Servers Hacked - Preventing SQL Inject?

[jrianto]

Hi,
Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

I believe they get in through an application which are open to SQL Inject attack. My question is how did they gain root password of the server through SQL Inject?

I have SuPhp, mod_security, and CSF firewall installed. All clients are running through their own username, if a client's website say is open to SQL inject attack, how is it possible for them to gain root access and compromised the whole server?

Any inputs would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restored client data back to the server, within a few hours the same server is compromised again, the same way.

Thank you.

 

[Spiral]

Only broad speculations could be made here without actually examining and deeply analyzing the server along with your logs and current configuration settings to be able to say anything specific.

However, based on what you did just say above, I very strongly recommend a complete review of your servers by an expert as it is clear that your security is not quite as good as you thought it was and there is also a very likely potential and possiblity that your servers may be backdoored or trojaned or have some other currently unknown vulnerability and you need to find that out as well before you go any further.

The software you mentioned as already start is definitely a start in the right direction but those items in and of themselves cannot totally protect you, well nothing can other than unplugging the machine, but there is a whole lot you can do above and beyond those things you listed!

It is also critically important that you make sure your server is updated with the latest software revisions, security patches, and most importantly your system kernel especially since you mentioned "Sarbot511".

EDIT: Probably wouldn't hurt to go ahead and update Cpanel while you're at it too!

 

[cPanelKenneth]

Hi,
Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

I believe they get in through an application which are open to SQL Inject attack. My question is how did they gain root password of the server through SQL Inject?

I have SuPhp, mod_security, and CSF firewall installed. All clients are running through their own username, if a client's website say is open to SQL inject attack, how is it possible for them to gain root access and compromised the whole server?

Any inputs would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restored client data back to the server, within a few hours the same server is compromised again, the same way.

Thank you.

If you are using Linux, is your kernel fully up-to-date?

 

[brianoz]

I'd spend the money and hire an hour of a server expert's time to find out why it happened. It's not enough to have CSF, SuPHP etc, you've also got to know how to set them up.

Once someone is in a server as a user, there are a number of local root exploits and unless your kernel was current that'd be how they got in.

Since Spiral responded here, he's well known and trusted, why don't you use him?

 

[konrath]

Hi,
Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

I believe they get in through an application which are open to SQL Inject attack. My question is how did they gain root password of the server through SQL Inject?

I have SuPhp, mod_security, and CSF firewall installed. All clients are running through their own username, if a client's website say is open to SQL inject attack, how is it possible for them to gain root access and compromised the whole server?

Any inputs would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restored client data back to the server, within a few hours the same server is compromised again, the same way.

Thank you.

All index of your users was modified?

Konrath

 

[bou3lam]

what kind of open source are you using ?

 

[marksentence]

injecting into sites are like hacking they get all the data's inside right?

 

[kbuser]

injecting into sites are like hacking they get all the data's inside right?

Not really. If a clever person found somewhere on your site they could inject sql, especially if they get a response based on this, they could do some damage to your database assuming you didn't follow the "least privileges" mantra. If you're running SQL on your site as root/admin SQL user then you're asking for trouble with unsanitized querying.

This, however, doesn't give them access to your server/file system.

 

[mohit]

why not ask cPanel staff to have a look into it, if your license is eligible for support.

This could not only let you know the details but can also help them identify it there's any security holes which can be patched and this activity would certainly help other users too.

just my 2 cents.

 

[oshs]

Hi,
Three of my WHM servers were compromised on Thu-Fri by Sarbot511.

I believe they get in through an application which are open to SQL Inject attack. My question is how did they gain root password of the server through SQL Inject?

I have SuPhp, mod_security, and CSF firewall installed. All clients are running through their own username, if a client's website say is open to SQL inject attack, how is it possible for them to gain root access and compromised the whole server?

Any inputs would be appreciated. I am currently clueless on how to patch the hole. I tried reloading the server and restored client data back to the server, within a few hours the same server is compromised again, the same way.

Thank you.

Hi,

Did you get to the bottom of how your server's were hacked by Sarbot511?

We're seeing this on a few client servers.

Regards,
Suhail.

 

[brianoz]

If anyone can post some URLs of the hack attempts, we could come up with some mod_security code to filter them...

 

[anushkumar]

Spiral is absolutely right. Nobody here could help unless they get to see the damage. You might want to consult an expert. 99% of SQL injections dont result in root compromise. How did you know it was a root compromise in the first place?

 

[ModServ]

Hello,

You can gain root access from SQL Injection, by finiding the infected table then execute commands like viewing /etc/mysql. You can also execute an upload center code that's encrypted inside /tmp/ then open it in explorer and upload a shell script, After that you can make commands, Like compiling, The hacker can get a local root exploit, compile it then execute then can make a back connection to your server and get a root access, Done

I think that this can be solved by
in php.ini turn on magic_quotes_gpc.
execute this

/scripts/compilers off

and

chmod 700 /usr/bin/lsattr; chmod 700 /usr/bin/find; chmod 700 /usr/bin/lastlog; chmod 700 /usr/bin/w; chmod 700 /usr/bin/which; chmod 700 /usr/bin/locate; chmod 700 /usr/bin/gcc

Also you can restrict the modification of php.ini by using suphp then edit its config file located in /opt/suphp/etc/suphp.conf and from it:

;application/x-httpd-php=/usr/local/lib/
;application/x-httpd-php4=/usr/local/php4/lib/
;application/x-httpd-php5=/usr/local/lib/

Uncomment all of them. Then you should tight your security from php.ini and my.cnf also httpd.conf, After that you will have a secure system.

Hope that help you.

 

[rpmws]

i have complete details, scripts used and methods of this. PM me for details.

and it's NOT a cPanel exploit.

 

[eth00]

i have complete details, scripts used and methods of this. PM me for details.

and it's NOT a cPanel exploit.

I was helping Paul look at this, at least in his specific case it was completely *un*related to both cPanel and linux.

 

[rpmws]

I was helping Paul look at this, at least in his specific case it was completely related to both cPanel and linux.

want to make it clear, thsi isn't a cPanel exploit or flaw in cpanel or cpanel boxes. in fact, you could remove php and mysql wouldn't stop this. for those that think you have cleaned up from backups. check for SSH keys you didn't install