  #11  
Old 2nd March 2010, 09:06
damir damir is offline

Keep us posted so we know that we can rule out ISPConfig
  #12  
Old 2nd March 2010, 09:20
edge edge is offline

Found this (see comments) about the Horde, but as you did not have it on your system the hack was not done that way.

Keep us posted on what you find.
__________________
Never execute code written on a Friday or a Monday.
  #13  
Old 2nd March 2010, 11:15
till till is offline

@Samtzu: Did you have phpmyadmin installed on these servers? I've seen several hacks that I investigated for customers through phpmyadmin in the last months.

If this happened to you on ispconfig2 and ispconfig 3 systems, it might be not related to ispconfig as ispconfig 2 and 3 are completely different architectures and do not share any code. So it's very unlikely that a problem affects both versions.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 2nd March 2010 at 11:19.
  #14  
Old 2nd March 2010, 11:38
SamTzu SamTzu is offline

to: Till

Agreed. I too suspect phpmyadmin. But so far I'm not good enough to find out for certain.

Here is the apt-get upgrade info from one of the hacked servers...
(As you can see phpmyadmin should be updated. It was last updated a few months ago.)

The following packages will be upgraded:
apache2 apache2-doc apache2-mpm-prefork apache2-suexec apache2-utils apache2.2-common base-files bind9-host
dhcp3-client dhcp3-common dnsutils dpkg dpkg-dev fam gzip libapache2-mod-php5 libbind9-40 libc6 libc6-dev
libcups2 libcupsimage2 libdbd-mysql-perl libdns45 libexpat1 libfam0 libgd2-xpm libglib2.0-0 libglib2.0-data
libgnutls26 libhtml-parser-perl libisc45 libisccc40 libisccfg40 libkrb53 libldap-2.4-2 libltdl3 libltdl3-dev
liblwres40 libmysqlclient15-dev libmysqlclient15off libpq5 libssl0.9.8 libthai-data libthai0 libtool
linux-libc-dev locales login mysql-client mysql-client-5.0 mysql-common mysql-server mysql-server-5.0 ntp
ntpdate openssl passwd php-pear php5 php5-cgi php5-cli php5-common php5-curl php5-gd php5-imap php5-mcrypt
php5-mysql phpmyadmin python2.5 python2.5-minimal spamassassin spamc tzdata
73 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 96.0MB of archives.
After this operation, 131kB of additional disk space will be used.
Do you want to continue [Y/n]? n
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent

  #15  
Old 2nd March 2010, 12:26
till till is offline

There are a few general recommendations to prevent this in future:

a) Install all updates regularly. I check at least one of my servers every few days; if I see that there are updates available, I log in to every server and install the updates.

b) Try to protect phpmyadmin, the following options might help:

- Add a robots.txt in the phpmyadmin folder which denies spidering, so your phpmyadmin install is not listed in the major search engines.
- Don't name the phpmyadmin folder phpmyadmin.
- The ultimate but not always usable method to secure phpmyadmin is to add a password protection with a .htaccess file.
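The three phpMyAdmin recommendations from post #15 as a shell sketch that writes the two files and then audits a directory against all three points. This is an added example, not part of the original posts; the function names, the sample directory name and the password-file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). harden_pma/audit_pma are
# hypothetical helper names; the paths used with them are placeholders.

# harden_pma DIR HTPASSWD_FILE: write robots.txt and .htaccess into DIR.
harden_pma() {
    dir=${1%/}; htpasswd_file=$2
    # Deny all crawlers so the install is not listed in search engines.
    printf 'User-agent: *\nDisallow: /\n' > "$dir/robots.txt"
    # HTTP Basic auth in front of the phpMyAdmin login page.
    # Keep the password file outside the web root and create it with:
    #   htpasswd -c "$htpasswd_file" someuser
    # Apache only honours these lines if AllowOverride permits AuthConfig.
    printf 'AuthType Basic\nAuthName "Restricted"\nAuthUserFile %s\nRequire valid-user\n' \
        "$htpasswd_file" > "$dir/.htaccess"
}

# audit_pma DIR: print one line per unmet recommendation and return the
# number of failures (0 means all three points are covered).
audit_pma() {
    dir=${1%/}; fails=0
    name=$(basename "$dir" | tr '[:upper:]' '[:lower:]')
    case $name in
        *phpmyadmin*)
            echo "FAIL: folder name contains 'phpmyadmin'"
            fails=$((fails + 1)) ;;
    esac
    grep -Eiq '^Disallow:[[:space:]]*/[[:space:]]*$' "$dir/robots.txt" 2>/dev/null || {
        echo "FAIL: robots.txt missing or does not deny spidering"
        fails=$((fails + 1))
    }
    if ! grep -Eiq '^[[:space:]]*AuthType[[:space:]]' "$dir/.htaccess" 2>/dev/null ||
       ! grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$dir/.htaccess" 2>/dev/null
    then
        echo "FAIL: no .htaccess password protection"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: pass the phpMyAdmin directory as the first argument.
if [ $# -gt 0 ]; then audit_pma "$1"; fi
```

Basic authentication sends the password with every request, so the directory should only be reachable over HTTPS.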
  #16  
Old 2nd March 2010, 12:39
SamTzu SamTzu is offline

I think I'm going to go with .htaccess that asks LDAP (zimbra) for the user ID and password.

I already have the .htaccess ready but we have not used it anywhere yet because the LDAP is not SSL protected.

Anyway we can use some kind of phpmyadmin account and change its password regularly to avoid problems like this.

Most ordinary clients do not use MySQL tools anyway. And those who need to use them can ask for a password.


PS. How often do you guys change the mysql root password?
  #17  
Old 3rd March 2010, 13:20
dxr dxr is offline
Hi,

If I can help you, tell me please. I am very interested in investigating and maybe getting to know new hack methods and searching for a solution.

./dxr
  #18  
Old 4th March 2010, 12:57
dxr dxr is offline
A strong root password is not the solution for secure servers. You need more things for it.
  #19  
Old 4th March 2010, 17:02
dxr dxr is offline

For example:

http://bugtracker.ispconfig.org/inde...&due=21&status[0]=&pagenum=2