After brute force break in what to do?

[tjd]

I have one vhost with compromised php file(s) that attempts ftp_scanner atacks on multiple other servers. I have capped the ports it uses, removed all its constituent (ftp_scanner.c and so on files) and checked the syslog startup script for spurious lines by diffing it. Now, does anyone have any idea how to find the lines of code injected into any of hundreds of files on a mambo site?

Running some sort of diff code software on a massive structure is getting right to the outer limits of my experience and way past my certain knowledge.


Any help?

T

[till]

Instaed of comparing your files you can try to copy the files from a fresh mambo installation over xour current install. But this is only a option if you did not modify your mamyo installation too much. make sure that you backup the current install first.

[tjd]

Never an easy answer when you slack of on security. User had one catchall account with no spamassassin and no other security and the next thing we know there's server complaints from all over the world, and I only missed out running checks for a couple of days... also all her file perms are like 777, and I missed that too!

Well, guess I'll reinstall her mambo for her, sigh . . .

[till]

Hosting a Mombo or Joomly system is always a high risk If poeple miss just one security patch they (or the hoster) will get in troble very fast...

[tjd]

For others with this prob:

first change all regular passwords(sysops, root, tech users etc) for properly encrypted ones), then:

1. Portsentry, tight as you can
2. ckrootkit or similar, run often
3. ssh access by auth key only
4. logwatch cronned for daily
5. check logwatch emails every am, check hosts.deny for the ip addresses
mentioned therein. Add manually if they are not there.
6. find ftp_scanner C libs (ours were in /var/tmp/nis with an installer archive in
/var/tmp) do a Dalek on 'em: "exterminate exterminate exterminate"
7. Remove any unneeded services, close any ports not used by specific
services
8. go through all php files (IT'S A JOB!) and write a wrapper round mail()
functions.

Now! If someone can tell me how to set up postfix so it denies Bcc messages and looks for line breaks, I'll be nearly there!

[tjd]

Following the recent break in mentioned above, we went through the server with a fine tooth comb, reducing all file permissions to the minimum and hardening our firewall and other defences.

We then went ascanning, using the clamscan utility in ispconfig, with its output piped into a txt file.

63 infected files turned up, most of them dumb phishing scripts in mail boxes attached to viagra offers and the like, but there was some solid gold: in a mambo site that had been running all files and dirs on 777 perms, we found a file "modules/mod_clogin" and a file za.zip, and a folder za

"eradicate", "eradicate", "eradicate", said the dalek scanner and we did. We then, having had a squizz at the perl based scripts involved, went hunting up and down our tmp folders, and bingo! We got a file called bg, another called bcg and a file called back, in various spots.

The nasty that did it all was a thing called c99shell, out of Romania, and it basically set itself up as "apache" and then went to town, allowing in every spammer mf in the business.

So it's been got, and the upside is, we now have a bullet proof server. Hope the above helps.