Issue Got hacked maybe MySQL?

daanse

Regular Pleskian
Hi,

I recently described some problems with a hack on the Joomla forum: http://forum.joomla.org/viewtopic.php?f=714&t=926197

Just wanted to ask, if this username (please see screenshot) is normal for Plesk?
I believe the hacker comes in from MySQL, because he managed to send spam via SMTP today without infiltrating a site.
And it was the email account whose data is in the configuration.php of Joomla with 444 rights.
And this data, I think, is also stored in the database.
I checked users ..... and found this running user process, please see screenshot.
Is this normal, that it is not assigned to any database?
Also there are 27k aborted connections to DBs.
Maybe the one site which really had malware on it managed to get into the database?
On this site, the Super Admin password even was changed.

Thank you for any Advice
 

Attachments: Bildschirmfoto 2016-06-13 um 13.01.07.jpg
Is there any chance to run a command which pulls out from all logs?
i.e. # grep "some.ip.from.hacker" /../../..
?
 
Hi,
yes, I already viewed this article, thank you!
I know which email addresses are sending spam.
Problem is: it's some day in a week at 6-7 am, just for 40 minutes. The hacker randomly takes some email and sends spam.
The first site which got hacked is known.
After I cleaned everything and made some preventing tricks, the hacker is again sending spam.

The only common thing is my server / SASL login / SMTP data out of the Joomla config and so on...
 
Hi Daka Media KG,

Is there any chance to run a command which pulls out from all logs?

You could use:

find /var/log -type f -name "*log" -exec grep -i -H "STRING_THAT_YOU_WANT_TO_SEARCH_FOR" {} \;
find /var/www/vhosts/system -type f -name "*log" -exec grep -i -H "STRING_THAT_YOU_WANT_TO_SEARCH_FOR" {} \;

or/and if you would like to search in a compressed file:

zcat /var/log/logname.tar.gz | grep -a -i "STRING_THAT_YOU_WANT_TO_SEARCH_FOR"

The information you provided from forum.joomla.org and from this thread leads to several issues on your server, and I even guess that the "hacker" uses your postfix misconfiguration, which allows anonymous connections while using SASL. To avoid blacklisting of your IP(s), you really should follow the Joomla advice, or start to provide log files and the related configuration files, so people willing to help you can start investigations. At the moment, you are just digging in the dark, without concrete approaches to your root cause(s).
 
Sorry to butt back in...Do you have these entries in your /etc/postfix/main.cf...

Code:
## SASL
smtp_sasl_security_options = noanonymous,noplaintext
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous

Regards

Lloyd
 
@Daka Media KG

The following remark from your side

Problem is: its some day in a week at 6-7 am just for 40 Minutes. The Hacker randomly take some Email and sends Spam.

is a clue and potentially a hint that your server did not get "hacked", but that some code is present that runs on a schedule.

The usual suspects are

1 - mailing lists (easy to "crack"): to verify whether they are the culprit, just deactivate them and wait and see what happens
2 - WordPress plugins (often malformed, but not really malicious): just replace all mail related WP plugins by a SendGrid plugin (use SendGrid with the Swiftmailer library)
3 - a script that runs on a cronjob: if true, you should be able to find that script in the server's crontask list
4 - a script that runs on a cronjob via WordPress: rather difficult to detect, but you can verify this by disabling "Allow users and scripts to use Sendmail" in Mail server settings

and so on.

Finally, be aware of the fact that "randomly taking some email" (if this is true) implies that ALL (or at least almost all) mail accounts are compromised, which is rather unlikely.

That would really require some hell of a hack script and weeks/months of planning, even in the case they obtained direct access to the MySql databases.

So, it is pretty safe to say that you would be able to see some activity in logs, if such an elaborate hack attack was present and compromised your mail server and mail accounts.

I am pretty sure that there is a more obvious explanation, such as one of the "usual suspects" (see above) causing the undesirable behaviour.

Regards....
 
Hi,
no I haven't, sorry!
I inserted
Code:
## SASL
smtp_sasl_security_options = noanonymous,noplaintext
smtp_sasl_tls_security_options = noanonymous
into that file.
Will this stay? Because this file was recently accessed, I think from a Plesk update.

Also, with the awesome code from UFHH01 I got a lead on an "xx.php" script with some mail fields (from/to) on a completely different customer's site.

Here are also some logs:

Code:
/var/log/maillog:Jun 13 06:55:01 web-host04 postfix/smtpd[16202]: disconnect from unknown[41.225.215.132]
/var/log/maillog:Jun 13 06:55:01 web-host04 postfix/smtpd[16271]: connect from unknown[41.225.215.132]
/var/log/maillog:Jun 13 06:55:01 web-host04 postfix/smtpd[16271]: 9A9E05862FEE: client=unknown[41.225.215.132], sasl_method=LOGIN, [email protected]
/var/log/maillog:Jun 13 06:55:02 web-host04 postfix/smtpd[16271]: disconnect from unknown[41.225.215.132]
/var/log/maillog:Jun 13 06:55:02 web-host04 postfix/smtpd[16202]: connect from unknown[41.225.215.132]
/var/log/maillog:Jun 13 06:55:02 web-host04 postfix/smtpd[16202]: C0E155862FF4: client=unknown[41.225.215.132], sasl_method=LOGIN, [email protected]
/var/log/maillog:Jun 13 06:55:03 web-host04 postfix/smtpd[16202]: disconnect from unknown[41.225.215.132]

