

Security at our webserver




Posted by magnar, 11-25-2010, 09:01 PM
Hi,

We recently got files deleted below the www folder at our server, and they also deleted one of the main administrator profiles in our CMS solution. I then wonder how they managed this? I am NOT a server technician, but I want to learn how to secure down the server as well as possible. This was a commercial CMS solution for a social community, www.boonex.org and Dolphin, and I have gotten info that it has a lot of DB exploits (whatever that should mean).

My questions are as follows:
1) Can a hacker read the WHOLE file and folder structure at any webhotel they want?
2) Can they run SQL injections against the MySQL system at the server and alter/change data in the tables, i.e. delete rows, etc.?
3) Can they read files that aren't CHMODed correctly? Our config file was CHMOD 644. I have now set CHMOD on this to 400.
4) Are there ways to check EVERY command that was "commanded" via SSH in log files at the server?

We didn't use the standard username "admin" as the name of the admin user, and they changed this password also. So they probably knew the login to phpMyAdmin (via cPanel) or used SQL injections to get it...

NB. They only deleted that specific admin account (which was the name of one of our admins), so I am sure the server is hacked. Any own theories on this...? Excellent if you want to answer my questions so I understand more of this. And help me clarify if this was caused by an external hacker or an insider that knew the login to our webhotel. Only the ISP and one of our admins (that I consider to be faithful) had admin access to the server.

Posted by larwilliams, 11-25-2010, 10:37 PM
It could have been anything, but it sounds unlikely that it was an SQL injection, as those are mainly intended to steal database information (such as a dump of the database or such) or bypass security features in a web site itself. Are you using Apache as your web server? It is running under user "nobody" (a bad idea for security). chmod 0644 for files and 0755 for files is relatively safe. As for SSH, check out /var/log/secure. It may give some clues as to what happened. Given that the hacker was able to delete a system user, I would think they got into the root account because of a weak password, or one of the PCs you guys use is infected with a trojan that got the password somehow.

Posted by cpanellover, 11-26-2010, 02:22 PM
Hi, deleting a user with administrative privileges in a server-side application (e.g. PHP) does not necessarily mean they have your root password. Most likely it was an exploit like SQL injection or CSRF (Cross-Site Request Forgery). You could try looking at the .bash_history files, which contain every command executed on the server, but a smart hacker knows that and deletes his tracks...

Posted by larwilliams, 11-26-2010, 04:30 PM
I doubt that would be possible unless they found an escalation exploit in MySQL, as it doesn't run as root.

Posted by jankocharlie, 11-28-2010, 03:37 AM
Make sure there are no folders or files with 777 permissions. Also ensure that dangerous PHP functions like exec are disabled, as I have seen many websites/servers destroyed using these commands. Check /tmp, ensure it's free of executables, and set up /tmp as noexec.
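The three checks in the post above, written out as an added example (not code from the thread or from Dolphin): it walks a web root for anything writable by "other", lists executables in a tmp directory, reads disable_functions out of php.ini text, and looks for the noexec option on the /tmp mount in /proc/mounts-style text. The sample tree, php.ini fragment and mount lines are constructed for the demo, and the list of functions beyond exec is an assumption.

```python
import os
import stat
import tempfile

# Functions this audit treats as dangerous. The post names only exec; the
# others are an assumption typical of a shared PHP host's disable_functions.
DANGEROUS_PHP_FUNCTIONS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}


def find_world_writable(root):
    """Paths under root (files and dirs) writable by 'other', i.e. the 777/666
    cases. Returned relative to root, sorted."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits mean nothing; audit the target
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def find_executables(root):
    """Regular files under root with any execute bit set; on /tmp this should be empty."""
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & exec_bits:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def php_functions_still_enabled(php_ini_text):
    """Parse disable_functions from php.ini text and report which dangerous
    functions it fails to list. The last occurrence wins, as in PHP."""
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts an ini comment
        key, sep, value = line.partition("=")
        if sep and key.strip() == "disable_functions":
            disabled = {f.strip() for f in value.split(",") if f.strip()}
    return sorted(DANGEROUS_PHP_FUNCTIONS - disabled)


def tmp_is_noexec(proc_mounts_text, mountpoint="/tmp"):
    """True only if mountpoint is listed with the noexec option. A /tmp that is
    merely a directory on / is not a separate mount and is reported as False."""
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "noexec" in fields[3].split(",")
    return False


# Constructed sample inputs for the demo (not taken from any real server).
SAMPLE_PHP_INI = """\
; constructed php.ini fragment
disable_functions = passthru,shell_exec,system
expose_php = Off
"""
SAMPLE_MOUNTS_WEAK = "/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0\n"
SAMPLE_MOUNTS_HARDENED = "/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0\n"


def build_sample_tree():
    """Throwaway tree: www/ with a 777 cache dir and file plus a 400 config,
    and tmp/ holding an executable. Modes are set explicitly so the result
    does not depend on the umask. Returns (www_path, tmp_path)."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    www, tmp = os.path.join(root, "www"), os.path.join(root, "tmp")
    os.makedirs(os.path.join(www, "cache"))
    os.makedirs(tmp)
    for rel in ("www/cache/x.php", "www/config.php", "tmp/.x"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    os.chmod(www, 0o755)
    os.chmod(os.path.join(www, "cache"), 0o777)
    os.chmod(os.path.join(www, "cache", "x.php"), 0o777)
    os.chmod(os.path.join(www, "config.php"), 0o400)
    os.chmod(tmp, 0o1777)
    os.chmod(os.path.join(tmp, ".x"), 0o755)
    return www, tmp


if __name__ == "__main__":
    www, tmp = build_sample_tree()
    print("world-writable under www:", find_world_writable(www))
    print("executables in tmp:", find_executables(tmp))
    print("dangerous PHP functions left enabled:", php_functions_still_enabled(SAMPLE_PHP_INI))
    print("/tmp noexec:", tmp_is_noexec(SAMPLE_MOUNTS_WEAK), tmp_is_noexec(SAMPLE_MOUNTS_HARDENED))
```

On a real host point the walkers at the actual web root and /tmp and feed them the contents of php.ini and /proc/mounts; a tmpfs /tmp gets noexec from a line such as `tmpfs /tmp tmpfs defaults,noexec,nosuid,nodev 0 0` in /etc/fstab, and disable_functions in php.ini must list exec and its relatives for the PHP check to come back empty.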

Posted by jlkinsel, 11-29-2010, 04:17 PM
Greetings, Magnar -

So, you're running software that you know (or have "heard") has a bunch of DB exploits, and you're surprised you have been compromised? With most systems, once I have SQL injection capabilities, and I'm familiar with the software you are running, I can modify data so I have administrative access. Once I have administrative access to a CMS, I can usually escalate that access to get shell access to the system. Game over. But, even without the CMS - if you're running an application that I can find a SQL injection vulnerability in, this means I can write to your hard drive. The next problem is how do I execute the file that I'm writing to. If I can figure that out, in most cases it is once again game over. This obviously isn't easy; it depends on the skill and patience of the attacker you're up against.

Config files - if permissions are not set right, and that file can be served out by the web server... I think you have your answer?

Ways to check every command - by default, no. People over the years have written patches for bash/tcsh that force every command to be logged. Get a setup like that, and log to syslog on another host (bash_history or syslog on the same host is pointless if I compromise your box). There are some other ideas out there that will log all keystrokes, which may or may not be more useful.

Also, keep in mind: has your admin accessed your site from a coffee house over wifi? If so, and it wasn't over https/ssl, again you're sitting wide open...

Hope this helps somewhat. I haven't given any clear answers, but hopefully something for you to think about.

John
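The path John describes, "modify data so I have administrative access", and magnar's question 2 about altering or deleting rows, shown as an added example (not code from the thread or from Dolphin). It uses an in-memory SQLite table as a stand-in for the CMS's MySQL users table; the table layout, user names and the password-change and profile-delete endpoints are assumptions, and passwords are stored in clear only to keep the demo short.

```python
import sqlite3


def setup_db():
    """Constructed sample users table: one admin, one ordinary member."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("siteadmin", "s3cret", "admin"), ("alice", "alicepw", "member")],
    )
    conn.commit()
    return conn


def change_password_vulnerable(conn, user_id, new_password):
    """The pattern behind most 'DB exploits': request parameters pasted into
    the SQL string. The WHERE clause is under the attacker's control."""
    sql = "UPDATE users SET password = '%s' WHERE id = %s" % (new_password, user_id)
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the demo can show what actually ran


def delete_profile_vulnerable(conn, user_id):
    """Same flaw on a delete endpoint: the row that goes is whatever the
    injected condition selects, not necessarily the caller's own profile."""
    conn.execute("DELETE FROM users WHERE id = %s" % user_id)
    conn.commit()


def change_password_safe(conn, user_id, new_password):
    """Hardened form: reject a non-numeric id, then bind both values as
    parameters so the driver never lets them alter the statement."""
    if not str(user_id).isdigit():
        return False
    conn.execute("UPDATE users SET password = ? WHERE id = ?", (new_password, int(user_id)))
    conn.commit()
    return True


def login(conn, username, password):
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?", (username, password)
    ).fetchone()
    return row[0] if row else None


def takeover_demo():
    """alice (id 2, role member) sends an id of "2 OR role = 'admin'": the
    UPDATE now matches the admin row too, and she logs in as siteadmin with
    the password she chose. The safe endpoint refuses the same input."""
    payload = "2 OR role = 'admin'"
    conn = setup_db()
    before = login(conn, "siteadmin", "pwned")
    change_password_vulnerable(conn, payload, "pwned")
    after = login(conn, "siteadmin", "pwned")

    conn2 = setup_db()
    accepted = change_password_safe(conn2, payload, "pwned")
    return {
        "before": before,                       # None: admin not yet affected
        "after": after,                         # "admin": takeover succeeded
        "safe_rejected": not accepted,          # True: hardened form refused it
        "admin_intact": login(conn2, "siteadmin", "s3cret"),  # "admin": untouched
    }


def deletion_demo():
    """The symptom from the original post: only the admin profile vanishes.
    An id of "0 OR username = 'siteadmin'" matches no own row, just the admin's."""
    conn = setup_db()
    delete_profile_vulnerable(conn, "0 OR username = 'siteadmin'")
    return [r[0] for r in conn.execute("SELECT username FROM users ORDER BY id")]


if __name__ == "__main__":
    print(takeover_demo())
    print("users left after injected delete:", deletion_demo())
```

Python's sqlite3 refuses a second statement in one execute() call, so the classic `; DROP TABLE` tail is not shown; the point is that a single injectable UPDATE or DELETE is already enough to seize or remove an admin account, which matches what magnar saw. The "write to your hard drive" step John mentions is MySQL-specific: `SELECT ... INTO OUTFILE` writes a file as the mysqld user, which needs the FILE privilege and is constrained by the secure_file_priv setting, so the CMS's database account should have neither FILE nor more than the CRUD rights its tables need.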


