Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Hacked server? 2

Status
Not open for further replies.
Crundy

Crundy

Programmer
Jul 20, 2001
305
GB
Hi all,
I've been asked to look at a server, and it looks like Apache has been hacked on it. Users were complaining about pages not working, and just seeing a red square in the top right corner or certain pages. It looks like the exploit code isn't in the actual underlying pages themselves, and the problem only occurs every now and then (sometimes no problem on a particular page, click refresh and the problem appears).

On a page with the red square showing, using view source displays a load of obfuscated javascript code, e.g.
Code: 
<html><head><style> v\:* { behavior: url(#default#VML); }</style></head><body>
<script language=vbs>qrmd="*":hjr="%":xnnro="}  ;92*wa6*77*(etirwe2*te6*56*m57
*36*od  02* 02*  ;37*=b2*77*jw02*02*d7*02*02*} 02*zk16*=+37* 02*b7* 02*esl56*
(etc, all on one line)
On machines running McAfee this is detected as JS/Exploit-BO.gen, and on other machines it looks like it's trying to use existing MS exploits.

Has anyone seen this before, and does anyone know where I should start to try and clean the problem up?

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Sort by date Sort by votes
Step One, Unplug that machine from any networks!
Step two, read up on those exploits and whether they can be fingerprinted by you at the console to understand whether this is a hack
Step three, assume that more than one incursion has been experienced and continue checking.



D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
It is a Linux server!!

I guess we'll have to re-image it.

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Upvote 0 Downvote
In all seriousness, there is a risk in re-imaging... you haven't learned anything. What possible infection/trojan got into your perimiter, how far into that machine did it get, what data are you restoring and is it safe, did the infection get beyond this one machine in your perimeter.

I know this is a big topic to think about, but an infected machine is as much a symptom of other problems as it is a problem to solve in itself.

I humbly caution you to give this a bit more thought than was implied... Otherwise, you may very well be a victim again - if that was, in fact, the case in the first place.

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
Agreed, but there was apparently an issue with a spammer somehow gaining access and sending crap through sendmail, which was resolved by upgrading all the RPM packages on the server and rebooting (so to the linux zealot RythmAce, although viruses do not target linux platforms, malicious users do, and they are just as susceptible).

We've checked all the scripts in the web root and everything seems up to date, so I'm hoping they just dropped something in to get in and out whenever they want, and reinstalling the server from scratch and copying the web files across will solve it.

A Nessus scan found a Sendmail vulnerability before the first actions, so I presume they made their way in using that.

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Upvote 0 Downvote
Although incomplete, you should be using
'chkrootkit' and should scan for folder name '...' as a way to be more complete in your analysis.


I'm a bet skeptical about your analysis concerning sendmail... the last known vuln in sendmail was published by CERT that would lead to remote access like that appears to be several years ago?!

I would be more inclined to believe that you have a script/CGI/mailer that is compromised... or another service... or someone defeated/compromised something else.

I guess, somewhat without an invitiation to do so, I am suggesting (again, humbly) that you should not assume that finding one vulnerability has closed the door or assured that you are "clean"...

I'll stop posting unless you ask, but if I were consulting to you I'd be considerably more agressive in scrubbing that machine down. Just my $0.02USD.

Good luck,
Dave.

D.E.R. Management - IT Project Management Consulting
 
Upvote 0 Downvote
Hi

Just as Dave wrote, there could be more.

On a Linux forum I used to read, all experts had the same opinion : once a system cracked, is not your anymore.

They could recompile your utilities for example /bin/ls, to not show certain files, for example the folders with name '...'.

You can never know how intelligent the cracker is, but usually they are more intelligent then the administrator. Sorry.

Feherke.
 
Upvote 0 Downvote
Thanks for the links, I'll definitley use those to make sure they haven't left anything in the webroot.

Agree with all your points, it's difficult once someone's in to shut the door!

C:\DOS:>
C:\DOS:>RUN
RUN DOS RUN!!
 
Upvote 0 Downvote
I was in no way trying to imply that linux had no vulnerabilities. Quite the contrary, one only has to visit this form or the linux forum to see there are plenty to choose from. Any time you allow user interactivity on your server, you invite mischief. The most common avenues of attack seem to be php/mysql and cgi as well as web, mail, ftp and telnet/ssh servers to name a few. You may want to look into selinux. You more than likely already have it installed and just need to set it up. It will add another level of security to your system. I agree with thedaver. Reinstalling everything won't help much because you don't know how they are getting in and will still have that door open when all is said and done. You've got to find all those open doors and windows and even the cracks that can be exploited. Remember, if you let people do more than just read a page, they will. Before you let them have any type of interaction, check for vuls. The developers home page is a good place to start. Try to keep your system up to date with the latest security updates but stay away from bleeding edge packages because they have not been tested for exploits. If you host other domains on your server, you need to keep an eye on everything they run. For example, some cms and forum packages, have major security problems. It is up to you to find out which ones those are. As you can see, there is no quick fix or easy answer. You will always be reading and learning and pluging and as fast as you fix one leak, you will find another. Some of the guys here run huge server farms, so you can see why they would not think reinstalling everything would be a good idea. Just hang in there and work it through. You are not the first or only person this has happened to so you will find a lot of help here at tek-tips. We can offer some advice and point you in the right direction on a lot of issues but for the most part, you are going to have to solve the problem yourself.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MP2023
  • Locked
  • Question
mail Server
Replies
0
Views
131
MP2023
MP2023
MP2023
  • Locked
  • Question
Mail Server zimbra
Replies
0
Views
153
MP2023
MP2023
bk Patel
  • Locked
  • Question
Openscape 4000 Eco Server
Replies
3
Views
197
bk Patel
bk Patel
Phi_1.618
  • Locked
  • Question
Linux server
Replies
2
Views
170
SamBones
SamBones
Steve Bowman
  • Locked
  • Question
I have a Debian server (buster) I h
Replies
0
Views
73
Steve Bowman
Steve Bowman

Part and Inventory Search

Sponsor

Back
Top