
Awesome, switch to Plesk and get hacked in a wink...

Discussion in 'Plesk for Linux - 8.x and Older' started by RattleSn@ke, Feb 27, 2007.

  1. RattleSn@ke (New Pleskian)

    Hello,

    Stunned by the moment when I discovered that after I changed from Ensim to Plesk, my server got hacked, cracked or whatever within a few weeks...

    Looks like there are huge security holes in perl. The infection is (as I believe) the reason why I have huge amounts of traffic, about 4-5GB in just half an hour...

    As attachment, the malicious script / files which I discovered in /tmp.

    Has anyone else had this problem? And more interesting: how to get disinfected and stay like that?!?!?!

    Thanks!
    Onno.
     
  2. kram@ (Regular Pleskian, South Africa)

    securing /tmp &

    Hi there,

    I have been hit hard by scripts running rampant in /tmp.

    I did two things to help get my server back under my control so that I could spend the time to find the real hole and patch accordingly.

    1) edit /etc/php.ini
    change:
    allow_url_fopen = On
    to:
    allow_url_fopen = Off

    run: apachectl graceful

    reason: if allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in a PHP querystring. This happened to me time and time again with sites running JOOMLA.


    2) Secure the /tmp directory
    you can also go here: http://kb.swsoft.com/article_38_1410_en.html

    Securing /tmp

    The /tmp partition is one of the common places for script kiddies and crackers alike to place trojans or scripts. Because of that you should have the /tmp partition mounted noexec. First we need to check if your /tmp is secure.
    shell: df -h |grep tmp

    If that displays nothing then go below to create a tmp partition. If you do have a tmp partition you need to see if it mounted with noexec.
    shell: cat /etc/fstab |grep tmp

    If there is a line that includes /tmp and noexec then it is already mounted as non-executable. You will also want to check if /var/tmp is linked to /tmp.
    shell: ls -alh /var/ |grep tmp

    If it shows something to the effect of "tmp -> /tmp/" then you are ok. If not, go ahead and remove the old /var/tmp and replace it with a symlink to /tmp.
    shell: rm -rf /var/tmp/
    shell: ln -s /tmp/ /var/

    If you do not have any /tmp partition you will need to follow the directions below to create and mount a partition.

    Create a 190Mb partition
    shell: cd /dev/; dd if=/dev/zero of=tmpMnt bs=1024 count=200000

    Format the partition
    shell: mke2fs /dev/tmpMnt

    Make a backup of the old data
    shell: cp -Rp /tmp /tmp_backup

    Mount the temp filesystem
    shell: mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

    Set the permissions
    shell: chmod 1777 /tmp

    Copy the old files back
    shell: cp -Rp /tmp_backup/* /tmp/

    Once you do that go ahead and start mysql and make sure it works ok.
    If it does you can add this line to the bottom of the /etc/fstab to automatically have it mounted:
    /dev/tmpMnt /tmp ext2 loop,noexec,nosuid,rw 0 0

    While we are at it we are going to secure /dev/shm. Look for the mount line for /dev/shm and change it to the following:
    none /dev/shm tmpfs noexec,nosuid 0 0

    Unmount and remount /dev/shm for the changes to take effect.
    shell: umount /dev/shm
    shell: mount /dev/shm

    If everything still works fine you can go ahead and delete the /tmp_backup directory.
    shell: rm -rf /tmp_backup

    Hope that helps, I know I have not had further issues since then.
     
  3. DerFalk (Guest)

    Did you secure your Apache & Co. with mod_evasive or mod_security?
     
  4. amit290 (Basic Pleskian)

    Slightly off topic....

    What would it mean if I got
    mount: could not find any device /dev/loop#

    after running:
    mount -o loop,noexec,nosuid,rw /dev/tmpMnt /tmp

    after following the above instructions?
     
  5. execubob (Guest)

    We also got hacked. Trashed everything, even though I hired an expensive security management company to harden the server. Good thing I have a backup service.
     
  6. danliker (Silver Pleskian, Plesk Certified Professional, Switzerland)

    ask the "expensive security management company"
     
  7. atomicturtle (Golden Pleskian, Washington, DC)

    Are you guys astroturfing? You just said the same thing in two separate threads.
     
  8. modom (Guest)

    Hi,

    I followed your instructions to secure my server better but I'm not understanding how to change the fstab to noexec.

    This is my fstab file now:

    # This file is edited by fstab-sync - see 'man fstab-sync' for details
    LABEL=/1 / ext3 defaults,usrquota 1 2
    LABEL=/boot1 /boot ext3 defaults,usrquota 1 2
    none /dev/pts devpts gid=5,mode=620 0 0
    none /dev/shm tmpfs defaults 0 0
    none /proc proc defaults 0 0
    none /sys sysfs defaults 0 0
    LABEL=/tmp1 /tmp ext3 defaults,usrquota 1 2
    LABEL=SWAP-sda2 swap swap defaults 0 0

    How would I change the tmp to noexec?

    Thanks!
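As an added example (not code from the thread or from Plesk), a POSIX sh script that audits an fstab for the mount points kram@'s steps harden and, run over the fstab modom posted above, prints the /tmp and /dev/shm lines with noexec and nosuid added. The sample fstab is constructed from modom's post, and the list of mount points checked is an assumption.

```shell
# Added example, not from the thread: audit an fstab for the mount points kram@
# hardens (/tmp, /var/tmp, /dev/shm) and print a hardened line for any still
# missing noexec or nosuid. FSTAB_SAMPLE is constructed from modom's fstab.
FSTAB_SAMPLE='# This file is edited by fstab-sync
LABEL=/1 / ext3 defaults,usrquota 1 2
none /dev/shm tmpfs defaults 0 0
LABEL=/tmp1 /tmp ext3 defaults,usrquota 1 2
LABEL=SWAP-sda2 swap swap defaults 0 0'

# has_opt OPTS NAME: succeed if comma-separated OPTS contains exactly NAME
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# harden_opts OPTS: print OPTS with noexec and nosuid appended where missing
harden_opts() {
    opts=$1
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || opts="$opts,$o"
    done
    printf '%s\n' "$opts"
}

# audit_fstab FSTAB_TEXT: for each /tmp, /var/tmp or /dev/shm entry lacking
# noexec or nosuid, print "<mnt> missing <opts> -> <hardened fstab line>".
# Returns 0 when every such entry is already hardened, 1 otherwise.
audit_fstab() {
    rc=0
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$mnt" in /tmp|/var/tmp|/dev/shm) ;; *) continue ;; esac
        missing=''
        for o in noexec nosuid; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        [ -z "$missing" ] && continue
        rc=1
        printf '%s missing%s -> %s %s %s %s %s %s\n' "$mnt" "$missing" \
            "$dev" "$mnt" "$fstype" "$(harden_opts "$opts")" "$dump" "$pass"
    done <<EOF
$1
EOF
    return "$rc"
}

audit_fstab "$FSTAB_SAMPLE" || echo 'remount the listed filesystems after editing /etc/fstab'
```

For a live check, pass the real file: audit_fstab "$(cat /etc/fstab)". An edited /etc/fstab entry takes effect only after a remount, e.g. mount -o remount /tmp.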
     
  9. Hal9000 (Guest)

    haha this thread is so funny :)
     