ISPconfig security

Discussion in 'General' started by SamTzu, Nov 28, 2013.

  1. SamTzu

    SamTzu Member HowtoForge Supporter

    Odd thing is happening right now on 1 of our servers.

    Customer web-site was hacked.
    I disabled the web-site in ISPC but still the ps -panut shows this...
    Even after I restarted Apache (notice that there is no nginx installed on this server.)

    Edit: Reboot of the server closed the site.
     
    Last edited: Nov 28, 2013
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Just for future cases:

    killall kills a process by name not by user, so it would have been
    Code:
    killall /usr/sbin/nginx
    Then, it is sometimes helpful to check what files a process uses with lsof -p
    In your case this would have been
    Code:
    lsof -p 14434
    to check one of the processes.

    Have you verified that:
    - the /usr/sbin/nginx file is gone
    - no cron job was created by the user to re-infect the system
    - the website path itself contains no malicious scripts anymore
    ?
     
  3. SamTzu

    SamTzu Member HowtoForge Supporter

    Looks like it was a DDoS Attack against PRODEPA.
    The file that /proc/ID/exe pointed to was perl.

    Kill -9 processID was tried it did not find anything to kill. I'm still wondering how ps -ef showed /usr/sbin/nginx when ther was no nginx anywhere in the server. Not even in the compromised web-site.
     
  4. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The process name ps shows can be faked.
    You can try with 'c' paramter to show real commands. Like
    Code:
    ps acux
    or something like that.
     

Share This Page