Help!!! - Website on ISPConfig server Infected - How to clean?

Discussion in 'Server Operation' started by Ambro, Oct 7, 2017.

  1. Ambro

    Ambro New Member

    Hi,
    thanks in advance to anyone that can help... A couple of question:
    1. I have a ISPConfig that get infected. now I have a site that spam to the external. If I use postdate -vq <MessageID> I see the php originating script but if Search for PID in execution I can't find process. If I delete the script, the mass mail stop, but next days I find another script that restart spamming. How I can stop this mass mail? if I use ps aux| grep web36 I find 5 process... I have already stop and deleted this php script but next day there are in another place with another name, but with the same result... What I have to do?
    2. The same installation, I've received a notification that my server try authenticate on a SMTP third party server, how can find process that is trying to attack and clean my server?
    The most important thing: how to harden my server? what I've to do prevent attack? how get notified and take prevent action?
    I know that security is a large and complex argument, but where to start?
    Now I've only installed lynis, but I've to document and correctly setup, can be a valid start point?

    Thanks in advance to anyone that would help...
    Bye
    Stefano
     
  2. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    first of all, we need more informations like which operating system do you use?
    - disable php mail function in php.ini, restart php-fpm / apache processes
    - check your logs, especially syslog/auth.log wether there are suspicious ftp logins
    - there might be some infected script running on that web which allows remote attacker to upload/modify own code which starts the spamming, check access.log or look into the scripts, check which file got modified and list them by time to get an idea which file could be modified.
    - the process trying to auth to remote server might aswell be the same script of attacker
    - you didn't find the process id because that php script might have been finished already the moment you see it.
     
    Last edited: Oct 7, 2017
  3. concept21

    concept21 Member

    You must also "limit outgoing traffic". CSF's default installation only opens very few outgoing ports. Try it. :cool:

    Also install Malware Detect v1.62
    https://www.rfxn.com/
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    And one thing to note, not ISPConfig was infected. When you have a process owned by web36 then a website on your server is infected and not ISPConfig, that's a huge difference. I'll alter the title of your thread from 'Help!!! - ISPConfig Infected - How to clean?' 'Help!!! - Website on ISPConfig server Infected - How to clean?' to reflect that as others might think that there is an ISPConfig issue otherwise.

    Regarding the solution, @ztk.me and @concept21 pointed out possible next steps.
     
  5. Poliman

    Poliman Member

    Where limit outgoing traffic (postfix?) and what is CSF -> https://configserver.com/cp/csf.html? :)
     
  6. Ambro

    Ambro New Member

    Sorry, my fault, it's correct...

    Ok, the server is an ubuntu 14.04 LTS that update manually once a week. I've made a scan with ISPProtect and it finds many issue. Some question:
    - Now system is not spamming: mailq command return empty list. normally for site with php we use fast-cgi with suExec option in site config, it's better to run in other mode or disable the suExec?
    - when checking one issue, I had the idea to control related .htaccess so I found that attackers redirect logs to /dev/null... So I can't be sure that all action is normally logged... I've to control every .htaccess and repair corrupted, isn't it?

    Other question: ISPProtect identify Unix.Malware.Agent-1847048 in /var/www/clients/client1/web2/tmp/phpGG9pXH_amryozlco6keolad, the malware is in ClamAV signatures, but I have no report in ClamAV scan in ISPConfig. Surely is my mistake in configuration, but where?

    Thanks a lot, I have to start from basis...

    The last question (for now...): I've plan to harden ISPConfig installation, where is better to start? I've read that the usage of lynis is a good start point... what do you think?

    Thanks in advance to all...
    Stefano
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The PHP mode is fine. You may use php-fpm instead of php-fcgi, but there is no difference security wise, php-fpm is just the modern version of php-fcgi. So I would leave it just at php-fcgi. Suexec should always be on.

    As /dev/null in a .htaccess file is quite unusual, you should be able to scan for that easily with grep. e.g. if you want to scan just the .htaccess files in the web root:

    grep '/dev/null' /var/www/clients/client*/web*/web/.htaccess

    or use a combination of find and grep command to scan all .htaccess files in /var/www recursively.

    By default, ISPConfig uses ClamAV to scan incoming emails. ClamAV is not used to scan websites unless you installed and configured it to do so. The detection rate for PHP based Malware in ClamAV is quite low.

    Lynis is good to get an overview of the security settings. But it probably won't help much with hacked websites. If you host your own sites, then try to keep the CMS systems and plugins up to date.
     
    ztk.me likes this.
  8. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    clamav is basically configured to scan emails only, not websites.
    yes you have to check every file the user of that web could possibly access.
    There's usually not much you can do, if a php-script has an issue allowing to execute code which has been sent by POST/GET/COOKIE/HEADER....whatsoever request, or even an uploaded image which has malicious code in it confusing the internal graph library or uploads allowed with .php extensions or simple ?page= stuff where some people write code like
    include($_GET['page'].'.php'); could easily passed by - just put ?page=yourdesireduploadedmaliciouscode and then a NULL char et voila.

    it's the code on that web which allowed the attacker to do such things ( usually ). Sometimes the user has some sneaky malware which sniffs FTP credentials which are sent to the attacker-server who then infects the page.
     

Share This Page