My Apache webserver Hacked


kzn (MIS, GB), Jan 28, 2005
Hi

I recently set up a website on my own server and it has been hacked. I hope I have posted this in the right place. Please see the attached file; it lists the steps I followed when I set up the server running CentOS, Apache, PHP and MySQL. It would be great if people could contribute to creating a good build document that will hopefully help other people who are in the same situation. Maybe the admin of could create a section for build documents?


Thanks in advance.
 
Here are my notes

##################### HOW TO INSTALL APACHE WEB SERVER #####################

Install Centos 5.6 via the GUI using default settings

Set IP Address – edit ifcfg-eth0 file
/etc/sysconfig/network-scripts/
vi ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=172.16.0.10
NETMASK=255.255.0.0
GATEWAY=172.16.0.1
HWADDR=00:0C:29:25:C1:64
ONBOOT=yes

Set up DNS – edit resolv.conf file
/etc/
vi resolv.conf
nameserver 172.16.0.20

Change Host name
Go to /etc/sysconfig
vi network
HOSTNAME=myserver.mydomain.local

Change Host File
Go to /etc
vi hosts
Host file
172.16.0.15 firstdomainname.com
172.16.0.16 seconddomainname.com

Run ntsysv and remove unwanted services
bluetooth
ip6tables
isdn


Update the operating system
yum update

Add NTP settings for Time
yum install ntp
chkconfig ntpd on
ntpdate uk.pool.ntp.org
service ntpd start



Disable SELinux and IP Tables – run ntsysv
ntsysv

vi /etc/sysconfig/selinux
setenforce 0


Install MySQL
yum search mysql
yum install required files

Install apache
yum install mod_ssl.x86_64 system-config-httpd.noarch httpd.x86_64 mod_nss.x86_64 php.x86_64

Install php
yum install php.x86_64 php-common.x86_64 php-mysql.x86_64

Set MySQL settings
/usr/bin/mysqladmin -u root password monkey
Secure MySQL
/usr/bin/mysql_secure_installation

Change root password? N
Remove anonymous users? Y
Disallow root login remotely? Y
Remove test database? Y
Reload privilege tables now? Y
MySQL complete

To log in to MySQL
mysql -u root -p -h localhost



Create location for sites under root
mkdir sites (create this folder under root; this will be the location of all domains)
adduser techno
passwd techno
chown techno:apache sites (sites is the name of the folder)
chown -R techno:apache sites (-R will change all subfolders)
chmod 777 sites

Change to the sites directory and add a directory for each domain
mkdir
mkdir
In each of the newly created folders add two new directories
mkdir public (this holds the site files)
mkdir logs (this holds all the error logs for the site)


Edit httpd.conf
Go to /etc/httpd/conf and edit httpd.conf
Edit the following two lines
ServerName 172.16.0.10:80
NameVirtualHost 172.16.0.10:80

Add the following to the bottom of the file
<VirtualHost 172.16.0.10:80>
ServerAdmin email@emailaddress.com
DocumentRoot ../../sites/
ServerName
ErrorLog ../../sites/
</VirtualHost>
<VirtualHost 172.16.0.10:80>
ServerAdmin email@emailaddress.com
DocumentRoot ../../sites/
ServerName
ErrorLog ../../sites/
</VirtualHost>

Save file
Stop and start the httpd service
service httpd restart


Hack prevention notes
• First, make sure you have correctly set "open_basedir" in your php.ini file, and have set "allow_url_fopen" to "off".
• Always make sure you add a blank file named "index.html" to all folders like include or image folders - even if you deny directory listing yourself
• Second, add in a simple counter. If you detect a certain number of failed logins in a row, disable logging in to the administration area until it is reactivated by someone responsible
• Track IP addresses of both those users who successfully login and those who don't. If you spot repeated attempts from a single IP address to access the site, you may consider blocking access from that IP address altogether.
MySQL and SQL Server allow you to control what a user can and cannot do. You can give users (or not) permission to create data, edit, delete, and more using these permissions. Usually, I try and ensure that I only allow users to add and edit data.
Create an item-deleted column and purge old deleted data yourself.
The admin tool must only be allowed from certain addresses.
PHP functions that are not needed can be disabled, like eval(), which allows things on the OS to be executed. Commonly disabled functions include ini_set(), exec(), fopen(), popen(), passthru(), readfile(), file(), shell_exec() and system().
It may be (it usually is) worth enabling safe_mode on your server. This instructs PHP to limit the use of functions and operators that can be used to cause problems. If it is possible to enable safe_mode and still have your scripts function, it is usually best to do so.
When setting up the database, where you have set a maximum length, ensure that if someone enters a larger value no error is returned that would help the hacker.
You've got to find out how the attacker broke into your system. Check log files, if you have access to them.
File upload
Ensure a file name is of the form a-z0-9.doc; it must not be donkey.php.123.
Host Access (TCP_WRAPPERS)
There are two host access files (/etc/hosts.allow and /etc/hosts.deny), that are part of the TCP_WRAPPER package. This makes it possible to allow or deny access to certain services based on the IP.
Edit the hosts.allow and hosts.deny files:
# vi /etc/hosts.allow
sshd:<IP ADDRESS>
vsftpd:ALL
sendmail:ALL
# vi /etc/hosts.deny
ALL:ALL
The <IP ADDRESS> above is the internet IP you are connecting from (don’t include < or >). You can enter multiple IP address here (separated by spaces) or to allow SSH from any IP just replace with ALL.
The root account should never be able to log in via SSH (without first logging in as a user). You must change this, so edit /etc/ssh/sshd_config and ensure the following is set:
# vi /etc/ssh/sshd_config
Change the following lines as follows:
PermitRootLogin no
Protocol 2
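The build notes above switch SELinux and iptables off, make the sites tree world-writable (chmod 777) and leave php.ini and sshd_config at their defaults until the "hack prevention notes" at the end. The audit script below is added here as an example; it is not code from the original post. It reads the files the notes edit and reports every setting that still matches the weak state the notes record, so a build document can be checked rather than trusted. The live paths (/etc/php.ini, /etc/ssh/sshd_config, /etc/sysconfig/selinux, /etc/hosts.deny and a /sites tree) are CentOS 5 defaults plus the notes' layout and are assumptions; the disable_functions list it looks for is the one from the notes plus proc_open. One caveat on the notes: eval() is a language construct, not a function, so it cannot be listed in disable_functions, and the script does not look for it.

```shell
#!/bin/bash
# Audit of the settings the build notes above touch. Added example, not code
# from the original post. Each check takes the file or directory to inspect,
# so the same functions run against the live box, a test fixture, or a
# mounted image of the hacked server. Live paths are CentOS 5 defaults plus
# the notes' /sites layout (assumed).

set -u

# Last uncommented value of KEY in a "KEY=value" or "KEY value" file
# (php.ini, sshd_config and /etc/sysconfig/selinux all fit). Key match is
# case-insensitive; '#' and ';' start comments.
conf_value() {
    local file=$1 key=$2
    awk -v key="$key" '
        BEGIN { key = tolower(key) }
        /^[ \t]*[#;]/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)
            if (n == 0) next
            if (tolower(substr(line, 1, n - 1)) != key) next
            v = substr(line, n + 1)
            sub(/^[ \t=]+/, "", v); sub(/[ \t]+$/, "", v)
            last = v
        }
        END { print last }' "$file" 2>/dev/null
}

# php.ini: the three items from the "hack prevention notes". eval() is a
# language construct, not a function, so disable_functions cannot cover it.
check_php_ini() {
    local file=$1 rc=0 v fn
    v=$(conf_value "$file" allow_url_fopen | tr 'A-Z' 'a-z')
    case "$v" in
        off|0|false|no) ;;
        *) echo "php.ini: allow_url_fopen=${v:-unset} (PHP default is On); set Off"; rc=1 ;;
    esac
    v=$(conf_value "$file" open_basedir)
    [ -n "$v" ] || { echo "php.ini: open_basedir unset; PHP may read any file apache can"; rc=1; }
    v=$(conf_value "$file" disable_functions | tr -d ' ')
    for fn in exec passthru shell_exec system popen proc_open; do
        case ",$v," in
            *",$fn,"*) ;;
            *) echo "php.ini: disable_functions lacks $fn"; rc=1 ;;
        esac
    done
    return $rc
}

check_sshd_config() {
    local file=$1 rc=0 v
    v=$(conf_value "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$v" = no ] || { echo "sshd_config: PermitRootLogin=${v:-unset} (OpenSSH default is yes); set no"; rc=1; }
    v=$(conf_value "$file" Protocol)
    [ "$v" = 2 ] || { echo "sshd_config: Protocol=${v:-unset}; set 2"; rc=1; }
    return $rc
}

# The notes set SELINUX=disabled; enforcing (targeted) confines httpd, which
# is exactly the process a PHP hole hands to the attacker.
check_selinux_config() {
    local file=$1 v
    v=$(conf_value "$file" SELINUX | tr 'A-Z' 'a-z')
    [ "$v" = enforcing ] || { echo "selinux: SELINUX=${v:-unset}; set enforcing"; return 1; }
}

# hosts.deny needs the ALL:ALL line for the hosts.allow entries to mean anything.
check_hosts_access() {
    local deny=$1 v
    v=$(grep -Ev '^[[:space:]]*(#|$)' "$deny" 2>/dev/null | tr -d ' \t' | grep -ix 'all:all' || true)
    [ -n "$v" ] || { echo "hosts.deny: no ALL:ALL default-deny line"; return 1; }
}

# chmod 777 on the sites tree lets any local account, including the apache
# user a compromised script runs as, drop files the web server then serves.
check_world_writable() {
    local dir=$1 hits
    hits=$(find "$dir" -type d -perm -0002 2>/dev/null || true)
    [ -z "$hits" ] || { printf 'world-writable directories under %s:\n%s\n' "$dir" "$hits"; return 1; }
}

audit_live() {
    local rc=0
    check_selinux_config /etc/sysconfig/selinux || rc=1
    check_php_ini        /etc/php.ini           || rc=1
    check_sshd_config    /etc/ssh/sshd_config   || rc=1
    check_hosts_access   /etc/hosts.deny        || rc=1
    check_world_writable /sites                 || rc=1
    # Config files say what is wanted; also check what is actually running.
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != Enforcing ]; then
        echo "selinux: getenforce reports $(getenforce)"; rc=1
    fi
    if [ -x /sbin/iptables ] && ! /sbin/iptables -L INPUT -n 2>/dev/null | awk 'NR > 2' | grep -q .; then
        echo "iptables: INPUT chain has no rules (the notes turned iptables off)"; rc=1
    fi
    return $rc
}

if [ "${1:-}" = --live ]; then audit_live; fi
```

Run it as `bash build-audit.sh --live` as root on the finished server; a clean run prints nothing and exits 0. Because every check takes a path, the same functions can be pointed at a mounted image of the hacked box to confirm which of the notes' settings were in force when it was hit.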
 
What happened that leads you to believe that your site has been compromised? Have you determined how it has been compromised and to what level?

Normally, I recommend that one follows the CERT Intruder Detection Checklist, which lists the steps necessary to investigate a compromise. Here is a link:
The first thing you should do is isolate the machine by either disconnecting the network cable or raising your firewall (iptables) to only allow SSH traffic from a known, trusted location. You will want to collect as much forensic information as possible.

Once you have the system secured, you will need to begin your investigation. Per the CERT list you will need to perform various steps including looking for hidden files, checking for changes to your CRON table, verifying whether or not any system binaries have been modified, etc.

I recommend running the following commands:
Code:
/bin/ps acxfwwwe 2>&1; 
/usr/sbin/lsof -Pwln 2>&1; 
/bin/ls -al /var/spool/cron 2>&1; 
/usr/bin/lastlog 2>&1; 
/usr/bin/last 2>&1; 
/usr/bin/who -a 2>&1
Ideally you can collect them all into a file by concatenating the output into a temp file. Look for strange processes, unknown applications, examine all the network connections, etc.

Next you will need to thoroughly examine your system logs. This is best done with a combination of eyeballs and a tool such as logwatch set for maximum detail.

Since you're running Linux, I might also suggest stopping by this forum: In my opinion it is one of the best sources for Linux security information and incident response.

Ultimately, especially if you have been compromised at the root level, you may need to reformat and re-install the system. This should NOT be done until you have determined how you were compromised as well as the extent of the damage.
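To make the collection step in the reply above repeatable, here is an added example script (not part of the reply) that runs the commands it lists into a dated evidence directory, copies the logs with their timestamps intact, and then applies two small filters to what was gathered: entries in `last -i` output from addresses outside a trusted pattern, and crontab lines that run from temp paths or pull code from the network. The evidence location (/root/ir-<timestamp>), the trusted pattern `^172\.16\.` (the internal range from the build notes) and the cron patterns are assumptions for the example; `rpm -Va` is added as the CentOS way to check packaged binaries against their install-time hashes, which is the "system binaries modified" step the reply mentions.

```shell
#!/bin/bash
# Evidence collection and first-pass review for the hacked web server.
# Added example built around the commands in the reply above; not the reply's
# own script. Assumed for the example: evidence goes to /root/ir-<timestamp>,
# the "trusted" login pattern is the build notes' 172.16.0.0/16 range, and the
# cron patterns are a starting heuristic to extend, not a complete list.
# Run only after the box is isolated as the reply describes, and before any
# reinstall.

set -u

EVIDENCE_DIR=${EVIDENCE_DIR:-/root/ir-$(date +%Y%m%d-%H%M%S)}

# Append one command's stdout+stderr under a dated header. A missing tool
# (lsof is not on every minimal install) is recorded rather than fatal.
capture() {
    local label=$1; shift
    {
        printf '===== %s | %s =====\n' "$label" "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
        "$@" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?"
    } >> "$EVIDENCE_DIR/collection.txt"
}

# Volatile state first (the reply's list, plus rpm -Va, the CentOS check of
# packaged files against their install-time hashes), then log copies with
# timestamps kept (cp -p). Caveat: after a root-level compromise the on-box
# ps, ls, lsof and rpm may themselves be replaced; treat this as leads and
# confirm from a clean boot medium.
collect_volatile() {
    local d hasher=sha1sum
    mkdir -p "$EVIDENCE_DIR"
    capture processes  /bin/ps acxfwwwe
    capture open-files /usr/sbin/lsof -Pwln
    capture cron-spool /bin/ls -al /var/spool/cron
    capture lastlog    /usr/bin/lastlog
    capture last       /usr/bin/last -i
    capture who        /usr/bin/who -a
    capture rpm-verify /bin/rpm -Va
    cp -pr /var/spool/cron "$EVIDENCE_DIR/cron-spool" 2>/dev/null || true
    cat /etc/crontab /etc/cron.d/* > "$EVIDENCE_DIR/system-crontabs" 2>/dev/null || true
    cp -p /var/log/secure* /var/log/messages* "$EVIDENCE_DIR/" 2>/dev/null || true
    cp -pr /var/log/httpd "$EVIDENCE_DIR/httpd-logs" 2>/dev/null || true
    for d in /sites/*/logs; do   # per-site ErrorLog directories from the build notes (assumed path)
        [ -d "$d" ] && cp -pr "$d" "$EVIDENCE_DIR/site-$(basename "$(dirname "$d")")-logs"
    done
    # Hash the copies so their integrity can be shown later.
    command -v sha256sum >/dev/null 2>&1 && hasher=sha256sum
    (cd "$EVIDENCE_DIR" && find . -type f ! -name HASHES -exec "$hasher" {} + > HASHES)
    echo "evidence collected in $EVIDENCE_DIR"
}

# Lines of `last -i` output (stdin) whose source address is not a console
# login (0.0.0.0) and does not match the trusted regex in $1. The pattern
# goes through the environment because awk -v would reinterpret its backslashes.
foreign_logins() {
    TRUSTED="$1" awk 'NF >= 3 && $3 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $3 != "0.0.0.0" && $3 !~ ENVIRON["TRUSTED"]'
}

# Crontab lines (stdin) that run from temp or world-writable paths, fetch
# code from the network, or decode an inline payload. Heuristic, not a verdict.
suspicious_cron() {
    grep -Ev '^[[:space:]]*(#|$)' \
        | grep -Ei '/tmp/|/dev/shm/|/var/tmp/|wget |curl |base64 (-d|--decode)|perl -e|python -c'
}

review_collection() {
    local trusted=${1:-}
    [ -n "$trusted" ] || trusted='^172\.16\.'   # assumed: the internal range from the build notes
    echo "--- logins from addresses not matching $trusted ---"
    sed -n '/^===== last |/,/^===== who |/p' "$EVIDENCE_DIR/collection.txt" | foreign_logins "$trusted"
    echo "--- suspicious cron entries ---"
    cat "$EVIDENCE_DIR"/cron-spool/* "$EVIDENCE_DIR/system-crontabs" 2>/dev/null | suspicious_cron
    echo "--- rpm -Va: packaged files whose MD5 changed ('5' in column 3) ---"
    sed -n '/^===== rpm-verify |/,$p' "$EVIDENCE_DIR/collection.txt" | grep -E '^..5' || true
}

case "${1:-}" in
    --collect) collect_volatile ;;
    --review)  review_collection "${2:-}" ;;
esac
```

Usage: `bash ir-collect.sh --collect` as root on the isolated box, then `bash ir-collect.sh --review '^172\.16\.'` (or any other regex for the addresses you expect) to get the first three things to read. Everything else in collection.txt still needs eyes, as the reply says; the filters only decide where to start.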
 