/apache/domlogs/

FTP logs about transfers may be in /var/log/messages.

Thanks,
Nick
 

romanus

Well-Known Member
Jul 17, 2004
68
0
156
I found the shell in a couple of other places in this domain. I took the domain offline. I can't use my weekly backup as it was written today for some stupid reason.

What is the best way to rebuild a domain? Can I just create the directories having mv'd the old domain or should I delete the account and start over?
 

sparek-3

Well-Known Member
Aug 10, 2002
2,148
265
388
cPanel Access Level
Root Administrator
This is why it is so important for users to keep their scripts up-to-date. Mambo and Joomla are known to have some security vulnerabilities. These extend into the extensions and addons available for these scripts.

It has been my experience that end users believe they can install a script and then never touch the script again. This is just not the case. If you install a script, whether it's Joomla, Mambo, phpBB, SMF, or vBulletin, it doesn't matter, you have to keep that script up-to-date. If the scripts are not kept up-to-date, then those scripts become vulnerable should any vulnerabilities be disclosed for those scripts.

You should be able to search the domlogs and find the script that was responsible for this. You would need a timestamp from the malicious file, when it was created on the server, then your domlogs should show a script being executed around that time and it's likely the vulnerability is in that script.

Further from this, I would suspect that an account somewhere on your server is running an out-of-date script. If you are sure that the exploit was through a Mambo or Joomla script on a particular account, then I would check the versions of Mambo and Joomla installed on that account and the versions of any extensions or addons, I suspect somewhere you will find outdated material. These scripts would need to be updated to seal the security hole.
 
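The log search nwilkens and sparek-3 describe, as an added example (not code from either poster): take the modification time of the dropped file (what `stat` shows), then pull every request in the domain's combined-format access log from the minutes around it and count which scripts were hit, from which addresses, and which of those requests were POSTs. The log lines, timestamps, addresses and the `com_facileforms` component path below are constructed sample data; the script only reads `/usr/local/apache/domlogs/<domain>` when you point it at that file.

```python
import os
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# cPanel writes per-domain access logs in Apache "combined" format to
# /usr/local/apache/domlogs/<domain>; this pattern matches that format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log: an ordinary visitor, then one address that hits the
# form component, POSTs to it, and a few seconds later fetches a new PHP file.
SAMPLE_LOG = """\
198.51.100.7 - - [31/Jul/2006:02:58:41 -0500] "GET /index.php?option=com_content HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.45 - - [31/Jul/2006:03:12:03 -0500] "GET /index.php?option=com_facileforms HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
203.0.113.45 - - [31/Jul/2006:03:12:09 -0500] "POST /index.php?option=com_facileforms HTTP/1.1" 200 311 "-" "Mozilla/4.0"
203.0.113.45 - - [31/Jul/2006:03:12:15 -0500] "GET /images/c99.php HTTP/1.1" 200 29871 "-" "Mozilla/4.0"
198.51.100.7 - - [31/Jul/2006:03:40:00 -0500] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
this line is not in combined format
"""

def parse_ts(text):
    """Apache log timestamp ("31/Jul/2006:03:12:15 -0500") to an aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Parse one combined-format line; return a dict, or None if the line is malformed."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = parse_ts(rec["ts"])
    return rec

def file_mtime(path):
    """Modification time of the suspicious file as an aware datetime (same instant `stat` shows)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def requests_near(lines, when, minutes=5):
    """Requests whose timestamp is within +/- `minutes` of `when`, oldest first.
    Aware datetimes compare correctly even if log and file use different offsets."""
    lo, hi = when - timedelta(minutes=minutes), when + timedelta(minutes=minutes)
    hits = [r for r in map(parse_line, lines) if r is not None and lo <= r["time"] <= hi]
    return sorted(hits, key=lambda r: r["time"])

def summarize(hits):
    """Which scripts were hit inside the window, which of them received POSTs
    (a file upload through a web form arrives as a POST), and requests per address."""
    script = lambda r: r["path"].split("?", 1)[0]
    scripts = Counter(script(r) for r in hits)
    posts = Counter(script(r) for r in hits if r["method"] == "POST")
    ips = Counter(r["ip"] for r in hits)
    return scripts, posts, ips

if __name__ == "__main__":
    import sys
    # Usage: python find_entry.py /usr/local/apache/domlogs/example.com /home/user/public_html/images/c99.php
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
        when = file_mtime(sys.argv[2])
    else:  # no arguments: run against the constructed sample
        lines = SAMPLE_LOG.splitlines()
        when = parse_ts("31/Jul/2006:03:12:15 -0500")
    hits = requests_near(lines, when)
    scripts, posts, ips = summarize(hits)
    for r in hits:
        print(r["time"].isoformat(), r["ip"], r["method"], r["status"], r["path"])
    print("scripts hit:", dict(scripts), "POSTs:", dict(posts), "per IP:", dict(ips))
```

Widen the window if the file's mtime was reset (the shell itself can touch files, and a copy made with `cp` gets a fresh mtime), and run the same search over the FTP entries in /var/log/messages for that window, since nwilkens' point stands: the web log only shows the entry if it came through the web server.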

mohit

Well-Known Member
Jul 12, 2005
553
0
166
Sticky On Internet
Hi,
What kind of hack was this? Was this a root exploit, or did it affect only one account on the box?

Many people here post that the server has been compromised when only a specific a/c is affected.

Were you allowing the site owner SHELL ACCESS?
Did you have "php open_basedir protection" enabled?


If there was a root privilege escalation from a user a/c, or the hacker gained root access to the server, you should NOT TRUST the OS installation anymore. As recommended by each and every advanced user here, you must get the OS RELOADED, because you would never be able to find out where and what holes they have made.


See ya,
mohit
 

AndyReed

Well-Known Member
PartnerNOC
May 29, 2004
2,217
4
193
Minneapolis, MN
This person uploaded something called c99shell script which basically let the user upload files to his heart's content anywhere inside that domain's file structure.
You need to double check and make sure that your server has not been compromised. The standard approach to proving that a rootkit has been installed on a particular system is to scan your server with two applications: rkhunter and chkrootkit. Good luck!
 

romanus

Well-Known Member
Jul 17, 2004
68
0
156
It was definitely an old version of Mambo running a component called Facile Forms. The hacker turned my system into a spam relay and was able to upload several PHP scripts in order to send several thousand emails out, enough to get this server listed at Spamhaus.

I found several copies of the offending script in different directories on the server, and as far as I can tell, looking through all the logs that I know how to look at, the person came in on the 31st. His IP address was and still is 200.112.153.28.

It looks like he only had access to the user directory that he hacked into. I am manually rebuilding that now. I looked for an SQL injection, but haven't found one yet.

Thanks for all your advice.
 
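romanus found copies of the shell in several directories. As an added example (not the poster's own work, and separate from the rkhunter/chkrootkit check AndyReed mentions, which looks at the OS rather than the site files), here is the kind of sweep that turns those copies up: every PHP file under a document root modified since the intrusion time that contains calls a webshell or a spam mailer needs and a normal page rarely does. The indicator list is mine, and the fixture files are constructed, inert strings that exist only to exercise the scanner.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# PHP calls that a dropped webshell or spam script nearly always contains and a
# normal site page rarely does. A hit is a lead for a human to read, not a verdict.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "command_exec": re.compile(r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\("),
    "file_upload": re.compile(r"\bmove_uploaded_file\s*\(|\$_FILES\b"),
    "mail": re.compile(r"\bmail\s*\("),
    "c99_marker": re.compile(r"c99", re.IGNORECASE),
}
PHP_EXT = (".php", ".php3", ".php4", ".php5", ".phtml", ".inc")

# Constructed fixture tree (not real malware): one clean recent page, one legitimate
# mail() script that is older than the cutoff, one shell-like file, one mailer/uploader.
FIXTURES = {
    "index.php": "<?php include 'configuration.php'; echo 'hello'; ?>\n",
    "components/com_oldform/form.php": "<?php mail($to, $subj, $body); ?>\n",
    "images/stories/c99.php": "<?php /* c99shell */ eval(base64_decode($_POST['c'])); ?>\n",
    "tmp/send.php": "<?php foreach ($list as $r) { mail($r, $s, $m); } "
                    "move_uploaded_file($_FILES['f']['tmp_name'], $d); ?>\n",
    "images/logo.png": "not php\n",
}

def indicators_in(text):
    """Names of the indicators present in one file's contents, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_tree(root, since):
    """Walk `root`; return [(relative_path, [indicator names])] for PHP files whose
    mtime is at or after `since` (an aware datetime, normally the intrusion time
    worked out from the logs) and that match at least one indicator."""
    since_ts = since.timestamp()
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mtime < since_ts:
                continue  # untouched since before the intrusion
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                found = indicators_in(fh.read())
            if found:
                flagged.append((os.path.relpath(path, root), found))
    return sorted(flagged)

def run_demo():
    """Write the fixture tree to a temp dir, age the legitimate form past the cutoff, scan."""
    since = datetime.now(timezone.utc) - timedelta(days=2)
    with tempfile.TemporaryDirectory() as root:
        for rel, body in FIXTURES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        old = (since - timedelta(days=30)).timestamp()
        old_path = os.path.join(root, "components", "com_oldform", "form.php")
        os.utime(old_path, (old, old))
        return scan_tree(root, since)

if __name__ == "__main__":
    import sys
    # Usage: python sweep.py /home/user/public_html 2006-07-31   (date is the intrusion day)
    if len(sys.argv) == 3:
        cutoff = datetime.strptime(sys.argv[2], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        results = scan_tree(sys.argv[1], cutoff)
    else:
        results = run_demo()
    for rel, found in results:
        print(rel, ",".join(found))
```

Files the sweep does not flag are not cleared by it: a file the attacker copied with its original timestamp, or a renamed extension served through a handler, will not show up, which is why the poster's decision to rebuild the account from known-good sources rather than trust a cleaned tree is the sound one.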

sparek-3

Well-Known Member
Aug 10, 2002
2,148
265
388
cPanel Access Level
Root Administrator
I wouldn't be too concerned with this being a root compromise, although what Andy suggested can never hurt, and it's always better to be safe than sorry.

The real issue with this is that a security hole in a script can allow an outside malicious user to send out spam from your server or set up phishing sites on your server. While these are not quite as extreme as a root compromise, they still are not fun to deal with and should be stopped, and the security vulnerability should be patched. The mindset that needs to be taken is that if someone was allowed to access your server through a script, then it's possible (perhaps unlikely, but still possible) that they could root compromise your server. These situations should be dealt with accordingly.

I know a lot of users do not like upgrading their scripts because it's tedious and can result in some lost customization. All I can say to this is that I'm sorry. This is an issue that needs to be dealt with between the client and the developer of the script. As much as I despise the phpBB script, I do have to say that their developers do provide a good method of upgrading the board through patch scripts. I'm not sure if this is the case with other scripts. Perhaps something does need to be done by script developers to allow upgrades to be performed better, but again, this needs to be dealt with by the makers of these scripts. A procedure to upgrade scripts may be an inconvenience to one client on the server, but the possibility that the outdated script could lead to a compromised server would mean an inconvenience to everyone on the server.