My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of a couple of my websites. The index.php had the following info:

"Hacked By Top
First Warning That's Bug From Your Servers
Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
Sorry Admin And Don't Worry Just I Change Index
ALTBTA
For Contact : l_9@hotmail.com
Best Wishes"

Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up. But I haven't got a reply yet. I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded. And I don't know where else to look, please help.

I'm using FreeBSD 7.1-Release with the daemons below:

Apache 2.2.11
ProFTP 1.32
OpenSSH 5.1
Webmin 1.480
MySQL 5.0.67
BIND 9.6.0
On Dec 9, 2009, at 4:40 PM, Squirrel wrote:

> My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of a couple of my websites. The index.php had the following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l_9@hotmail.com
> Best Wishes"

While it's unfortunate that your machine was hacked, and it would be nice to assume that no other changes were made, you need to completely rebuild this box and regenerate SSH keys, SSL certs, etc. before you can trust anything it talks to.

> Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up. But I haven't got a reply yet. I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded. And I don't know where else to look, please help.
>
> I'm using FreeBSD 7.1-Release with the daemons below:
>
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0

You're down-rev on Apache and BIND, at the very least. And the fact that you mentioned index.php suggests that you're running a lot more than just a basic Apache webserver; PHP is a likely candidate for security vulnerabilities by itself, and if you haven't patched for FreeBSD-SA-09:16.rtld, any local exploit will yield root.

Installing /usr/ports/ports-mgmt/portaudit can be helpful....

Regards,
-- 
-Chuck
Squirrel wrote:

> My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of a couple of my websites. The index.php had the following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l_9@hotmail.com
> Best Wishes"
>
> Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up. But I haven't got a reply yet. I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded. And I don't know where else to look, please help.
>
> I'm using FreeBSD 7.1-Release with the daemons below:
>
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0

It could be tricky to figure out how the attacker got in. I'd be curious what PHP application you are using right now. Have you properly set the permissions (i.e. files are either executable or writable, but not both; the www user can't write where code can be executed, etc.), and is there no vulnerability in your web application?

By the way, if you use ports you can install ports-mgmt/portaudit and use 'portaudit -Fda' to check if there is a known vulnerability in your installed packages, just a hint.

Cheers,
-- 
Xin LI <delphij@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
I've just finished the rtld patch. Now in the process of regenerating all the keys and certs. Next I will look into php. But as far as the rtld vulnerability goes, doesn't it require at least a local user account? Looking at all the authentication, there wasn't any authenticated session during the time frame. So I'm leaning more towards php 5.2.9, and checking all my ports. Thanks for the info.

-----Original message-----
From: Chuck Swiger cswiger@mac.com
Date: Wed, 09 Dec 2009 20:12:08 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> On Dec 9, 2009, at 4:40 PM, Squirrel wrote:
> > [...]
>
> While it's unfortunate that your machine was hacked, and it would be nice to assume that no other changes were made, you need to completely rebuild this box and regenerate SSH keys, SSL certs, etc. before you can trust anything it talks to.
>
> > [...]
>
> You're down-rev on Apache and BIND, at the very least. And the fact that you mentioned index.php suggests that you're running a lot more than just a basic Apache webserver; PHP is a likely candidate for security vulnerabilities by itself, and if you haven't patched for FreeBSD-SA-09:16.rtld, any local exploit will yield root.
>
> Installing /usr/ports/ports-mgmt/portaudit can be helpful....
>
> Regards,
> -- 
> -Chuck
Taking your advice and checking all ports for problems. Thanks.

-----Original message-----
From: Xin LI delphij@delphij.net
Date: Wed, 09 Dec 2009 20:18:13 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> Squirrel wrote:
> > [...]
>
> It could be tricky to figure out how the attacker got in. I'd be
> curious what PHP application you are using right now. Have you
> properly set the permissions (i.e. files are either executable or
> writable, but not both; the www user can't write where code can be
> executed, etc.), and is there no vulnerability in your web application?
>
> By the way, if you use ports you can install ports-mgmt/portaudit and
> use 'portaudit -Fda' to check if there is a known vulnerability in your
> installed packages, just a hint.
>
> Cheers,
> -- 
> Xin LI <delphij@delphij.net> http://www.delphij.net/
> FreeBSD - The Power to Serve! Live free or die
Squirrel wrote:

> My server was hacked, and the hacker was nice enough to not cause
> damage except changing index.php of a couple of my websites. The
> index.php had the following info:
>
> "Hacked By Top First Warning That's Bug From Your Servers Next Time
> You Must Be Careful And Fixed Your Site Before Coming Another Hacker
> And Hacked You Again Sorry Admin And Don't Worry Just I Change Index
> ALTBTA For Contact : l_9@hotmail.com Best Wishes"

I wouldn't be sure he has changed only the indexes; it's a good rule to check carefully every other file or revert to a backup preceding the hacking.

> Of course, I sent him an email, just in case it's valid, asking how he
> did it or how I should patch things up. But I haven't got a reply yet.
> I've looked at all the log files, particularly auth.log; although
> there were thousands of login attempts to SSH and FTP, none
> succeeded. And I don't know where else to look, please help.
>
> I'm using FreeBSD 7.1-Release with the daemons below:
>
> Apache 2.2.11 ProFTP 1.32 OpenSSH 5.1 Webmin 1.480 MySQL 5.0.67 BIND
> 9.6.0

Most likely it could be some kind of remote code execution or SQLi executed in the context of some PHP scripts; you should audit the PHP code of your web interface and of the websites you host.

Also consider the strength of your passwords: lots of login attempts to ssh/ftp may mean he has tried a brute force (or a dictionary attack maybe). You should also check the webmin logs, there are a few bruteforcers for webmin out there (*hint*). Consider the length of your average password; if it's more than 7-8 characters, alphanumeric with symbols, most likely this isn't the case.

Check (if you have them) the logs of URLs requested and MySQL errors; the answer could probably be found there.

regards
ocean
On Wed, Dec 09, 2009 at 06:40:17PM -0600, Squirrel wrote:

> My server was hacked, and the hacker was nice enough to not cause damage except changing index.php of a couple of my websites. The index.php had the following info:
>
> "Hacked By Top
> First Warning That's Bug From Your Servers
> Next Time You Must Be Careful And Fixed Your Site Before Coming Another Hacker And Hacked You Again
> Sorry Admin And Don't Worry Just I Change Index
> ALTBTA
> For Contact : l_9@hotmail.com
> Best Wishes"
>
> Of course, I sent him an email, just in case it's valid, asking how he did it or how I should patch things up. But I haven't got a reply yet. I've looked at all the log files, particularly auth.log; although there were thousands of login attempts to SSH and FTP, none succeeded. And I don't know where else to look, please help.
>
> I'm using FreeBSD 7.1-Release with the daemons below:
>
> Apache 2.2.11
> ProFTP 1.32
> OpenSSH 5.1
> Webmin 1.480
> MySQL 5.0.67
> BIND 9.6.0

1) Immediately disable all forms of network connectivity from the Internet to this box. Do it physically if possible, otherwise cross your fingers (that nothing low-level got tinkered with) and use pf.

2) Format the box + reinstall the OS. Don't bother trying to "fix up what may have been changed", nor simply rebuilding world/kernel + rebooting. There is absolutely no guarantee the individual did not backdoor something, including libraries, or even replace kernel modules. Don't risk it: reinstall the entire OS and rebuild from scratch, or restore necessary (non-OS) pieces from backups (assuming you know absolutely 100% for sure when the person "hacked the box" -- chances are it could've been hacked long before the person told you and your backups contain the same backdoors). Don't have backups? Use this situation as justification for 'em. :-)

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
I do have most of the measures you've mentioned implemented. There is one website that is required to have register_globals, which I have set in his directory/.htaccess to avoid enabling it site-wide. Currently, I'm in the process of upgrading all my ports. Thanks for the info.

-----Original message-----
From: Matthew Seaman m.seaman@infracaninophile.co.uk
Date: Thu, 10 Dec 2009 02:24:34 -0600
To: squirrel@isot.com
Subject: Re: Hacked - FreeBSD 7.1-Release

> Squirrel wrote:
> > I've just finished the rtld patch. Now in the process of regenerating
> > all the keys and certs. Next I will look into php. But as far as the rtld
> > vulnerability goes, doesn't it require at least a local user account?
> > Looking at all the authentication, there wasn't any authenticated
> > session during the time frame. So I'm leaning more towards php
> > 5.2.9, and checking all my ports.
>
> You don't necessarily need to have a login session (ie. recorded in wtmp)
> to exploit the rtld bug -- just control over some process and the ability
> to run commands through it. Although the rtld bug is "only" a local root
> compromise, since it is so simple to exploit it is a lot more dangerous
> than most, and in combination with just about any form of remote exploit
> it means your box gets rooted.
>
> Upgrading PHP and all ports is a good move. portaudit(1) is a good idea
> but it doesn't necessarily address the direct route your attackers used.
> My suspicions (in the absence of any detailed forensic examination of
> your machine) are that you are running some vulnerable PHP code. This
> may be part of a well known application, or it may be something locally
> written.
>
> In this case, I'd recommend a number of measures:
>
> * Run a security scanner like nikto (ports: security/nikto)
>   against each of the websites on your server. Do this at
>   regular intervals, and take action to fix any problems it
>   discovers.
>
> * Make sure that you only grant the minimum necessary permissions
>   on the filesystem to allow apache to run your applications. In
>   general, everything under your doc root should be *readable* by
>   uid www but not *writable* -- don't be seduced by the idea of
>   making the webroot owned by www:www --- root:wheel is a much
>   better idea, and files should be mode 644, directories mode 755
>   unless there's a good reason to have them otherwise.
>
> * Refuse to run any PHP application that requires you to have
>   'register_globals = YES' or to similarly poke enormous holes
>   in security through php.ini. Any application developer that
>   has not modified their code to use the $GLOBALS array by now
>   is lazy and incompetent and their code is likely to have all
>   sorts of other holes.
>
> * Similarly give your web application only the minimum necessary
>   permissions it needs to access any databases. You'll frequently
>   see instructions to do things like: 'GRANT ALL PRIVILEGES ON foo.*
>   TO www@localhost WITH GRANT OPTION;' This is way too much and should
>   be trimmed down. Web apps rarely have any need to make schema
>   changes, and creating other UIDs is right out, so
>   'GRANT SELECT,INSERT,UPDATE,DELETE ON foo.* TO www@localhost' is a
>   much more reasonable starting point.
>
> * Where a web application has a legitimate reason to want to write
>   to the filesystem (eg. uploading files), preferably confine the
>   write access to a separate directory tree outside the web root --
>   /tmp or /var/tmp aren't bad choices, but it might be better to
>   create a specific location for a particular application.
>
> * Where a web application has an administrative mode, preferably
>   arrange to run this over HTTPS, thus protecting any passwords
>   from snooping. If the administrative mode needs to have generic
>   read/write access to the web tree, then consider running it in a
>   completely separate Apache instance with different user credentials
>   than the generally accessible web server.
>
> Making the last point work with some arbitrary web application is
> frequently challenging, but usually at least possible by a combination
> of mod_rewrite and mod_proxy functions in the Apache config.
>
> Cheers,
>
> Matthew
>
> -- 
> Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
>                                                   Flat 3
> PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
>                                                   Kent, CT11 9PW
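Matthew's filesystem rule (everything under the doc root readable by uid www but not writable, files 644, directories 755, owned by root) as an audit-and-fix script. This is an added example, not code from the thread or from any of its authors; it assumes a POSIX sh with find(1), sed(1) and mktemp(1), and the function names and the sample tree are my own.

```sh
#!/bin/sh
# Audit a web document root against: files mode 644, directories 755,
# nothing writable by group/other, everything owned by root.
# Assumes POSIX sh plus find(1), sed(1), mktemp(1); docroot is $1.

# Print one finding per line as "<KIND> <path>". Ownership is a
# separate KIND because changing it needs root and a deliberate choice.
audit_webroot() {
    docroot=$1
    find "$docroot" -type f ! -perm 644 -print | sed 's/^/BAD_FILE_MODE /'
    find "$docroot" -type d ! -perm 755 -print | sed 's/^/BAD_DIR_MODE /'
    # group- or world-writable: uid www must never be able to write here
    find "$docroot" \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
    find "$docroot" ! -user root -print | sed 's/^/NOT_ROOT_OWNED /'
}

# Number of mode-related findings (ownership excluded so the check
# also works from an unprivileged shell).
count_mode_findings() {
    audit_webroot "$1" | grep -v '^NOT_ROOT_OWNED ' | wc -l | tr -d ' '
}

# Apply the default modes; chown root:wheel is left to the admin.
fix_webroot_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed sample tree: two compliant entries and three violations.
make_demo_tree() {
    d=$(mktemp -d) && chmod 755 "$d"
    mkdir "$d/images" "$d/uploads"
    : > "$d/index.php"; : > "$d/config.php"; : > "$d/uploads/avatar.png"
    chmod 644 "$d/index.php"
    chmod 600 "$d/config.php"          # not 644: www cannot even read it
    chmod 777 "$d/uploads"             # world-writable dir: flagged twice
    chmod 666 "$d/uploads/avatar.png"  # world-writable file: flagged twice
    printf '%s\n' "$d"
}

# Stand-alone run: audit the sample tree, then show it clean after fixing.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo_tree)
    audit_webroot "$d"
    fix_webroot_modes "$d"
    echo "after fix: $(count_mode_findings "$d") mode findings"
    rm -rf "$d"
fi
```

Run it against a real doc root with `audit_webroot /usr/local/www/site` first and review the findings before applying `fix_webroot_modes`, since an application with a legitimate upload directory outside the web root should not be inside the audited tree at all.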
On Tue, Dec 29, 2009 at 08:10:42AM -0800, Brian W. wrote:

> On 12/29/2009 3:45 AM, Edwin Groothuis wrote:
> > mpt to pass a Turing test or something.
> >
> > On all systems which need to be accessible from the public Internet:
> > Run sshd on port 22 and port 8022. Block incoming traffic on port
> > 22 on your firewall.
> >
> > Everybody coming from the outside world needs to know it is running
> > on port 8022. Everybody coming from the inside world has access as
> > normal.
> >
> > Edwin
>
> I seem to recall on one of the openbsd lists someone speaking of risks
> of running sshd or other services on high numbered ports, presumably
> because a non root user cannot bind ports up to 1024.

More than happy to suggest 222 next time :-)

Edwin
-- 
Edwin Groothuis    Website: http://www.mavetju.org/
edwin@mavetju.org  Weblog:  http://www.mavetju.org/weblog/