HowtoForge Forums > ISPConfig 2 > Tips/Tricks/Mods

#1  4th February 2008, 00:05  tjd (Member)

After brute force break in what to do?

I have one vhost with compromised PHP file(s) that attempts ftp_scanner attacks on multiple other servers. I have capped the ports it uses, removed all its constituent files (ftp_scanner.c and so on) and checked the syslog startup script for spurious lines by diffing it. Now, does anyone have any idea how to find the lines of code injected into any of hundreds of files on a Mambo site?

Running some sort of diff code software on a massive structure is getting right to the outer limits of my experience and way past my certain knowledge.


Any help?

T
__________________
"Those who would give up an essential liberty to purchase a little temporary safety deserve neither liberty nor safety".
Benjamin Franklin 1759
#2  4th February 2008, 11:48  till (Super Moderator, Lüneburg, Germany)

Instead of comparing your files you can try to copy the files from a fresh Mambo installation over your current install. But this is only an option if you did not modify your Mambo installation too much. Make sure that you back up the current install first.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3  5th February 2008, 03:11  tjd

Yeh, I kinda figured that . . .

Never an easy answer when you slack off on security. User had one catch-all account with no SpamAssassin and no other security, and the next thing we know there are server complaints from all over the world, and I only missed out running checks for a couple of days... also all her file perms are like 777, and I missed that too!

Well, guess I'll reinstall her mambo for her, sigh . . .
#4  5th February 2008, 11:26  till

Hosting a Mambo or Joomla system is always a high risk. If people miss just one security patch they (or the hoster) will get in trouble very fast...
#5  22nd February 2008, 05:52  tjd

The hardening saga goes on

For others with this prob:

first change all regular passwords (sysops, root, tech users etc.) for properly encrypted ones, then:

1. Portsentry, tight as you can
2. chkrootkit or similar, run often
3. ssh access by auth key only
4. logwatch cronned for daily
5. check logwatch emails every am, check hosts.deny for the IP addresses mentioned therein. Add manually if they are not there.
6. find ftp_scanner C libs (ours were in /var/tmp/nis with an installer archive in /var/tmp) do a Dalek on 'em: "exterminate exterminate exterminate"
7. Remove any unneeded services, close any ports not used by specific services
8. go through all php files (IT'S A JOB!) and write a wrapper round mail() functions.

Now! If someone can tell me how to set up postfix so it denies Bcc messages and looks for line breaks, I'll be nearly there!
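Step 5 of the list above (read the failed-login report, check hosts.deny, add the addresses by hand) is the one that is easiest to automate. The script below is an added example and is not code from the thread, from logwatch or from ISPConfig: it reads the sshd "Failed password" lines straight out of an auth log instead of logwatch's mailed summary, counts failures per source address, and appends an "ALL: address" line to hosts.deny only when no identical line is there yet, so it can run from cron without producing duplicates. The log lines (using documentation address ranges), the file paths and the threshold of three failures are constructed for the demo, and the whole approach assumes sshd honours hosts.deny, i.e. was built with tcp_wrappers, which was usual for 2008-era distributions but is not universal.

```shell
#!/bin/sh
# Added example, not from the thread. Bans repeat sshd brute-forcers via
# hosts.deny without adding an address that is already listed. Log lines,
# paths and threshold below are constructed for the demo.

# failed_ips LOG MIN
# Prints each source IP with at least MIN sshd "Failed password" lines.
failed_ips() {
    grep 'sshd\[[0-9]*\]: Failed password' "$1" \
      | sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v min="$2" '$1 >= min { print $2 }'
}

# deny_ip DENYFILE IP
# Appends "ALL: IP" unless that exact line already exists (-x: whole line,
# so 10.0.0.1 does not match an existing 10.0.0.10 entry).
# Returns 0 when the entry was added, 1 when it was already present.
deny_ip() {
    if grep -qxF "ALL: $2" "$1" 2>/dev/null; then
        return 1
    fi
    printf 'ALL: %s\n' "$2" >> "$1"
}

# ban_repeat_offenders LOG DENYFILE MIN
# Prints only the addresses it added during this run.
ban_repeat_offenders() {
    failed_ips "$1" "$3" | while IFS= read -r ip; do
        if deny_ip "$2" "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# write_sample_log FILE
# Constructed sshd lines: 203.0.113.5 fails three times, 198.51.100.7 fails
# once and then logs in with a key (not a failure, must not be counted).
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 20 03:14:07 host sshd[1234]: Failed password for root from 203.0.113.5 port 41234 ssh2
Feb 20 03:14:09 host sshd[1234]: Failed password for root from 203.0.113.5 port 41235 ssh2
Feb 20 03:14:11 host sshd[1236]: Failed password for invalid user admin from 203.0.113.5 port 41236 ssh2
Feb 20 03:15:00 host sshd[1240]: Failed password for tjd from 198.51.100.7 port 5022 ssh2
Feb 20 03:16:00 host sshd[1242]: Accepted publickey for tjd from 198.51.100.7 port 5023 ssh2
EOF
}

# demo: run twice against the sample log to show the second run is a no-op.
demo() {
    dir=$(mktemp -d) || exit 1
    write_sample_log "$dir/auth.log"
    echo "first run adds:";   ban_repeat_offenders "$dir/auth.log" "$dir/hosts.deny" 3
    echo "second run adds:";  ban_repeat_offenders "$dir/auth.log" "$dir/hosts.deny" 3
    echo "hosts.deny now:";   cat "$dir/hosts.deny"
    rm -rf "$dir"
}
demo
```

For real use point ban_repeat_offenders at /var/log/auth.log (or /var/log/secure) and /etc/hosts.deny from a daily cron entry, and keep the threshold above one: a single failure is often a typo by a legitimate user, and hosts.deny has no expiry, so every address added stays until someone removes it.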
#6  1st March 2008, 08:14  tjd

Where the grrrrr hackers hide a mambo script

Following the recent break-in mentioned above, we went through the server with a fine-tooth comb, reducing all file permissions to the minimum and hardening our firewall and other defences.

We then went ascanning, using the clamscan utility in ISPConfig, with its output piped into a txt file.

63 infected files turned up, most of them dumb phishing scripts in mailboxes attached to viagra offers and the like, but there was some solid gold: in a Mambo site that had been running all files and dirs on 777 perms, we found a file "modules/mod_clogin" and a file za.zip, and a folder za.

"eradicate", "eradicate", "eradicate", said the dalek scanner and we did. We then, having had a squizz at the Perl-based scripts involved, went hunting up and down our tmp folders, and bingo! We got a file called bg, another called bcg and a file called back, in various spots.

The nasty that did it all was a thing called c99shell, out of Romania, and it basically set itself up as "apache" and then went to town, allowing in every spammer mf in the business.

So it's been got, and the upside is, we now have a bullet proof server. Hope the above helps.
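The two ways of finding what the break-in left behind that this thread arrives at, till's suggestion in post #2 (put a fresh copy of the same Mambo version next to the live site and see what differs) and the manual hunt in the post above (dropped files under modules/, scripts in tmp directories, everything on 777), are scripted below in POSIX shell as an added example. It is not code from the thread, from Mambo or from ISPConfig. It builds a throwaway directory tree standing in for the site, with one planted backdoor line, one dropped PHP file, a fake /var/tmp and one world-writable directory, all constructed for the demo; the strings hunt_markers greps for are generic webshell idioms (eval of decoded data, shell commands fed from request parameters), not the signature of any particular sample, so its hits are leads for review rather than verdicts. It assumes the usual coreutils, diffutils, grep -E, find and mktemp are available.

```shell
#!/bin/sh
# Added example, not code from the thread, Mambo or ISPConfig. Two ways of
# locating what a break-in left in a web tree: comparing the live site with
# a clean copy of the same version, and hunting for the indicators post #6
# found by hand. Every path, file name and file body below is constructed.

# list_changed CLEAN LIVE
# Prints "M path" for files whose content differs from the clean copy and
# "A path" for files present only in the live tree. Injected lines show up
# as M, dropped scripts (the thread's modules/mod_clogin) as A.
list_changed() {
    ( cd "$2" && find . -type f | sort ) | while IFS= read -r f; do
        if [ ! -f "$1/$f" ]; then
            printf 'A %s\n' "${f#./}"
        elif ! cmp -s "$1/$f" "$2/$f"; then
            printf 'M %s\n' "${f#./}"
        fi
    done
}

# show_diff CLEAN LIVE FILE
# Unified diff of one changed file so the injected lines can be read
# without opening the whole file.
show_diff() {
    diff -u "$1/$3" "$2/$3"
}

# hunt_markers ROOT
# PHP files containing idioms common in webshells: eval of decoded data or
# command execution fed straight from a request parameter. Treat hits as
# leads for manual review; legitimate code can match as well.
hunt_markers() {
    find "$1" -type f -name '*.php' -exec grep -l -E \
        'eval *\( *(base64_decode|gzinflate|str_rot13)|(system|passthru|shell_exec|exec) *\( *\$_(GET|POST|REQUEST)' \
        {} +
}

# hunt_perms ROOT
# World-writable files and directories, the 777 mistake from the thread.
hunt_perms() {
    find "$1" -perm -0002 -print
}

# hunt_tmp DIR...
# Executables, scripts and archives sitting in temp directories, where the
# thread found bg, bcg, back and the ftp_scanner installer.
hunt_tmp() {
    find "$@" -type f \( -perm -0100 -o -name '*.pl' -o -name '*.sh' \
        -o -name '*.c' -o -name '*.tgz' -o -name '*.tar.gz' -o -name '*.zip' \) -print
}

# build_demo
# Builds a throwaway clean/ and live/ pair plus a fake var/tmp and prints
# the base directory. The planted backdoor line, dropped file and tmp
# residue are made up for this demo.
build_demo() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/clean/modules" "$base/live/modules/mod_clogin" "$base/var/tmp/nis"
    printf '<?php\necho "front page";\n' > "$base/clean/index.php"
    printf '<?php\n// login box\n' > "$base/clean/modules/mod_login.php"
    cp "$base/clean/index.php" "$base/live/index.php"
    cp "$base/clean/modules/mod_login.php" "$base/live/modules/mod_login.php"
    # planted injection: one line appended to an otherwise clean file
    printf 'eval(base64_decode($_POST["c"]));\n' >> "$base/live/index.php"
    # planted dropped file with no counterpart in the clean tree
    printf '<?php\nsystem($_GET["cmd"]);\n' > "$base/live/modules/mod_clogin/x.php"
    # planted tmp residue: an executable perl script and a build archive
    printf '#!/usr/bin/perl\n' > "$base/var/tmp/nis/bg"
    : > "$base/var/tmp/nis.tgz"
    chmod -R u=rwX,go=rX "$base"
    chmod 755 "$base/var/tmp/nis/bg"
    chmod 777 "$base/live/modules/mod_clogin"   # the thread's 777 mistake
    printf '%s\n' "$base"
}

# demo: build the tree, run every check, clean up.
demo() {
    d=$(build_demo) || exit 1
    echo "== changed or added vs clean copy"; list_changed "$d/clean" "$d/live"
    echo "== injected lines in index.php";   show_diff "$d/clean" "$d/live" index.php || true
    echo "== webshell idioms";               hunt_markers "$d/live"
    echo "== world-writable";                hunt_perms "$d/live"
    echo "== tmp residue";                   hunt_tmp "$d/var/tmp"
    rm -rf "$d"
}
demo
```

Against a real site, CLEAN is the unpacked release archive of the exact version that was installed (a different version makes every file show as M) and LIVE is the vhost's document root; list_changed is the part that scales to hundreds of files, because it says nothing about the files that are still identical and leaves only the M and A entries to read with show_diff. Run hunt_perms and hunt_tmp as root so nothing is skipped, and compare hunt_markers hits against the clean copy before deleting anything.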