Navigation

quannv · #1 1st April 2011, 17:54

The document root (/var/www) of ISPconfig3 server ( Debian Lenny) is written by hacker, he put the phishing website with .it domain, after I delete phishing website, he is still put them, I can not inspect the reason. This problem is really awesome for me, I attach here the website code, so if any one need other information to inspect them help me, I will provide

update: I check the /tmp dir and I get the phishing website code, How to prevent /tmp attack?

i-chat · #2 1st April 2011, 20:41

first of all - please try to decently explain what you did to try and stop this,
also tell us stuff like, who you think did this. in example is it a client or someone you dont know.

do you protect your sever by a firewall and how strong are your password ... note a password should always be complex ...

a passworld like: abcd123 is easily hackabale.
where: #M7tW3ftW.8oO0 is not.

try to understand that a decent security is verry important, and try to do some background checks (like reading the loggs) to investigate what may be the problem here..

note that no one here has access to your server so - we can really help you - unless you tell us more..

*Norman* · #3 2nd April 2011, 04:35

Most likely reason he was able to access /tmp is cause one of your sites has wrong chmod for directories so they could upload files (php shells) or has outdated versions of common CMS:es with security exploits.

Update your websites and make sure you find which website was used to execute scripts locally as that user.
Check which user owns the files under /tmp and it should give some hints.
if it's owned by www-data you have to check the access.log's of each site individually or do some grepping/find of unknown files that may seem out of place.

quannv · #4 2nd April 2011, 05:47

Quote:

Originally Posted by Norman

Most likely reason he was able to access /tmp is cause one of your sites has wrong chmod for directories so they could upload files (php shells) or has outdated versions of common CMS:es with security exploits.

Update your websites and make sure you find which website was used to execute scripts locally as that user.
Check which user owns the files under /tmp and it should give some hints.
if it's owned by www-data you have to check the access.log's of each site individually or do some grepping/find of unknown files that may seem out of place.

Thank Norman, I check owner of files in /tmp and I see root is owner of that, can someone run under root?

There are some files have mysql owner

-rw-rw---- 1 mysql mysql 1385260 Apr 2 10:46 #sql_2a25_0.MYD
-rw-rw---- 1 mysql mysql 1024 Apr 2 10:46 #sql_2a25_0.MYI

*Norman* · #5 4th April 2011, 20:05

Well, it could be any numerous ways if they made access to write to /tmp through an exploited site.
You could also be running outdated local software that made it possible to exploit. Who knows.

Can't tell for sure without access to system and doing an investigation.
Talking someone through a forensics exam isnt really an option.

*does this for a living*

Navigation

Facebook

News

Recent comments

Newsletter