Attacked by Blackhole Exploit Kit?

Discussion in 'General' started by SparkyRih, Aug 28, 2013.

  1. SparkyRih

    SparkyRih New Member

    So I have a huge problem all of my websites get injected with malicious javascript code (all *.js files, a lot of *.html files and usually only *header*.php and *footer*.php files)...

    My server setup was based on the Ubuntu 12.10 Perfect Server tutorial (http://www.howtoforge.com/perfect-server-ubuntu-12.10-apache2-bind-dovecot-ispconfig-3)...

    While still on Ubuntu 12.10 the attacks started, in an attempt to solve this I did:
    -Upgrade to Ubuntu 13.04
    -Disabled dangerous and unused features in PHP
    -Tried hardening Apache by installing mod_security and mod_evasive
    -Checked for rootkits with hkhunter (updated and reran again a couple of minutes ago)
    -Searched a lot of logs, but can't seem to find anything unusual
    -Ask for help on the Ubuntu forums, but they keep saying they don't know...

    So none of these stops the attacks... Luckily I do have a dirty workaround that cleans up my websites automatically, so I'm not spreading any malware to my site visitors anymore, but I really need to find out how to stop the attacks...

    When the attacks started I was running the latest installation of ISPConfig, "during the attacks" ISPConfig released a new version, so that's ther version that I'm running now (3.0.5.3)...

    I'm running several websites:
    -1 based on MediaWiki
    -4 based on WordPress (one of them forces an SSL connection, but still gets attacked)
    -2 based on e107
    -1 based on 1 HTML and 1 JPG file (the IP address of the server)
    All of them are currently running the latest version of their CMS, all are running on FastCGI PHP engine...

    One specific thing though, all websites have a known domain name except for one e107 website, it's still under construction and the domain name has never been published anywhere, this website has never had any code injections whatsoever...

    I hope this info will tell you something which can point me in the right direction of solving this huge issue?
     
    Last edited: Aug 28, 2013
  2. almere

    almere Member HowtoForge Supporter

    Well... It seems, like somebody get access to your server ( root ftp, root ssh etc. ). It's only way that I see.

    You should try:

    1) Create a VPS and make it like a VPN server, allow root/administrator login only from that VPN's IP. And scan your computer for viruses.

    2) System -> server config -> your server -> web -> Permissions and check "Set folder permissions on update" and "Make web folders immutable ". Than run resync. It should fix all permissions issues.

    3) Check if your fail2ban works, and check logs.

    4) Update your OS and ISPconfig one more time and install all patches from http://www.ispconfig.org/download/patches/ .
     
  3. SparkyRih

    SparkyRih New Member

    My SSH connection uses an unusual port, and only one user is allowed to login via SSH (me of course), also no root user allowed... And nothing logged in to that one account as far as I can see in the logs...

    As for the settings, the setting that you're point to has been enabled, but as I'm pretty sure it always has been that way...
    [​IMG]

    As for your last point, I update the server pretty much every week, but I didn't install the ISPConfig patches, so I will dive into that tonight...

    Also thanks for the first tip, I can do that, a VPS to be used for something like that isn't expensive and it can even be used for other purposes :)
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The current ispconfig patches are only for usability issues (not working php version selector, not working options tab of ftp user settings), not security issues. In the 3.0.5.3 update was a security patch, but this was about priviliges of existing clients in the interface and not remote access. Even if one of your clients wold have used that, the actions would have been logged in sys_datalog table, so I'am quite sue that this is not related to your issues.

    Beside rkhunter, you should try to use chkrootkit as well and scan the whole server filesystem with clamav.
     
  5. SparkyRih

    SparkyRih New Member

    All of the websites are owned by me except for one WP site... The user only has FTP access (no ISPConfig)...

    Edit: I did use chkrootkit too... But I didn't do clamav, so I'll do that...

    Edit 2: ClamAV results

    ----------- SCAN SUMMARY -----------
    Known viruses: 2698134
    Engine version: 0.97.8
    Scanned directories: 26225
    Scanned files: 178291
    Infected files: 0
    Total errors: 11488
    Data scanned: 10914.63 MB
    Data read: 16330.91 MB (ratio 0.67:1)
    Time: 1322.688 sec (22 m 2 s)
     
    Last edited: Aug 28, 2013
  6. maumar

    maumar New Member HowtoForge Supporter

  7. SparkyRih

    SparkyRih New Member

  8. SparkyRih

    SparkyRih New Member

    maldet doesn't seem to be able either...

    But I'm pretty sure they hacked into all of our pure-ftpd accounts because the log that I missed says so (I feel so, sooo stupid :S)...

    Any tips? I know: changing all passes, but they got them somehow, so if I change them they will get them again? Whitelisting IPs is also not an option since clients have to be able to login from any location without having to use a VPN or anything...
     
  9. maumar

    maumar New Member HowtoForge Supporter

    it seems they have stolen your passwords using a keylogger, this is a very widespread virus and very often they abuse smtp auth to send spam using sasl authentication
     
  10. SparkyRih

    SparkyRih New Member

    Than let's wait and see what happens... I've changed all passwords and haven't logged in to any accounts since...
     
  11. remy74

    remy74 New Member

    Can you provide Apache logs ? (PM if needed)
     
  12. almere

    almere Member HowtoForge Supporter

    That's what I call magic...
     

Share This Page