HowtoForge Forums > ISPConfig 3 > General

#1
1st April 2011, 17:54
quannv
Member
Join Date: Sep 2007
Location: Viet Nam
Posts: 33
My ISPConfig server got hacked

The document root (/var/www) of my ISPConfig 3 server (Debian Lenny) is being written to by a hacker: he puts a phishing website with a .it domain there, and after I delete the phishing website he still puts it back. I cannot find the reason. This problem is really awesome for me. I attach the website code here, so if anyone needs other information to inspect it, help me and I will provide it.

Update: I checked the /tmp dir and found the phishing website code there. How do I prevent /tmp attacks?
Attached Files
jaja.zip (15.3 KB)

Last edited by quannv; 1st April 2011 at 19:10.
#2
1st April 2011, 20:41
i-chat
Member
Join Date: Jan 2011
Posts: 31

First of all, please try to explain properly what you did to try and stop this.
Also tell us things like who you think did this, for example whether it is a client or someone you don't know.

Do you protect your server with a firewall, and how strong are your passwords? Note that a password should always be complex.

A password like abcd123 is easily hackable,
whereas #M7tW3ftW.8oO0 is not.

Try to understand that decent security is very important, and try to do some background checks (like reading the logs) to investigate what may be the problem here.

Note that no one here has access to your server, so we can't really help you unless you tell us more.
#3
2nd April 2011, 04:35
Norman
HowtoForge Supporter
Join Date: May 2006
Posts: 242

The most likely reason he was able to write to /tmp is that one of your sites has wrong chmod on directories, so they could upload files (PHP shells), or is running outdated versions of common CMSes with security holes.

Update your websites and make sure you find which website was used to execute scripts locally as that user.
Check which user owns the files under /tmp; it should give some hints.
If they're owned by www-data, you have to check the access.log of each site individually, or do some grepping/find for unknown files that seem out of place.
__________________
http://www.xh.se
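The checks Norman lists (who owns what in /tmp, directories with wrong permissions, recently changed scripts in a docroot, and grepping the per-site access logs) as a small set of shell helpers. This is an added example, not code from the thread or from ISPConfig; it assumes GNU findutils as shipped on Debian, the Apache "combined" log format, and site roots under /var/www, and the log lines it ships with are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): triage helpers for the
# checks described in the post above.
# Assumptions: GNU findutils (Debian), Apache "combined" access-log format,
# and site document roots under /var/www as on an ISPConfig 3 host.

# List every entry directly under a directory with its owner and mtime.
# A file owned by the web-server user (www-data on Debian) in /tmp points at
# a site that was abused; a root-owned file needs a closer look.
tmp_owners() {
    find "${1:-/tmp}" -mindepth 1 -maxdepth 1 -printf '%u %TY-%Tm-%Td %p\n' 2>/dev/null | sort
}

# Directories under a docroot that are world-writable (the "wrong chmod" case):
# anything running as www-data, or any local user, can drop a PHP file there.
world_writable_dirs() {
    find "${1:-/var/www}" -type d -perm -0002 2>/dev/null
}

# Script-like files under a docroot modified in the last N days (default 7).
# Compare against your own deployment history; unexplained new .php files are
# the first thing to inspect.
recent_web_files() {
    find "${1:-/var/www}" -type f -mtime "-${2:-7}" \
        \( -name '*.php' -o -name '*.phtml' -o -name '.htaccess' \) \
        -printf '%TY-%Tm-%Td %u %p\n' 2>/dev/null
}

# Read combined-format access-log lines on stdin and print the ones that
# request a PHP script inside a directory that should hold only static uploads.
# In the combined format field $7 is the request path.
suspicious_requests() {
    awk '$7 ~ /\/(uploads|images|tmp|cache)\/[^\/]*\.php/ { print "script in upload dir: " $0 }'
}

# Constructed sample log lines (not real traffic) for trying the filter offline.
SAMPLE_LOG='10.0.0.5 - - [02/Apr/2011:10:40:12 +0700] "GET /index.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2011:10:41:03 +0700] "POST /images/upload.php HTTP/1.1" 200 142 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Apr/2011:10:46:55 +0700] "GET /images/upload.php?x=1 HTTP/1.1" 200 88 "-" "curl/7.19"'

# Usage on a live host (uncomment; the log path depends on your setup):
#   tmp_owners /tmp
#   world_writable_dirs /var/www
#   recent_web_files /var/www 14
#   suspicious_requests < /path/to/site/access.log
printf '%s\n' "$SAMPLE_LOG" | suspicious_requests
```

Run the functions per site rather than over all of /var/www at once, so the owner and path columns tell you which site (and therefore which ISPConfig client user) the file belongs to; the log filter only matches one common pattern, so treat its output as a starting point, not a verdict.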
#4
2nd April 2011, 05:47
quannv
Member
Join Date: Sep 2007
Location: Viet Nam
Posts: 33

Quote:
Originally Posted by Norman
Most likely reason he was able to access /tmp is cause one of your sites has wrong chmod for directories so they could upload files (php shells) or has outdated versions of common CMS:es with security exploits.

Update your websites and make sure you find which website was used to execute scripts locally as that user.
Check which user owns the files under /tmp and it should give some hints.
if it's owned by www-data you have to check the access.log's of each site individually or do some grepping/find of unknown files that may seem out of place.
Thanks Norman, I checked the owner of the files in /tmp and I see root is the owner. Can someone run as root?

There are some files that have mysql as owner:

-rw-rw---- 1 mysql mysql 1385260 Apr 2 10:46 #sql_2a25_0.MYD
-rw-rw---- 1 mysql mysql 1024 Apr 2 10:46 #sql_2a25_0.MYI
#5
4th April 2011, 20:05
Norman
HowtoForge Supporter
Join Date: May 2006
Posts: 242

Well, it could be any of numerous ways if they gained access to write to /tmp through an exploited site.
You could also be running outdated local software that made it possible to exploit. Who knows.

Can't tell for sure without access to the system and doing an investigation.
Talking someone through a forensics exam isn't really an option.

*does this for a living*
__________________
http://www.xh.se
All times are GMT +2.