Somebody created a zero-byte file on my server

Posted by Jacob2011, 03-23-2015, 04:05 PM
It seems that my server was hacked by somebody. When I access it with an FTP program, there's a zero-size file in a directory which was not uploaded by me, and it can't be deleted. When I access this folder with the root account via PuTTY, there's no such file, but there's a folder named "\r", which was not created by me either.

Posted by qlpqlp, 03-23-2015, 04:15 PM
Try to rename the file first; if you can't, create a new directory, move the file/directory into the new folder, and then delete the new folder.

Posted by Jacob2011, 03-23-2015, 04:41 PM
Thanks for the advice. The file itself is safe; I'm concerned that somebody can create a file on my server, and I don't know how he did it. My server is a fully managed one, so I submitted a ticket; it took them over 40 minutes to remove this file. I'm very disappointed, and I don't know whether my server is still secure now.

Posted by nisamudeen97, 03-24-2015, 08:08 AM
Hi Jacob, you have to check the server logs, mainly the FTP log, the Apache log and the control panel log (if installed), in detail and establish how the file got uploaded to that location. You have to check the server access list and make sure your server is not being accessed by anyone other than you.

Posted by Jacob2011, 03-24-2015, 01:38 PM
Thank you. I checked the commands they executed in the bash history; they checked the correct log file. And finally I found the vulnerability! Although I don't know whether there are others, this one is deadly simple and everyone can run any command on my server! I can confirm that my server is no longer secure; perhaps tens of guys have accessed my server and installed backdoors on it.

Posted by nisamudeen97, 03-24-2015, 11:10 PM
Hi, that makes sense. Now you have to take the decision to move the accounts to a new server. Staying on a server which is already compromised is not a good idea.

Posted by david510, 03-24-2015, 11:26 PM
The best approach will be to reinstall the server and start everything from scratch. You can install the OS on a new drive, harden and secure the server, and then copy only the needed files from the old drive. Care should be taken when copying data from the old server, as you don't want any backdoors to be copied over. Periodic security audits will help you check for hacks to a great extent. Don't forget to back up data as soon as possible.

Posted by Wes0805, 03-25-2015, 04:03 AM
If this is a public-facing directory, it was most probably created through an exploit of an existing application like WordPress. If you are running maldet daily, it might have cleaned that file.

Posted by HRoot_Inc, 03-25-2015, 04:41 AM
Always schedule maldet runs, every day. Here's something else you can do:
1. changing SSH ports?
2. changing SSH logins to use a key file?
3. securing third-party apps?
4. monitoring server load spikes with SAR?
5. keeping your OS/apps up to date?

Posted by eth00, 03-25-2015, 08:18 AM
I would definitely suggest moving to a new server if you find any evidence they gained root. If it was only an exploitation of a single user account that didn't go anywhere else, then it was contained and there is no reason to reload the system. Either way, it can be hard to be completely sure the system was not compromised, so it would not hurt to re-image from a security perspective. Make sure to harden the machine and really lock it down before starting to move the accounts over, so that if something is exploitable it does not get hacked again right away.

Posted by Jacob2011, 03-25-2015, 04:43 PM
I know, but it seems that the hacker has not modified the PHP files; I compared them with several older versions on my local hard disk, and nothing was changed by others. He could have done anything silently without leaving this footprint, but he didn't.

Posted by Jacob2011, 03-25-2015, 04:47 PM
So after I submitted a ticket, they only deleted that file but didn't audit the system's security. I'm very disappointed.

Posted by Jacob2011, 03-25-2015, 04:52 PM
Thanks, I back up my files frequently, so even if all the files on the server are deleted, I can recover them. Now I'm removing all possible vulnerabilities in the PHP files; I'll audit them entirely before moving to the new server.

Posted by Jacob2011, 03-25-2015, 05:06 PM
Thanks, I'll let the server provider harden the system, and I'll harden the PHP files which were written by myself.

Posted by Jacob2011, 03-25-2015, 05:11 PM
The hard drive is pretty slow; when cPanel is backing up files, it causes high iowait for several hours. I had to change the backup frequency from daily to weekly and exclude many folders.

Posted by Jacob2011, 03-25-2015, 05:15 PM
I agree with you, I'll remove WordPress entirely from the new server. Thanks for suggesting maldet, but if I install it, I think the iowait will become even higher.

Posted by hostcurator, 03-26-2015, 11:06 AM
Hi, WordPress is the best ever simple CMS. The main thing you have to make sure of while using the WordPress CMS is that WordPress is updated to the latest stable version and that all plugins and themes are downloaded from authentic websites. It will be great if you test plugins and themes in detail before deploying them to the live server. Malicious plugins and themes are the main cause behind WordPress hacks. There are chances they contain silent self-executing bash shells.

Posted by eth00, 03-26-2015, 11:28 AM
On top of that, make sure the theme plugins are up to date. The Revolution Slider plugin has at least one very nasty vulnerability that is being hit hard right now. The themes which bundle it don't always upgrade it, leading to the belief that WP is fully updated when it is in fact not.

Posted by liamraystanley, 03-27-2015, 01:19 AM
On top of this, if iodelay or slow disks make maldet scans disconcerting, you can always schedule maldet to run daily (say, 3am, or when web traffic or load isn't at its peak), and set maldet to:
- only check files updated within the last 2 days (even if the cron gets missed, this will ensure everything gets scanned);
- email the results (and only email them if it finds anything pertinent);
- automatically quarantine the files so they are inaccessible and immutable;
- ensure that maldet is running the clamscan/clamav binary. This will find quite a few more results with this binary.

On the same subject as the original topic, you should also note that there is nothing wrong with a 0-byte file. Determining where it came from, whether it was arbitrarily put there or not, and by whom, would very well pose a solution to your concerns. If this ever does happen again, the first thing you should do before making any name changes, modifying the file, or deleting it, would be to stat the file. It's as simple as "stat ", however if it isn't easy or you can't type the name, you can always use the below:

Once this is done, note it down, then make the file immutable, or rather inaccessible and non-executable, by setting the file to a mode of 000 with the following:

or disable every file within that directory:

Sometimes it's common to see files whose filename you won't be able to replicate if special but non-visual characters are used. If the technician that did this for you saw this, he may have needed to remove the file by the inode number. If you have any form of WordPress installed on your server, a daily maldet scan is recommended, because you can almost guarantee that you'll eventually get someone injecting obfuscated PHP because of a plugin vulnerability. If it's really concerning you though, and you haven't wiped or reset your system yet, you may also want to run an rkhunter scan on the server.
Rkhunter will check system binaries for common exploits, or even any modified binaries at all, any oddly bound ports or processes, and other useful information. The last bit of advice I could give would be to set up ConfigServer Firewall, which is the best I've found so far for security-related protection. Automated bans if someone is attempting to brute-force their way into many services like FTP, email, different web panels, SSH, etc. It provides handy notifications when someone gets blocked, and it also provides easy outbound firewall blocking, so in the event there is a malicious file, it's less likely to "phone home" on a random port. I can't brag about it enough; just look at the things it includes on their homepage: http://configserver.com/cp/csf.html Overall, you should be less concerned about this, and more concerned about other things.

Posted by minutesuae, 03-27-2015, 02:59 AM
You can hire an expert in securing servers.

Posted by SneakySysadmin, 03-27-2015, 03:26 PM
If you're doing 'ls', do an 'ls -ali', which will provide a directory listing including the inode of each file/directory. You can then take action on the files and directories using that inode number rather than the file or directory name, which can confuse your shell due to wildcard and escape characters. You can also use "mc" (Midnight Commander), which is the GNU version of the old MS-DOS app "Norton Commander". Think of it as a text-based Windows Explorer interface. Using MC you can navigate to directories and view files regardless of how weirdly the intruder named things to try and hide them from you.
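The two posts above (stat the file before touching it, set it to mode 000, then act on it by inode because the name may contain characters you cannot type) can be tried end to end with the script below. It is an added example, written for this page and not posted by either of them, and it assumes GNU coreutils/findutils on Linux (the `stat -c`, `-mindepth`/`-maxdepth` and `ls -b` options). It constructs its own sample directory containing a zero-byte file whose name is a single carriage return, the same kind of name that shows up as "\r" in a listing, so nothing on a real server is touched. The maldet and chattr +i steps are not reproduced; a comment marks where chattr would go.

```shell
#!/bin/sh
# Added example: locate, record, lock and remove a file with an untypeable
# name by inode number. Assumes GNU coreutils/findutils (Linux).
set -eu

# make_demo DIR: builds constructed sample data, a normal file plus a
# zero-byte file whose name is a lone carriage return (0x0d).
make_demo() {
    mkdir -p "$1"
    : > "$1/index.html"
    cr=$(printf '\r')          # \r is not a newline, so $() keeps it
    : > "$1/$cr"
}

# odd_inodes DIR: one inode per entry directly inside DIR whose name holds a
# byte outside printable ASCII (space..tilde). The -name argument is a shell
# glob, and the entries are printed with ls -di so the inode is field 1.
odd_inodes() {
    find "$1" -mindepth 1 -maxdepth 1 -name '*[! -~]*' -exec ls -di {} + |
        awk '{ print $1 }'
}

# stat_by_inode DIR INODE: record the metadata before changing anything.
# %N quotes the name, so the carriage return is shown escaped, not raw.
stat_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" \
        -exec stat -c 'inode=%i mode=%a owner=%U:%G mtime=%y size=%s name=%N' {} +
}

# mode_by_inode DIR INODE: current permission bits in octal (000 prints as 0).
mode_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec stat -c '%a' {} +
}

# lock_by_inode DIR INODE: make the file unreadable and non-executable.
# As root you could add "chattr +i" here to make it immutable as well.
lock_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec chmod 000 {} +
}

# remove_by_inode DIR INODE: delete by inode, never by typing the name.
remove_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -exec rm -f {} +
}

demo() {
    dir=$(mktemp -d)
    make_demo "$dir"
    echo "Listing with inodes (-i) and escaped names (-b):"
    ls -alib "$dir"
    for ino in $(odd_inodes "$dir"); do
        echo "Suspicious entry, inode $ino:"
        stat_by_inode "$dir" "$ino"
        lock_by_inode "$dir" "$ino"
        echo "mode after lock: $(mode_by_inode "$dir" "$ino")"
        remove_by_inode "$dir" "$ino"
    done
    echo "After removal:"
    ls -ali "$dir"
    rm -rf "$dir"
}

# Run as: sh inode_cleanup.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```

Record the `stat` output (owner, mode, mtime) before locking or removing anything; the owner and timestamp are what tell you which account and which log window to look at, and they are lost once the file is gone.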

Posted by SneakySysadmin, 03-27-2015, 03:31 PM
Wow. No. These are not Windows machines; there is absolutely never any reason to do this with a *nix server when the intruder didn't get 'root'. Even then it's usually easier to clean up instead, and, far more importantly, blowing away the box just means you hide the problem rather than fixing it. Find out how the intrusion occurred, because without that you're just setting yourself up for having it happen again. And if it was a simple WordPress hack, well, first, welcome to the wonderful world of WordPress (how I loathe thee), and second, the clean-up will be relatively easy. "WordPress is an unauthenticated remote shell that, as a sometimes useful feature, also includes a blog."

Posted by liamraystanley, 03-27-2015, 03:59 PM
This is very correct. Rather than wiping away the current issue, find out why it happened in the first place, be it a poor password, software, etc. I work at a datacenter and get people that call in all the time asking to reboot the server to fix the issues they're seeing. I can't even, hah.

Posted by Jacob2011, 03-27-2015, 04:03 PM
Thank you very much. There are too many files uploaded by users on the server; it's impossible to check them all, since the hacker can hide a file in any folder. The file is located in the parent folder of that website, so I can't run chmod 000 to disable every file within that directory. I've reviewed my PHP files and found two of them that allow anybody to run any command, then modified them. In the past two days I've read 2 books about PHP security, and will make the necessary changes to my sites. I'll ensure that there are no obvious and easy-to-use vulnerabilities in the PHP files, and let the server provider harden LAMP. ConfigServer Firewall is already installed on the server, but it has no effect on this type of vulnerability.

Posted by Jacob2011, 03-27-2015, 04:05 PM
Thank you, the file has been deleted; otherwise I could have used the command you supplied to delete it!

Posted by Jacob2011, 03-27-2015, 04:13 PM
Yes, I'll find and fix the vulnerabilities first, otherwise even if I reinstalled the system, others could hack it again. I'll move all the files uploaded by users to another server, and only show them the files created by the server. The good news is that the hacker hasn't modified my program, so the websites are not affected now.
