MAybe hacked ISPC

Discussion in 'General' started by AfrodCZ, Apr 21, 2020.

  1. AfrodCZ

    AfrodCZ New Member

    Hi everyone,
    I have a problem. First problem is my English ( I am so sorry). I have installed ISPC3 and I have a client sazeni-online.eu this client find your website on the ascensionrodcompany.com . After my check server Debian 9 ver. 4.9.144-3.1 and after check php files website sazeni-online.eu , I didn't find any assault. So I ask where I should look for a problem, because I really don't know anymore.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I did not understand what the problem is you are solving?
    If you have wrong website shown in browser when url is sazeni-online.eu then that common problem has been discussed numerous times on this forum. Use Internet Search Engines with
    Code:
    site:howtoforge.com wrong website shown
     
  3. AfrodCZ

    AfrodCZ New Member

    I haven't a problem which you wrote . Somebody hacked server and downloaded data from sazeni-online.eu in real time. ascensionrodcompany.com is not on my server. This page ascensionrodcompany.com is hacker page
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Now I get it.
    My quess is there is malware code inserted either in the PHP files of the website, or what I have seen recently in the database.
    One way to check is use browser that has javascript turned off or with plugin NoScript or similar, and see how the web pages look.
     
  5. AfrodCZ

    AfrodCZ New Member

    I changed db user and db password and the page ascensionrodcompany.com is still running. If web sazeni-online.eu stopped, so page ascen...... ends with an error. Web sazeni-online.eu and his source code are clear. ISPC maybe have exploit.

    So what I'd meant, I am considering that the server or exploit in ISPC was hacked. Your website is being pulled out in real-time. I'd also tried to rewrite the website, and it didn't work.

    So you say if I find a website of my client (I am talking about the front-end and content) written under a different domain, then my client's one, with exact front-end like my client's one. Is it a prevalent problem?

    Please advice me with this case,
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I looked at page sazeni-online.eu with Firefox having NoScript installed and active.
    Looking at page source there are several scripts, I do not know which of them you intend to have there. But this one looks suspicious:
    Code:
    <script type="text/javascript" src="//script.crazyegg.com/pages/scripts/0068/4742.js" async="async"></script>
    Find the <script tags and check those that load scripts from outside your server.
    Loading and running hostile javascript can make the browser do anything, including showing a completely another page.
    My guess is that script is inserted in database, possibly to every page record in the database. I have had to clean the database a few times, a bit laborius. Alternative is to load yesterdays backup of the database. Or from time before the infection if it was before yesterday.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I started a virtuabox client, and looked at sazeni-online.eu there. I do not know what the page should look like, but URL stays at sazeni-online and page shows Sazeni logo on top left.
    Have you tried accessing sazeni from another browser or from another host? Your browser may have been hijacked.
     
  8. AfrodCZ

    AfrodCZ New Member

    This is
    Code:
    <script type="text/javascript" src="//script.crazyegg.com/pages/scripts/0068/4742.js" async="async"></script>
    web analytics, but deleted. All protected, but still broken. I suspect an exploit in the ISPC.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What reason do you have for this suspicion?
    I have not seen anything wrong with that sazeni-online.eu page. I think I can not help anymore, since I do not understand at all what is wrong here.
     
  10. AfrodCZ

    AfrodCZ New Member

    Thanks for your time, but you still don't understand the issue. Site sazeni-online.eu is on the server where I have ISPC. We have now uncovered ascensionrodcompany.com which runs on cloudflare.com. We changed the passwords for the database and the user, copied all the files from a backup that is not online, and ascensionrodcompany.com still somehow still loads the contents of sazeni-online.eu, and Google indexes this page and that page exists. The moment I change the password for the db and the user, I would assume that the site ascensionrodcompany.com will not work, but it works. Services like ssh, ftp and others are not compromised, all I can think of is an exploit in ISPC because the site is still duplicating and I can't detect any connection with the typesetting-online and ascensionrodcompany.com
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Check your logs, what http requests to the ISPConfig admin interface do you have between the time you cleaned up the site and it was overwritten again? What requests do you have to the website in question, and even to other sites? Are your website permissions correct, such that a user of another website can't overwrite files on this site? You might even check for cronjobs running during that time.

    To clarify, you have the files themselves being changed? Or a database is being updated and redirecting or such? Or both?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That's really unlikely and nothing of what you posted backs this claim as far as I can see, so please don't do claims where you have no evidence for. That you don't understand what happens on your server does not mean that ISPConfig is related to it and especially it does not mean that ISPConfig got hacked. The ISPConfig GUI user has not even access to the site files, so it can't alter or overwrite it. And changes done by the root user are all logged in detail in the datalog, which you can see in the datalog viewer in ISPConfig. The most likely reason for a hacked website is that the cms or code of that website was hacked, @Taleman pointed that out already. And cronjobs are commonly used in such a case, like @jesse pointed out.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Just a guess which would exactly match your description, you don't have any issues or hack, you just see the content of another site for one of these reasons:

    1) You mixed up * and IP address in the ipv4 fields of the websites. Use either * for all sites or the IP address for all sites, never mix that.
    2) You access a site by https which has no https enabled. Ensure that all sites have SSL enabled and that all sites have a valid SSL cert installed or let's encrypt enabled.
     
  14. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    @AfrodCZ I had a look at the source code of the pages. It seems you or your client is simply a victim of content stealing by proxying requests.

    The target server, in this case possibly ascensionrodcompany.com is fetching the contents from your server depending on the called url and is rewriting the source before displaying it to the client. The proxy removes some code for twitter, google analytics etc. pp. to make it harder to find the site stealing contents.

    You can see that it steals content from these source lines:
    Code:
                <a style="display:none" href="/cdn-cgi/l/email-protection#95fcfbf3fad5e6f4eff0fbfcb8fafbf9fcfbf0bbf0e0" title="[email protected]" class=" active"><span class="__cf_email__" data-cfemail="ddb4b3bbb29daebca7b8b3b4f0b2b3b1b4b3b8f3b8a8">[email&#160;protected]</span></a>
    vs
    Code:
                <a href="mailto:[email protected]" title="[email protected]" class=" active">[email protected]</a>
    So the proxy algorithm fails to deal with the mail addresses correctly. Whereas google code and twitter tags are rewritten. You will have few chances to avoid this. You could try calling the foreign website and at the same time watching the logs of your site for accesses to the called pages. If it is a non-caching real-time proxy, then you might be able to find out the real ip of the attacker and block it.
     
  15. AfrodCZ

    AfrodCZ New Member

    Many thanks @Croydon @till @Taleman and I apologize for the suspicion of attacking the ISPC. It was really an MITM attack (man in the middle). Wouldn't it be worthwhile to include a simple protection in the default installation as an installation step?
    Thank you very much again for your effort and advice.
    This firewall setting protect all websites on the server.
    iptables -t nat -A PREROUTING -p tcp -d localhost --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -d / --dport 80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8888
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Just curious, was this happening on your server, or between the client and your server?

    No, there's nothing listening on port 8888 by default on a server if installed with the Perfect Server guide - the commands you used may be relevant to your system, but entirely inappropriate to a normal install.
     
    Last edited: Apr 23, 2020
  17. AfrodCZ

    AfrodCZ New Member

    The attack is conducted using a transparent proxy. He stole the content of the website, the website and the server were not attacked
     

Share This Page