My server has been hacked four times in the past month

Discussion in 'Site & Server Administration' started by kaptain, Jan 18, 2006.

  1. #1
    I have a dedicated server and it has been hacked about four times in the past few weeks. Each time the hacker uploads files to the root temp directory and does DoS attacks on other sites.

    They are gaining access right through a browser... These are a few of the logs of successful entries:

    I replaced the real URLs with "mysite".... Also, this is happening on multiple URLs on the same server. The only PHP stuff I use is XOOPS and WordPress. But you will notice mentions of Mambo and other CMSs I don't use....

    Is anyone else having this problem, and does anyone know the fix? I have read some things that it could be, but I am really not sure what the exact problem is.

    The vulnerabilities I have read about are:
    1) register_globals being enabled
    2) the "mosConfig_absolute_path" parameter
    3) something about AWStats

    Are all these the same problem or what....

    Any help would be appreciated.

    It seems that some of the reading I have done says that globals need to be off and some say they need to be on.... but really I have no clue.... my register_globals is set to on....

    Some of the reading i have found:
    http://secunia.com/advisories/17622/
    http://secunia.com/advisories/17441/
     
    kaptain, Jan 18, 2006 IP
  2. Shoemoney
    #2
    Globals just allow the variables to be passed in URLs like you are doing.

    Are you using a Windows-based server? In order for the above to work you must have cmd and wget in the web server user's path and also executable. Check for these.
     
    Shoemoney, Jan 18, 2006 IP
  3. kaptain
    #3
    It's a Linux server.
     
    kaptain, Jan 18, 2006 IP
  4. FeedBucket
    #4
    For goodness' sake, turn register_globals off! Pretty much everything written in PHP in the past 4 years has been written to use the environment properly -- something like Mambo (I'm guessing you're running it, based on your log) shouldn't have any problems.
     
    FeedBucket, Jan 18, 2006 IP
  5. minstrel
    #5
    Also, do you have AWSTATS on your site?
     
    minstrel, Jan 18, 2006 IP
  6. ServerUnion
    #6
    Our admins have a policy that once a server is hacked, the system is rebuilt. You never know what they leave on to allow them access the next time.
     
    ServerUnion, Jan 18, 2006 IP
  7. Design1
    #7
    Good luck! It's a shame that people can't treat each other with respect and try to help each other out more. We've had similar issues along the way. You can always look on the bright side though, your site is popular enough to make someone mad enough to do something about it. You can't be that bad off.. ;)
     
    Design1, Jan 18, 2006 IP
  8. kaptain
    #8
    I think I may have found the problem.... I am running PHP 4.3.9, and if WordPress and/or XOOPS uses PEAR:

    "A PHP application that includes PEAR.php from PHP <= 4.3.10 and is running in PHP < 4.4.1 with register_globals turned on can be exploited."

    Does that make sense???

    Yes, I do have AWStats, but my WHM is on automatic updates, and from what I have read that problem is fixed in the latest versions...???

    No, I'm not running Mambo at all.... only WordPress and XOOPS.
     
    kaptain, Jan 18, 2006 IP
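    The following is an added example, not code from this thread and not code from WordPress, XOOPS, Mambo or PEAR. It illustrates FeedBucket's point in #4 and the PEAR/register_globals note in #8: register_globals copied every request parameter into a PHP variable of the same name, so any variable a script forgot to initialise, or expected its caller to set, could be supplied by the client. extract() does the same thing to the current scope, so the script runs on a current PHP CLI where the directive no longer exists. The variable names, the /var/www/site path and the request contents are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread or from any of the CMSs it mentions).
// extract() stands in for register_globals throughout; names and paths are assumed.

// Vulnerable pattern 1: a flag that is only ever assigned on the success path.
// With register_globals on, ?is_admin=1 in the URL creates $is_admin before the
// check runs. extract() can even clobber the function's own parameters.
function legacyIsAdmin(array $request, bool $loggedInAsAdmin): bool
{
    extract($request);                 // what register_globals effectively did
    if ($loggedInAsAdmin) {
        $is_admin = true;
    }
    return !empty($is_admin);          // true for an unauthenticated ?is_admin=1
}

// Hardened form: the flag is initialised first and request data never enters
// the variable scope, so only the real login path can set it. $request is
// deliberately unused; it is kept only to mirror the legacy signature.
function hardenedIsAdmin(array $request, bool $loggedInAsAdmin): bool
{
    $isAdmin = false;
    if ($loggedInAsAdmin) {
        $isAdmin = true;
    }
    return $isAdmin;
}

// Vulnerable pattern 2: an include file that expects its caller to have set a
// configuration variable (the mosConfig_absolute_path case named in the thread).
// Requested directly, nothing else defines it, so the client's value survives.
function legacyIncludePath(array $request): string
{
    extract($request);                 // what register_globals effectively did
    $mosConfig_absolute_path = $mosConfig_absolute_path ?? '.';
    return $mosConfig_absolute_path . '/includes/db.php';
}

// Hardened form: refuse to run with register_globals on, reject the GLOBALS
// overwrite trick (an application-level equivalent of the check that produced
// the "GLOBALS overwrite attempt detected" message later in the thread), and
// take the install path only from our own configuration.
function hardenedIncludePath(array $request): string
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('register_globals is enabled; fix php.ini first');
    }
    if (array_key_exists('GLOBALS', $request)) {
        throw new RuntimeException('GLOBALS overwrite attempt detected');
    }
    $absolutePath = '/var/www/site';   // assumed; normally loaded from the config file
    return $absolutePath . '/includes/db.php';
}

// Constructed requests for the demonstration.
$tampered  = ['is_admin' => '1', 'mosConfig_absolute_path' => '/tmp/untrusted'];
$overwrite = ['GLOBALS' => ['mosConfig_absolute_path' => '/tmp/untrusted']];
$normal    = [];

var_dump(legacyIsAdmin($tampered, false));
var_dump(hardenedIsAdmin($tampered, false));
echo legacyIncludePath($tampered), "\n";
try {
    echo hardenedIncludePath($overwrite), "\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
echo hardenedIncludePath($normal), "\n";
```

    Run with `php example.php`. The legacy admin check passes for the tampered request while the hardened one does not, the legacy include path is rooted wherever the request said, the hardened function rejects the GLOBALS parameter, and only the normal request yields the configured /var/www/site path. The fix is never "turn register_globals on so the app works": it is initialising every variable, reading request data only from $_GET/$_POST, and having register_globals off.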
  9. Shoemoney
    #9
    Before you do anything you need to figure out how you're being hacked. Replicate it yourself...

    Being this is a Linux box, run a rootkit checker; make sure you haven't been backdoored.

    As ServerUnion said above, it's wise to erase the OS and rebuild.

    When I used to get hacked through phpBB2 all the time (before they even realized it was exploitable) I had a very, very similar thing happen. What you can do is replace the wget binary with your own logging binary. This will show you how it's being called... then you can backtrace from there.
     
    Shoemoney, Jan 18, 2006 IP
  10. kaptain
    #10
    My decision on it being my version of PHP was because of reading this article:

    http://www.hardened-php.net/globals_overwite_and_its_consequences.76.html

    I found it very informative.

    Now when I put the URL from my logs above into my browser I get
    "GLOBALS overwrite attempt detected"

    I have checked out Rootkit Hunter and will be installing it. I was thinking the same thing about the backdoor.

    I'm a little surprised my web host was not aware of this PHP vulnerability. I also think it is a good idea to do a system rebuild.

    I'll post if it seems to fix the problem.

    Note to Shoemoney: your Shoemoney Contest link resolves to a 404.
     
    kaptain, Jan 18, 2006 IP
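    Kaptain's log entries were not reproduced in the thread, so here is an added example (not the thread's own code) of how to pull the request patterns discussed above out of a web server access log: a GLOBALS[...] parameter (the overwrite attempt the hardened-php article describes), a client-supplied mosConfig_absolute_path, a parameter whose value is a remote URL, and cmd/wget tokens in the query string that Shoemoney mentioned in #2. It assumes Apache combined log format; the four log lines at the bottom are constructed with documentation IP addresses, not real traffic.

```php
<?php
// Added example (not from the thread). Flags access-log lines carrying the
// request patterns discussed in the thread. Sample lines are constructed.

// Pull ip, timestamp, method, request target and status out of a combined-format line.
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Flatten parse_str() output so GLOBALS[x][y]=v becomes the key "GLOBALS[x][y]".
function flattenParams(array $params, string $prefix = ''): array
{
    $flat = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $flat += flattenParams($value, $name);
        } else {
            $flat[$name] = (string) $value;
        }
    }
    return $flat;
}

// Reasons a request target looks like one of the patterns from the thread (empty if none).
function suspiciousReasons(string $target): array
{
    $reasons = [];
    $pos = strpos($target, '?');
    $query = $pos === false ? '' : substr($target, $pos + 1);
    parse_str($query, $params);              // percent-decodes keys and values

    if (array_key_exists('GLOBALS', $params)) {
        $reasons[] = 'GLOBALS overwrite attempt';
    }
    if (array_key_exists('mosConfig_absolute_path', $params)) {
        $reasons[] = 'mosConfig_absolute_path supplied by client';
    }
    foreach (flattenParams($params) as $name => $value) {
        if (preg_match('#^(https?|ftp)://#i', $value)) {
            $reasons[] = "remote URL in parameter $name";
        }
    }
    $decoded = strtolower(rawurldecode($query));
    if (preg_match('/(^|[&;])cmd=|\bwget\b/', $decoded)) {
        $reasons[] = 'shell command tokens in query string';
    }
    return $reasons;
}

// Return only the parsed entries that have at least one reason attached.
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseLogLine($line);
        if ($entry === null) {
            continue;
        }
        $reasons = suspiciousReasons($entry['target']);
        if ($reasons !== []) {
            $entry['reasons'] = $reasons;
            $hits[] = $entry;
        }
    }
    return $hits;
}

// Constructed sample lines (RFC 5737 documentation addresses, not real traffic).
$sampleLog = [
    '203.0.113.5 - - [18/Jan/2006:10:00:00 -0500] "GET /wp-content/themes/default/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jan/2006:10:01:12 -0500] "GET /index.php?GLOBALS%5Bconfig%5D=1 HTTP/1.0" 200 512 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [18/Jan/2006:10:01:15 -0500] "GET /includes/db.php?mosConfig_absolute_path=http://198.51.100.7/x HTTP/1.0" 200 0 "-" "libwww-perl/5.79"',
    '198.51.100.7 - - [18/Jan/2006:10:01:20 -0500] "GET /index.php?cmd=wget HTTP/1.0" 404 210 "-" "libwww-perl/5.79"',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("%s %s %s %d -> %s\n", $hit['time'], $hit['ip'], $hit['target'], $hit['status'], implode('; ', $hit['reasons']));
}
```

    Run with `php scan.php`, or feed real logs by replacing $sampleLog with `file('/path/to/access_log', FILE_IGNORE_NEW_LINES)`. The benign stylesheet request produces no output; the other three lines are reported with their reasons. Status codes are kept in the output on purpose: a 200 on one of these requests is the line worth chasing, since it shows the script actually executed with the tampered input, which is the kind of entry Shoemoney asks kaptain to replicate in #9.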
  11. Shoemoney
    #11
    Thanks... forgot about that.

    Again, it's really important that you can duplicate the exploit. Otherwise you're just guessing. Also, you will learn tons in the process.
     
    Shoemoney, Jan 18, 2006 IP
  12. samantha pia
    #12
    Have you deleted the config.php files from WordPress after you installed it?
     
    samantha pia, Jan 19, 2006 IP
  13. kaptain
    #13
    I was thinking putting the URL the hacker used in my address bar would duplicate it, but by me not really knowing the rest of what he/she does, I don't know for sure.

    Minstrel: Apparently I also had a problem with AWStats and have installed a patch. I thought if WHM was up to date, the AWStats patches would be too?

    This is the only business that i have ever been in that even after four+ years i feel like a newbie sometimes. But, that is what makes it interesting. ;)
     
    kaptain, Jan 19, 2006 IP
  14. kaptain
    #14

    Are you talking about the one file named wp-config.php? No, I did not.... but I don't remember reading that I was supposed to. From what I remember I was to delete the install file, and I did that.
     
    kaptain, Jan 19, 2006 IP
  15. RectangleMan
    #15
    I update my PHP version within hours of a new update. It just has to get done. Join security mailing lists to get emails on new updates. This is also very helpful for knowing if you run software with a problem.
     
    RectangleMan, Jan 20, 2006 IP