Getting hacked Plesk - Joomla

obeone

Guest
I am getting hacked.

I have Plesk 8.2 and use Joomla.

The Joomla needs a writable temp folder, to save session save paths (for VirtueMart and for those logging into Joomla), as well as really a cache folder, which is currently not being used, while this is occurring.

The hack is someone uploading a *.tar.gz file, then it is extracted. In the folder is a bunch of files and folders, primarily an eggdrop application is being used.

This then allows files to be copied to my /tmp folder of the VPS root.

cmdtmp files are created in the /tmp folder as well.

They then upload very large *.avi files to this /tmp/.dev? folder which many others are downloading, which is dragging my VPS down tremendously.

I need the /tmp folder to be writable and executable, since I believe the psa-.... files need this /tmp folder fully open.

Any idea what is going on and how this can be fixed???

Thanks,
 
What do you mean by secure?

I guess I have not,

But Joomla needs it to be read/write/executable to log-in, etc.

But please let me know what you mean by secure.
 
If you would be interested in taking a look at my VPS, and setting up as described in the document, I will pay the price in the doc.

But, as it is currently set up, when I make the tmp files non-executable, I am not able to log into Joomla, and get error messages. So now they are set as fully open.

You can contact me at [email protected] if you would like to discuss this further.

I think you will see quite easily what is going on by looking at my VPS /tmp folder.

So, at this point I really am not sure what the damage is to my VPS. It may need to be wiped clean again.
 
This whole "Securing /tmp" business is completely ineffective. It hasn't ever worked, and won't do anything to stop a malicious attacker from executing whatever they want in /tmp (or anything else writable, like cache/ in this example). All you do is call an interpreter, like sh, perl, python, bash with the path to the script, i.e. perl /tmp/eggdrop. Please do us a f

Here's an example:

Noexec would stop this:
http://www.domain.com/app/appname.php?field1=chmod +x /tmp/foo.pl
http://www.domain.com/app/appname.php?field1=/tmp/foo.pl


Noexec will not stop this:
http://www.domain.com/app/appname.php?field1=perl /tmp/foo.pl

Note how this is not only going to work, but also involves fewer steps. It's much easier to automate this in a worm, or basic attack tool. This applies to /dev/shm, or any other directory you're attempting to "secure" by using the noexec flag. This works because the code is not really "executed" in /tmp, /dev/shm, or wherever. It's merely being read by something that is permitted to legitimately execute on the system, like /usr/bin/perl.


Good security is a process, start with knowing what you have:
1) Inventory your applications, so you know where your threats are, and fix them. I suspect you will find that the version of Joomla you are running is vulnerable to a Remote Inclusion attack. Upgrading Joomla will make this problem go away.
2) Implement input validation (mod_security and mod_filter are great tools for that). As mentioned, we have a great set of rules up on gotroot.com for this already.
3) Patch your box, stay on top of vendor updates. Check daily.
4) Test your security, there are a lot of free services out there that will do basic testing for you. Check out tools like nikto, nessus, and the application testing site: owasp.org.
5) Repeat
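As an added illustration of the two points made in the reply above (it is not the poster's code and not part of the thread), here is a small defender-side audit in Python. It reads /proc/mounts-style text to report which of noexec, nosuid and nodev a mount lacks, and walks a writable directory such as /tmp or a web app's cache/ for the indicators described earlier in the thread: dropped archives, cmdtmp files, hidden directories like .dev, large or media files, and interpreter scripts. The script scan deliberately ignores the execute bit, because `perl /tmp/foo.pl` needs neither the bit nor an exec-capable mount; that is exactly why the noexec flag on its own is not enough and the directory contents have to be inventoried as well (step 1 of the process above). The sample mounts text, the file names, the 50 MB threshold and the patterns are constructed assumptions, not data from the original poster's server.

```python
"""Audit a writable staging directory and the mount it lives on.

Hypothetical example; sample mounts text, file names and thresholds are constructed.
"""
import os
import re
import stat
import tempfile

# Indicators taken from the thread: a dropped *.tar.gz that gets extracted, cmdtmp
# files, a hidden /tmp/.dev directory and large *.avi files served out of it.
ARCHIVE_RE = re.compile(r"\.(tar\.gz|tgz|tar|zip)$", re.I)
MEDIA_RE = re.compile(r"\.(avi|mp4|mkv)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(pl|py|sh|php|cgi)$", re.I)
# Matches "#!/usr/bin/perl" as well as "#!/usr/bin/env python" style lines.
SHEBANG_RE = re.compile(rb"^#!\s*/\S*?(?:env\s+)?(perl|python|sh|bash|php)\b")
LARGE_BYTES = 50 * 1024 * 1024  # constructed threshold for "very large" files

# Constructed /proc/mounts content (not from any real server).
SAMPLE_MOUNTS = """\
/dev/root / ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/loop0 /tmp ext3 rw,noexec,nosuid,nodev 0 0
"""


def mount_options(proc_mounts_text, path):
    """Option set of the deepest mount point covering `path`.

    `proc_mounts_text` has the /proc/mounts layout: dev mountpoint fstype options ...
    """
    best = None
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt, opts = fields[1], fields[3]
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, set(opts.split(",")))
    return best[1] if best else set()


def missing_hardening(opts):
    """Which of noexec/nosuid/nodev the mount lacks (sorted for stable output)."""
    return sorted({"noexec", "nosuid", "nodev"} - set(opts))


def scan_dir(root, large_bytes=LARGE_BYTES):
    """Walk `root`; return (path relative to root, reason) findings.

    The execute bit is ignored on purpose: "perl /tmp/foo.pl" needs neither the
    bit nor an exec-capable mount, so names and file content are checked instead.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                rel = os.path.relpath(os.path.join(dirpath, d), root)
                findings.append((rel, "hidden directory"))
        for f in filenames:
            p = os.path.join(dirpath, f)
            rel = os.path.relpath(p, root)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and fifos
            if ARCHIVE_RE.search(f):
                findings.append((rel, "archive"))
            if f.startswith("cmdtmp"):
                findings.append((rel, "cmdtmp file"))
            if MEDIA_RE.search(f) or st.st_size >= large_bytes:
                findings.append((rel, "large/media file"))
            try:
                with open(p, "rb") as fh:
                    head = fh.readline(128)
            except OSError:
                head = b""
            if SCRIPT_EXT_RE.search(f) or SHEBANG_RE.match(head):
                findings.append((rel, "interpreter script"))
    return findings


def build_sample_tmp():
    """Create a throwaway directory mimicking the thread's /tmp (constructed data)."""
    root = tempfile.mkdtemp(prefix="tmp-audit-")
    os.mkdir(os.path.join(root, ".dev"))
    samples = {
        "foo.tar.gz": b"marker only, not a real archive",
        "cmdtmp0001": b"",
        "eggdrop.pl": b"#!/usr/bin/perl\nprint 'bot';\n",
        os.path.join(".dev", "movie.avi"): b"",
        "sess_abc123": b"joomla session data",  # legitimate PHP session file
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path in ("/tmp/.dev", "/dev/shm", "/var/www/cache"):
        print(path, "missing:", missing_hardening(mount_options(SAMPLE_MOUNTS, path)))
    for rel, reason in scan_dir(build_sample_tmp()):
        print(f"{reason:20s} {rel}")
```

On a live box you would feed `open("/proc/mounts").read()` to `mount_options` and point `scan_dir` at /tmp, /dev/shm and each writable application directory; the session file in the sample shows that legitimate Joomla temp files pass through without a finding, so the output is short enough to check daily alongside vendor updates.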