/var/log/maillog:Jun 13 06:57:02 web-host04 postfix/cleanup[24532]: 5A1025863034: milter-reject: END-OF-MESSAGE from unknown[41.225.215.132]: 5.7.0 Your message could not be sent. The limit on the number of allowed outgoing messages was exceeded. Try again later.; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<kouki-chawki>

/var/log/apache2/other_vhosts_access.log:customers-domain.com:80 41.225.215.132 - - [13/Jun/2016:07:00:00 +0200] "GET /images//xx.php HTTP/1.1" 200 1988 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
/var/log/apache2/other_vhosts_access.log:customers-domain.com:80 41.225.215.132 - - [13/Jun/2016:07:00:43 +0200] "POST /images//xx.php HTTP/1.1" 200 3760 "http://customers-domain.com/images//xx.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"
/var/log/apache2/other_vhosts_access.log:customers-domain.com:80 41.225.215.132 - - [13/Jun/2016:07:01:30 +0200] "POST /images//xx.php HTTP/1.1" 200 3750 "http://customers-domain.com/images//xx.php" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.84 Safari/537.36"

The last entries of that piece of log are clear to me! But the first part, I can't figure out how he managed to use other customers' email accounts.

The command " find /var/www/vhosts/system -type f -name "*log" -exec grep -i -H "STRING_THAT_YOU_WANT_TO_SEARCH_FOR" {} \; " throws out "find: missing argument to `-exec' "

Also made a screenshot from the xx.php script I found ...
 
Attachments: Bildschirmfoto 2016-06-13 um 15.46.15.jpg
@Daka Media KG

The first part simply states that someone is TRYING from IP 41.225.215.132, but those attempts DO NOT SUCCEED.

Just put the IP 41.225.215.132 in the firewall as a bad IP with the rule "Deny". Problem solved partially, since you will find a lot of similar attempts and IPs, just add them too.

Also, verify that Fail2Ban has activated the postfix jail, it is very likely to be inactive.

Regards.....
 
@trialotto Yes, the hacker / whatever had 3 IPs since last week. All on the "Blacklist" in the firewall.
Postfix Fail2Ban has been online for a month. I don't understand this. I already ask myself if Fail2Ban did anything.....
 
@trialotto Yes, the hacker / whatever had 3 IPs since last week. All on the "Blacklist" in the firewall.
Postfix Fail2Ban has been online for a month. I don't understand this. I already ask myself if Fail2Ban did anything.....

No, to be honest, it is very likely that Fail2Ban did not do anything except noting the bad IP, leaving it and banning after some attempts, releasing the ban....and the process restarts.

The essence is that most mail related "hack scripts" (what is in a name?) are "working around" the scanning interval of Fail2Ban, implying that these scripts "essentially" get more attempts than should be allowed by Fail2Ban settings.

I was working on that issue (read: creating a more secure set of Fail2Ban jails) but encountered some difficulties (with Plesk default configs) AND a lack of time.
 
@trialotto
- Mailing list I disabled and took the whitelisted IP out of .... the firewall or something..
- Cronjobs checked and everything seems okay.
- Still need to figure out how he managed to get inside last week.

Also the logs I showed here were exactly in that sequence.
And it began with
Code:
/var/log/maillog:Jun 13 06:48:52 web-host04 postfix/smtpd[8461]: disconnect from unknown[41.225.215.132]
/var/log/maillog:Jun 13 06:48:52 web-host04 postfix/smtpd[8461]: connect from unknown[41.225.215.132]

So somehow I have to search the log before this time.
Or does that script at the end of the log before just show a kind of "disconnection" from that script?
 
No, this will not get overwritten. Only directives controlled in Plesk are updated, eg the bind to IP Address.
Regards
Lloyd

Do you have any other tips, some rules that really should not be missed in Plesk?

I also noticed something in the MySQL database, many aborted connections.
Are those relevant maybe?
 

Attachments: Bildschirmfoto 2016-06-13 um 16.28.16.jpg, Bildschirmfoto 2016-06-13 um 16.28.07.jpg
Hi Daka Media KG,

The command " find /var/www/vhosts/system -type f -name "*log" -exec grep -i -H "STRING_THAT_YOU_WANT_TO_SEARCH_FOR" {} \; " throws out "find: missing argument to `-exec' "

If you use "copy&paste" from the forum, please make sure that no format codes from the forum are copied (some signs and formats might be invisible in your command line, but will still exist and result in an unwanted command). In order to avoid that, pls. copy the string from the forum to notepad (or something similar) before copying the command from there, and only paste the copy from notepad to your command line!


Your statement
Postfix Fail2Ban has been online for a month. I don't understand this. I already ask myself if Fail2Ban did anything.....
again leaves only space for guessing, but not for investigations. If you really want decent answers, then log files and the related configuration files from Fail2Ban should be added.


Pls note as well:
If you already found a "hack" script on your server, it is essential to stop all services on your server. Your server is already compromised and you really need to find the security hole, why this script could be placed on your server and how it has been placed there.

The way you are actually trying "to repair" your compromised server and its misconfigurations is just fumbling around and might not at all result in a secure server - you could close one security hole, while another one could be opened with another script in the background. Please back up your content from your domain(s), back up your database(s) and restart with a completely new, fresh server installation. Before you restore your content and database(s), pls. make sure to inspect them, in order to avoid former mistakes and misconfigurations.
 