

My server has been hacked again. Please Help me!




Posted by natik, 11-21-2009, 01:31 PM
Hi there, I had my server hacked. I found this script that was run as root:

#!/usr/bin/perl
# Data Cha0s Perl Connect Back Backdoor

How can I defend my server from this script (Back Connect Backdoor)?

Posted by NeilAgg, 11-21-2009, 01:42 PM
You have to figure out how the attacker was able to get into your server to install it in the first place. If you use FTP, they could have snooped a password since that is not secure.

Posted by 314Hosting, 11-21-2009, 01:45 PM
Is the data safe? The best thing is to re-install the OS and restore backup and secure your server.

Posted by e-Sensibility, 11-21-2009, 01:47 PM
natik, NeilAgg is right -- the primary problem is that someone had root credentials on your system; you need to look at a couple of things:
1. Is all of your software up to date?
2. Are you connecting to your server securely (i.e. using ssh instead of rsh, sftp instead of ftp)?
3. Has anyone you don't completely trust done "work" for you recently that involved you giving them root credentials?
At this point you're going to need to re-install your OS. There's no way for you to tell what that script kiddie might have done.

Posted by LVPSHosting, 11-21-2009, 02:25 PM
Yes, also check if you are using some weak passwords such as test, 12345, etc...

Posted by HOD-Jardin, 11-21-2009, 02:29 PM
RKHunter: scan for any rootkits. Download: http://www.rootkit.nl/secnet/

Posted by e-Sensibility, 11-21-2009, 02:43 PM
RKHunter is fine as a preventative tool, but once you know someone's had root on your machine for a while the only solution you should be looking at is a format and reinstall.

Posted by NeilAgg, 11-21-2009, 02:55 PM
I completely agree with this. Unfortunately, getting customers to understand and accept the need to do that is like pulling teeth. It's amazing, they think it can somehow be cleaned.

Posted by Nahneeno, 11-21-2009, 03:06 PM
If you are rooted you really need to be thinking about reinstalling and get a professional to help you keep it secure. Try rack911.com.

Posted by madaboutlinux, 11-21-2009, 03:56 PM
Your server is definitely rooted and cannot be cleaned up. The best way is to re-install the machine and apply some security tweaks. The most important is your kernel, which needs to be kept updated, as such rootkits are uploaded using a security hole in the kernel. You can then enable Apache suexec, PHP suexec, enable open_basedir, disable some PHP functions using which server-side commands can be executed, install CSF firewall, mount /tmp and /dev/shm with noexec,nosuid mode, and a few other important changes.
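
The /tmp, /dev/shm and PHP items in the post above can be checked rather than taken on faith. The script below is an added example for this page, not something from the thread or from any of the posters: it reads a mount table in /proc/mounts format (pass /proc/mounts on a live host; the copy embedded here is constructed) and a php.ini, and reports whether the two world-writable filesystems are separate noexec,nosuid mounts and whether the command-execution functions are in disable_functions. The set of PHP functions it checks for is my assumption of what "functions using which server side commands can be executed" means.

```shell
#!/bin/sh
# Added example (not from the thread): audit the /tmp, /dev/shm and PHP
# hardening recommended above. Reads a mounts table in /proc/mounts format so
# it can run offline against constructed data; use /proc/mounts on a real host.

# mount_has_opts MOUNTS_FILE MOUNTPOINT OPT...
# Returns 0 if MOUNTPOINT is a mount in MOUNTS_FILE carrying every OPT.
mount_has_opts() {
    mounts_file=$1; mountpoint=$2; shift 2
    # Field 2 is the mount point, field 4 the comma-separated option list.
    opts=$(awk -v mp="$mountpoint" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
    [ -n "$opts" ] || return 1          # not a separate mount at all
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# php_disables PHPINI FUNC...
# Returns 0 if every FUNC is listed in the disable_functions directive.
php_disables() {
    ini=$1; shift
    # Last uncommented disable_functions line, key stripped, whitespace removed.
    list=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
           | tail -n 1 | tr -d ' \t')
    for want in "$@"; do
        case ",$list," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit MOUNTS_FILE PHPINI -> 0 if every check passes, 1 if any gap is found
audit() {
    mounts=$1; ini=$2; rc=0
    for mp in /tmp /dev/shm; do
        if mount_has_opts "$mounts" "$mp" noexec nosuid; then
            echo "OK   $mp is mounted noexec,nosuid"
        else
            echo "FAIL $mp is not a separate noexec,nosuid mount"; rc=1
        fi
    done
    # Assumed list of functions that hand a shell to PHP code (not from the post).
    if php_disables "$ini" exec passthru shell_exec system popen proc_open; then
        echo "OK   php disable_functions covers the command-execution functions"
    else
        echo "FAIL php disable_functions is incomplete"; rc=1
    fi
    return $rc
}

# --- constructed sample data for a stand-alone run (not from a real host) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/mounts" <<'EOF'
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
EOF
cat > "$tmpdir/php.ini" <<'EOF'
; constructed php.ini fragment
disable_functions = exec,passthru,shell_exec,system,popen,proc_open
EOF

# In the sample, /dev/shm is mounted without noexec,nosuid, so the audit reports a gap.
audit "$tmpdir/mounts" "$tmpdir/php.ini" || echo "hardening gaps found"
```

The sample deliberately leaves /dev/shm without noexec,nosuid so the FAIL branch is exercised; on a live server the interesting output is the list of FAIL lines, each of which maps to one fstab or php.ini change.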

Posted by Deltrumweb, 11-21-2009, 04:28 PM
Do a reinstall and secure the server. The root access could have been caused by an exploit in a third party script and therefore, you need a security expert to assess where the server has been compromised.

Posted by jalapeno55, 11-22-2009, 12:18 AM
Re-installing the OS is probably the stupidest thing you can do.
1. Do not install, reinstall or delete anything from that drive.
2. List the current open files (lsof), current processes (ps aux), current open ports (netstat -lntp).
3. Pull the power cord out from the box (if possible, or have the datacenter do it). (If I hacked your box, I would just make a shutdown script logic that ran rm -rf / for run levels 0 or 6.)
4. Notify all your users that there has been a compromise. This is extremely important, especially if they are ecommerce sites. Notify your provider if necessary.
5. Make a forensic image of the drive (or have the datacenter do it) using the unix dd command, set the original drive in a safe place and ensure you maintain a chain of custody on it.
6. Go through the logs you have from Chkrootkit / Rootkit Hunter / Aide / Samhain / Snort / Integrit / Osiris or tripwire; if the logs are on the drive itself, look at them on the image you made.
7. Review the image of the compromised drive: was the OS/kernel current? Were all the packages up to date? What was in the world-writeable directories like /tmp, /var/tmp, /dev/shm? What services were running on the drive? What was the version of php, perl, etc.?
8. Look at the log files and logrotated files such as wtmp, secure, messages, firewall logs, setuid files, user shell histories, yum logs.
9. Document any hints, hunches, or gut feelings you have on how the box was hacked.
10. Only after your investigation and developing a plan to keep the box more secure should you install the OS on the new drive (the compromised drive should still be in a safe place), and only the user home data should be restored, and chowned to the user's username, prior to the server being live on the internet again.
I think you will see those 10 steps are a little bit better than just going straight to an OS reinstall.
Last edited by jalapeno55; 11-22-2009 at 12:25 AM.
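
Step 2 of the list above is the part responders most often get wrong by running commands ad hoc and losing the output. The script below is an added example for this page, not from the thread or any poster: it captures the volatile state the post names (open files, processes, listening ports, plus login records) into an evidence directory, records which collectors were unavailable, and hashes every capture into a manifest so the copies can later be shown to be unaltered. It assumes GNU coreutils (sha256sum, mktemp) and skips any collector whose tool is not installed; the evidence directory it writes to in the stand-alone run is a scratch location, not a real case.

```shell
#!/bin/sh
# Added example (not from the thread): capture the volatile state from step 2
# of the post into an evidence directory and hash it. Read-only on the host;
# it writes only to EVIDENCE_DIR, which should be removable or remote storage,
# never the suspect disk.

# capture_volatile EVIDENCE_DIR
# Runs each collector whose tool exists, saves stdout/stderr per collector, and
# writes SHA-256 sums of every capture to EVIDENCE_DIR/MANIFEST.sha256.
capture_volatile() {
    evdir=$1
    mkdir -p "$evdir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    {
        echo "collected_at_utc=$stamp"
        echo "hostname=$(hostname 2>/dev/null || echo unknown)"
        echo "collector_uid=$(id -u)"
    } > "$evdir/00-context.txt"

    # name|command -- netstat -lntp is what the post names; ss is its modern equivalent.
    collectors='
processes|ps aux
openfiles|lsof -n -P
listening|netstat -lntp
listening_ss|ss -lntp
logins|last -a
who|who -a
'
    printf '%s\n' "$collectors" | while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        tool=${cmd%% *}
        if command -v "$tool" >/dev/null 2>&1; then
            # Run the collector with stdin closed so it cannot eat the list; keep its exit status.
            sh -c "$cmd" > "$evdir/$name.txt" 2> "$evdir/$name.err" < /dev/null
            echo "$name exit=$?" >> "$evdir/00-context.txt"
        else
            echo "$name skipped: $tool not installed" >> "$evdir/00-context.txt"
        fi
    done

    # Hash every capture; the manifest itself is excluded so it is not hashed into itself.
    ( cd "$evdir" && ls | grep -v '^MANIFEST' | xargs sha256sum > MANIFEST.sha256 )
}

# verify_evidence EVIDENCE_DIR -> 0 if every capture still matches its recorded hash
verify_evidence() {
    ( cd "$1" && sha256sum -c --status MANIFEST.sha256 )
}

# Stand-alone run against a scratch directory (constructed location, not a real case).
ev=$(mktemp -d)/evidence
capture_volatile "$ev"
verify_evidence "$ev" && echo "evidence captured and verified in $ev"
```

Re-running verify_evidence after any file in the directory changes returns non-zero, which is the property the chain-of-custody step in the post relies on; the same manifest approach applies to the dd image from step 5 (hash the image file and record the sum beside the drive's serial number).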

Posted by moneymen, 12-02-2009, 06:58 PM
Check all logins and see the IPs, and look for IPs that don't belong to you; that will help you determine how he got in. For example, if he got in. Also, like said above, don't forget to check the logs and look for traces of known attacks. After you find how he got in (exact place and type of attack), patch the code, remove malicious scripts, and change all of your passwords for a start...
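
The login review described above can be done with awk over the sshd entries in /var/log/secure. The script below is an added example for this page, not from the thread or any poster: it lists every source address with an accepted login, counts failed-password attempts per address so a brute-force burst that ended in a success stands out, and flags accepted logins from addresses that are not on an allowlist. The log lines and the allowlist are constructed for the stand-alone run; on a real host point the functions at the actual log file and your own list of known addresses.

```shell
#!/bin/sh
# Added example (not from the thread): review sshd logins in the syslog format
# of /var/log/secure. Sample data below is constructed, not from a real server.

# accepted_ips LOGFILE -> "count ip", most frequent first, for accepted logins
accepted_ips() {
    awk '/sshd\[[0-9]+]: Accepted / { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# failed_ips LOGFILE -> "count ip", most frequent first, for failed password attempts
failed_ips() {
    awk '/sshd\[[0-9]+]: Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
         END { for (ip in c) print c[ip], ip }' "$1" | sort -rn
}

# unknown_logins LOGFILE ALLOWLIST -> addresses with accepted logins that are not
# listed (one per line) in ALLOWLIST; exact, whole-line matching so 10.0.0.1 does
# not cover 10.0.0.10
unknown_logins() {
    accepted_ips "$1" | awk '{ print $2 }' | grep -vxF -f "$2" || true
}

# --- constructed sample data ---
work=$(mktemp -d)
cat > "$work/secure" <<'EOF'
Nov 21 03:10:01 server sshd[2211]: Accepted password for admin from 203.0.113.5 port 51022 ssh2
Nov 21 03:40:13 server sshd[2390]: Failed password for root from 198.51.100.77 port 40001 ssh2
Nov 21 03:40:15 server sshd[2390]: Failed password for root from 198.51.100.77 port 40001 ssh2
Nov 21 03:40:18 server sshd[2392]: Failed password for invalid user test from 198.51.100.77 port 40003 ssh2
Nov 21 03:40:21 server sshd[2394]: Failed password for root from 198.51.100.77 port 40005 ssh2
Nov 21 03:40:25 server sshd[2396]: Accepted password for root from 198.51.100.77 port 40007 ssh2
Nov 21 09:12:44 server sshd[3102]: Accepted publickey for admin from 203.0.113.5 port 51290 ssh2
EOF
printf '203.0.113.5\n' > "$work/allowlist"   # the administrator's own address

echo "== accepted logins by source =="
accepted_ips "$work/secure"
echo "== failed passwords by source =="
failed_ips "$work/secure"
echo "== accepted logins from addresses not on the allowlist =="
unknown_logins "$work/secure" "$work/allowlist"
```

In the sample, 198.51.100.77 fails four times and then succeeds as root by password, which is the pattern the post's "weak passwords" advice is about; the same three functions run unchanged over rotated copies (secure.1, secure.2) to see how far back the address appears.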

Posted by ksv2nash, 12-03-2009, 03:44 AM
Hello, you can secure your temp for future safety.

Step 1. Add the following scripts:

[root@server ~]# cat /scripts/rmtmp.sh
pushd /tmp;rm -r `ls -a | grep -v horde.log | grep -v 'clamav-' | grep -v cpbandwidth | grep -v 'logwatch.*' | grep -v .horde | grep -v PGSQL | grep -v logwatch | grep -v tmp | grep -v crontab | grep -v php | grep -v rpm | grep -v makewhatis | grep -v quota.user | grep -v impatt | grep -v cpanel | grep -v CPANEL | grep -v mt-throttle.db | grep -v sess | grep -v lost+found | grep -v mysql.sock`;popd

[root@server ~]# cat /scripts/rmshm.sh
pushd /dev/shm;rm -r `ls -a | grep -v horde.log | grep -v .horde | grep -v PGSQL | grep -v logwatch | grep -v tmp | grep -v crontab | grep -v php | grep -v rpm | grep -v makewhatis | grep -v quota.user | grep -v impatt | grep -v cpanel | grep -v CPANEL | grep -v mt-throttle.db | grep -v sess | grep -v lost+found | grep -v mysql.sock`;popd

Step 2. Add the following in the crontab:

* 19-23 * * * /scripts/rmtmp.sh >/dev/null 2>&1
* 0-17 * * * /scripts/rmtmp.sh >/dev/null 2>&1
* * * * * /scripts/rmshm.sh >/dev/null 2>&1


