Plesk box compromised?

Diaego (Guest)
Afternoon all,

I'm hoping someone might be able to help with this. We're running a fully up-to-date Plesk box (8.3.0), but I believe, somehow, it may have been compromised. I decided to run a rootkit check randomly, and have the following output:

[root@zeus chkrootkit-0.48]# ./chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `crontab'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... INFECTED
Checking `named'... not infected
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... INFECTED
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... INFECTED
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `vdir'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while...
/var/www/vhosts/grnbroadband.net/subdomains/mrtg/httpdocs/tcp.log
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 \(or variation\) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/5.8.6/i386-linux-thread-multi/.packlist /usr/lib/jvm/java-1.4.2-sun-1.4.2.07/jre/.systemPrefs /usr/lib/jvm/java-1.4.2-sun-1.4.2.07/jre/.systemPrefs/.system.lock /usr/lib/jvm/java-1.4.2-sun-1.4.2.07/jre/.systemPrefs/.systemRootModFile
/usr/lib/jvm/java-1.4.2-sun-1.4.2.07/jre/.systemPrefs
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for LOC rootkit... nothing found
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Searching for Suckit rootkit... nothing found
Searching for Volc rootkit... nothing found
Searching for Gold2 rootkit... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for ShKit rootkit default files and dirs... nothing found
Searching for AjaKit rootkit default files and dirs... nothing found
Searching for zaRwT rootkit default files and dirs... nothing found
Searching for Madalin rootkit default files... nothing found
Searching for Fu rootkit default files... nothing found
Searching for ESRK rootkit default files... nothing found
Searching for rootedoor... nothing found
Searching for ENYELKM rootkit default files... nothing found
Searching for common ssh-scanners default files... nothing found
Searching for suspect PHP files... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `lkm'... not tested: can't exec
Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `w55808'... not infected
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
Checking `chkutmp'... not tested: can't exec ./chkutmp

So obviously, it would appear the server has been compromised. However, I'm confused how this could happen on a server that has always been kept fully up-to-date (as in Updater is frequently run). Can anyone suggest a few ways I can attempt to discover how this has happened? I'm not a Linux expert, hence it running Plesk, but I do know most of the basics on the command line.

Any help would be really appreciated.
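A small triage helper for output like the run above (an added example, not from the thread or from chkrootkit itself): it buckets each check into infected / possible / skipped / clean, and separates the `bindshell' hit on port 465 as a likely false positive, since 465 is the SMTPS port and a legitimate mail daemon listening there trips the same test. The KNOWN_LISTENERS table and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the format chkrootkit prints (as quoted in the thread).
SAMPLE = """\
Checking `basename'... not infected
Checking `ifconfig'... INFECTED
Checking `netstat'... INFECTED
Checking `ldsopreload'... can't exec ./strings-static, not tested
Searching for t0rn's v8 defaults... Possible t0rn v8 \\(or variation\\) rootkit installed
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for Romanian rootkit... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit... nothing found
Checking `bindshell'... INFECTED (PORTS: 465)
Checking `sniffer'... not tested: can't exec ./ifpromisc
"""

# Matches "Checking `name'... result" and "Searching for name... result".
LINE_RE = re.compile(r"^(?:Checking|Searching for) (.+?)\.\.\.\s*(.*)$")
CLEAN = ("not infected", "not found", "nothing found", "no suspect files")
# Assumption: services on this host that legitimately listen on ports the
# bindshell test treats as suspicious; 465 is SMTPS on a mail-serving box.
KNOWN_LISTENERS = {465: "smtps"}


def classify(result):
    """Map one check's result text to a triage bucket."""
    if result.startswith("INFECTED"):
        ports = re.findall(r"\d+", result.split("PORTS:")[1]) if "PORTS:" in result else []
        if ports and all(int(p) in KNOWN_LISTENERS for p in ports):
            return "false_positive"  # confirm the listener from a trusted binary
        return "infected"
    if "not tested" in result or "can't exec" in result:
        return "skipped"  # helper binaries not built: run `make sense` first
    if result in CLEAN:
        return "clean"
    if "Possible" in result or result.startswith("/"):
        return "possible"  # signature hit or suspicious files were listed
    return "unknown"


def triage(output):
    """Group check names by triage bucket over a whole chkrootkit run."""
    groups = defaultdict(list)
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group(2).strip():
            continue  # progress banners and bare path lines
        groups[classify(m.group(2).strip())].append(m.group(1).strip("`'"))
    return dict(groups)
```

Skipped checks matter as much as hits: every "can't exec" line above is a test that never ran, so the run is incomplete until the helper binaries are built.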
 
I'd say the two primary vectors would be through either compromising an administrator account/personal desktop, or through an exploitable web application. Unfortunately, once a system has been compromised to that level with a rootkit, a considerable amount of forensic data is lost.
 
The number one attack I see on a daily basis is attempting to remotely load files or inject PHP code into websites. Either of which can then be a tool used to grant a remote attacker root access, and from there your box is pwnt.
 
Why not use ASL from atomicturtle? This will install enough security tools, and the most important one is mod_security, which will prevent PHP injections in almost all cases (it even sometimes dies when I use phpMyAdmin :) ).
 
Lol, that's exactly why I host phpMyAdmin on a remote machine: have one centralized machine to host it for all machines to use, and then set chmod -R 0000 on the one included with Plesk :p
 
Anyone use, or have experience with, or have any comment on security monitoring services such as HackerSafe, etc.? Is it worth the $$$?
 
Those services are targeted at looking for vulnerabilities in services, like a vulnerable version of SSH and the like. Their ability to identify web based vulnerabilities (which is your threat) from automated scans is very limited. It doesn't hurt to do it though. Just be aware of the high rate of false positives.
 
Thanks AT. I am beginning to see logos for monitoring companies on a massive number of sites I visit, and was just wondering their value.
 
Plus people are dumb and think that a little icon on a page means they are safe, so to appease those people everyone gets those types of things, when it doesn't necessarily mean they are "hacker safe"; they just passed a couple of tests :)
 