ISPconfig security

Discussion in 'General' started by SamTzu, Nov 28, 2013.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    Odd thing is happening right now on 1 of our servers.

    Customer web-site was hacked.
    I disabled the web-site in ISPC but still the ps -panut shows this...
    Even after I restarted Apache (notice that there is no nginx installed on this server.)

    Edit: Reboot of the server closed the site.
    Last edited: Nov 28, 2013
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Just for future cases:

    killall kills a process by name not by user, so it would have been
    killall /usr/sbin/nginx
    Then, it is sometimes helpful to check what files a process uses with lsof -p
    In your case this would have been
    lsof -p 14434
    to check one of the processes.

    Have you verified that:
    - the /usr/sbin/nginx file is gone
    - no cron job was created by the user to re-infect the system
    - the website path itself contains no malicious scripts anymore
  3. SamTzu

    SamTzu Member HowtoForge Supporter

    Looks like it was a DDoS Attack against PRODEPA.
    The file that /proc/ID/exe pointed to was perl.

    Kill -9 processID was tried; it did not find anything to kill. I'm still wondering how ps -ef showed /usr/sbin/nginx when there was no nginx anywhere in the server. Not even in the compromised web-site.
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The process name ps shows can be faked.
    You can try with 'c' parameter to show real commands. Like
    ps acux
    or something like that.
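One way to automate the check the two replies above describe, comparing what a process claims to be (argv[0] in /proc/PID/cmdline, which ps prints and which a malicious perl script can set to "/usr/sbin/nginx") against what the kernel actually runs (/proc/PID/exe). This is an added example, not code from the thread or from ISPConfig; the function names are the example's own, and it assumes a Linux /proc and root privileges to read every process's exe link.

```shell
#!/bin/sh
# Flag processes whose claimed name (argv[0]) does not match the binary the
# kernel is executing. A spoofed argv[0] of "/usr/sbin/nginx" running from
# /usr/bin/perl shows up as a MISMATCH; ps alone cannot tell the difference.

# names_match CLAIMED REAL -> 0 when the basename of CLAIMED is a prefix of the
# basename of REAL ("python3" vs "python3.11", "-bash" vs "bash"), 1 otherwise.
names_match() {
    claimed=$(basename -- "${1#-}")          # login shells report "-bash"
    real=$(basename -- "$2")
    [ -n "$claimed" ] || return 1
    case "$real" in
        *" (deleted)") return 1 ;;           # binary unlinked while running: report it
    esac
    case "$real" in
        "$claimed"*) return 0 ;;
    esac
    return 1
}

# check_pid PID -> prints "PID claimed real verdict"; returns 2 if PID does not
# exist or is a kernel thread (empty cmdline), which has nothing to compare.
check_pid() {
    pid=$1
    [ -r "/proc/$pid/cmdline" ] || return 2
    claimed=$(tr '\0' ' ' < "/proc/$pid/cmdline" | cut -d' ' -f1)
    [ -n "$claimed" ] || return 2
    real=$(readlink "/proc/$pid/exe" 2>/dev/null) || real="(unreadable)"
    if names_match "$claimed" "$real"; then
        verdict=OK
    else
        verdict=MISMATCH
    fi
    printf '%s\t%s\t%s\t%s\n' "$pid" "$claimed" "$real" "$verdict"
}

# scan_all -> lists only the mismatches for every PID in /proc. Treat the
# output as a triage list: wrappers and renamed interpreters can appear here
# legitimately, so confirm each hit with lsof -p PID before killing anything.
scan_all() {
    for d in /proc/[0-9]*; do
        check_pid "${d#/proc/}" | grep 'MISMATCH$' || true
    done
}
```

Non-root users can only read exe links of their own processes, so a full scan must run as root.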