
Server rooted twice!

Posted by Ramex, 11-01-2010, 04:11 PM
Hello folks, I have one production server that has been rooted twice, although I reloaded it twice, upgraded the kernel to 2.6.18-194.17.4.el5 and updated glibc. I even installed mod_sec with good rules, tweaked the permissions and confirmed that none of the websites or resellers have shell or root access. My question is: does this kernel 2.6.18-194.17.4.el5 contain any security issue that gives root access to any user? How could I know that my glibc doesn't contain any security issue, and how do I update them? Thanks.

Posted by eth00, 11-01-2010, 05:16 PM
That is the latest kernel. Ksplice posted a tool that allows checking to make sure you are immune to the glibc exploit. Have you done anything else to try and see how they got root? What exactly were they doing once they did get root? You are not restoring SSH keys and have verified there are no backdoor accounts? If they got in a while ago they might still be getting in without having to re-root it, depending on what you restore and how.
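An added example for the checks eth00 is asking about (backdoor accounts, restored SSH keys); it is not code posted by anyone in this thread. The function names are mine, and every function takes a file or directory path, so it can be run against a mounted copy of the old disk (e.g. a tree under /mnt/old) as well as against the live system:

```shell
# Added example (not from the thread): post-reinstall account and key audit.
# Every function takes a path so it can be pointed at a mounted copy of a
# suspect disk or at constructed test data.

# Accounts with UID 0 other than root. An extra UID-0 account survives a root
# password change and is a classic leftover backdoor.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow entry has an empty password field: anyone who reaches
# a login prompt for them gets in without a password.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a real login shell, printed as "user:shell". After a reinstall
# this list should contain only root and the admin account(s) you created.
find_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "$1"
}

# Every authorized_keys entry under a home-directory tree, as "user: <key>".
# Compare against the keys you deliberately installed; an unknown key is a
# login that survives every password change.
list_authorized_keys() {
    homes="$1"
    for keyfile in "$homes"/*/.ssh/authorized_keys "$homes"/*/.ssh/authorized_keys2; do
        [ -f "$keyfile" ] || continue
        user=$(basename "$(dirname "$(dirname "$keyfile")")")
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$keyfile" \
            | awk -v u="$user" '{ print u ": " $0 }'
    done
}

# Run all checks against a system root (default: the live system, "").
# root's own home is /root, not under /home, so it is checked separately.
audit_accounts() {
    root="${1:-}"
    echo "== extra UID 0 accounts";  find_extra_uid0 "$root/etc/passwd"
    echo "== empty passwords";       find_empty_passwords "$root/etc/shadow"
    echo "== accounts with a shell"; find_shell_accounts "$root/etc/passwd"
    echo "== authorized_keys";       list_authorized_keys "$root/home"
    [ -f "$root/root/.ssh/authorized_keys" ] && \
        awk '!/^[[:space:]]*(#|$)/ { print "root: " $0 }' "$root/root/.ssh/authorized_keys"
    return 0
}
```

Source the file and run `audit_accounts` on the live box (needs root to read /etc/shadow), or `audit_accounts /mnt/old` against the mounted old disk to see what the attacker left behind before the reload.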

Posted by Ramex, 11-01-2010, 06:51 PM
Hello eth00, does that mean the latest kernel is secure? They cleaned the history and removed all bash and log files. I removed the HDD, installed a new one and reloaded a fresh OS. When I restore, I just restore a websites backup and confirm that there is no SSH login, shell access or root. After hours they rooted the server completely, although the kernel is updated and the glibc is updated. That makes me wonder how a normal user could get root! Maybe I updated it wrong; could you please tell me how to update glibc? Thanks.

Posted by woods01, 11-01-2010, 07:02 PM
Please post the IP and root password for help.

Posted by Ramex, 11-01-2010, 07:08 PM
Hello, thank you woods for your kidding reply, it's appreciated. Thanks.

Posted by Ramex, 11-01-2010, 07:36 PM
Hello again. When I checked the glibc as you said, I get no security issues (see http://www.ksplice.com/uptrack/cve-2010-3081):
$$$ Kernel release: 2.6.18-194.17.4.el5
$$$ Backdoor in LSM (1/3): checking...not present.
$$$ Backdoor in timer_list_fops (2/3): not available.
$$$ Backdoor in IDT (3/3): checking...not present
Any recommendation in advance! Thanks.

Posted by woods01, 11-01-2010, 08:30 PM
All kidding aside there are probably a number of things you could be doing. Do you run the CSF firewall? They have a great utility to test your security configuration.

Posted by Ramex, 11-02-2010, 06:16 PM
Could anybody get root even if the kernel is secure, and without any shell access or root access to any account? How could he use any website to root the server, although my glibc and kernel are updated? Also I checked all websites; none of them has any root or shell access. The server has been rooted for the 4th time now! Advice in advance please.

Posted by Mr Terrence, 11-02-2010, 06:24 PM
It all depends on what you have running on your server. Is it used for hosting? Is all software updated?

Posted by Ramex, 11-02-2010, 06:50 PM
Yes, this server is used for hosting and all software is updated.

Posted by petteyg359, 11-02-2010, 08:11 PM
There are a few major things that you haven't said you've changed.
1. Root password.
2. Your normal user password. (You'd better have a normal user. If you're always logging in as root or even have root login allowed in ssh you're just begging to be hacked.)
3. SSH keys, if ssh is configured to allow login via key instead of password.
If any of the above have not been changed, then all we can do is point and laugh when (not if) the server gets compromised again.
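An added example (not code from any poster here) for the sshd points petteyg359 raises: root login allowed over SSH and key versus password login, plus the AllowUsers restriction that comes up later in the thread. It reads the sshd_config path given as its argument, prints one line per weak or missing setting and returns the number of findings. The function names, the defaults it assumes for unset directives (OpenSSH of the CentOS 5 era: PermitRootLogin yes, PasswordAuthentication yes) and the sample configs in the usage are mine; Match blocks are not interpreted.

```shell
# Added example (not from the thread): sshd_config checker.
# Usage: sshd_audit /etc/ssh/sshd_config ; echo "findings: $?"

# Effective value of a directive: sshd takes the first uncommented occurrence,
# and directive names are case-insensitive. Empty output means "not set".
sshd_directive() {
    awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == n { print $2; exit }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

sshd_audit() {
    cfg="$1"
    findings=0

    # OpenSSH of this era defaults PermitRootLogin to yes, so "not set" is
    # weak. Log in as an ordinary user and escalate with su/sudo instead.
    v=$(lc "$(sshd_directive "$cfg" PermitRootLogin)")
    case "${v:-yes}" in
        no|without-password|forced-commands-only) ;;
        *) echo "PermitRootLogin is '${v:-unset}': set 'PermitRootLogin no'"
           findings=$((findings + 1)) ;;
    esac

    # Without AllowUsers/AllowGroups every account with a shell may log in,
    # including anything an attacker added or a customer's reseller account.
    if [ -z "$(sshd_directive "$cfg" AllowUsers)" ] && \
       [ -z "$(sshd_directive "$cfg" AllowGroups)" ]; then
        echo "no AllowUsers/AllowGroups: add 'AllowUsers <your-admin-account>'"
        findings=$((findings + 1))
    fi

    # Protocol 1 is obsolete; old builds may still offer "2,1" by default,
    # so insist on an explicit "Protocol 2".
    v=$(sshd_directive "$cfg" Protocol)
    if [ "$v" != "2" ]; then
        echo "Protocol is '${v:-unset}': set 'Protocol 2'"
        findings=$((findings + 1))
    fi

    # Key-only login stops brute forcing, and a password captured on a
    # compromised admin PC is then not enough on its own.
    v=$(lc "$(sshd_directive "$cfg" PasswordAuthentication)")
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}': install keys, then set 'PasswordAuthentication no'"
        findings=$((findings + 1))
    fi

    # Default is no; only an explicit yes is a finding.
    v=$(lc "$(sshd_directive "$cfg" PermitEmptyPasswords)")
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords is 'yes': set 'PermitEmptyPasswords no'"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

A stock config with `PermitRootLogin yes`, `PasswordAuthentication yes`, no AllowUsers and `Protocol 2,1` produces four findings; one with `PermitRootLogin no`, `AllowUsers adminacct`, `PasswordAuthentication no` and `Protocol 2` produces none. Changing the port (as Steven did) hides nothing from a port scan, so it is deliberately not counted either way.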

Posted by Ramex, 11-02-2010, 10:33 PM
Hello petteyg359, I have changed what you talked about. I want to ask: if all software is updated, what made the server rooted when I restored the backups, although I checked them after restoring? No root access, no shell access. Thanks.

Posted by M Bacon, 11-03-2010, 02:31 PM
What do you have? cPanel? Whether you have cPanel or not, you need to install a firewall and make sure that functions are disabled in PHP, and make sure that Brute Force Protection is enabled, binaries are disabled, and Chroot/RK Hunter is installed. Your SSH port should be different than 22, and of course more things... I would suggest you hire a server admin for around $30/month to take care of your problems. You can get rooted with your kernel and glibc up to date by not taking the above measures.

Posted by parky1, 11-03-2010, 02:52 PM
Have you checked your permissions on all files/folders?

Posted by TBradley, 11-03-2010, 03:47 PM
I would recommend installing CSF Firewall, it should help protect against this type of behavior. If it continues I would have someone that specializes in server security take a look.

Posted by rustelekom, 11-03-2010, 03:54 PM
Three possible situations: 1) Backdoor after reinstall: what reinstall are you using? Provided by the DC? Is the reinstall automatic? Done using KVM by you? 2) Serious root exploit (currently not known). 3) Are you on Windows? Maybe your PC is just infected by a keylogger?

Posted by Ramex, 11-03-2010, 05:46 PM
Hello rustelekom, the DC installed the OS; also the OS was installed manually 2 times. Kernel, glibc and all software updated, also all the security tweaks I think I did: less, firewall, mod_security with good rules, disabled functions, changed permissions, checked if there is shell or root access to any account, changed the SSH port, changed all website passwords, installed ClamAV and installed grsecurity. My PC on Windows XP is secure with updated KIS and Avira. As I have more than 55 servers' info and critical info, nothing repeated or happened at another server, it's just this one! Which makes me wonder. I contacted one security company and it secured and tweaked the security on the server, and it was rooted again yesterday. Now I contacted another one, rack911, and I hope it's solved, so I ask for any suggestion. Thanks.
Last edited by Ramex; 11-03-2010 at 05:49 PM.

Posted by rustelekom, 11-03-2010, 05:57 PM
Never seen anything like this case. I doubt there is a security hole in the basic system, though. BTW, how did you find out that the server was rooted, and what did the "hacker" do on your system? It looks to me like abnormal behavior for a hacker to waste his time just for fun (because a rooted server which is known to be rooted is useless in most cases). How about your other servers? Do they have a similar S/W set and are they located in the same DC?

Posted by petteyg359, 11-03-2010, 06:08 PM
Running two anti-virus applications at once means they're conflicting with each other and neither can actually do what they're supposed to. That's not secure.

Posted by guru4hosting, 11-03-2010, 09:41 PM
Did you reinstall the OS after you got rooted for the first time?

Posted by OLM | DavidG, 11-04-2010, 07:32 AM
You mentioned "when i restore i just restore a websites backup and confirm that there have no ssh login or shell acess or root". Before restoring web site backups on a hacked server, it is critical to carefully audit the web site content for any backdoors. Hackers could have left PHP (or other) Apache-level backdoors, which would provide them with unprivileged shell access on the server (even though SSH may be disabled). They could have also left local root-level backdoors within the web content, for instance via a suid root-owned binary.
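An added example (not code from DavidG or anyone else in the thread) of the audit he describes: checks to run over a restored site tree before it is served again, covering PHP-level backdoors and suid binaries left in web content, plus the world-writable directories that let them be dropped in the first place. The function names and detection patterns are mine, and the patterns are heuristics that can match legitimate code, so treat every hit as something to read, not as proof:

```shell
# Added example (not from the thread): audit a restored web root.
# Usage: audit_webroot /home/someuser/public_html

# setuid/setgid files under a web root. Site content never needs these; a
# setuid root binary in a site directory is a ready-made local root.
find_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# PHP files with constructs typical of web shells: code assembled at run time
# from encoded strings, or request parameters fed straight into command
# execution. "No match" is not an error, hence the trailing ":".
find_suspicious_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
        -exec grep -lE \
            -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
            -e '(system|passthru|shell_exec|exec|popen|proc_open)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)' \
        {} + 2>/dev/null || :
}

# PHP code hiding in files that should not contain any (images, text). A
# permissive handler or an .htaccess AddType can make these executable.
find_php_in_nonphp() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \
                         -o -name '*.png' -o -name '*.txt' -o -name '*.ico' \) \
        -exec grep -lF '<?php' {} + 2>/dev/null || :
}

# World-writable directories: anywhere the web server process (or any local
# user) can drop a file. Reset these to 755 or tighter after restoring.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Run everything over one web root and label the sections.
audit_webroot() {
    root="$1"
    echo "== setuid/setgid files";       find_setuid_files "$root"
    echo "== suspicious PHP";            find_suspicious_php "$root"
    echo "== PHP tags in non-PHP files"; find_php_in_nonphp "$root"
    echo "== world-writable dirs";       find_world_writable_dirs "$root"
}
```

Run it against the backup archive unpacked into a scratch directory, not against the live document root, so nothing in it is reachable through Apache while you read the results.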

Posted by Ramex, 11-08-2010, 05:26 PM
The server got rooted again now, even though I used CSF and got a very professional security admin on the server to do the security and check the websites; then the server was rooted again. Also I reloaded my PC and changed all info from a clean and secure PC. Any suggestion?

Posted by parky1, 11-08-2010, 05:28 PM
Who did you use to check the security on the server?

Posted by Ramex, 11-08-2010, 05:42 PM
rack911, Steven. He is a totally professional admin. After his tweaks the server was rooted twice, even though I reloaded my PC OS and secured it with updated KIS. Thanks.

Posted by rustelekom, 11-08-2010, 06:19 PM
I would recommend not logging in as root for some time (a month at least). Seriously, it is unbelievable that server software can be rooted so frequently. Even if a hacker has a local account on your server it is not so easy to get root privileges.

Posted by M Bacon, 11-08-2010, 07:12 PM
We have been in business for a few but have never gotten hacked. We do our security ourselves. I suggest that you get a different management company or a different provider with management. You have to do a lot to secure your server. Doing it quickly is prone to mistakes.

Posted by Dedicated guru, 11-08-2010, 07:50 PM
0day exploits always exist!! We were in a similar case a few days ago: a hacker broke into our secured system and left a message in the motd file. Sounds like a 0day/private exploit in the wild! This does not mean you are secure!

Posted by Steven, 11-08-2010, 08:02 PM
The security on his server has not been done quickly. We have tried a variety of things. As a test I have done a few things. For the most recent attack we had set up his ssh on a random port in a very high range and set up sshd to only allow the non-root secondary username to log in, and it was logged into by an unknown party. I am fairly sure he has some kind of compromise on his end. I am suggesting to the user that he not have any form of login for the server so we can rule that out.

Posted by M Bacon, 11-08-2010, 08:34 PM
You're right. It could be a member of his staff that caused it. I suggest he and his staff not log in until you can rule that out.

Posted by Ramex, 11-08-2010, 09:31 PM
I'm totally sure my PC is safe, running with updated KIS and some malware checker. Also I have more than one server and critical info belonging to my biz, and the problem never happened at any other server. I reloaded my PC twice and formatted it and never logged in even to my MSN, also changed my e-mail password, and only after reloading my PC did I log in to SSH and start restoring the websites, after Steven told me that it's secure. The problem is not from my PC, and no one else knows the login info except Steven, so I think it's a server security hole! Thanks.

Posted by petteyg359, 11-08-2010, 09:44 PM
Do you have some kind of WGA crack in Windows? Do you have "nulled" forum software? Any kind of crack may have a back door. Is the server in a reputable datacenter where no malicious employee might have physical access for exploitation?

Posted by Ramex, 11-08-2010, 09:49 PM
Nope, I didn't have any nulled forum or WGA. Thanks.

Posted by Ramex, 11-08-2010, 09:52 PM
How could I check that? Thanks.

Posted by TBradley, 11-08-2010, 10:56 PM
May I ask who you hired to do a security audit? They should have done this for you!

Posted by Ramex, 11-08-2010, 11:03 PM
Steven, rack911.com. Thanks.

Posted by Dedicated guru, 11-08-2010, 11:31 PM
Maybe it's not your PC. Another famous attack method is the man-in-the-middle attack: a hacker can always sniff the traffic across the network that is coming into the server (sniffer pointed at the server IP). Be sure to always log in to WHM or whatever control panel using the encrypted port (2087 for WHM) so the attacker cannot get the root password as clear text, as SSH is encrypted. Good luck.

Posted by petteyg359, 11-09-2010, 12:14 AM
People might be able to provide much better assistance if you described what the server is running, and how you access it. Linux or Windows? Web server (Apache, lighttpd, nginx, or something else) or database server (MySQL, Postgres? open ports, or tunneled (ssh) file system and a socket?) or something else? Running a forum (vB or IPB or phpBB or SMF) or CMS (Joomla or Drupal)? If you're running PHP, is it mod_php, FastCGI, suPHP, or what? Running some other language (Python or Ruby)? What application do you use to connect to your server? Are you using SSH and SCP, or FTP? If FTP, are you using SSL? If not, your passwords may be intercepted every time you use FTP.

Posted by Steven, 11-09-2010, 01:31 AM
Already checked for suid binaries in user content.
Last edited by Steven; 11-09-2010 at 01:35 AM.

Posted by Steven, 11-09-2010, 01:32 AM
His datacenter does 'modify' the OS with their own 'security' tweaks on deployment. I've asked him to see if the datacenter can install a clean CentOS 5 installation.

Posted by Steven, 11-09-2010, 01:46 AM
One of the first things I do is force whm/cpanel to use ssl ports.

Posted by Patrick, 11-09-2010, 02:10 AM
Have you reinstalled Windows XP from scratch, enabled a firewall, then done every single update? Are you behind a router of some sort, you know, a Linksys or D-Link? I mean, you have to reinstall. From scratch. You cannot just update and rely on AV scanners at the moment. In cases like this, especially where the server was reinstalled and rooted again, the problem almost always lies with the user's computer. Perhaps someone has a backdoor or a key logger on your Windows XP machine. Sounds like a mess, but unfortunately I would focus on your own PC before logging into that server again...

Posted by Patrick, 11-09-2010, 02:14 AM
I forgot to ask but are all of your applications legit? One of the most dangerous things you can do is download Windows from some random torrent or download site, or Norton Internet Security etc. I'm not accusing you of this, but that's a huge avenue to get a backdoor deep in the computer...

Posted by Steven, 11-09-2010, 05:25 AM
Should be interesting. Doing remote syslog logging to my logging server. I installed grsecurity (it was compromised both with a grsecurity kernel and without) with exec logging enabled. Hopefully we come up with something doing it this way. With the remote logging, we'll be able to have a copy of the logs that the attacker deletes.

Posted by spykee, 11-10-2010, 11:56 AM
What are the services running on your box? The other day I was also rooted and found out it was because of a proftpd vulnerability - http://lists.grok.org.uk/pipermail/f...er/077281.html

Posted by Steven, 11-10-2010, 11:58 AM
He does not have proftpd.

Posted by kevinnivek, 11-11-2010, 02:25 PM
If you haven't already, format the rooted box.


