
Theories on how my server got hacked?

Posted by AdamD, 01-08-2013, 07:44 PM
I say theories, because the server has been wiped/reinstalled since, because we "thought" we had backups.

Server is a dedicated machine, running the latest CentOS 6, 64bit edition. cPanel/WHM are updated daily, with the release builds. CSF is installed, online and scores highly on the security test. I disable all non-essential services/programs, like webmail, mailman, and also apply the recommended security suggestions that CSF offers (apache restrictions, php base directory stuff etc). I run Apache as FastCGI, with SuExec. I run daily malware scans on the system, and have the reports emailed to me. I run cPHulk's protection, with email notification. We run various websites on the server, which include a large, 10 year old forum (running vB 4.2) and WordPress installations (all up to date).

Last night, the co-owner/sharer of the server asked me for the root password, as he'd misplaced it (I did verify it was him, before handing it over!). He lives in Denmark, I live in the UK. Half an hour after doing that, I got an email notification from cPHulk/CSF saying:

SSH login alert for user root from 192.211.51.59 (US/United States/-)

I was in bed, so missed the email. I got two more, in a half hour period. I was out all day today, so hadn't checked my emails. I got back home and at 8:15pm my time (tonight), another email, same IP, logged in again:

Root was logged into pam using following authentication service: system
Origin Country: United States (US)
Root Login from IP 192.211.51.59

I sat down at my desk at about 8:30 and noticed the forum was down, a missing index/forum.php file, which of course, rang alarm bells.

Tried to login to ssh, no connection, WHM wouldn't load either, the server then went offline. I had the host check it, most of it had been wiped, except for a single text file named x.txt, which contained the following: "hacked by Hmei7"

So I wasn't panicking at that point, because we had backups....or so I thought. We copy databases off site to an FTP server once every 3 hours. We also copy the daily cPanel backups off once a day, storing up to 31 days worth of backups and about 600 database backups. Turns out, this hacker? must've spent time examining our systems, because he or she logged into said FTP server and wiped it clean.

Of course, we don't have thousands of pounds to do data recovery, so we're trying to run GetDataBack for FAT, on a hard drive I have, which contained copies of said backups, from 5ish days ago.

But, if you were to theorize, how do you think they gained access? Only I and the other party had root access, neither would abuse said access, because we own sites on the server, sites which at this point, seem to be lost for good. My computer is free of trojans/viruses, as is the other party's, so I'm genuinely at a loss. Is it possible he/she was able to intercept it through MSN?

And yes, I know, we should be using public/private keys rather than password authentication, heh, it was at the other party's insistence we keep it "simple".....sigh.

Posted by TravisT-[SSS], 01-08-2013, 08:12 PM
There are a few ways that could have prevented access altogether even if they had the root password, but as far as how they got in, it could have been an exploit in the web app and from there they exploited a weak kernel. Backup wise, we recommend a PULL method, which is what we use for clients, where the backup server dials in and grabs the backups, thus leaving no access to the backup server. That keeps things safer. Your partner could have been hacked and the root password gained, or your network is being sniffed and watched, and MSN and several other services don't encrypt traffic. PS: Hopefully, you can retrieve the data. Last edited by TravisT-[SSS]; 01-08-2013 at 08:15 PM.
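The pull model described in the reply above, as an added example that is not code from the thread or from cPanel/CSF: the script runs on the backup server and reaches out to the production host, so the production host holds no credentials for the archive (the failure mode in the original post, where the FTP password stored on the server let the attacker wipe the off-site copies, cannot occur). Each run lands in a dated snapshot directory hard-linked against the previous one, and snapshots older than the retention period are pruned. Host name, remote path and the 31-day retention are assumptions.

```python
"""Pull-style snapshot backup runner (added example, not the thread's own tooling).

Runs ON the backup server.  rsync over SSH pulls /backup/cpbackup (assumed
path) from the production host into YYYY-MM-DD snapshot directories.  The
production host never authenticates to the backup server, so root on
production does not give an attacker the ability to delete this archive.
"""
import datetime as dt
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

RETENTION_DAYS = 31            # assumed; mirrors the ~31 daily copies kept in the thread
SNAPSHOT_FMT = "%Y-%m-%d"


def build_rsync_command(remote_host: str, remote_path: str,
                        dest: Path, previous: Optional[Path]) -> List[str]:
    """Return the rsync argv for one dated snapshot.

    --link-dest hard-links unchanged files against the previous snapshot, so a
    day costs only the delta on disk yet every snapshot is a complete tree.
    There is deliberately no --delete: if production has been wiped, today's
    snapshot is simply (nearly) empty and earlier snapshots are untouched.
    """
    cmd = ["rsync", "-a", "--numeric-ids", "-e", "ssh -o BatchMode=yes"]
    if previous is not None:
        cmd.append(f"--link-dest={previous}")
    cmd += [f"{remote_host}:{remote_path.rstrip('/')}/", f"{dest}/"]
    return cmd


def _parse_snapshot_name(name: str) -> Optional[dt.date]:
    try:
        return dt.datetime.strptime(name, SNAPSHOT_FMT).date()
    except ValueError:
        return None


def latest_snapshot(root: Path) -> Optional[Path]:
    """Most recent dated snapshot directory under root, or None."""
    snaps = sorted(p for p in root.iterdir()
                   if p.is_dir() and _parse_snapshot_name(p.name) is not None)
    return snaps[-1] if snaps else None


def prune(root: Path, today: dt.date, keep_days: int = RETENTION_DAYS) -> List[str]:
    """Delete snapshots older than keep_days; return the names removed."""
    removed = []
    for p in sorted(root.iterdir()):
        d = _parse_snapshot_name(p.name)
        if d is not None and (today - d).days > keep_days:
            shutil.rmtree(p)
            removed.append(p.name)
    return removed


def run_backup(remote_host: str, remote_path: str, root: Path,
               today: Optional[dt.date] = None, dry_run: bool = False) -> Tuple[List[str], List[str]]:
    """Pull one snapshot, then prune.  Returns (rsync argv, pruned snapshot names)."""
    today = today or dt.date.today()
    root.mkdir(parents=True, exist_ok=True)
    dest = root / today.strftime(SNAPSHOT_FMT)
    cmd = build_rsync_command(remote_host, remote_path, dest, latest_snapshot(root))
    if not dry_run:
        subprocess.run(cmd, check=True)
    return cmd, prune(root, today)


def demo(today: dt.date = dt.date(2013, 1, 8)) -> dict:
    """Self-check on a temporary archive with two constructed snapshots, one stale."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("2012-12-01", "2013-01-05"):     # constructed fixture directories
            (root / name).mkdir()
        cmd, removed = run_backup("web1.example.net", "/backup/cpbackup",
                                  root, today=today, dry_run=True)
        kept = sorted(p.name for p in root.iterdir())
        return {"cmd": cmd, "removed": removed, "kept": kept,
                "link_dest": f"--link-dest={root / '2013-01-05'}"}


if __name__ == "__main__":
    print(demo())
```

Pair this with a dedicated, read-only SSH key on the production host that is restricted to the rsync command, and keep the backup server itself off the production host's list of known credentials; the point of the design is that nothing readable from a rooted production box leads to the archive.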

Posted by UNIXy, 01-08-2013, 09:14 PM
He continues to scan/deface: http://www.zone-h.org/archive/notifier=Hmei7 I'm surprised that he took the time to inspect cpbackup.conf.shadow to grab the password and then FTP in to remove the backup files. It's just so time consuming when he's doing hundreds of websites a day.

Posted by KnownSRV, 01-08-2013, 10:04 PM
That is true. He is also in it just for zone-h score most likely, I don't see why he would waste time deleting his backups.

Posted by TravisT-[SSS], 01-08-2013, 10:29 PM
He probably has the entire process automated by now at the rate he is going. Grab root, run script, ???, profit.

Posted by yo_vulkov, 01-09-2013, 02:26 AM
Another way to prevent this hack next time is FAIL2BAN. It's a tool that reads multiple log files such as sshd, Apache, web server ones and bans IPs that show malicious signs - too many password failures, seeking for exploits, etc. Easy to install and run on everything: Suse, Gentoo, Debian, even =) MacOS, good luck
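The two detections that matter in this thread are the one fail2ban performs (repeated password failures from one IP inside a short window) and the one cPHulk/CSF actually fired here (a successful root login from an address nobody recognises). The script below is an added example, not fail2ban's code or the thread's, and reads CentOS 6 style /var/log/secure lines; the log lines, the allowlist and the thresholds are constructed for the demonstration.

```python
"""Minimal sshd log analyser (added example; not fail2ban, cPHulk or CSF code).

Two checks over /var/log/secure style lines:
  1. ban an IP after max_failures failed logins inside a sliding window
  2. alert on any successful root login from an IP outside an allowlist
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one brute-force burst, then two root logins.
# IPs are documentation ranges, not the address from the thread.
SAMPLE_LOG = """\
Jan  8 23:40:01 srv1 sshd[2101]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jan  8 23:40:04 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  8 23:40:09 srv1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Jan  8 23:40:15 srv1 sshd[2107]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan  8 23:40:22 srv1 sshd[2109]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan  8 23:41:30 srv1 sshd[2111]: Accepted password for root from 198.51.100.23 port 50222 ssh2
Jan  8 23:42:00 srv1 sshd[2113]: Accepted publickey for root from 10.0.0.5 port 50300 ssh2
Jan  8 23:42:10 srv1 sshd[2113]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

ROOT_ALLOWLIST = {"10.0.0.5"}      # assumed: the admins' known source addresses


def parse_line(line: str, year: int = 2013) -> Optional[Dict]:
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyse(lines, max_failures: int = 5, window: timedelta = timedelta(minutes=10),
            root_allowlist=()) -> Tuple[List[str], List[str]]:
    """Return (sorted banned IPs, alert messages in log order)."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # not an auth result line
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()         # drop failures that fell out of the window
            if len(q) >= max_failures and ip not in banned:
                banned.add(ip)
                alerts.append(f"BAN {ip}: {len(q)} failures within {window}")
        elif ev["user"] == "root" and ip not in root_allowlist:
            alerts.append(f"ROOT LOGIN {ip} via {ev['method']} at "
                          f"{ev['ts']:%Y-%m-%d %H:%M:%S} (not in allowlist)")
    return sorted(banned), alerts


def demo() -> Tuple[List[str], List[str]]:
    return analyse(SAMPLE_LOG.splitlines(), root_allowlist=ROOT_ALLOWLIST)


if __name__ == "__main__":
    banned, alerts = demo()
    print("banned:", banned)
    for a in alerts:
        print(a)
```

Note what the second check would and would not have caught in the thread's situation: a login with the correct password from an unexpected address is invisible to a failure counter, which is why the allowlist alert (or, better, disabling password logins for root in sshd_config) is the control that applies to a leaked credential rather than a guessed one.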

Posted by david510, 01-09-2013, 04:32 AM
It can also be that the customer's machine has been hacked. Also, if a machine where an ssh key has been installed is hacked, that is a reason.

Posted by Dr_Michael, 01-09-2013, 09:32 AM
These questions apply for both you and your partner:

1. Do you use a wifi internet connection? If yes, is it WEP or WPA protected?
2. How did you send the email? Using Outlook, webmail or something else?
3. Download and install this software: http://www.malwarebytes.org/products/malwarebytes_free/ Then perform a full scan of your computers. Did it find something?
4. When did you last change the WHM password? Was it strong or not? Was it randomly generated by WHM?

Good luck mates!

Posted by AdamD, 01-09-2013, 10:08 AM
Thanks all, a lot of questions still left to answer, so it is a mystery. I did have backups of three sites at least, although our 10 year old+ forum, sadly, doesn't look like it's coming back.

1) No wifi, both are wired
2) It was done via MSN (the instant messaging system)
3) Yea, I already ran that and Kaspersky on my machine, nothing to report. I'll have him do the same
4) Root password was changed...maybe a month ago and yes, it was randomly generated by WHM and it was 12 characters long.

Last edited by AdamD; 01-09-2013 at 10:14 AM.

Posted by Dr_Michael, 01-09-2013, 10:50 AM
You have never downloaded to your PC a backup during those 10 years? Let us know...

Posted by AdamD, 01-09-2013, 10:55 AM
Well, I say our, it was his forum, I originally owned it for 8 years, then sold it to him. He was happy to keep copies of the forum on his Synology NAS device, which was the one that got wiped.

Posted by Dr_Michael, 01-09-2013, 10:57 AM
It is always a good practice to keep backups of the sites on your PC and maybe burn DVD occasionally.

Posted by AdamD, 01-09-2013, 11:13 AM
I completely agree Michael. I actually have an external drive caddy on order so I could keep regular (at least weekly) backups of all sites here, offline, but it's not due to arrive till Friday. Talk about bad timing.

Posted by Ricjustsaid, 01-09-2013, 05:36 PM
Are you absolutely sure without a shadow of a doubt that the person you gave root to was really the co-owner? These guys are smart; they will scour the internet and get to 'learn' about their targets first, then SE their way to get what they want. How did you verify it was him?

Posted by Tina J, 01-09-2013, 06:11 PM
Logging into a server from an insecure server is one of the most common ways a server gets rooted. --Tina

Posted by gone-afk, 01-09-2013, 07:24 PM
The 192.211.51.59 IP seems to be on our network. If you send an email to abuse[at]inceronetwork[dot]com we will look into whether our customer has any knowledge of this (probably it's a resold VPS or proxy machine, rooted machine, or hacked wordpress running a shell, etc). Include as much info as possible and a link to this thread in your email. All contents will be forwarded on to the customer responsible for the IP on our network.

Posted by Appdeveloper, 01-09-2013, 08:12 PM
http://wordpress.org/support/topic/hacked-by-hmei7 I think your problem lies within your WordPress installation. I assume a plugin was exploited.

Posted by Patrick, 01-09-2013, 08:44 PM
While compromising WordPress can give an attacker access to the server, it won't give root. There is still another means that the attacker used to gain root access... whether compromised password or exploit.

Posted by AdamD, 01-11-2013, 09:06 AM
Yes. We've spoken several times since, so yes, I know it was and is him.
