Oops... Server hacked...

Discussion in 'Server Operation' started by edge, Jan 16, 2011.

  1. edge

    edge Active Member Moderator

    Today I noticed high CPU usage on one of my servers, and I did get a warning email from RKhunter.

    The RKhunter log told me that port 6667 was open.

    After this I did a: netstat -nap | grep 6667 and yes.
    This did not look good. So I did a: lsof -i tcp:6667
    Googling the IPs gave me more info and showed me that it's pointing to some bad scripts.

    The "hacker" got in through a website on my server that was running dompdf (php code to generate .pdf files)
    They injected scripts by calling dompdf like this: domain.tld/dompdf/dompdf.php?input_file=

    My servers are all running in a XenServer environment, and as I make backups every week I reversed back to one week ago, and disabled dompdf on that site.

    I'm now going to look at the "hacked" XenServer backup and see what damage has been done.
    Last edited: Jan 16, 2011
  2. pititis

    pititis Member

    Hi Edge,

    Can you report the version from dompdf please?

  3. Ben

    Ben ISPConfig Developer ISPConfig Developer

    According to exploitdb it should've been something before 0.6.0 beta1?

    @edge: even though this'd only set the level for a successful attack a bit higher, you have no user based outbound rules on your firewall?
    E.g. you could completely deny the webserver's user to actively connect outbound or regulate its outbound access to known servers and ports with iptables.

    How do you run rkhunter? On a daily basis or "by hand" from time to time?
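    Ben's suggestion of per-user outbound rules, as an added example that is not from this thread: a POSIX sh script that confines outbound traffic of the web server user with an iptables owner match. The user name www-data, the resolver 192.0.2.53 and the allow-listed host 192.0.2.10 are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confine outbound connections of the web
# server user with an iptables owner match, so a script run as www-data cannot
# reach an IRC server on 6667 or anything else outside an explicit allowlist.
# All hosts and the user name are placeholders chosen for illustration.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-}

# run: call iptables, or with DRY_RUN set just print the command for review
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# www_egress_rules USER RESOLVER ALLOWED_HOST
# Builds a dedicated chain and hooks it into OUTPUT for packets owned by USER.
# Apply once; on a re-run, delete the OUTPUT hook first or it is inserted twice.
www_egress_rules() {
    user=$1; resolver=$2; host=$3
    run -N WWW_OUT
    run -F WWW_OUT
    # replies inside connections the server accepted (HTTP responses) must pass
    run -A WWW_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # local services (MySQL on 127.0.0.1, etc.) stay reachable
    run -A WWW_OUT -o lo -j ACCEPT
    # DNS only to the configured resolver
    run -A WWW_OUT -p udp -d "$resolver" --dport 53 -j ACCEPT
    run -A WWW_OUT -p tcp -d "$resolver" --dport 53 -j ACCEPT
    # one allow-listed upstream on HTTP/HTTPS (e.g. a payment or update API)
    run -A WWW_OUT -p tcp -d "$host" -m multiport --dports 80,443 -j ACCEPT
    # everything else from this user is logged (rate limited) and rejected;
    # a connect attempt to 6667 thus shows up in syslog instead of succeeding
    run -A WWW_OUT -m limit --limit 5/min -j LOG --log-prefix "WWW_EGRESS_DENY: "
    run -A WWW_OUT -j REJECT
    # only packets generated by processes running as USER enter the chain
    run -I OUTPUT 1 -m owner --uid-owner "$user" -j WWW_OUT
}

# usage: DRY_RUN=1 sh egress.sh www-data 192.0.2.53 192.0.2.10   (review first)
if [ $# -eq 3 ]; then
    www_egress_rules "$@"
fi
```

Run it with DRY_RUN=1 first to read the generated rules, then without it as root on the server to apply them.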
  4. edge

    edge Active Member Moderator

    It was version dompdf 0.5.1

    I have added them now.

    It's doing a scan every 3 hours.

    Anyway. I've been examining the "hacked" XenServer virtual server 'off-line', but did not find any problems except the dompdf.
    So. I have no clue on how they managed to make this "ircd" connection.
    The IRC server on "" is still active, and if you go to it with a browser you will find some interesting files on it (have a look at tunnels.txt)

    I've been trying some things myself through the dompdf exploit on my XenServer virtual server system, and all things done through dompdf were as user www-data. Not sure what main damage can be done by this user.

    Anyway. I've now protected the "dompdf" directory with a .htaccess / .htpasswd file.
    Last edited: Jan 19, 2011
  5. pititis

    pititis Member

    I have downloaded the myid.jpg code

    The hacker can upload any file to your server and execute it. He modified your system process. If you don't have a fs integrity checker it will be difficult to detect the process or file. The attack sends an email to the creator when it is done. ([email protected]) Check your logs too
  6. edge

    edge Active Member Moderator

    That was the 1st thing I did. I decompiled the base64_encode (and the email address), and had a look at the code.

    The email address that I got from the code was "[email protected]"
  7. edge

    edge Active Member Moderator

    What other ports do you block?
